From e7abfee16da68ccf460152fafb293ddb38b3f36e Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Sat, 29 Jul 2017 15:58:59 -0500
Subject: [PATCH] MariaDB: Update start script to be more robust

This PS updates the MariaDB start script remove templated values from being directly inserted into the script. It also moves the root connection params to a secret to prevent the root password being exposed in logs.

Change-Id: I10977ef267877a5913bf265280ff5439c7bf268c
---
 mariadb/templates/bin/_readiness.sh.tpl | 2 +-
 mariadb/templates/bin/_start.sh.tpl | 51 +++++++++----------
 mariadb/templates/etc/_00-base.cnf.tpl | 2 -
 mariadb/templates/secrets-etc.yaml | 24 +++++++++
 mariadb/templates/secrets/_admin_user.cnf.tpl | 19 +++++++
 mariadb/templates/statefulset.yaml | 14 ++++-
 6 files changed, 80 insertions(+), 32 deletions(-)
 create mode 100644 mariadb/templates/secrets-etc.yaml
 create mode 100644 mariadb/templates/secrets/_admin_user.cnf.tpl

diff --git a/mariadb/templates/bin/_readiness.sh.tpl b/mariadb/templates/bin/_readiness.sh.tpl
index e13c3b86ac..a761f7de4b 100644
--- a/mariadb/templates/bin/_readiness.sh.tpl
+++ b/mariadb/templates/bin/_readiness.sh.tpl
@@ -16,7 +16,7 @@
 set -o pipefail
-MYSQL="mysql -u root --password=${MYSQL_ROOT_PASSWORD}"
+MYSQL="mysql --defaults-file=/etc/mysql/admin_user.cnf --host=localhost"
 if [ ! $($MYSQL -e 'select 1') ]; then
 echo "Could not SELECT 1" 1>&2
diff --git a/mariadb/templates/bin/_start.sh.tpl b/mariadb/templates/bin/_start.sh.tpl
index 9442bf30cd..6ecff20b81 100644
--- a/mariadb/templates/bin/_start.sh.tpl
+++ b/mariadb/templates/bin/_start.sh.tpl
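Review bot: In `_readiness.sh.tpl` the probe still branches on the shape of the client's stdout rather than on its exit status: `[ ! $($MYSQL -e 'select 1') ]` word-splits whatever `mysql` prints, and on success that is likely two words (column header and value), which `[` rejects as malformed instead of evaluating cleanly. Testing the status directly is simpler and quieter: `if ! $MYSQL -e 'select 1' >/dev/null; then`. The root password now lives in `/etc/mysql/admin_user.cnf`, whose mount is not visible in this hunk, so it is worth confirming that the secret volume is read-only with a restrictive file mode. The `if` block continues past the end of the hunk.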
@@ -13,38 +13,41 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
-# Bootstrap database
-#
-CLUSTER_INIT_ARGS=
+set -xe
+# Bootstrap database
+CLUSTER_INIT_ARGS=""
 if [ ! -d /var/lib/mysql/mysql ]; then
 if [ "x${POD_NAME}" = "x${SERVICE_NAME}-0" ]; then
 echo No data found for pod 0
- if [ "xtrue" = "x{{ .Values.force_bootstrap }}" ]; then
- echo force_bootstrap set, so will force-initialize node 0.
+ if [ "x${FORCE_BOOTSTRAP}" = "xtrue" ]; then
+ echo 'force_bootstrap set, so will force-initialize node 0.'
 CLUSTER_INIT_ARGS=--wsrep-new-cluster
- elif ! mysql -h ${SERVICE_NAME} -u root --password=${MYSQL_ROOT_PASSWORD} -e 'select 1'; then
- echo No other nodes found, so will initialize cluster.
+ elif ! mysql --defaults-file=/etc/mysql/admin_user.cnf \
+ --connect-timeout 2 \
+ -e 'select 1'; then
+ echo 'No other nodes found, so will initialize cluster.'
 CLUSTER_INIT_ARGS=--wsrep-new-cluster
 else
- echo Found other live nodes, will attempt to join them.
+ echo 'Found other live nodes, will attempt to join them.'
 mkdir /var/lib/mysql/mysql
 fi
 else
- echo Not pod 0, so will avoid upstream database initialization.
+ echo 'Not pod 0, so will avoid upstream database initialization.'
 mkdir /var/lib/mysql/mysql
 fi
 fi
-#
 # Construct cluster config
-#
 CLUSTER_CONFIG_PATH=/etc/mysql/conf.d/10-cluster-config.cnf
-MEMBERS=
-for i in $(seq 1 {{ .Values.pod.replicas.server }}); do
- NUM=$(expr $i - 1)
+MEMBERS=""
+for i in $(seq 1 ${MARIADB_REPLICAS}); do
+ if [ "$i" -eq "1" ]; then
+ NUM="0"
+ else
+ NUM="$(expr $i - 1)"
+ fi
 CANDIDATE_POD="${SERVICE_NAME}-$NUM.${DISCOVERY_SERVICE_NAME}"
 if [ "x${CANDIDATE_POD}" != "x${POD_NAME}.${DISCOVERY_SERVICE_NAME}" ]; then
 if [ -n "${MEMBERS}" ]; then
@@ -54,22 +57,14 @@ for i in $(seq 1 {{ .Values.pod.replicas.server }}); do
 fi
 done
-echo
-echo Writing cluster config for ${POD_NAME} to ${CLUSTER_CONFIG_PATH}
-echo vvv
-
-cat <> ${CLUSTER_CONFIG_PATH} <
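Review bot: In the first `_start.sh.tpl` hunk, every failure of the `mysql` probe in the `elif` is read as "no other nodes", so a missing or unreadable `/etc/mysql/admin_user.cnf`, rejected credentials, or a peer slower than the 2-second timeout all send pod 0 down the `--wsrep-new-cluster` path. Since `-h ${SERVICE_NAME}` was dropped, the target host must now come from that file, which this hunk does not show; I would fail closed before probing with `[ -r /etc/mysql/admin_user.cnf ] || exit 1` and confirm the file names the service host. `set -xe` also traces every expanded command into the pod log, which works against the commit's stated aim if any later line (outside this hunk) expands the root password; `set -e` alone avoids that. The `if [ "$i" -eq "1" ]` special case appears to exist only because `expr` exits 1 on a zero result under `set -e`, and `NUM=$((i - 1))` would replace it; the `for` loop itself continues past the end of this hunk.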