[cherry-pick] Adding TLS support on MariaDB plugin (#62) (#82)

/cherry-pick
Signed-off-by: Alif Biswas <alif@appscode.com>

Author: 1gtm

pkg/backup.go

@@ -19,6 +19,8 @@ package pkg
 import (
 	"context"
 	"fmt"
+	"io/ioutil"
+	"os"
 	"path/filepath"
 	"strings"
 
@@ -38,6 +40,10 @@ import (
 	v1 "kmodules.xyz/offshoot-api/api/v1"
 )
 
+const (
+	MariaDBTLSRootCA = "ca.crt"
+)
+
 func NewCmdBackup() *cobra.Command {
 	var (
 		masterURL      string
@@ -221,8 +227,20 @@ func (opt *mariadbOptions) backupMariaDB(targetRef api_v1beta1.TargetRef) (*rest
 		backupCmd.Args = append(backupCmd.Args, arg)
 	}
 
+	// if ssl enabled, add ca.crt in the arguments
+	if appBinding.Spec.ClientConfig.CABundle != nil {
+		if err := ioutil.WriteFile(filepath.Join(opt.setupOptions.ScratchDir, MariaDBTLSRootCA), appBinding.Spec.ClientConfig.CABundle, os.ModePerm); err != nil {
+			return nil, err
+		}
+		tlsCreds := []interface{}{
+			fmt.Sprintf("--ssl-ca=%v", filepath.Join(opt.setupOptions.ScratchDir, MariaDBTLSRootCA)),
+		}
+
+		backupCmd.Args = append(backupCmd.Args, tlsCreds...)
+	}
+
 	// wait for DB ready
-	err = waitForDBReady(appBinding, appBindingSecret, opt.waitTimeout)
+	err = opt.waitForDBReady(appBinding, appBindingSecret)
 	if err != nil {
 		return nil, err
 	}

pkg/restore.go

@@ -19,6 +19,8 @@ package pkg
 import (
 	"context"
 	"fmt"
+	"io/ioutil"
+	"os"
 	"path/filepath"
 	"strings"
 
@@ -186,12 +188,24 @@ func (opt *mariadbOptions) restoreMariaDB(targetRef api_v1beta1.TargetRef) (*res
 	if appBinding.Spec.ClientConfig.Service.Port != 0 {
 		restoreCmd.Args = append(restoreCmd.Args, fmt.Sprintf("--port=%d", appBinding.Spec.ClientConfig.Service.Port))
 	}
+	// if ssl enabled, add ca.crt in the arguments
+	if appBinding.Spec.ClientConfig.CABundle != nil {
+		if err := ioutil.WriteFile(filepath.Join(opt.setupOptions.ScratchDir, MariaDBTLSRootCA), appBinding.Spec.ClientConfig.CABundle, os.ModePerm); err != nil {
+			return nil, err
+		}
+		tlsCreds := []interface{}{
+			fmt.Sprintf("--ssl-ca=%v", filepath.Join(opt.setupOptions.ScratchDir, MariaDBTLSRootCA)),
+		}
+
+		restoreCmd.Args = append(restoreCmd.Args, tlsCreds...)
+	}
+
 	for _, arg := range strings.Fields(opt.myArgs) {
 		restoreCmd.Args = append(restoreCmd.Args, arg)
 	}
 
 	// wait for DB ready
-	err = waitForDBReady(appBinding, appBindingSecret, opt.waitTimeout)
+	err = opt.waitForDBReady(appBinding, appBindingSecret)
 	if err != nil {
 		return nil, err
 	}

pkg/utils.go

@@ -18,6 +18,7 @@ package pkg
 
 import (
 	"fmt"
+	"path/filepath"
 
 	stash "stash.appscode.dev/apimachinery/client/clientset/versioned"
 	"stash.appscode.dev/apimachinery/pkg/restic"
@@ -56,18 +57,22 @@ type mariadbOptions struct {
 	dumpOptions   restic.DumpOptions
 }
 
-func waitForDBReady(appBinding *v1alpha1.AppBinding, secret *core.Secret, waitTimeout int32) error {
+func (opt *mariadbOptions) waitForDBReady(appBinding *v1alpha1.AppBinding, secret *core.Secret) error {
 	log.Infoln("Waiting for the database to be ready.....")
 	shell := sh.NewSession()
 	shell.SetEnv(EnvMariaDBPassword, string(secret.Data[MariaDBPassword]))
 	args := []interface{}{
 		"ping",
 		"--host", appBinding.Spec.ClientConfig.Service.Name,
-		"--user=root",
-		fmt.Sprintf("--wait=%d", waitTimeout),
+		"--user", string(secret.Data[MariaDBUser]),
 	}
 	if appBinding.Spec.ClientConfig.Service.Port != 0 {
 		args = append(args, fmt.Sprintf("--port=%d", appBinding.Spec.ClientConfig.Service.Port))
 	}
+
+	if appBinding.Spec.ClientConfig.CABundle != nil {
+		args = append(args, fmt.Sprintf("--ssl-ca=%v", filepath.Join(opt.setupOptions.ScratchDir, MariaDBTLSRootCA)))
+	}
+
 	return shell.Command("mysqladmin", args...).Run()
 }