K8SPS-265 add special characters #951
Changes from all commits
81a3dca
c3366a9
3b0ded3
eb31c2d
44b9a90
55033b8
293e890
b380d88
242a4f7
0976cfe
fdbb8b1
a1199db
714180e
4f07f91
ff54297
@@ -43,8 +43,15 @@ fi | |||||||||||||
|
||||||||||||||
set +o xtrace | ||||||||||||||
temp=$(mktemp) | ||||||||||||||
sed -r "s|^[#]?user=.*$|user=${TOPOLOGY_USER}|" "${ORC_CONF_PATH}/orc-topology.cnf" >"${temp}" | ||||||||||||||
sed -r "s|^[#]?password=.*$|password=${TOPOLOGY_PASSWORD:-$ORC_TOPOLOGY_PASSWORD}|" "${ORC_CONF_PATH}/orc-topology.cnf" >"${temp}" | ||||||||||||||
|
||||||||||||||
ESCAPED_PASSWORD=$(printf '%s' "${TOPOLOGY_PASSWORD:-$ORC_TOPOLOGY_PASSWORD}" | sed -e 's/[&"\\]/\\&/g') | ||||||||||||||
ESCAPED_PASSWORD="\"${ESCAPED_PASSWORD}\"" # Wrap in double quotes for .cnf | ||||||||||||||
|
||||||||||||||
sed -r \ | ||||||||||||||
-e "s|^[#]?user=.*$|user=${TOPOLOGY_USER}|" \ | ||||||||||||||
-e "s|^[#]?password=.*$|password=${ESCAPED_PASSWORD}|" \ | ||||||||||||||
"${ORC_CONF_PATH}/orc-topology.cnf" > "${temp}" | ||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [shfmt] reported by reviewdog 🐶
|
||||||||||||||
|
||||||||||||||
cat "${temp}" >"${ORC_CONF_PATH}/config/orc-topology.cnf" | ||||||||||||||
rm "${temp}" | ||||||||||||||
set -o xtrace | ||||||||||||||
|
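Review bot: The escape set on the `ESCAPED_PASSWORD=` line does not cover `|`, which is the delimiter of the two `sed -e` expressions below it, so a password containing `|` terminates the replacement early and the command either fails or writes a truncated value; add it, `sed -e 's/[&"\\|]/\\&/g'`, and give `${TOPOLOGY_USER}`, which is interpolated unescaped into the first expression, the same treatment. GNU sed's replacement parsing also turns `\"` back into a bare `"`, so the backslash meant to survive into the double-quoted .cnf value is most likely dropped — worth confirming with a password that contains a double quote; if so, building the line on the shell side rather than through a sed replacement avoids both problems. A newline in the password would break the expression in the same way. Keeping the block inside `set +o xtrace` / `set -o xtrace` is the right call for keeping the secret out of trace output.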
@@ -58,7 +58,7 @@ | |||||
case "$f" in | ||||||
*.sh) | ||||||
echo "$0: running $f" | ||||||
. "$f" | ||||||
|
||||||
;; | ||||||
*.sql) | ||||||
echo "$0: running $f" | ||||||
|
@@ -190,6 +190,14 @@ | |||||
sed -i "/\[mysqld\]/a super_read_only=ON" $CFG | ||||||
} | ||||||
|
||||||
escape_special() { | ||||||
{ set +x; } 2>/dev/null | ||||||
echo "$1" \ | ||||||
| sed 's/\\/\\\\/g' \ | ||||||
| sed 's/'\''/'\\\\\''/g' \ | ||||||
| sed 's/"/\\\"/g' | ||||||
} | ||||||
|
||||||
MYSQL_VERSION=$(mysqld -V | awk '{print $3}' | awk -F'.' '{print $1"."$2}') | ||||||
|
||||||
if [[ "$MYSQL_VERSION" != '8.0' ]] && [[ "${MYSQL_VERSION}" != '8.4' ]]; then | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [shfmt] reported by reviewdog 🐶
|
||||||
|
@@ -197,7 +205,7 @@ | |||||
exit 1 | ||||||
fi | ||||||
|
||||||
if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then | ||||||
|
||||||
# still need to check config, container may have started with --user | ||||||
_check_config "$@" | ||||||
|
||||||
|
@@ -213,7 +221,7 @@ | |||||
touch /var/lib/mysql/bootstrap.lock | ||||||
file_env 'MYSQL_ROOT_PASSWORD' '' 'root' | ||||||
{ set +x; } 2>/dev/null | ||||||
if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then | ||||||
|
||||||
echo >&2 'error: database is uninitialized and password option is not specified ' | ||||||
echo >&2 ' You need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD' | ||||||
exit 1 | ||||||
|
@@ -271,11 +279,11 @@ | |||||
rootCreate= | ||||||
# default root to listen for connections from anywhere | ||||||
file_env 'MYSQL_ROOT_HOST' '%' | ||||||
if [ -n "$MYSQL_ROOT_HOST" -a "$MYSQL_ROOT_HOST" != 'localhost' ]; then | ||||||
|
||||||
# no, we don't care if read finds a terminating character in this heredoc | ||||||
# https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151 | ||||||
read -r -d '' rootCreate <<-EOSQL || true | ||||||
CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' PASSWORD EXPIRE NEVER; | ||||||
CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '$(escape_special "${MYSQL_ROOT_PASSWORD}")' PASSWORD EXPIRE NEVER; | ||||||
GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ; | ||||||
EOSQL | ||||||
fi | ||||||
|
@@ -299,38 +307,38 @@ | |||||
SET @@SESSION.SQL_LOG_BIN=0; | ||||||
|
||||||
DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root', 'mysql.infoschema', 'mysql.session') OR host NOT IN ('localhost') ; | ||||||
ALTER USER 'root'@'localhost' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ; | ||||||
ALTER USER 'root'@'localhost' IDENTIFIED BY '$(escape_special "${MYSQL_ROOT_PASSWORD}")' ; | ||||||
GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ; | ||||||
${rootCreate} | ||||||
/*!80016 REVOKE SYSTEM_USER ON *.* FROM root */; | ||||||
|
||||||
CREATE USER 'operator'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${OPERATOR_ADMIN_PASSWORD}' PASSWORD EXPIRE NEVER; | ||||||
CREATE USER 'operator'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '$(escape_special "${OPERATOR_ADMIN_PASSWORD}")' PASSWORD EXPIRE NEVER; | ||||||
GRANT ALL ON *.* TO 'operator'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ; | ||||||
|
||||||
CREATE USER 'xtrabackup'@'localhost' IDENTIFIED BY '${XTRABACKUP_PASSWORD}' PASSWORD EXPIRE NEVER; | ||||||
CREATE USER 'xtrabackup'@'localhost' IDENTIFIED BY '$(escape_special "${XTRABACKUP_PASSWORD}")' PASSWORD EXPIRE NEVER; | ||||||
GRANT SYSTEM_USER, BACKUP_ADMIN, PROCESS, RELOAD, GROUP_REPLICATION_ADMIN, REPLICATION_SLAVE_ADMIN, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'xtrabackup'@'localhost'; | ||||||
GRANT SELECT ON performance_schema.replication_group_members TO 'xtrabackup'@'localhost'; | ||||||
GRANT SELECT ON performance_schema.log_status TO 'xtrabackup'@'localhost'; | ||||||
GRANT SELECT ON performance_schema.keyring_component_status TO 'xtrabackup'@'localhost'; | ||||||
|
||||||
CREATE USER 'monitor'@'${MONITOR_HOST}' IDENTIFIED BY '${MONITOR_PASSWORD}' WITH MAX_USER_CONNECTIONS 100 PASSWORD EXPIRE NEVER; | ||||||
CREATE USER 'monitor'@'${MONITOR_HOST}' IDENTIFIED BY '$(escape_special "${MONITOR_PASSWORD}")' WITH MAX_USER_CONNECTIONS 100 PASSWORD EXPIRE NEVER; | ||||||
GRANT SYSTEM_USER, SELECT, PROCESS, SUPER, REPLICATION CLIENT, RELOAD, BACKUP_ADMIN ON *.* TO 'monitor'@'${MONITOR_HOST}'; | ||||||
GRANT SELECT ON performance_schema.* TO 'monitor'@'${MONITOR_HOST}'; | ||||||
${monitorConnectGrant} | ||||||
|
||||||
CREATE USER 'replication'@'%' IDENTIFIED BY '${REPLICATION_PASSWORD}' PASSWORD EXPIRE NEVER; | ||||||
CREATE USER 'replication'@'%' IDENTIFIED BY '$(escape_special "${REPLICATION_PASSWORD}")' PASSWORD EXPIRE NEVER; | ||||||
GRANT DELETE, INSERT, UPDATE ON mysql.* TO 'replication'@'%' WITH GRANT OPTION; | ||||||
GRANT SELECT ON performance_schema.threads to 'replication'@'%'; | ||||||
GRANT SYSTEM_USER, REPLICATION SLAVE, BACKUP_ADMIN, GROUP_REPLICATION_STREAM, CLONE_ADMIN, CONNECTION_ADMIN, CREATE USER, EXECUTE, FILE, GROUP_REPLICATION_ADMIN, PERSIST_RO_VARIABLES_ADMIN, PROCESS, RELOAD, REPLICATION CLIENT, REPLICATION_APPLIER, REPLICATION_SLAVE_ADMIN, ROLE_ADMIN, SELECT, SHUTDOWN, SYSTEM_VARIABLES_ADMIN ON *.* TO 'replication'@'%' WITH GRANT OPTION; | ||||||
|
||||||
CREATE USER 'orchestrator'@'%' IDENTIFIED BY '${ORC_TOPOLOGY_PASSWORD}' PASSWORD EXPIRE NEVER; | ||||||
CREATE USER 'orchestrator'@'%' IDENTIFIED BY '$(escape_special "${ORC_TOPOLOGY_PASSWORD}")' PASSWORD EXPIRE NEVER; | ||||||
GRANT SYSTEM_USER, SUPER, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT, RELOAD ON *.* TO 'orchestrator'@'%'; | ||||||
GRANT SELECT ON performance_schema.replication_group_members TO 'orchestrator'@'%'; | ||||||
GRANT SELECT ON mysql.slave_master_info TO 'orchestrator'@'%'; | ||||||
GRANT SELECT ON sys_operator.* TO 'orchestrator'@'%'; | ||||||
|
||||||
CREATE DATABASE IF NOT EXISTS sys_operator; | ||||||
CREATE USER 'heartbeat'@'localhost' IDENTIFIED BY '${HEARTBEAT_PASSWORD}' PASSWORD EXPIRE NEVER; | ||||||
CREATE USER 'heartbeat'@'localhost' IDENTIFIED BY '$(escape_special "${HEARTBEAT_PASSWORD}")' PASSWORD EXPIRE NEVER; | ||||||
GRANT SYSTEM_USER, REPLICATION CLIENT ON *.* TO 'heartbeat'@'localhost'; | ||||||
GRANT SELECT, CREATE, DELETE, UPDATE, INSERT ON sys_operator.heartbeat TO 'heartbeat'@'localhost'; | ||||||
|
||||||
|
@@ -353,7 +361,7 @@ | |||||
file_env 'MYSQL_USER' | ||||||
file_env 'MYSQL_PASSWORD' | ||||||
{ set +x; } 2>/dev/null | ||||||
if [ "$MYSQL_USER" -a "$MYSQL_PASSWORD" ]; then | ||||||
|
||||||
echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" | "${mysql[@]}" | ||||||
|
||||||
if [ "$MYSQL_DATABASE" ]; then | ||||||
|
@@ -401,7 +409,7 @@ | |||||
if [[ -f /var/lib/mysql/full-cluster-crash ]]; then | ||||||
set +o xtrace | ||||||
node_name=$(hostname -f) | ||||||
cluster_name=$(hostname | cut -d '-' -f1) # TODO: This won't work if CR has `-` in its name. | ||||||
|
||||||
gtid_executed=$(</var/lib/mysql/full-cluster-crash) | ||||||
namespace=$(</var/run/secrets/kubernetes.io/serviceaccount/namespace) | ||||||
|
||||||
|
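Review bot: In the `@@ -353,7 +361,7 @@` hunk the context line `echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" | "${mysql[@]}"` still interpolates the user-supplied password raw into SQL while every other `IDENTIFIED BY` in the file now goes through `escape_special`; a password containing `'` breaks the statement, so it should read `... IDENTIFIED BY '$(escape_special "$MYSQL_PASSWORD")' ;`, and `$MYSQL_USER` deserves the same treatment. In `escape_special` itself, `echo "$1"` misbehaves for values beginning with `-n`/`-e`; `printf '%s\n' "$1"` is the safe form, and the three `sed` stages can be a single `sed -e ... -e ... -e ...`. The function also lacks a header comment; `# Escape \, ' and " so $1 can be embedded in a single-quoted MySQL string literal.` would do. The heredocs in which the function is used start before and continue past their hunks.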
@@ -6,18 +6,23 @@ ROUTER_DIR=${ROUTER_DIR:-/tmp/router} | |||||
OPERATOR_USER=${OPERATOR_USER:-operator} | ||||||
NAMESPACE=$(</var/run/secrets/kubernetes.io/serviceaccount/namespace) | ||||||
|
||||||
urlencode() { | ||||||
python3 -c 'import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))' "$1" | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [shfmt] reported by reviewdog 🐶
|
||||||
} | ||||||
|
||||||
if [ -f "/etc/mysql/mysql-users-secret/${OPERATOR_USER}" ]; then | ||||||
OPERATOR_PASS=$(<"/etc/mysql/mysql-users-secret/${OPERATOR_USER}") | ||||||
OPERATOR_PASS_ESCAPED=$(urlencode "$OPERATOR_PASS") | ||||||
fi | ||||||
|
||||||
mysqlrouter --force \ | ||||||
--bootstrap "${OPERATOR_USER}:${OPERATOR_PASS}@${MYSQL_SERVICE_NAME}-0.${MYSQL_SERVICE_NAME}.${NAMESPACE}.svc" \ | ||||||
--bootstrap "${OPERATOR_USER}:${OPERATOR_PASS_ESCAPED}@${MYSQL_SERVICE_NAME}-0.${MYSQL_SERVICE_NAME}.${NAMESPACE}.svc" \ | ||||||
--conf-bind-address 0.0.0.0 \ | ||||||
--conf-set-option http_auth_backend:default_auth_backend.backend=file \ | ||||||
--conf-set-option http_auth_backend:default_auth_backend.filename="${ROUTER_DIR}/realm.txt" \ | ||||||
--directory "${ROUTER_DIR}" | ||||||
|
||||||
echo ${OPERATOR_PASS} | mysqlrouter_passwd set "${ROUTER_DIR}/realm.txt" ${OPERATOR_USER} | ||||||
echo "${OPERATOR_PASS_ESCAPED}" | mysqlrouter_passwd set "${ROUTER_DIR}/realm.txt" "${OPERATOR_USER}" | ||||||
|
||||||
sed -i 's/logging_folder=.*/logging_folder=/g' "${ROUTER_DIR}/mysqlrouter.conf" | ||||||
sed -i "/\[logger\]/a destination=/dev/stdout" "${ROUTER_DIR}/mysqlrouter.conf" | ||||||
|
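Review bot: `urlencode` calls `urllib.parse.quote` with its default `safe='/'`, so a `/` in the operator password is left unencoded and splits the `user:pass@host` URI on the `--bootstrap` line; use `urllib.parse.quote(sys.argv[1], safe='')`. The same function is added verbatim in the two health-check scripts below, so all three copies need the change, or better a single shared helper. Passing the secret as `"$1"` also places it in python3's argv, readable through `ps`/`/proc` by other processes in the container; reading it from stdin (`printf '%s' "$1" | python3 -c 'import urllib.parse, sys; print(urllib.parse.quote(sys.stdin.read(), safe=""))'`) avoids that, although the `--bootstrap` argument already exposes it the same way, so the gain here is limited. On the `mysqlrouter_passwd` line, `echo` of a value that may begin with `-` is fragile; `printf '%s\n'` is safer.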
@@ -1,15 +1,20 @@ | ||||||
#!/bin/bash | ||||||
|
||||||
urlencode() { | ||||||
python3 -c 'import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))' "$1" | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [shfmt] reported by reviewdog 🐶
|
||||||
} | ||||||
|
||||||
OPERATOR_PASS=$(</etc/mysql/mysql-users-secret/operator) | ||||||
OPERATOR_PASS_ESCAPED=$(urlencode "$OPERATOR_PASS") | ||||||
|
||||||
if ! curl -k -s -u operator:"${OPERATOR_PASS}" https://localhost:8443/api/20190715/routes/bootstrap_rw/health | grep true; then | ||||||
if ! curl -k -s -u operator:"${OPERATOR_PASS_ESCAPED}" https://localhost:8443/api/20190715/routes/bootstrap_rw/health | grep true; then | ||||||
echo "Read-write route is not healthy" | ||||||
exit 1 | ||||||
fi | ||||||
|
||||||
if ! curl -k -s -u operator:"${OPERATOR_PASS}" https://localhost:8443/api/20190715/routes/bootstrap_ro/health | grep true; then | ||||||
if ! curl -k -s -u operator:"${OPERATOR_PASS_ESCAPED}" https://localhost:8443/api/20190715/routes/bootstrap_ro/health | grep true; then | ||||||
echo "Read-only route is not healthy" | ||||||
exit 1 | ||||||
fi | ||||||
|
||||||
exit 0 | ||||||
exit 0 |
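Review bot: `-u operator:"${OPERATOR_PASS_ESCAPED}"` on both curl lines sends the percent-encoded form of the secret as the Basic-auth password; curl does not decode `-u` values, so this only works because the bootstrap script now also stores the encoded form in `realm.txt`. The realm credential therefore no longer equals the operator secret, and any other client that authenticates to the router API with the real secret would get a 401 — whether anything does is not visible here and is worth confirming. If the encoding is only needed for the bootstrap URI, store and send the raw value instead: `printf '%s\n' "${OPERATOR_PASS}" | mysqlrouter_passwd set ...` in the bootstrap script and `-u operator:"${OPERATOR_PASS}"` here and in `router_startup_check.sh` below, which has the same pattern. Either way, a one-line comment on the `OPERATOR_PASS_ESCAPED=` assignment naming which consumer needs the encoded form would stop the next reader from "fixing" it.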
@@ -1,7 +1,12 @@ | ||||||
#!/bin/bash | ||||||
|
||||||
urlencode() { | ||||||
python3 -c 'import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))' "$1" | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [shfmt] reported by reviewdog 🐶
|
||||||
} | ||||||
|
||||||
OPERATOR_PASS=$(</etc/mysql/mysql-users-secret/operator) | ||||||
OPERATOR_PASS_ESCAPED=$(urlencode "$OPERATOR_PASS") | ||||||
|
||||||
if [[ $(curl -k -s -u operator:"${OPERATOR_PASS}" -o /dev/null -w %{http_code} https://localhost:8443/api/20190715/router/status) != 200 ]]; then | ||||||
if [[ $(curl -k -s -u operator:"${OPERATOR_PASS_ESCAPED}" -o /dev/null -w %{http_code} https://localhost:8443/api/20190715/router/status) != 200 ]]; then | ||||||
|
||||||
echo "Router is not ready" | ||||||
fi | ||||||
fi |
@@ -1039,6 +1039,11 @@ deploy_cmctl() { | |||||||||
kubectl apply -n "${NAMESPACE}" -f "${TESTS_CONFIG_DIR}/cmctl.yml" | ||||||||||
} | ||||||||||
|
||||||||||
get_user_pass() { | ||||||||||
local user="${1:-root}" | ||||||||||
kubectl -n "${NAMESPACE}" get secret test-secrets -o jsonpath="{.data.${user}}" | base64 --decode | ||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [shfmt] reported by reviewdog 🐶
|
||||||||||
} | ||||||||||
|
||||||||||
get_operator_version() { | ||||||||||
kubectl get crd -n "$NAMESPACE" perconaservermysqls.ps.percona.com -o jsonpath='{.metadata.labels.app\.kubernetes\.io/version}' | ||||||||||
} | ||||||||||
|
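Review bot: `get_user_pass` has no header comment and its output is a secret on stdout; a line such as `# Print the decoded value of key $1 (default: root) from the test-secrets Secret in $NAMESPACE.` plus a reminder that callers running under `set -x` will echo it into CI logs would help. `${user}` is spliced into the jsonpath expression unescaped, so a key containing `.` would need the `\.` form that `get_operator_version` just below uses; the current callers presumably pass plain user names, but a comment saying so is cheap.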
@@ -10,7 +10,6 @@ commands: | |
|
||
apply_s3_storage_secrets | ||
deploy_operator | ||
deploy_non_tls_cluster_secrets | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. So we are removing this cause the operator does not trigger the password generation if the key/value pair exists, right? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Because I want operator generate random passwords and we use it in our tests. (now we use passwords from predefined file and it's like |
||
deploy_tls_cluster_secrets | ||
deploy_client | ||
deploy_minio | ||
|
[shfmt] reported by reviewdog 🐶