def secret_data(self):
with open('/database-server-config/sql-config.json', 'r') as f:
server_config = SQLConfig.from_json(f.read())
with open('/database-server-config/server-ca.pem', 'r') as f:
server_ca = f.read()
with open('/database-server-config/client-cert.pem', 'r') as f:
client_cert = f.read()
with open('/database-server-config/client-key.pem', 'r') as f:
client_key = f.read()
if is_test_deployment:
return create_secret_data_from_config(server_config, server_ca, client_cert, client_key)
assert self.name is not None
assert self.password is not None
config = SQLConfig(
host=server_config.host,
port=server_config.port,
user=self.name,
password=self.password,
instance=server_config.instance,
db=self.name,
ssl_ca='/sql-config/server-ca.pem',
ssl_cert='/sql-config/client-cert.pem',
ssl_key='/sql-config/client-key.pem',
ssl_mode='VERIFY_CA',
)
return create_secret_data_from_config(config, server_ca, client_cert, client_key)
def secret_data(self):
with open('/database-server-config/sql-config.json',
'r',
encoding='utf-8') as f:
server_config = SQLConfig.from_json(f.read())
with open('/database-server-config/server-ca.pem',
'r',
encoding='utf-8') as f:
server_ca = f.read()
client_cert: Optional[str]
client_key: Optional[str]
if server_config.using_mtls():
with open('/database-server-config/client-cert.pem',
'r',
encoding='utf-8') as f:
client_cert = f.read()
with open('/database-server-config/client-key.pem',
'r',
encoding='utf-8') as f:
client_key = f.read()
else:
client_cert = None
client_key = None
if is_test_deployment:
return create_secret_data_from_config(server_config, server_ca,
client_cert, client_key)
assert self.name is not None
assert self.password is not None
config = SQLConfig(
host=server_config.host,
port=server_config.port,
user=self.name,
password=self.password,
instance=server_config.instance,
connection_name=server_config.connection_name,
db=self.name,
ssl_ca='/sql-config/server-ca.pem',
ssl_cert='/sql-config/client-cert.pem'
if client_cert is not None else None,
ssl_key='/sql-config/client-key.pem'
if client_key is not None else None,
ssl_mode='VERIFY_CA',
)
return create_secret_data_from_config(config, server_ca, client_cert,
client_key)
async def write_user_config(namespace: str, database_name: str, user: str,
config: SQLConfig):
with open('/sql-config/server-ca.pem', 'r') as f:
server_ca = f.read()
client_cert: Optional[str]
client_key: Optional[str]
if config.using_mtls():
with open('/sql-config/client-cert.pem', 'r') as f:
client_cert = f.read()
with open('/sql-config/client-key.pem', 'r') as f:
client_key = f.read()
else:
client_cert = None
client_key = None
secret = create_secret_data_from_config(config, server_ca, client_cert,
client_key)
files = secret.keys()
for fname, data in secret.items():
with open(os.path.basename(fname), 'w') as f:
f.write(data)
secret_name = f'sql-{database_name}-{user}-config'
print(f'creating secret {secret_name}')
from_files = ' '.join(f'--from-file={f}' for f in files)
await check_shell(f'''
kubectl -n {shq(namespace)} create secret generic \
{shq(secret_name)} \
{from_files} \
--save-config --dry-run=client \
-o yaml \
| kubectl -n {shq(namespace)} apply -f -
''')
def get_sql_config(maybe_config_file: Optional[str] = None) -> SQLConfig:
if maybe_config_file is None:
config_file = os.environ.get('HAIL_DATABASE_CONFIG_FILE',
'/sql-config/sql-config.json')
else:
config_file = maybe_config_file
with open(config_file, 'r') as f:
sql_config = SQLConfig.from_json(f.read())
sql_config.check()
log.info('using tls and verifying server certificates for MySQL')
return sql_config
async def create_database():
with open('/sql-config/sql-config.json', 'r') as f:
sql_config = SQLConfig.from_json(f.read())
namespace = create_database_config['namespace']
database_name = create_database_config['database_name']
cant_create_database = create_database_config['cant_create_database']
if cant_create_database:
assert sql_config.db is not None
await write_user_config(namespace, database_name, 'admin', sql_config)
await write_user_config(namespace, database_name, 'user', sql_config)
return
scope = create_database_config['scope']
_name = create_database_config['_name']
admin_username = create_database_config['admin_username']
user_username = create_database_config['user_username']
db = Database()
await db.async_init()
if scope == 'deploy':
assert _name == database_name
# create if not exists
rows = db.execute_and_fetchall(
f"SHOW DATABASES LIKE '{database_name}';")
rows = [row async for row in rows]
if len(rows) > 0:
assert len(rows) == 1
return
with open(create_database_config['admin_password_file']) as f:
admin_password = f.read()
with open(create_database_config['user_password_file']) as f:
user_password = f.read()
await db.just_execute(f'''
CREATE DATABASE IF NOT EXISTS `{_name}`;
CREATE USER IF NOT EXISTS '{admin_username}'@'%' IDENTIFIED BY '{admin_password}';
GRANT ALL ON `{_name}`.* TO '{admin_username}'@'%';
CREATE USER IF NOT EXISTS '{user_username}'@'%' IDENTIFIED BY '{user_password}';
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON `{_name}`.* TO '{user_username}'@'%';
''')
await write_user_config(
namespace,
database_name,
'admin',
SQLConfig(
host=sql_config.host,
port=sql_config.port,
instance=sql_config.instance,
connection_name=sql_config.instance,
user=admin_username,
password=admin_password,
db=_name,
ssl_ca=sql_config.ssl_ca,
ssl_cert=sql_config.ssl_cert,
ssl_key=sql_config.ssl_key,
ssl_mode=sql_config.ssl_mode,
),
)
await write_user_config(
namespace,
database_name,
'user',
SQLConfig(
host=sql_config.host,
port=sql_config.port,
instance=sql_config.instance,
connection_name=sql_config.instance,
user=user_username,
password=user_password,
db=_name,
ssl_ca=sql_config.ssl_ca,
ssl_cert=sql_config.ssl_cert,
ssl_key=sql_config.ssl_key,
ssl_mode=sql_config.ssl_mode,
),
)