feat: add mysql tls support (#1462)

apecloud · Feb 11, 2025 · f0924a7 · f0924a7
1 parent 24c704b
commit f0924a7
Show file tree

Hide file tree

Showing 10 changed files with 129 additions and 20 deletions.
diff --git a/addons/mysql/config/mysql5.7-config.tpl b/addons/mysql/config/mysql5.7-config.tpl
@@ -166,6 +166,14 @@ character_set_server = utf8mb4
 # rpl_semi_sync_master_timeout = 1000
 # rpl-semi-sync-slave-enabled = 1
 
+{{- if eq (index $ "TLS_ENABLED") "true" }}
+# tls
+# require_secure_transport=ON
+ssl_ca={{ $data_root }}/tls/ca.pem
+ssl_cert={{ $data_root }}/tls/cert.pem
+ssl_key={{ $data_root }}/tls/key.pem
+{{- end }}
+
 [client]
 port={{ $mysql_port }}
 socket=/var/run/mysqld/mysqld.sock
diff --git a/addons/mysql/config/mysql8.0-config.tpl b/addons/mysql/config/mysql8.0-config.tpl
@@ -198,6 +198,14 @@ default_tmp_storage_engine=innodb
 collation_server = utf8mb4_unicode_520_ci
 character_set_server = utf8mb4
 
+{{- if eq (index $ "TLS_ENABLED") "true" }}
+# tls
+# require_secure_transport=ON
+ssl_ca={{ $data_root }}/tls/ca.pem
+ssl_cert={{ $data_root }}/tls/cert.pem
+ssl_key={{ $data_root }}/tls/key.pem
+{{- end }}
+
 [client]
 port={{ $mysql_port }}
 socket=/var/run/mysqld/mysqld.sock
diff --git a/addons/mysql/templates/_helpers.tpl b/addons/mysql/templates/_helpers.tpl
@@ -188,6 +188,10 @@ vars:
       credentialVarRef:
         name: kbreplicator
         password: Required
+  - name: TLS_ENABLED
+    valueFrom:
+      tlsVarRef:
+        enabled: Optional
 lifecycleActions:
   accountProvision:
     exec:
@@ -226,6 +230,12 @@ lifecycleActions:
           fi
 
           /tools/syncerctl switchover --primary "$KB_SWITCHOVER_CURRENT_NAME" ${KB_SWITCHOVER_CANDIDATE_NAME:+--candidate "$KB_SWITCHOVER_CANDIDATE_NAME"}
+tls:
+  volumeName: tls
+  mountPath: /etc/pki/tls
+  caFile: ca.pem
+  certFile: cert.pem
+  keyFile: key.pem
 roles:
   - name: primary
     updatePriority: 2
@@ -235,6 +245,19 @@ roles:
     participatesInQuorum: false
 {{- end }}
 
+{{- define "mysql.spec.runtime.entrypoint" -}}
+if [ -f {{ .Values.dataMountPath }}/plugin/audit_log.so ]; then
+  cp {{ .Values.dataMountPath }}/plugin/audit_log.so /usr/lib64/mysql/plugin/
+fi 
+if [ -d /etc/pki/tls ]; then
+  mkdir -p {{ .Values.dataMountPath }}/tls/
+  cp -L /etc/pki/tls/*.pem {{ .Values.dataMountPath }}/tls/
+  chmod 600 {{ .Values.dataMountPath }}/tls/*
+fi
+chown -R mysql:root {{ .Values.dataMountPath }}
+SERVICE_ID=$((${POD_NAME##*-} + 1))
+{{ end }}
+
 {{- define "mysql.spec.runtime.common" -}}
 - command:
     - cp
@@ -295,6 +318,12 @@ systemAccounts:
   - name: proxysql
     statement:
       create: CREATE USER IF NOT EXISTS '${KB_ACCOUNT_NAME}' IDENTIFIED BY '${KB_ACCOUNT_PASSWORD}'; GRANT SELECT ON performance_schema.* TO '${KB_ACCOUNT_NAME}'; GRANT SELECT ON sys.* TO '${KB_ACCOUNT_NAME}';
+tls:
+  volumeName: tls
+  mountPath: /etc/pki/tls
+  caFile: ca.pem
+  certFile: cert.pem
+  keyFile: key.pem
 roles:
   - name: primary
     updatePriority: 2
@@ -353,6 +382,10 @@ vars:
       componentVarRef:
         optional: false
         podNames: Required
+  - name: TLS_ENABLED
+    valueFrom:
+      tlsVarRef:
+        enabled: Optional
 exporter:
   containerName: mysql-exporter
   scrapePath: /metrics
@@ -475,6 +508,11 @@ command:
   - -c
   - |
     cp {{ .Values.dataMountPath }}/plugin/audit_log.so /usr/lib64/mysql/plugin/
+    if [ -d /etc/pki/tls ]; then
+      mkdir -p {{ .Values.dataMountPath }}/tls/
+      cp -L /etc/pki/tls/*.pem {{ .Values.dataMountPath }}/tls/
+      chmod 600 {{ .Values.dataMountPath }}/tls/*
+    fi
     chown -R mysql:root {{ .Values.dataMountPath }}
     export skip_slave_start="OFF"
     if [ -f {{ .Values.dataMountPath }}/data/.restore_new_cluster ]; then

diff --git a/addons/mysql/templates/cmpd-mysql57.yaml b/addons/mysql/templates/cmpd-mysql57.yaml
@@ -67,10 +67,7 @@ spec:
           - bash
           - -c
           - |
-            cp {{ .Values.dataMountPath }}/plugin/audit_log.so /usr/lib64/mysql/plugin/
-            chown -R mysql:root {{ .Values.dataMountPath }}
-            export LD_PRELOAD=/tools/lib/libjemalloc.so.2
-            SERVICE_ID=$((${POD_NAME##*-} + 1))
+            {{- include "mysql.spec.runtime.entrypoint" . | nindent 12 }}
             docker-entrypoint.sh mysqld --server-id $SERVICE_ID \
               --ignore-db-dir=lost+found \
               --plugin-load-add=rpl_semi_sync_master=semisync_master.so \
@@ -95,6 +92,8 @@ spec:
         env:
           - name: PATH
             value: /tools/xtrabackup/bin:/tools/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+          - name: LD_PRELOAD
+            value: /tools/lib/libjemalloc.so.2
           - name: KB_SERVICE_CHARACTER_TYPE
             value: mysql
           - name: MYSQL_INITDB_SKIP_TZINFO

diff --git a/addons/mysql/templates/cmpd-mysql80-mgr.yaml b/addons/mysql/templates/cmpd-mysql80-mgr.yaml
@@ -56,9 +56,7 @@ spec:
           - bash
           - -c
           - |
-            cp {{ .Values.dataMountPath }}/plugin/audit_log.so /usr/lib64/mysql/plugin/
-            chown -R mysql:root {{ .Values.dataMountPath }}
-            SERVICE_ID=$((${POD_NAME##*-} + 1))
+            {{- include "mysql.spec.runtime.entrypoint" . | nindent 12 }}
             docker-entrypoint.sh mysqld --server-id $SERVICE_ID \
                --report-host ${POD_NAME}.${CLUSTER_COMPONENT_NAME}-headless \
                --plugin-load-add=rpl_semi_sync_source=semisync_source.so \

diff --git a/addons/mysql/templates/cmpd-mysql80.yaml b/addons/mysql/templates/cmpd-mysql80.yaml
@@ -67,10 +67,7 @@ spec:
           - bash
           - -c
           - |
-            cp {{ .Values.dataMountPath }}/plugin/audit_log.so /usr/lib64/mysql/plugin/
-            chown -R mysql:root {{ .Values.dataMountPath }}
-            export LD_PRELOAD=/tools/lib/libjemalloc.so.2 
-            SERVICE_ID=$((${POD_NAME##*-} + 1))
+            {{- include "mysql.spec.runtime.entrypoint" . | nindent 12 }}
             docker-entrypoint.sh mysqld --server-id $SERVICE_ID \
                --plugin-load-add=rpl_semi_sync_source=semisync_source.so \
                --plugin-load-add=rpl_semi_sync_replica=semisync_replica.so \
@@ -94,6 +91,8 @@ spec:
         env:
           - name: PATH
             value: /tools/xtrabackup/bin:/tools/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+          - name: LD_PRELOAD
+            value: /tools/lib/libjemalloc.so.2
           - name: KB_SERVICE_CHARACTER_TYPE
             value: mysql
           - name: MYSQL_INITDB_SKIP_TZINFO

diff --git a/addons/mysql/templates/cmpd-mysql84-mgr.yaml b/addons/mysql/templates/cmpd-mysql84-mgr.yaml
@@ -44,10 +44,7 @@ spec:
           - bash
           - -c
           - |
-            mkdir -p {{ .Values.dataMountPath }}/{log,binlog,auditlog}
-            chown -R mysql:root {{ .Values.dataMountPath }}
-            export LD_PRELOAD=/tools/lib/libjemalloc.so.2
-            SERVICE_ID=$((${POD_NAME##*-} + 1))
+            {{- include "mysql.spec.runtime.entrypoint" . | nindent 12 }}
             docker-entrypoint.sh mysqld --server-id $SERVICE_ID \
                --report-host ${POD_NAME}.${CLUSTER_COMPONENT_NAME}-headless \
                --plugin-load-add=rpl_semi_sync_source=semisync_source.so \

diff --git a/addons/mysql/templates/cmpd-mysql84.yaml b/addons/mysql/templates/cmpd-mysql84.yaml
@@ -55,10 +55,7 @@ spec:
           - bash
           - -c
           - |
-            mkdir -p {{ .Values.dataMountPath }}/{log,binlog,auditlog}
-            chown -R mysql:root {{ .Values.dataMountPath }}
-            export LD_PRELOAD=/tools/lib/libjemalloc.so.2
-            SERVICE_ID=$((${POD_NAME##*-} + 1))
+            {{- include "mysql.spec.runtime.entrypoint" . | nindent 12 }}
             docker-entrypoint.sh mysqld --server-id $SERVICE_ID \
                --plugin-load-add=rpl_semi_sync_source=semisync_source.so \
                --plugin-load-add=rpl_semi_sync_replica=semisync_replica.so \
@@ -81,6 +78,8 @@ spec:
         env:
           - name: PATH
             value: /tools/xtrabackup/bin:/tools/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+          - name: LD_PRELOAD
+            value: /tools/lib/libjemalloc.so.2
           - name: KB_SERVICE_CHARACTER_TYPE
             value: mysql
           - name: MYSQL_INITDB_SKIP_TZINFO

diff --git a/examples/mysql/cluster-tls.yaml b/examples/mysql/cluster-tls.yaml
@@ -0,0 +1,63 @@
+apiVersion: apps.kubeblocks.io/v1
+kind: Cluster
+metadata:
+  name: mysql-cluster
+  namespace: default
+spec:
+  # Specifies the behavior when a Cluster is deleted.
+  # Valid options are: [DoNotTerminate, Delete, WipeOut] (`Halt` is deprecated since KB 0.9)
+  # - `DoNotTerminate`: Prevents deletion of the Cluster. This policy ensures that all resources remain intact.
+  # - `Delete`: Extends the `Halt` policy by also removing PVCs, leading to a thorough cleanup while removing all persistent data.
+  # - `WipeOut`: An aggressive policy that deletes all Cluster resources, including volume snapshots and backups in external storage. This results in complete data removal and should be used cautiously, primarily in non-production environments to avoid irreversible data loss.
+  terminationPolicy: Delete
+  # Specifies a list of ClusterComponentSpec objects used to define the
+  # individual Components that make up a Cluster.
+  # This field allows for detailed configuration of each Component within the Cluster
+  componentSpecs:
+    - name: mysql
+      # Specifies the ComponentDefinition custom resource (CR) that defines the
+      # Component's characteristics and behavior.
+      # Supports three different ways to specify the ComponentDefinition:
+      # - the regular expression - recommended
+      # - the full name - recommended
+      # - the name prefix
+      componentDef: "mysql-8.0"  # match all CMPD named with 'mysql-8.0-'
+      # ServiceVersion specifies the version of the Service expected to be
+      # provisioned by this Component.
+      # When componentDef is "mysql-8.0",
+      # Valid options are: [8.0.30,8.0.31,8.0.32,8.0.33,8.0.34,8.0.35,8.0.36,8.0.37,8.0.38,8.0.39]
+      serviceVersion: 8.0.35
+      # Determines whether metrics exporter information is annotated on the
+      # Component's headless Service.
+      # Valid options are [true, false]
+      disableExporter: false
+      # Specifies the desired number of replicas in the Component
+      replicas: 2
+      # Specifies the resources required by the Component.
+      resources:
+        limits:
+          cpu: '0.5'
+          memory: 0.5Gi
+        requests:
+          cpu: '0.5'
+          memory: 0.5Gi
+      # Specifies a list of PersistentVolumeClaim templates that define the storage
+      # requirements for the Component.
+      volumeClaimTemplates:
+        # Refers to the name of a volumeMount defined in
+        # `componentDefinition.spec.runtime.containers[*].volumeMounts
+        - name: data
+          spec:
+            # The name of the StorageClass required by the claim.
+            # If not specified, the StorageClass annotated with
+            # `storageclass.kubernetes.io/is-default-class=true` will be used by default
+            storageClassName: ""
+            accessModes:
+              - ReadWriteOnce
+            resources:
+              requests:
+                # Set the storage size as needed
+                storage: 20Gi
+      tls: true   # set TLS to true
+      issuer:     # if TLS is True, this filed is required.
+        name: KubeBlocks  # set Issuer to [KubeBlocks, UserProvided].
diff --git a/examples/mysql/cluster.yaml b/examples/mysql/cluster.yaml
@@ -57,4 +57,4 @@ spec:
             resources:
               requests:
                 # Set the storage size as needed
-                storage: 20Gi
+                storage: 20Gi