[bitnami/mysql] feat: ✨ Add TLS support (#30640)

* [bitnami/mysql] feat: ✨ Add TLS support Signed-off-by: Javier J. Salmerón García <[email protected]> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <[email protected]> * fix: 🐛 Apply requested changes Signed-off-by: Javier J. Salmerón García <[email protected]> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <[email protected]> --------- Signed-off-by: Javier J. Salmerón García <[email protected]> Signed-off-by: Bitnami Containers <[email protected]> Co-authored-by: Bitnami Containers <[email protected]>
bitnami · Nov 27, 2024 · 151c51c · 151c51c
1 parent 6278bcc
commit 151c51c
Show file tree

Hide file tree

Showing 10 changed files with 305 additions and 6 deletions.
diff --git a/bitnami/mysql/CHANGELOG.md b/bitnami/mysql/CHANGELOG.md
@@ -1,8 +1,12 @@
 # Changelog
 
-## 12.0.1 (2024-11-25)
+## 12.1.0 (2024-11-27)
 
-* [bitnami/mysql] Release 12.0.1 ([#30614](https://github.com/bitnami/charts/pull/30614))
+* [bitnami/mysql] feat: :sparkles: Add TLS support ([#30640](https://github.com/bitnami/charts/pull/30640))
+
+## <small>12.0.1 (2024-11-25)</small>
+
+* [bitnami/mysql] Release 12.0.1 (#30614) ([cb712f4](https://github.com/bitnami/charts/commit/cb712f4fa72499975e813673edc0fa76927bbfd2)), closes [#30614](https://github.com/bitnami/charts/issues/30614)
 
 ## 12.0.0 (2024-11-12)
 

diff --git a/bitnami/mysql/Chart.yaml b/bitnami/mysql/Chart.yaml
@@ -34,4 +34,4 @@ maintainers:
 name: mysql
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/mysql
-version: 12.0.1
+version: 12.1.0
diff --git a/bitnami/mysql/README.md b/bitnami/mysql/README.md
@@ -112,11 +112,26 @@ initContainers:
         containerPort: 1234
 ```
 
+### TLS
+
+This chart supports encrypting communications using TLS. To enable this feature, set the `tls.enabled`.
+
+It is necessary to create a secret containing the TLS certificates and pass it to the chart via the `tls.existingSecret` parameter. Every secret should contain a `tls.crt` and `tls.key` keys including the certificate and key files respectively and, optionally, a `ca.crt` key including the CA certificate. For example: create the secret with the certificates files:
+
+```console
+kubectl create secret generic tls-secret --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt
+```
+
+You can manually create the required TLS certificates or relying on the chart auto-generation capabilities. The chart supports two different ways to auto-generate the required certificates:
+
+- Using Helm capabilities. Enable this feature by setting `tls.autoGenerated.enabled` to `true` and `tls.autoGenerated.engine` to `helm`.
+- Relying on CertManager (please note it's required to have CertManager installed in your K8s cluster). Enable this feature by setting `tls.autoGenerated.enabled` to `true` and `tls.autoGenerated.engine` to `cert-manager`. Please note it's supported to use an existing Issuer/ClusterIssuer for issuing the TLS certificates by setting the `tls.autoGenerated.certManager.existingIssuer` and `tls.autoGenerated.certManager.existingIssuerKind` parameters.
+
 ### Update credentials
 
 Bitnami charts, with its default settings, configure credentials at first boot. Any further change in the secrets or credentials can be done using one of the following methods:
 
-### Manual update of the passwords and secrets
+#### Manual update of the passwords and secrets
 
 - Update the user password following [the upstream documentation](https://dev.mysql.com/doc/refman/8.4/en/set-password.html)
 - Update the password secret with the new values (replace the SECRET_NAME, PASSWORD and ROOT_PASSWORD placeholders)
@@ -125,14 +140,14 @@ Bitnami charts, with its default settings, configure credentials at first boot.
 kubectl create secret generic SECRET_NAME --from-literal=password=PASSWORD --from-literal=root-password=ROOT_PASSWORD --dry-run -o yaml | kubectl apply -f -
 ```
 
-### Automated update using a password update job
+#### Automated update using a password update job
 
 The Bitnami MySQL provides a password update job that will automatically change the MySQL passwords when running helm upgrade. To enable the job set `passwordUpdateJob.enabled=true`. This job requires:
 
 - The new passwords: this is configured using either `auth.rootPassword`, `auth.password` and `auth.replicationPassword` (if applicable) or setting `auth.existingSecret`.
 - The previous passwords: This value is taken automatically from already deployed secret object. If you are using `auth.existingSecret` or `helm template` instead of `helm upgrade`, then set either `passwordUpdate.job.previousPasswords.rootPassword`, `passwordUpdate.job.previousPasswords.password`, `passwordUpdate.job.previousPasswords.replicationPassword` (when applicable), setting `auth.existingSecret`.
 
-In the following example we update the password via values.yaml in a mariadb installation with replication
+In the following example we update the password via values.yaml in a mysql installation with replication
 
 ```yaml
 architecture: "replication"
@@ -246,6 +261,27 @@ If you encounter errors when working with persistent volumes, refer to our [trou
 | `startdbScripts`            | Dictionary of startdb scripts                                                                                                                                                       | `{}`                    |
 | `startdbScriptsConfigMap`   | ConfigMap with the startdb scripts (Note: Overrides `startdbScripts`)                                                                                                               | `""`                    |
 
+### TLS/SSL parameters
+
+| Name                                               | Description                                                                                            | Value     |
+| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | --------- |
+| `tls.enabled`                                      | Enable TLS in MySQL                                                                                    | `false`   |
+| `tls.existingSecret`                               | Existing secret that contains TLS certificates                                                         | `""`      |
+| `tls.certFilename`                                 | The secret key from the existingSecret if 'cert' key different from the default (tls.crt)              | `tls.crt` |
+| `tls.certKeyFilename`                              | The secret key from the existingSecret if 'key' key different from the default (tls.key)               | `tls.key` |
+| `tls.certCAFilename`                               | The secret key from the existingSecret if 'ca' key different from the default (tls.crt)                | `""`      |
+| `tls.ca`                                           | CA certificate for TLS. Ignored if `tls.existingSecret` is set                                         | `""`      |
+| `tls.cert`                                         | TLS certificate for MySQL. Ignored if `tls.existingSecret` is set                                      | `""`      |
+| `tls.key`                                          | TLS key for MySQL. Ignored if `tls.existingSecret` is set                                              | `""`      |
+| `tls.autoGenerated.enabled`                        | Enable automatic generation of certificates for TLS                                                    | `true`    |
+| `tls.autoGenerated.engine`                         | Mechanism to generate the certificates (allowed values: helm, cert-manager)                            | `helm`    |
+| `tls.autoGenerated.certManager.existingIssuer`     | The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine) | `""`      |
+| `tls.autoGenerated.certManager.existingIssuerKind` | Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine)                              | `""`      |
+| `tls.autoGenerated.certManager.keyAlgorithm`       | Key algorithm for the certificates (only for `cert-manager` engine)                                    | `RSA`     |
+| `tls.autoGenerated.certManager.keySize`            | Key size for the certificates (only for `cert-manager` engine)                                         | `2048`    |
+| `tls.autoGenerated.certManager.duration`           | Duration for the certificates (only for `cert-manager` engine)                                         | `2160h`   |
+| `tls.autoGenerated.certManager.renewBefore`        | Renewal period for the certificates (only for `cert-manager` engine)                                   | `360h`    |
+
 ### MySQL Primary parameters
 
 | Name                                                        | Description                                                                                                                                                                                                                       | Value               |

diff --git a/bitnami/mysql/templates/_helpers.tpl b/bitnami/mysql/templates/_helpers.tpl
@@ -180,6 +180,25 @@ Return the secret with new MySQL credentials
     {{- end -}}
 {{- end -}}
 
+{{/*
+Return the MySQL TLS credentials secret
+*/}}
+{{- define "mysql.tlsSecretName" -}}
+{{- if .Values.tls.existingSecret -}}
+    {{- print (tpl .Values.tls.existingSecret $) -}}
+{{- else -}}
+    {{- printf "%s-crt" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "mysql.tlsCACert" -}}
+{{- if or (eq .Values.tls.autoGenerated.engine "helm") (and (not .Values.tls.autoGenerated.enabled) (empty .Values.tls.existingSecret) .Values.tls.ca) -}}
+    {{- printf "/opt/bitnami/mysql/certs/%s" "ca.crt" -}}
+{{- else }}
+    {{- ternary "" (printf "/opt/bitnami/mysql/certs/%s" .Values.tls.certCAFilename) (empty .Values.tls.certCAFilename) }}
+{{- end -}}
+{{- end -}}
+
 {{/* Check if there are rolling tags in the images */}}
 {{- define "mysql.checkRollingTags" -}}
 {{- include "common.warnings.rollingTag" .Values.image }}

diff --git a/bitnami/mysql/templates/ca-cert.yaml b/bitnami/mysql/templates/ca-cert.yaml
@@ -0,0 +1,56 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.tls.enabled .Values.tls.autoGenerated.enabled (eq .Values.tls.autoGenerated.engine "cert-manager") }}
+{{- if empty .Values.tls.autoGenerated.certManager.existingIssuer }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ printf "%s-clusterissuer" (include "common.names.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/part-of: mysql
+    app.kubernetes.io/component: mysql
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  selfSigned: {}
+---
+{{- end }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/part-of: mysql
+    app.kubernetes.io/component: mysql
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  secretName: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }}
+  commonName: {{ printf "%s-ca" (include "common.names.fullname" .) }}
+  isCA: true
+  issuerRef:
+    name: {{ default (printf "%s-clusterissuer" (include "common.names.fullname" .)) .Values.tls.autoGenerated.certManager.existingIssuer }}
+    kind: {{ default "Issuer" .Values.tls.autoGenerated.certManager.existingIssuerKind }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ printf "%s-ca-issuer" (include "common.names.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/part-of: mysql
+    app.kubernetes.io/component: mysql
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  ca:
+    secretName: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }}
+{{- end }}
diff --git a/bitnami/mysql/templates/cert.yaml b/bitnami/mysql/templates/cert.yaml
@@ -0,0 +1,48 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.tls.enabled .Values.tls.autoGenerated.enabled (eq .Values.tls.autoGenerated.engine "cert-manager") }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ printf "%s-crt" (include "common.names.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/part-of: mysql
+    app.kubernetes.io/component: mysql
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  secretName: {{ printf "%s-crt" (include "common.names.fullname" .) }}
+  commonName: {{ printf "%s.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" .) .Values.clusterDomain }}
+  issuerRef:
+    name: {{ printf "%s-ca-issuer" (include "common.names.fullname" .) }}
+    kind: Issuer
+  subject:
+    organizations:
+      - "MySQL"
+  dnsNames:
+    - '*.{{ include "common.names.namespace" . }}'
+    - '*.{{ include "common.names.namespace" . }}.svc'
+    - '*.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}'
+    - '*.{{ include "mysql.primary.fullname" . }}'
+    - '*.{{ include "mysql.primary.fullname" . }}.{{ include "common.names.namespace" . }}'
+    - '*.{{ include "mysql.primary.fullname" . }}.{{ include "common.names.namespace" . }}.svc'
+    - '*.{{ include "mysql.primary.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}'
+    - '*.{{ include "mysql.secondary.fullname" . }}'
+    - '*.{{ include "mysql.secondary.fullname" . }}.{{ include "common.names.namespace" . }}'
+    - '*.{{ include "mysql.secondary.fullname" . }}.{{ include "common.names.namespace" . }}.svc'
+    - '*.{{ include "mysql.secondary.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}'
+    - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}'
+    - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}.{{ include "common.names.namespace" . }}'
+    - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}.{{ include "common.names.namespace" . }}.svc'
+    - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}'
+  privateKey:
+    algorithm: {{ .Values.tls.autoGenerated.certManager.keyAlgorithm }}
+    size: {{ int .Values.tls.autoGenerated.certManager.keySize }}
+  duration: {{ .Values.tls.autoGenerated.certManager.duration }}
+  renewBefore: {{ .Values.tls.autoGenerated.certManager.renewBefore }}
+{{- end }}
diff --git a/bitnami/mysql/templates/primary/statefulset.yaml b/bitnami/mysql/templates/primary/statefulset.yaml
@@ -174,6 +174,12 @@ spec:
                   name: {{ template "mysql.secretName" . }}
                   key: mysql-root-password
             {{- end }}
+            - name: MYSQL_ENABLE_SSL
+              value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
+            {{- if and .Values.tls.enabled (include "mysql.tlsCACert" .) }}
+            - name: MYSQL_CLIENT_CA_FILE
+              value: {{ include "mysql.tlsCACert" . | quote }}
+            {{- end }}
             {{- if not (empty .Values.auth.username) }}
             - name: MYSQL_USER
               value: {{ .Values.auth.username | quote }}
@@ -306,6 +312,10 @@ spec:
             - name: empty-dir
               mountPath: /opt/bitnami/mysql/logs
               subPath: app-logs-dir
+            {{- if .Values.tls.enabled }}
+            - name: cert
+              mountPath: /opt/bitnami/mysql/certs
+            {{- end }}
             {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
             - name: custom-init-scripts
               mountPath: /docker-entrypoint-initdb.d
@@ -422,6 +432,12 @@ spec:
                 path: mysql-replication-password
               {{- end }}
         {{- end }}
+        {{- if .Values.tls.enabled }}
+        - name: cert
+          secret:
+            secretName: {{ include "mysql.tlsSecretName" . }}
+            defaultMode: 256
+        {{- end }}
         - name: empty-dir
           emptyDir: {}
         {{- if .Values.primary.extraVolumes }}

diff --git a/bitnami/mysql/templates/secondary/statefulset.yaml b/bitnami/mysql/templates/secondary/statefulset.yaml
@@ -177,6 +177,12 @@ spec:
               value: {{ .Values.secondary.containerPorts.mysql | quote}}
             - name: MYSQL_REPLICATION_USER
               value: {{ .Values.auth.replicationUser | quote }}
+            - name: MYSQL_ENABLE_SSL
+              value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
+            {{- if and .Values.tls.enabled (include "mysql.tlsCACert" .) }}
+            - name: MYSQL_CLIENT_CA_FILE
+              value: {{ include "mysql.tlsCACert" . | quote }}
+            {{- end }}
             {{- if .Values.auth.usePasswordFiles }}
             - name: MYSQL_MASTER_ROOT_PASSWORD_FILE
               value: {{ default "/opt/bitnami/mysql/secrets/mysql-root-password" .Values.auth.customPasswordFiles.root }}
@@ -278,6 +284,10 @@ spec:
               {{- if .Values.secondary.persistence.subPath }}
               subPath: {{ .Values.secondary.persistence.subPath }}
               {{- end }}
+            {{- if .Values.tls.enabled }}
+            - name: cert
+              mountPath: /opt/bitnami/mysql/certs
+            {{- end }}
             {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
             - name: custom-init-scripts
               mountPath: /docker-entrypoint-initdb.d
@@ -402,6 +412,12 @@ spec:
               - key: mysql-replication-password
                 path: mysql-replication-password
         {{- end }}
+        {{- if .Values.tls.enabled }}
+        - name: cert
+          secret:
+            secretName: {{ include "mysql.tlsSecretName" . }}
+            defaultMode: 256
+        {{- end }}
         - name: empty-dir
           emptyDir: {}
         {{- if .Values.secondary.extraVolumes }}