Add TLS support

[olliewalsh]

Add a TLS property to the CR to specify the the cert and CA secrets.
TLS/secretName and TLS/caSecretName seems to be the convention in other
operators.

Add secrets to rbac and fix missing patch support for pods. Fix Pod
CreateOrUpdate logic.

Trigger reconcile using a label watch as we do not own the TLS secrets.

Add volume mounts for the TLS secrets and kolla config.
Fix mariadb conf ownership, it was being silently ignored.

[stuggi]

does it still start without TLS? because we do not force TLS if I read the above correct.

[olliewalsh]

Yes. The client decides to initiate the SSL handshake. If the SSL files
exist on the server then it will work. There is a conf option to force ssl
by default but it does not exist in this version of mariadb
https://mariadb.com/kb/en/server-system-variables/#require_secure_transport.

I believe we can require SSL for specific accounts though.

[olliewalsh]

That was when using centos8/train images. If the target is centos9/wallaby then we should have require_secure_transport as it's mariadb 10.5.16.

[dprince]

Do we need to listen on *?

[olliewalsh]

Yes, loopback would only be accessible within the pod. It's the default that we have been using all along since mysql user could not read this file.

[stuggi]

we could set the actual ip via an init container to the status.PodIP, but not sure if that is better than * as we only have a single pod interface.

[olliewalsh]

keystone-operator apache uses Listen 0.0.0.0:5000, which is basically the same but IPv4 only. In fact we should change keystone to Listen 5000.

[stuggi]

openstack-k8s-operators/keystone-operator#86

[stuggi]

not sure how static this is. is this a generic type we want to add to lib-common as its used by all operators?

[stuggi]

could also use labels.Merge

if value, ok := tlsSecret.Labels[mariaDBReconcileLabel]; !ok || value != instance.Name {
    tlsSecret.GetObjectMeta().SetLabels(labels.Merge(tlsSecret.GetObjectMeta().GetLabels(), tlsSecret.Labels[mariaDBReconcileLabel] = instance.Name)
    ... update secret
}

[stuggi]

could do this in one if as the return ctrl is the same?

[stuggi]

same as above, could use labels.Merge

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olliewalsh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [olliewalsh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@olliewalsh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	a1c76ba	link	true	/test images
ci/prow/unit	a1c76ba	link	true	/test unit
ci/prow/precommit-check	a1c76ba	link	true	/test precommit-check
ci/prow/mariadb-operator-build-deploy-kuttl	a1c76ba	link	true	/test mariadb-operator-build-deploy-kuttl

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[olliewalsh]

Closing this initial POC PR. See #119 instead