
Commit

fix: rename --cloud-secret-manager to --admin-user-secret-type (#396)
nakamasato authored Oct 2, 2024
1 parent bffe45b commit 87ff0f3
Showing 10 changed files with 95 additions and 5 deletions.
5 changes: 4 additions & 1 deletion CONTRIBUTING.md
@@ -30,6 +30,9 @@ golangci-lint run ./...
```
make install run
```
if you need to specify args you can run `go run ./cmd/main.go --admin-user-secret-type=k8s --k8s-secret-namespace=default` after `make install`
1. Apply sample resources.
```
kubectl apply -k config/samples
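Review bot: the new sentence `if you need to specify args you can run ...` is inserted between the closing fence and the numbered step `1. Apply sample resources.` with no list marker, no capital and no trailing period, so it renders as a dangling paragraph inside the list; make it a sub-bullet or a complete sentence. It also runs `go run ./cmd/main.go`, while the second hunk in this file keeps `go run main.go`; since the entrypoint changed in this commit is `cmd/main.go`, align both snippets on `./cmd/main.go` so they work from the repository root.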
@@ -233,7 +236,7 @@ docker rm -f $(docker ps | grep mysql | head -1 |awk '{print $1}')
1. Install and run operator
```
make install
PRJECT_ID=$PROJECT_ID go run main.go --cloud-secret-manager gcp
PRJECT_ID=$PROJECT_ID go run main.go --admin-user-secret-type gcp
```
1. Create custom resources
```
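Review bot: the rewritten line still carries the typo `PRJECT_ID=$PROJECT_ID`, so the variable the operator actually reads (the help text in `cmd/main.go` names `PROJECT_ID`) is never exported and the `gcp` path starts without a project id; since this line is being touched anyway, change it to `PROJECT_ID=$PROJECT_ID go run ./cmd/main.go --admin-user-secret-type gcp`.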
40 changes: 40 additions & 0 deletions README.md
@@ -187,6 +187,46 @@ anager.secretAccessor` permission
[Read credentials from GCP SecretManager](docs/usage/gcp-secretmanager.md)
## With k8s Secret Manager
Instead of writing raw password in `MySQL.Spec.AdminPassword`, you can get the password for root user from an external secret manager (e.g. K8s)
1. Create Kubernetes Secret.
```
kubectl create secret generic mysql-user --from-literal=key=root
kubectl create secret generic mysql-password --from-literal=key=password
```
1. Install mysql-operator with `--set adminUserSecretType=k8s --set adminUserSecretNamespace=default`
```
helm repo add nakamasato https://nakamasato.github.io/helm-charts
helm repo update
helm install mysql-operator nakamasato/mysql-operator --set adminUserSecretType=k8s --set adminUserSecretNamespace=default
```
1. You can specify `type: k8s` for `adminUser` and `adminPassword`.
```yaml
apiVersion: mysql.nakamasato.com/v1alpha1
kind: MySQL
metadata:
name: mysql-sample
spec:
host: mysql.default # need to include namespace if you use Kubernetes Service as an endpoint.
adminUser:
name: mysql-user # secret name in SecretManager
type: k8s
adminPassword:
name: mysql-password # secret name in SecretManager
type: k8s
```
Example: (you need to run `kubectl apply -k config/mysql`)
```
kubectl apply -k config/samples-on-k8s-with-k8s-secret
```
## Exposed Metrics
- `mysql_user_created_total`
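Review bot: the comments `# secret name in SecretManager` on `adminUser.name` and `adminPassword.name` are copied from the GCP section and are wrong for `type: k8s`, where the name refers to a Kubernetes Secret in the namespace given by `adminUserSecretNamespace`; say that in the comment, and mention that every example on this page stores the value under the literal key `key` (`--from-literal=key=...`), since a Secret with a different key will not work. The `Example:` line tells the reader to run `kubectl apply -k config/mysql` first, but this commit adds `mysql-secret.yaml` to that kustomization commented out, so the command does not create the Secrets; either enable the resource or point back to the `kubectl create secret` step. Minor: `Instead of writing raw password` should read `Instead of writing the raw password`, and the heading `With k8s Secret Manager` would be clearer as `With Kubernetes Secrets`, since no secret manager is involved in this mode.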
6 changes: 3 additions & 3 deletions cmd/main.go
@@ -67,9 +67,9 @@ func main() {
flag.BoolVar(&enableLeaderElection, "leader-elect", false,
"Enable leader election for controller manager. "+
"Enabling this will ensure there is only one active controller manager.")
flag.StringVar(&adminUserSecretType, "cloud-secret-manager", "",
"The cloud secret manager to get credentials from. "+
"Currently, only support gcp")
flag.StringVar(&adminUserSecretType, "admin-user-secret-type", "",
"The secret manager to get credentials from. "+
"Currently, support raw, gcp, and k8s. ")
flag.StringVar(&projectId, "gcp-project-id", "",
"GCP project id. Set this value to use adminUserSecretType=gcp. "+
"Also can be set by environment variable PROJECT_ID."+
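Review bot: renaming the flag from `cloud-secret-manager` to `admin-user-secret-type` with no alias is a breaking change for every deployment that still passes `--cloud-secret-manager=gcp` in its container args (the `flag` package rejects unknown flags, so the manager exits at startup); consider registering the old name as a deprecated alias bound to the same `adminUserSecretType` variable for one release, or at least call the break out in the commit message and chart release notes. The new help string `"Currently, support raw, gcp, and k8s. "` has a stray trailing space and reads awkwardly; something like `"Supported values: raw, gcp, k8s (default raw)."` also makes explicit what the empty default `""` means, if that is the intent.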
2 changes: 1 addition & 1 deletion config/default/manager_gcp_sa_secret_patch.yaml
@@ -32,7 +32,7 @@ spec:
memory: 64Mi
- name: manager
args:
- "--cloud-secret-manager=gcp"
- "--admin-user-secret-type=gcp"
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:8080"
- "--leader-elect"
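Review bot: the arg change here is consistent with the rename, but this is only one of the places the old flag is referenced: the README links `docs/usage/gcp-secretmanager.md`, and that file is not among the 10 changed files, so it likely still shows `--cloud-secret-manager gcp`; grep the repository and the Helm chart for the old name before merging so users following the docs do not hit the startup failure.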
1 change: 1 addition & 0 deletions config/mysql/kustomization.yaml
@@ -3,3 +3,4 @@ resources:
- mysql-deployment.yaml
- mysql-service.yaml
- mysql-service-nodeport.yaml
# - mysql-secret.yaml
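Review bot: adding `# - mysql-secret.yaml` commented out means `kubectl apply -k config/mysql` will not create the `mysql-user` and `mysql-password` Secrets that the README's k8s example says it does, and a commented-out resource is never exercised so it will drift; either list the resource (the values are only local dev defaults) or leave the file out and keep the `kubectl create secret` commands as the single documented path.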
15 changes: 15 additions & 0 deletions config/mysql/mysql-secret.yaml
@@ -0,0 +1,15 @@
apiVersion: v1
data:
key: cm9vdA==
kind: Secret
metadata:
name: mysql-user
type: Opaque
---
apiVersion: v1
data:
key: cGFzc3dvcmQ=
kind: Secret
metadata:
name: mysql-password
type: Opaque
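Review bot: neither Secret sets `metadata.namespace`, while the operator is configured elsewhere in this commit to look only in `default` (`--k8s-secret-namespace=default`, `adminUserSecretNamespace=default`); applying this file with a kubectl context pointing at another namespace silently puts the Secrets where the operator cannot find them, so add `namespace: default` explicitly. For a sample manifest, `stringData` with `key: root` and `key: password` is clearer than the base64 `data` values (`cm9vdA==` and `cGFzc3dvcmQ=` decode to exactly those strings) and makes it obvious these are placeholder dev credentials to replace.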
6 changes: 6 additions & 0 deletions config/samples-on-k8s-with-k8s-secret/kustomization.yaml
@@ -0,0 +1,6 @@
## Append samples you want in your CSV to this file as resources ##
resources:
- mysql_v1alpha1_mysqluser.yaml
- mysql_v1alpha1_mysql.yaml
- mysql_v1alpha1_mysqldb.yaml
#+kubebuilder:scaffold:manifestskustomizesamples
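Review bot: the `## Append samples you want in your CSV to this file as resources ##` comment and the `#+kubebuilder:scaffold:manifestskustomizesamples` marker are kubebuilder scaffold residue copied from `config/samples`; in a hand-written sample directory they are misleading, so drop them and keep only the `resources:` list.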
12 changes: 12 additions & 0 deletions config/samples-on-k8s-with-k8s-secret/mysql_v1alpha1_mysql.yaml
@@ -0,0 +1,12 @@
apiVersion: mysql.nakamasato.com/v1alpha1
kind: MySQL
metadata:
name: mysql-sample
spec:
host: "mysql.default"
adminUser:
name: mysql-user
type: k8s
adminPassword: # stored in GCP SecretMamanger
name: mysql-password
type: k8s
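Review bot: the comment `# stored in GCP SecretMamanger` on `adminPassword` contradicts the `type: k8s` directly below it and misspells SecretManager; change it to something like `# Kubernetes Secret in the namespace given by --k8s-secret-namespace`, or drop it, since `adminUser` above carries no comment.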
@@ -0,0 +1,7 @@
apiVersion: mysql.nakamasato.com/v1alpha1
kind: MySQLDB
metadata:
name: sample-db # this is not a name for MySQL database but just a Kubernetes object name
spec:
dbName: sample_db # this is MySQL database name
mysqlName: mysql-sample
@@ -0,0 +1,6 @@
apiVersion: mysql.nakamasato.com/v1alpha1
kind: MySQLUser
metadata:
name: sample-user
spec:
mysqlName: mysql-sample
