chore: dynamically generate orc password (#1424)

apecloud · Jan 21, 2025 · 19d658a · 19d658a
1 parent 5236030
commit 19d658a
Show file tree

Hide file tree

Showing 15 changed files with 82 additions and 63 deletions.
diff --git a/addons-cluster/mysql/templates/cluster.yaml b/addons-cluster/mysql/templates/cluster.yaml
@@ -34,6 +34,9 @@ spec:
               component: orchestrator
               service: orchestrator
               port:  {{ .Values.orchestrator.clusterServiceSelector.portName }}
+            credential:
+              component: orchestrator
+              name: orchestrator
         {{- end }}
       {{- end }}
     {{- if hasSuffix "proxysql" .Values.topology }}

diff --git a/addons-cluster/orchestrator/templates/_helpers.tpl b/addons-cluster/orchestrator/templates/_helpers.tpl
diff --git a/addons-cluster/orchestrator/templates/cluster.yaml b/addons-cluster/orchestrator/templates/cluster.yaml
@@ -3,8 +3,6 @@ kind: Cluster
 metadata:
   name: {{ include "kblib.clusterName" . }}
   labels: {{ include "kblib.clusterLabels" . | nindent 4 }}
-  annotations:
-    {{- include "orchestrator-cluster.annotations.extra-envs" . | nindent 4 }}
 spec:
   clusterDef: orchestrator
   topology: {{ .Values.mode }}
@@ -18,13 +16,6 @@ spec:
             port: 80
   componentSpecs:
     - name: orchestrator
-      env:
-        - name: ORC_TOPOLOGY_PASSWORD
-          value: {{ .Values.secret.TOPOLOGY_PASSWORD | default "orchestrator" }}
-        - name: ORC_META_PASSWORD
-          value: {{ .Values.secret.META_PASSWORD | default "orchestrator" }}
-        - name: ORC_META_DATABASE
-          value: {{ .Values.secret.META_DATABASE | default "orchestrator" }}
       {{- include "kblib.componentMonitor" . | indent 6 }}
       replicas: {{ .Values.replicas }}
       {{- include "kblib.componentResources" . | indent 6 }}

diff --git a/addons-cluster/orchestrator/values.yaml b/addons-cluster/orchestrator/values.yaml
@@ -29,14 +29,6 @@ storage: 20
 ## @param mode to deploy orchestrator, choose from {shareend, raft}.
 mode: raft
 
-## @param secret the username and password for orchestrator
-secret:
-  TOPOLOGY_PASSWORD: orchestrator
-  # TOPOLOGY_USER: orchestrator
-  # META_USER: orchestrator
-  META_PASSWORD: orchestrator
-  META_DATABASE: orchestrator
-
 ## @param serviceReference the reference of orchestrator meta service
 serviceReference:
   metadb:

diff --git a/addons/mysql/templates/_helpers.tpl b/addons/mysql/templates/_helpers.tpl
@@ -254,6 +254,16 @@ roles:
     serviceable: true
     writable: false
 vars:
+  - name: ORC_TOPOLOGY_USER
+    valueFrom:
+      serviceRefVarRef:
+        name: orchestrator
+        username: Required
+  - name: ORC_TOPOLOGY_PASSWORD
+    valueFrom:
+      serviceRefVarRef:
+        name: orchestrator
+        password: Required
   - name: CLUSTER_NAME
     valueFrom:
       clusterVarRef:
@@ -441,10 +451,6 @@ env:
     value: "1"
   - name: MYSQL_ROOT_HOST
     value: {{ .Values.auth.rootHost | default "%" | quote }}
-  - name: ORC_TOPOLOGY_USER
-    value: {{ .Values.orchestrator.topology.username }}
-  - name: ORC_TOPOLOGY_PASSWORD
-    value: {{ .Values.orchestrator.topology.password }}
   - name: HA_COMPNENT
     value: orchestrator
   - name: SERVICE_PORT

diff --git a/addons/orchestrator/scripts/init-meta-database.sh b/addons/orchestrator/scripts/init-meta-database.sh
@@ -1,28 +1,25 @@
 #!/bin/sh
-META_MYSQL_USER=${META_MYSQL_USER:-"orchestrator"}
-ORC_META_USER=${ORC_META_USER:-"orchestrator"}
-
 meta_mysql_user="${META_MYSQL_USER}"
 meta_mysql_password="${META_MYSQL_PASSWORD}"
 meta_mysql_host=${META_MYSQL_ENDPOINT%%:*}
 meta_mysql_port=${META_MYSQL_PORT}
 
-meta_user="$ORC_META_USER"
-meta_password="$ORC_META_PASSWORD"
-meta_database="$ORC_META_DATABASE"
+meta_user="${ORC_META_USER:-"orchestrator"}"
+meta_password="${ORC_META_PASSWORD}"
+meta_database="${ORC_META_DATABASE:-"orchestrator"}"
 
 # create orchestrator user in mysql
 init_meta_databases() {
   wait_for_connectivity
 
   echo "Create MySQL User and Grant Permissions..."
   mysql -h $meta_mysql_host -P $meta_mysql_port -u $meta_mysql_user -p$meta_mysql_password << EOF
-CREATE USER IF NOT EXISTS '$ORC_META_USER'@'%' IDENTIFIED BY '$ORC_META_PASSWORD';
+CREATE USER IF NOT EXISTS '$meta_user'@'%' IDENTIFIED BY '$meta_password';
 EOF
 
   mysql -h $meta_mysql_host -P $meta_mysql_port -u $meta_mysql_user -p$meta_mysql_password << EOF
 CREATE DATABASE IF NOT EXISTS $meta_database;
-GRANT ALL PRIVILEGES ON $meta_database.* TO '$ORC_META_USER'@'%';
+GRANT ALL PRIVILEGES ON $meta_database.* TO '$meta_user'@'%';
 EOF
   echo "init meta databases done"
 }

diff --git a/addons/orchestrator/templates/_helpers.tpl b/addons/orchestrator/templates/_helpers.tpl
@@ -116,7 +116,21 @@ description: orchestrator is a MySQL high availability and replication managemen
 serviceKind: orchestrator
 serviceVersion: 3.2.6
 updateStrategy: BestEffortParallel
-
+systemAccounts:
+  - name: meta
+    initAccount: true
+    passwordGenerationPolicy:
+      length: 16
+      numDigits: 8
+      numSymbols: 0
+      letterCase: MixedCases
+  - name: orchestrator
+    initAccount: true
+    passwordGenerationPolicy:
+      length: 16
+      numDigits: 8
+      numSymbols: 0
+      letterCase: MixedCases
 configs:
   - name: orchestrator-config
     templateRef: {{ include "orchestrator.componentDefName" . }}-config

diff --git a/addons/orchestrator/templates/cmpd-raft.yaml b/addons/orchestrator/templates/cmpd-raft.yaml
@@ -18,6 +18,25 @@ spec:
       writable: false
       votable: true
   vars:
+    - name: ORC_META_DATABASE
+      value: orchestrator
+    - name: ORC_META_USER
+      value: orchestrator
+    - name: ORC_META_PASSWORD
+      valueFrom:
+        credentialVarRef:
+          name: meta
+          password: Required
+    - name: ORC_TOPOLOGY_USER
+      valueFrom:
+        credentialVarRef:
+          name: orchestrator
+          username: Required
+    - name: ORC_TOPOLOGY_PASSWORD
+      valueFrom:
+        credentialVarRef:
+          name: orchestrator
+          password: Required
     - name: COMPONENT_NAME
       valueFrom:
         componentVarRef:

diff --git a/addons/orchestrator/templates/cmpd-shareend.yaml b/addons/orchestrator/templates/cmpd-shareend.yaml
@@ -21,6 +21,25 @@ spec:
         - serviceKind: mysql
           serviceVersion: "^*"
   vars:
+    - name: ORC_META_DATABASE
+      value: orchestrator
+    - name: ORC_META_USER
+      value: {{ .Values.auth.metaUser }}
+    - name: ORC_META_PASSWORD
+      valueFrom:
+        credentialVarRef:
+          name: meta
+          password: Required
+    - name: ORC_TOPOLOGY_USER
+      valueFrom:
+        credentialVarRef:
+          name: orchestrator
+          username: Required
+    - name: ORC_TOPOLOGY_PASSWORD
+      valueFrom:
+        credentialVarRef:
+          name: orchestrator
+          password: Required
     - name: COMPONENT_NAME
       valueFrom:
         componentVarRef:

diff --git a/addons/orchestrator/values.yaml b/addons/orchestrator/values.yaml
@@ -11,6 +11,9 @@ image:
 nameOverride: ""
 fullnameOverride: ""
 
+auth:
+  metaUser: orchestrator
+
 ## @param compDefinitionVersionSuffix for all ComponentDefinition resources name created by this chart, that can avoid name conflict
 ## if you install multiple releases of this chart.
 ## If specified, the component definition will use it as name.

diff --git a/examples/mysql/cluster-orc-proxysql.yaml b/examples/mysql/cluster-orc-proxysql.yaml
@@ -65,6 +65,9 @@ spec:
               component: orchestrator
               service: orchestrator
               port:  orc-http
+            credential:
+              component: orchestrator
+              name: orchestrator
     - name: proxysql
       # Specifies the ComponentDefinition custom resource (CR) that defines the
       # Component's characteristics and behavior.

diff --git a/examples/mysql/cluster-orc.yaml b/examples/mysql/cluster-orc.yaml
@@ -34,4 +34,7 @@ spec:
             service:
               component: orchestrator
               service: orchestrator
-              port:  orc-http
+              port:  orc-http
+            credential:
+              component: orchestrator
+              name: orchestrator
diff --git a/examples/mysql/orchestrator.yaml b/examples/mysql/orchestrator.yaml
@@ -16,13 +16,6 @@ spec:
             port: 80
   componentSpecs:
     - name: orchestrator
-      env:
-        - name: ORC_TOPOLOGY_PASSWORD
-          value: orchestrator
-        - name: ORC_META_PASSWORD
-          value: orchestrator
-        - name: ORC_META_DATABASE
-          value: orchestrator
       disableExporter: true
       replicas: 3
       resources:

diff --git a/examples/orchestrator/cluster-raft.yaml b/examples/orchestrator/cluster-raft.yaml
@@ -3,8 +3,6 @@ kind: Cluster
 metadata:
   name: orchestrator-cluster
   namespace: default
-  annotations:
-    "kubeblocks.io/extra-env": '{"ORC_TOPOLOGY_PASSWORD":"orchestrator","ORC_META_PASSWORD":"orchestrator","ORC_META_DATABASE":"orchestrator"}'
 spec:
   # Specifies the behavior when a Cluster is deleted.
   # - `DoNotTerminate`: Prevents deletion of the Cluster. This policy ensures that all resources remain intact.

diff --git a/examples/orchestrator/cluster-shareend.yaml b/examples/orchestrator/cluster-shareend.yaml
@@ -3,8 +3,6 @@ kind: Cluster
 metadata:
   name: orchestrator-cluster
   namespace: default
-  annotations:
-    "kubeblocks.io/extra-env": '{"ORC_TOPOLOGY_PASSWORD":"orchestrator","ORC_META_PASSWORD":"orchestrator","ORC_META_DATABASE":"orchestrator"}'
 spec:
   # Specifies the behavior when a Cluster is deleted.
   # - `DoNotTerminate`: Prevents deletion of the Cluster. This policy ensures that all resources remain intact.
@@ -41,7 +39,7 @@ spec:
           clusterServiceSelector:
             cluster: mysqlo-cluster
             credential:
-              name: kbadmin
+              name: root
               component: mysql
             service:
               service: ""