[COMMON] Allow to use ' in mysql passwords

derivePassword which we use to generate our passwords includes ' in
set of special characters that can be used in passwords.

Current implementation of bitnami configure-mysql.sh simply
concatenates password surrounded with '' rest of SQL query. This
causes issues if password contains ' as it creates invalid SQL statement.

To fix this issue we just patch the script and escape the special '
character in password.

Issue-ID: OOM-2246
Reported-by: Mateusz Pilat <m.pilat@partner.samsung.com>
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I3d2150760755e55558e2045cbb7ca5693c8ab71f
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>

diff --git a/kubernetes/common/mariadb-galera/resources/config/configure-mysql.sh b/kubernetes/common/mariadb-galera/resources/config/configure-mysql.sh
new file mode 100755 (executable)
index 0000000..42c5c89
--- /dev/null
+++ b/kubernetes/common/mariadb-galera/resources/config/configure-mysql.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+#
+# Adfinis SyGroup AG
+# openshift-mariadb-galera: mysql setup script
+#
+
+set -eox pipefail
+
+echo 'Running mysql_install_db ...'
+mysql_install_db --datadir=/var/lib/mysql
+echo 'Finished mysql_install_db'
+
+mysqld --skip-networking --socket=/var/lib/mysql/mysql-init.sock --wsrep_on=OFF &
+pid="$!"
+
+mysql=( mysql --protocol=socket -uroot -hlocalhost --socket=/var/lib/mysql/mysql-init.sock )
+
+for i in {30..0}; do
+  if echo 'SELECT 1' | "${mysql[@]}" &> /dev/null; then
+    break
+  fi
+  echo 'MySQL init process in progress...'
+  sleep 1
+done
+if [ "$i" = 0 ]; then
+  echo >&2 'MySQL init process failed.'
+  exit 1
+fi
+
+if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then
+       # sed is for https://bugs.mysql.com/bug.php?id=20545
+       mysql_tzinfo_to_sql /usr/share/zoneinfo | sed 's/Local time zone must be set--see zic manual page/FCTY/' | "${mysql[@]}" mysql
+fi
+
+function prepare_password {
+       echo -n $1 | sed -e "s/'/''/g"
+}
+
+mysql_root_password=`prepare_password $MYSQL_ROOT_PASSWORD`
+# add MariaDB root user
+"${mysql[@]}" <<-EOSQL
+-- What's done in this file shouldn't be replicated
+--  or products like mysql-fabric won't work
+SET @@SESSION.SQL_LOG_BIN=0;
+
+DELETE FROM mysql.user ;
+CREATE USER 'root'@'%' IDENTIFIED BY '${mysql_root_password}' ;
+GRANT ALL ON *.* TO 'root'@'%' WITH GRANT OPTION ;
+DROP DATABASE IF EXISTS test ;
+FLUSH PRIVILEGES ;
+EOSQL
+
+# add root password for subsequent calls to mysql
+if [ ! -z "$MYSQL_ROOT_PASSWORD" ]; then
+       mysql+=( -p"${MYSQL_ROOT_PASSWORD}" )
+fi
+
+# add users require for Galera
+# TODO: make them somehow configurable
+"${mysql[@]}" <<-EOSQL
+CREATE USER 'xtrabackup_sst'@'localhost' IDENTIFIED BY 'xtrabackup_sst' ;
+GRANT RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'xtrabackup_sst'@'localhost' ;
+CREATE USER 'readinessProbe'@'localhost' IDENTIFIED BY 'readinessProbe';
+EOSQL
+
+if [ "$MYSQL_DATABASE" ]; then
+       echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" | "${mysql[@]}"
+       mysql+=( "$MYSQL_DATABASE" )
+fi
+
+if [ "$MYSQL_USER" -a "$MYSQL_PASSWORD" ]; then
+       mysql_password=`prepare_password $MYSQL_PASSWORD`
+       echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$mysql_password' ;" | "${mysql[@]}"
+
+       if [ "$MYSQL_DATABASE" ]; then
+               echo "GRANT ALL ON \`$MYSQL_DATABASE\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"
+       fi
+
+       echo 'FLUSH PRIVILEGES ;' | "${mysql[@]}"
+fi
+
+if ! kill -s TERM "$pid" || ! wait "$pid"; then
+       echo >&2 'MySQL init process failed.'
+       exit 1
+fi
+
+echo
+echo 'MySQL init process done. Ready for start up.'
+echo

diff --git a/kubernetes/common/mariadb-galera/templates/configmap.yaml b/kubernetes/common/mariadb-galera/templates/configmap.yaml
index e7bb701..a7064d7 100644 (file)
--- a/kubernetes/common/mariadb-galera/templates/configmap.yaml
+++ b/kubernetes/common/mariadb-galera/templates/configmap.yaml
@@ -1,5 +1,6 @@
 {{/*
 # Copyright © 2018 Amdocs, Bell Canada
+# Copyright © 2020 Samsung Electronics
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -28,4 +29,17 @@ metadata:
 data:
   my_extra.cnf: |
 {{ .Values.externalConfig | indent 4 }}
-{{- end -}}
+{{- end }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.fullname" . }}
+  namespace: {{ include "common.namespace" . }}
+  labels:
+    app: {{ include "common.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ include "common.release" . }}
+    heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}

diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
index 7157e33..855d50e 100644 (file)
--- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml
+++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
@@ -47,6 +47,10 @@ spec:
           configMap:
             name: {{ include "common.fullname" . }}-external-config
       {{- end}}
+        - name: init-script
+          configMap:
+            name: {{ include "common.fullname" . }}
+            defaultMode: 0755
         - name: localtime
           hostPath:
             path: /etc/localtime
@@ -104,6 +108,9 @@ spec:
           - mountPath: /etc/localtime
             name: localtime
             readOnly: true
+          - mountPath: /usr/share/container-scripts/mysql/configure-mysql.sh
+            subPath: configure-mysql.sh
+            name: init-script
 {{- if .Values.persistence.enabled }}
           - mountPath: /var/lib/mysql
             name: {{ include "common.fullname" . }}-data