def ensure_correct_tls_sysvars()

in mysqloperator/sidecar_main.py [0:0]


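def ensure_correct_tls_sysvars(pod: MySQLPod, session: 'ClassicSession', enabled: bool, caller: str, logger: Logger) -> None:
    """Persist the TLS-related MySQL system variables for this pod.

    With ``enabled`` the server (and, for a ``group-member`` pod, Group
    Replication plus its recovery channel) is pointed at the certificate
    material mounted under ``/etc/mysql-ssl`` and peer verification is turned
    on (``group_replication_ssl_mode=VERIFY_IDENTITY``,
    ``group_replication_recovery_ssl_verify_server_cert=ON``).  Otherwise the
    ``ssl_*`` variables are reset to the server's default certificate file
    names and GR drops to ``REQUIRED`` with verification ``OFF``, i.e. the
    links stay encrypted but the peer certificate is no longer authenticated
    -- presumably because the server's own auto-generated certificates cannot
    be verified against a known CA (not visible here; confirm with the caller).

    Each variable is read back first and only ``SET PERSIST``-ed when its
    current value differs, so repeated calls are cheap and idempotent, and
    the log shows exactly which variables were changed.

    Args:
        pod: the pod being configured; only ``pod.instance_type`` is read.
        session: open classic session with privileges for ``SET PERSIST``.
        enabled: whether the operator-provided TLS material should be used.
        caller: free-form tag echoed in the log line for traceability.
        logger: destination for progress messages.

    Raises:
        kopf.PermanentError: if the server does not know one of the variables.

    NOTE(review): persisting ``ssl_*`` does not by itself reload the server's
    TLS context; confirm the caller issues a TLS reload (or restarts the
    instance) afterwards, otherwise client connections keep using the old
    certificate until then.
    """
    SSL_DIR = "/etc/mysql-ssl"
    has_crl = os.path.exists(f"{SSL_DIR}/crl.pem")

    logger.info(f"Ensuring custom TLS certificates are {'enabled' if enabled else 'disabled'} {'(with crl)' if has_crl else ''} caller={caller}")

    def ensure_sysvar(var: str, value: str) -> None:
        # `var` is always one of the literal names in the tables below.  It is
        # interpolated into the SET PERSIST statement because MySQL cannot bind
        # a variable *name* as a statement parameter -- never pass a
        # caller-controlled string through here.
        logger.info(f"\tChecking if {var} is [{value}]")
        # In a LIKE pattern `_` and `%` are wildcards, so escape them to match
        # exactly this variable rather than any other name of the same length.
        pattern = var.replace("%", r"\%").replace("_", r"\_")
        res = session.run_sql("SHOW VARIABLES LIKE ?", [pattern])
        row = res.fetch_one()
        if not row:
            raise kopf.PermanentError(f"Variable {var} not found!")
        curval = row[1]
        if curval != value:
            logger.info(f"\t{var} is [{curval}] persisting to [{value}]")
            session.run_sql(f"SET PERSIST {var} = ?", [value])

    # Ordered (variable, wanted value) pairs; the server-wide ssl_* paths first,
    # then the Group Replication / recovery-channel settings for group members.
    if enabled:
        wanted = [
            ("ssl_ca", f"{SSL_DIR}/ca.pem"),
            # A CRL is optional: point at it only when the secret shipped one.
            ("ssl_crl", f"{SSL_DIR}/crl.pem" if has_crl else ""),
            ("ssl_cert", f"{SSL_DIR}/tls.crt"),
            ("ssl_key", f"{SSL_DIR}/tls.key"),
        ]
        if pod.instance_type == "group-member":
            wanted += [
                ("group_replication_recovery_ssl_verify_server_cert", "ON"),
                ("group_replication_ssl_mode", "VERIFY_IDENTITY"),
                ("group_replication_recovery_ssl_ca", f"{SSL_DIR}/ca.pem"),
                ("group_replication_recovery_ssl_cert", f"{SSL_DIR}/tls.crt"),
                ("group_replication_recovery_ssl_key", f"{SSL_DIR}/tls.key"),
            ]
    else:
        wanted = [
            ("ssl_ca", "ca.pem"),
            ("ssl_crl", ""),
            ("ssl_cert", "server-cert.pem"),
            ("ssl_key", "server-key.pem"),
        ]
        if pod.instance_type == "group-member":
            wanted += [
                ("group_replication_recovery_ssl_verify_server_cert", "OFF"),
                ("group_replication_ssl_mode", "REQUIRED"),
                ("group_replication_recovery_ssl_ca", ""),
                ("group_replication_recovery_ssl_cert", ""),
                ("group_replication_recovery_ssl_key", ""),
            ]

    for var, value in wanted:
        ensure_sysvar(var, value)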