[mariadb-operator] Fix mariadb TLS
This PS fixes some incompatibilities of the inherited mariadb config with the docker-entrypoint.sh script that is now used to perform the initial setup of mariadb nodes and mariadb-upgrade at startup. It also adds an x509 requirement for root and audit user connections. Change-Id: Ic5ad2e692b64927fc73962fe0cc250a9d682114c
This commit is contained in:
parent
359ab4b8d7
commit
d0b3f1c1d2
@ -15,7 +15,7 @@ apiVersion: v1
|
|||||||
appVersion: v10.6.14
|
appVersion: v10.6.14
|
||||||
description: OpenStack-Helm MariaDB controlled by mariadb-operator
|
description: OpenStack-Helm MariaDB controlled by mariadb-operator
|
||||||
name: mariadb-cluster
|
name: mariadb-cluster
|
||||||
version: 0.0.2
|
version: 0.0.3
|
||||||
home: https://mariadb.com/kb/en/
|
home: https://mariadb.com/kb/en/
|
||||||
icon: http://badges.mariadb.org/mariadb-badge-180x60.png
|
icon: http://badges.mariadb.org/mariadb-badge-180x60.png
|
||||||
sources:
|
sources:
|
||||||
|
@ -151,29 +151,6 @@ spec:
|
|||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
env:
|
env:
|
||||||
- name: POD_NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
{{- if $envAll.Values.manifests.certificates }}
|
|
||||||
- name: MARIADB_X509
|
|
||||||
value: "REQUIRE X509"
|
|
||||||
{{- end }}
|
|
||||||
- name: MARIADB_REPLICAS
|
|
||||||
value: {{ .Values.pod.replicas.server | quote }}
|
|
||||||
- name: POD_NAME_PREFIX
|
|
||||||
value: {{ tuple "oslo_db" "server" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
|
||||||
- name: DISCOVERY_DOMAIN
|
|
||||||
value: {{ tuple "oslo_db" "discovery" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
|
|
||||||
- name: DIRECT_SVC_NAME
|
|
||||||
value: {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
|
||||||
- name: MYSQL_DBADMIN_USERNAME
|
|
||||||
value: {{ .Values.endpoints.oslo_db.auth.admin.username }}
|
|
||||||
- name: MYSQL_DBADMIN_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: mariadb-dbadmin-password
|
|
||||||
key: MYSQL_DBADMIN_PASSWORD
|
|
||||||
- name: MYSQL_HISTFILE
|
- name: MYSQL_HISTFILE
|
||||||
value: {{ .Values.conf.database.mysql_histfile }}
|
value: {{ .Values.conf.database.mysql_histfile }}
|
||||||
{{ if .Values.conf.database.auto_upgrade.enabled }}
|
{{ if .Values.conf.database.auto_upgrade.enabled }}
|
||||||
@ -190,6 +167,10 @@ spec:
|
|||||||
mountPath: /etc/mysql/admin_user.cnf
|
mountPath: /etc/mysql/admin_user.cnf
|
||||||
subPath: admin_user.cnf
|
subPath: admin_user.cnf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
- name: mariadb-secrets
|
||||||
|
mountPath: /docker-entrypoint-initdb.d/privileges.sql
|
||||||
|
subPath: privileges.sql
|
||||||
|
readOnly: true
|
||||||
- name: mariadb-bin
|
- name: mariadb-bin
|
||||||
mountPath: /tmp/init.sh
|
mountPath: /tmp/init.sh
|
||||||
subPath: init.sh
|
subPath: init.sh
|
||||||
|
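Review bot: The new privileges.sql mount under /docker-entrypoint-initdb.d/ is, as far as I know of the mariadb image's docker-entrypoint.sh, only executed when the data directory is initialised for the first time, so the X509 requirement it carries is not applied to clusters that already exist or that flip manifests.certificates after initialisation. That leaves the GRANTs in the SQL file and the actual server state diverging silently; the chart needs an explicit re-apply path (for example alongside the auto_upgrade step) or at least a documented caveat. A comment above the mount would make the limitation visible to the next maintainer, e.g. `# privileges.sql is executed by docker-entrypoint.sh only on first initialisation of the datadir; later changes require a manual GRANT re-apply`. The enclosing container spec starts and ends outside this hunk.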
@ -23,4 +23,5 @@ type: Opaque
|
|||||||
data:
|
data:
|
||||||
admin_user.cnf: {{ tuple "secrets/_admin_user.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
|
admin_user.cnf: {{ tuple "secrets/_admin_user.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
|
||||||
admin_user_internal.cnf: {{ tuple "secrets/_admin_user_internal.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
|
admin_user_internal.cnf: {{ tuple "secrets/_admin_user_internal.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
|
||||||
|
privileges.sql: {{ tuple "secrets/_privileges.sql.tpl" . | include "helm-toolkit.utils.template" | b64enc }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
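--- a/mariadb-cluster/templates/secrets/_privileges.sql.tpl
+++ b/mariadb-cluster/templates/secrets/_privileges.sql.tpl
@@ -0,0 +1,20 @@
+###########################################
+# The lines not confirmed to be working with operator are disabled
+###########################################
+# DELETE FROM mysql.user WHERE user != 'mariadb.sys';
+# CREATE OR REPLACE USER '{{ .Values.endpoints.oslo_db.auth.admin.username }}'@'%' IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.admin.password }}';
+{{- if .Values.manifests.certificates }}
+GRANT ALL ON *.* TO '{{ .Values.endpoints.oslo_db.auth.admin.username }}'@'%' REQUIRE X509 WITH GRANT OPTION;
+{{- else }}
+GRANT ALL ON *.* TO '{{ .Values.endpoints.oslo_db.auth.admin.username }}'@'%' WITH GRANT OPTION;
+{{- end }}
+DROP DATABASE IF EXISTS test ;
+# CREATE OR REPLACE USER '{{ .Values.endpoints.oslo_db.auth.sst.username }}'@'127.0.0.1' IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.sst.password }}';
+# GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{{ .Values.endpoints.oslo_db.auth.sst.username }}'@'127.0.0.1' ;
+CREATE OR REPLACE USER '{{ .Values.endpoints.oslo_db.auth.audit.username }}'@'%' IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.audit.password }}';
+{{- if .Values.manifests.certificates }}
+GRANT SELECT ON *.* TO '{{ .Values.endpoints.oslo_db.auth.audit.username }}'@'%' REQUIRE X509;
+{{- else }}
+GRANT SELECT ON *.* TO '{{ .Values.endpoints.oslo_db.auth.audit.username }}'@'%' ;
+{{- end }}
+FLUSH PRIVILEGES ;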
@ -368,15 +368,12 @@ conf:
|
|||||||
|
|
||||||
[client]
|
[client]
|
||||||
default_character_set=utf8
|
default_character_set=utf8
|
||||||
protocol=tcp
|
|
||||||
port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
||||||
{{ if .Values.manifests.certificates }}
|
{{ if .Values.manifests.certificates }}
|
||||||
# TLS
|
# TLS
|
||||||
ssl_ca=/etc/mysql/certs/ca.crt
|
ssl_ca=/etc/mysql/certs/ca.crt
|
||||||
ssl_key=/etc/mysql/certs/tls.key
|
ssl_key=/etc/mysql/certs/tls.key
|
||||||
ssl_cert=/etc/mysql/certs/tls.crt
|
ssl_cert=/etc/mysql/certs/tls.crt
|
||||||
# tls_version = TLSv1.2,TLSv1.3
|
# tls_version = TLSv1.2,TLSv1.3
|
||||||
ssl-verify-server-cert
|
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
my: |
|
my: |
|
||||||
|
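Review bot: Dropping `ssl-verify-server-cert` from the `[client]` section removes server-identity verification for every client that reads this config, not just the entrypoint: as far as I know of MariaDB 10.6-era clients, ssl_ca/ssl_key/ssl_cert alone do not make the client check that the server certificate matches the host it connected to, so a commit titled "Fix mariadb TLS" ships a weaker client side than before. If the line was removed because docker-entrypoint.sh connects locally (the removed `protocol=tcp` and `port=` lines hint at socket use) and the certificate does not cover that name, the narrower fix is to keep `ssl-verify-server-cert` under the `{{ if .Values.manifests.certificates }}` guard and disable verification only for that local invocation, or to add the local name to the certificate's SANs. At minimum the removal needs a comment recording the reason, e.g. `# ssl-verify-server-cert intentionally omitted: <reason>`, so it is not read as an oversight. The `[client]` block is part of a values block scalar whose start lies outside this hunk.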
@ -2,4 +2,5 @@
|
|||||||
mariadb-cluster:
|
mariadb-cluster:
|
||||||
- 0.0.1 Initial Chart
|
- 0.0.1 Initial Chart
|
||||||
- 0.0.2 Enable auto-upgrade
|
- 0.0.2 Enable auto-upgrade
|
||||||
|
- 0.0.3 Fixed TLS config and added x509 requirement
|
||||||
...
|
...
|
||||||
|