MariaDB: Update start script to be more robust

This PS updates the MariaDB start script remove templated values from being directly inserted into the script. It also moves the root connection params to a secret to prevent the root password being exposed in logs. Change-Id: I10977ef267877a5913bf265280ff5439c7bf268c
2017-07-29 15:58:59 -05:00 · 2017-07-29 15:58:59 -05:00 · e7abfee16d
commit e7abfee16d
parent 8dfc2cf3a3
6 changed files with 80 additions and 32 deletions
--- a/mariadb/templates/bin/_readiness.sh.tpl
+++ b/mariadb/templates/bin/_readiness.sh.tpl
@ -16,7 +16,7 @@

 set -o pipefail

-MYSQL="mysql -u root --password=${MYSQL_ROOT_PASSWORD}"
+MYSQL="mysql --defaults-file=/etc/mysql/admin_user.cnf --host=localhost"

 if [ ! $($MYSQL -e 'select 1') ]; then
    echo "Could not SELECT 1" 1>&2
--- a/mariadb/templates/bin/_start.sh.tpl
+++ b/mariadb/templates/bin/_start.sh.tpl
@ -13,38 +13,41 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-#
-# Bootstrap database
-#
-CLUSTER_INIT_ARGS=
+set -xe

+# Bootstrap database
+CLUSTER_INIT_ARGS=""
 if [ ! -d /var/lib/mysql/mysql ]; then
    if [ "x${POD_NAME}" = "x${SERVICE_NAME}-0" ]; then
        echo No data found for pod 0
-        if [ "xtrue" = "x{{ .Values.force_bootstrap }}" ]; then
-            echo force_bootstrap set, so will force-initialize node 0.
+        if [ "x${FORCE_BOOTSTRAP}" = "xtrue" ]; then
+            echo 'force_bootstrap set, so will force-initialize node 0.'
            CLUSTER_INIT_ARGS=--wsrep-new-cluster
-        elif ! mysql -h ${SERVICE_NAME} -u root --password=${MYSQL_ROOT_PASSWORD} -e 'select 1'; then
-            echo No other nodes found, so will initialize cluster.
+        elif ! mysql --defaults-file=/etc/mysql/admin_user.cnf \
+                     --connect-timeout 2 \
+                     -e 'select 1'; then
+            echo 'No other nodes found, so will initialize cluster.'
            CLUSTER_INIT_ARGS=--wsrep-new-cluster
        else
-            echo Found other live nodes, will attempt to join them.
+            echo 'Found other live nodes, will attempt to join them.'
            mkdir /var/lib/mysql/mysql
        fi
    else
-        echo Not pod 0, so will avoid upstream database initialization.
+        echo 'Not pod 0, so will avoid upstream database initialization.'
        mkdir /var/lib/mysql/mysql
    fi
 fi

-#
 # Construct cluster config
-#
 CLUSTER_CONFIG_PATH=/etc/mysql/conf.d/10-cluster-config.cnf

-MEMBERS=
-for i in $(seq 1 {{ .Values.pod.replicas.server }}); do
-    NUM=$(expr $i - 1)
+MEMBERS=""
+for i in $(seq 1 ${MARIADB_REPLICAS}); do
+    if [ "$i" -eq "1" ]; then
+      NUM="0"
+    else
+      NUM="$(expr $i - 1)"
+    fi
    CANDIDATE_POD="${SERVICE_NAME}-$NUM.${DISCOVERY_SERVICE_NAME}"
    if [ "x${CANDIDATE_POD}" != "x${POD_NAME}.${DISCOVERY_SERVICE_NAME}" ]; then
        if [ -n "${MEMBERS}" ]; then
@ -54,22 +57,14 @@ for i in $(seq 1 {{ .Values.pod.replicas.server }}); do
    fi
 done

-echo
-echo Writing cluster config for ${POD_NAME} to ${CLUSTER_CONFIG_PATH}
-echo vvv
-
-cat <<EOS | tee ${CLUSTER_CONFIG_PATH}
+echo "Writing cluster config for ${POD_NAME} to ${CLUSTER_CONFIG_PATH}"
+cat >> ${CLUSTER_CONFIG_PATH} <<EOF
 [mysqld]
 wsrep_cluster_address="gcomm://${MEMBERS}"
 wsrep_node_address=${POD_IP}
 wsrep_node_name=${POD_NAME}.${DISCOVERY_SERVICE_NAME}
-EOS
+EOF

-echo ^^^
-echo Executing upstream docker-entrypoint.
-echo
-
-#
-# Start server
-#
+echo 'Executing upstream docker-entrypoint.'
+set +e
 exec /usr/local/bin/docker-entrypoint.sh mysqld ${CLUSTER_INIT_ARGS}
--- a/mariadb/templates/etc/_00-base.cnf.tpl
+++ b/mariadb/templates/etc/_00-base.cnf.tpl
@ -96,11 +96,9 @@ wsrep_slave_threads=12
 wsrep_sst_auth=root:{{ .Values.endpoints.oslo_db.auth.admin.password }}
 wsrep_sst_method=xtrabackup-v2

-
 [mysqldump]
 max-allowed-packet=16M

-
 [client]
 default_character_set=utf8
 protocol=tcp
--- a/mariadb/templates/secrets-etc.yaml
+++ b/mariadb/templates/secrets-etc.yaml
@ -0,0 +1,24 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mariadb-secrets
+type: Opaque
+data:
+  admin_user.cnf: |
+{{ tuple "secrets/_admin_user.cnf.tpl" . | include "helm-toolkit.utils.template"  | b64enc | indent 4 }}
--- a/mariadb/templates/secrets/_admin_user.cnf.tpl
+++ b/mariadb/templates/secrets/_admin_user.cnf.tpl
@ -0,0 +1,19 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[client]
+user = {{ .Values.endpoints.oslo_db.auth.admin.username }}
+password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
+host = {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+port = {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@ -46,6 +46,10 @@ spec:
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
+            - name: FORCE_BOOTSTRAP
+              value: {{ .Values.force_bootstrap | quote }}
+            - name: MARIADB_REPLICAS
+              value: {{ .Values.pod.replicas.server | quote }}
            - name: WSREP_PORT
              value: {{ tuple "oslo_db" "internal" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
            - name: SERVICE_NAME
@ -74,8 +78,8 @@ spec:
              readOnly: true
            - name: mariadb-etc
              mountPath: /etc/mysql/my.cnf
-              readOnly: true
              subPath: my.cnf
+              readOnly: true
            - name: mariadb-etc
              mountPath: /etc/mysql/conf.d/00-base.cnf
              subPath: 00-base.cnf
@ -88,6 +92,10 @@ spec:
              mountPath: /etc/mysql/conf.d/99-force.cnf
              subPath: 99-force.cnf
              readOnly: true
+            - name: mariadb-secrets
+              mountPath: /etc/mysql/admin_user.cnf
+              subPath: admin_user.cnf
+              readOnly: true
            - name: mysql-data
              mountPath: /var/lib/mysql
      volumes:
@ -101,6 +109,10 @@ spec:
          configMap:
            name: mariadb-etc
            defaultMode: 0444
+        - name: mariadb-secrets
+          secret:
+            secretName: mariadb-secrets
+            defaultMode: 0444
        {{- if not .Values.volume.enabled }}
        - name: mysql-data
          emptyDir: {}