[bitnami/mariadb] feat: Add Transparent Data Encryption support (#31706)

* feat: Add Transparent Data Encryption support

Signed-off-by: Derek Robson <derek.robson@gmail.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* fix markdown linting errors

Signed-off-by: Derek Robson <derek.robson@gmail.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* fix: helm linting type errors for TDE parameters

Signed-off-by: Derek Robson <derek.robson@gmail.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

---------

Signed-off-by: Derek Robson <derek.robson@gmail.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Signed-off-by: djr747 <59297681+djr747@users.noreply.github.com>
Signed-off-by: Carlos Rodríguez Hernández <carlos.rodriguez-hernandez@broadcom.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Carlos Rodríguez Hernández <carlos.rodriguez-hernandez@broadcom.com>
This commit is contained in:
djr747
2025-02-19 04:09:51 -05:00
committed by GitHub
parent 0e8c150374
commit 486712d975
9 changed files with 2511 additions and 173 deletions

View File

@@ -1,8 +1,13 @@
# Changelog
## 20.2.4 (2025-02-17)
## 20.3.0 (2025-02-18)
* [bitnami/mariadb] chore(resources): Increase primary resources ([#31959](https://github.com/bitnami/charts/pull/31959))
* [bitnami/mariadb] feat: Add Transparent Data Encryption support ([#31706](https://github.com/bitnami/charts/pull/31706))
## <small>20.2.4 (2025-02-17)</small>
* [bitnami/*] Use CDN url for the Bitnami Application Icons (#31881) ([d9bb11a](https://github.com/bitnami/charts/commit/d9bb11a9076b9bfdcc70ea022c25ef50e9713657)), closes [#31881](https://github.com/bitnami/charts/issues/31881)
* [bitnami/mariadb] chore(resources): Increase primary resources (#31959) ([04f85f5](https://github.com/bitnami/charts/commit/04f85f5b9d464b8f9670affa339ab277692308ad)), closes [#31959](https://github.com/bitnami/charts/issues/31959)
## <small>20.2.3 (2025-02-05)</small>
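Review bot: the new `20.3.0` block lists `chore(resources): Increase primary resources (#31959)` even though the same change is already recorded under `20.2.4` two lines below; a changelog entry belongs under exactly one version, so drop the 20.3.0 copy and keep only the TDE line there. The two 20.3.0 entries also lack the commit hash and `closes` suffix that every older entry carries; if the release bot rewrites them on publish that is fine, otherwise align the format now.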

View File

@@ -34,4 +34,4 @@ maintainers:
name: mariadb
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/mariadb
version: 20.2.4
version: 20.3.0

View File

@@ -166,6 +166,44 @@ You can manually create the required TLS certificates or relying on the chart au
- Using Helm capabilities. Enable this feature by setting `tls.autoGenerated.enabled` to `true` and `tls.autoGenerated.engine` to `helm`.
- Relying on CertManager (please note it's required to have CertManager installed in your K8s cluster). Enable this feature by setting `tls.autoGenerated.enabled` to `true` and `tls.autoGenerated.engine` to `cert-manager`. Please note it's supported to use an existing Issuer/ClusterIssuer for issuing the TLS certificates by setting the `tls.autoGenerated.certManager.existingIssuer` and `tls.autoGenerated.certManager.existingIssuerKind` parameters.
### Securing data at rest using Transparent Data Encryption
This chart supports encrypting data at rest using Transparent Data Encryption (TDE). To enable this feature, set the `tde.enabled`.
The chart supports two different ways to enable TDE:
- Using Kubernetes secret to store the encryption keys. Enable this feature by setting `tde.enabled` to `true` and `tde.existingSecret` to the name of the secret containing the random key and the encrypted TDE key.
- Using the Secrets Store CSI Driver to store the encryption keys. Enable this feature by setting `tde.enabled` to `true` and `tde.secretsStoreProvider.enabled` to `true`. Currently only the `vault` provider is supported and requires further parameters to be set for secret keys and paths to the encryption keys.
To simplify the configuration the chart defaults most configuration values for TDE and [file key management encryption plugin](https://mariadb.com/kb/en/file-key-management-encryption-plugin/). For more information, on creating the required keys to enable TDE please refer to the mariaDB blog post [here](https://mariadb.com/resources/blog/mariadb-encryption-tde-using-mariadbs-file-key-management-encryption-plugin/).
> NOTE: The `tde.enabled` parameter impacts recoverability of the MariaDB data. If you enable TDE, the MariaDB data cannot be recovered if your encryption keys are lost. Always backup your encryption keys and store in a secure location outside of the cluster.
#### Using Kubernetes secret to store the encryption keys
To enable TDE using Kubernetes secret, create a secret containing the random key and the encrypted TDE key.
```console
kubectl create secret generic mariadb-tde-secret --namespace=mariadb \
--from-file=./mariadb/encryption/keyfile.key \
--from-file=./mariadb/encryption/keyfile.enc
```
#### Using the Secrets Store CSI Driver to store the encryption keys in Hashicorp Vault
To enable TDE using the Secrets Store CSI Driver, create a secret containing the random key and the encrypted TDE key. When using the Secrets Store CSI Driver, the `tde.secretsStoreProvider.vault` parameters should be configured. Secrets in Hashicorp Vault are used to store the random key and the encrypted TDE key. The key files must be stored as base64 encoded values.
```console
export KEYFILE_KEY=$(cat ./mariadb/encryption/keyfile.key|base64)
export KEYFILE_ENC=$(cat ./mariadb/encryption/keyfile.enc|base64)
vault kv put secrets-kv/keyfile key="$KEYFILE_KEY" enc="$KEYFILE_ENC"
```
The `SecretProviderClass` for `vault` at minimum requires the `tde.secretsStoreProvider.vault.roleName`, `tde.secretsStoreProvider.vault.*KeySecretPath` and `tde.secretsStoreProvider.vault.*SecretKey` parameters to be set for the secret values to properly be mounted.
>NOTE: This guide does not include configuration for the Secrets Store CSI Driver or Hashicorp Vault provider which are prerequisites for enabling TDE with the Secrets Store CSI Driver.
### Sidecars and Init Containers
If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter.
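Review bot: the sentence "To enable this feature, set the `tde.enabled`." is cut off; it should read "set `tde.enabled` to `true` and provide the key files through one of the two mechanisms below". In the Vault snippet, `cat ./mariadb/encryption/keyfile.enc|base64` on GNU coreutils wraps output at 76 columns, so values longer than 57 bytes are stored with embedded newlines; use `base64 -w0` (or `base64 | tr -d '\n'`) so the `encoding: base64` decode in the SecretProviderClass never depends on the decoder tolerating line breaks. The Vault subsection also opens with "create a secret containing the random key and the encrypted TDE key", copied from the Kubernetes-secret subsection; say "store both key files in Vault" instead. Finally, the `kubectl create secret --from-file` example only works because the secret key defaults to the file basename, which must equal `tde.randomKeyFilename` / `tde.encryptedKeyFilename`; state that requirement next to the command.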
@@ -301,6 +339,33 @@ As an alternative, this chart supports using an initContainer to change the owne
| `tls.autoGenerated.certManager.duration` | Duration for the certificates (only for `cert-manager` engine) | `2160h` |
| `tls.autoGenerated.certManager.renewBefore` | Renewal period for the certificates (only for `cert-manager` engine) | `360h` |
### Transparent Data Encryption parameters
| Name | Description | Value |
| ------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| `tde.enabled` | Enable Transparent Data Encryption using the File Key Management Encryption Plugin for MariaDB | `false` |
| `tde.existingSecret` | Existing secret that contains Transparent Data Encryption key files used when secretsStoreProvider is not enabled | `""` |
| `tde.randomKeyFilename` | File name of the 'random keyfile' when it is different from the default (keyfile.key), is also used for key name in the existingSecret | `keyfile.key` |
| `tde.encryptedKeyFilename` | File name of the 'encrypted keyfile' when it is different from the default (keyfile.enc), is also used for key name in the existingSecret | `keyfile.enc` |
| `tde.fileKeyManagementEncryptionAlgorithm` | Encryption algorithm used for encrypting data (allowed values: AES_CTR, AES_CBC | default: AES_CTR) | `AES_CTR` |
| `tde.innodbEncryptTables` | Enables automatic encryption of all InnoDB tablespaces (allowed values: FORCE, ON, OFF | default: FORCE) | `FORCE` |
| `tde.innodbEncryptLog` | Enables encryption of the InnoDB redo log (allowed values: ON, OFF | default: ON) | `ON` |
| `tde.innodbEncryptTemporaryTables` | Enables automatic encryption of the InnoDB temporary tablespace (allowed values: ON, OFF | default: ON) | `ON` |
| `tde.innodbEncryptionThreads` | Number of threads to use for encryption (default: 4) | `4` |
| `tde.encryptTmpDiskTables` | Enables automatic encryption of all internal on-disk temporary tables that are created during query execution (allowed values: ON, OFF | default: ON) | `ON` |
| `tde.encryptTmpTiles` | Enables automatic encryption of temporary files, such as those created for filesort operations, binary log file caches, etc. (allowed values: ON, OFF | default: ON) | `ON` |
| `tde.encryptBINLOG` | Enables encrypting binary logs including relay logs (allowed values: ON, OFF | default: ON) | `ON` |
| `tde.ariaEncryptTables` | Enables automatic encryption of all Aria tablespaces (allowed values: ON, OFF | default: ON) | `ON` |
| `tde.secretsStoreProvider.enabled` | Enable use of secrets store provider for Transparent Data Encryption key files | `false` |
| `tde.secretsStoreProvider.provider` | Type of provider used in secrets store provider class (allowed values: vault) | `vault` |
| `tde.secretsStoreProvider.vault.roleName` | The name of the HashiCorp Vault role used for accessing the key files (only for `vault` provider) | `""` |
| `tde.secretsStoreProvider.vault.address` | The URL of the HashiCorp Vault server (only for `vault` provider) | `""` |
| `tde.secretsStoreProvider.vault.authMountPath` | The HashiCorp Vault auth mount path (only for `vault` provider) | `""` |
| `tde.secretsStoreProvider.vault.randomKeySecretPath` | The HashiCorp Vault secret path for the 'random keyfile' (only for `vault` provider) | `""` |
| `tde.secretsStoreProvider.vault.randomKeySecretKey` | The HashiCorp Vault secret key for the 'random keyfile' (only for `vault` provider) | `""` |
| `tde.secretsStoreProvider.vault.encryptedKeySecretPath` | The HashiCorp Vault secret path for the 'encrypted keyfile' (only for `vault` provider) | `""` |
| `tde.secretsStoreProvider.vault.encryptedKeySecretKey` | The HashiCorp Vault secret key for the 'encrypted keyfile' (only for `vault` provider) | `""` |
### MariaDB Primary parameters
| Name | Description | Value |
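Review bot: the description cells from `tde.fileKeyManagementEncryptionAlgorithm` down to `tde.ariaEncryptTables` contain an unescaped `|` ("AES_CTR, AES_CBC | default: AES_CTR"), which Markdown reads as a column separator and shifts the Value column; write `\|` or reword as "(AES_CTR or AES_CBC; default AES_CTR)". This table is generated from the `@param` comments in values.yaml, so fix the wording there. Also `tde.encryptTmpTiles` is a typo for `encryptTmpFiles` (it feeds `encrypt_tmp_files`) and `tde.encryptBINLOG` breaks the camelCase of every other key (`encryptBinlog`); these are user-facing value names that cannot be renamed later without a breaking change, so fix them before 20.3.0 ships.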

View File

@@ -219,3 +219,10 @@ Get existing password to access MariaDB
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Generate TDE secretProviderClass custom resource name
*/}}
{{- define "mariadb.tde.secretProviderClassName" -}}
{{- printf "%s-spc-tde" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}

View File

@@ -313,6 +313,10 @@ spec:
- name: cert
mountPath: /opt/bitnami/mariadb/certs
{{- end }}
{{- if .Values.tde.enabled }}
- name: tde
mountPath: /opt/bitnami/mariadb/tde
{{- end }}
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
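Review bot: the new `tde` volumeMount has no `readOnly: true`, while the CSI-backed variant of the same volume sets `readOnly` at the volume level only; add `readOnly: true` on the mount in both cases. Kubernetes already mounts secret volumes read-only, but the explicit flag documents the intent, matches the `defaultMode: 256` on the volume, and keeps the key files read-only if the backing volume type changes.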
@@ -430,6 +434,24 @@ spec:
secretName: {{ include "mariadb.tlsSecretName" . }}
defaultMode: 256
{{- end }}
{{- if and .Values.tde.enabled ( not .Values.tde.secretsStoreProvider.enabled ) }}
- name: tde
secret:
secretName: {{ .Values.tde.existingSecret }}
items:
- key: {{ .Values.tde.randomKeyFilename }}
path: {{ .Values.tde.randomKeyFilename }}
- key: {{ .Values.tde.encryptedKeyFilename }}
path: {{ .Values.tde.encryptedKeyFilename }}
defaultMode: 256
{{- else if and .Values.tde.enabled ( .Values.tde.secretsStoreProvider.enabled ) }}
- name: tde
csi:
driver: 'secrets-store.csi.k8s.io'
readOnly: true
volumeAttributes:
secretProviderClass: {{ include "mariadb.tde.secretProviderClassName" . }}
{{- end }}
{{- if .Values.primary.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumes "context" $) | nindent 8 }}
{{- end }}
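Review bot: when `tde.enabled` is true and `tde.secretsStoreProvider.enabled` is false but `tde.existingSecret` is left at its default `""`, this renders `secretName:` with an empty value and the pod fails at volume setup with an unhelpful kubelet error; wrap it as `secretName: {{ required "tde.existingSecret is required when tde.enabled is true and tde.secretsStoreProvider.enabled is false" .Values.tde.existingSecret }}` (or add the check to the chart's validation helpers) so `helm install` fails with a clear message instead.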

View File

@@ -311,6 +311,10 @@ spec:
- name: cert
mountPath: /opt/bitnami/mariadb/certs
{{- end }}
{{- if .Values.tde.enabled }}
- name: tde
mountPath: /opt/bitnami/mariadb/tde
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ include "mariadb.metrics.image" . }}
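Review bot: same as on the primary StatefulSet, the `tde` volumeMount should carry `readOnly: true` so the key files are read-only from the container's point of view regardless of whether the volume is the secret or the CSI variant.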
@@ -402,6 +406,24 @@ spec:
secretName: {{ include "mariadb.tlsSecretName" . }}
defaultMode: 256
{{- end }}
{{- if and .Values.tde.enabled ( not .Values.tde.secretsStoreProvider.enabled ) }}
- name: tde
secret:
secretName: {{ .Values.tde.existingSecret }}
items:
- key: {{ .Values.tde.randomKeyFilename }}
path: {{ .Values.tde.randomKeyFilename }}
- key: {{ .Values.tde.encryptedKeyFilename }}
path: {{ .Values.tde.encryptedKeyFilename }}
defaultMode: 256
{{- else if and .Values.tde.enabled ( .Values.tde.secretsStoreProvider.enabled ) }}
- name: tde
csi:
driver: 'secrets-store.csi.k8s.io'
readOnly: true
volumeAttributes:
secretProviderClass: {{ include "mariadb.tde.secretProviderClassName" . }}
{{- end }}
- name: empty-dir
emptyDir: {}
{{- if .Values.secondary.extraVolumes }}
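Review bot: this 18-line volume block is a verbatim copy of the one in the primary StatefulSet, including the missing `required` guard on `tde.existingSecret`; factor it into a named template (for example `mariadb.tde.volume` next to `mariadb.tde.secretProviderClassName` in `_helpers.tpl`) so the validation and any future changes to the CSI attributes happen in one place.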

View File

@@ -0,0 +1,37 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.tde.enabled ( .Values.tde.secretsStoreProvider.enabled ) }}
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: {{ include "mariadb.tde.secretProviderClassName" . | quote }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: mariadb
app.kubernetes.io/component: mariadb
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
provider: {{ .Values.tde.secretsStoreProvider.provider }}
parameters:
roleName: {{ .Values.tde.secretsStoreProvider.vault.roleName | quote }}
{{- if .Values.tde.secretsStoreProvider.vault.address }}
vaultAddress: {{ .Values.tde.secretsStoreProvider.vault.address | quote }}
{{- end }}
{{- if .Values.tde.secretsStoreProvider.vault.authMountPath }}
vaultAuthMountPath: {{ .Values.tde.secretsStoreProvider.vault.authMountPath | quote }}
{{- end }}
objects: |
- objectName: {{ .Values.tde.randomKeyFilename | quote }}
secretPath: {{ .Values.tde.secretsStoreProvider.vault.randomKeySecretPath | quote }}
secretKey: {{ .Values.tde.secretsStoreProvider.vault.randomKeySecretKey | quote }}
encoding: "base64"
- objectName: {{ .Values.tde.encryptedKeyFilename | quote }}
secretPath: {{ .Values.tde.secretsStoreProvider.vault.encryptedKeySecretPath | quote }}
secretKey: {{ .Values.tde.secretsStoreProvider.vault.encryptedKeySecretKey | quote }}
encoding: "base64"
{{- end }}
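Review bot: `roleName` is rendered unconditionally, so with the default `tde.secretsStoreProvider.vault.roleName: ""` the SecretProviderClass is created with `roleName: ""` and the failure only surfaces when the kubelet tries to mount the volume; guard it with `required`, and do the same for the four `*SecretPath` / `*SecretKey` values, which also default to `""` and are rendered into `objects` as empty strings. Also, `provider` is taken from values but every parameter in `spec.parameters` is Vault-specific; since the README documents `vault` as the only allowed value, either hardcode `provider: vault` or `fail` on anything else.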

File diff suppressed because it is too large

View File

@@ -215,6 +215,58 @@ tls:
duration: 2160h
renewBefore: 360h
## @section Transparent Data Encryption parameters
## ref: https://mariadb.com/kb/en/file-key-management-encryption-plugin/
##
## @param tde.enabled Enable Transparent Data Encryption using the File Key Management Encryption Plugin for MariaDB
## @param tde.existingSecret Existing secret that contains Transparent Data Encryption key files used when secretsStoreProvider is not enabled
## @param tde.randomKeyFilename File name of the 'random keyfile' when it is different from the default (keyfile.key), is also used for key name in the existingSecret
## @param tde.encryptedKeyFilename File name of the 'encrypted keyfile' when it is different from the default (keyfile.enc), is also used for key name in the existingSecret
## @param tde.fileKeyManagementEncryptionAlgorithm Encryption algorithm used for encrypting data (allowed values: AES_CTR, AES_CBC | default: AES_CTR)
## @param tde.innodbEncryptTables Enables automatic encryption of all InnoDB tablespaces (allowed values: FORCE, ON, OFF | default: FORCE)
## @param tde.innodbEncryptLog Enables encryption of the InnoDB redo log (allowed values: ON, OFF | default: ON)
## @param tde.innodbEncryptTemporaryTables Enables automatic encryption of the InnoDB temporary tablespace (allowed values: ON, OFF | default: ON)
## @param tde.innodbEncryptionThreads Number of threads to use for encryption (default: 4)
## @param tde.encryptTmpDiskTables Enables automatic encryption of all internal on-disk temporary tables that are created during query execution (allowed values: ON, OFF | default: ON)
## @param tde.encryptTmpTiles Enables automatic encryption of temporary files, such as those created for filesort operations, binary log file caches, etc. (allowed values: ON, OFF | default: ON)
## @param tde.encryptBINLOG Enables encrypting binary logs including relay logs (allowed values: ON, OFF | default: ON)
## @param tde.ariaEncryptTables Enables automatic encryption of all Aria tablespaces (allowed values: ON, OFF | default: ON)
##
tde:
enabled: false
existingSecret: ""
randomKeyFilename: keyfile.key
encryptedKeyFilename: keyfile.enc
fileKeyManagementEncryptionAlgorithm: AES_CTR
innodbEncryptTables: FORCE
innodbEncryptLog: "ON"
innodbEncryptTemporaryTables: "ON"
encryptTmpDiskTables: "ON"
encryptTmpTiles: "ON"
encryptBINLOG: "ON"
ariaEncryptTables: "ON"
innodbEncryptionThreads: 4
## @param tde.secretsStoreProvider.enabled Enable use of secrets store provider for Transparent Data Encryption key files
## @param tde.secretsStoreProvider.provider Type of provider used in secrets store provider class (allowed values: vault)
secretsStoreProvider:
enabled: false
provider: vault
## @param tde.secretsStoreProvider.vault.roleName The name of the HashiCorp Vault role used for accessing the key files (only for `vault` provider)
## @param tde.secretsStoreProvider.vault.address The URL of the HashiCorp Vault server (only for `vault` provider)
## @param tde.secretsStoreProvider.vault.authMountPath The HashiCorp Vault auth mount path (only for `vault` provider)
## @param tde.secretsStoreProvider.vault.randomKeySecretPath The HashiCorp Vault secret path for the 'random keyfile' (only for `vault` provider)
## @param tde.secretsStoreProvider.vault.randomKeySecretKey The HashiCorp Vault secret key for the 'random keyfile' (only for `vault` provider)
## @param tde.secretsStoreProvider.vault.encryptedKeySecretPath The HashiCorp Vault secret path for the 'encrypted keyfile' (only for `vault` provider)
## @param tde.secretsStoreProvider.vault.encryptedKeySecretKey The HashiCorp Vault secret key for the 'encrypted keyfile' (only for `vault` provider)
vault:
roleName: ""
address: ""
authMountPath: ""
randomKeySecretPath: ""
randomKeySecretKey: ""
encryptedKeySecretPath: ""
encryptedKeySecretKey: ""
## @section MariaDB Primary parameters
##
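Review bot: `encryptTmpTiles` (in both the `@param` comment and the key) is a typo for `encryptTmpFiles`; it feeds `encrypt_tmp_files` in the my.cnf block. Keeping `"ON"` / `"OFF"` quoted is correct, because Helm's YAML parser follows YAML 1.1 and turns a bare `ON` into boolean `true`, which would render as `innodb_encrypt_log=true` instead of `ON`; add a comment above those keys saying the quotes are mandatory so users copying them into their own values file keep them. The allowed values listed in the `@param` comments (`FORCE`, `ON`, `OFF`, `AES_CTR`, `AES_CBC`) should also be enforced with an `enum` in values.schema.json rather than only in the description.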
@@ -273,6 +325,21 @@ primary:
ssl_ca={{ include "mariadb.tlsCACert" . }}
{{- end }}
{{- end }}
{{- if .Values.tde.enabled }}
plugin_load_add=file_key_management
file_key_management_filename=/opt/bitnami/mariadb/tde/{{ .Values.tde.encryptedKeyFilename }}
file_key_management_filekey=FILE:/opt/bitnami/mariadb/tde/{{ .Values.tde.randomKeyFilename }}
file_key_management_encryption_algorithm={{ .Values.tde.fileKeyManagementEncryptionAlgorithm }}
innodb_encrypt_tables={{ .Values.tde.innodbEncryptTables }}
innodb_encrypt_log={{ .Values.tde.innodbEncryptLog }}
innodb_encrypt_temporary_tables={{ .Values.tde.innodbEncryptTemporaryTables }}
innodb_encryption_threads={{ .Values.tde.innodbEncryptionThreads }}
encrypt_tmp_disk_tables={{ .Values.tde.encryptTmpDiskTables }}
encrypt_tmp_files={{ .Values.tde.encryptTmpTiles }}
encrypt_binlog={{ .Values.tde.encryptBINLOG }}
aria_encrypt_tables={{ .Values.tde.ariaEncryptTables }}
{{- end }}
[client]
port=3306
socket=/opt/bitnami/mariadb/tmp/mysql.sock
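Review bot: this hunk adds the `file_key_management` plugin block only to `primary.configuration`, yet the secondary StatefulSet mounts the `tde` volume as well; the same block needs to be in `secondary.configuration` (not visible in this diff), otherwise replicas hold the keys but write their tablespaces, redo log and relay logs unencrypted. Also worth a comment next to `innodb_encrypt_tables=FORCE`: with that default, `CREATE TABLE ... ENCRYPTED=NO` is rejected, so applications that create explicitly unencrypted tables start failing the moment TDE is enabled.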