openstack/openstack-helm-infra
Code Issues Proposed changes

feat(tls): add tls to mariadb chart

Browse Source 
This patch set provides capability to enable TLS termination for the
MariaDB chart. This will be used by the follow on patches in OSH
services patches.

Co-authored-by: Tin Lam <tin@irrational.io>
Co-authored-by: sgupta <sg774j@att.com>
Change-Id: I5ebc8db58c0aa7b4e9eb0b5c671b280250d3cd1f
This commit is contained in:
Gage Hugo 2020-06-25 18:13:13 -05:00 committed by Sangeet Gupta
parent 84426374b6
commit c86526cfbc
11 changed files with 204 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
View File

@ -34,6 +34,9 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} {{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }} {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} {{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@ -82,6 +85,12 @@ spec:
- name: OPENSTACK_CONFIG_DB_KEY - name: OPENSTACK_CONFIG_DB_KEY
value: {{ $dbToDrop.configDbKey | quote }} value: {{ $dbToDrop.configDbKey | quote }}
{{- end }} {{- end }}
{{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509
value: "REQUIRE X509"
- name: USER_CERT_PATH
value: {{ $tlsPath | quote }}
{{- end }}
{{- if eq $dbToDropType "secret" }} {{- if eq $dbToDropType "secret" }}
- name: DB_CONNECTION - name: DB_CONNECTION
valueFrom: valueFrom:
@ -98,6 +107,7 @@ spec:
mountPath: /tmp/db-drop.py mountPath: /tmp/db-drop.py
subPath: db-drop.py subPath: db-drop.py
readOnly: true readOnly: true
{{- if eq $dbToDropType "oslo" }} {{- if eq $dbToDropType "oslo" }}
- name: etc-service - name: etc-service
mountPath: {{ dir $dbToDrop.configFile | quote }} mountPath: {{ dir $dbToDrop.configFile | quote }}
@ -110,6 +120,10 @@ spec:
subPath: {{ base $dbToDrop.logConfigFile | quote }} subPath: {{ base $dbToDrop.logConfigFile | quote }}
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
{{- end }} {{- end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -124,6 +138,10 @@ spec:
name: {{ $configMapBin | quote }} name: {{ $configMapBin | quote }}
defaultMode: 0555 defaultMode: 0555
{{- end }} {{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
{{- $local := dict "configMapBinFirst" true -}} {{- $local := dict "configMapBinFirst" true -}}
{{- range $key1, $dbToDrop := $dbsToDrop }} {{- range $key1, $dbToDrop := $dbsToDrop }}
{{- $dbToDropType := default "oslo" $dbToDrop.inputType }} {{- $dbToDropType := default "oslo" $dbToDrop.inputType }}

17
helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
View File

@ -34,6 +34,9 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} {{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }} {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} {{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@ -87,6 +90,12 @@ spec:
secretKeyRef: secretKeyRef:
name: {{ $dbToInit.userSecret | quote }} name: {{ $dbToInit.userSecret | quote }}
key: DB_CONNECTION key: DB_CONNECTION
{{- end }}
{{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509
value: "REQUIRE X509"
- name: USER_CERT_PATH
value: {{ $tlsPath | quote }}
{{- end }} {{- end }}
command: command:
- /tmp/db-init.py - /tmp/db-init.py
@ -109,6 +118,10 @@ spec:
subPath: {{ base $dbToInit.logConfigFile | quote }} subPath: {{ base $dbToInit.logConfigFile | quote }}
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
{{- end }} {{- end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -123,6 +136,10 @@ spec:
name: {{ $configMapBin | quote }} name: {{ $configMapBin | quote }}
defaultMode: 0555 defaultMode: 0555
{{- end }} {{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
{{- $local := dict "configMapBinFirst" true -}} {{- $local := dict "configMapBinFirst" true -}}
{{- range $key1, $dbToInit := $dbsToInit }} {{- range $key1, $dbToInit := $dbsToInit }}
{{- $dbToInitType := default "oslo" $dbToInit.inputType }} {{- $dbToInitType := default "oslo" $dbToInit.inputType }}

7
helm-toolkit/templates/manifests/_job-db-sync.tpl
View File

@ -31,6 +31,9 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} {{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }} {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} {{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@ -87,6 +90,8 @@ spec:
mountPath: {{ $dbToSync.logConfigFile | quote }} mountPath: {{ $dbToSync.logConfigFile | quote }}
subPath: {{ base $dbToSync.logConfigFile | quote }} subPath: {{ base $dbToSync.logConfigFile | quote }}
readOnly: true readOnly: true
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- if $podVolMounts }} {{- if $podVolMounts }}
{{ $podVolMounts | toYaml | indent 12 }} {{ $podVolMounts | toYaml | indent 12 }}
{{- end }} {{- end }}
@ -109,6 +114,8 @@ spec:
secret: secret:
secretName: {{ $configMapEtc | quote }} secretName: {{ $configMapEtc | quote }}
defaultMode: 0444 defaultMode: 0444
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- if $podVols }} {{- if $podVols }}
{{ $podVols | toYaml | indent 8 }} {{ $podVols | toYaml | indent 8 }}
{{- end }} {{- end }}

23
helm-toolkit/templates/scripts/_db-drop.py.tpl
View File

@ -54,6 +54,13 @@ else:
logger.critical('environment variable ROOT_DB_CONNECTION not set') logger.critical('environment variable ROOT_DB_CONNECTION not set')
sys.exit(1) sys.exit(1)
mysql_x509 = os.getenv('MARIADB_X509', "")
if mysql_x509:
user_tls_cert_path = os.getenv('USER_CERT_PATH', "")
if not user_tls_cert_path:
logger.critical('environment variable USER_CERT_PATH not set')
sys.exit(1)
# Get the connection string for the service db # Get the connection string for the service db
if "OPENSTACK_CONFIG_FILE" in os.environ: if "OPENSTACK_CONFIG_FILE" in os.environ:
os_conf = os.environ['OPENSTACK_CONFIG_FILE'] os_conf = os.environ['OPENSTACK_CONFIG_FILE']
@ -94,7 +101,13 @@ try:
host = root_engine_full.url.host host = root_engine_full.url.host
port = root_engine_full.url.port port = root_engine_full.url.port
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
root_engine = create_engine(root_engine_url) if mysql_x509:
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
'key': '/etc/mysql/certs/tls.key',
'cert': '/etc/mysql/certs/tls.crt'}}
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
else:
root_engine = create_engine(root_engine_url)
connection = root_engine.connect() connection = root_engine.connect()
connection.close() connection.close()
logger.info("Tested connection to DB @ {0}:{1} as {2}".format( logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
@ -105,7 +118,13 @@ except:
# User DB engine # User DB engine
try: try:
user_engine = create_engine(user_db_conn) if mysql_x509:
ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path),
'key': '{0}/tls.key'.format(user_tls_cert_path),
'cert': '{0}/tls.crt'.format(user_tls_cert_path)}}
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
else:
user_engine = create_engine(user_db_conn)
# Get our user data out of the user_engine # Get our user data out of the user_engine
database = user_engine.url.database database = user_engine.url.database
user = user_engine.url.username user = user_engine.url.username

27
helm-toolkit/templates/scripts/_db-init.py.tpl
View File

@ -54,6 +54,13 @@ else:
logger.critical('environment variable ROOT_DB_CONNECTION not set') logger.critical('environment variable ROOT_DB_CONNECTION not set')
sys.exit(1) sys.exit(1)
mysql_x509 = os.getenv('MARIADB_X509', "")
if mysql_x509:
user_tls_cert_path = os.getenv('USER_CERT_PATH', "")
if not user_tls_cert_path:
logger.critical('environment variable USER_CERT_PATH not set')
sys.exit(1)
# Get the connection string for the service db # Get the connection string for the service db
if "OPENSTACK_CONFIG_FILE" in os.environ: if "OPENSTACK_CONFIG_FILE" in os.environ:
os_conf = os.environ['OPENSTACK_CONFIG_FILE'] os_conf = os.environ['OPENSTACK_CONFIG_FILE']
@ -94,7 +101,13 @@ try:
host = root_engine_full.url.host host = root_engine_full.url.host
port = root_engine_full.url.port port = root_engine_full.url.port
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
root_engine = create_engine(root_engine_url) if mysql_x509:
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
'key': '/etc/mysql/certs/tls.key',
'cert': '/etc/mysql/certs/tls.crt'}}
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
else:
root_engine = create_engine(root_engine_url)
connection = root_engine.connect() connection = root_engine.connect()
connection.close() connection.close()
logger.info("Tested connection to DB @ {0}:{1} as {2}".format( logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
@ -105,7 +118,13 @@ except:
# User DB engine # User DB engine
try: try:
user_engine = create_engine(user_db_conn) if mysql_x509:
ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path),
'key': '{0}/tls.key'.format(user_tls_cert_path),
'cert': '{0}/tls.crt'.format(user_tls_cert_path)}}
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
else:
user_engine = create_engine(user_db_conn)
# Get our user data out of the user_engine # Get our user data out of the user_engine
database = user_engine.url.database database = user_engine.url.database
user = user_engine.url.username user = user_engine.url.username
@ -126,8 +145,8 @@ except:
# Create DB User # Create DB User
try: try:
root_engine.execute( root_engine.execute(
"GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\'".format( "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
database, user, password)) database, user, password, mysql_x509))
logger.info("Created user {0} for {1}".format(user, database)) logger.info("Created user {0} for {1}".format(user, database))
except: except:
logger.critical("Could not create user {0} for {1}".format(user, database)) logger.critical("Could not create user {0} for {1}".format(user, database))

27
mariadb/templates/bin/_readiness.sh.tpl
View File

@ -19,6 +19,12 @@ set -e
MYSQL="mysql \ MYSQL="mysql \
--defaults-file=/etc/mysql/admin_user.cnf \ --defaults-file=/etc/mysql/admin_user.cnf \
--host=localhost \ --host=localhost \
{{- if .Values.manifests.certificates }}
--ssl-verify-server-cert=false \
--ssl-ca=/etc/mysql/certs/ca.crt \
--ssl-key=/etc/mysql/certs/tls.key \
--ssl-cert=/etc/mysql/certs/tls.crt \
{{- end }}
--connect-timeout 2" --connect-timeout 2"
mysql_status_query () { mysql_status_query () {
@ -28,22 +34,25 @@ mysql_status_query () {
} }
if ! $MYSQL -e 'select 1' > /dev/null 2>&1 ; then if ! $MYSQL -e 'select 1' > /dev/null 2>&1 ; then
exit 1 exit 1
fi fi
if [ "x$(mysql_status_query wsrep_ready)" != "xON" ]; then if [ "x$(mysql_status_query wsrep_ready)" != "xON" ]; then
# WSREP says the node can receive queries # WSREP says the node can receive queries
exit 1 exit 1
fi fi
if [ "x$(mysql_status_query wsrep_connected)" != "xON" ]; then if [ "x$(mysql_status_query wsrep_connected)" != "xON" ]; then
# WSREP connected # WSREP connected
exit 1 exit 1
fi fi
if [ "x$(mysql_status_query wsrep_cluster_status)" != "xPrimary" ]; then if [ "x$(mysql_status_query wsrep_cluster_status)" != "xPrimary" ]; then
# Not in primary cluster # Not in primary cluster
exit 1 exit 1
fi fi
if [ "x$(mysql_status_query wsrep_local_state_comment)" != "xSynced" ]; then if [ "x$(mysql_status_query wsrep_local_state_comment)" != "xSynced" ]; then
# WSREP not synced # WSREP not synced
exit 1 exit 1
fi fi

54
mariadb/templates/bin/_start.py.tpl
View File

@ -104,6 +104,8 @@ else:
if check_env_var("MYSQL_DBAUDIT_PASSWORD"): if check_env_var("MYSQL_DBAUDIT_PASSWORD"):
mysql_dbaudit_password = os.environ['MYSQL_DBAUDIT_PASSWORD'] mysql_dbaudit_password = os.environ['MYSQL_DBAUDIT_PASSWORD']
mysql_x509 = os.getenv('MARIADB_X509', "")
if mysql_dbadmin_username == mysql_dbsst_username: if mysql_dbadmin_username == mysql_dbsst_username:
logger.critical( logger.critical(
"The dbadmin username should not match the sst user username") "The dbadmin username should not match the sst user username")
@ -270,33 +272,35 @@ def mysqld_bootstrap():
# is locked and cannot login # is locked and cannot login
"DELETE FROM mysql.user WHERE user != 'mariadb.sys' ;\n" # nosec "DELETE FROM mysql.user WHERE user != 'mariadb.sys' ;\n" # nosec
"CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n" "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
"GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n" "GRANT ALL ON *.* TO '{0}'@'%' {4} WITH GRANT OPTION; \n"
"DROP DATABASE IF EXISTS test ;\n" "DROP DATABASE IF EXISTS test ;\n"
"CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n" "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}';\n"
"GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n" "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1';\n"
"FLUSH PRIVILEGES ;\n" "FLUSH PRIVILEGES ;\n"
"SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password, "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
mysql_dbsst_username, mysql_dbsst_password)) mysql_dbsst_username, mysql_dbsst_password,
mysql_x509))
else: else:
template = ( template = (
"DELETE FROM mysql.user WHERE user != 'mariadb.sys' ;\n" # nosec "DELETE FROM mysql.user WHERE user != 'mariadb.sys' ;\n" # nosec
"CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n" "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
"GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n" "GRANT ALL ON *.* TO '{0}'@'%' {6} WITH GRANT OPTION;\n"
"DROP DATABASE IF EXISTS test ;\n" "DROP DATABASE IF EXISTS test ;\n"
"CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n" "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}';\n"
"GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n" "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
"CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n" "CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}';\n"
"GRANT SELECT ON *.* TO '{4}'@'%' ;\n" "GRANT SELECT ON *.* TO '{4}'@'%' {6};\n"
"FLUSH PRIVILEGES ;\n" "FLUSH PRIVILEGES ;\n"
"SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password, "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
mysql_dbsst_username, mysql_dbsst_password, mysql_dbsst_username, mysql_dbsst_password,
mysql_dbaudit_username, mysql_dbaudit_password)) mysql_dbaudit_username, mysql_dbaudit_password,
mysql_x509))
bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name
with open(bootstrap_sql_file, 'w') as f: with open(bootstrap_sql_file, 'w') as f:
f.write(template) f.write(template)
f.close() f.close()
run_cmd_with_logging([ run_cmd_with_logging([
'mysqld', '--bind-address=127.0.0.1', 'mysqld', '--user=mysql', '--bind-address=127.0.0.1',
'--wsrep_cluster_address=gcomm://', '--wsrep_cluster_address=gcomm://',
"--init-file={0}".format(bootstrap_sql_file) "--init-file={0}".format(bootstrap_sql_file)
], logger) ], logger)
@ -780,7 +784,7 @@ def run_mysqld(cluster='existing'):
mysqld_write_cluster_conf(mode='run') mysqld_write_cluster_conf(mode='run')
launch_leader_election() launch_leader_election()
launch_cluster_monitor() launch_cluster_monitor()
mysqld_cmd = ['mysqld'] mysqld_cmd = ['mysqld', '--user=mysql']
if cluster == 'new': if cluster == 'new':
mysqld_cmd.append('--wsrep-new-cluster') mysqld_cmd.append('--wsrep-new-cluster')
@ -791,24 +795,26 @@ def run_mysqld(cluster='existing'):
if not mysql_dbaudit_username: if not mysql_dbaudit_username:
template = ( template = (
"CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n" "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
"GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n" "GRANT ALL ON *.* TO '{0}'@'%' {4} WITH GRANT OPTION ;\n"
"CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n" "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
"GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n" "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
"FLUSH PRIVILEGES ;\n" "FLUSH PRIVILEGES ;\n"
"SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
mysql_dbsst_username, mysql_dbsst_password))
else:
template = (
"CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
"GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
"CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
"GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
"CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n"
"GRANT SELECT ON *.* TO '{4}'@'%' ;\n"
"FLUSH PRIVILEGES ;\n"
"SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password, "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
mysql_dbsst_username, mysql_dbsst_password, mysql_dbsst_username, mysql_dbsst_password,
mysql_dbaudit_username, mysql_dbaudit_password)) mysql_x509))
else:
template = (
"CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
"GRANT ALL ON *.* TO '{0}'@'%' {6} WITH GRANT OPTION ;\n"
"CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
"GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
"CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n"
"GRANT SELECT ON *.* TO '{4}'@'%' {6};\n"
"FLUSH PRIVILEGES ;\n"
"SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
mysql_dbsst_username, mysql_dbsst_password,
mysql_dbaudit_username, mysql_dbaudit_password,
mysql_x509))
bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name
with open(bootstrap_sql_file, 'w') as f: with open(bootstrap_sql_file, 'w') as f:
f.write(template) f.write(template)

17
mariadb/templates/certificates.yaml Normal file
View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "oslo_db" "type" "default" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

6
mariadb/templates/statefulset.yaml
View File

@ -136,6 +136,10 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.namespace fieldPath: metadata.namespace
{{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509
value: "REQUIRE X509"
{{- end }}
- name: MARIADB_REPLICAS - name: MARIADB_REPLICAS
value: {{ .Values.pod.replicas.server | quote }} value: {{ .Values.pod.replicas.server | quote }}
- name: POD_NAME_PREFIX - name: POD_NAME_PREFIX
@ -229,6 +233,7 @@ spec:
readOnly: true readOnly: true
- name: mysql-data - name: mysql-data
mountPath: /var/lib/mysql mountPath: /var/lib/mysql
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
@ -248,6 +253,7 @@ spec:
secret: secret:
secretName: mariadb-secrets secretName: mariadb-secrets
defaultMode: 0444 defaultMode: 0444
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- if not .Values.volume.enabled }} {{- if not .Values.volume.enabled }}
- name: mysql-data - name: mysql-data
{{- if .Values.volume.use_local_path_for_single_pod_cluster.enabled }} {{- if .Values.volume.use_local_path_for_single_pod_cluster.enabled }}

25
mariadb/values.yaml
View File

@ -20,7 +20,6 @@ release_group: null
images: images:
tags: tags:
# 10.2.31
mariadb: openstackhelm/mariadb@sha256:5f05ce5dce71c835c6361a05705da5cce31114934689ec87dfa48b8f8c600f70 mariadb: openstackhelm/mariadb@sha256:5f05ce5dce71c835c6361a05705da5cce31114934689ec87dfa48b8f8c600f70
ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0 ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0
error_pages: gcr.io/google_containers/defaultbackend:1.4 error_pages: gcr.io/google_containers/defaultbackend:1.4
@ -416,6 +415,15 @@ conf:
wsrep_sst_auth={{ .Values.endpoints.oslo_db.auth.sst.username }}:{{ .Values.endpoints.oslo_db.auth.sst.password }} wsrep_sst_auth={{ .Values.endpoints.oslo_db.auth.sst.username }}:{{ .Values.endpoints.oslo_db.auth.sst.password }}
wsrep_sst_method=mariabackup wsrep_sst_method=mariabackup
{{ if .Values.manifests.certificates }}
# TLS
ssl_ca=/etc/mysql/certs/ca.crt
ssl_key=/etc/mysql/certs/tls.key
ssl_cert=/etc/mysql/certs/tls.crt
# tls_version = TLSv1.2,TLSv1.3
{{ end }}
[mysqldump] [mysqldump]
max-allowed-packet=16M max-allowed-packet=16M
@ -423,6 +431,15 @@ conf:
default_character_set=utf8 default_character_set=utf8
protocol=tcp protocol=tcp
port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ if .Values.manifests.certificates }}
# TLS
ssl_ca=/etc/mysql/certs/ca.crt
ssl_key=/etc/mysql/certs/tls.key
ssl_cert=/etc/mysql/certs/tls.crt
# tls_version = TLSv1.2,TLSv1.3
ssl-verify-server-cert
{{ end }}
config_override: null config_override: null
# Any configuration here will override the base config. # Any configuration here will override the base config.
# config_override: |- # config_override: |-
@ -445,6 +462,11 @@ secrets:
remote_rgw_user: mariadb-backup-user remote_rgw_user: mariadb-backup-user
mariadb: mariadb:
backup_restore: mariadb-backup-restore backup_restore: mariadb-backup-restore
tls:
oslo_db:
server:
public: mariadb-tls-server
internal: mariadb-tls-direct
# typically overridden by environmental # typically overridden by environmental
# values, but should include all endpoints # values, but should include all endpoints
@ -589,6 +611,7 @@ network_policy:
- {} - {}
manifests: manifests:
certificates: false
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
configmap_ingress_conf: true configmap_ingress_conf: true

23
mariadb/values_overrides/tls.yaml Normal file
View File

@ -0,0 +1,23 @@
---
pod:
security_context:
server:
container:
perms:
readOnlyRootFilesystem: false
mariadb:
runAsUser: 0
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
endpoints:
oslo_db:
host_fqdn_override:
default:
tls:
secretName: mariadb-tls-direct
issuerRef:
name: ca-issuer
kind: Issuer
manifests:
certificates: true
...