feat(tls): add tls to mariadb exporter charts

This patchset updates the .cnf files to support tls and mount
the certificates where needed.

Change-Id: I5aff6821f2649f55dd4444896379491b504415bb

mariadb/templates/cron-job-backup-mariadb.yaml

@@ -121,6 +121,7 @@ spec:
                   mountPath: /etc/mysql/admin_user.cnf
                   subPath: admin_user.cnf
                   readOnly: true
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
           restartPolicy: OnFailure
           serviceAccount: {{ $serviceAccountName }}
           serviceAccountName: {{ $serviceAccountName }}
@@ -145,4 +146,5 @@ spec:
                 type: DirectoryOrCreate
               name: mariadb-backup-dir
             {{- end }}
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}

mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl

@@ -18,7 +18,7 @@ set -e
 
 if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
   "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
-   GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%'; \
+   GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
    FLUSH PRIVILEGES;" ; then
   echo "ERROR: Could not create user: ${EXPORTER_USER}"
   exit 1

mariadb/templates/monitoring/prometheus/exporter-deployment.yaml

@@ -93,6 +93,7 @@ spec:
               mountPath: /tmp/mysqld-exporter.sh
               subPath: mysqld-exporter.sh
               readOnly: true
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
       volumes:
         - name: pod-tmp
           emptyDir: {}
@@ -104,4 +105,5 @@ spec:
           configMap:
             name: mysql-exporter-bin
             defaultMode: 0555
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}

mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml

@@ -59,6 +59,10 @@ spec:
                 secretKeyRef:
                   name: mysql-exporter-secrets
                   key: EXPORTER_PASSWORD
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
           volumeMounts:
             - name: pod-tmp
               mountPath: /tmp
@@ -70,6 +74,7 @@ spec:
               mountPath: /etc/mysql/admin_user.cnf
               subPath: admin_user.cnf
               readOnly: true
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
       volumes:
         - name: pod-tmp
           emptyDir: {}
@@ -81,4 +86,5 @@ spec:
           secret:
             secretName: mariadb-secrets
             defaultMode: 0444
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}

mariadb/templates/monitoring/prometheus/secrets/_exporter_user.cnf.tpl

@@ -17,3 +17,9 @@ user = {{ .Values.endpoints.oslo_db.auth.exporter.username }}
 password = {{ .Values.endpoints.oslo_db.auth.exporter.password }}
 host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- if .Values.manifests.certificates -}}
+ssl-ca = /etc/mysql/certs/ca.crt
+ssl-key = /etc/mysql/certs/tls.key
+ssl-cert = /etc/mysql/certs/tls.crt
+{{- end -}}
+

mariadb/templates/pod-test.yaml

@@ -61,6 +61,7 @@ spec:
           {{ fail "Either 'direct' or 'internal' should be specified for .Values.conf.tests.endpoint" }}
           {{ end }}
           readOnly: true
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
   volumes:
     - name: pod-tmp
       emptyDir: {}
@@ -72,4 +73,5 @@ spec:
       secret:
         secretName: mariadb-secrets
         defaultMode: 0444
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}

mariadb/templates/secrets/_admin_user.cnf.tpl

@@ -17,3 +17,8 @@ user = {{ .Values.endpoints.oslo_db.auth.admin.username }}
 password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
 host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- if .Values.manifests.certificates -}}
+ssl-ca = /etc/mysql/certs/ca.crt
+ssl-key = /etc/mysql/certs/tls.key
+ssl-cert = /etc/mysql/certs/tls.crt
+{{- end -}}

mariadb/templates/secrets/_admin_user_internal.cnf.tpl

@@ -17,3 +17,8 @@ user = {{ .Values.endpoints.oslo_db.auth.admin.username }}
 password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
 host = {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
 port = {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- if .Values.manifests.certificates -}}
+ssl-ca = /etc/mysql/certs/ca.crt
+ssl-key = /etc/mysql/certs/tls.key
+ssl-cert = /etc/mysql/certs/tls.crt
+{{- end -}}