From d0b3f1c1d27657838f3851e3a88cd43ae5efce7c Mon Sep 17 00:00:00 2001 From: Sergiy Markin Date: Sat, 6 Jan 2024 02:43:12 +0000 Subject: [PATCH] [mariadb-operator] Fix mariadb TLS This PS fixed some incompatibilities of inherited mariadb config with docker-entrypoint.sh script that is now used to perform initial mariadb nodes setup and mariadb-upgrade at startup. Also added x509 requirement for root and audit user connections. Change-Id: Ic5ad2e692b64927fc73962fe0cc250a9d682114c --- mariadb-cluster/Chart.yaml | 2 +- mariadb-cluster/templates/mariadb.yaml | 27 +++---------------- mariadb-cluster/templates/secrets-etc.yaml | 1 + .../templates/secrets/_privileges.sql.tpl | 20 ++++++++++++++ mariadb-cluster/values.yaml | 3 --- releasenotes/notes/mariadb-cluster.yaml | 1 + 6 files changed, 27 insertions(+), 27 deletions(-) create mode 100644 mariadb-cluster/templates/secrets/_privileges.sql.tpl diff --git a/mariadb-cluster/Chart.yaml b/mariadb-cluster/Chart.yaml index aadfc0e13..c6cc0183b 100644 --- a/mariadb-cluster/Chart.yaml +++ b/mariadb-cluster/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v1 appVersion: v10.6.14 description: OpenStack-Helm MariaDB controlled by mariadb-operator name: mariadb-cluster -version: 0.0.2 +version: 0.0.3 home: https://mariadb.com/kb/en/ icon: http://badges.mariadb.org/mariadb-badge-180x60.png sources: diff --git a/mariadb-cluster/templates/mariadb.yaml b/mariadb-cluster/templates/mariadb.yaml index ad030b570..c38f0219f 100644 --- a/mariadb-cluster/templates/mariadb.yaml +++ b/mariadb-cluster/templates/mariadb.yaml 
@@ -151,29 +151,6 @@ spec: {{ end }} env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if $envAll.Values.manifests.certificates }} - - name: MARIADB_X509 - value: "REQUIRE X509" - {{- end }} - - name: MARIADB_REPLICAS - value: {{ .Values.pod.replicas.server | quote }} - - name: POD_NAME_PREFIX - value: {{ tuple "oslo_db" "server" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} - - name: DISCOVERY_DOMAIN - value: {{ tuple "oslo_db" "discovery" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} - - name: DIRECT_SVC_NAME - value: {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} - - name: MYSQL_DBADMIN_USERNAME - value: {{ .Values.endpoints.oslo_db.auth.admin.username }} - - name: MYSQL_DBADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: mariadb-dbadmin-password - key: MYSQL_DBADMIN_PASSWORD - name: MYSQL_HISTFILE value: {{ .Values.conf.database.mysql_histfile }} {{ if .Values.conf.database.auto_upgrade.enabled }} @@ -190,6 +167,10 @@ spec: mountPath: /etc/mysql/admin_user.cnf subPath: admin_user.cnf readOnly: true + - name: mariadb-secrets + mountPath: /docker-entrypoint-initdb.d/privileges.sql + subPath: privileges.sql + readOnly: true - name: mariadb-bin mountPath: /tmp/init.sh subPath: init.sh diff --git a/mariadb-cluster/templates/secrets-etc.yaml b/mariadb-cluster/templates/secrets-etc.yaml index 9dac3eb1b..51bafd322 100644 --- a/mariadb-cluster/templates/secrets-etc.yaml +++ b/mariadb-cluster/templates/secrets-etc.yaml @@ -23,4 +23,5 @@ type: Opaque data: admin_user.cnf: {{ tuple "secrets/_admin_user.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }} admin_user_internal.cnf: {{ tuple "secrets/_admin_user_internal.cnf.tpl" . | include "helm-toolkit.utils.template" | b64enc }} + privileges.sql: {{ tuple "secrets/_privileges.sql.tpl" . | include "helm-toolkit.utils.template" | b64enc }} {{- end }} 
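Review bot: The new `/docker-entrypoint-initdb.d/privileges.sql` mount is only consulted on first initialisation — in the upstream MariaDB image, docker-entrypoint.sh runs initdb scripts solely when the datadir is empty — so clusters already deployed with chart 0.0.2 keep their existing grants and never receive the `REQUIRE X509` requirement or the audit user that file creates, and toggling `manifests.certificates` later changes nothing on initialised nodes. The hunk says nothing about how existing clusters are migrated, while the first hunk of this file removes the old `MARIADB_X509` env path they may have relied on. I would add a comment above the mount, `# Executed by docker-entrypoint.sh only when the datadir is empty; existing clusters must apply these grants out of band.`, or have init.sh apply the file on every start if that is the intent. The container spec this mount belongs to starts and ends outside the hunk.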
diff --git a/mariadb-cluster/templates/secrets/_privileges.sql.tpl b/mariadb-cluster/templates/secrets/_privileges.sql.tpl
new file mode 100644
index 000000000..01d3f9a66
--- /dev/null
+++ b/mariadb-cluster/templates/secrets/_privileges.sql.tpl
@@ -0,0 +1,20 @@
+###########################################
+# The lines not confirmed to be working with operator are disabled
+###########################################
+# DELETE FROM mysql.user WHERE user != 'mariadb.sys';
+# CREATE OR REPLACE USER '{{ .Values.endpoints.oslo_db.auth.admin.username }}'@'%' IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.admin.password }}';
+{{- if .Values.manifests.certificates }}
+GRANT ALL ON *.* TO '{{ .Values.endpoints.oslo_db.auth.admin.username }}'@'%' REQUIRE X509 WITH GRANT OPTION;
+{{- else }}
+GRANT ALL ON *.* TO '{{ .Values.endpoints.oslo_db.auth.admin.username }}'@'%' WITH GRANT OPTION;
+{{- end }}
+DROP DATABASE IF EXISTS test ;
+# CREATE OR REPLACE USER '{{ .Values.endpoints.oslo_db.auth.sst.username }}'@'127.0.0.1' IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.sst.password }}';
+# GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{{ .Values.endpoints.oslo_db.auth.sst.username }}'@'127.0.0.1' ;
+CREATE OR REPLACE USER '{{ .Values.endpoints.oslo_db.auth.audit.username }}'@'%' IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.audit.password }}';
+{{- if .Values.manifests.certificates }}
+GRANT SELECT ON *.* TO '{{ .Values.endpoints.oslo_db.auth.audit.username }}'@'%' REQUIRE X509;
+{{- else }}
+GRANT SELECT ON *.* TO '{{ .Values.endpoints.oslo_db.auth.audit.username }}'@'%' ;
+{{- end }}
+FLUSH PRIVILEGES ;
diff --git a/mariadb-cluster/values.yaml b/mariadb-cluster/values.yaml
index 075f5c420..509108a72 100644
--- a/mariadb-cluster/values.yaml
+++ b/mariadb-cluster/values.yaml 
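Review bot: `.Values.endpoints.oslo_db.auth.*.password` and `.username` are interpolated verbatim into SQL string literals in the `CREATE OR REPLACE USER` and `GRANT` statements, so a value containing `'` or `\` (generated secrets easily do) either breaks the statement or makes it parse differently, and this file runs with full privileges during bootstrap. Escape at render time, e.g. `IDENTIFIED BY '{{ .Values.endpoints.oslo_db.auth.audit.password | replace "\\" "\\\\" | replace "'" "''" }}'`, and apply the same filter to the usernames and the admin GRANT lines. Two properties worth stating in a comment at the top of the file: `REQUIRE X509` only demands that the client present some certificate chaining to the configured CA, not a specific identity (`REQUIRE SUBJECT`/`ISSUER` would pin one), and `GRANT SELECT ON *.*` for the audit account also covers the `mysql` system schema, so that account can read every other account's stored authentication data. In the `else` branch the admin account keeps `ALL ... WITH GRANT OPTION` on `'%'` with no transport requirement, which is presumably intended when `manifests.certificates` is off but should be said explicitly; note also that the admin GRANT assumes the account already exists, since its `CREATE OR REPLACE USER` line is commented out.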
@@ -368,15 +368,12 @@ conf: [client] default_character_set=utf8 - protocol=tcp - port={{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} {{ if .Values.manifests.certificates }} # TLS ssl_ca=/etc/mysql/certs/ca.crt ssl_key=/etc/mysql/certs/tls.key ssl_cert=/etc/mysql/certs/tls.crt # tls_version = TLSv1.2,TLSv1.3 - ssl-verify-server-cert {{ end }} my: | diff --git a/releasenotes/notes/mariadb-cluster.yaml b/releasenotes/notes/mariadb-cluster.yaml index fac57aeca..419f0d28f 100644 --- a/releasenotes/notes/mariadb-cluster.yaml +++ b/releasenotes/notes/mariadb-cluster.yaml @@ -2,4 +2,5 @@ mariadb-cluster: - 0.0.1 Initial Chart - 0.0.2 Enable auto-upgrade + - 0.0.3 Fixed TLS config and added x509 requirement ...
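Review bot: Dropping `ssl-verify-server-cert` from the shared `[client]` section disables server-certificate verification for every mysql client that reads this file, not just the docker-entrypoint.sh bootstrap the commit message cites, so with TLS enabled a client will accept any certificate and the `REQUIRE X509` added elsewhere in this change only protects the server side. If the entrypoint's local connection is what conflicts (a hostname mismatch on a localhost or socket connection is the usual cause, though the reason is not visible here), keep `ssl-verify-server-cert` inside the `{{ if .Values.manifests.certificates }}` guard and override it only for that connection with `--skip-ssl-verify-server-cert`, or at minimum leave a comment such as `# NOTE: server cert verification disabled because docker-entrypoint.sh bootstrap connects locally; do not rely on this file for remote clients` explaining the removal. Removing `protocol=tcp` and `port=` additionally switches localhost connections to the Unix socket by default, which may be exactly what the entrypoint needs but affects any script that relied on TCP. The literal block containing `[client]` begins above the hunk.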