diff --git a/config/internal/mariadb/default/deployment.yaml.tmpl b/config/internal/mariadb/default/deployment.yaml.tmpl
index d1b9b714..c4f05f02 100644
--- a/config/internal/mariadb/default/deployment.yaml.tmpl
+++ b/config/internal/mariadb/default/deployment.yaml.tmpl
@@ -88,7 +88,27 @@ spec:
 volumeMounts:
 - name: mariadb-persistent-storage
 mountPath: /var/lib/mysql
+ {{ if .PodToPodTLS }}
+ - name: mariadb-tls
+ mountPath: /.mariadb/certs
+ - name: mariadb-tls-config
+ mountPath: /etc/my.cnf.d/mariadb-tls-config.cnf
+ subPath: mariadb-tls-config.cnf
+ {{ end }}
 volumes:
 - name: mariadb-persistent-storage
 persistentVolumeClaim:
 claimName: mariadb-{{.Name}}
+ {{ if .PodToPodTLS }}
+ - name: mariadb-tls
+ secret:
+ secretName: ds-pipelines-mariadb-tls-{{.Name}}
+ items:
+ - key: tls.crt
+ path: tls.crt
+ - key: tls.key
+ path: tls.key
+ - name: mariadb-tls-config
+ configMap:
+ name: ds-pipelines-mariadb-tls-config-{{.Name}}
+ {{ end }}
diff --git a/config/internal/mariadb/default/service.yaml.tmpl b/config/internal/mariadb/default/service.yaml.tmpl
index 5a660cea..a8bba6a9 100644
--- a/config/internal/mariadb/default/service.yaml.tmpl
+++ b/config/internal/mariadb/default/service.yaml.tmpl
@@ -3,6 +3,10 @@ kind: Service
 metadata:
 name: mariadb-{{.Name}}
 namespace: {{.Namespace}}
+ {{ if .PodToPodTLS }}
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: ds-pipelines-mariadb-tls-{{.Name}}
+ {{ end }}
 labels:
 app: mariadb-{{.Name}}
 component: data-science-pipelines
diff --git a/config/internal/mariadb/default/tls-config.yaml.tmpl b/config/internal/mariadb/default/tls-config.yaml.tmpl
new file mode 100644
index 00000000..082f8245
--- /dev/null
+++ b/config/internal/mariadb/default/tls-config.yaml.tmpl
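Review bot: The `mariadb-tls` secret volume added under `volumes` sets no `defaultMode`, so `tls.key` is mounted with the Kubernetes default of 0644 (the case_8 expected fixture in this commit shows `defaultMode: 420`) and is readable by every process in the pod, not only the database user. Consider `defaultMode: 0440` on that volume so the private key is limited to the container's UID and fsGroup; whether MariaDB can still read it under OpenShift's arbitrary-UID model needs confirming before tightening. The Secret is produced asynchronously by service-ca from the annotation added to the Service, so with `PodToPodTLS` set the pod stays in ContainerCreating until it exists; a one-line comment above the `{{ if .PodToPodTLS }}` such as `# mariadb-tls is issued by service-ca from the Service annotation; the pod waits until it exists` would help whoever reads the pod events.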
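Review bot: The `service.beta.openshift.io/serving-cert-secret-name` annotation depends on the OpenShift service-ca operator; on a cluster without it the Secret `ds-pipelines-mariadb-tls-{{.Name}}` is never created and, because the deployment template mounts it when `PodToPodTLS` is set, MariaDB cannot start. The template should state that precondition, e.g. `# Requires the OpenShift service-ca operator; the serving certificate is issued for the service DNS name (mariadb-{{.Name}}.{{.Namespace}}.svc)`. That also implies clients must connect by that service hostname, not a pod IP, for certificate verification to pass.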
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: ds-pipelines-mariadb-tls-config-{{.Name}}
+ namespace: {{.Namespace}}
+ labels:
+ app: mariadb-{{.Name}}
+ component: data-science-pipelines
+data:
+ mariadb-tls-config.cnf: |
+ [mariadb]
+ ssl_cert = /.mariadb/certs/tls.crt
+ ssl_key = /.mariadb/certs/tls.key
diff --git a/controllers/database.go b/controllers/database.go
index b8cd81db..ce15f1c4 100644
--- a/controllers/database.go
+++ b/controllers/database.go
@@ -44,6 +44,7 @@ var mariadbTemplates = []string{
 "mariadb/default/service.yaml.tmpl",
 "mariadb/default/mariadb-sa.yaml.tmpl",
 "mariadb/default/networkpolicy.yaml.tmpl",
+ "mariadb/default/tls-config.yaml.tmpl",
 }
 
 func tLSClientConfig(pems [][]byte) (*cryptoTls.Config, error) {
diff --git a/controllers/dspipeline_params.go b/controllers/dspipeline_params.go
index 2e45c893..96534316 100644
--- a/controllers/dspipeline_params.go
+++ b/controllers/dspipeline_params.go
@@ -325,6 +325,9 @@ func (p *DSPAParams) SetupDBParams(ctx context.Context, dsp *dspa.DataSciencePip
 tlsParams := config.DBExtraParams{
 "tls": "false",
 }
+ if p.PodToPodTLS {
+ tlsParams["tls"] = "true"
+ }
 dbExtraParams, err := config.GetDefaultDBExtraParams(tlsParams, log)
 if err != nil {
 log.Error(err, "Unexpected error encountered while retrieving DBExtraparams")
diff --git a/controllers/testdata/declarative/case_8/expected/created/mariadb_deployment.yaml b/controllers/testdata/declarative/case_8/expected/created/mariadb_deployment.yaml
new file mode 100644
index 00000000..9a0b5a11
--- /dev/null
+++ b/controllers/testdata/declarative/case_8/expected/created/mariadb_deployment.yaml
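Review bot: The `[mariadb]` section turns on server-side TLS with `ssl_cert`/`ssl_key` but does not set `require_secure_transport = ON`, so any client that omits `tls=true` still gets a plaintext session on port 3306; the encryption this commit adds is opt-in on the client rather than enforced by the server. Before adding that option, confirm the readiness probe's `mysql -h 127.0.0.1` connection in the deployment template negotiates TLS with the image in use, otherwise the probe would start failing. Unlike the deployment and service templates, this file carries no `{{ if .PodToPodTLS }}` guard, and the database.go hunk registers it unconditionally in `mariadbTemplates`, so it appears to be rendered even when TLS is off; if that is intended, a short comment at the top of the file saying so, e.g. `# Rendered in all modes; only mounted when PodToPodTLS is set`, would avoid the question coming up again.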
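Review bot: `tlsParams["tls"] = "true"` asks the MySQL driver (go-sql-driver semantics, presumably) to verify the server certificate against the client's trust store, while the serving certificate produced by the Service annotation is signed by the OpenShift service CA, which is not in the default system roots. Unless that CA bundle is registered on the client side — `tLSClientConfig(pems)` in database.go looks like the place, but the wiring is not visible in this diff — the API server's database connection will fail verification in this mode. Confirm the service-CA bundle is attached to the TLS config, and keep the value at `"true"` rather than `"skip-verify"` or `"preferred"` if it fails, since those would silently drop server authentication. `SetupDBParams` starts and ends outside the hunk.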
@@ -0,0 +1,97 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mariadb-testdsp8
+ namespace: default
+ labels:
+ app: mariadb-testdsp8
+ component: data-science-pipelines
+ dspa: testdsp8
+spec:
+ strategy:
+ type: Recreate # Need this since backing PVC is ReadWriteOnce, which creates resource lock condition in default Rolling strategy
+ selector:
+ matchLabels:
+ app: mariadb-testdsp8
+ component: data-science-pipelines
+ dspa: testdsp8
+ template:
+ metadata:
+ labels:
+ app: mariadb-testdsp8
+ component: data-science-pipelines
+ dspa: testdsp8
+ spec:
+ containers:
+ - name: mariadb
+ image: mariadb:test8
+ ports:
+ - containerPort: 3306
+ protocol: TCP
+ readinessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - "-i"
+ - "-c"
+ - >-
+ MYSQL_PWD=$MYSQL_PASSWORD mysql -h 127.0.0.1 -u $MYSQL_USER -D
+ $MYSQL_DATABASE -e 'SELECT 1'
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ livenessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: 3306
+ timeoutSeconds: 1
+ env:
+ - name: MYSQL_USER
+ value: "mlpipeline"
+ - name: MYSQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: "password"
+ name: "ds-pipeline-db-testdsp8"
+ - name: MYSQL_DATABASE
+ value: "mlpipeline"
+ - name: MYSQL_ALLOW_EMPTY_PASSWORD
+ value: "true"
+ resources:
+ requests:
+ cpu: 300m
+ memory: 800Mi
+ limits:
+ cpu: "1"
+ memory: 1Gi
+ volumeMounts:
+ - name: mariadb-persistent-storage
+ mountPath: /var/lib/mysql
+ - name: mariadb-tls
+ mountPath: /.mariadb/certs
+ - name: mariadb-tls-config
+ mountPath: /etc/my.cnf.d/mariadb-tls-config.cnf
+ subPath: mariadb-tls-config.cnf
+ volumes:
+ - name: mariadb-persistent-storage
+ persistentVolumeClaim:
+ claimName: mariadb-testdsp8
+ - name: mariadb-tls
+ secret:
+ secretName: ds-pipelines-mariadb-tls-testdsp8
+ items:
+ - key: tls.crt
+ path: tls.crt
+ - key: tls.key
+ path: tls.key
+ defaultMode: 420
+ - name: mariadb-tls-config
+ configMap:
+ name: ds-pipelines-mariadb-tls-config-testdsp8
+ defaultMode: 420