

Use init-file to configure mysql crednetials
AMecea committed May 10, 2019
1 parent 40d1d14 commit e5823cb
Showing 6 changed files with 23 additions and 89 deletions.
10 changes: 7 additions & 3 deletions pkg/controller/mysqlcluster/internal/syncer/secret_operated.go
Expand Up @@ -32,6 +32,9 @@ const (
rStrLen = 18
)

// const letters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
// const ascii = letters + "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

// NewOperatedSecretSyncer returns secret syncer
// nolint: gocyclo
func NewOperatedSecretSyncer(c client.Client, scheme *runtime.Scheme, cluster *mysqlcluster.MysqlCluster, opt *options.Options) syncer.Interface {
Expand All @@ -52,7 +55,8 @@ func NewOperatedSecretSyncer(c client.Client, scheme *runtime.Scheme, cluster *m
// the user used for operator to connect to the mysql node for configuration
out.Data["OPERATOR_USER"] = []byte("sys_operator")
if len(out.Data["REPLICATION_PASSWORD"]) == 0 {
random, err := rand.ASCIIString(rStrLen)
// NOTE: use Alpha numeric string because ASCII can generate characters that are not escaped
random, err := rand.AlphaNumericString(rStrLen)
if err != nil {
return err
}
Expand All @@ -62,7 +66,7 @@ func NewOperatedSecretSyncer(c client.Client, scheme *runtime.Scheme, cluster *m
// the user that is used to configure replication between nodes
out.Data["REPLICATION_USER"] = []byte("sys_replication")
if len(out.Data["REPLICATION_PASSWORD"]) == 0 {
random, err := rand.ASCIIString(rStrLen)
random, err := rand.AlphaNumericString(rStrLen)
if err != nil {
return err
}
Expand All @@ -86,7 +90,7 @@ func NewOperatedSecretSyncer(c client.Client, scheme *runtime.Scheme, cluster *m
// the user that is used to serve backups over HTTP
out.Data["BACKUP_USER"] = []byte("sys_backups")
if len(out.Data["BACKUP_PASSWORD"]) == 0 {
random, err := rand.ASCIIString(rStrLen)
random, err := rand.AlphaNumericString(rStrLen)
if err != nil {
return err
}
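Review bot: The guard `if len(out.Data["REPLICATION_PASSWORD"]) == 0` in the second hunk sits inside the block whose comment describes the operator user, so the operator password is only generated when the replication password is empty; this looks like a copy of the replication block and presumably should test `OPERATOR_PASSWORD` — the assignment that follows is outside the hunk, so confirm which key that branch writes. The switch to `rand.AlphaNumericString` sidesteps rather than fixes the quoting problem named in the NOTE: the `len(...) == 0` checks keep any pre-existing value from the secret, so a user-supplied password containing `'` or `\` still reaches whatever builds the SQL text unescaped, and the value should be quoted or escaped at the point of use. The commented-out `letters`/`ascii` constants added at the top of the first hunk are dead code and should be dropped. NewOperatedSecretSyncer continues beyond the hunks shown.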
Expand Up @@ -462,7 +462,7 @@ func (s *sfsSyncer) getEnvSourcesFor(name string) []core.EnvFromSource {
},
})
}
if name == containerSidecarName {
if name == containerSidecarName || name == containerInitName {
envSources = append(envSources, core.EnvFromSource{
SecretRef: &core.SecretEnvSource{
LocalObjectReference: core.LocalObjectReference{
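Review bot: Adding `name == containerInitName` to the condition hands the init container every key of the operated secret as process environment, which judging by the secret syncer in this commit includes the operator, orchestrator, replication, backup and metrics credentials; if the init container only renders the MySQL init-file, it needs the subset written there, and the backup credentials in particular appear unrelated. Consider a dedicated `EnvFromSource`/key list for the init container, or at least document the intent on the condition: `// the init container renders the init-file and needs the same credentials as the sidecar`. getEnvSourcesFor starts before the hunk, and the file path for this section is not shown on the page.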
Expand Up @@ -133,7 +133,7 @@ var _ = Describe("Orchestrator controller", func() {
Expect(c.Status().Update(context.TODO(), cluster.Unwrap())).To(Succeed())

By("wait for a first reconcile event")
// this is a sincronization event
// this is a synchronization event
Eventually(requests, 4*time.Second).Should(Receive(Equal(expectedRequest)))
})

12 changes: 11 additions & 1 deletion pkg/sidecar/appconf.go
Expand Up @@ -131,12 +131,22 @@ func initFileQuery(cfg *Config) []byte {
"SET @@SESSION.SQL_LOG_BIN = 0;",
}

queries = append(queries, createUserQuery(cfg.OperatorUser, cfg.OperatorPassword, "%", []string{"SUPER"}, "*.*"))
// configure operator utility user
queries = append(queries, createUserQuery(cfg.OperatorUser, cfg.OperatorPassword, "%",
//[]string{"SUPER", "SHOW DATABASES", "PROCESS", "RELOAD", "CREATE", "SELECT"}, "*.*",
[]string{"ALL"}, "*.*", // TODO: remove this before commit
[]string{"ALL PRIVILEGES"}, fmt.Sprintf("%s.*", toolsDbName)))

// configure orchestrator user
queries = append(queries, createUserQuery(cfg.OrchestratorUser, cfg.OrchestratorPassword, "%",
[]string{"SUPER", "PROCESS", "REPLICATION SLAVE", "REPLICATION CLIENT", "RELOAD"}, "*.*",
[]string{"SELECT"}, "mysql.slave_master_info"))

// configure replication user
queries = append(queries, createUserQuery(cfg.ReplicationUser, cfg.ReplicationPassword, "%",
[]string{"SELECT", "PROCESS", "RELOAD", "LOCK TABLES", "REPLICATION CLIENT", "REPLICATION SLAVE"}, "*.*"))

// configure metrics exporter user
queries = append(queries, createUserQuery(cfg.MetricsUser, cfg.MetricsPassword, "127.0.0.1",
[]string{"SELECT", "PROCESS", "REPLICATION CLIENT"}, "*.*"))

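Review bot: The line `[]string{"ALL"}, "*.*", // TODO: remove this before commit` ships a debug grant of ALL on *.* to the operator user, overriding the scoped list left as a comment directly above it; the committed code should be `[]string{"SUPER", "SHOW DATABASES", "PROCESS", "RELOAD", "CREATE", "SELECT"}, "*.*",` with the commented line and the TODO removed. Compared with the configure* functions deleted from apphelper.go in this commit, two settings appear to be lost unless createUserQuery adds them: the metrics user no longer carries `WITH MAX_USER_CONNECTIONS 3`, and the orchestrator user no longer receives SELECT on the tools database. The deleted code passed passwords as `?` parameters, whereas this path writes them into an init file; createUserQuery is outside the hunk, so confirm it quotes the password with MySQL string escaping rather than interpolating it, since secret values may be user-supplied. initFileQuery starts before the hunk.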
84 changes: 2 additions & 82 deletions pkg/sidecar/apphelper.go
Expand Up @@ -47,24 +47,6 @@ func RunSidecarCommand(cfg *Config, stop <-chan struct{}) error {
return fmt.Errorf("failed to configure master node, err: %s", err)
}

// update orchestrator user and password if orchestrator is configured
log.V(1).Info("configure orchestrator credentials")
if err := configureOrchestratorUser(cfg); err != nil {
return err
}

// update replication user and password
log.V(1).Info("configure replication credentials")
if err := configureReplicationUser(cfg); err != nil {
return err
}

// update metrics exporter user and password
log.V(1).Info("configure metrics exporter credentials")
if err := configureExporterUser(cfg); err != nil {
return err
}

// if it's slave set replication source (master host)
log.V(1).Info("configure topology")
if err := configTopology(cfg); err != nil {
Expand All @@ -88,69 +70,6 @@ func RunSidecarCommand(cfg *Config, stop <-chan struct{}) error {
return srv.ListenAndServe()
}

func configureOrchestratorUser(cfg *Config) error {
query := `
SET @@SESSION.SQL_LOG_BIN = 0;
CREATE USER IF NOT EXISTS ?@'%%';
ALTER USER ?@'%%' IDENTIFIED BY ?;
GRANT SUPER, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT, RELOAD ON *.* TO ?@'%%';
GRANT SELECT ON %s.* TO ?@'%%';
GRANT SELECT ON mysql.slave_master_info TO ?@'%%';
`

// insert toolsDBName, it's not user input so it's safe. Can't use
// placeholders for table names, see:
// https://github.com/golang/go/issues/18478
query = fmt.Sprintf(query, toolsDbName)

user := cfg.OrchestratorUser
pass := cfg.OrchestratorPassword
if err := runQuery(cfg, query, user, user, pass, user, user, user); err != nil {
return fmt.Errorf("failed to configure orchestrator (user/pass/access), err: %s", err)
}

return nil
}

func configureReplicationUser(cfg *Config) error {
query := `
SET @@SESSION.SQL_LOG_BIN = 0;
CREATE USER IF NOT EXISTS ?@'%';
ALTER USER ?@'%' IDENTIFIED BY ?;
GRANT SELECT, PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT, REPLICATION SLAVE ON *.* TO ?@'%';
`
user := cfg.ReplicationUser
pass := cfg.ReplicationPassword
if err := runQuery(cfg, query, user, user, pass, user); err != nil {
return fmt.Errorf("failed to configure replication user: %s", err)
}

return nil
}

func configureExporterUser(cfg *Config) error {
query := `
SET @@SESSION.SQL_LOG_BIN = 0;
CREATE USER IF NOT EXISTS ?@'127.0.0.1';
ALTER USER ?@'127.0.0.1' IDENTIFIED BY ? WITH MAX_USER_CONNECTIONS 3;
GRANT SELECT, PROCESS, REPLICATION CLIENT ON *.* TO ?@'127.0.0.1';
`

user := cfg.MetricsUser
pass := cfg.MetricsPassword
if err := runQuery(cfg, query, user, user, pass, user); err != nil {
return fmt.Errorf("failed to metrics exporter user: %s", err)
}

return nil
}

func waitForMysqlReady(cfg *Config) error {
log.V(1).Info("wait for mysql to be ready")

Expand All @@ -175,7 +94,8 @@ func configReadOnly(cfg *Config) error {
if cfg.NodeRole() == MasterNode {
query = "SET GLOBAL READ_ONLY = 0"
} else {
query = "SET GLOBAL SUPER_READ_ONLY = 1"
// TODO: make it super read only - but fix pt-heartbeat problem first
query = "SET GLOBAL READ_ONLY = 1"
}
if err := runQuery(cfg, query); err != nil {
return fmt.Errorf("failed to set read_only config, err: %s", err)
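Review bot: Replacing `SET GLOBAL SUPER_READ_ONLY = 1` with `SET GLOBAL READ_ONLY = 1` on replicas means accounts holding SUPER — the operator and orchestrator users as granted in appconf.go in this commit — can still write to a replica, so protection against divergent writes now depends on those clients behaving; the TODO should state that consequence, e.g. `// TODO: restore SUPER_READ_ONLY once pt-heartbeat works without it; with plain READ_ONLY, SUPER accounts (operator, orchestrator) can still write on replicas`. The removal of configureOrchestratorUser, configureReplicationUser and configureExporterUser in the earlier hunks is pure deletion and needs no comment. configReadOnly starts before the hunk, and the section is truncated below it.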
2 changes: 1 addition & 1 deletion pkg/sidecar/constants.go
Expand Up @@ -61,5 +61,5 @@ const (
// RcloneConfigFile represents the path to the file that contains rclon
// configs. This path should be the same as defined in docker entrypoint
// script from mysql-operator-sidecar/docker-entrypoint.sh. /etc/rclone.conf
rcloneConfigFile = "/etc/rclone.conf"
rcloneConfigFile = "/tmp/rclone.conf"
)
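Review bot: The doc comment above `rcloneConfigFile` still says `/etc/rclone.conf` while the value is now `/tmp/rclone.conf`, and it states the path must match `mysql-operator-sidecar/docker-entrypoint.sh`, which this commit does not show changing — update the last comment line to `// script from mysql-operator-sidecar/docker-entrypoint.sh. /tmp/rclone.conf` and confirm the entrypoint uses the same path. Since this file holds the backup storage credentials, whatever writes it to /tmp should create it with mode 0600 and not reuse a pre-existing file, as /tmp is writable by every process in the container. The first comment line also has the typo `rclon`.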
