feat(tls): add tls to mariadb exporter charts

This patchset updates the .cnf files to support tls and mount
the certificates where needed.

Change-Id: I5aff6821f2649f55dd4444896379491b504415bb
This commit is contained in:
Gupta, Sangeet (sg774j) 2020-07-27 21:08:33 +00:00
parent 802655703e
commit d458e888a9
8 changed files with 29 additions and 1 deletions

View File

@ -121,6 +121,7 @@ spec:
mountPath: /etc/mysql/admin_user.cnf mountPath: /etc/mysql/admin_user.cnf
subPath: admin_user.cnf subPath: admin_user.cnf
readOnly: true readOnly: true
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
restartPolicy: OnFailure restartPolicy: OnFailure
serviceAccount: {{ $serviceAccountName }} serviceAccount: {{ $serviceAccountName }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}
@ -145,4 +146,5 @@ spec:
type: DirectoryOrCreate type: DirectoryOrCreate
name: mariadb-backup-dir name: mariadb-backup-dir
{{- end }} {{- end }}
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }} {{- end }}

View File

@ -18,7 +18,7 @@ set -e
if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \ if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
"CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \ "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%'; \ GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
FLUSH PRIVILEGES;" ; then FLUSH PRIVILEGES;" ; then
echo "ERROR: Could not create user: ${EXPORTER_USER}" echo "ERROR: Could not create user: ${EXPORTER_USER}"
exit 1 exit 1

View File

@ -93,6 +93,7 @@ spec:
mountPath: /tmp/mysqld-exporter.sh mountPath: /tmp/mysqld-exporter.sh
subPath: mysqld-exporter.sh subPath: mysqld-exporter.sh
readOnly: true readOnly: true
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
@ -104,4 +105,5 @@ spec:
configMap: configMap:
name: mysql-exporter-bin name: mysql-exporter-bin
defaultMode: 0555 defaultMode: 0555
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }} {{- end }}

View File

@ -59,6 +59,10 @@ spec:
secretKeyRef: secretKeyRef:
name: mysql-exporter-secrets name: mysql-exporter-secrets
key: EXPORTER_PASSWORD key: EXPORTER_PASSWORD
{{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509
value: "REQUIRE X509"
{{- end }}
volumeMounts: volumeMounts:
- name: pod-tmp - name: pod-tmp
mountPath: /tmp mountPath: /tmp
@ -70,6 +74,7 @@ spec:
mountPath: /etc/mysql/admin_user.cnf mountPath: /etc/mysql/admin_user.cnf
subPath: admin_user.cnf subPath: admin_user.cnf
readOnly: true readOnly: true
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
@ -81,4 +86,5 @@ spec:
secret: secret:
secretName: mariadb-secrets secretName: mariadb-secrets
defaultMode: 0444 defaultMode: 0444
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }} {{- end }}

View File

@ -17,3 +17,9 @@ user = {{ .Values.endpoints.oslo_db.auth.exporter.username }}
password = {{ .Values.endpoints.oslo_db.auth.exporter.password }} password = {{ .Values.endpoints.oslo_db.auth.exporter.password }}
host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- if .Values.manifests.certificates -}}
ssl-ca = /etc/mysql/certs/ca.crt
ssl-key = /etc/mysql/certs/tls.key
ssl-cert = /etc/mysql/certs/tls.crt
{{- end -}}

View File

@ -61,6 +61,7 @@ spec:
{{ fail "Either 'direct' or 'internal' should be specified for .Values.conf.tests.endpoint" }} {{ fail "Either 'direct' or 'internal' should be specified for .Values.conf.tests.endpoint" }}
{{ end }} {{ end }}
readOnly: true readOnly: true
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
@ -72,4 +73,5 @@ spec:
secret: secret:
secretName: mariadb-secrets secretName: mariadb-secrets
defaultMode: 0444 defaultMode: 0444
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }} {{- end }}

View File

@ -17,3 +17,8 @@ user = {{ .Values.endpoints.oslo_db.auth.admin.username }}
password = {{ .Values.endpoints.oslo_db.auth.admin.password }} password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- if .Values.manifests.certificates -}}
ssl-ca = /etc/mysql/certs/ca.crt
ssl-key = /etc/mysql/certs/tls.key
ssl-cert = /etc/mysql/certs/tls.crt
{{- end -}}

View File

@ -17,3 +17,8 @@ user = {{ .Values.endpoints.oslo_db.auth.admin.username }}
password = {{ .Values.endpoints.oslo_db.auth.admin.password }} password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
host = {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} host = {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
port = {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port = {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- if .Values.manifests.certificates -}}
ssl-ca = /etc/mysql/certs/ca.crt
ssl-key = /etc/mysql/certs/tls.key
ssl-cert = /etc/mysql/certs/tls.crt
{{- end -}}