feat(tls): add tls to mariadb chart
This patch set changes the MariaDB certificates so that they are used by all users when connecting to MariaDB. Change-Id: Id38c9fb0b18dd8ba164a69f179d940192efc3247
This commit is contained in:
parent
b1fc699808
commit
6e13d74c87
@ -34,8 +34,6 @@ limitations under the License.
|
||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
|
||||
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
|
||||
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
|
||||
@ -88,8 +86,6 @@ spec:
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
- name: MARIADB_X509
|
||||
value: "REQUIRE X509"
|
||||
- name: USER_CERT_PATH
|
||||
value: {{ $tlsPath | quote }}
|
||||
{{- end }}
|
||||
{{- if eq $dbToDropType "secret" }}
|
||||
- name: DB_CONNECTION
|
||||
@ -121,7 +117,6 @@ spec:
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@ -139,7 +134,6 @@ spec:
|
||||
defaultMode: 0555
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- $local := dict "configMapBinFirst" true -}}
|
||||
|
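Review bot: `$dbAdminTlsSecret` defaults to an empty string at L26, yet the mount at L76 and the volume at L100 are emitted whenever `manifests.certificates` is true, and `MARIADB_X509` is set under the same condition at L40–L43, so a caller that enables certificates without passing `dbAdminTlsSecret` gets a job that requires TLS but has no secret to mount (unless the helm-toolkit tls_volume snippet rejects an empty name, which is not visible here). A render-time guard placed after `$envAll` is bound, `{{- if and $envAll.Values.manifests.certificates (not $dbAdminTlsSecret) }}{{ fail "dbAdminTlsSecret is required when manifests.certificates is enabled" }}{{- end }}`, would fail the template instead of producing a pod that cannot start. The same applies to the db-init and db-sync sections below, which repeat the default and the admin-cert mount and volume; in db-sync the lines at L250–L253 and L274–L277 are not wrapped in the certificates condition and rely on the "enabled" flag passed to the snippet. Which of the listed lines are removed versus kept is inferred from the hunk counts, since the page has lost the +/- markers.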
@ -34,8 +34,6 @@ limitations under the License.
|
||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
|
||||
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
|
||||
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
|
||||
@ -94,8 +92,6 @@ spec:
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
- name: MARIADB_X509
|
||||
value: "REQUIRE X509"
|
||||
- name: USER_CERT_PATH
|
||||
value: {{ $tlsPath | quote }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/db-init.py
|
||||
@ -119,7 +115,6 @@ spec:
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@ -137,7 +132,6 @@ spec:
|
||||
defaultMode: 0555
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- $local := dict "configMapBinFirst" true -}}
|
||||
|
@ -31,8 +31,6 @@ limitations under the License.
|
||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||
{{- $tlsPath := index . "tlsPath" | default (printf "/etc/%s/certs" $serviceNamePretty ) -}}
|
||||
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
|
||||
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
|
||||
@ -90,7 +88,6 @@ spec:
|
||||
mountPath: {{ $dbToSync.logConfigFile | quote }}
|
||||
subPath: {{ base $dbToSync.logConfigFile | quote }}
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- if $podVolMounts }}
|
||||
{{ $podVolMounts | toYaml | indent 12 }}
|
||||
@ -114,7 +111,6 @@ spec:
|
||||
secret:
|
||||
secretName: {{ $configMapEtc | quote }}
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- if $podVols }}
|
||||
{{ $podVols | toYaml | indent 8 }}
|
||||
|
@ -55,11 +55,11 @@ else:
|
||||
sys.exit(1)
|
||||
|
||||
mysql_x509 = os.getenv('MARIADB_X509', "")
|
||||
ssl_args = {}
|
||||
if mysql_x509:
|
||||
user_tls_cert_path = os.getenv('USER_CERT_PATH', "")
|
||||
if not user_tls_cert_path:
|
||||
logger.critical('environment variable USER_CERT_PATH not set')
|
||||
sys.exit(1)
|
||||
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
|
||||
'key': '/etc/mysql/certs/tls.key',
|
||||
'cert': '/etc/mysql/certs/tls.crt'}}
|
||||
|
||||
# Get the connection string for the service db
|
||||
if "OPENSTACK_CONFIG_FILE" in os.environ:
|
||||
@ -101,13 +101,7 @@ try:
|
||||
host = root_engine_full.url.host
|
||||
port = root_engine_full.url.port
|
||||
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
|
||||
if mysql_x509:
|
||||
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
|
||||
'key': '/etc/mysql/certs/tls.key',
|
||||
'cert': '/etc/mysql/certs/tls.crt'}}
|
||||
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
|
||||
else:
|
||||
root_engine = create_engine(root_engine_url)
|
||||
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
|
||||
connection = root_engine.connect()
|
||||
connection.close()
|
||||
logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
|
||||
@ -118,13 +112,7 @@ except:
|
||||
|
||||
# User DB engine
|
||||
try:
|
||||
if mysql_x509:
|
||||
ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path),
|
||||
'key': '{0}/tls.key'.format(user_tls_cert_path),
|
||||
'cert': '{0}/tls.crt'.format(user_tls_cert_path)}}
|
||||
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
|
||||
else:
|
||||
user_engine = create_engine(user_db_conn)
|
||||
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
|
||||
# Get our user data out of the user_engine
|
||||
database = user_engine.url.database
|
||||
user = user_engine.url.username
|
||||
|
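Review bot: The user engine at L410 is now created with the same `ssl_args` that L316–L322 build from the admin client certificate under `/etc/mysql/certs`, so the service-user connection presents the admin cert rather than a per-user one (the `USER_CERT_PATH` branch at L389–L407 appears to be removed, judging from the hunk counts). A `REQUIRE X509` grant accepts any certificate signed by the trusted CA, so this works today, but a grant tightened to `REQUIRE SUBJECT` or `REQUIRE ISSUER` for the service user would fail at that connect with no hint why; a comment above L410 such as `# the service-user connection presents the admin client cert from /etc/mysql/certs; keep the user's grant at REQUIRE X509` records that constraint. The `/etc/mysql/certs/...` paths are also repeated in the chart templates, so hoisting them into one module-level constant (e.g. `ADMIN_CERT_DIR = '/etc/mysql/certs'`, a constructed name) would keep the script and the mounts from drifting apart. The `try:` opened at L386 is closed outside the hunk; the second script section below carries identical hunks and the same point.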
@ -55,11 +55,11 @@ else:
|
||||
sys.exit(1)
|
||||
|
||||
mysql_x509 = os.getenv('MARIADB_X509', "")
|
||||
ssl_args = {}
|
||||
if mysql_x509:
|
||||
user_tls_cert_path = os.getenv('USER_CERT_PATH', "")
|
||||
if not user_tls_cert_path:
|
||||
logger.critical('environment variable USER_CERT_PATH not set')
|
||||
sys.exit(1)
|
||||
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
|
||||
'key': '/etc/mysql/certs/tls.key',
|
||||
'cert': '/etc/mysql/certs/tls.crt'}}
|
||||
|
||||
# Get the connection string for the service db
|
||||
if "OPENSTACK_CONFIG_FILE" in os.environ:
|
||||
@ -101,13 +101,7 @@ try:
|
||||
host = root_engine_full.url.host
|
||||
port = root_engine_full.url.port
|
||||
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
|
||||
if mysql_x509:
|
||||
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
|
||||
'key': '/etc/mysql/certs/tls.key',
|
||||
'cert': '/etc/mysql/certs/tls.crt'}}
|
||||
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
|
||||
else:
|
||||
root_engine = create_engine(root_engine_url)
|
||||
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
|
||||
connection = root_engine.connect()
|
||||
connection.close()
|
||||
logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
|
||||
@ -118,13 +112,7 @@ except:
|
||||
|
||||
# User DB engine
|
||||
try:
|
||||
if mysql_x509:
|
||||
ssl_args = {'ssl': {'ca': '{0}/ca.crt'.format(user_tls_cert_path),
|
||||
'key': '{0}/tls.key'.format(user_tls_cert_path),
|
||||
'cert': '{0}/tls.crt'.format(user_tls_cert_path)}}
|
||||
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
|
||||
else:
|
||||
user_engine = create_engine(user_db_conn)
|
||||
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
|
||||
# Get our user data out of the user_engine
|
||||
database = user_engine.url.database
|
||||
user = user_engine.url.username
|
||||
|