Merge "[mariadb] Disable TLS for prometheus mysql exporter"

2025-07-28 06:36:33 +00:00
parent 2c187ac47d 942c7c6827
commit 05dec8ab60
4 changed files with 20 additions and 7 deletions
--- a/mariadb/templates/bin/_prometheus-create-mysql-user.sh.tpl
+++ b/mariadb/templates/bin/_prometheus-create-mysql-user.sh.tpl
@@ -32,8 +32,8 @@ set -e
  if [[ ! -z ${mariadb_version} && -z $(grep -E '10.2|10.3|10.4' <<< ${mariadb_version}) ]]; then
    # In case MariaDB version is 10.2.x-10.4.x - we use old privileges definitions
    if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
-      "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
-      GRANT SLAVE MONITOR, PROCESS, BINLOG MONITOR, SLAVE MONITOR, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
+      "CREATE OR REPLACE USER '${EXPORTER_USER}'@'127.0.0.1' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
+      GRANT SLAVE MONITOR, PROCESS, BINLOG MONITOR, SLAVE MONITOR, SELECT ON *.* TO '${EXPORTER_USER}'@'127.0.0.1'; \
      FLUSH PRIVILEGES;" ; then
      echo "ERROR: Could not create user: ${EXPORTER_USER}"
      exit 1
--- a/mariadb/templates/secrets/_prometheus-exporter_user.cnf.tpl
+++ b/mariadb/templates/secrets/_prometheus-exporter_user.cnf.tpl
@@ -17,8 +17,3 @@ user = {{ .Values.endpoints.oslo_db.auth.exporter.username }}
 password = {{ .Values.endpoints.oslo_db.auth.exporter.password }}
 host = localhost
 port = {{ tuple "oslo_db" "direct" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- if .Values.manifests.certificates }}
-ssl-ca = /etc/mysql/certs/ca.crt
-ssl-key = /etc/mysql/certs/tls.key
-ssl-cert = /etc/mysql/certs/tls.crt
-{{- end }}
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@@ -102,6 +102,7 @@ metadata:
    mariadb-dbadmin-password-hash: {{ tuple "secret-dbadmin-password.yaml" . | include "helm-toolkit.utils.hash" }}
    mariadb-sst-password-hash: {{ tuple "secret-dbadmin-password.yaml" . | include "helm-toolkit.utils.hash" }}
    configmap-bin-exporter-hash: {{ tuple "exporter-configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+    secrets-etc-exporter-hash: {{ tuple "exporter-secrets-etc.yaml" . | include "helm-toolkit.utils.hash" }}
  labels:
 {{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
--- a/releasenotes/notes/mariadb-840fccbf8f0e9d39.yaml
+++ b/releasenotes/notes/mariadb-840fccbf8f0e9d39.yaml
@@ -0,0 +1,17 @@
+---
+# To create a new release note related to a specific chart:
+# reno new <chart_name>
+#
+# To create a new release note for a common change (when multiple charts
+# are changed):
+# reno new common
+mariadb:
+  - |
+    This change disables TLS for the Prometheus MySQL exporter sidecar container in the MariaDB StatefulSet.
+issues:
+  - |
+    mysql-exporter sidecar container has TLS enabled but was missing the CA certificate, which caused the exporter to fail to connect to the database.
+fixes:
+  - |
+    In order to fix this issue, the TLS configuration for the Prometheus MySQL exporter sidecar container has been updated to disable TLS. This allows the exporter to connect to the MariaDB database without requiring a CA certificate.
+...