openstack-armada-app/openstack-helm-infra/debian/deb_folder/patches/0009-Add-GaleraDB-Secure-Replica-Traffic.patch
Daniel Caires 40dc95270b Upversion base OSH-I to Caracal-05f2f459
This task aims to upversion base OSH-I to Caracal (05f2f459)

This change upversions the base commit SHA for openstack-helm-infra
to the Caracal version. Because upstream OSH-I does not track
versions the same way Openstack does, the base commit [1] was
chosen after the Caracal release date and the stability of the
changes in the upstream repo.

It also ports all StarlingX specific patches on top of it,
dropping the patches that are no longer necessary and updating
what needs to be updated in order to be applied on top of the
new base SHA.

Patch 0005 was removed because upstream OSH-I implemented the same
config. Additional configurations set in the patch were translated
into a change in the static-overrides. Patch 0018 was dropped
because the Ingress Helm chart was removed from upstream OSH-I.
Finally, the changes in patch 0016 were also merged
into upstream OSH-I, so with the upversion they can be dropped.

Helm Releases are updated to the caracal version of each Helm
chart from OSH-I.

Test Plan:
PASS - Run downloader to get new OSH-I version
PASS - Run build-pkgs -c -a -l openstack to rebuild all packages
PASS - OSH-I is on the Caracal version
PASS - All OSH-I patches are applied
PASS - STX-O is built

With this change STX-Openstack will stop applying until all the
reviews in the relation chain are merged as well. Because of that,
the Test Plan does not include the apply and proper functioning of
the application. The last review of the relation chain will have a
more thorough test plan. In order for the build not to be broken, all
reviews in the relation chain should be merged together.

Story: 2011303
Task: 51428

[1] - 05f2f45971

Change-Id: I43a11570a176f1b5aceda88c0cb3c76b2f5d228e
Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
2025-02-17 18:59:01 +00:00

From e363f54d69001789051d1564e9454ea74868b357 Mon Sep 17 00:00:00 2001
From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Date: Thu, 23 Dec 2021 10:15:07 -0300
Subject: [PATCH] Add GaleraDB Secure Replica Traffic
This sets `wsrep_provider_options` for GaleraDB when TLS is enabled
NOTE: The recommended SST (state snapshot transfer) for mariadb>=10.2
is `mariabackup`. mariabackup ONLY works connecting to localhost
see: https://github.com/MariaDB/server/blob/fe7e44d8ad5d7fe9c91f476353a3e1749f18afc6/scripts/wsrep_sst_mariabackup.sh#L711
Therefore, you MUST create a certificate with SAN `localhost` or cert
verification will fail.
Example provided at values_overrides/tls.yaml
Change-Id: Ie9f81d5cfb7e0388f7c061e54342d052a0441647
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
---
mariadb/values.yaml | 12 +++++++++---
mariadb/values_overrides/tls.yaml | 15 ++++++++++++++-
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index 6f325e9c..72f5df7c 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -474,19 +474,25 @@ conf:
wsrep_cluster_name={{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" | replace "." "_" }}
wsrep_on=1
wsrep_provider=/usr/lib/galera/libgalera_smm.so
- wsrep_provider_options="evs.suspect_timeout=PT30S; gmcast.peer_timeout=PT15S; gmcast.listen_addr=tcp://0.0.0.0:{{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
wsrep_slave_threads=12
wsrep_sst_auth={{ .Values.endpoints.oslo_db.auth.sst.username }}:{{ .Values.endpoints.oslo_db.auth.sst.password }}
wsrep_sst_method=mariabackup
-
{{ if .Values.manifests.certificates }}
+ wsrep_provider_options="socket.ssl_ca=/etc/mysql/certs/ca.crt; socket.ssl_cert=/etc/mysql/certs/tls.crt; socket.ssl_key=/etc/mysql/certs/tls.key; evs.suspect_timeout=PT30S; gmcast.peer_timeout=PT15S; gmcast.listen_addr=tcp://0.0.0.0:{{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
# TLS
ssl_ca=/etc/mysql/certs/ca.crt
ssl_key=/etc/mysql/certs/tls.key
ssl_cert=/etc/mysql/certs/tls.crt
# tls_version = TLSv1.2,TLSv1.3
- {{ end }}
+ [sst]
+ encrypt = 3
+ tca=/etc/mysql/certs/ca.crt
+ tkey=/etc/mysql/certs/tls.key
+ tcert=/etc/mysql/certs/tls.crt
+ {{ else }}
+ wsrep_provider_options="evs.suspect_timeout=PT30S; gmcast.peer_timeout=PT15S; gmcast.listen_addr=tcp://0.0.0.0:{{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ {{ end }}
[mysqldump]
max-allowed-packet=16M
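Review bot: the `{{ else }}` branch at the end of the hunk silently falls back to unencrypted Galera replication and SST whenever `manifests.certificates` is false, and the two `wsrep_provider_options` lines repeat the same `evs.suspect_timeout`/`gmcast.peer_timeout`/`gmcast.listen_addr` string, so the timeouts can drift between the two paths. Consider templating the shared options once and prepending only the `socket.ssl_*` entries inside the certificates branch, and add a comment on the new `[sst]` block explaining that `encrypt = 3` with `tca`/`tkey`/`tcert` is what protects the mariabackup transfer the patch description mentions; note also that `# tls_version` stays commented out, so the accepted TLS versions remain the server default.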
diff --git a/mariadb/values_overrides/tls.yaml b/mariadb/values_overrides/tls.yaml
index b8da60f8..b09de17c 100644
--- a/mariadb/values_overrides/tls.yaml
+++ b/mariadb/values_overrides/tls.yaml
@@ -9,6 +9,7 @@ pod:
runAsUser: 0
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
+
endpoints:
oslo_db:
host_fqdn_override:
@@ -16,8 +17,20 @@ endpoints:
tls:
secretName: mariadb-tls-direct
issuerRef:
- name: ca-issuer
+ name: rootca-issuer
kind: ClusterIssuer
+ dnsNames:
+ # localhost is needed for mariabackup
+ - localhost
+ - mariadb
+ - mariadb.openstack
+ - mariadb.openstack.svc.cluster.local
+ - mariadb-discovery
+ - mariadb-discovery.openstack
+ - mariadb-server-1.mariadb-discovery.openstack.svc.cluster.local
+ - mariadb-server-0.mariadb-discovery.openstack.svc.cluster.local
+ - mariadb-discovery.openstack.svc.cluster.local
+
manifests:
certificates: true
...
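Review bot: the `dnsNames` list hard-codes the `openstack` namespace, the `cluster.local` cluster domain and exactly two replicas (`mariadb-server-0`, `mariadb-server-1`), so a release in another namespace, a cluster with a different domain, or a third replica would get a certificate whose SANs do not match its hostname and peer verification for Galera and the mariabackup SST would fail. Consider deriving these names from the release namespace and replica count in the chart templates while keeping the explicit `localhost` entry the comment justifies, and state in the patch description why the issuer changed from `ca-issuer` to `rootca-issuer`.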
--
2.25.1