Merge "feat(tls): add tls to mariadb chart"
This commit is contained in:
commit
6409bb6879
@ -34,8 +34,6 @@ limitations under the License.
|
|||||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||||
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
|
|
||||||
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
|
|
||||||
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
|
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
|
||||||
|
|
||||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
|
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
|
||||||
@ -88,8 +86,6 @@ spec:
|
|||||||
{{- if $envAll.Values.manifests.certificates }}
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
- name: MARIADB_X509
|
- name: MARIADB_X509
|
||||||
value: "REQUIRE X509"
|
value: "REQUIRE X509"
|
||||||
- name: USER_CERT_PATH
|
|
||||||
value: {{ $tlsPath | quote }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if eq $dbToDropType "secret" }}
|
{{- if eq $dbToDropType "secret" }}
|
||||||
- name: DB_CONNECTION
|
- name: DB_CONNECTION
|
||||||
@ -121,7 +117,6 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if $envAll.Values.manifests.certificates }}
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -139,7 +134,6 @@ spec:
|
|||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if $envAll.Values.manifests.certificates }}
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $local := dict "configMapBinFirst" true -}}
|
{{- $local := dict "configMapBinFirst" true -}}
|
||||||
|
@ -34,8 +34,6 @@ limitations under the License.
|
|||||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||||
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
|
|
||||||
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
|
|
||||||
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
|
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
|
||||||
|
|
||||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
|
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
|
||||||
@ -94,8 +92,6 @@ spec:
|
|||||||
{{- if $envAll.Values.manifests.certificates }}
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
- name: MARIADB_X509
|
- name: MARIADB_X509
|
||||||
value: "REQUIRE X509"
|
value: "REQUIRE X509"
|
||||||
- name: USER_CERT_PATH
|
|
||||||
value: {{ $tlsPath | quote }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
command:
|
command:
|
||||||
- /tmp/db-init.py
|
- /tmp/db-init.py
|
||||||
@ -119,7 +115,6 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if $envAll.Values.manifests.certificates }}
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -137,7 +132,6 @@ spec:
|
|||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if $envAll.Values.manifests.certificates }}
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $local := dict "configMapBinFirst" true -}}
|
{{- $local := dict "configMapBinFirst" true -}}
|
||||||
|
@ -31,8 +31,6 @@ limitations under the License.
|
|||||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||||
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
|
|
||||||
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
|
|
||||||
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
|
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
|
||||||
|
|
||||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
|
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
|
||||||
@ -90,7 +88,6 @@ spec:
|
|||||||
mountPath: {{ $dbToSync.logConfigFile | quote }}
|
mountPath: {{ $dbToSync.logConfigFile | quote }}
|
||||||
subPath: {{ base $dbToSync.logConfigFile | quote }}
|
subPath: {{ base $dbToSync.logConfigFile | quote }}
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{- if $podVolMounts }}
|
{{- if $podVolMounts }}
|
||||||
{{ $podVolMounts | toYaml | indent 12 }}
|
{{ $podVolMounts | toYaml | indent 12 }}
|
||||||
@ -114,7 +111,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: {{ $configMapEtc | quote }}
|
secretName: {{ $configMapEtc | quote }}
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- if $podVols }}
|
{{- if $podVols }}
|
||||||
{{ $podVols | toYaml | indent 8 }}
|
{{ $podVols | toYaml | indent 8 }}
|
||||||
|
@ -55,11 +55,11 @@ else:
|
|||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
mysql_x509 = os.getenv('MARIADB_X509', "")
|
mysql_x509 = os.getenv('MARIADB_X509', "")
|
||||||
|
ssl_args = {}
|
||||||
if mysql_x509:
|
if mysql_x509:
|
||||||
user_tls_cert_path = os.getenv('USER_CERT_PATH', "")
|
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
|
||||||
if not user_tls_cert_path:
|
'key': '/etc/mysql/certs/tls.key',
|
||||||
logger.critical('environment variable USER_CERT_PATH not set')
|
'cert': '/etc/mysql/certs/tls.crt'}}
|
||||||
sys.exit(1)
|
|
||||||
|
|
||||||
# Get the connection string for the service db
|
# Get the connection string for the service db
|
||||||
if "OPENSTACK_CONFIG_FILE" in os.environ:
|
if "OPENSTACK_CONFIG_FILE" in os.environ:
|
||||||
@ -101,13 +101,7 @@ try:
|
|||||||
host = root_engine_full.url.host
|
host = root_engine_full.url.host
|
||||||
port = root_engine_full.url.port
|
port = root_engine_full.url.port
|
||||||
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
|
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
|
||||||
if mysql_x509:
|
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
|
||||||
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
|
|
||||||
'key': '/etc/mysql/certs/tls.key',
|
|
||||||
'cert': '/etc/mysql/certs/tls.crt'}}
|
|
||||||
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
|
|
||||||
else:
|
|
||||||
root_engine = create_engine(root_engine_url)
|
|
||||||
connection = root_engine.connect()
|
connection = root_engine.connect()
|
||||||
connection.close()
|
connection.close()
|
||||||
logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
|
logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
|
||||||
@ -118,13 +112,7 @@ except:
|
|||||||
|
|
||||||
# User DB engine
|
# User DB engine
|
||||||
try:
|
try:
|
||||||
if mysql_x509:
|
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
|
||||||
ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path),
|
|
||||||
'key': '{0}/tls.key'.format(user_tls_cert_path),
|
|
||||||
'cert': '{0}/tls.crt'.format(user_tls_cert_path)}}
|
|
||||||
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
|
|
||||||
else:
|
|
||||||
user_engine = create_engine(user_db_conn)
|
|
||||||
# Get our user data out of the user_engine
|
# Get our user data out of the user_engine
|
||||||
database = user_engine.url.database
|
database = user_engine.url.database
|
||||||
user = user_engine.url.username
|
user = user_engine.url.username
|
||||||
|
@ -55,11 +55,11 @@ else:
|
|||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
mysql_x509 = os.getenv('MARIADB_X509', "")
|
mysql_x509 = os.getenv('MARIADB_X509', "")
|
||||||
|
ssl_args = {}
|
||||||
if mysql_x509:
|
if mysql_x509:
|
||||||
user_tls_cert_path = os.getenv('USER_CERT_PATH', "")
|
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
|
||||||
if not user_tls_cert_path:
|
'key': '/etc/mysql/certs/tls.key',
|
||||||
logger.critical('environment variable USER_CERT_PATH not set')
|
'cert': '/etc/mysql/certs/tls.crt'}}
|
||||||
sys.exit(1)
|
|
||||||
|
|
||||||
# Get the connection string for the service db
|
# Get the connection string for the service db
|
||||||
if "OPENSTACK_CONFIG_FILE" in os.environ:
|
if "OPENSTACK_CONFIG_FILE" in os.environ:
|
||||||
@ -101,13 +101,7 @@ try:
|
|||||||
host = root_engine_full.url.host
|
host = root_engine_full.url.host
|
||||||
port = root_engine_full.url.port
|
port = root_engine_full.url.port
|
||||||
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
|
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
|
||||||
if mysql_x509:
|
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
|
||||||
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
|
|
||||||
'key': '/etc/mysql/certs/tls.key',
|
|
||||||
'cert': '/etc/mysql/certs/tls.crt'}}
|
|
||||||
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
|
|
||||||
else:
|
|
||||||
root_engine = create_engine(root_engine_url)
|
|
||||||
connection = root_engine.connect()
|
connection = root_engine.connect()
|
||||||
connection.close()
|
connection.close()
|
||||||
logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
|
logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
|
||||||
@ -118,13 +112,7 @@ except:
|
|||||||
|
|
||||||
# User DB engine
|
# User DB engine
|
||||||
try:
|
try:
|
||||||
if mysql_x509:
|
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
|
||||||
ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path),
|
|
||||||
'key': '{0}/tls.key'.format(user_tls_cert_path),
|
|
||||||
'cert': '{0}/tls.crt'.format(user_tls_cert_path)}}
|
|
||||||
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
|
|
||||||
else:
|
|
||||||
user_engine = create_engine(user_db_conn)
|
|
||||||
# Get our user data out of the user_engine
|
# Get our user data out of the user_engine
|
||||||
database = user_engine.url.database
|
database = user_engine.url.database
|
||||||
user = user_engine.url.username
|
user = user_engine.url.username
|
||||||
|
Loading…
Reference in New Issue
Block a user