update tidb secret docs and charts (#398)

* update tidb secret docs and charts * update operation-guide.md * add _initialize_tidb_users.py.tpl
pingcap · Apr 17, 2019 · 5a7db94 · 5a7db94
1 parent b1c5ec6
commit 5a7db94
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 27 deletions.
diff --git a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl
@@ -0,0 +1,23 @@
+import os, MySQLdb
+host = '{{ template "cluster.name" . }}-tidb'
+port = 4000
+password_dir = '/etc/tidb/password'
+conn = MySQLdb.connect(host=host, port=port, user='root', connect_timeout=5)
+for file in os.listdir(password_dir):
+    if file.startswith('.'):
+        continue
+    user = file
+    with open(os.path.join(password_dir, file), 'r') as f:
+        password = f.read()
+    if user == 'root':
+        conn.cursor().execute("set password for 'root'@'%%' = %s;", (password,))
+    else:
+        conn.cursor().execute("create user %s@'%%' identified by %s;", (user, password,))
+conn.cursor().execute("flush privileges;")
+conn.commit()
+{{- if .Values.tidb.initSql }}
+with open('/data/init.sql', 'r') as sql:
+    for line in sql.readlines():
+        conn.cursor().execute(line)
+        conn.commit()
+{{- end }}
diff --git a/charts/tidb-cluster/templates/tidb-initializer-job.yaml b/charts/tidb-cluster/templates/tidb-initializer-job.yaml
@@ -27,29 +27,7 @@ spec:
         - python
         - -c
         - |
-          import os, MySQLdb
-          host = '{{ template "cluster.name" . }}-tidb'
-          port = 4000
-          password_dir = '/etc/tidb/password'
-          conn = MySQLdb.connect(host=host, port=port, user='root', connect_timeout=5)
-          for file in os.listdir(password_dir):
-              if file.startswith('.'):
-                  continue
-              user = file
-              with open(os.path.join(password_dir, file), 'r') as f:
-                  password = f.read()
-              if user == 'root':
-                  conn.cursor().execute("set password for 'root'@'%%' = %s;", (password,))
-              else:
-                  conn.cursor().execute("create user %s@'%%' identified by %s;", (user, password,))
-          conn.cursor().execute("flush privileges;")
-          conn.commit()
-          {{- if .Values.tidb.initSql }}
-          with open('/data/init.sql', 'r') as sql:
-              for line in sql.readlines():
-                  conn.cursor().execute(line)
-                  conn.commit()
-          {{- end }}
+{{ tuple "scripts/_initialize_tidb_users.py.tpl" . | include "helm-toolkit.utils.template" | indent 10 }}
         volumeMounts:
         - name: password
           mountPath: /etc/tidb/password

diff --git a/charts/tidb-cluster/values.yaml b/charts/tidb-cluster/values.yaml
@@ -149,7 +149,7 @@ tikvPromGateway:
 tidb:
   replicas: 2
   # The secret name of root password, you can create secret with following command:
-  # kubectl create secret generic tidb-secret --from-literal=root_password=<root-password>
+  # kubectl create secret generic tidb-secret --from-literal=root=<root-password> --namespace=<namespace>
   # If unset, the root password will be empty and you can set it after connecting
   # passwordSecretName: tidb-secret
   # initSql is the SQL statements executed after the TiDB cluster is bootstrapped.

diff --git a/docs/operation-guide.md b/docs/operation-guide.md
@@ -34,10 +34,17 @@ By default TiDB service is exposed using [`NodePort`](https://kubernetes.io/docs
 $ kubectl get svc -n ${namespace} # check the available services
 ```
 
-By default the TiDB cluster has no password set. You can specify a password by setting `tidb.password` in `values.yaml` before deploying. You can retrieve the password from the initialization `Secret`:
+By default the TiDB cluster has no root password set. Setting a password in helm is insecure. Instead you can set the name of a K8s secret as `tidb.passwordSecretName` in `values.yaml`. Note that this is only used to initialize users: once your tidb cluster is initialized you may delete the secret. The format of the secret is `user=password`, so you can set the root user password with:
+
+```
+kubectl create namespace ${namespace}
+kubectl create secret generic tidb-secret --from-literal=root=<root-password> --namespace=${namespace}
+```
+
+You can retrieve the password from the initialization `Secret`:
 
 ```shell
-$ PASSWORD=$(kubectl get secret -n ${namespace} ${releaseName}-tidb -ojsonpath="{.data.password}" | base64 --decode | awk '{print $6}')
+$ PASSWORD=$(kubectl get secret -n ${namespace} tidb-secret -ojsonpath="{.data.root}" | base64 --decode)
 $ echo ${PASSWORD}
 ```
 

diff --git a/images/tidb-operator-e2e/tidb-cluster-values.yaml b/images/tidb-operator-e2e/tidb-cluster-values.yaml
@@ -121,7 +121,7 @@ tikvPromGateway:
 tidb:
   replicas: 2
   # The secret name of root password, you can create secret with following command:
-  # kubectl create secret generic tidb-secret --from-literal=root_password=<root-password>
+  # kubectl create secret generic tidb-secret --from-literal=root=<root-password> --namespace=<namespace>
   # If unset, the root password will be empty and you can set it after connecting
   # passwordSecretName: tidb-secret
   # initSql is the SQL statements executed after the TiDB cluster is bootstrapped.