feat:(*): Support TLS for mysql server and client.

1. Add a new CR variables tlsSecretName to support TLS.
2. Add there new auto configed mysql variables to support TLS.

Author: zhl003

.gitignore

@@ -26,4 +26,8 @@ bin/
 
 # e2e logs
 test/e2e/logs_*
+# vscode local
+.devcontainer
 
+#vs debug files
+__debug_*

api/v1alpha1/mysqlcluster_types.go

@@ -85,6 +85,9 @@ type MysqlClusterSpec struct {
 	// Represents NFS ip address where cluster restore from.
 	// +optional
 	NFSServerAddress string `json:"nfsServerAddress,omitempty"`
+	//containing CA (ca.pem) and optional CRL (crl.pem) ,server certificate and private key for SSL
+	//+optional
+	TlsSecretName string `json:"tlsSecretName,omitempty"`
 }
 
 // MysqlOpts defines the options of MySQL container.

charts/mysql-operator/values.yaml

@@ -21,7 +21,7 @@ tolerationSeconds: 30
 
 manager:
   image: radondb/mysql-operator
-  tag: v2.2.0
+  tag: v2.2.0-beta.1
   enabledWebhooks: true
   resources: {}
     # We usually recommend not to specify default resources and to leave this as a conscious

config/crd/bases/mysql.radondb.com_mysqlclusters.yaml

@@ -1256,6 +1256,10 @@ spec:
                 description: Represents the name of the cluster restore from backup
                   path.
                 type: string
+              tlsSecretName:
+                description: containing CA (ca.pem) and optional CRL (crl.pem) ,server
+                  certificate and private key for SSL
+                type: string
               xenonOpts:
                 default:
                   admitDefeatHearbeatCount: 5

mysqlcluster/container/init_sidecar.go

@@ -200,7 +200,17 @@ func (c *initSidecar) getVolumeMounts() []corev1.VolumeMount {
 			MountPath: utils.SysLocalTimeZoneMountPath,
 		},
 	}
-
+	if c.Spec.TlsSecretName != "" {
+		volumeMounts = append(volumeMounts,
+			corev1.VolumeMount{
+				Name:      utils.TlsVolumeName + "-sidecar",
+				MountPath: "/tmp/mysql-ssl",
+			}, corev1.VolumeMount{
+				Name:      utils.TlsVolumeName,
+				MountPath: utils.TlsMountPath,
+			},
+		)
+	}
 	if c.Spec.MysqlOpts.InitTokuDB {
 		volumeMounts = append(volumeMounts,
 			corev1.VolumeMount{

mysqlcluster/container/mysql.go

@@ -133,7 +133,7 @@ func (c *mysql) getReadinessProbe() *corev1.Probe {
 
 // getVolumeMounts get the container volumeMounts.
 func (c *mysql) getVolumeMounts() []corev1.VolumeMount {
-	return []corev1.VolumeMount{
+	volumeMounts := []corev1.VolumeMount{
 		{
 			Name:      utils.MysqlConfVolumeName,
 			MountPath: utils.MysqlConfVolumeMountPath,
@@ -151,4 +151,13 @@ func (c *mysql) getVolumeMounts() []corev1.VolumeMount {
 			MountPath: utils.SysLocalTimeZoneMountPath,
 		},
 	}
+	if c.Spec.TlsSecretName != "" {
+		volumeMounts = append(volumeMounts,
+			corev1.VolumeMount{
+				Name:      utils.TlsVolumeName,
+				MountPath: utils.TlsMountPath,
+			},
+		)
+	}
+	return volumeMounts
 }

mysqlcluster/mysqlcluster.go

@@ -270,6 +270,22 @@ func (c *MysqlCluster) EnsureVolumes() []corev1.Volume {
 			},
 		})
 	}
+	// add the ssl secret mounts
+	if len(c.Spec.TlsSecretName) != 0 {
+		volumes = append(volumes, corev1.Volume{
+			Name: utils.TlsVolumeName + "-sidecar",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: c.Spec.TlsSecretName,
+				},
+			},
+		}, corev1.Volume{
+			Name: utils.TlsVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		})
+	}
 	return volumes
 }
 

mysqlcluster/syncer/mysql_cm.go

@@ -92,7 +92,9 @@ func buildMysqlConf(c *mysqlcluster.MysqlCluster) (string, error) {
 			log.Error(err, "failed to add boolean key to config section", "key", key)
 		}
 	}
-
+	if len(c.Spec.TlsSecretName) != 0 {
+		addKVConfigsToSection(sec, mysqlSSLConfigs)
+	}
 	data, err := writeConfigs(cfg)
 	if err != nil {
 		return "", err

mysqlcluster/syncer/mysql_configs.go

@@ -152,3 +152,10 @@ var mysqlBooleanConfigs = []string{
 	"log-slave-updates",
 	"!includedir /etc/mysql/conf.d",
 }
+
+//mysqlSSLConfigs is the ist of the mysql ssl configs.
+var mysqlSSLConfigs = map[string]string{
+	"ssl_ca":   "/etc/mysql-ssl/ca.crt",
+	"ssl_cert": "/etc/mysql-ssl/tls.crt",
+	"ssl_key":  "/etc/mysql-ssl/tls.key",
+}

sidecar/init.go

@@ -140,7 +140,10 @@ func runInitCommand(cfg *Config) error {
 	if err = copyFile(path.Join(mysqlCMPath, "my.cnf"), path.Join(mysqlConfigPath, "my.cnf")); err != nil {
 		return fmt.Errorf("failed to copy my.cnf: %s", err)
 	}
-
+	//ssl settins
+	if exists, _ := checkIfPathExists(utils.TlsMountPath); exists {
+		buildSSLdata(uid, gid)
+	}
 	buildDefaultXenonMeta(uid, gid)
 
 	// build client.conf.
@@ -163,7 +166,6 @@ func runInitCommand(cfg *Config) error {
 	if err = os.Chown(extraConfPath, uid, gid); err != nil {
 		return fmt.Errorf("failed to chown %s: %s", dataPath, err)
 	}
-
 	// Run reset master in init-mysql container.
 	if err = ioutil.WriteFile(initFilePath+"/reset.sql", []byte("reset master;"), 0644); err != nil {
 		return fmt.Errorf("failed to write reset.sql: %s", err)
@@ -315,3 +317,18 @@ func buildDefaultXenonMeta(uid, gid int) error {
 	}
 	return nil
 }
+func buildSSLdata(uid, gid int) error {
+	// cp -rp /tmp/myssl/* /etc/mysql/ssl/
+	//refer https://stackoverflow.com/questions/31467153/golang-failed-exec-command-that-works-in-terminal
+	shellCmd := "cp  /tmp/mysql-ssl/* " + utils.TlsMountPath
+	cmd := exec.Command("sh", "-c", shellCmd)
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to copy ssl: %s", err)
+	}
+	cronCmd := "chown -R mysql.mysql " + utils.TlsMountPath
+	cmd = exec.Command("sh", "-c", cronCmd)
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to copy ssl: %s", err)
+	}
+	return nil
+}