Merge "feat(tls): add tls to mariadb chart"

Zuul 2020-07-14 22:42:34 +00:00 committed by Gerrit Code Review
commit 6409bb6879
5 changed files with 12 additions and 52 deletions


@ -34,8 +34,6 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} {{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} {{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }} {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
@ -88,8 +86,6 @@ spec:
{{- if $envAll.Values.manifests.certificates }} {{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509 - name: MARIADB_X509
value: "REQUIRE X509" value: "REQUIRE X509"
- name: USER_CERT_PATH
value: {{ $tlsPath | quote }}
{{- end }} {{- end }}
{{- if eq $dbToDropType "secret" }} {{- if eq $dbToDropType "secret" }}
- name: DB_CONNECTION - name: DB_CONNECTION
@ -121,7 +117,6 @@ spec:
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- if $envAll.Values.manifests.certificates }} {{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
@ -139,7 +134,6 @@ spec:
defaultMode: 0555 defaultMode: 0555
{{- end }} {{- end }}
{{- if $envAll.Values.manifests.certificates }} {{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }} {{- end }}
{{- $local := dict "configMapBinFirst" true -}} {{- $local := dict "configMapBinFirst" true -}}
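Review bot: Callers that still pass `tlsSecret` or `tlsPath` into this template are now silently ignored, because the new side drops the two variable lines at the top of the first hunk without rejecting the keys. Either list the accepted keys in the template's header comment (which lies outside these hunks) or fail early with `{{- if hasKey . "tlsSecret" }}{{ fail "tlsSecret is no longer supported; pass dbAdminTlsSecret" }}{{- end }}`. The `/etc/mysql/certs` mount path in the third hunk is also hard-coded separately in the job script that reads `ca.crt`/`tls.key`/`tls.crt`, so a template comment such as `{{/* path must match the certificate locations read by the db job script */}}` would keep the two from drifting. The template definition starts and ends outside the visible hunks.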


@ -34,8 +34,6 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} {{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} {{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }} {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
@ -94,8 +92,6 @@ spec:
{{- if $envAll.Values.manifests.certificates }} {{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509 - name: MARIADB_X509
value: "REQUIRE X509" value: "REQUIRE X509"
- name: USER_CERT_PATH
value: {{ $tlsPath | quote }}
{{- end }} {{- end }}
command: command:
- /tmp/db-init.py - /tmp/db-init.py
@ -119,7 +115,6 @@ spec:
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- if $envAll.Values.manifests.certificates }} {{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
@ -137,7 +132,6 @@ spec:
defaultMode: 0555 defaultMode: 0555
{{- end }} {{- end }}
{{- if $envAll.Values.manifests.certificates }} {{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }} {{- end }}
{{- $local := dict "configMapBinFirst" true -}} {{- $local := dict "configMapBinFirst" true -}}
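Review bot: With the `USER_CERT_PATH` env and the second volume mount removed, the pod carries only `$dbAdminTlsSecret` at `/etc/mysql/certs`, so the service-user connection this job makes is presented with the admin client certificate; that works under `REQUIRE X509`, but if the grant is ever tightened to `REQUIRE SUBJECT`/`ISSUER` per user it will fail with no hint here. A comment next to the `MARIADB_X509` env, `# the admin cert mounted at /etc/mysql/certs serves both the root and the service-user connection`, would record that decision. `$dbAdminTlsSecret` still defaults to `""`, and when `manifests.certificates` is true but the caller omits it the volume snippet is invoked with an empty name; what the snippet renders is not visible here, so a guard like `{{- if and $envAll.Values.manifests.certificates (not $dbAdminTlsSecret) }}{{ fail "dbAdminTlsSecret is required when manifests.certificates is set" }}{{- end }}` is cheap insurance. The template definition starts and ends outside the visible hunks.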


@ -31,8 +31,6 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} {{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}} {{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }} {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
@ -90,7 +88,6 @@ spec:
mountPath: {{ $dbToSync.logConfigFile | quote }} mountPath: {{ $dbToSync.logConfigFile | quote }}
subPath: {{ base $dbToSync.logConfigFile | quote }} subPath: {{ base $dbToSync.logConfigFile | quote }}
readOnly: true readOnly: true
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- if $podVolMounts }} {{- if $podVolMounts }}
{{ $podVolMounts | toYaml | indent 12 }} {{ $podVolMounts | toYaml | indent 12 }}
@ -114,7 +111,6 @@ spec:
secret: secret:
secretName: {{ $configMapEtc | quote }} secretName: {{ $configMapEtc | quote }}
defaultMode: 0444 defaultMode: 0444
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- if $podVols }} {{- if $podVols }}
{{ $podVols | toYaml | indent 8 }} {{ $podVols | toYaml | indent 8 }}
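Review bot: This template emits the admin TLS mount and volume unguarded and relies solely on the snippet's `enabled` flag, whereas the db-init and db-drop templates in this commit wrap the same calls in `{{- if $envAll.Values.manifests.certificates }}`; the result is presumably the same if the snippet honours `enabled`, but the three jobs should use one form. The db-sync container runs the service's own migration command rather than a script from this chart, so the `/etc/mysql/certs` path only helps if the service's database connection settings point at it, which cannot be confirmed from this hunk; a comment such as `{{/* the service's DB TLS settings must reference /etc/mysql/certs */}}` beside the mount would make that dependency explicit. The template definition starts and ends outside the visible hunks.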


@ -55,11 +55,11 @@ else:
sys.exit(1) sys.exit(1)
mysql_x509 = os.getenv('MARIADB_X509', "") mysql_x509 = os.getenv('MARIADB_X509', "")
ssl_args = {}
if mysql_x509: if mysql_x509:
user_tls_cert_path = os.getenv('USER_CERT_PATH', "") ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
if not user_tls_cert_path: 'key': '/etc/mysql/certs/tls.key',
logger.critical('environment variable USER_CERT_PATH not set') 'cert': '/etc/mysql/certs/tls.crt'}}
sys.exit(1)
# Get the connection string for the service db # Get the connection string for the service db
if "OPENSTACK_CONFIG_FILE" in os.environ: if "OPENSTACK_CONFIG_FILE" in os.environ:
@ -101,13 +101,7 @@ try:
host = root_engine_full.url.host host = root_engine_full.url.host
port = root_engine_full.url.port port = root_engine_full.url.port
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
if mysql_x509: root_engine = create_engine(root_engine_url, connect_args=ssl_args)
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
'key': '/etc/mysql/certs/tls.key',
'cert': '/etc/mysql/certs/tls.crt'}}
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
else:
root_engine = create_engine(root_engine_url)
connection = root_engine.connect() connection = root_engine.connect()
connection.close() connection.close()
logger.info("Tested connection to DB @ {0}:{1} as {2}".format( logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
@ -118,13 +112,7 @@ except:
# User DB engine # User DB engine
try: try:
if mysql_x509: user_engine = create_engine(user_db_conn, connect_args=ssl_args)
ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path),
'key': '{0}/tls.key'.format(user_tls_cert_path),
'cert': '{0}/tls.crt'.format(user_tls_cert_path)}}
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
else:
user_engine = create_engine(user_db_conn)
# Get our user data out of the user_engine # Get our user data out of the user_engine
database = user_engine.url.database database = user_engine.url.database
user = user_engine.url.username user = user_engine.url.username
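Review bot: The single `ssl_args` built from `/etc/mysql/certs` is now passed to both `create_engine` calls, so the service-user engine in the last hunk authenticates with the same client certificate as the root engine; that is accepted under `REQUIRE X509` but is not obvious to a reader and deserves a comment, e.g. `# One client certificate (the admin one) for both the root and the service-user connection; the grant is REQUIRE X509, so any cert from the CA is accepted.` When `MARIADB_X509` is unset, `ssl_args` stays `{}` and both engines connect without TLS or server verification, which matches the old side but is now the only switch, so the comment should say so. Whether the `ca` entry also turns on hostname verification depends on the DB-API driver selected by `drivername`, which is not visible here and is worth confirming. The surrounding `try` blocks begin and end outside the hunks.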


@ -55,11 +55,11 @@ else:
sys.exit(1) sys.exit(1)
mysql_x509 = os.getenv('MARIADB_X509', "") mysql_x509 = os.getenv('MARIADB_X509', "")
ssl_args = {}
if mysql_x509: if mysql_x509:
user_tls_cert_path = os.getenv('USER_CERT_PATH', "") ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
if not user_tls_cert_path: 'key': '/etc/mysql/certs/tls.key',
logger.critical('environment variable USER_CERT_PATH not set') 'cert': '/etc/mysql/certs/tls.crt'}}
sys.exit(1)
# Get the connection string for the service db # Get the connection string for the service db
if "OPENSTACK_CONFIG_FILE" in os.environ: if "OPENSTACK_CONFIG_FILE" in os.environ:
@ -101,13 +101,7 @@ try:
host = root_engine_full.url.host host = root_engine_full.url.host
port = root_engine_full.url.port port = root_engine_full.url.port
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
if mysql_x509: root_engine = create_engine(root_engine_url, connect_args=ssl_args)
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
'key': '/etc/mysql/certs/tls.key',
'cert': '/etc/mysql/certs/tls.crt'}}
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
else:
root_engine = create_engine(root_engine_url)
connection = root_engine.connect() connection = root_engine.connect()
connection.close() connection.close()
logger.info("Tested connection to DB @ {0}:{1} as {2}".format( logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
@ -118,13 +112,7 @@ except:
# User DB engine # User DB engine
try: try:
if mysql_x509: user_engine = create_engine(user_db_conn, connect_args=ssl_args)
ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path),
'key': '{0}/tls.key'.format(user_tls_cert_path),
'cert': '{0}/tls.crt'.format(user_tls_cert_path)}}
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
else:
user_engine = create_engine(user_db_conn)
# Get our user data out of the user_engine # Get our user data out of the user_engine
database = user_engine.url.database database = user_engine.url.database
user = user_engine.url.username user = user_engine.url.username
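Review bot: A deployment that still exports `USER_CERT_PATH` now has it silently ignored, since the new first hunk drops the read and the fatal check without any replacement; a two-line warning keeps operators from chasing a certificate that is never used: `if os.getenv('USER_CERT_PATH'):` followed by `    logger.warning('USER_CERT_PATH is ignored; client certificates are read from /etc/mysql/certs')`. The `mysql_x509` flag is truthy for any non-empty value while the chart sets it to the literal grant clause `REQUIRE X509`, so a comment on the `if mysql_x509:` line such as `# MARIADB_X509 carries the server-side GRANT ... REQUIRE clause; any non-empty value enables client-certificate TLS here` would stop readers from expecting the value to be parsed. The surrounding `try` blocks begin and end outside the hunks.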