[mariadb-operator] Fix mariadb TLS

This PS fixed some imcompatibilities of inherited mariadb config with docker-entrypoint.sh script that is now used to perform initial mariadb nodes setup and mariadb-upgrade at startup. Also added x509 requirement for root and audit users connections. Change-Id: Ic5ad2e692b64927fc73962fe0cc250a9d682114c
2024-01-06 02:43:12 +00:00 · 2024-01-06 02:43:12 +00:00 · d0b3f1c1d2
commit d0b3f1c1d2
parent 359ab4b8d7
6 changed files with 27 additions and 27 deletions
--- a/mariadb-cluster/Chart.yaml
+++ b/mariadb-cluster/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v10.6.14
 description: OpenStack-Helm MariaDB controlled by mariadb-operator
 name: mariadb-cluster
-version: 0.0.2
+version: 0.0.3
 home: https://mariadb.com/kb/en/
 icon: http://badges.mariadb.org/mariadb-badge-180x60.png
 sources:
--- a/mariadb-cluster/templates/mariadb.yaml
+++ b/mariadb-cluster/templates/mariadb.yaml
@ -151,29 +151,6 @@ spec:
 {{ end }}

  env:
-    - name: POD_NAMESPACE
-      valueFrom:
-        fieldRef:
-          fieldPath: metadata.namespace
-    {{- if $envAll.Values.manifests.certificates }}
-    - name: MARIADB_X509
-      value: "REQUIRE X509"
-    {{- end }}
-    - name: MARIADB_REPLICAS
-      value: {{ .Values.pod.replicas.server | quote }}
-    - name: POD_NAME_PREFIX
-      value: {{ tuple "oslo_db" "server" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-    - name: DISCOVERY_DOMAIN
-      value: {{ tuple "oslo_db" "discovery" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
-    - name: DIRECT_SVC_NAME
-      value: {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-    - name: MYSQL_DBADMIN_USERNAME
-      value: {{ .Values.endpoints.oslo_db.auth.admin.username }}
-    - name: MYSQL_DBADMIN_PASSWORD
-      valueFrom:
-        secretKeyRef:
-          name: mariadb-dbadmin-password
-          key: MYSQL_DBADMIN_PASSWORD
    - name: MYSQL_HISTFILE
      value: {{ .Values.conf.database.mysql_histfile }}
 {{ if  .Values.conf.database.auto_upgrade.enabled }}
@ -190,6 +167,10 @@ spec:
      mountPath: /etc/mysql/admin_user.cnf
      subPath: admin_user.cnf
      readOnly: true
+    - name: mariadb-secrets
+      mountPath: /docker-entrypoint-initdb.d/privileges.sql
+      subPath: privileges.sql
+      readOnly: true
    - name: mariadb-bin
      mountPath: /tmp/init.sh
      subPath: init.sh
--- a/mariadb-cluster/templates/secrets-etc.yaml
+++ b/mariadb-cluster/templates/secrets-etc.yaml
@ -23,4 +23,5 @@ type: Opaque
 data:
  admin_user.cnf: {{ tuple "secrets/_admin_user.cnf.tpl" . | include "helm-toolkit.utils.template"  | b64enc }}
  admin_user_internal.cnf: {{ tuple "secrets/_admin_user_internal.cnf.tpl" . | include "helm-toolkit.utils.template"  | b64enc }}
+  privileges.sql: {{ tuple "secrets/_privileges.sql.tpl" . | include "helm-toolkit.utils.template"  | b64enc }}
 {{- end }}
--- a/mariadb-cluster/templates/secrets/_privileges.sql.tpl
+++ b/mariadb-cluster/templates/secrets/_privileges.sql.tpl
@ -0,0 +1,20 @@
+###########################################
+# The lines not confirmed to be working with operator are disabled
+###########################################
+# DELETE FROM mysql.user WHERE user != 'mariadb.sys';
+# CREATE OR REPLACE USER '{{ .Values.endpoints.oslo_db.auth.admin.username }}'@'%' IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.admin.password }}';
+{{- if .Values.manifests.certificates }}
+GRANT ALL ON *.* TO '{{ .Values.endpoints.oslo_db.auth.admin.username }}'@'%' REQUIRE X509 WITH GRANT OPTION;
+{{- else }}
+GRANT ALL ON *.* TO '{{ .Values.endpoints.oslo_db.auth.admin.username }}'@'%' WITH GRANT OPTION;
+{{- end }}
+DROP DATABASE IF EXISTS test ;
+# CREATE OR REPLACE USER '{{ .Values.endpoints.oslo_db.auth.sst.username }}'@'127.0.0.1' IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.sst.password }}';
+# GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{{ .Values.endpoints.oslo_db.auth.sst.username }}'@'127.0.0.1' ;
+CREATE OR REPLACE USER '{{ .Values.endpoints.oslo_db.auth.audit.username }}'@'%' IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.audit.password }}';
+{{- if .Values.manifests.certificates }}
+GRANT SELECT ON *.* TO '{{ .Values.endpoints.oslo_db.auth.audit.username }}'@'%' REQUIRE X509;
+{{- else }}
+GRANT SELECT ON *.* TO '{{ .Values.endpoints.oslo_db.auth.audit.username }}'@'%' ;
+{{- end }}
+FLUSH PRIVILEGES ;
--- a/mariadb-cluster/values.yaml
+++ b/mariadb-cluster/values.yaml
@ -368,15 +368,12 @@ conf:

      [client]
      default_character_set=utf8
-      protocol=tcp
-      port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
      {{ if .Values.manifests.certificates }}
      # TLS
      ssl_ca=/etc/mysql/certs/ca.crt
      ssl_key=/etc/mysql/certs/tls.key
      ssl_cert=/etc/mysql/certs/tls.crt
      # tls_version = TLSv1.2,TLSv1.3
-      ssl-verify-server-cert
      {{ end }}

    my: |
--- a/releasenotes/notes/mariadb-cluster.yaml
+++ b/releasenotes/notes/mariadb-cluster.yaml
@ -2,4 +2,5 @@
 mariadb-cluster:
  - 0.0.1 Initial Chart
  - 0.0.2 Enable auto-upgrade
+  - 0.0.3 Fixed TLS config and added x509 requirement
 ...