[proxysql] init job disable ssl (#146)

Co-authored-by: Rainer 'rei' Schuth <rainer.schuth@digital-results-international.com>

Author: reixd

charts/proxysql/Chart.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 appVersion: 3.0.8
 description: ProxySQL Helm chart for Kubernetes
 name: proxysql
-version: 1.2.0
+version: 1.2.1
 home: https://www.proxysql.com/
 sources:
   - https://github.com/dysnix/charts

charts/proxysql/README.md

@@ -1,6 +1,6 @@
 # proxysql
 
-![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![AppVersion: 3.0.8](https://img.shields.io/badge/AppVersion-3.0.8-informational?style=flat-square)
+![Version: 1.2.1](https://img.shields.io/badge/Version-1.2.1-informational?style=flat-square) ![AppVersion: 3.0.8](https://img.shields.io/badge/AppVersion-3.0.8-informational?style=flat-square)
 
 ProxySQL Helm chart for Kubernetes
 
@@ -103,7 +103,7 @@ ProxySQL Helm chart for Kubernetes
 | mysql_query_rules | string | `nil` | Configure mysql_query_rules. |
 | use_default_proxysql_servers | bool | `true` | Configure use_default_proxysql_servers. |
 | additional_proxysql_servers | string | `nil` | Configure additional_proxysql_servers. |
-| proxysql_cluster | object | `{"core":{"enabled":true,"exit_on_error":false,"podDisruptionBudget":{},"priorityClassName":"","replicas":3,"service":{"name":""},"statefullset":{"affinity":{},"minReadySeconds":0,"nodeSelector":{},"podAnnotations":{},"resources":{},"tolerations":[],"updateStrategy":{"type":"RollingUpdate"}}},"enabled":false,"healthcheck":{"diff_check_limit":10,"kill_if_healthcheck_failed":true,"livenessCommand":["/bin/sh","-c","/usr/local/bin/proxysql_cluster_healthcheck.sh liveness"],"psql_host":"127.0.0.1","psql_host_port":null,"psql_pass":null,"psql_user":null,"readinessCommand":["/bin/sh","-c","/usr/local/bin/proxysql_cluster_healthcheck.sh readiness"],"startupCommand":["/bin/sh","-c","/usr/local/bin/proxysql_cluster_healthcheck.sh started"],"verbose":false},"job":{"affinity":{},"backoffLimit":3,"enabled":true,"nodeSelector":{},"podAnnotations":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":86400},"satellite":{"daemonset":{"affinity":{},"minReadySeconds":0,"nodeSelector":{},"podAnnotations":{},"resources":{},"tolerations":[],"updateStrategy":{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}},"deployment":{"minReadySeconds":0,"strategy":{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}},"enabled":true,"exit_on_error":false,"kind":"DaemonSet","podDisruptionBudget":{},"priorityClassName":"","replicas":3,"service":{"name":""}},"secret":{"cluster_password":"proxysql","cluster_username":"proxysql-cluster"}}` | Set proxysql_cluster. |
+| proxysql_cluster | object | `{"core":{"enabled":true,"exit_on_error":false,"podDisruptionBudget":{},"priorityClassName":"","replicas":3,"service":{"name":""},"statefullset":{"affinity":{},"minReadySeconds":0,"nodeSelector":{},"podAnnotations":{},"resources":{},"tolerations":[],"updateStrategy":{"type":"RollingUpdate"}}},"enabled":false,"healthcheck":{"diff_check_limit":10,"kill_if_healthcheck_failed":true,"livenessCommand":["/bin/sh","-c","/usr/local/bin/proxysql_cluster_healthcheck.sh liveness"],"psql_host":"127.0.0.1","psql_host_port":null,"psql_pass":null,"psql_user":null,"readinessCommand":["/bin/sh","-c","/usr/local/bin/proxysql_cluster_healthcheck.sh readiness"],"startupCommand":["/bin/sh","-c","/usr/local/bin/proxysql_cluster_healthcheck.sh started"],"verbose":false},"job":{"affinity":{},"backoffLimit":3,"enabled":true,"mysqlClientFlags":"--ssl=0","nodeSelector":{},"podAnnotations":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":86400},"satellite":{"daemonset":{"affinity":{},"minReadySeconds":0,"nodeSelector":{},"podAnnotations":{},"resources":{},"tolerations":[],"updateStrategy":{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}},"deployment":{"minReadySeconds":0,"strategy":{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}},"enabled":true,"exit_on_error":false,"kind":"DaemonSet","podDisruptionBudget":{},"priorityClassName":"","replicas":3,"service":{"name":""}},"secret":{"cluster_password":"proxysql","cluster_username":"proxysql-cluster"}}` | Set proxysql_cluster. |
 | proxysql_cluster.enabled | bool | `false` | Enable this feature. |
 | proxysql_cluster.secret | object | `{"cluster_password":"proxysql","cluster_username":"proxysql-cluster"}` | Component secret configuration map. |
 | proxysql_cluster.secret.cluster_username | string | `"proxysql-cluster"` | Set proxysql_cluster.secret.cluster_username. |
@@ -150,10 +150,11 @@ ProxySQL Helm chart for Kubernetes
 | proxysql_cluster.satellite.deployment.strategy.rollingUpdate.maxSurge | int | `1` | Allow one extra pod during upgrades. |
 | proxysql_cluster.satellite.service | object | `{"name":""}` | Service configuration. |
 | proxysql_cluster.satellite.service.name | string | `""` | Set proxysql_cluster.satellite.service.name. |
-| proxysql_cluster.job | object | `{"affinity":{},"backoffLimit":3,"enabled":true,"nodeSelector":{},"podAnnotations":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":86400}` | Set proxysql_cluster.job. |
+| proxysql_cluster.job | object | `{"affinity":{},"backoffLimit":3,"enabled":true,"mysqlClientFlags":"--ssl=0","nodeSelector":{},"podAnnotations":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":86400}` | Set proxysql_cluster.job. |
 | proxysql_cluster.job.enabled | bool | `true` | Enable this feature. |
 | proxysql_cluster.job.backoffLimit | int | `3` | Set proxysql_cluster.job.backoffLimit. |
 | proxysql_cluster.job.ttlSecondsAfterFinished | int | `86400` | Set proxysql_cluster.job.ttlSecondsAfterFinished. |
+| proxysql_cluster.job.mysqlClientFlags | string | `"--ssl=0"` | Extra mysql client flags used by init-cluster job. Default disables TLS for internal admin connection to avoid certificate trust errors. |
 | proxysql_cluster.job.nodeSelector | object | `{}` | Node selector for pod scheduling. |
 | proxysql_cluster.job.tolerations | list | `[]` | Tolerations for pod scheduling. |
 | proxysql_cluster.job.affinity | object | `{}` | Affinity rules for pod scheduling. |

charts/proxysql/templates/jobs.yaml

@@ -2,6 +2,7 @@
 {{- if and .Values.proxysql_cluster.enabled .Values.proxysql_cluster.job.enabled .Values.proxysql_cluster.core.enabled }}
 {{- $coreServiceName := printf "%s-core.%s.svc" (include "proxysql.fullname" .) .Release.Namespace }}
 {{- $coreServiceAdminPort := (.Values.proxysql_cluster.healthcheck.psql_host_port | default .Values.service.adminPort) }}
+{{- $mysqlClientFlags := .Values.proxysql_cluster.job.mysqlClientFlags }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -78,7 +79,7 @@ spec:
             - >
                 mysql --user=${PSQL_USER} --password=${PSQL_PASSWORD}
                 --host={{ $coreServiceName }} --port={{ $coreServiceAdminPort }}
-                --wait -vv < /data/update-cluster-checksums.sql
+                {{- if $mysqlClientFlags }} {{ $mysqlClientFlags }}{{- end }} --wait -vv < /data/update-cluster-checksums.sql
           resources:
             {{- toYaml (default .Values.resources .Values.proxysql_cluster.job.resources) | nindent 12 }}
           env:

charts/proxysql/values.yaml

@@ -528,6 +528,10 @@ proxysql_cluster:
     # -- Set proxysql_cluster.job.ttlSecondsAfterFinished.
     ttlSecondsAfterFinished: 86400
 
+    # -- Extra mysql client flags used by init-cluster job.
+    # Default disables TLS for internal admin connection to avoid certificate trust errors.
+    mysqlClientFlags: "--ssl=0"
+
     # -- Node selector for pod scheduling.
     nodeSelector: {}
     # -- Tolerations for pod scheduling.