[bitnami/mariadb] Support Vault secrets (#4600)
Add support for using custom password files. An example use case is HashiCorp Vault. Signed-off-by: Mikael Bergemalm <mbergemalm@gmail.com>
@@ -26,4 +26,4 @@ sources:
|
||||
- https://github.com/bitnami/bitnami-docker-mariadb
|
||||
- https://github.com/prometheus/mysqld_exporter
|
||||
- https://mariadb.org
|
||||
version: 9.0.1
|
||||
version: 9.1.1
|
||||
|
||||
@@ -86,6 +86,7 @@ The following table lists the configurable parameters of the MariaDB chart and t
|
||||
| `auth.replicationPassword` | MariaDB replication user password. Ignored if existing secret is provided | _random 10 character long alphanumeric string_ |
|
||||
| `auth.forcePassword` | Force users to specify required passwords | `false` |
|
||||
| `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `false` |
|
||||
| `auth.customPasswordFiles` | Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` | `nil` |
|
||||
| `auth.existingSecret` | Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` | `nil` |
|
||||
| `initdbScripts` | Dictionary of initdb scripts | `nil` |
|
||||
| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `nil` |
|
||||
|
||||
@@ -44,5 +44,7 @@ To upgrade this helm chart:
|
||||
{{- include "common.warnings.rollingTag" .Values.image }}
|
||||
{{- include "common.warnings.rollingTag" .Values.metrics.image }}
|
||||
{{- include "mariadb.validateValues" . }}
|
||||
{{- $passwordValidationErrors := include "common.validations.values.mariadb.passwords" (dict "secret" (include "common.names.fullname" .) "context" $) -}}
|
||||
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}}
|
||||
{{- if not .Values.auth.customPasswordFiles -}}
|
||||
{{- $passwordValidationErrors := include "common.validations.values.mariadb.passwords" (dict "secret" (include "common.names.fullname" .) "context" $) -}}
|
||||
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}}
|
||||
{{- end }}
|
||||
|
||||
@@ -120,7 +120,7 @@ Return the secret with MariaDB credentials
|
||||
Return true if a secret object should be created for MariaDB
|
||||
*/}}
|
||||
{{- define "mariadb.createSecret" -}}
|
||||
{{- if not .Values.auth.existingSecret }}
|
||||
{{- if and (not .Values.auth.existingSecret) (not .Values.auth.customPasswordFiles) }}
|
||||
{{- true -}}
|
||||
{{- else -}}
|
||||
{{- end -}}
|
||||
|
||||
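Review bot: The new condition in `mariadb.createSecret` tests `auth.customPasswordFiles` on its own, so a release that sets it while `auth.usePasswordFiles` is `false` gets no chart Secret, although the `else` branches in the statefulset hunks still fill the password variables through `valueFrom` (presumably a reference to that Secret), and the pod would then fail to start. The guard added to NOTES.txt has the same shape and skips the upgrade password check in that configuration. Tying both to file mode avoids this: `{{- if and (not .Values.auth.existingSecret) (not (and .Values.auth.usePasswordFiles .Values.auth.customPasswordFiles)) }}`. The `define` block is closed outside this hunk.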
@@ -107,7 +107,7 @@ spec:
|
||||
value: {{ ternary "true" "false" .Values.image.debug | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: MARIADB_ROOT_PASSWORD_FILE
|
||||
value: "/opt/bitnami/mariadb/secrets/mariadb-root-password"
|
||||
value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }}
|
||||
{{- else }}
|
||||
- name: MARIADB_ROOT_PASSWORD
|
||||
valueFrom:
|
||||
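Review bot: The `default` fallback on the `*_PASSWORD_FILE` values points at `/opt/bitnami/mariadb/secrets/...`, but the later hunks stop mounting `mariadb-credentials` as soon as `auth.customPasswordFiles` has any key, so a map that sets only `root` leaves `MARIADB_PASSWORD_FILE` aimed at a path that is never mounted. A check in `mariadb.validateValues` that `root` and `user` (and `replicator` for replication) are all present whenever the map is non-empty would fail the render instead of the container start. The value is also emitted unquoted where the literal it replaces was quoted and neighbouring values use `| quote`; `value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root | quote }}` keeps a user-supplied path a YAML string. The same applies to the metrics container and to the secondary statefulset hunks.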
@@ -120,7 +120,7 @@ spec:
|
||||
value: {{ .Values.auth.username | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: MARIADB_PASSWORD_FILE
|
||||
value: "/opt/bitnami/mariadb/secrets/mariadb-password"
|
||||
value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-password" .Values.auth.customPasswordFiles.user }}
|
||||
{{- else }}
|
||||
- name: MARIADB_PASSWORD
|
||||
valueFrom:
|
||||
@@ -138,7 +138,7 @@ spec:
|
||||
value: {{ .Values.auth.replicationUser | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: MARIADB_REPLICATION_PASSWORD_FILE
|
||||
value: "/opt/bitnami/mariadb/secrets/mariadb-replication-password"
|
||||
value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-replication-password" .Values.auth.customPasswordFiles.replicator }}
|
||||
{{- else }}
|
||||
- name: MARIADB_REPLICATION_PASSWORD
|
||||
valueFrom:
|
||||
@@ -213,7 +213,7 @@ spec:
|
||||
mountPath: /opt/bitnami/mariadb/conf/my.cnf
|
||||
subPath: my.cnf
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
{{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
|
||||
- name: mariadb-credentials
|
||||
mountPath: /opt/bitnami/mariadb/secrets/
|
||||
{{- end }}
|
||||
@@ -227,7 +227,7 @@ spec:
|
||||
env:
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: MARIADB_ROOT_PASSWORD_FILE
|
||||
value: "/opt/bitnami/mysqld-exporter/secrets/mariadb-root-password"
|
||||
value: {{ default "/opt/bitnami/mysqld-exporter/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }}
|
||||
{{- else }}
|
||||
- name: MARIADB_ROOT_PASSWORD
|
||||
valueFrom:
|
||||
@@ -262,7 +262,7 @@ spec:
|
||||
{{- if .Values.metrics.resources }}
|
||||
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
{{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
|
||||
volumeMounts:
|
||||
- name: mariadb-credentials
|
||||
mountPath: /opt/bitnami/mysqld-exporter/secrets/
|
||||
@@ -282,7 +282,7 @@ spec:
|
||||
configMap:
|
||||
name: {{ template "mariadb.initdbScriptsCM" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
{{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
|
||||
- name: mariadb-credentials
|
||||
secret:
|
||||
secretName: {{ template "mariadb.secretName" . }}
|
||||
|
||||
@@ -116,7 +116,7 @@ spec:
|
||||
value: "root"
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: MARIADB_MASTER_ROOT_PASSWORD_FILE
|
||||
value: "/opt/bitnami/mariadb/secrets/mariadb-root-password"
|
||||
value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }}
|
||||
{{- else }}
|
||||
- name: MARIADB_MASTER_ROOT_PASSWORD
|
||||
valueFrom:
|
||||
@@ -128,7 +128,7 @@ spec:
|
||||
value: {{ .Values.auth.replicationUser | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: MARIADB_REPLICATION_PASSWORD_FILE
|
||||
value: "/opt/bitnami/mariadb/secrets/mariadb-replication-password"
|
||||
value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-replication-password" .Values.auth.customPasswordFiles.replicator }}
|
||||
{{- else }}
|
||||
- name: MARIADB_REPLICATION_PASSWORD
|
||||
valueFrom:
|
||||
@@ -198,7 +198,7 @@ spec:
|
||||
mountPath: /opt/bitnami/mariadb/conf/my.cnf
|
||||
subPath: my.cnf
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
{{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
|
||||
- name: mariadb-credentials
|
||||
mountPath: /opt/bitnami/mariadb/secrets/
|
||||
{{- end }}
|
||||
@@ -212,7 +212,7 @@ spec:
|
||||
env:
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: MARIADB_ROOT_PASSWORD_FILE
|
||||
value: "/opt/bitnami/mysqld-exporter/secrets/mariadb-root-password"
|
||||
value: {{ default "/opt/bitnami/mysqld-exporter/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }}
|
||||
{{- else }}
|
||||
- name: MARIADB_ROOT_PASSWORD
|
||||
valueFrom:
|
||||
@@ -247,7 +247,7 @@ spec:
|
||||
{{- if .Values.metrics.resources }}
|
||||
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
{{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
|
||||
volumeMounts:
|
||||
- name: mariadb-credentials
|
||||
mountPath: /opt/bitnami/mysqld-exporter/secrets/
|
||||
@@ -262,7 +262,7 @@ spec:
|
||||
configMap:
|
||||
name: {{ include "mariadb.secondary.configmapName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
{{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
|
||||
- name: mariadb-credentials
|
||||
secret:
|
||||
secretName: {{ template "mariadb.secretName" . }}
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- if (include "mariadb.createSecret" .) }}
|
||||
{{- if eq (include "mariadb.createSecret" .) "true" }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
|
||||
@@ -87,9 +87,15 @@ auth:
|
||||
## Force users to specify required passwords
|
||||
##
|
||||
forcePassword: true
|
||||
## Mount credentials as a files instead of using an environment variable
|
||||
## Mount credentials as files instead of using an environment variable
|
||||
##
|
||||
usePasswordFiles: true
|
||||
## Use custom secret files other than chart provided when usePasswordFiles is set to "true"
|
||||
##
|
||||
customPasswordFiles: {}
|
||||
# root: /vault/secrets/mariadb-root
|
||||
# user: /vault/secrets/mariadb-user
|
||||
# replicator: /vault/secrets/mariadb-replicator
|
||||
|
||||
## initdb scripts
|
||||
## Specify dictionary of scripts to be run at first boot
|
||||
|
||||
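Review bot: The comment above `customPasswordFiles` does not say that a non-empty map turns off both the chart-managed Secret and the `mariadb-credentials` volume, which is what the `mariadb.createSecret` and statefulset conditions in this commit do. Operators need to know that the files must already be present at those paths in every container that reads them, the metrics exporter included, and ideally readable only by the database user. I would extend it with something like `## When set, the chart neither creates its Secret nor mounts mariadb-credentials; another mechanism (e.g. a Vault agent) must place the files in each container`. The identical block in the following values hunk needs the same text.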
@@ -87,9 +87,15 @@ auth:
|
||||
## Force users to specify required passwords
|
||||
##
|
||||
forcePassword: false
|
||||
## Mount credentials as a files instead of using an environment variable
|
||||
## Mount credentials as files instead of using an environment variable
|
||||
##
|
||||
usePasswordFiles: false
|
||||
## Use custom secret files other than chart provided when usePasswordFiles is set to "true"
|
||||
##
|
||||
customPasswordFiles: {}
|
||||
# root: /vault/secrets/mariadb-root
|
||||
# user: /vault/secrets/mariadb-user
|
||||
# replicator: /vault/secrets/mariadb-replicator
|
||||
|
||||
## initdb scripts
|
||||
## Specify dictionary of scripts to be run at first boot
|
||||
|
||||