apecloud · leon-inf · Nov 28, 2024
@@ -24,13 +24,10 @@ enable_display_sql_execution_vttablets=false
 enable_read_write_split_for_read_only_txn=false
 enable_interception_for_dml_without_where=true
 
-{{- if $.component.tlsConfig }}
-{{- $ca_file := getCAFile }}
-{{- $cert_file := getCertFile }}
-{{- $key_file := getKeyFile }}
-mysql_server_ssl_ca={{ $ca_file }}
-mysql_server_ssl_cert={{ $cert_file }}
-mysql_server_ssl_key={{ $key_file }}
+{{- if eq $.TLS_ENABLED "true" }}
+mysql_server_ssl_ca=/etc/pki/tls/ca.pem
+mysql_server_ssl_cert=/etc/pki/tls/cert.pem
+mysql_server_ssl_key=/etc/pki/tls/key.pem
 # tls
 {{- else }}
 mysql_server_ssl_ca=

@@ -195,15 +195,12 @@ relay_log_index=relay-bin.index
 pid_file=/var/run/mysqld/mysqld.pid
 socket=/var/run/mysqld/mysqld.sock
 
-{{- if $.component.tlsConfig }}
-{{- $ca_file := getCAFile }}
-{{- $cert_file := getCertFile }}
-{{- $key_file := getKeyFile }}
+{{- if eq $.TLS_ENABLED "true" }}
 # tls
 # require_secure_transport=ON
-ssl_ca={{ $ca_file }}
-ssl_cert={{ $cert_file }}
-ssl_key={{ $key_file }}
+ssl_ca=/etc/pki/tls/ca.pem
+ssl_cert=/etc/pki/tls/cert.pem
+ssl_key=/etc/pki/tls/key.pem
 {{- end }}
 
 ## smartengine base config
@@ -264,4 +261,4 @@ skip_name_resolve=ON
 
 [client]
 port={{ $mysql_port }}
-socket=/var/run/mysqld/mysqld.sock
+socket=/var/run/mysqld/mysqld.sock
@@ -36,7 +36,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Common annotations
 */}}
 {{- define "apecloud-mysql.annotations" -}}
-helm.sh/resource-policy: keep              
+helm.sh/resource-policy: keep
 {{- end }}
 
 {{/*
@@ -117,6 +117,12 @@ systemAccounts:
   - name: kbreplicator
     statement: CREATE USER ${KB_ACCOUNT_NAME} IDENTIFIED BY '${KB_ACCOUNT_PASSWORD}'; GRANT REPLICATION SLAVE ON ${ALL_DB} TO ${KB_ACCOUNT_NAME} WITH GRANT OPTION;
     passwordGenerationPolicy: *defaultPasswordGenerationPolicy
+tls:
+  volumeName: tls
+  mountPath: /etc/pki/tls
+  caFile: ca.pem
+  certFile: cert.pem
+  keyFile: key.pem
 roles:
   - name: leader
     serviceable: true
@@ -298,6 +304,10 @@ vars:
           option: Optional
   - name: SYNCER_HTTP_PORT
     value: "3601"
+  - name: TLS_ENABLED
+    valueFrom:
+      tlsVarRef:
+        enabled: Required
 {{- end -}}
 
 {{- define "apecloud-mysql.spec.runtime.mysql" -}}

@@ -118,3 +118,13 @@ spec:
           port: 
             name: client
             option: Optional
+    - name: TLS_ENABLED
+      valueFrom:
+        tlsVarRef:
+          enabled: Required
+  tls:
+    volumeName: tls
+    mountPath: /etc/pki/tls
+    caFile: ca.pem
+    certFile: cert.pem
+    keyFile: key.pem
@@ -215,14 +215,11 @@ session_replication_role = 'origin'
 sql_firewall.firewall = 'disable'
 shared_buffers = '{{ printf "%d%s" $shared_buffers $buffer_unit }}'
 # shared_preload_libraries = 'pg_stat_statements,auto_explain,bg_mon,pgextwlist,pg_auth_mon,set_user,pg_cron,pg_stat_kcache'
-{{- if $.component.tlsConfig }}
-{{- $ca_file := getCAFile }}
-{{- $cert_file := getCertFile }}
-{{- $key_file := getKeyFile }}
+{{- if eq $.TLS_ENABLED "true" }}
 ssl = 'True'
-ssl_ca_file = '{{ $ca_file }}'
-ssl_cert_file = '{{ $cert_file }}'
-ssl_key_file = '{{ $key_file }}'
+ssl_ca_file = '/etc/pki/tls/ca.pem'
+ssl_cert_file = '/etc/pki/tls/cert.pem'
+ssl_key_file = '/etc/pki/tls/key.pem'
 {{- end }}
 ssl_min_protocol_version = 'TLSv1'
 standard_conforming_strings = 'True'

@@ -180,7 +180,10 @@ vars:
     valueFrom:
       clusterVarRef:
         namespace: Required
-
+  - name: TLS_ENABLED
+    valueFrom:
+      tlsVarRef:
+        enabled: Required
 systemAccounts:
   - name: postgres
     initAccount: true
@@ -196,6 +199,12 @@ systemAccounts:
       numDigits: 5
       numSymbols: 0
     statement: CREATE USER ${KB_ACCOUNT_NAME} SUPERUSER PASSWORD '${KB_ACCOUNT_PASSWORD}';
+tls:
+  volumeName: tls 
+  mountPath: /etc/pki/tls
+  caFile: ca.pem
+  certFile: cert.pem
+  keyFile: key.pem
 lifecycleActions:
   roleProbe:
     periodSeconds: 1
@@ -335,4 +344,4 @@ runtime:
     - emptyDir:
         medium: Memory
       name: dshm
-{{- end -}}
+{{- end -}}
@@ -2,7 +2,7 @@
 {{- $namespace := $.cluster.metadata.namespace }}
 <clickhouse>
   <listen_host>0.0.0.0</listen_host>
-  {{- if $.component.tlsConfig }}
+  {{- if eq $.TLS_ENABLED "true" }}
   <https_port replace="replace" from_env="CLICKHOUSE_HTTPS_PORT"/>
   <tcp_port_secure replace="replace" from_env="CLICKHOUSE_TCP_SECURE_PORT"/>
   <interserver_https_port replace="replace" from_env="CLICKHOUSE_INTERSERVER_HTTPS_PORT"/>
@@ -31,7 +31,7 @@
         {{- range $_, $host := splitList "," .CLICKHOUSE_POD_FQDN_LIST }}
         <replica>
           <host>{{ $host }}</host>
-          {{- if $.component.tlsConfig }}
+          {{- if eq $.TLS_ENABLED "true" }}
           <port replace="replace" from_env="CLICKHOUSE_TCP_SECURE_PORT"/>
           <secure>1</secure>
           {{- else }}
@@ -48,7 +48,7 @@
     {{- range $_, $host := splitList "," .CH_KEEPER_POD_FQDN_LIST }}
     <node>
       <host>{{ $host }}</host>
-      {{- if $.component.tlsConfig }}
+      {{- if eq $.TLS_ENABLED "true" }}
       <port replace="replace" from_env="CLICKHOUSE_KEEPER_TCP_TLS_PORT"/>
       <secure>1</secure>
       {{- else }}
@@ -67,10 +67,10 @@
     <asynchronous_metrics>true</asynchronous_metrics>
   </prometheus>
   <!-- tls configuration -->
-  {{- if $.component.tlsConfig -}}
-  {{- $CA_FILE := getCAFile -}}
-  {{- $CERT_FILE := getCertFile -}}
-  {{- $KEY_FILE := getKeyFile }}
+  {{- if eq $.TLS_ENABLED "true" -}}
+  {{- $CA_FILE := /etc/pki/tls/ca.pem -}}
+  {{- $CERT_FILE := /etc/pki/tls/cert.pem -}}
+  {{- $KEY_FILE := /etc/pki/tls/key.pem }}
   <protocols>
     <prometheus_protocol>
       <type>prometheus</type>

@@ -2,7 +2,7 @@
 {{- $namespace := $.cluster.metadata.namespace }}
 <clickhouse>
   <listen_host>0.0.0.0</listen_host>
-  {{- if $.component.tlsConfig }}
+  {{- if eq $.TLS_ENABLED "true" }}
   <https_port replace="replace" from_env="CLICKHOUSE_HTTPS_PORT"/>
   <tcp_port_secure replace="replace" from_env="CLICKHOUSE_TCP_SECURE_PORT"/>
   <interserver_https_port replace="replace" from_env="CLICKHOUSE_INTERSERVER_HTTPS_PORT"/>
@@ -15,7 +15,7 @@
   <interserver_http_port replace="replace" from_env="CLICKHOUSE_INTERSERVER_HTTP_PORT"/>
   {{- end }}
   <keeper_server>
-      {{- if $.component.tlsConfig }}
+      {{- if eq $.TLS_ENABLED "true" }}
       <tcp_port_secure replace="replace" from_env="CLICKHOUSE_KEEPER_TCP_TLS_PORT"/>
       <secure>1</secure>
       {{- else }}
@@ -30,14 +30,14 @@
           <raft_logs_level>warning</raft_logs_level>
       </coordination_settings>
       <raft_configuration>
-      {{- if $.component.tlsConfig }}
+      {{- if eq $.TLS_ENABLED "true" }}
       <secure>true</secure>
       {{- end }}
       {{- range $id, $host := splitList "," .CH_KEEPER_POD_FQDN_LIST }}
         <server>
           <id>{{ $id }}</id>
           <hostname>{{ $host }}</hostname>
-          {{- if $.component.tlsConfig }}
+          {{- if eq $.TLS_ENABLED "true" }}
           <port replace="replace" from_env="CLICKHOUSE_KEEPER_RAFT_TLS_PORT"/>
           {{- else }}
           <port replace="replace" from_env="CLICKHOUSE_KEEPER_RAFT_PORT"/>
@@ -55,10 +55,10 @@
     <asynchronous_metrics>true</asynchronous_metrics>
   </prometheus>
   <!-- tls configuration -->
-  {{- if $.component.tlsConfig -}}
-  {{- $CA_FILE := getCAFile -}}
-  {{- $CERT_FILE := getCertFile -}}
-  {{- $KEY_FILE := getKeyFile -}}
+  {{- if eq $.TLS_ENABLED "true" -}}
+  {{- $CA_FILE := /etc/pki/tls/ca.pem -}}
+  {{- $CERT_FILE := /etc/pki/tls/cert.pem -}}
+  {{- $KEY_FILE := /etc/pki/tls/key.pem -}}
   <protocols>
     <prometheus_protocol>
       <type>prometheus</type>
@@ -109,4 +109,4 @@
     <verbose_logs>false</verbose_logs>
   </grpc>
   {{- end }}
-</clickhouse>
+</clickhouse>
@@ -1,15 +1,15 @@
 <config>
   <user>admin</user>
   <password from_env="CLICKHOUSE_ADMIN_PASSWORD"/>
-  {{- if $.component.tlsConfig -}}
-  {{- $CA_FILE := getCAFile -}}
-  {{- $CERT_FILE := getCertFile -}}
-  {{- $KEY_FILE := getKeyFile }}
+  {{- if eq $.TLS_ENABLED "true" -}}
+  {{- $CA_FILE := /etc/pki/tls/ca.pem -}}
+  {{- $CERT_FILE := /etc/pki/tls/cert.pem -}}
+  {{- $KEY_FILE := /etc/pki/tls/key.pem }}
   <secure>true</secure>
   <openSSL>
     <client>
       <caConfig>{{$CA_FILE}}</caConfig>
     </client>
   </openSSL>
   {{- end }}
-</config>
+</config>
@@ -151,7 +151,17 @@ spec:
         componentVarRef:
           optional: false
           podFQDNs: Required
+    - name: TLS_ENABLED
+      valueFrom:
+        tlsVarRef:
+          enabled: Required
   updateStrategy: Serial
   podManagementPolicy: Parallel
   volumes:
-    - name: data
+    - name: data
+  tls:
+    volumeName: tls 
+    mountPath: /etc/pki/tls
+    caFile: ca.pem
+    certFile: cert.pem
+    keyFile: key.pem
@@ -135,6 +135,10 @@ spec:
           compDef: {{ include "clickhouse-keeper24.cmpdRegexpPattern" . }}
           optional: true
           podFQDNs: Required
+    - name: TLS_ENABLED
+      valueFrom:
+        tlsVarRef:
+          enabled: Required
   volumes:
     - name: data
   services:
@@ -167,4 +171,10 @@ spec:
             port: 9010
           - name: tcp-secure
             targetPort: tcp-secure
-            port: 9440
+            port: 9440
+  tls:
+    volumeName: tls 
+    mountPath: /etc/pki/tls
+    caFile: ca.pem
+    certFile: cert.pem
+    keyFile: key.pem
@@ -3,10 +3,10 @@
 
 {{- $peer_protocol := "http" }}
 {{- $client_protocol := "http" }}
-{{- if and $.component.tlsConfig (eq .PEER_TLS "true") }}
+{{- if and (eq $.TLS_ENABLED "true") (eq .PEER_TLS "true") }}
   {{- $peer_protocol = "https" }}
 {{- end }}
-{{- if and $.component.tlsConfig (eq .CLIENT_TLS "true") }}
+{{- if and (eq $.TLS_ENABLED "true") (eq .CLIENT_TLS "true") }}
   {{- $client_protocol = "https" }}
 {{- end }}
 
@@ -69,7 +69,7 @@ discovery-srv:
 
 {{- define "init_peers" }}
   {{- $peer_protocol := "http" }}
-  {{- if and $.component.tlsConfig (eq .PEER_TLS "true") }}
+  {{- if and (eq $.TLS_ENABLED "true") (eq .PEER_TLS "true") }}
     {{- $peer_protocol = "https" }}
   {{- end }}
   {{- if (index . "PEER_ENDPOINT") }}
@@ -128,40 +128,37 @@ proxy-write-timeout: 5000
 # Time (in milliseconds) for a read to timeout.
 proxy-read-timeout: 0
 
-{{ if $.component.tlsConfig -}}
-{{- $ca := getCAFile }}
-{{- $cert := getCertFile }}
-{{- $key := getKeyFile }}
+{{ if eq $.TLS_ENABLED "true" -}}
 {{- if eq $client_protocol "https" }}
 client-transport-security:
   # Path to the client server TLS cert file.
-  cert-file: {{ $cert }}
+  cert-file: {{ .Values.tlsMountPath }}/cert.pem
 
   # Path to the client server TLS key file.
-  key-file: {{ $key }}
+  key-file: {{ .Values.tlsMountPath }}/key.pem
 
   # Enable client cert authentication.
   client-cert-auth: true
 
   # Path to the client server TLS trusted CA cert file.
-  trusted-ca-file: {{ $ca }}
+  trusted-ca-file: {{ .Values.tlsMountPath }}/ca.pem
 
   # Client TLS using generated certificates
   auto-tls: false
 {{- end }}
 {{ if eq $peer_protocol "https" }}
 peer-transport-security:
   # Path to the peer server TLS cert file.
-  cert-file: {{ $cert }}
+  cert-file: {{ .Values.tlsMountPath }}/cert.pem
 
   # Path to the peer server TLS key file.
-  key-file: {{ $key }}
+  key-file: {{ .Values.tlsMountPath }}/key.pem
 
   # Enable peer client cert authentication.
   client-cert-auth: true
 
   # Path to the peer server TLS trusted CA cert file.
-  trusted-ca-file: {{ $ca }}
+  trusted-ca-file: {{ .Values.tlsMountPath }}/ca.pem
 
   # Peer TLS using generated certificates.
   auto-tls: false
@@ -202,4 +199,4 @@ tls-min-version: 'TLS1.2'
 tls-max-version: 'TLS1.3'
 
 # Enable to check data corruption before serving any client/peer traffic.
-experimental-initial-corrupt-check: true
+experimental-initial-corrupt-check: true