feat(tls): add tls to mariadb chart

This patch set makes changes for mariadb certs to be used
by all users when connecting to MariaDB.

Change-Id: Id38c9fb0b18dd8ba164a69f179d940192efc3247
sgupta 2020-07-14 19:32:57 +00:00
parent b1fc699808
commit 6e13d74c87
5 changed files with 12 additions and 52 deletions


@ -34,8 +34,6 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
@ -88,8 +86,6 @@ spec:
{{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509
value: "REQUIRE X509"
- name: USER_CERT_PATH
value: {{ $tlsPath | quote }}
{{- end }}
{{- if eq $dbToDropType "secret" }}
- name: DB_CONNECTION
@ -121,7 +117,6 @@ spec:
readOnly: true
{{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
{{- end }}
@ -139,7 +134,6 @@ spec:
defaultMode: 0555
{{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
{{- $local := dict "configMapBinFirst" true -}}
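Review bot: `$dbAdminTlsSecret` still defaults to `""` on the line after `$serviceNamePretty`, yet the TLS volume and mount in the last two hunks now appear to depend on it alone once `manifests.certificates` is true, so a caller that omits the key renders a volume with an empty secret name and the job fails at pod creation instead of at template time. A template-time guard makes the new requirement explicit: `{{- if and $envAll.Values.manifests.certificates (not $dbAdminTlsSecret) }}{{ fail "dbAdminTlsSecret must be set when manifests.certificates is enabled" }}{{- end }}`. The same applies to the db-init and db-sync job templates in the two sections below. Each job now presents the MariaDB admin client certificate for every connection rather than a per-service one (the `tlsSecret` mount looks like what is removed), which is worth a sentence in the chart values documenting that choice.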


@ -34,8 +34,6 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
@ -94,8 +92,6 @@ spec:
{{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509
value: "REQUIRE X509"
- name: USER_CERT_PATH
value: {{ $tlsPath | quote }}
{{- end }}
command:
- /tmp/db-init.py
@ -119,7 +115,6 @@ spec:
readOnly: true
{{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
{{- end }}
@ -137,7 +132,6 @@ spec:
defaultMode: 0555
{{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
{{- $local := dict "configMapBinFirst" true -}}


@ -31,8 +31,6 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
@ -90,7 +88,6 @@ spec:
mountPath: {{ $dbToSync.logConfigFile | quote }}
subPath: {{ base $dbToSync.logConfigFile | quote }}
readOnly: true
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- if $podVolMounts }}
{{ $podVolMounts | toYaml | indent 12 }}
@ -114,7 +111,6 @@ spec:
secret:
secretName: {{ $configMapEtc | quote }}
defaultMode: 0444
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- if $podVols }}
{{ $podVols | toYaml | indent 8 }}


@ -55,11 +55,11 @@ else:
sys.exit(1)
mysql_x509 = os.getenv('MARIADB_X509', "")
ssl_args = {}
if mysql_x509:
user_tls_cert_path = os.getenv('USER_CERT_PATH', "")
if not user_tls_cert_path:
logger.critical('environment variable USER_CERT_PATH not set')
sys.exit(1)
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
'key': '/etc/mysql/certs/tls.key',
'cert': '/etc/mysql/certs/tls.crt'}}
# Get the connection string for the service db
if "OPENSTACK_CONFIG_FILE" in os.environ:
@ -101,13 +101,7 @@ try:
host = root_engine_full.url.host
port = root_engine_full.url.port
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
if mysql_x509:
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
'key': '/etc/mysql/certs/tls.key',
'cert': '/etc/mysql/certs/tls.crt'}}
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
else:
root_engine = create_engine(root_engine_url)
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
connection = root_engine.connect()
connection.close()
logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
@ -118,13 +112,7 @@ except:
# User DB engine
try:
if mysql_x509:
ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path),
'key': '{0}/tls.key'.format(user_tls_cert_path),
'cert': '{0}/tls.crt'.format(user_tls_cert_path)}}
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
else:
user_engine = create_engine(user_db_conn)
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
# Get our user data out of the user_engine
database = user_engine.url.database
user = user_engine.url.username
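Review bot: The user engine in the last hunk now takes `ssl_args`, which the first hunk builds only from the fixed `/etc/mysql/certs` paths, so the service user's own certificate is no longer used (the `USER_CERT_PATH` lookup appears to be among the removed lines) and every job authenticates to MariaDB with the admin client identity; `REQUIRE X509` on the server only checks the chain, so it works, but the least-privilege trade-off deserves a comment above `ssl_args = {}`, e.g. `# Both the root and the service-user engine present the MariaDB admin client cert mounted at /etc/mysql/certs.` The path is repeated in the script and in the job templates; a single `MARIADB_CERT_DIR = '/etc/mysql/certs'` constant used in the `ssl_args` dict would keep them in step. Passing `connect_args={}` when `MARIADB_X509` is unset is harmless. The `try` bodies run past the hunk, and the identical script in the section below has the same hunks.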


@ -55,11 +55,11 @@ else:
sys.exit(1)
mysql_x509 = os.getenv('MARIADB_X509', "")
ssl_args = {}
if mysql_x509:
user_tls_cert_path = os.getenv('USER_CERT_PATH', "")
if not user_tls_cert_path:
logger.critical('environment variable USER_CERT_PATH not set')
sys.exit(1)
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
'key': '/etc/mysql/certs/tls.key',
'cert': '/etc/mysql/certs/tls.crt'}}
# Get the connection string for the service db
if "OPENSTACK_CONFIG_FILE" in os.environ:
@ -101,13 +101,7 @@ try:
host = root_engine_full.url.host
port = root_engine_full.url.port
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
if mysql_x509:
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
'key': '/etc/mysql/certs/tls.key',
'cert': '/etc/mysql/certs/tls.crt'}}
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
else:
root_engine = create_engine(root_engine_url)
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
connection = root_engine.connect()
connection.close()
logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
@ -118,13 +112,7 @@ except:
# User DB engine
try:
if mysql_x509:
ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path),
'key': '{0}/tls.key'.format(user_tls_cert_path),
'cert': '{0}/tls.crt'.format(user_tls_cert_path)}}
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
else:
user_engine = create_engine(user_db_conn)
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
# Get our user data out of the user_engine
database = user_engine.url.database
user = user_engine.url.username