Updated mariadb to serve over tls

config/internal/mariadb/default/deployment.yaml.tmpl

@@ -88,7 +88,27 @@ spec:
           volumeMounts:
             - name: mariadb-persistent-storage
               mountPath: /var/lib/mysql
+            {{ if .PodToPodTLS }}
+            - name: mariadb-tls
+              mountPath: /.mariadb/certs
+            - name: mariadb-tls-config
+              mountPath: /etc/my.cnf.d/mariadb-tls-config.cnf
+              subPath: mariadb-tls-config.cnf
+            {{ end }}
       volumes:
         - name: mariadb-persistent-storage
           persistentVolumeClaim:
             claimName: mariadb-{{.Name}}
+        {{ if .PodToPodTLS }}
+        - name: mariadb-tls
+          secret:
+            secretName: ds-pipelines-mariadb-tls-{{.Name}}
+            items:
+              - key: tls.crt
+                path: tls.crt
+              - key: tls.key
+                path: tls.key
+        - name: mariadb-tls-config
+          configMap:
+            name: ds-pipelines-mariadb-tls-config-{{.Name}}
+        {{ end }}

config/internal/mariadb/default/service.yaml.tmpl

@@ -3,6 +3,10 @@ kind: Service
 metadata:
   name: mariadb-{{.Name}}
   namespace: {{.Namespace}}
+  {{ if .PodToPodTLS }}
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: ds-pipelines-mariadb-tls-{{.Name}}
+  {{ end }}
   labels:
     app: mariadb-{{.Name}}
     component: data-science-pipelines

config/internal/mariadb/default/tls-config.yaml.tmpl

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ds-pipelines-mariadb-tls-config-{{.Name}}
+  namespace: {{.Namespace}}
+  labels:
+    app: mariadb-{{.Name}}
+    component: data-science-pipelines
+data:
+  mariadb-tls-config.cnf: |
+    [mariadb]
+    ssl_cert = /.mariadb/certs/tls.crt
+    ssl_key = /.mariadb/certs/tls.key

controllers/database.go

@@ -44,6 +44,7 @@ var mariadbTemplates = []string{
 	"mariadb/default/service.yaml.tmpl",
 	"mariadb/default/mariadb-sa.yaml.tmpl",
 	"mariadb/default/networkpolicy.yaml.tmpl",
+	"mariadb/default/tls-config.yaml.tmpl",
 }
 
 func tLSClientConfig(pems [][]byte) (*cryptoTls.Config, error) {

controllers/dspipeline_params.go

@@ -325,6 +325,9 @@ func (p *DSPAParams) SetupDBParams(ctx context.Context, dsp *dspa.DataSciencePip
 		tlsParams := config.DBExtraParams{
 			"tls": "false",
 		}
+		if p.PodToPodTLS {
+			tlsParams["tls"] = "true"
+		}
 		dbExtraParams, err := config.GetDefaultDBExtraParams(tlsParams, log)
 		if err != nil {
 			log.Error(err, "Unexpected error encountered while retrieving DBExtraparams")

controllers/testdata/declarative/case_8/expected/created/mariadb_deployment.yaml

@@ -0,0 +1,97 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mariadb-testdsp8
+  namespace: default
+  labels:
+    app: mariadb-testdsp8
+    component: data-science-pipelines
+    dspa: testdsp8
+spec:
+  strategy:
+    type: Recreate  # Need this since backing PVC is ReadWriteOnce, which creates resource lock condition in default Rolling strategy
+  selector:
+    matchLabels:
+      app: mariadb-testdsp8
+      component: data-science-pipelines
+      dspa: testdsp8
+  template:
+    metadata:
+      labels:
+        app: mariadb-testdsp8
+        component: data-science-pipelines
+        dspa: testdsp8
+    spec:
+      containers:
+        - name: mariadb
+          image: mariadb:test8
+          ports:
+            - containerPort: 3306
+              protocol: TCP
+          readinessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - "-i"
+                - "-c"
+                - >-
+                  MYSQL_PWD=$MYSQL_PASSWORD mysql -h 127.0.0.1 -u $MYSQL_USER -D
+                  $MYSQL_DATABASE -e 'SELECT 1'
+            failureThreshold: 3
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          livenessProbe:
+            failureThreshold: 3
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: 3306
+            timeoutSeconds: 1
+          env:
+            - name: MYSQL_USER
+              value: "mlpipeline"
+            - name: MYSQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: "password"
+                  name: "ds-pipeline-db-testdsp8"
+            - name: MYSQL_DATABASE
+              value: "mlpipeline"
+            - name: MYSQL_ALLOW_EMPTY_PASSWORD
+              value: "true"
+          resources:
+            requests:
+              cpu: 300m
+              memory: 800Mi
+            limits:
+              cpu: "1"
+              memory: 1Gi
+          volumeMounts:
+            - name: mariadb-persistent-storage
+              mountPath: /var/lib/mysql
+            - name: mariadb-tls
+              mountPath: /.mariadb/certs
+            - name: mariadb-tls-config
+              mountPath: /etc/my.cnf.d/mariadb-tls-config.cnf
+              subPath: mariadb-tls-config.cnf
+      volumes:
+        - name: mariadb-persistent-storage
+          persistentVolumeClaim:
+            claimName: mariadb-testdsp8
+        - name: mariadb-tls
+          secret:
+            secretName: ds-pipelines-mariadb-tls-testdsp8
+            items:
+              - key: tls.crt
+                path: tls.crt
+              - key: tls.key
+                path: tls.key
+            defaultMode: 420
+        - name: mariadb-tls-config
+          configMap:
+            name: ds-pipelines-mariadb-tls-config-testdsp8
+            defaultMode: 420