[mariadb] Disable TLS for prometheus mysql exporter

This change disables TLS for the Prometheus MySQL exporter sidecar container in the MariaDB StatefulSet. Change-Id: Ifcc1f0e50b1d8cd0afd464ed6bea8b1d6018bc86 Signed-off-by: Sergiy Markin <smarkin@mirantis.com>
2025-07-25 19:49:31 +00:00
parent 80041dfbb5
commit 942c7c6827
4 changed files with 20 additions and 7 deletions
--- a/mariadb/templates/bin/_prometheus-create-mysql-user.sh.tpl
+++ b/mariadb/templates/bin/_prometheus-create-mysql-user.sh.tpl
@@ -32,8 +32,8 @@ set -e
  if [[ ! -z ${mariadb_version} && -z $(grep -E '10.2|10.3|10.4' <<< ${mariadb_version}) ]]; then
    # In case MariaDB version is 10.2.x-10.4.x - we use old privileges definitions
    if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
-      "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
-      GRANT SLAVE MONITOR, PROCESS, BINLOG MONITOR, SLAVE MONITOR, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
+      "CREATE OR REPLACE USER '${EXPORTER_USER}'@'127.0.0.1' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
+      GRANT SLAVE MONITOR, PROCESS, BINLOG MONITOR, SLAVE MONITOR, SELECT ON *.* TO '${EXPORTER_USER}'@'127.0.0.1'; \
      FLUSH PRIVILEGES;" ; then
      echo "ERROR: Could not create user: ${EXPORTER_USER}"
      exit 1
--- a/mariadb/templates/secrets/_prometheus-exporter_user.cnf.tpl
+++ b/mariadb/templates/secrets/_prometheus-exporter_user.cnf.tpl
@@ -17,8 +17,3 @@ user = {{ .Values.endpoints.oslo_db.auth.exporter.username }}
 password = {{ .Values.endpoints.oslo_db.auth.exporter.password }}
 host = localhost
 port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- if .Values.manifests.certificates }}
-ssl-ca = /etc/mysql/certs/ca.crt
-ssl-key = /etc/mysql/certs/tls.key
-ssl-cert = /etc/mysql/certs/tls.crt
-{{- end }}
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@@ -102,6 +102,7 @@ metadata:
    mariadb-dbadmin-password-hash: {{ tuple "secret-dbadmin-password.yaml" . | include "helm-toolkit.utils.hash" }}
    mariadb-sst-password-hash: {{ tuple "secret-dbadmin-password.yaml" . | include "helm-toolkit.utils.hash" }}
    configmap-bin-exporter-hash: {{ tuple "exporter-configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+    secrets-etc-exporter-hash: {{ tuple "exporter-secrets-etc.yaml" . | include "helm-toolkit.utils.hash" }}
  labels:
 {{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
--- a/releasenotes/notes/mariadb-840fccbf8f0e9d39.yaml
+++ b/releasenotes/notes/mariadb-840fccbf8f0e9d39.yaml
@@ -0,0 +1,17 @@
+---
+# To create a new release note related to a specific chart:
+# reno new <chart_name>
+#
+# To create a new release note for a common change (when multiple charts
+# are changed):
+# reno new common
+mariadb:
+  - |
+    This change disables TLS for the Prometheus MySQL exporter sidecar container in the MariaDB StatefulSet.
+issues:
+  - |
+    mysql-exporter sidecar container has TLS enabled but was missing the CA certificate, which caused the exporter to fail to connect to the database.
+fixes:
+  - |
+    In order to fix this issue, the TLS configuration for the Prometheus MySQL exporter sidecar container has been updated to disable TLS. This allows the exporter to connect to the MariaDB database without requiring a CA certificate.
+...