feat(tls): add tls to mariadb exporter charts
This patchset updates the .cnf files to support TLS and mounts the certificates where needed.
Change-Id: I5aff6821f2649f55dd4444896379491b504415bb
parent
802655703e
commit
d458e888a9
@ -121,6 +121,7 @@ spec:
|
|||||||
mountPath: /etc/mysql/admin_user.cnf
|
mountPath: /etc/mysql/admin_user.cnf
|
||||||
subPath: admin_user.cnf
|
subPath: admin_user.cnf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
serviceAccount: {{ $serviceAccountName }}
|
serviceAccount: {{ $serviceAccountName }}
|
||||||
serviceAccountName: {{ $serviceAccountName }}
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
@ -145,4 +146,5 @@ spec:
|
|||||||
type: DirectoryOrCreate
|
type: DirectoryOrCreate
|
||||||
name: mariadb-backup-dir
|
name: mariadb-backup-dir
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
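Review bot: The secret mounted at `/etc/mysql/certs` is `secrets.tls.oslo_db.server.internal`, which by its name looks like the database server's own certificate and key, and the .cnf changes in this commit point `ssl-key` at `tls.key` under that path. If that reading is right, this pod and the other pod templates that gain the same `tls_volume_mount` / `tls_volume` lines below all hold the server's private key, so a compromise of any one of them would expose the key that identifies the database to its clients. A dedicated client certificate secret per consumer (for example a values key such as `secrets.tls.oslo_db.client.<consumer>`, an illustrative placeholder and not an existing key) would keep the server key confined to the server pods. The container and volume lists continue outside these hunks.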
|
@ -18,7 +18,7 @@ set -e
|
|||||||
|
|
||||||
if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
|
if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
|
||||||
"CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
|
"CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
|
||||||
GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%'; \
|
GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
|
||||||
FLUSH PRIVILEGES;" ; then
|
FLUSH PRIVILEGES;" ; then
|
||||||
echo "ERROR: Could not create user: ${EXPORTER_USER}"
|
echo "ERROR: Could not create user: ${EXPORTER_USER}"
|
||||||
exit 1
|
exit 1
|
||||||
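Review bot: `REQUIRE X509` on the changed GRANT line (`... TO '${EXPORTER_USER}'@'%' ${MARIADB_X509};`) only obliges the client to present a certificate that validates against the server's CA; it does not bind the account to the exporter's certificate, so any workload holding a certificate from that CA satisfies it together with the password. If the exporter certificate has a stable subject, `REQUIRE SUBJECT '<exporter cert subject>'` (placeholder value) would be tighter. The variable is only defined when certificates are enabled, so writing it as `${MARIADB_X509:-}` keeps the script working should `set -u` ever be added next to the visible `set -e`. The `if` block continues outside the hunk.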
|
@ -93,6 +93,7 @@ spec:
|
|||||||
mountPath: /tmp/mysqld-exporter.sh
|
mountPath: /tmp/mysqld-exporter.sh
|
||||||
subPath: mysqld-exporter.sh
|
subPath: mysqld-exporter.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
@ -104,4 +105,5 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: mysql-exporter-bin
|
name: mysql-exporter-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -59,6 +59,10 @@ spec:
|
|||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: mysql-exporter-secrets
|
name: mysql-exporter-secrets
|
||||||
key: EXPORTER_PASSWORD
|
key: EXPORTER_PASSWORD
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
- name: MARIADB_X509
|
||||||
|
value: "REQUIRE X509"
|
||||||
|
{{- end }}
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
mountPath: /tmp
|
mountPath: /tmp
|
||||||
@ -70,6 +74,7 @@ spec:
|
|||||||
mountPath: /etc/mysql/admin_user.cnf
|
mountPath: /etc/mysql/admin_user.cnf
|
||||||
subPath: admin_user.cnf
|
subPath: admin_user.cnf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
@ -81,4 +86,5 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: mariadb-secrets
|
secretName: mariadb-secrets
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -17,3 +17,9 @@ user = {{ .Values.endpoints.oslo_db.auth.exporter.username }}
|
|||||||
password = {{ .Values.endpoints.oslo_db.auth.exporter.password }}
|
password = {{ .Values.endpoints.oslo_db.auth.exporter.password }}
|
||||||
host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||||
port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
ssl-ca = /etc/mysql/certs/ca.crt
|
||||||
|
ssl-key = /etc/mysql/certs/tls.key
|
||||||
|
ssl-cert = /etc/mysql/certs/tls.crt
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
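Review bot: The right-hand dash in `{{- if .Values.manifests.certificates -}}` trims the newline in front of `ssl-ca`, while the left-hand `{{-` already trims the newline after the `port = ...` line, so as shown the rendered file would join the port value and `ssl-ca = /etc/mysql/certs/ca.crt` on a single line. Dropping the trailing dash, `{{- if .Values.manifests.certificates }}` and `{{- end }}`, leaves each option on its own line. The same pattern appears in the two admin .cnf hunks further down. Separately, none of the three files sets `ssl-verify-server-cert`, so whether the client checks the server's identity depends on the client's default; stating it explicitly would make the intent clear, provided the certificate names match the `host` value rendered above.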
|
@ -61,6 +61,7 @@ spec:
|
|||||||
{{ fail "Either 'direct' or 'internal' should be specified for .Values.conf.tests.endpoint" }}
|
{{ fail "Either 'direct' or 'internal' should be specified for .Values.conf.tests.endpoint" }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
@ -72,4 +73,5 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: mariadb-secrets
|
secretName: mariadb-secrets
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_db.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -17,3 +17,8 @@ user = {{ .Values.endpoints.oslo_db.auth.admin.username }}
|
|||||||
password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
|
password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
|
||||||
host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
host = {{ tuple "oslo_db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||||
port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
ssl-ca = /etc/mysql/certs/ca.crt
|
||||||
|
ssl-key = /etc/mysql/certs/tls.key
|
||||||
|
ssl-cert = /etc/mysql/certs/tls.crt
|
||||||
|
{{- end -}}
|
||||||
|
@ -17,3 +17,8 @@ user = {{ .Values.endpoints.oslo_db.auth.admin.username }}
|
|||||||
password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
|
password = {{ .Values.endpoints.oslo_db.auth.admin.password }}
|
||||||
host = {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
|
host = {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
|
||||||
port = {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
port = {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
ssl-ca = /etc/mysql/certs/ca.crt
|
||||||
|
ssl-key = /etc/mysql/certs/tls.key
|
||||||
|
ssl-cert = /etc/mysql/certs/tls.crt
|
||||||
|
{{- end -}}
|
||||||
|