K8SPS-421: Add keyring vault support

Author: egegunes

api/v1alpha1/perconaservermysql_types.go

@@ -26,6 +26,7 @@ import (
 	"strings"
 
 	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+	v "github.com/hashicorp/go-version"
 	"github.com/pkg/errors"
 	"github.com/robfig/cron/v3"
 	"golang.org/x/text/cases"
@@ -118,6 +119,8 @@ type MySQLSpec struct {
 	SidecarVolumes []corev1.Volume    `json:"sidecarVolumes,omitempty"`
 	SidecarPVCs    []SidecarPVC       `json:"sidecarPVCs,omitempty"`
 
+	VaultSecretName string `json:"vaultSecretName,omitempty"`
+
 	PodSpec `json:",inline"`
 }
 
@@ -566,6 +569,16 @@ func (cr *PerconaServerMySQL) SetVersion() {
 	cr.Spec.CRVersion = version.Version()
 }
 
+func (cr *PerconaServerMySQL) Version() *v.Version {
+	return v.Must(v.NewVersion(cr.Spec.CRVersion))
+}
+
+// CompareVersion compares given version to current version.
+// Returns -1, 0, or 1 if given version is smaller, equal, or larger than the current version, respectively.
+func (cr *PerconaServerMySQL) CompareVersion(ver string) int {
+	return cr.Version().Compare(v.Must(v.NewVersion(ver)))
+}
+
 // CheckNSetDefaults validates and sets default values for the PerconaServerMySQL custom resource.
 func (cr *PerconaServerMySQL) CheckNSetDefaults(_ context.Context, serverVersion *platform.ServerVersion) error {
 	if len(cr.Spec.MySQL.ClusterType) == 0 {

build/ps-entrypoint.sh

@@ -167,6 +167,26 @@ create_default_cnf() {
 		sed -i "/\[mysqld\]/a ssl_key=${TLS_DIR}/tls.key" $CFG
 	fi
 
+	# if vault secret file exists we assume we need to turn on encryption
+	vault_secret="/etc/mysql/vault-keyring-secret/keyring_vault.conf"
+	if [[ -f "${vault_secret}" ]]; then
+		sed -i "/\[mysqld\]/a early-plugin-load=keyring_vault.so" $CFG
+		sed -i "/\[mysqld\]/a keyring_vault_config=${vault_secret}" $CFG
+
+		if [[ ${MYSQL_VERSION} =~ ^(8\.0|8\.4)$ ]]; then
+			sed -i "/\[mysqld\]/a default_table_encryption=ON" $CFG
+			sed -i "/\[mysqld\]/a table_encryption_privilege_check=ON" $CFG
+			sed -i "/\[mysqld\]/a innodb_undo_log_encrypt=ON" $CFG
+			sed -i "/\[mysqld\]/a innodb_redo_log_encrypt=ON" $CFG
+			sed -i "/\[mysqld\]/a binlog_encryption=ON" $CFG
+			sed -i "/\[mysqld\]/a binlog_rotate_encryption_master_key_at_startup=ON" $CFG
+			sed -i "/\[mysqld\]/a innodb_temp_tablespace_encrypt=ON" $CFG
+			sed -i "/\[mysqld\]/a innodb_parallel_dblwr_encrypt=ON" $CFG
+			sed -i "/\[mysqld\]/a innodb_encrypt_online_alter_logs=ON" $CFG
+			sed -i "/\[mysqld\]/a encrypt_tmp_files=ON" $CFG
+		fi
+	fi
+
 	for f in "${CUSTOM_CONFIG_FILES[@]}"; do
 		echo "${f}"
 		if [ -f "${f}" ]; then

build/run-restore.sh

@@ -41,7 +41,13 @@ main() {
 		"azure") run_azure | extract "${tmpdir}" ;;
 	esac
 
-	xtrabackup --prepare --rollback-prepared-trx --target-dir="${tmpdir}"
+	local keyring=""
+	if [[ -f ${KEYRING_VAULT_PATH} ]]; then
+		echo "Using keyring vault config: ${KEYRING_VAULT_PATH}"
+		keyring="--keyring-vault-config=${KEYRING_VAULT_PATH}"
+	fi
+
+	xtrabackup --prepare --rollback-prepared-trx --target-dir="${tmpdir}" ${keyring}
 	xtrabackup --datadir="${DATADIR}" --move-back --force-non-empty-directories --target-dir="${tmpdir}"
 
 	rm -rf "${tmpdir}"

config/crd/bases/ps.percona.com_perconaservermysqls.yaml

@@ -5001,6 +5001,8 @@ spec:
                       - whenUnsatisfiable
                       type: object
                     type: array
+                  vaultSecretName:
+                    type: string
                   volumeSpec:
                     properties:
                       emptyDir:

deploy/bundle.yaml

@@ -6924,6 +6924,8 @@ spec:
                       - whenUnsatisfiable
                       type: object
                     type: array
+                  vaultSecretName:
+                    type: string
                   volumeSpec:
                     properties:
                       emptyDir:

deploy/cr.yaml

@@ -42,6 +42,7 @@ spec:
     image: perconalab/percona-server-mysql-operator:main-psmysql
     imagePullPolicy: Always
 #    initImage: perconalab/percona-server-mysql-operator:main
+#    vaultSecretName: cluster1-vault
     size: 3
 
 #    env:

deploy/crd.yaml

@@ -6924,6 +6924,8 @@ spec:
                       - whenUnsatisfiable
                       type: object
                     type: array
+                  vaultSecretName:
+                    type: string
                   volumeSpec:
                     properties:
                       emptyDir:

deploy/cw-bundle.yaml

@@ -6924,6 +6924,8 @@ spec:
                       - whenUnsatisfiable
                       type: object
                     type: array
+                  vaultSecretName:
+                    type: string
                   volumeSpec:
                     properties:
                       emptyDir:

deploy/vault-secret.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cluster1-vault
+type: Opaque
+stringData:
+  keyring_vault.conf: |-
+    token = <secret>
+    vault_url = http://vault-service.vault-service.svc.cluster.local:8200
+    secret_mount_point = secret

e2e-tests/conf/vault-secret.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: some-name-vault
+type: Opaque
+stringData:
+  keyring_vault.conf: |-
+    token = #token
+    vault_url = #vault_url
+    secret_mount_point = #secret
+    #vault_ca = /etc/mysql/vault-keyring-secret/ca.cert
+  ca.cert: |-
+    #certVal