chore: fixing mariadb template when pop to pod tls is enabled

[nsingla]

The issue resolved by this Pull Request:

Resolves #<issue_number>

Description of your changes:

Testing instructions

Checklist

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

Summary by CodeRabbit

• Chores
  • Added a PodToPodTLS toggle to switch readiness probe behavior and conditionally include TLS assets for intra-pod connections.
  • Conditionally enforce require_secure_transport when PodToPodTLS is enabled, ensuring TLS-related settings and mounts are applied as needed.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign hbelmiro for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a PodToPodTLS conditional that toggles TLS-related settings: enables require_secure_transport = on in the MariaDB TLS config and switches the readinessProbe path plus related TLS volume mounts/volumes in the deployment template.

Changes

Cohort / File(s)	Summary
MariaDB TLS configuration config/internal/mariadb/default/tls-config.yaml.tmpl	Adds a conditional block to include require_secure_transport = on when PodToPodTLS is true.
MariaDB deployment template config/internal/mariadb/default/deployment.yaml.tmpl	Adds PodToPodTLS conditionals to the readinessProbe command (switches to TLS client path when enabled), and conditionally mounts TLS-related volumes plus pod-level secret/configMap volumes for TLS artifacts.

Sequence Diagram(s)

sequenceDiagram
  participant Kube as Kubelet
  participant Pod as MariaDB Pod
  participant Container as MariaDB Container
  participant MySQL as MySQL Server (inside container)
  participant Secrets as Secret/ConfigMap

  Kube->>Pod: Start pod (with PodToPodTLS=true)
  Pod->>Secrets: Mount TLS secret & configMap
  Pod->>Container: Start container
  Kube->>Container: Run readinessProbe (TLS path)
  Container->>MySQL: mysql client connects via TLS using mounted certs
  MySQL-->>Container: SELECT 1 result
  Container-->>Kube: Probe succeeds/fails

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A hop, a patch, a TLS hooray,
Pods whisper secrets safe today,
Conditional lines snug and tight,
MySQL smiles, encrypted light,
I nibble bugs — all tucked away. 🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title mentions 'pop to pod tls' but the correct term throughout the codebase is 'PodToPodTLS' - this appears to be a typo. However, the title correctly identifies the main change: fixing MariaDB template configuration for TLS.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dsp-developers]

A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-960
An OCP cluster where you are logged in as cluster admin is required.

To use this image run the following:

cd $(mktemp -d)
git clone [email protected]:opendatahub-io/data-science-pipelines-operator.git
cd data-science-pipelines-operator/
git fetch origin pull/960/head
git checkout -b pullrequest ba061bd76b0519a519ce5fdf41c3c44250629137
oc new-project opendatahub
make deploy IMG="quay.io/opendatahub/data-science-pipelines-operator:pr-960"

More instructions here on how to deploy and test a Data Science Pipelines Application.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

config/internal/mariadb/default/tls-config.yaml.tmpl (1)

14-16: Logic is correct; consider trimming template whitespace for cleaner output.

The conditional correctly enforces require_secure_transport = on when pod-to-pod TLS is enabled. However, the current template will render extra blank lines (with trailing whitespace) in the generated config regardless of the condition value.

Using the - modifier in Go templates trims adjacent whitespace for cleaner output:

✨ Suggested improvement for cleaner rendered output

     ssl_key = /.mariadb/certs/tls.key
-    {{ if .PodToPodTLS }}
+{{- if .PodToPodTLS }}
     require_secure_transport = on
-    {{ end }}
+{{- end }}

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 13d6fd2 and ba061bd.

📒 Files selected for processing (1)

• config/internal/mariadb/default/tls-config.yaml.tmpl

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: functest
• GitHub Check: dspo-byoargo-tests
• GitHub Check: dspo-tests
• GitHub Check: precommit
• GitHub Check: unittest

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @config/internal/mariadb/default/deployment.yaml.tmpl:
- Around line 41-50: The livenessProbe currently uses an unconditional tcpSocket
(port 3306) which will fail when .PodToPodTLS is true and MariaDB enforces
require_secure_transport; modify the livenessProbe block in deployment.yaml.tmpl
to mirror the readinessProbe conditional: wrap the probe in an {{ if
.PodToPodTLS }} / {{ else }} / {{ end }} and when PodToPodTLS is true use an
exec probe running the same MYSQL_PWD=$MYSQL_PASSWORD mysql -u $MYSQL_USER -D
$MYSQL_DATABASE -e 'SELECT 1' (omitting -h to use the Unix socket), otherwise
keep the existing tcpSocket: port: 3306 behavior so unencrypted TCP is only used
when TLS is disabled.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ba061bd and 53b7c02.

📒 Files selected for processing (1)

• config/internal/mariadb/default/deployment.yaml.tmpl

🔇 Additional comments (2)

config/internal/mariadb/default/deployment.yaml.tmpl (2)

98-104: LGTM!

The TLS volume mounts are correctly structured. Using subPath for the config file mount is appropriate to avoid overwriting the existing /etc/my.cnf.d/ directory contents.

---

109-121: LGTM! Volume definitions correctly reference the TLS secret and configMap with appropriate naming conventions. The MariaDB TLS secret is automatically provisioned by OpenShift via the Service annotation, and the configMap is created by the corresponding template. Server-side TLS only requires the certificate and key pair.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, check if the file exists and examine the specific lines
if [ -f "config/internal/mariadb/default/deployment.yaml.tmpl" ]; then
  echo "=== File exists. Showing lines 35-55 for context ==="
  sed -n '35,55p' config/internal/mariadb/default/deployment.yaml.tmpl | cat -n
else
  echo "File not found at config/internal/mariadb/default/deployment.yaml.tmpl"
  # Try to find it
  find . -name "*deployment.yaml.tmpl" -type f 2>/dev/null | head -20
fi

Repository: opendatahub-io/data-science-pipelines-operator

Length of output: 966

---

🏁 Script executed:

# Search for other readiness probe configurations in MariaDB templates
echo "=== Searching for readinessProbe in MariaDB files ==="
fd -e yaml.tmpl -e yaml . config/internal/mariadb 2>/dev/null | while read f; do
  if grep -l "readinessProbe" "$f" 2>/dev/null; then
    echo "Found in: $f"
    grep -n -A 10 "readinessProbe" "$f"
  fi
done

Repository: opendatahub-io/data-science-pipelines-operator

Length of output: 633

---

🏁 Script executed:

# Search for require_secure_transport to understand TLS enforcement
echo "=== Searching for require_secure_transport ==="
rg -n 'require_secure_transport' --type yaml --type tmpl

Repository: opendatahub-io/data-science-pipelines-operator

Length of output: 182

---

🏁 Script executed:

# Check the volumeMounts and volumes sections mentioned in the comment (lines 98-104 and 109-121)
echo "=== Checking volumeMounts and volumes in deployment.yaml.tmpl ==="
if [ -f "config/internal/mariadb/default/deployment.yaml.tmpl" ]; then
  echo "=== volumeMounts section (lines 95-110) ==="
  sed -n '95,110p' config/internal/mariadb/default/deployment.yaml.tmpl | cat -n
  echo ""
  echo "=== volumes section (lines 105-125) ==="
  sed -n '105,125p' config/internal/mariadb/default/deployment.yaml.tmpl | cat -n
fi

Repository: opendatahub-io/data-science-pipelines-operator

Length of output: 1586

---

🏁 Script executed:

# Look for TLS configuration files
echo "=== Searching for TLS config files ==="
fd 'tls-config\|tls.conf\|my.cnf' config/internal/mariadb 2>/dev/null | head -20

Repository: opendatahub-io/data-science-pipelines-operator

Length of output: 128

---

🏁 Script executed:

# Check if there are MySQL/MariaDB config templates with require_secure_transport
echo "=== Searching for MariaDB config templates ==="
fd -e tmpl -e conf -e cnf . config/internal/mariadb 2>/dev/null

Repository: opendatahub-io/data-science-pipelines-operator

Length of output: 505

---

🏁 Script executed:

# Examine the TLS configuration template
echo "=== Content of tls-config.yaml.tmpl ==="
cat config/internal/mariadb/default/tls-config.yaml.tmpl

Repository: opendatahub-io/data-science-pipelines-operator

Length of output: 522

---

🏁 Script executed:

# Search for any mention of require_secure_transport or ssl-related configs
echo "=== Searching for TLS/SSL enforcement in all files ==="
rg -n 'require_secure_transport|ssl|tls' config/internal/mariadb --type yaml -i

Repository: opendatahub-io/data-science-pipelines-operator

Length of output: 144

---

🏁 Script executed:

# Check if there are any init containers or other setup scripts that configure require_secure_transport
echo "=== Checking for init containers or setup scripts ==="
sed -n '1,200p' config/internal/mariadb/default/deployment.yaml.tmpl | grep -A 20 -B 5 'initContainer\|mysql\|mariadb'

Repository: opendatahub-io/data-science-pipelines-operator

Length of output: 3096

---

🏁 Script executed:

# Look for any references to socket paths or connection methods in the entire deployment template
echo "=== Checking full readiness and liveliness probe sections ==="
grep -n -B 5 -A 15 'readinessProbe\|livenessProbe' config/internal/mariadb/default/deployment.yaml.tmpl

Repository: opendatahub-io/data-science-pipelines-operator

Length of output: 1634

---

TLS-enabled liveness probe will fail with require_secure_transport = on.

The readiness probe correctly uses a Unix socket connection (by omitting -h 127.0.0.1) to bypass require_secure_transport enforcement. However, the livenessProbe at line 56-63 is unconditionally TCP-based (tcpSocket: port: 3306) and does not have a TLS-enabled variant. When PodToPodTLS=true, the MariaDB server enforces require_secure_transport = on, which will reject the unencrypted TCP liveness probe and cause the probe to fail indefinitely.

The liveness probe must be made conditional (similar to the readiness probe) to use either a Unix socket connection or TLS-enabled TCP when PodToPodTLS=true.

🤖 Prompt for AI Agents

In @config/internal/mariadb/default/deployment.yaml.tmpl around lines 41 - 50,
The livenessProbe currently uses an unconditional tcpSocket (port 3306) which
will fail when .PodToPodTLS is true and MariaDB enforces
require_secure_transport; modify the livenessProbe block in deployment.yaml.tmpl
to mirror the readinessProbe conditional: wrap the probe in an {{ if
.PodToPodTLS }} / {{ else }} / {{ end }} and when PodToPodTLS is true use an
exec probe running the same MYSQL_PWD=$MYSQL_PASSWORD mysql -u $MYSQL_USER -D
$MYSQL_DATABASE -e 'SELECT 1' (omitting -h to use the Unix socket), otherwise
keep the existing tcpSocket: port: 3306 behavior so unencrypted TCP is only used
when TLS is disabled.

[dsp-developers]

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-960