[cherry-pick] Add TLS support for backup and Restore (#328) (#338)

Signed-off-by: suaas21 <sagor@appscode.com>
Co-authored-by: Emruz Hossain <emruz@appscode.com>

Author: 1gtm

docs/examples/backup/sample-mysql.yaml

@@ -1,10 +1,10 @@
-apiVersion: kubedb.com/v1alpha1
+apiVersion: kubedb.com/v1alpha2
 kind: MySQL
 metadata:
   name: sample-mysql
   namespace: demo
 spec:
-  version: "8.0.14"
+  version: "8.0.21-v1"
   replicas: 1
   storageType: Durable
   storage:

docs/examples/restore/restored-mysql.yaml

@@ -1,12 +1,12 @@
-apiVersion: kubedb.com/v1alpha1
+apiVersion: kubedb.com/v1alpha2
 kind: MySQL
 metadata:
   name: restored-mysql
   namespace: demo
 spec:
-  version: "8.0.14"
-  databaseSecret:
-    secretName: sample-mysql-auth
+  version: "8.0.21-v1"
+  authSecret:
+    name: sample-mysql-auth
   replicas: 1
   storageType: Durable
   storage:
@@ -15,7 +15,4 @@ spec:
     resources:
       requests:
         storage: 50Mi
-  init:
-    stashRestoreSession:
-      name: restore-sample-mysql
   terminationPolicy: WipeOut

docs/mysql.md

@@ -54,13 +54,13 @@ Let's deploy a sample MySQL database and insert some data into it.
 Below is the YAML of a sample MySQL CRD that we are going to create for this tutorial:
 
 ```yaml
-apiVersion: kubedb.com/v1alpha1
+apiVersion: kubedb.com/v1alpha2
 kind: MySQL
 metadata:
   name: sample-mysql
   namespace: demo
 spec:
-  version: "8.0.14"
+  version: "8.0.21-v1"
   replicas: 1
   storageType: Durable
   storage:
@@ -166,16 +166,16 @@ The following YAML shows a minimal AppBinding specification that you have to cre
 apiVersion: appcatalog.appscode.com/v1alpha1
 kind: AppBinding
 metadata:
-  name: <my_custom_appbinding_name>
-  namespace: <my_database_namespace>
+  name: my-custom-appbinding-name
+  namespace: my-database-namespace
 spec:
   clientConfig:
     service:
-      name: <my_database_service_name>
-      port: <my_database_port_number>
+      name: my-database-service-name
+      port: 3306 # my_database_port_number
       scheme: mysql
   secret:
-    name: <my_database_credentials_secret_name>
+    name: my-database-credentials-secret-name
   # type field is optional. you can keep it empty.
   # if you keep it empty then the value of TARGET_APP_RESOURCE variable
   # will be set to "appbinding" during auto-backup.
@@ -439,15 +439,15 @@ Now, we have to deploy the restored database similarly as we have deployed the o
 Below is the YAML for `MySQL` CRD we are going deploy to initialize from backup,
 
 ```yaml
-apiVersion: kubedb.com/v1alpha1
+apiVersion: kubedb.com/v1alpha2
 kind: MySQL
 metadata:
   name: restored-mysql
   namespace: demo
 spec:
-  version: "8.0.14"
-  databaseSecret:
-    secretName: sample-mysql-auth
+  version: "8.0.21-v1"
+  authSecret:
+    name: sample-mysql-auth
   replicas: 1
   storageType: Durable
   storage:
@@ -456,9 +456,6 @@ spec:
     resources:
       requests:
         storage: 50Mi
-  init:
-    stashRestoreSession:
-      name: sample-mysql-restore
   terminationPolicy: WipeOut
 ```
 

pkg/backup.go

@@ -19,6 +19,8 @@ package pkg
 import (
 	"context"
 	"fmt"
+	"io/ioutil"
+	"os"
 	"path/filepath"
 	"strings"
 
@@ -38,14 +40,17 @@ import (
 	v1 "kmodules.xyz/offshoot-api/api/v1"
 )
 
+const (
+	MySQLTLSRootCA = "ca.crt"
+)
+
 func NewCmdBackup() *cobra.Command {
 	var (
 		masterURL      string
 		kubeconfigPath string
 		opt            = mysqlOptions{
 
-			myArgs:      "--all-databases",
-			waitTimeout: 300,
+			myArgs: "--all-databases",
 			setupOptions: restic.SetupOptions{
 				ScratchDir:  restic.DefaultScratchDir,
 				EnableCache: false,
@@ -221,8 +226,20 @@ func (opt *mysqlOptions) backupMySQL(targetRef api_v1beta1.TargetRef) (*restic.B
 		opt.backupOptions.StdinPipeCommand.Args = append(opt.backupOptions.StdinPipeCommand.Args, arg)
 	}
 
+	// if ssl enabled, add ca.crt in the arguments
+	if appBinding.Spec.ClientConfig.CABundle != nil {
+		if err := ioutil.WriteFile(filepath.Join(opt.setupOptions.ScratchDir, MySQLTLSRootCA), appBinding.Spec.ClientConfig.CABundle, os.ModePerm); err != nil {
+			return nil, err
+		}
+		tlsCreds := []interface{}{
+			fmt.Sprintf("--ssl-ca=%v", filepath.Join(opt.setupOptions.ScratchDir, MySQLTLSRootCA)),
+		}
+
+		opt.backupOptions.StdinPipeCommand.Args = append(opt.backupOptions.StdinPipeCommand.Args, tlsCreds...)
+	}
+
 	// wait for DB ready
-	err = waitForDBReady(appBinding, appBindingSecret, opt.waitTimeout)
+	err = opt.waitForDBReady(appBinding, appBindingSecret)
 	if err != nil {
 		return nil, err
 	}

pkg/restore.go

@@ -19,6 +19,8 @@ package pkg
 import (
 	"context"
 	"fmt"
+	"io/ioutil"
+	"os"
 	"path/filepath"
 	"strings"
 
@@ -190,8 +192,20 @@ func (opt *mysqlOptions) restoreMySQL(targetRef api_v1beta1.TargetRef) (*restic.
 		opt.dumpOptions.StdoutPipeCommand.Args = append(opt.dumpOptions.StdoutPipeCommand.Args, arg)
 	}
 
+	// if ssl enabled, add ca.crt in the arguments
+	if appBinding.Spec.ClientConfig.CABundle != nil {
+		if err := ioutil.WriteFile(filepath.Join(opt.setupOptions.ScratchDir, MySQLTLSRootCA), appBinding.Spec.ClientConfig.CABundle, os.ModePerm); err != nil {
+			return nil, err
+		}
+		tlsCreds := []interface{}{
+			fmt.Sprintf("--ssl-ca=%v", filepath.Join(opt.setupOptions.ScratchDir, MySQLTLSRootCA)),
+		}
+
+		opt.dumpOptions.StdoutPipeCommand.Args = append(opt.dumpOptions.StdoutPipeCommand.Args, tlsCreds...)
+	}
+
 	// wait for DB ready
-	err = waitForDBReady(appBinding, appBindingSecret, opt.waitTimeout)
+	err = opt.waitForDBReady(appBinding, appBindingSecret)
 	if err != nil {
 		return nil, err
 	}

pkg/utils.go

@@ -18,15 +18,14 @@ package pkg
 
 import (
 	"fmt"
-	"time"
+	"path/filepath"
 
 	stash "stash.appscode.dev/apimachinery/client/clientset/versioned"
 	"stash.appscode.dev/apimachinery/pkg/restic"
 
 	"github.com/codeskyblue/go-sh"
 	"gomodules.xyz/x/log"
 	core "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
 	"kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1"
 	appcatalog_cs "kmodules.xyz/custom-resources/client/clientset/versioned"
@@ -58,7 +57,7 @@ type mysqlOptions struct {
 	dumpOptions   restic.DumpOptions
 }
 
-func waitForDBReady(appBinding *v1alpha1.AppBinding, secret *core.Secret, waitTimeout int32) error {
+func (opt *mysqlOptions) waitForDBReady(appBinding *v1alpha1.AppBinding, secret *core.Secret) error {
 	log.Infoln("Waiting for the database to be ready.....")
 	shell := sh.NewSession()
 	shell.SetEnv(EnvMySqlPassword, string(secret.Data[MySqlPassword]))
@@ -70,17 +69,14 @@ func waitForDBReady(appBinding *v1alpha1.AppBinding, secret *core.Secret, waitTi
 		args = append(args, fmt.Sprintf("--port=%d", appBinding.Spec.ClientConfig.Service.Port))
 	}
 
+	if appBinding.Spec.ClientConfig.CABundle != nil {
+		args = append(args, fmt.Sprintf("--ssl-ca=%v", filepath.Join(opt.setupOptions.ScratchDir, MySQLTLSRootCA)))
+	}
+
 	// Execute "SELECT 1" query to the database. It should return an error when mysqld is not ready.
 	args = append(args, "-e", "SELECT 1;")
 
 	// don't show the output of the query
 	shell.Stdout = nil
-	return wait.PollImmediate(5*time.Second, time.Duration(waitTimeout)*time.Second, func() (done bool, err error) {
-		if err := shell.Command("mysql", args...).Run(); err == nil {
-			log.Infoln("Database is accepting connection....")
-			return true, nil
-		}
-		log.Infoln("Retrying after 5 seconds....")
-		return false, nil
-	})
+	return shell.Command("mysql", args...).Run()
 }