[stable/mysql] Update mysql user passwords on secrets change #3591
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
/assign @scottrigby |
|
/assign |
|
Please resolve the merge conflicts |
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
/retest |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: komljen, rjkernick Assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Thanks @komljen I was looking for this exact feature. |
|
@viglesiasce Do we really want to do this? We have this problem with all charts that auto-generate passwords. IMHO you should always set a password explicitly for purposes other then simple testing. Alternatively, there's the /hold |
k8s-ci-robot
added
the
do-not-merge/hold
I agree on this one, but when I tried this chart for the first time I got confused why my apps started to fail after I did the upgrade of umbrella chart where mysql was a dependency. I think that Jenkins chart is changing the password on upgrade if not set also. |
|
@unguiculus is I have tested it like this: which shows that passwords are re-randomized between both deploys. It would make sense since when the password is not set, the randAlphNum doesn't save its output to values no? |
|
Another approach would be to do the secret creation only on first install using the release number as a gate for example: |
|
Good point, but if we specify our own password and then we want to change it, we could just use |
This has been on my mind for various charts - as well as those charts which depend on the ones auto-generating passwords. It would be good to agree on an approach across charts that have this problem. Can we address this at our next charts meeting? I have created #5167 to track this, as well as references a number of related issues/PRs/docs there. |
| @@ -1,5 +1,5 @@ | |||
| name: mysql | |||
| version: 0.3.7 | |||
| version: 0.3.8 | |||
There was a problem hiding this comment.
Perhaps this justifies a "minor" rather than a "patch" version bump?
There was a problem hiding this comment.
Yeah, this should be minor.
|
Created existingSecret option as an alternative solution - #5783 |
|
This pull request solves the problem of updating the password with helm upgrade command. It doesn't matter if the password is auto-generated or set by the user. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions. |
stale
bot
added
the
lifecycle/stale
mattfarina
added
the
Contribution Allowed
stale
bot
removed
the
lifecycle/stale
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions. |
stale
bot
added
the
lifecycle/stale
|
This issue is being automatically closed due to inactivity. |
|
What prevented this from being merged? |
|
Bumping up @benlangfeld question, that would be really nice to have feature in a chart |
|
Just in case someone has same issue, it is possible to make exact this thing using extraContainers, extraVolumeMounts etc. below example how to parametrize a chart in values.yaml: initializationFiles:
mysql-init: |-
UPDATE mysql.user SET authentication_string = PASSWORD('MYSQL_ROOT_PASSWORD')
WHERE User = 'root' AND Host = '%';
UPDATE mysql.user SET authentication_string = PASSWORD('MYSQL_PASSWORD')
WHERE User = 'MYSQL_USER' AND Host = '%';
FLUSH PRIVILEGES;
extraInitContainers: |
- name: "update-mysql-init"
image: "busybox:1.25.0"
imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
command: [
"sh",
"-ce",
"cp /docker-entrypoint-initdb.d/mysql-init /tmp/files/mysql-init &&
sed -i \"s/MYSQL_ROOT_PASSWORD/$MYSQL_ROOT_PASSWORD/g\" /tmp/files/mysql-init &&
sed -i \"s/MYSQL_PASSWORD/$MYSQL_PASSWORD/g\" /tmp/files/mysql-init &&
sed -i \"s/MYSQL_USER/$MYSQL_USER/g\" /tmp/files/mysql-init" ]
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "mysql.fullname" . }}
key: mysql-root-password
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "mysql.fullname" . }}
key: mysql-password
volumeMounts:
- name: migrations
mountPath: /docker-entrypoint-initdb.d
- name: tmp-files
mountPath: /tmp/files
extraVolumes: |
- name: tmp-files
emptyDir: {}
extraVolumeMounts: |
- name: tmp-files
mountPath: /tmp/files``` |
|
@Tarjei400 's solution did not work for me, perhaps because I was using a persistent volume.
|
If you don't specify MySQL root and other users passwords they are auto-generated. However, if you run the Helm upgrade the new auto-generated secrets will become invalid. With this fix, it will be possible to change user-specified password also on Helm upgrade.