From 9a781117f025ebbe62fc6658c8a4037a25262b94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=B6ran=20P=C3=B6hner?=
 <10630407+groundhog2k@users.noreply.github.com>
Date: Sun, 5 Nov 2023 18:39:40 +0100
Subject: [PATCH] Bumped to stable major chart version - Allows usage of
 existing secret reference and added network policy support (#1257)

* Prepared new database configuration

* Improved secure config

* Bumped version
---
 charts/mariadb/Chart.yaml                   | 11 +++++--
 charts/mariadb/README.md                    | 26 +++++++++++++----
 charts/mariadb/RELEASENOTES.md              |  6 ++++
 charts/mariadb/templates/_helpers.tpl       |  9 ------
 charts/mariadb/templates/networkpolicy.yaml | 25 ++++++++++++++++
 charts/mariadb/templates/pvc.yaml           |  4 +--
 charts/mariadb/templates/secureconfig.yaml  | 20 ++++++++-----
 charts/mariadb/templates/statefulset.yaml   | 32 +++++++++++++++++----
 charts/mariadb/values.yaml                  | 24 ++++++++++++++--
 9 files changed, 124 insertions(+), 33 deletions(-)
 create mode 100644 charts/mariadb/templates/networkpolicy.yaml

diff --git a/charts/mariadb/Chart.yaml b/charts/mariadb/Chart.yaml
index d54ce946..f6ee2102 100644
--- a/charts/mariadb/Chart.yaml
+++ b/charts/mariadb/Chart.yaml
@@ -6,7 +6,14 @@ type: application
 
 maintainers:
   - name: groundhog2k
+    url: https://github.com/groundhog2k/helm-charts
 
-version: "0.10.0"
+keywords:
+  - database
+  - mariadb
+  - mysql
 
-appVersion: "11.1.2"
+version: "1.0.0"
+
+appVersion: "10.4.31"
+icon: https://mariadb.com/wp-content/uploads/2019/11/mariadb-logo_black-transparent-600x150.png
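Review bot: The `-appVersion: "11.1.2"` / `+appVersion: "10.4.31"` pair is a server downgrade, not just a chart bump: a `helm upgrade` from 0.10.x to 1.0.0 with the default image starts a 10.4 server against a data directory initialised by 11.1, which MariaDB does not support going backwards. The RELEASENOTES table in this commit maps 1.0.0 to 10.4.31 up through 2.1.0 to 11.1.2, so this looks like a deliberate per-series layout, but nothing in the chart tells an upgrader to stay on the matching series or pin the image to the server version already deployed. A comment next to `appVersion` such as `# 1.x chart series tracks MariaDB 10.4; do not upgrade from 0.10.x (11.1) without keeping the previously deployed image` would make that visible where the version is set.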
diff --git a/charts/mariadb/README.md b/charts/mariadb/README.md
index 968f3c39..e207ae42 100644
--- a/charts/mariadb/README.md
+++ b/charts/mariadb/README.md
@@ -1,6 +1,6 @@
 # MariaDB
 
-![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 11.1.2](https://img.shields.io/badge/AppVersion-11.1.2-informational?style=flat-square)
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 10.4.31](https://img.shields.io/badge/AppVersion-10.4.31-informational?style=flat-square)
 
 ## Changelog
 
@@ -94,6 +94,16 @@ helm uninstall my-release
 | service.loadBalancerIP | string | `nil` | The load balancer ip address (only relevant for type LoadBalancer) |
 | service.annotations | object | `{}` | Additional service annotations |
 
+## Network policies
+
+Allows to define optional network policies for [ingress and egress](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
+The policyTypes will be automatically set
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| networkPolicy.ingress | object | `{}` | Ingress network policies |
+| networkPolicy.egress | object | `{}` | Egress network policies |
+
 ## Storage parameters
 
 | Key | Type | Default | Description |
@@ -111,10 +121,16 @@ helm uninstall my-release
 |-----|------|---------|-------------|
 | useDeployment | bool | `false` | Use Kubernetes Deployment instead of StatefulSet |
 | userDatabase | object | `{}` | Optional MariaDB user database |
-| userDatabase.name | string | `""` | Name of the user database |
-| userDatabase.user | string | `""` | User name with full access to user database|
-| userDatabase.password | string | `""` | Password of created user |
-| settings.rootPassword | string | `nil` | MariaDB root password |
+| userDatabase.existingSecret | string | `nil` | Optional existing secret with database name, user and password |
+| userDatabase.name.secretKey | string | `""` | Key of the existingSecret with database name |
+| userDatabase.name.value | string | `""` | Name of the user database (if no existingSecret was specified) |
+| userDatabase.user.secretKey | string | `""` | Key of the existingSecret with database user |
+| userDatabase.user.value | string | `""` | User name with full access to user database (if no existingSecret was specified) |
+| userDatabase.password.secretKey | string | `""` | Key of the existingSecret with password of created user |
+| userDatabase.password.value | string | `""` | Password of created user (if no existingSecret was specified) |
+| settings.existingSecret | string | `nil` | Optional existing secret for the root password |
+| settings.rootPassword.secretKey | string | `nil` | Key of existingSecret for the MariaDB root password |
+| settings.rootPassword.value | string | `nil` | MariaDB root password (if no existingSecret was specified) |
 | settings.allowEmptyRootPassword | bool | `false` | Set true to allow an empty root password |
 | settings.skipTZInfo | bool | `false` | Set true to skip loading timezone data during init |
 | settings.arguments | list | `[]` | Additional arguments for mysqld (entrypoint process) |
diff --git a/charts/mariadb/RELEASENOTES.md b/charts/mariadb/RELEASENOTES.md
index 7d8f7345..268213c1 100644
--- a/charts/mariadb/RELEASENOTES.md
+++ b/charts/mariadb/RELEASENOTES.md
@@ -70,4 +70,10 @@
 | 0.9.0 | 11.0.2 | Upgraded MariaDB to 11.0.2 |
 | 0.9.1 | 11.0.3 | Upgraded MariaDB to 11.0.3 |
 | 0.10.2 | 11.1.2 | Upgraded MariaDB to 11.1.2 |
+| 1.0.0 | 10.4.31 | Bumped to stable major chart version - Allows usage of existing secret reference and added network policy support |
+| 1.1.0 | 10.5.22 | Bumped to stable major chart version - Allows usage of existing secret reference and added network policy support |
+| 1.2.0 | 10.6.15 | Bumped to stable major chart version - Allows usage of existing secret reference and added network policy support |
+| 1.3.0 | 10.11.5 | Bumped to stable major chart version - Allows usage of existing secret reference and added network policy support |
+| 2.0.0 | 11.0.3 | Bumped to stable major chart version - Allows usage of existing secret reference and added network policy support |
+| 2.1.0 | 11.1.2 | Bumped to stable major chart version - Allows usage of existing secret reference and added network policy support |
 | | | |
diff --git a/charts/mariadb/templates/_helpers.tpl b/charts/mariadb/templates/_helpers.tpl
index 57d99ab4..b5cd7d6c 100644
--- a/charts/mariadb/templates/_helpers.tpl
+++ b/charts/mariadb/templates/_helpers.tpl
@@ -61,12 +61,3 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
-
-{{/*
-Generate secret with configuration
-*/}}
-{{- define "mariadb.createSecureConfig" -}}
-  {{- if or (.Values.settings.rootPassword) (.Values.userDatabase) }}
-true
-  {{- end }}
-{{- end }}
diff --git a/charts/mariadb/templates/networkpolicy.yaml b/charts/mariadb/templates/networkpolicy.yaml
new file mode 100644
index 00000000..4ebc5e01
--- /dev/null
+++ b/charts/mariadb/templates/networkpolicy.yaml
@@ -0,0 +1,25 @@
+{{- with .Values.networkPolicy }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "mariadb.fullname" $ }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "mariadb.selectorLabels" $ | nindent 6 }}
+  policyTypes:
+  {{- if .ingress }}
+    - Ingress
+  {{- end }}
+  {{- if .egress }}
+    - Egress
+  {{- end }}
+  {{- with .ingress }}
+  ingress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .egress }}
+  egress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
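Review bot: `{{- if .ingress }}` / `{{- with .ingress }}` treat an empty list the same as an absent key, so `networkPolicy.egress: []` (the Kubernetes spelling of "deny all egress") renders a policy with no `policyTypes` and no `egress:` stanza; the API server then defaults `policyTypes` to `[Ingress]`, and the pods end up isolated for ingress instead of egress. The same truthiness check makes `ingress: []` work only by accident of that default. Deciding on key presence with `hasKey` and emitting the list verbatim keeps the two cases apart; the `with .Values.networkPolicy` wrapper and the selector lines are unchanged.
```yaml
  # … unchanged: apiVersion/kind/metadata/podSelector …
  policyTypes:
  {{- if hasKey . "ingress" }}
    - Ingress
  {{- end }}
  {{- if hasKey . "egress" }}
    - Egress
  {{- end }}
  {{- if hasKey . "ingress" }}
  ingress:
    {{- toYaml .ingress | nindent 4 }}
  {{- end }}
  {{- if hasKey . "egress" }}
  egress:
    {{- toYaml .egress | nindent 4 }}
  {{- end }}
```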
diff --git a/charts/mariadb/templates/pvc.yaml b/charts/mariadb/templates/pvc.yaml
index 963bd268..bb2cef8c 100644
--- a/charts/mariadb/templates/pvc.yaml
+++ b/charts/mariadb/templates/pvc.yaml
@@ -1,6 +1,5 @@
-{{- if .Values.useDeployment }}
 {{- $createPvc := and (empty .Values.storage.persistentVolumeClaimName) (.Values.storage.requestedSize) }}
-{{- if $createPvc }}
+{{- if and (.Values.useDeployment) ($createPvc) }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -24,4 +23,3 @@ spec:
   {{- end }}
   {{- end }}  
 {{- end }}
-{{- end }}
diff --git a/charts/mariadb/templates/secureconfig.yaml b/charts/mariadb/templates/secureconfig.yaml
index 30340c7e..f16f40ff 100644
--- a/charts/mariadb/templates/secureconfig.yaml
+++ b/charts/mariadb/templates/secureconfig.yaml
@@ -1,4 +1,6 @@
-{{- if include "mariadb.createSecureConfig" . }}
+{{- $rootSet := and (not .Values.settings.existingSecret) ((.Values.settings.rootPassword).value) }}
+{{- $userDatabaseSet := and (.Values.userDatabase) (not .Values.userDatabase.existingSecret) }}
+{{- if or ($rootSet) ($userDatabaseSet) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,15 +10,19 @@ metadata:
 type: Opaque
 data:
   {{- with .Values.settings }}
-  {{- if .rootPassword }}
-  MARIADB_ROOT_PASSWORD: {{ .rootPassword | b64enc }}
+  {{- if (.rootPassword).value }}
+  MARIADB_ROOT_PASSWORD: {{ .rootPassword.value | b64enc }}
   {{- end }}
   {{- end }}
   {{- with .Values.userDatabase }}
-  MARIADB_DATABASE: {{ required "Values: userDatabase.name is mandatory if userDatabase is specified." .name | b64enc }}
-  {{- if .user }}
-  MARIADB_USER: {{ .user | b64enc }}
-  MARIADB_PASSWORD: {{ required "Values: userDatabase.password is mandatory if userDatabase.user is specified." .password | b64enc }}
+  {{- if not .existingSecret }}
+  {{- $_ := required "Values: userDatabase.name is mandatory if userDatabase is specified without existing secret" .name }}
+  MARIADB_DATABASE: {{ required "Values: userDatabase.name.value is mandatory if userDatabase is specified without existingSecret." .name.value | b64enc }}
+  {{- if (.user).value }}
+  MARIADB_USER: {{ .user.value | b64enc }}
+  {{- $_ := required "Values: userDatabase.password is mandatory if userDatabase is specified without existing secret" .password }}
+  MARIADB_PASSWORD: {{ required "Values: userDatabase.password.value is mandatory if userDatabase.user is specified without existingSecret." .password.value | b64enc }}
+  {{- end }}
   {{- end }}
   {{- end }}
 {{- end }}
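Review bot: `{{- if (.rootPassword).value }}` does not look at `settings.existingSecret`, so when an operator sets both an existing secret and `rootPassword.value` while a chart-managed Secret is still created for the user database, the plaintext root password is base64-written into that Secret even though the StatefulSet in this commit reads it from the existing secret; `{{- if and (not .existingSecret) (.rootPassword).value }}` keeps the two sources exclusive and matches the `$rootSet` guard at the top of the file. The two `required` messages for the same condition are spelled differently ("without existing secret" vs "without existingSecret."), which makes the failure harder to grep for. The `{{- $_ := required ... }}` assignments exist only for their side effect; a short comment such as `{{/* fail with a readable message when name/password is absent, before .name.value would hit a nil map */}}` would explain why they precede the real lookups.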
diff --git a/charts/mariadb/templates/statefulset.yaml b/charts/mariadb/templates/statefulset.yaml
index 6dbaa34e..51321431 100644
--- a/charts/mariadb/templates/statefulset.yaml
+++ b/charts/mariadb/templates/statefulset.yaml
@@ -186,6 +186,30 @@ spec:
             {{- end }}
           {{- end }}
           env:
+          {{- if or (.Values.settings.existingSecret) ((.Values.settings.rootPassword).value) }}
+            - name: MARIADB_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default (include "mariadb.fullname" .) .Values.settings.existingSecret }}
+                  key: {{ default "MARIADB_ROOT_PASSWORD" (.Values.settings.rootPassword).secretKey }}
+          {{- end }}
+          {{- with .Values.userDatabase }}
+            - name: MARIADB_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default (include "mariadb.fullname" $) .existingSecret }}
+                  key: {{ default "MARIADB_DATABASE" .name.secretKey }}
+            - name: MARIADB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default (include "mariadb.fullname" $) .existingSecret }}
+                  key: {{ default "MARIADB_USER" .user.secretKey }}
+            - name: MARIADB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default (include "mariadb.fullname" $) .existingSecret }}
+                  key: {{ default "MARIADB_PASSWORD" .password.secretKey }}
+          {{- end }}
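Review bot: `key: {{ default "MARIADB_USER" .user.secretKey }}` and the sibling `.name.secretKey` / `.password.secretKey` lines dereference a key of a map that may be unset, so a values file that provides only `userDatabase.existingSecret` (relying on the default key names) or only `name.value` fails to render with a nil-pointer error; the same diff uses the parenthesised `(.rootPassword).value` form on the root-password lines to avoid exactly that. MARIADB_USER and MARIADB_PASSWORD are also emitted unconditionally, while secureconfig.yaml in this commit only writes those keys when `(.user).value` is set, so a chart-managed Secret holding just the database name leaves the pod with a secretKeyRef to a missing key and the container never starts. Using the nil-safe lookups and guarding the user/password entries the way secureconfig does keeps the two templates consistent; the enclosing container spec starts and ends outside the hunk.
```yaml
          {{- with .Values.userDatabase }}
            - name: MARIADB_DATABASE
              valueFrom:
                secretKeyRef:
                  name: {{ default (include "mariadb.fullname" $) .existingSecret }}
                  key: {{ default "MARIADB_DATABASE" (.name).secretKey }}
          {{- if or .existingSecret (.user).value }}
            - name: MARIADB_USER
              valueFrom:
                secretKeyRef:
                  name: {{ default (include "mariadb.fullname" $) .existingSecret }}
                  key: {{ default "MARIADB_USER" (.user).secretKey }}
            - name: MARIADB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ default (include "mariadb.fullname" $) .existingSecret }}
                  key: {{ default "MARIADB_PASSWORD" (.password).secretKey }}
          {{- end }}
          {{- end }}
```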
           {{- if .Values.settings.skipTZInfo }}
             - name: MARIADB_INITDB_SKIP_TZINFO
               value: "yes"
@@ -197,15 +221,13 @@ spec:
           {{- with .Values.env }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- with .Values.extraEnvSecrets }}
           envFrom:
-          {{- if include "mariadb.createSecureConfig" . }}
-            - secretRef:
-                name: {{ $fullname }}
-          {{- end }}
-          {{- range .Values.extraEnvSecrets }}
+          {{- range . }}
             - secretRef:
                 name: {{ . }}
           {{- end }}
+          {{- end }}
       {{- with .Values.extraContainers }}
       {{- toYaml . | nindent 8 }}
       {{- end }}
diff --git a/charts/mariadb/values.yaml b/charts/mariadb/values.yaml
index fef36b99..575bfe7e 100644
--- a/charts/mariadb/values.yaml
+++ b/charts/mariadb/values.yaml
@@ -136,6 +136,12 @@ extraContainers: []
 ## Additional environment variables
 env: []
 
+## Network policies
+networkPolicy: {}
+  ## Ingress and Egress policies
+  # ingress: {}
+  # egress: {}
+
 ## Use Kubernetes Deployment instead of StatefulSet
 useDeployment: false
 
@@ -146,8 +152,13 @@ settings:
   #  - --character-set-server=utf8mb4
   #  - --collation-server=utf8mb4_unicode_ci
 
+  ## Optional existing secret for the MariaDB root password
+  existingSecret:
+
   ## The root user password
   rootPassword:
+  #  secretKey:
+  #  value:
 
   ## Set true to allow an empty root password
   allowEmptyRootPassword: false
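Review bot: `rootPassword:` changes shape from a plain scalar to a map with `secretKey`/`value`, and nothing in the hunk says so; a values file carrying `settings.rootPassword: "..."` from a 0.x release now makes `(.Values.settings.rootPassword).value` fail to render (field lookup on a string), which is the breaking change behind the 1.0.0 bump. A comment above the key such as `## Since chart 1.0.0 rootPassword is a map (secretKey/value); the former plain-string form is no longer accepted` would put the migration note where users edit the value. The userDatabase hunk below changes `name`, `user` and `password` the same way and would benefit from the same note.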
@@ -157,14 +168,23 @@ settings:
 
 ## Optional user database which is created during first startup with user and password
 userDatabase: {}
+  ## Optional existing secret with database name, user and password
+  # existingSecret:
   ## Name of the user database
   # name:
-
+  ##  Use secretKey when existingSecret was specified otherwise value
+  #   secretKey:
+  #   value:
   ## Database user with full access rights
+  ##  Use secretKey when existingSecret was specified otherwise value
   # user:
-
+  #   secretKey:
+  #   value:
   ## Password of the database user
+  ##  Use secretKey when existingSecret was specified otherwise value
   # password:
+  #   secretKey:
+  #   value:
 
 ## Optional custom configuration block that will be mounted as file in /etc/mysql/conf.d/custom.cnf
 ## For more flexible options see extraSecretConfigs: section
-- 
GitLab