diff --git a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl index 1b639f03c..265a4ba9c 100644 --- a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl +++ b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl @@ -34,6 +34,9 @@ limitations under the License. {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} +{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }} {{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} @@ -82,6 +85,12 @@ spec: - name: OPENSTACK_CONFIG_DB_KEY value: {{ $dbToDrop.configDbKey | quote }} {{- end }} +{{- if $envAll.Values.manifests.certificates }} + - name: MARIADB_X509 + value: "REQUIRE X509" + - name: USER_CERT_PATH + value: {{ $tlsPath | quote }} +{{- end }} {{- if eq $dbToDropType "secret" }} - name: DB_CONNECTION valueFrom: @@ -98,6 +107,7 @@ spec: mountPath: /tmp/db-drop.py subPath: db-drop.py readOnly: true + {{- if eq $dbToDropType "oslo" }} - name: etc-service mountPath: {{ dir $dbToDrop.configFile | quote }} @@ -110,6 +120,10 @@ spec: subPath: {{ base $dbToDrop.logConfigFile | quote }} readOnly: true {{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} {{- end }} volumes: - name: pod-tmp @@ -124,6 +138,10 @@ spec: name: {{ $configMapBin | quote }} defaultMode: 0555 {{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} {{- $local := dict "configMapBinFirst" true -}} {{- range $key1, $dbToDrop := $dbsToDrop }} {{- $dbToDropType := default "oslo" $dbToDrop.inputType }} diff --git a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl index 73ac04d26..3f72f3335 100644 --- a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl +++ b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl @@ -34,6 +34,9 @@ limitations under the License. {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} +{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }} {{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} @@ -87,6 +90,12 @@ spec: secretKeyRef: name: {{ $dbToInit.userSecret | quote }} key: DB_CONNECTION +{{- end }} +{{- if $envAll.Values.manifests.certificates }} + - name: MARIADB_X509 + value: "REQUIRE X509" + - name: USER_CERT_PATH + value: {{ $tlsPath | quote }} {{- end }} command: - /tmp/db-init.py @@ -109,6 +118,10 @@ spec: subPath: {{ base $dbToInit.logConfigFile | quote }} readOnly: true {{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} {{- end }} volumes: - name: pod-tmp @@ -123,6 +136,10 @@ spec: name: {{ $configMapBin | quote }} defaultMode: 0555 {{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} {{- $local := dict "configMapBinFirst" true -}} {{- range $key1, $dbToInit := $dbsToInit }} {{- $dbToInitType := default "oslo" $dbToInit.inputType }} diff --git a/helm-toolkit/templates/manifests/_job-db-sync.tpl b/helm-toolkit/templates/manifests/_job-db-sync.tpl index 0e4e3ad83..1352293b5 100644 --- a/helm-toolkit/templates/manifests/_job-db-sync.tpl +++ b/helm-toolkit/templates/manifests/_job-db-sync.tpl @@ -31,6 +31,9 @@ limitations under the License. {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} +{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }} {{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} @@ -87,6 +90,8 @@ spec: mountPath: {{ $dbToSync.logConfigFile | quote }} subPath: {{ base $dbToSync.logConfigFile | quote }} readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- if $podVolMounts }} {{ $podVolMounts | toYaml | indent 12 }} {{- end }} @@ -109,6 +114,8 @@ spec: secret: secretName: {{ $configMapEtc | quote }} defaultMode: 0444 +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- if $podVols }} {{ $podVols | toYaml | indent 8 }} {{- end }} diff --git a/helm-toolkit/templates/scripts/_db-drop.py.tpl b/helm-toolkit/templates/scripts/_db-drop.py.tpl index 814475467..322932eb1 100644 --- a/helm-toolkit/templates/scripts/_db-drop.py.tpl +++ b/helm-toolkit/templates/scripts/_db-drop.py.tpl @@ -54,6 +54,13 @@ else: logger.critical('environment variable ROOT_DB_CONNECTION not set') sys.exit(1) +mysql_x509 = os.getenv('MARIADB_X509', "") +if mysql_x509: + user_tls_cert_path = os.getenv('USER_CERT_PATH', "") + if not user_tls_cert_path: + logger.critical('environment variable USER_CERT_PATH not set') + sys.exit(1) + # Get the connection string for the service db if "OPENSTACK_CONFIG_FILE" in os.environ: os_conf = os.environ['OPENSTACK_CONFIG_FILE'] @@ -94,7 +101,13 @@ try: host = root_engine_full.url.host port = root_engine_full.url.port root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) - root_engine = create_engine(root_engine_url) + if mysql_x509: + ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', + 'key': '/etc/mysql/certs/tls.key', + 'cert': '/etc/mysql/certs/tls.crt'}} + root_engine = create_engine(root_engine_url, connect_args=ssl_args) + else: + root_engine = create_engine(root_engine_url) connection = root_engine.connect() connection.close() logger.info("Tested connection to DB @ {0}:{1} as {2}".format( @@ -105,7 +118,13 @@ except: # User DB engine try: - user_engine = create_engine(user_db_conn) + if mysql_x509: + ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path), + 'key': '{0}/tls.key'.format(user_tls_cert_path), + 'cert': '{0}/tls.crt'.format(user_tls_cert_path)}} + user_engine = create_engine(user_db_conn, connect_args=ssl_args) + else: + user_engine = create_engine(user_db_conn) # Get our user data out of the user_engine database = user_engine.url.database user = user_engine.url.username diff --git a/helm-toolkit/templates/scripts/_db-init.py.tpl b/helm-toolkit/templates/scripts/_db-init.py.tpl index c620a8d27..d0bda49a6 100644 --- a/helm-toolkit/templates/scripts/_db-init.py.tpl +++ b/helm-toolkit/templates/scripts/_db-init.py.tpl @@ -54,6 +54,13 @@ else: logger.critical('environment variable ROOT_DB_CONNECTION not set') sys.exit(1) +mysql_x509 = os.getenv('MARIADB_X509', "") +if mysql_x509: + user_tls_cert_path = os.getenv('USER_CERT_PATH', "") + if not user_tls_cert_path: + logger.critical('environment variable USER_CERT_PATH not set') + sys.exit(1) + # Get the connection string for the service db if "OPENSTACK_CONFIG_FILE" in os.environ: os_conf = os.environ['OPENSTACK_CONFIG_FILE'] @@ -94,7 +101,13 @@ try: host = root_engine_full.url.host port = root_engine_full.url.port root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) - root_engine = create_engine(root_engine_url) + if mysql_x509: + ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', + 'key': '/etc/mysql/certs/tls.key', + 'cert': '/etc/mysql/certs/tls.crt'}} + root_engine = create_engine(root_engine_url, connect_args=ssl_args) + else: + root_engine = create_engine(root_engine_url) connection = root_engine.connect() connection.close() logger.info("Tested connection to DB @ {0}:{1} as {2}".format( @@ -105,7 +118,13 @@ except: # User DB engine try: - user_engine = create_engine(user_db_conn) + if mysql_x509: + ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path), + 'key': '{0}/tls.key'.format(user_tls_cert_path), + 'cert': '{0}/tls.crt'.format(user_tls_cert_path)}} + user_engine = create_engine(user_db_conn, connect_args=ssl_args) + else: + user_engine = create_engine(user_db_conn) # Get our user data out of the user_engine database = user_engine.url.database user = user_engine.url.username @@ -126,8 +145,8 @@ except: # Create DB User try: root_engine.execute( - "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\'".format( - database, user, password)) + "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format( + database, user, password, mysql_x509)) logger.info("Created user {0} for {1}".format(user, database)) except: logger.critical("Could not create user {0} for {1}".format(user, database)) diff --git a/mariadb/templates/bin/_readiness.sh.tpl b/mariadb/templates/bin/_readiness.sh.tpl index b8fac01ec..fae9172c6 100644 --- a/mariadb/templates/bin/_readiness.sh.tpl +++ b/mariadb/templates/bin/_readiness.sh.tpl @@ -19,6 +19,12 @@ set -e MYSQL="mysql \ --defaults-file=/etc/mysql/admin_user.cnf \ --host=localhost \ +{{- if .Values.manifests.certificates }} + --ssl-verify-server-cert=false \ + --ssl-ca=/etc/mysql/certs/ca.crt \ + --ssl-key=/etc/mysql/certs/tls.key \ + --ssl-cert=/etc/mysql/certs/tls.crt \ +{{- end }} --connect-timeout 2" mysql_status_query () { @@ -28,22 +34,25 @@ mysql_status_query () { } if ! $MYSQL -e 'select 1' > /dev/null 2>&1 ; then - exit 1 + exit 1 fi if [ "x$(mysql_status_query wsrep_ready)" != "xON" ]; then - # WSREP says the node can receive queries - exit 1 + # WSREP says the node can receive queries + exit 1 fi + if [ "x$(mysql_status_query wsrep_connected)" != "xON" ]; then - # WSREP connected - exit 1 + # WSREP connected + exit 1 fi + if [ "x$(mysql_status_query wsrep_cluster_status)" != "xPrimary" ]; then - # Not in primary cluster - exit 1 + # Not in primary cluster + exit 1 fi + if [ "x$(mysql_status_query wsrep_local_state_comment)" != "xSynced" ]; then - # WSREP not synced - exit 1 + # WSREP not synced + exit 1 fi diff --git a/mariadb/templates/bin/_start.py.tpl b/mariadb/templates/bin/_start.py.tpl index 1275fb5f5..6b65e5c83 100644 --- a/mariadb/templates/bin/_start.py.tpl +++ b/mariadb/templates/bin/_start.py.tpl @@ -104,6 +104,8 @@ else: if check_env_var("MYSQL_DBAUDIT_PASSWORD"): mysql_dbaudit_password = os.environ['MYSQL_DBAUDIT_PASSWORD'] +mysql_x509 = os.getenv('MARIADB_X509', "") + if mysql_dbadmin_username == mysql_dbsst_username: logger.critical( "The dbadmin username should not match the sst user username") @@ -270,33 +272,35 @@ def mysqld_bootstrap(): # is locked and cannot login "DELETE FROM mysql.user WHERE user != 'mariadb.sys' ;\n" # nosec "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n" - "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n" + "GRANT ALL ON *.* TO '{0}'@'%' {4} WITH GRANT OPTION; \n" "DROP DATABASE IF EXISTS test ;\n" - "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n" - "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n" + "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}';\n" + "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1';\n" "FLUSH PRIVILEGES ;\n" "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password, - mysql_dbsst_username, mysql_dbsst_password)) + mysql_dbsst_username, mysql_dbsst_password, + mysql_x509)) else: template = ( "DELETE FROM mysql.user WHERE user != 'mariadb.sys' ;\n" # nosec "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n" - "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n" + "GRANT ALL ON *.* TO '{0}'@'%' {6} WITH GRANT OPTION;\n" "DROP DATABASE IF EXISTS test ;\n" - "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n" + "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}';\n" "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n" - "CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n" - "GRANT SELECT ON *.* TO '{4}'@'%' ;\n" + "CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}';\n" + "GRANT SELECT ON *.* TO '{4}'@'%' {6};\n" "FLUSH PRIVILEGES ;\n" "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password, mysql_dbsst_username, mysql_dbsst_password, - mysql_dbaudit_username, mysql_dbaudit_password)) + mysql_dbaudit_username, mysql_dbaudit_password, + mysql_x509)) bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name with open(bootstrap_sql_file, 'w') as f: f.write(template) f.close() run_cmd_with_logging([ - 'mysqld', '--bind-address=127.0.0.1', + 'mysqld', '--user=mysql', '--bind-address=127.0.0.1', '--wsrep_cluster_address=gcomm://', "--init-file={0}".format(bootstrap_sql_file) ], logger) @@ -780,7 +784,7 @@ def run_mysqld(cluster='existing'): mysqld_write_cluster_conf(mode='run') launch_leader_election() launch_cluster_monitor() - mysqld_cmd = ['mysqld'] + mysqld_cmd = ['mysqld', '--user=mysql'] if cluster == 'new': mysqld_cmd.append('--wsrep-new-cluster') @@ -791,24 +795,26 @@ def run_mysqld(cluster='existing'): if not mysql_dbaudit_username: template = ( "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n" - "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n" + "GRANT ALL ON *.* TO '{0}'@'%' {4} WITH GRANT OPTION ;\n" "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n" "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n" "FLUSH PRIVILEGES ;\n" - "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password, - mysql_dbsst_username, mysql_dbsst_password)) - else: - template = ( - "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n" - "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n" - "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n" - "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n" - "CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n" - "GRANT SELECT ON *.* TO '{4}'@'%' ;\n" - "FLUSH PRIVILEGES ;\n" "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password, mysql_dbsst_username, mysql_dbsst_password, - mysql_dbaudit_username, mysql_dbaudit_password)) + mysql_x509)) + else: + template = ( + "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n" + "GRANT ALL ON *.* TO '{0}'@'%' {6} WITH GRANT OPTION ;\n" + "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n" + "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n" + "CREATE OR REPLACE USER '{4}'@'%' IDENTIFIED BY '{5}' ;\n" + "GRANT SELECT ON *.* TO '{4}'@'%' {6};\n" + "FLUSH PRIVILEGES ;\n" + "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password, + mysql_dbsst_username, mysql_dbsst_password, + mysql_dbaudit_username, mysql_dbaudit_password, + mysql_x509)) bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name with open(bootstrap_sql_file, 'w') as f: f.write(template) diff --git a/mariadb/templates/certificates.yaml b/mariadb/templates/certificates.yaml new file mode 100644 index 000000000..200f974ac --- /dev/null +++ b/mariadb/templates/certificates.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.certificates -}} +{{ dict "envAll" . "service" "oslo_db" "type" "default" | include "helm-toolkit.manifests.certificates" }} +{{- end -}} diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml index 70255b597..7ccc219bf 100644 --- a/mariadb/templates/statefulset.yaml +++ b/mariadb/templates/statefulset.yaml @@ -136,6 +136,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + {{- if $envAll.Values.manifests.certificates }} + - name: MARIADB_X509 + value: "REQUIRE X509" + {{- end }} - name: MARIADB_REPLICAS value: {{ .Values.pod.replicas.server | quote }} - name: POD_NAME_PREFIX @@ -229,6 +233,7 @@ spec: readOnly: true - name: mysql-data mountPath: /var/lib/mysql +{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} volumes: - name: pod-tmp emptyDir: {} @@ -248,6 +253,7 @@ spec: secret: secretName: mariadb-secrets defaultMode: 0444 +{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- if not .Values.volume.enabled }} - name: mysql-data {{- if .Values.volume.use_local_path_for_single_pod_cluster.enabled }} diff --git a/mariadb/values.yaml b/mariadb/values.yaml index cabf6d136..18de2ee5f 100644 --- a/mariadb/values.yaml +++ b/mariadb/values.yaml @@ -20,7 +20,6 @@ release_group: null images: tags: - # 10.2.31 mariadb: openstackhelm/mariadb@sha256:5f05ce5dce71c835c6361a05705da5cce31114934689ec87dfa48b8f8c600f70 ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0 error_pages: gcr.io/google_containers/defaultbackend:1.4 @@ -416,6 +415,15 @@ conf: wsrep_sst_auth={{ .Values.endpoints.oslo_db.auth.sst.username }}:{{ .Values.endpoints.oslo_db.auth.sst.password }} wsrep_sst_method=mariabackup + {{ if .Values.manifests.certificates }} + # TLS + ssl_ca=/etc/mysql/certs/ca.crt + ssl_key=/etc/mysql/certs/tls.key + ssl_cert=/etc/mysql/certs/tls.crt + # tls_version = TLSv1.2,TLSv1.3 + {{ end }} + + [mysqldump] max-allowed-packet=16M @@ -423,6 +431,15 @@ conf: default_character_set=utf8 protocol=tcp port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{ if .Values.manifests.certificates }} + # TLS + ssl_ca=/etc/mysql/certs/ca.crt + ssl_key=/etc/mysql/certs/tls.key + ssl_cert=/etc/mysql/certs/tls.crt + # tls_version = TLSv1.2,TLSv1.3 + ssl-verify-server-cert + {{ end }} + config_override: null # Any configuration here will override the base config. # config_override: |- @@ -445,6 +462,11 @@ secrets: remote_rgw_user: mariadb-backup-user mariadb: backup_restore: mariadb-backup-restore + tls: + oslo_db: + server: + public: mariadb-tls-server + internal: mariadb-tls-direct # typically overridden by environmental # values, but should include all endpoints @@ -589,6 +611,7 @@ network_policy: - {} manifests: + certificates: false configmap_bin: true configmap_etc: true configmap_ingress_conf: true diff --git a/mariadb/values_overrides/tls.yaml b/mariadb/values_overrides/tls.yaml new file mode 100644 index 000000000..f89d5e94b --- /dev/null +++ b/mariadb/values_overrides/tls.yaml @@ -0,0 +1,23 @@ +--- +pod: + security_context: + server: + container: + perms: + readOnlyRootFilesystem: false + mariadb: + runAsUser: 0 + allowPrivilegeEscalation: true + readOnlyRootFilesystem: false +endpoints: + oslo_db: + host_fqdn_override: + default: + tls: + secretName: mariadb-tls-direct + issuerRef: + name: ca-issuer + kind: Issuer +manifests: + certificates: true +...