From 942c7c6827efa2e6597c10e3b9d34dcd70ed8129 Mon Sep 17 00:00:00 2001
From: Sergiy Markin
Date: Fri, 25 Jul 2025 19:49:31 +0000
Subject: [PATCH] [mariadb] Disable TLS for prometheus mysql exporter

This change disables TLS for the Prometheus MySQL exporter sidecar container in the MariaDB StatefulSet.

Change-Id: Ifcc1f0e50b1d8cd0afd464ed6bea8b1d6018bc86
Signed-off-by: Sergiy Markin
---
 .../bin/_prometheus-create-mysql-user.sh.tpl | 4 ++--
 .../secrets/_prometheus-exporter_user.cnf.tpl | 5 -----
 mariadb/templates/statefulset.yaml | 1 +
 .../notes/mariadb-840fccbf8f0e9d39.yaml | 17 +++++++++++++++++
 4 files changed, 20 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/mariadb-840fccbf8f0e9d39.yaml

diff --git a/mariadb/templates/bin/_prometheus-create-mysql-user.sh.tpl b/mariadb/templates/bin/_prometheus-create-mysql-user.sh.tpl
index e1355fe62b..388a91647b 100644
--- a/mariadb/templates/bin/_prometheus-create-mysql-user.sh.tpl
+++ b/mariadb/templates/bin/_prometheus-create-mysql-user.sh.tpl
@@ -32,8 +32,8 @@ set -e
 if [[ ! -z ${mariadb_version} && -z $(grep -E '10.2|10.3|10.4' <<< ${mariadb_version}) ]]; then
 # In case MariaDB version is 10.2.x-10.4.x - we use old privileges definitions
 if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
- "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
- GRANT SLAVE MONITOR, PROCESS, BINLOG MONITOR, SLAVE MONITOR, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
+ "CREATE OR REPLACE USER '${EXPORTER_USER}'@'127.0.0.1' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
+ GRANT SLAVE MONITOR, PROCESS, BINLOG MONITOR, SLAVE MONITOR, SELECT ON *.* TO '${EXPORTER_USER}'@'127.0.0.1'; \
 FLUSH PRIVILEGES;" ; then
 echo "ERROR: Could not create user: ${EXPORTER_USER}"
 exit 1
diff --git a/mariadb/templates/secrets/_prometheus-exporter_user.cnf.tpl b/mariadb/templates/secrets/_prometheus-exporter_user.cnf.tpl
index f09ed7f1bd..d0aab834f5 100644
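Review bot: `CREATE OR REPLACE USER '${EXPORTER_USER}'@'127.0.0.1'` on the new side only replaces an account with that exact host part, so on an upgraded deployment the `'${EXPORTER_USER}'@'%'` account created by the old version of this script (with its `SELECT ON *.*` grant) is left in place, still reachable from any host and no longer managed by this script. Consider removing it explicitly before the CREATE, `DROP USER IF EXISTS '${EXPORTER_USER}'@'%';`, and adding a comment above the statement recording that `REQUIRE X509` was dropped deliberately because the account is now limited to loopback from the sidecar. The companion exporter_user.cnf still sets `host = localhost`; whether a client with that setting is matched to `@'127.0.0.1'` rather than `@'localhost'` depends on socket-vs-TCP and server name resolution, so this should be confirmed in a deployed pod. The enclosing `if` continues past the hunk; if its other branch (the 10.2–10.4 privilege set) still creates the account at `'%'` with `${MARIADB_X509}`, it needs the same treatment.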
--- a/mariadb/templates/secrets/_prometheus-exporter_user.cnf.tpl
+++ b/mariadb/templates/secrets/_prometheus-exporter_user.cnf.tpl
@@ -17,8 +17,3 @@ user = {{ .Values.endpoints.oslo_db.auth.exporter.username }}
 password = {{ .Values.endpoints.oslo_db.auth.exporter.password }}
 host = localhost
 port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- if .Values.manifests.certificates }}
-ssl-ca = /etc/mysql/certs/ca.crt
-ssl-key = /etc/mysql/certs/tls.key
-ssl-cert = /etc/mysql/certs/tls.crt
-{{- end }}
diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml
index 889ff71e37..963d66e216 100644
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@@ -102,6 +102,7 @@ metadata:
 mariadb-dbadmin-password-hash: {{ tuple "secret-dbadmin-password.yaml" . | include "helm-toolkit.utils.hash" }}
 mariadb-sst-password-hash: {{ tuple "secret-dbadmin-password.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-bin-exporter-hash: {{ tuple "exporter-configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ secrets-etc-exporter-hash: {{ tuple "exporter-secrets-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 labels:
 {{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
diff --git a/releasenotes/notes/mariadb-840fccbf8f0e9d39.yaml b/releasenotes/notes/mariadb-840fccbf8f0e9d39.yaml
new file mode 100644
index 0000000000..21d5112f70
--- /dev/null
+++ b/releasenotes/notes/mariadb-840fccbf8f0e9d39.yaml
@@ -0,0 +1,17 @@
+---
+# To create a new release note related to a specific chart:
+# reno new
+#
+# To create a new release note for a common change (when multiple charts
+# are changed):
+# reno new common
+mariadb:
+ - |
+ This change disables TLS for the Prometheus MySQL exporter sidecar container in the MariaDB StatefulSet.
+issues:
+ - |
+ mysql-exporter sidecar container has TLS enabled but was missing the CA certificate, which caused the exporter to fail to connect to the database.
+fixes:
+ - |
+ In order to fix this issue, the TLS configuration for the Prometheus MySQL exporter sidecar container has been updated to disable TLS. This allows the exporter to connect to the MariaDB database without requiring a CA certificate.
+...