MariaDB: Update start script to be more robust

This PS updates the MariaDB start script remove templated values
from being directly inserted into the script. It also moves the
root connection params to a secret to prevent the root password
being exposed in logs.

Change-Id: I10977ef267877a5913bf265280ff5439c7bf268c

mariadb/templates/bin/_readiness.sh.tpl

@@ -16,7 +16,7 @@
 
 set -o pipefail
 
-MYSQL="mysql -u root --password=${MYSQL_ROOT_PASSWORD}"
+MYSQL="mysql --defaults-file=/etc/mysql/admin_user.cnf --host=localhost"
 
 if [ ! $($MYSQL -e 'select 1') ]; then
     echo "Could not SELECT 1" 1>&2

mariadb/templates/bin/_start.sh.tpl

@@ -13,38 +13,41 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-#
+set -xe
-# Bootstrap database
-#
-CLUSTER_INIT_ARGS=
 
+# Bootstrap database
+CLUSTER_INIT_ARGS=""
 if [ ! -d /var/lib/mysql/mysql ]; then
     if [ "x${POD_NAME}" = "x${SERVICE_NAME}-0" ]; then
         echo No data found for pod 0
-        if [ "xtrue" = "x{{ .Values.force_bootstrap }}" ]; then
+        if [ "x${FORCE_BOOTSTRAP}" = "xtrue" ]; then
-            echo force_bootstrap set, so will force-initialize node 0.
+            echo 'force_bootstrap set, so will force-initialize node 0.'
             CLUSTER_INIT_ARGS=--wsrep-new-cluster
-        elif ! mysql -h ${SERVICE_NAME} -u root --password=${MYSQL_ROOT_PASSWORD} -e 'select 1'; then
+        elif ! mysql --defaults-file=/etc/mysql/admin_user.cnf \
-            echo No other nodes found, so will initialize cluster.
+                     --connect-timeout 2 \
+                     -e 'select 1'; then
+            echo 'No other nodes found, so will initialize cluster.'
             CLUSTER_INIT_ARGS=--wsrep-new-cluster
         else
-            echo Found other live nodes, will attempt to join them.
+            echo 'Found other live nodes, will attempt to join them.'
             mkdir /var/lib/mysql/mysql
         fi
     else
-        echo Not pod 0, so will avoid upstream database initialization.
+        echo 'Not pod 0, so will avoid upstream database initialization.'
         mkdir /var/lib/mysql/mysql
     fi
 fi
 
-#
 # Construct cluster config
-#
 CLUSTER_CONFIG_PATH=/etc/mysql/conf.d/10-cluster-config.cnf
 
-MEMBERS=
+MEMBERS=""
-for i in $(seq 1 {{ .Values.pod.replicas.server }}); do
+for i in $(seq 1 ${MARIADB_REPLICAS}); do
-    NUM=$(expr $i - 1)
+    if [ "$i" -eq "1" ]; then
+      NUM="0"
+    else
+      NUM="$(expr $i - 1)"
+    fi
     CANDIDATE_POD="${SERVICE_NAME}-$NUM.${DISCOVERY_SERVICE_NAME}"
     if [ "x${CANDIDATE_POD}" != "x${POD_NAME}.${DISCOVERY_SERVICE_NAME}" ]; then
         if [ -n "${MEMBERS}" ]; then
@@ -54,22 +57,14 @@ for i in $(seq 1 {{ .Values.pod.replicas.server }}); do
     fi
 done
 
-echo
+echo "Writing cluster config for ${POD_NAME} to ${CLUSTER_CONFIG_PATH}"
-echo Writing cluster config for ${POD_NAME} to ${CLUSTER_CONFIG_PATH}
+cat >> ${CLUSTER_CONFIG_PATH} <<EOF
-echo vvv
-
-cat <<EOS | tee ${CLUSTER_CONFIG_PATH}
 [mysqld]
 wsrep_cluster_address="gcomm://${MEMBERS}"
 wsrep_node_address=${POD_IP}
 wsrep_node_name=${POD_NAME}.${DISCOVERY_SERVICE_NAME}
-EOS
+EOF
 
-echo ^^^
+echo 'Executing upstream docker-entrypoint.'
-echo Executing upstream docker-entrypoint.
+set +e
-echo
-
-#
-# Start server
-#
 exec /usr/local/bin/docker-entrypoint.sh mysqld ${CLUSTER_INIT_ARGS}

mariadb/templates/etc/_00-base.cnf.tpl

@@ -96,11 +96,9 @@ wsrep_slave_threads=12
 wsrep_sst_auth=root:{{ .Values.endpoints.oslo_db.auth.admin.password }}
 wsrep_sst_method=xtrabackup-v2
 
-
 [mysqldump]
 max-allowed-packet=16M
 
-
 [client]
 default_character_set=utf8
 protocol=tcp

mariadb/templates/secrets-etc.yaml

@@ -0,0 +1,24 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mariadb-secrets
+type: Opaque
+data:
+  admin_user.cnf: |
+{{ tuple "secrets/_admin_user.cnf.tpl" . | include "helm-toolkit.utils.template"  | b64enc | indent 4 }}

mariadb/templates/secrets/_admin_user.cnf.tpl

@@ -0,0 +1,19 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[client]
+user = {{ .Values.endpoints.oslo_db.auth.admin.username }}
+password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
+host = {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+port = {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}

mariadb/templates/statefulset.yaml

@@ -46,6 +46,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.name
+            - name: FORCE_BOOTSTRAP
+              value: {{ .Values.force_bootstrap | quote }}
+            - name: MARIADB_REPLICAS
+              value: {{ .Values.pod.replicas.server | quote }}
             - name: WSREP_PORT
               value: {{ tuple "oslo_db" "internal" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
             - name: SERVICE_NAME
@@ -74,8 +78,8 @@ spec:
               readOnly: true
             - name: mariadb-etc
               mountPath: /etc/mysql/my.cnf
-              readOnly: true
               subPath: my.cnf
+              readOnly: true
             - name: mariadb-etc
               mountPath: /etc/mysql/conf.d/00-base.cnf
               subPath: 00-base.cnf
@@ -88,6 +92,10 @@ spec:
               mountPath: /etc/mysql/conf.d/99-force.cnf
               subPath: 99-force.cnf
               readOnly: true
+            - name: mariadb-secrets
+              mountPath: /etc/mysql/admin_user.cnf
+              subPath: admin_user.cnf
+              readOnly: true
             - name: mysql-data
               mountPath: /var/lib/mysql
       volumes:
@@ -101,6 +109,10 @@ spec:
           configMap:
             name: mariadb-etc
             defaultMode: 0444
+        - name: mariadb-secrets
+          secret:
+            secretName: mariadb-secrets
+            defaultMode: 0444
         {{- if not .Values.volume.enabled }}
         - name: mysql-data
           emptyDir: {}