From 6e13d74c876a5c3eaf03b664f3df538972c54452 Mon Sep 17 00:00:00 2001 From: sgupta Date: Tue, 14 Jul 2020 19:32:57 +0000 Subject: [PATCH] feat(tls): add tls to mariadb chart This patch set makes changes for maraidb certs to be used by all users when connecting to MariaDB. Change-Id: Id38c9fb0b18dd8ba164a69f179d940192efc3247 --- .../manifests/_job-db-drop-mysql.tpl | 6 ----- .../manifests/_job-db-init-mysql.tpl | 6 ----- .../templates/manifests/_job-db-sync.tpl | 4 ---- .../templates/scripts/_db-drop.py.tpl | 24 +++++-------------- .../templates/scripts/_db-init.py.tpl | 24 +++++-------------- 5 files changed, 12 insertions(+), 52 deletions(-) diff --git a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl index 265a4ba9c..0c2b63ab6 100644 --- a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl +++ b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl @@ -34,8 +34,6 @@ limitations under the License. {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $serviceNamePretty := $serviceName | replace "_" "-" -}} -{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}} -{{- $tlsSecret := index . "tlsSecret" | default "" -}} {{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }} @@ -88,8 +86,6 @@ spec: {{- if $envAll.Values.manifests.certificates }} - name: MARIADB_X509 value: "REQUIRE X509" - - name: USER_CERT_PATH - value: {{ $tlsPath | quote }} {{- end }} {{- if eq $dbToDropType "secret" }} - name: DB_CONNECTION 
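Review bot: Dropping `$tlsPath` and `$tlsSecret` from the parameter block in the `@@ -34` hunk means a chart that still passes `tlsSecret`/`tlsPath` into this template renders cleanly while its own secret is silently no longer mounted, because `index .` on a key nobody reads raises nothing. The usage comment at the top of this template (outside the hunk) should state the new contract, e.g. `# tlsSecret/tlsPath are no longer honoured; the MariaDB client certificate from dbAdminTlsSecret is mounted at /etc/mysql/certs and used for every connection.` The same applies to the matching parameter hunks of _job-db-init-mysql.tpl and _job-db-sync.tpl further down in this patch.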
@@ -121,7 +117,6 @@ spec: readOnly: true {{- end }} {{- if $envAll.Values.manifests.certificates }} -{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- end }} {{- end }} @@ -139,7 +134,6 @@ spec: defaultMode: 0555 {{- end }} {{- if $envAll.Values.manifests.certificates }} -{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end }} {{- $local := dict "configMapBinFirst" true -}} diff --git a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl index 3f72f3335..9192ccc95 100644 --- a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl +++ b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl @@ -34,8 +34,6 @@ limitations under the License. {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $serviceNamePretty := $serviceName | replace "_" "-" -}} -{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}} -{{- $tlsSecret := index . "tlsSecret" | default "" -}} {{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }} @@ -94,8 +92,6 @@ spec: {{- if $envAll.Values.manifests.certificates }} - name: MARIADB_X509 value: "REQUIRE X509" - - name: USER_CERT_PATH - value: {{ $tlsPath | quote }} {{- end }} command: - /tmp/db-init.py 
@@ -119,7 +115,6 @@ spec: readOnly: true {{- end }} {{- if $envAll.Values.manifests.certificates }} -{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- end }} {{- end }} @@ -137,7 +132,6 @@ spec: defaultMode: 0555 {{- end }} {{- if $envAll.Values.manifests.certificates }} -{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end }} {{- $local := dict "configMapBinFirst" true -}} diff --git a/helm-toolkit/templates/manifests/_job-db-sync.tpl b/helm-toolkit/templates/manifests/_job-db-sync.tpl index 1352293b5..0a60a3b4d 100644 --- a/helm-toolkit/templates/manifests/_job-db-sync.tpl +++ b/helm-toolkit/templates/manifests/_job-db-sync.tpl @@ -31,8 +31,6 @@ limitations under the License. {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $serviceNamePretty := $serviceName | replace "_" "-" -}} -{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}} -{{- $tlsSecret := index . "tlsSecret" | default "" -}} {{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }} 
@@ -90,7 +88,6 @@ spec: mountPath: {{ $dbToSync.logConfigFile | quote }} subPath: {{ base $dbToSync.logConfigFile | quote }} readOnly: true -{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- if $podVolMounts }} {{ $podVolMounts | toYaml | indent 12 }} @@ -114,7 +111,6 @@ spec: secret: secretName: {{ $configMapEtc | quote }} defaultMode: 0444 -{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- if $podVols }} {{ $podVols | toYaml | indent 8 }} diff --git a/helm-toolkit/templates/scripts/_db-drop.py.tpl b/helm-toolkit/templates/scripts/_db-drop.py.tpl index 322932eb1..03884fa18 100644 --- a/helm-toolkit/templates/scripts/_db-drop.py.tpl +++ b/helm-toolkit/templates/scripts/_db-drop.py.tpl @@ -55,11 +55,11 @@ else: sys.exit(1) mysql_x509 = os.getenv('MARIADB_X509', "") +ssl_args = {} if mysql_x509: - user_tls_cert_path = os.getenv('USER_CERT_PATH', "") - if not user_tls_cert_path: - logger.critical('environment variable USER_CERT_PATH not set') - sys.exit(1) + ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', + 'key': '/etc/mysql/certs/tls.key', + 'cert': '/etc/mysql/certs/tls.crt'}} # Get the connection string for the service db if "OPENSTACK_CONFIG_FILE" in os.environ: 
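Review bot: The `@@ -90` hunk removes the per-service certificate mount at `$tlsPath` from the db-sync pod, but unlike db-init and db-drop the command this pod runs is the service's own sync tool reading the configuration under `$configMapEtc`, which this commit does not touch; if that configuration still references the per-service certificate path, the regression shows up as a connect-time failure rather than a render error. It is worth confirming against the charts consuming this template that their database connection settings either point at `/etc/mysql/certs` or carry no client-certificate path before the mount is dropped. The enclosing container spec starts and ends outside the hunk.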
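Review bot: Removing the `USER_CERT_PATH` check in the `@@ -55` hunk also removes the only fail-fast validation of the TLS material: with the three paths now hard-coded, a missing or unmounted file under `/etc/mysql/certs/` is no longer reported before the first connection attempt and surfaces only as a generic failure inside the later `try`/`except` blocks. Keeping an explicit existence check right after `ssl_args` is built restores a clear `logger.critical` message and exit code, as below; the identical hunk in _db-init.py.tpl needs the same change. The directory is also duplicated between this script and the `tls_volume_mount` calls in the manifests, so a one-line comment that the two must agree would help the next edit.
```python
if mysql_x509:
    # … unchanged: ssl_args dict literal …
    # Fail fast: path must match the tls_volume_mount in the job manifests.
    missing = [p for p in ssl_args['ssl'].values() if not os.path.isfile(p)]
    if missing:
        logger.critical('TLS material not found: {0}'.format(', '.join(missing)))
        sys.exit(1)
```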
@@ -101,13 +101,7 @@ try: host = root_engine_full.url.host port = root_engine_full.url.port root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) - if mysql_x509: - ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', - 'key': '/etc/mysql/certs/tls.key', - 'cert': '/etc/mysql/certs/tls.crt'}} - root_engine = create_engine(root_engine_url, connect_args=ssl_args) - else: - root_engine = create_engine(root_engine_url) + root_engine = create_engine(root_engine_url, connect_args=ssl_args) connection = root_engine.connect() connection.close() logger.info("Tested connection to DB @ {0}:{1} as {2}".format( @@ -118,13 +112,7 @@ except: # User DB engine try: - if mysql_x509: - ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path), - 'key': '{0}/tls.key'.format(user_tls_cert_path), - 'cert': '{0}/tls.crt'.format(user_tls_cert_path)}} - user_engine = create_engine(user_db_conn, connect_args=ssl_args) - else: - user_engine = create_engine(user_db_conn) + user_engine = create_engine(user_db_conn, connect_args=ssl_args) # Get our user data out of the user_engine database = user_engine.url.database user = user_engine.url.username diff --git a/helm-toolkit/templates/scripts/_db-init.py.tpl b/helm-toolkit/templates/scripts/_db-init.py.tpl index d0bda49a6..4294d40c5 100644 --- a/helm-toolkit/templates/scripts/_db-init.py.tpl +++ b/helm-toolkit/templates/scripts/_db-init.py.tpl @@ -55,11 +55,11 @@ else: sys.exit(1) mysql_x509 = os.getenv('MARIADB_X509', "") +ssl_args = {} if mysql_x509: - user_tls_cert_path = os.getenv('USER_CERT_PATH', "") - if not user_tls_cert_path: - logger.critical('environment variable USER_CERT_PATH not set') - sys.exit(1) + ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', + 'key': '/etc/mysql/certs/tls.key', + 'cert': '/etc/mysql/certs/tls.crt'}} # Get the connection string for the service db if "OPENSTACK_CONFIG_FILE" in os.environ: 
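Review bot: After the `@@ -118` hunk the service-user connection built by `create_engine(user_db_conn, connect_args=ssl_args)` presents the same client certificate as the root connection, so the certificate no longer distinguishes the admin from the service identity at the server. As I read it, a grant of plain `REQUIRE X509` (the value the manifests place in `MARIADB_X509`) accepts any valid client certificate, so this works today, but a later tightening to `REQUIRE SUBJECT` or `REQUIRE ISSUER` on the service user would not be satisfied by shared material; nothing in the hunk records that this is deliberate. Add `# Both engines present the shared MariaDB client cert from /etc/mysql/certs; per-user certificate identity is intentionally not used.` above the `create_engine` call, and the same note in the matching hunk of _db-init.py.tpl below. The surrounding `try` block continues outside the hunk.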
@@ -101,13 +101,7 @@ try: host = root_engine_full.url.host port = root_engine_full.url.port root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) - if mysql_x509: - ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', - 'key': '/etc/mysql/certs/tls.key', - 'cert': '/etc/mysql/certs/tls.crt'}} - root_engine = create_engine(root_engine_url, connect_args=ssl_args) - else: - root_engine = create_engine(root_engine_url) + root_engine = create_engine(root_engine_url, connect_args=ssl_args) connection = root_engine.connect() connection.close() logger.info("Tested connection to DB @ {0}:{1} as {2}".format( @@ -118,13 +112,7 @@ except: # User DB engine try: - if mysql_x509: - ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path), - 'key': '{0}/tls.key'.format(user_tls_cert_path), - 'cert': '{0}/tls.crt'.format(user_tls_cert_path)}} - user_engine = create_engine(user_db_conn, connect_args=ssl_args) - else: - user_engine = create_engine(user_db_conn) + user_engine = create_engine(user_db_conn, connect_args=ssl_args) # Get our user data out of the user_engine database = user_engine.url.database user = user_engine.url.username