From d458e888a921d315f1be15686139267def4dc515 Mon Sep 17 00:00:00 2001
From: "Gupta, Sangeet (sg774j)"
Date: Mon, 27 Jul 2020 21:08:33 +0000
Subject: [PATCH] feat(tls): add tls to mariadb exporter charts

This patchset updates the .cnf files to support tls and mount the certificates where needed.

Change-Id: I5aff6821f2649f55dd4444896379491b504415bb
---
 mariadb/templates/cron-job-backup-mariadb.yaml | 2 ++
 .../monitoring/prometheus/bin/_create-mysql-user.sh.tpl | 2 +-
 .../monitoring/prometheus/exporter-deployment.yaml | 2 ++
 .../monitoring/prometheus/exporter-job-create-user.yaml | 6 ++++++
 .../monitoring/prometheus/secrets/_exporter_user.cnf.tpl | 6 ++++++
 mariadb/templates/pod-test.yaml | 2 ++
 mariadb/templates/secrets/_admin_user.cnf.tpl | 5 +++++
 mariadb/templates/secrets/_admin_user_internal.cnf.tpl | 5 +++++
 8 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/mariadb/templates/cron-job-backup-mariadb.yaml b/mariadb/templates/cron-job-backup-mariadb.yaml
index 165e1535e..713049085 100644
--- a/mariadb/templates/cron-job-backup-mariadb.yaml
+++ b/mariadb/templates/cron-job-backup-mariadb.yaml
@@ -121,6 +121,7 @@ spec:
 mountPath: /etc/mysql/admin_user.cnf
 subPath: admin_user.cnf
 readOnly: true
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 restartPolicy: OnFailure
 serviceAccount: {{ $serviceAccountName }}
 serviceAccountName: {{ $serviceAccountName }}
@@ -145,4 +146,5 @@ spec:
 type: DirectoryOrCreate
 name: mariadb-backup-dir
 {{- end }}
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
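Review bot: The mount added in the first hunk hands the backup pod the `secrets.tls.oslo_db.server.internal` secret, and the `.cnf` templates in this series point `ssl-key`/`ssl-cert` at that same mount, so the server's own key pair is being reused as the client identity; the same secret is mounted in the exporter deployment, the create-user job and the test pod. If that secret holds the server's private key, as its name suggests, every one of those pods can impersonate the database, and the `REQUIRE X509` added for the exporter account is satisfied by the server's own certificate rather than by a per-client one. Consider a separate client-side certificate secret for these consumers, or a comment on the `tls_volume` include stating why sharing the server key pair is acceptable here. The enclosing `volumeMounts` and `volumes` lists start outside both hunks.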
diff --git a/mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl b/mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl
index 7c75ab4c1..682d3beee 100644
--- a/mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl
+++ b/mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl
@@ -18,7 +18,7 @@ set -e
 if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
 "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
-GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%'; \
+GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
 FLUSH PRIVILEGES;" ; then
 echo "ERROR: Could not create user: ${EXPORTER_USER}"
 exit 1
diff --git a/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml b/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml
index 5fe5c063b..2bd4590d4 100644
--- a/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml
@@ -93,6 +93,7 @@ spec:
 mountPath: /tmp/mysqld-exporter.sh
 subPath: mysqld-exporter.sh
 readOnly: true
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 volumes:
 - name: pod-tmp
 emptyDir: {}
@@ -104,4 +105,5 @@ spec:
 configMap:
 name: mysql-exporter-bin
 defaultMode: 0555
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
diff --git a/mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml b/mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml
index 4b5331f85..c897f5d8a 100644
--- a/mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml
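Review bot: `${MARIADB_X509}` is spliced into the GRANT statement as a raw SQL fragment, and nothing at the call site says that the job template sets it to `REQUIRE X509` only when `.Values.manifests.certificates` is true and leaves it unset otherwise, so a reader of the script alone cannot tell whether an empty expansion is intended. A comment above the `mysql` invocation would carry that, e.g. `# MARIADB_X509 is "REQUIRE X509" when the chart enables certificates (set in exporter-job-create-user.yaml); when unset the account is created with no TLS requirement`. Because `CREATE OR REPLACE USER` precedes the GRANT, every run re-creates the account, so turning certificates off later also removes the X509 requirement from an existing exporter account; worth stating in the same comment if that is the intended toggle. The `if` opened in this hunk closes outside it.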
+++ b/mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml
@@ -59,6 +59,10 @@ spec:
 secretKeyRef:
 name: mysql-exporter-secrets
 key: EXPORTER_PASSWORD
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
 volumeMounts:
 - name: pod-tmp
 mountPath: /tmp
@@ -70,6 +74,7 @@ spec:
 mountPath: /etc/mysql/admin_user.cnf
 subPath: admin_user.cnf
 readOnly: true
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 volumes:
 - name: pod-tmp
 emptyDir: {}
@@ -81,4 +86,5 @@ spec:
 secret:
 secretName: mariadb-secrets
 defaultMode: 0444
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
diff --git a/mariadb/templates/monitoring/prometheus/secrets/_exporter_user.cnf.tpl b/mariadb/templates/monitoring/prometheus/secrets/_exporter_user.cnf.tpl
index da2d64fce..111d492fe 100644
--- a/mariadb/templates/monitoring/prometheus/secrets/_exporter_user.cnf.tpl
+++ b/mariadb/templates/monitoring/prometheus/secrets/_exporter_user.cnf.tpl
@@ -17,3 +17,9 @@ user = {{ .Values.endpoints.oslo_db.auth.exporter.username }}
 password = {{ .Values.endpoints.oslo_db.auth.exporter.password }}
 host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- if .Values.manifests.certificates -}}
+ssl-ca = /etc/mysql/certs/ca.crt
+ssl-key = /etc/mysql/certs/tls.key
+ssl-cert = /etc/mysql/certs/tls.crt
+{{- end -}}
+
diff --git a/mariadb/templates/pod-test.yaml b/mariadb/templates/pod-test.yaml
index 687caa028..02d9b6f29 100644
--- a/mariadb/templates/pod-test.yaml
+++ b/mariadb/templates/pod-test.yaml
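Review bot: In the `_exporter_user.cnf.tpl` hunk, `{{- if .Values.manifests.certificates -}}` trims whitespace on both sides, so with certificates enabled the rendered file glues `ssl-ca = /etc/mysql/certs/ca.crt` onto the end of the `port = …` line, and `{{- end -}}` likewise strips the newline after `ssl-cert = …`; the resulting option file is not the three separate `ssl-*` lines the change intends. Dropping the right-hand trim keeps each option on its own line: `{{- if .Values.manifests.certificates }}` and `{{- end }}`. The same construction appears in `_admin_user.cnf.tpl` and `_admin_user_internal.cnf.tpl` later in this series. The extra empty `+` line at the end of this hunk is consumed by the trim anyway and can be dropped.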
@@ -61,6 +61,7 @@ spec:
 {{ fail "Either 'direct' or 'internal' should be specified for .Values.conf.tests.endpoint" }}
 {{ end }}
 readOnly: true
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 volumes:
 - name: pod-tmp
 emptyDir: {}
@@ -72,4 +73,5 @@ spec:
 secret:
 secretName: mariadb-secrets
 defaultMode: 0444
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
diff --git a/mariadb/templates/secrets/_admin_user.cnf.tpl b/mariadb/templates/secrets/_admin_user.cnf.tpl
index f9785aab2..2148731dc 100644
--- a/mariadb/templates/secrets/_admin_user.cnf.tpl
+++ b/mariadb/templates/secrets/_admin_user.cnf.tpl
@@ -17,3 +17,8 @@ user = {{ .Values.endpoints.oslo_db.auth.admin.username }}
 password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
 host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- if .Values.manifests.certificates -}}
+ssl-ca = /etc/mysql/certs/ca.crt
+ssl-key = /etc/mysql/certs/tls.key
+ssl-cert = /etc/mysql/certs/tls.crt
+{{- end -}}
diff --git a/mariadb/templates/secrets/_admin_user_internal.cnf.tpl b/mariadb/templates/secrets/_admin_user_internal.cnf.tpl
index 1103fa88f..72125c417 100644
--- a/mariadb/templates/secrets/_admin_user_internal.cnf.tpl
+++ b/mariadb/templates/secrets/_admin_user_internal.cnf.tpl
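Review bot: The `_admin_user.cnf.tpl` hunk gives the admin client a CA and a key pair but no `ssl-verify-server-cert`; on MariaDB command-line clients of this era, `ssl-ca` alone does not, as far as I recall, enable checking that the presented certificate actually names the host it connected to — confirm against the client shipped in the image. If it does not, adding `ssl-verify-server-cert` inside the same conditional keeps the admin credentials from being sent to any endpoint that merely holds a certificate the CA signed. The same applies to `_admin_user_internal.cnf.tpl` below; `_exporter_user.cnf.tpl` is read by the exporter rather than the `mysql` client, so check its handling separately.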
@@ -17,3 +17,8 @@ user = {{ .Values.endpoints.oslo_db.auth.admin.username }}
 password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
 host = {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
 port = {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- if .Values.manifests.certificates -}}
+ssl-ca = /etc/mysql/certs/ca.crt
+ssl-key = /etc/mysql/certs/tls.key
+ssl-cert = /etc/mysql/certs/tls.crt
+{{- end -}}