[mariadb-operator] Fix mariadb TLS

This PS fixes some incompatibilities of the inherited mariadb config with the
docker-entrypoint.sh script that is now used to perform initial mariadb
node setup and mariadb-upgrade at startup.
Also added x509 requirement for root and audit users
connections.


Change-Id: Ic5ad2e692b64927fc73962fe0cc250a9d682114c
Sergiy Markin 2024-01-06 02:43:12 +00:00
parent 359ab4b8d7
commit d0b3f1c1d2
6 changed files with 27 additions and 27 deletions


@ -15,7 +15,7 @@ apiVersion: v1
appVersion: v10.6.14 appVersion: v10.6.14
description: OpenStack-Helm MariaDB controlled by mariadb-operator description: OpenStack-Helm MariaDB controlled by mariadb-operator
name: mariadb-cluster name: mariadb-cluster
version: 0.0.2 version: 0.0.3
home: https://mariadb.com/kb/en/ home: https://mariadb.com/kb/en/
icon: http://badges.mariadb.org/mariadb-badge-180x60.png icon: http://badges.mariadb.org/mariadb-badge-180x60.png
sources: sources:


@ -151,29 +151,6 @@ spec:
{{ end }} {{ end }}
env: env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509
value: "REQUIRE X509"
{{- end }}
- name: MARIADB_REPLICAS
value: {{ .Values.pod.replicas.server | quote }}
- name: POD_NAME_PREFIX
value: {{ tuple "oslo_db" "server" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- name: DISCOVERY_DOMAIN
value: {{ tuple "oslo_db" "discovery" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
- name: DIRECT_SVC_NAME
value: {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- name: MYSQL_DBADMIN_USERNAME
value: {{ .Values.endpoints.oslo_db.auth.admin.username }}
- name: MYSQL_DBADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-dbadmin-password
key: MYSQL_DBADMIN_PASSWORD
- name: MYSQL_HISTFILE - name: MYSQL_HISTFILE
value: {{ .Values.conf.database.mysql_histfile }} value: {{ .Values.conf.database.mysql_histfile }}
{{ if .Values.conf.database.auto_upgrade.enabled }} {{ if .Values.conf.database.auto_upgrade.enabled }}
@ -190,6 +167,10 @@ spec:
mountPath: /etc/mysql/admin_user.cnf mountPath: /etc/mysql/admin_user.cnf
subPath: admin_user.cnf subPath: admin_user.cnf
readOnly: true readOnly: true
- name: mariadb-secrets
mountPath: /docker-entrypoint-initdb.d/privileges.sql
subPath: privileges.sql
readOnly: true
- name: mariadb-bin - name: mariadb-bin
mountPath: /tmp/init.sh mountPath: /tmp/init.sh
subPath: init.sh subPath: init.sh
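Review bot: The new `mariadb-secrets` mount that places privileges.sql under /docker-entrypoint-initdb.d (second hunk of this section) is, for the usual docker-entrypoint.sh, an initialization-only hook, so on a cluster that is upgraded with an already populated data directory the REQUIRE X509 grants carried by that file would presumably never be executed — worth confirming against the entrypoint actually shipped in the image. If that is the case, record it next to the mount, e.g. `# privileges.sql is applied only when the entrypoint initialises an empty datadir; existing clusters need the X509 grants applied separately`. The first hunk of this section is a pure removal of env entries and is not re-raised here. The enclosing container spec starts and ends outside both hunks.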


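--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -23,4 +23,5 @@ type: Opaque
 data:
 admin_user.cnf: {{ tuple "secrets/_admin_user.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
 admin_user_internal.cnf: {{ tuple "secrets/_admin_user_internal.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
+privileges.sql: {{ tuple "secrets/_privileges.sql.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
 {{- end }}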


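--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,20 @@
+###########################################
+# The lines not confirmed to be working with operator are disabled
+###########################################
+# DELETE FROM mysql.user WHERE user != 'mariadb.sys';
+# CREATE OR REPLACE USER '{{ .Values.endpoints.oslo_db.auth.admin.username }}'@'%' IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.admin.password }}';
+{{- if .Values.manifests.certificates }}
+GRANT ALL ON *.* TO '{{ .Values.endpoints.oslo_db.auth.admin.username }}'@'%' REQUIRE X509 WITH GRANT OPTION;
+{{- else }}
+GRANT ALL ON *.* TO '{{ .Values.endpoints.oslo_db.auth.admin.username }}'@'%' WITH GRANT OPTION;
+{{- end }}
+DROP DATABASE IF EXISTS test ;
+# CREATE OR REPLACE USER '{{ .Values.endpoints.oslo_db.auth.sst.username }}'@'127.0.0.1' IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.sst.password }}';
+# GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{{ .Values.endpoints.oslo_db.auth.sst.username }}'@'127.0.0.1' ;
+CREATE OR REPLACE USER '{{ .Values.endpoints.oslo_db.auth.audit.username }}'@'%' IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.audit.password }}';
+{{- if .Values.manifests.certificates }}
+GRANT SELECT ON *.* TO '{{ .Values.endpoints.oslo_db.auth.audit.username }}'@'%' REQUIRE X509;
+{{- else }}
+GRANT SELECT ON *.* TO '{{ .Values.endpoints.oslo_db.auth.audit.username }}'@'%' ;
+{{- end }}
+FLUSH PRIVILEGES ;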
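Review bot: The audit password in the active `CREATE OR REPLACE USER` statement (and the admin password in the commented-out one) is interpolated into a SQL string literal without escaping, so a value containing a single quote or backslash breaks the statement or changes its meaning; escape at render time, e.g. `IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.audit.password | replace "'" "''" }}'`. `REQUIRE X509` only demands a client certificate that chains to the server's configured CA, not a particular certificate, so any certificate that CA has issued satisfies it for the admin account; if the same CA issues certificates to other workloads, `REQUIRE SUBJECT` or `REQUIRE ISSUER` binds the account more tightly, and the header comment should state which guarantee is intended. The admin account itself is never created in this file (that line is disabled), so the `GRANT ALL ... WITH GRANT OPTION` presumably relies on the entrypoint or operator having created the user beforehand — worth confirming and recording in the header comment, since a GRANT that implicitly creates the account would leave it without the intended password.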


@ -368,15 +368,12 @@ conf:
[client] [client]
default_character_set=utf8 default_character_set=utf8
protocol=tcp
port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ if .Values.manifests.certificates }} {{ if .Values.manifests.certificates }}
# TLS # TLS
ssl_ca=/etc/mysql/certs/ca.crt ssl_ca=/etc/mysql/certs/ca.crt
ssl_key=/etc/mysql/certs/tls.key ssl_key=/etc/mysql/certs/tls.key
ssl_cert=/etc/mysql/certs/tls.crt ssl_cert=/etc/mysql/certs/tls.crt
# tls_version = TLSv1.2,TLSv1.3 # tls_version = TLSv1.2,TLSv1.3
ssl-verify-server-cert
{{ end }} {{ end }}
my: | my: |
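Review bot: `ssl-verify-server-cert` appears to be on the removed side of this hunk (the hunk shrinks from 15 to 12 lines, and the page's 27 additions are already accounted for by the other sections), which means the shared `[client]` config stops verifying the server certificate even when `manifests.certificates` is enabled, leaving every client that reads this file open to a spoofed server. If the line had to go because the entrypoint's local connection — presumably over the socket now that `protocol=tcp` and `port=` are dropped — fails host-name verification, a narrower fix is to keep `ssl-verify-server-cert` under the certificates guard and give the local client its own section or option file, rather than disabling verification for all consumers; at minimum record the reason in place, e.g. `# ssl-verify-server-cert intentionally omitted: <reason>`. The `[client]` block scalar under conf starts outside the hunk.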


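--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -2,4 +2,5 @@
 mariadb-cluster:
 - 0.0.1 Initial Chart
 - 0.0.2 Enable auto-upgrade
+- 0.0.3 Fixed TLS config and added x509 requirement
 ...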