From 898fff4a3073f29bf50cd061d8d0c8879a6e0885 Mon Sep 17 00:00:00 2001
From: Mikael Bergemalm
Date: Fri, 4 Dec 2020 13:36:07 +0100
Subject: [PATCH] [bitnami/mariadb] Support Vault secrets (#4600)

Add support for using custom password files. Example usecase is Hashicorp Vault.

Signed-off-by: Mikael Bergemalm
---
 bitnami/mariadb/Chart.yaml | 2 +-
 bitnami/mariadb/README.md | 1 +
 bitnami/mariadb/templates/NOTES.txt | 6 ++++--
 bitnami/mariadb/templates/_helpers.tpl | 2 +-
 bitnami/mariadb/templates/primary/statefulset.yaml | 14 +++++++-------
 .../mariadb/templates/secondary/statefulset.yaml | 12 ++++++------
 bitnami/mariadb/templates/secrets.yaml | 2 +-
 bitnami/mariadb/values-production.yaml | 8 +++++++-
 bitnami/mariadb/values.yaml | 8 +++++++-
 9 files changed, 35 insertions(+), 20 deletions(-)

diff --git a/bitnami/mariadb/Chart.yaml b/bitnami/mariadb/Chart.yaml
index e689009aa0..d113d069c3 100644
--- a/bitnami/mariadb/Chart.yaml
+++ b/bitnami/mariadb/Chart.yaml
@@ -26,4 +26,4 @@ sources:
 - https://github.com/bitnami/bitnami-docker-mariadb
 - https://github.com/prometheus/mysqld_exporter
 - https://mariadb.org
-version: 9.0.1
+version: 9.1.1
diff --git a/bitnami/mariadb/README.md b/bitnami/mariadb/README.md
index 0ea49695ad..baa9950e19 100644
--- a/bitnami/mariadb/README.md
+++ b/bitnami/mariadb/README.md
@@ -86,6 +86,7 @@ The following table lists the configurable parameters of the MariaDB chart and t
 | `auth.replicationPassword` | MariaDB replication user password. Ignored if existing secret is provided | _random 10 character long alphanumeric string_ |
 | `auth.forcePassword` | Force users to specify required passwords | `false` |
 | `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `false` |
+| `auth.customPasswordFiles` | Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` | `nil` |
 | `auth.existingSecret` | Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` | `nil` |
 | `initdbScripts` | Dictionary of initdb scripts | `nil` |
 | `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `nil` |
diff --git a/bitnami/mariadb/templates/NOTES.txt b/bitnami/mariadb/templates/NOTES.txt
index 7f61cef237..efb41933d3 100644
--- a/bitnami/mariadb/templates/NOTES.txt
+++ b/bitnami/mariadb/templates/NOTES.txt
@@ -44,5 +44,7 @@ To upgrade this helm chart:
 {{- include "common.warnings.rollingTag" .Values.image }}
 {{- include "common.warnings.rollingTag" .Values.metrics.image }}
 {{- include "mariadb.validateValues" . }}
-{{- $passwordValidationErrors := include "common.validations.values.mariadb.passwords" (dict "secret" (include "common.names.fullname" .) "context" $) -}}
-{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}}
+{{- if not .Values.auth.customPasswordFiles -}}
+ {{- $passwordValidationErrors := include "common.validations.values.mariadb.passwords" (dict "secret" (include "common.names.fullname" .) "context" $) -}}
+ {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}}
+{{- end }}
diff --git a/bitnami/mariadb/templates/_helpers.tpl b/bitnami/mariadb/templates/_helpers.tpl
index 5978701b3c..4a8bf7fae7 100644
--- a/bitnami/mariadb/templates/_helpers.tpl
+++ b/bitnami/mariadb/templates/_helpers.tpl
@@ -120,7 +120,7 @@ Return the secret with MariaDB credentials
 Return true if a secret object should be created for MariaDB
 */}}
 {{- define "mariadb.createSecret" -}}
-{{- if not .Values.auth.existingSecret }}
+{{- if and (not .Values.auth.existingSecret) (not .Values.auth.customPasswordFiles) }}
 {{- true -}}
 {{- else -}}
 {{- end -}}
diff --git a/bitnami/mariadb/templates/primary/statefulset.yaml b/bitnami/mariadb/templates/primary/statefulset.yaml
index 8f2fe37298..61739c7480 100644
--- a/bitnami/mariadb/templates/primary/statefulset.yaml
+++ b/bitnami/mariadb/templates/primary/statefulset.yaml
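Review bot: `mariadb.createSecret` now returns nothing whenever `auth.customPasswordFiles` is non-empty, but it never looks at `auth.usePasswordFiles`; with `usePasswordFiles: false` the statefulsets still take their `{{- else }}` branch that reads `MARIADB_ROOT_PASSWORD` via `secretKeyRef` (visible in the primary @@ -107 hunk), so that branch would reference a Secret the chart no longer renders. Tie the suppression to both flags, `{{- if and (not .Values.auth.existingSecret) (not (and .Values.auth.usePasswordFiles .Values.auth.customPasswordFiles)) }}`, or have `mariadb.validateValues` reject `customPasswordFiles` without `usePasswordFiles` so the render fails with a clear message instead. The NOTES.txt hunk above has the same gap: it skips the empty-password validation on `customPasswordFiles` alone, which also silences the upgrade check in the env-var mode. The rest of the `createSecret` define (its closing `{{- end -}}`) lies outside the hunk.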
@@ -107,7 +107,7 @@ spec:
 value: {{ ternary "true" "false" .Values.image.debug | quote }}
 {{- if .Values.auth.usePasswordFiles }}
 - name: MARIADB_ROOT_PASSWORD_FILE
- value: "/opt/bitnami/mariadb/secrets/mariadb-root-password"
+ value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }}
 {{- else }}
 - name: MARIADB_ROOT_PASSWORD
 valueFrom:
@@ -120,7 +120,7 @@ spec:
 value: {{ .Values.auth.username | quote }}
 {{- if .Values.auth.usePasswordFiles }}
 - name: MARIADB_PASSWORD_FILE
- value: "/opt/bitnami/mariadb/secrets/mariadb-password"
+ value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-password" .Values.auth.customPasswordFiles.user }}
 {{- else }}
 - name: MARIADB_PASSWORD
 valueFrom:
@@ -138,7 +138,7 @@ spec:
 value: {{ .Values.auth.replicationUser | quote }}
 {{- if .Values.auth.usePasswordFiles }}
 - name: MARIADB_REPLICATION_PASSWORD_FILE
- value: "/opt/bitnami/mariadb/secrets/mariadb-replication-password"
+ value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-replication-password" .Values.auth.customPasswordFiles.replicator }}
 {{- else }}
 - name: MARIADB_REPLICATION_PASSWORD
 valueFrom:
@@ -213,7 +213,7 @@ spec:
 mountPath: /opt/bitnami/mariadb/conf/my.cnf
 subPath: my.cnf
 {{- end }}
- {{- if .Values.auth.usePasswordFiles }}
+ {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
 - name: mariadb-credentials
 mountPath: /opt/bitnami/mariadb/secrets/
 {{- end }}
@@ -227,7 +227,7 @@ spec:
 env:
 {{- if .Values.auth.usePasswordFiles }}
 - name: MARIADB_ROOT_PASSWORD_FILE
- value: "/opt/bitnami/mysqld-exporter/secrets/mariadb-root-password"
+ value: {{ default "/opt/bitnami/mysqld-exporter/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }}
 {{- else }}
 - name: MARIADB_ROOT_PASSWORD
 valueFrom:
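Review bot: The new `value:` line emits the `default …` result as a plain scalar, whereas the line it replaces was a quoted string; a user-supplied path containing `: ` or ` #`, or starting with a YAML indicator, would corrupt the rendered manifest, and an env `value` has to be a string in any case. Pipe the result through `quote`, as the neighbouring `value: {{ .Values.auth.username | quote }}` already does: `value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root | quote }}`. The same applies to the @@ -120, @@ -138 and @@ -227 hunks of this file and to the @@ -116, @@ -128 and @@ -212 hunks of secondary/statefulset.yaml.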
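Review bot: The `mariadb-credentials` mount in the @@ -213 hunk (and the volume in the @@ -282 hunk) is now dropped as soon as `customPasswordFiles` is non-empty, but the env lines above fall back to the chart's `/opt/bitnami/mariadb/secrets/...` paths for any key the user left unset, so a values file that defines only `root` leaves `MARIADB_PASSWORD_FILE` pointing at a file nothing mounts. Nothing in the chart validates the map; add a check to `mariadb.validateValues` that fails the render when `customPasswordFiles` is set without `root` and `user` (and `replicator` when `architecture` is `replication`), which is what the README row already promises. The exporter sidecar (@@ -227) reuses `customPasswordFiles.root` as well, which presumably relies on whatever injects the file mounting it into every container of the pod — worth stating next to the value. The enclosing container spec starts before this hunk. The same mount condition appears in the @@ -198, @@ -247 and @@ -262 hunks of secondary/statefulset.yaml.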
@@ -262,7 +262,7 @@ spec:
 {{- if .Values.metrics.resources }}
 resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
 {{- end }}
- {{- if .Values.auth.usePasswordFiles }}
+ {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
 volumeMounts:
 - name: mariadb-credentials
 mountPath: /opt/bitnami/mysqld-exporter/secrets/
@@ -282,7 +282,7 @@ spec:
 configMap:
 name: {{ template "mariadb.initdbScriptsCM" . }}
 {{- end }}
- {{- if .Values.auth.usePasswordFiles }}
+ {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
 - name: mariadb-credentials
 secret:
 secretName: {{ template "mariadb.secretName" . }}
diff --git a/bitnami/mariadb/templates/secondary/statefulset.yaml b/bitnami/mariadb/templates/secondary/statefulset.yaml
index 32babb27fb..b32b94ea89 100644
--- a/bitnami/mariadb/templates/secondary/statefulset.yaml
+++ b/bitnami/mariadb/templates/secondary/statefulset.yaml
@@ -116,7 +116,7 @@ spec:
 value: "root"
 {{- if .Values.auth.usePasswordFiles }}
 - name: MARIADB_MASTER_ROOT_PASSWORD_FILE
- value: "/opt/bitnami/mariadb/secrets/mariadb-root-password"
+ value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }}
 {{- else }}
 - name: MARIADB_MASTER_ROOT_PASSWORD
 valueFrom:
@@ -128,7 +128,7 @@ spec:
 value: {{ .Values.auth.replicationUser | quote }}
 {{- if .Values.auth.usePasswordFiles }}
 - name: MARIADB_REPLICATION_PASSWORD_FILE
- value: "/opt/bitnami/mariadb/secrets/mariadb-replication-password"
+ value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-replication-password" .Values.auth.customPasswordFiles.replicator }}
 {{- else }}
 - name: MARIADB_REPLICATION_PASSWORD
 valueFrom:
@@ -198,7 +198,7 @@ spec:
 mountPath: /opt/bitnami/mariadb/conf/my.cnf
 subPath: my.cnf
 {{- end }}
- {{- if .Values.auth.usePasswordFiles }}
+ {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
 - name: mariadb-credentials
 mountPath: /opt/bitnami/mariadb/secrets/
 {{- end }}
@@ -212,7 +212,7 @@ spec:
 env:
 {{- if .Values.auth.usePasswordFiles }}
 - name: MARIADB_ROOT_PASSWORD_FILE
- value: "/opt/bitnami/mysqld-exporter/secrets/mariadb-root-password"
+ value: {{ default "/opt/bitnami/mysqld-exporter/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }}
 {{- else }}
 - name: MARIADB_ROOT_PASSWORD
 valueFrom:
@@ -247,7 +247,7 @@ spec:
 {{- if .Values.metrics.resources }}
 resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
 {{- end }}
- {{- if .Values.auth.usePasswordFiles }}
+ {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
 volumeMounts:
 - name: mariadb-credentials
 mountPath: /opt/bitnami/mysqld-exporter/secrets/
@@ -262,7 +262,7 @@ spec:
 configMap:
 name: {{ include "mariadb.secondary.configmapName" . }}
 {{- end }}
- {{- if .Values.auth.usePasswordFiles }}
+ {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
 - name: mariadb-credentials
 secret:
 secretName: {{ template "mariadb.secretName" . }}
diff --git a/bitnami/mariadb/templates/secrets.yaml b/bitnami/mariadb/templates/secrets.yaml
index d69573d835..1d08e2cbf8 100644
--- a/bitnami/mariadb/templates/secrets.yaml
+++ b/bitnami/mariadb/templates/secrets.yaml
@@ -1,4 +1,4 @@
-{{- if (include "mariadb.createSecret" .) }}
+{{- if eq (include "mariadb.createSecret" .) "true" }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/bitnami/mariadb/values-production.yaml b/bitnami/mariadb/values-production.yaml
index 70b2572580..0ade50af10 100644
--- a/bitnami/mariadb/values-production.yaml
+++ b/bitnami/mariadb/values-production.yaml
@@ -87,9 +87,15 @@ auth:
 ## Force users to specify required passwords
 ##
 forcePassword: true
- ## Mount credentials as a files instead of using an environment variable
+ ## Mount credentials as files instead of using an environment variable
 ##
 usePasswordFiles: true
+ ## Use custom secret files other than chart provided when usePasswordFiles is set to "true"
+ ##
+ customPasswordFiles: {}
+ # root: /vault/secrets/mariadb-root
+ # user: /vault/secrets/mariadb-user
+ # replicator: /vault/secrets/mariadb-replicator
 
 ## initdb scripts
 ## Specify dictionary of scripts to be run at first boot
diff --git a/bitnami/mariadb/values.yaml b/bitnami/mariadb/values.yaml
index 5861e21f07..ffee3bde8c 100644
--- a/bitnami/mariadb/values.yaml
+++ b/bitnami/mariadb/values.yaml
@@ -87,9 +87,15 @@ auth:
 ## Force users to specify required passwords
 ##
 forcePassword: false
- ## Mount credentials as a files instead of using an environment variable
+ ## Mount credentials as files instead of using an environment variable
 ##
 usePasswordFiles: false
+ ## Use custom secret files other than chart provided when usePasswordFiles is set to "true"
+ ##
+ customPasswordFiles: {}
+ # root: /vault/secrets/mariadb-root
+ # user: /vault/secrets/mariadb-user
+ # replicator: /vault/secrets/mariadb-replicator
 
 ## initdb scripts
 ## Specify dictionary of scripts to be run at first boot
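Review bot: The comment added above `customPasswordFiles` says only that the files replace the chart-provided ones; it does not say that every key is required, what happens when one is missing, or who is expected to place the files in the pod, and the commented `/vault/secrets/...` examples are the only hint. I would expand it to something like `## Paths to password files supplied by an external mechanism (e.g. an agent sidecar); used only when usePasswordFiles is true.` / `## Set root and user (and replicator when architecture is replication): keys left unset fall back to chart paths that are not mounted in this mode.` The values-production.yaml hunk above carries the identical comment and should get the same text.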