Merge branch 'main' into K8SPS-73-self-healing

Author: tplavcic

api/v1alpha1/perconaservermysql_types.go

@@ -29,6 +29,7 @@ import (
 	"github.com/percona/percona-server-mysql-operator/pkg/version"
 
 	"github.com/pkg/errors"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -41,23 +42,24 @@ import (
 
 // PerconaServerMySQLSpec defines the desired state of PerconaServerMySQL
 type PerconaServerMySQLSpec struct {
-	CRVersion             string           `json:"crVersion,omitempty"`
-	Pause                 bool             `json:"pause,omitempty"`
-	SecretsName           string           `json:"secretsName,omitempty"`
-	SSLSecretName         string           `json:"sslSecretName,omitempty"`
-	SSLInternalSecretName string           `json:"sslInternalSecretName,omitempty"`
-	AllowUnsafeConfig     bool             `json:"allowUnsafeConfigurations,omitempty"`
-	InitImage             string           `json:"initImage,omitempty"`
-	IgnoreAnnotations     []string         `json:"ignoreAnnotations,omitempty"`
-	IgnoreLabels          []string         `json:"ignoreLabels,omitempty"`
-	MySQL                 MySQLSpec        `json:"mysql,omitempty"`
-	Orchestrator          OrchestratorSpec `json:"orchestrator,omitempty"`
-	PMM                   *PMMSpec         `json:"pmm,omitempty"`
-	Backup                *BackupSpec      `json:"backup,omitempty"`
-	Proxy                 ProxySpec        `json:"proxy,omitempty"`
-	TLS                   *TLSSpec         `json:"tls,omitempty"`
-	Toolkit               *ToolkitSpec     `json:"toolkit,omitempty"`
-	UpgradeOptions        UpgradeOptions   `json:"upgradeOptions,omitempty"`
+	CRVersion             string                               `json:"crVersion,omitempty"`
+	Pause                 bool                                 `json:"pause,omitempty"`
+	SecretsName           string                               `json:"secretsName,omitempty"`
+	SSLSecretName         string                               `json:"sslSecretName,omitempty"`
+	SSLInternalSecretName string                               `json:"sslInternalSecretName,omitempty"`
+	AllowUnsafeConfig     bool                                 `json:"allowUnsafeConfigurations,omitempty"`
+	InitImage             string                               `json:"initImage,omitempty"`
+	IgnoreAnnotations     []string                             `json:"ignoreAnnotations,omitempty"`
+	IgnoreLabels          []string                             `json:"ignoreLabels,omitempty"`
+	MySQL                 MySQLSpec                            `json:"mysql,omitempty"`
+	Orchestrator          OrchestratorSpec                     `json:"orchestrator,omitempty"`
+	PMM                   *PMMSpec                             `json:"pmm,omitempty"`
+	Backup                *BackupSpec                          `json:"backup,omitempty"`
+	Proxy                 ProxySpec                            `json:"proxy,omitempty"`
+	TLS                   *TLSSpec                             `json:"tls,omitempty"`
+	Toolkit               *ToolkitSpec                         `json:"toolkit,omitempty"`
+	UpgradeOptions        UpgradeOptions                       `json:"upgradeOptions,omitempty"`
+	UpdateStrategy        appsv1.StatefulSetUpdateStrategyType `json:"updateStrategy,omitempty"`
 }
 
 type TLSSpec struct {
@@ -410,7 +412,6 @@ const (
 	UserOperator     SystemUser = "operator"
 	UserOrchestrator SystemUser = "orchestrator"
 	UserPMMServerKey SystemUser = "pmmserverkey"
-	UserProxyAdmin   SystemUser = "proxyadmin"
 	UserReplication  SystemUser = "replication"
 	UserRoot         SystemUser = "root"
 	UserXtraBackup   SystemUser = "xtrabackup"
@@ -675,6 +676,12 @@ func (cr *PerconaServerMySQL) CheckNSetDefaults(ctx context.Context, serverVersi
 		cr.Spec.SSLSecretName = cr.Name + "-ssl"
 	}
 
+	if cr.Spec.UpdateStrategy == SmartUpdateStatefulSetStrategyType &&
+		!cr.HAProxyEnabled() &&
+		!cr.RouterEnabled() {
+		return errors.Errorf("MySQL Router or HAProxy should be enabled if SmartUpdate set")
+	}
+
 	return nil
 }
 
@@ -894,6 +901,9 @@ func init() {
 	SchemeBuilder.Register(&PerconaServerMySQL{}, &PerconaServerMySQLList{})
 }
 
+// SmartUpdateStatefulSetStrategyType
+const SmartUpdateStatefulSetStrategyType appsv1.StatefulSetUpdateStrategyType = "SmartUpdate"
+
 type UpgradeOptions struct {
 	VersionServiceEndpoint string `json:"versionServiceEndpoint,omitempty"`
 	Apply                  string `json:"apply,omitempty"`

build/ps-entrypoint.sh

@@ -275,7 +275,7 @@ if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then
 			# no, we don't care if read finds a terminating character in this heredoc
 			# https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151
 			read -r -d '' rootCreate <<-EOSQL || true
-				CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
+				CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' PASSWORD EXPIRE NEVER;
 				GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ;
 			EOSQL
 		fi
@@ -288,9 +288,20 @@ if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then
 		file_env 'OPERATOR_ADMIN_PASSWORD' '' 'operator'
 		file_env 'XTRABACKUP_PASSWORD' '' 'xtrabackup'
 		file_env 'HEARTBEAT_PASSWORD' '' 'heartbeat'
+
 		read -r -d '' monitorConnectGrant <<-EOSQL || true
 			GRANT SERVICE_CONNECTION_ADMIN ON *.* TO 'monitor'@'${MONITOR_HOST}';
 		EOSQL
+
+		if [ "$CLUSTER_TYPE" == 'async' ]; then
+			read -r -d '' replicationCreate <<-EOSQL || true
+				CREATE USER 'replication'@'%' IDENTIFIED BY '${REPLICATION_PASSWORD}' PASSWORD EXPIRE NEVER;
+				GRANT DELETE, INSERT, UPDATE ON mysql.* TO 'replication'@'%' WITH GRANT OPTION;
+				GRANT SELECT ON performance_schema.threads to 'replication'@'%';
+				GRANT SYSTEM_USER, REPLICATION SLAVE, BACKUP_ADMIN, GROUP_REPLICATION_STREAM, CLONE_ADMIN, CONNECTION_ADMIN, CREATE USER, EXECUTE, FILE, GROUP_REPLICATION_ADMIN, PERSIST_RO_VARIABLES_ADMIN, PROCESS, RELOAD, REPLICATION CLIENT, REPLICATION_APPLIER, REPLICATION_SLAVE_ADMIN, ROLE_ADMIN, SELECT, SHUTDOWN, SYSTEM_VARIABLES_ADMIN ON *.* TO 'replication'@'%' WITH GRANT OPTION;
+			EOSQL
+		fi
+
 		"${mysql[@]}" <<-EOSQL
 			-- What's done in this file shouldn't be replicated
 			--  or products like mysql-fabric won't work
@@ -302,35 +313,29 @@ if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then
 			${rootCreate}
 			/*!80016 REVOKE SYSTEM_USER ON *.* FROM root */;
 
-			CREATE USER 'operator'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${OPERATOR_ADMIN_PASSWORD}' ;
+			CREATE USER 'operator'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${OPERATOR_ADMIN_PASSWORD}' PASSWORD EXPIRE NEVER;
 			GRANT ALL ON *.* TO 'operator'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ;
 
-			CREATE USER 'xtrabackup'@'localhost' IDENTIFIED BY '${XTRABACKUP_PASSWORD}';
+			CREATE USER 'xtrabackup'@'localhost' IDENTIFIED BY '${XTRABACKUP_PASSWORD}' PASSWORD EXPIRE NEVER;
 			GRANT SYSTEM_USER, BACKUP_ADMIN, PROCESS, RELOAD, GROUP_REPLICATION_ADMIN, REPLICATION_SLAVE_ADMIN, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'xtrabackup'@'localhost';
 			GRANT SELECT ON performance_schema.replication_group_members TO 'xtrabackup'@'localhost';
 			GRANT SELECT ON performance_schema.log_status TO 'xtrabackup'@'localhost';
 			GRANT SELECT ON performance_schema.keyring_component_status TO 'xtrabackup'@'localhost';
 
-			CREATE USER 'monitor'@'${MONITOR_HOST}' IDENTIFIED BY '${MONITOR_PASSWORD}' WITH MAX_USER_CONNECTIONS 100;
+			CREATE USER 'monitor'@'${MONITOR_HOST}' IDENTIFIED BY '${MONITOR_PASSWORD}' WITH MAX_USER_CONNECTIONS 100 PASSWORD EXPIRE NEVER;
 			GRANT SYSTEM_USER, SELECT, PROCESS, SUPER, REPLICATION CLIENT, RELOAD, BACKUP_ADMIN ON *.* TO 'monitor'@'${MONITOR_HOST}';
 			GRANT SELECT ON performance_schema.* TO 'monitor'@'${MONITOR_HOST}';
 			${monitorConnectGrant}
 
-			CREATE USER 'replication'@'%' IDENTIFIED BY '${REPLICATION_PASSWORD}';
-			GRANT DELETE, INSERT, UPDATE ON mysql.* TO 'replication'@'%' WITH GRANT OPTION;
-			GRANT SELECT ON performance_schema.threads to 'replication'@'%';
-			GRANT SYSTEM_USER, REPLICATION SLAVE, BACKUP_ADMIN, GROUP_REPLICATION_STREAM, CLONE_ADMIN, CONNECTION_ADMIN, CREATE USER, EXECUTE, FILE, GROUP_REPLICATION_ADMIN, PERSIST_RO_VARIABLES_ADMIN, PROCESS, RELOAD, REPLICATION CLIENT, REPLICATION_APPLIER, REPLICATION_SLAVE_ADMIN, ROLE_ADMIN, SELECT, SHUTDOWN, SYSTEM_VARIABLES_ADMIN ON *.* TO 'replication'@'%' WITH GRANT OPTION;
-			GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, INDEX, INSERT, LOCK TABLES, REFERENCES, SHOW VIEW, TRIGGER, UPDATE ON mysql_innodb_cluster_metadata.* TO 'replication'@'%' WITH GRANT OPTION;
-			GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, INDEX, INSERT, LOCK TABLES, REFERENCES, SHOW VIEW, TRIGGER, UPDATE ON mysql_innodb_cluster_metadata_bkp.* TO 'replication'@'%' WITH GRANT OPTION;
-			GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, INDEX, INSERT, LOCK TABLES, REFERENCES, SHOW VIEW, TRIGGER, UPDATE ON mysql_innodb_cluster_metadata_previous.* TO 'replication'@'%' WITH GRANT OPTION;
+			${replicationCreate}
 
-			CREATE USER 'orchestrator'@'%' IDENTIFIED BY '${ORC_TOPOLOGY_PASSWORD}';
+			CREATE USER 'orchestrator'@'%' IDENTIFIED BY '${ORC_TOPOLOGY_PASSWORD}' PASSWORD EXPIRE NEVER;
 			GRANT SYSTEM_USER, SUPER, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT, RELOAD ON *.* TO 'orchestrator'@'%';
 			GRANT SELECT ON mysql.slave_master_info TO 'orchestrator'@'%';
 			GRANT SELECT ON sys_operator.* TO 'orchestrator'@'%';
 
 			CREATE DATABASE IF NOT EXISTS sys_operator;
-			CREATE USER 'heartbeat'@'localhost' IDENTIFIED BY '${HEARTBEAT_PASSWORD}';
+			CREATE USER 'heartbeat'@'localhost' IDENTIFIED BY '${HEARTBEAT_PASSWORD}' PASSWORD EXPIRE NEVER;
 			GRANT SYSTEM_USER, REPLICATION CLIENT ON *.* TO 'heartbeat'@'localhost';
 			GRANT SELECT, CREATE, DELETE, UPDATE, INSERT ON sys_operator.heartbeat TO 'heartbeat'@'localhost';
 

cmd/bootstrap/async_replication.go

@@ -87,7 +87,7 @@ func bootstrapAsyncReplication(ctx context.Context) error {
 		return errors.Wrapf(err, "get %s password", apiv1alpha1.UserOperator)
 	}
 
-	db, err := replicator.NewReplicator(ctx, "operator", operatorPass, podIp, mysql.DefaultAdminPort)
+	db, err := replicator.NewReplicator(ctx, apiv1alpha1.UserOperator, operatorPass, podIp, mysql.DefaultAdminPort)
 	if err != nil {
 		return errors.Wrap(err, "connect to db")
 	}
@@ -142,7 +142,7 @@ func bootstrapAsyncReplication(ctx context.Context) error {
 
 		timer.Start("clone")
 		log.Printf("Cloning from %s", donor)
-		err = db.Clone(ctx, donor, "operator", operatorPass, mysql.DefaultAdminPort)
+		err = db.Clone(ctx, donor, string(apiv1alpha1.UserOperator), operatorPass, mysql.DefaultAdminPort)
 		timer.Stop("clone")
 		if err != nil && !errors.Is(err, replicator.ErrRestartAfterClone) {
 			return errors.Wrapf(err, "clone from donor %s", donor)
@@ -204,7 +204,7 @@ func getTopology(ctx context.Context, peers sets.Set[string]) (string, []string,
 	}
 
 	for _, peer := range sets.List(peers) {
-		db, err := replicator.NewReplicator(ctx, "operator", operatorPass, peer, mysql.DefaultAdminPort)
+		db, err := replicator.NewReplicator(ctx, apiv1alpha1.UserOperator, operatorPass, peer, mysql.DefaultAdminPort)
 		if err != nil {
 			return "", nil, errors.Wrapf(err, "connect to %s", peer)
 		}
@@ -251,7 +251,7 @@ func selectDonor(ctx context.Context, fqdn, primary string, replicas []string) (
 	}
 
 	for _, replica := range replicas {
-		db, err := replicator.NewReplicator(ctx, "operator", operatorPass, replica, mysql.DefaultAdminPort)
+		db, err := replicator.NewReplicator(ctx, apiv1alpha1.UserOperator, operatorPass, replica, mysql.DefaultAdminPort)
 		if err != nil {
 			continue
 		}

config/crd/bases/ps.percona.com_perconaservermysqls.yaml

@@ -7135,6 +7135,8 @@ spec:
                 required:
                 - image
                 type: object
+              updateStrategy:
+                type: string
               upgradeOptions:
                 properties:
                   apply:

deploy/bundle.yaml

@@ -8747,6 +8747,8 @@ spec:
                 required:
                 - image
                 type: object
+              updateStrategy:
+                type: string
               upgradeOptions:
                 properties:
                   apply:

deploy/cr.yaml

@@ -11,6 +11,7 @@ spec:
   crVersion: 0.6.0
   secretsName: cluster1-secrets
   sslSecretName: cluster1-ssl
+  updateStrategy: SmartUpdate
   upgradeOptions:
     versionServiceEndpoint: https://check.percona.com
     apply: disabled

deploy/crd.yaml

@@ -8747,6 +8747,8 @@ spec:
                 required:
                 - image
                 type: object
+              updateStrategy:
+                type: string
               upgradeOptions:
                 properties:
                   apply:

e2e-tests/run-distro.csv

@@ -9,6 +9,7 @@ gr-one-pod
 gr-scaling
 gr-self-healing
 gr-tls-cert-manager
+gr-users
 haproxy
 init-deploy
 monitoring
@@ -18,5 +19,6 @@ scaling
 self-healing
 service-per-pod
 sidecars
+smart-update
 tls-cert-manager
 users

e2e-tests/run-minikube.csv

@@ -9,12 +9,14 @@ gr-one-pod
 gr-scaling
 gr-self-healing
 gr-tls-cert-manager
+gr-users
 haproxy
 init-deploy
 one-pod
 operator-self-healing
 self-healing
 sidecars
+smart-update
 tls-cert-manager
 users
 version-service

e2e-tests/run-pr.csv

@@ -12,6 +12,7 @@ gr-one-pod
 gr-scaling
 gr-self-healing
 gr-tls-cert-manager
+gr-users
 haproxy
 init-deploy
 limits
@@ -22,6 +23,7 @@ scaling
 self-healing
 service-per-pod
 sidecars
+smart-update
 tls-cert-manager
 users
 version-service

e2e-tests/run-release.csv

@@ -11,6 +11,7 @@ gr-one-pod
 gr-scaling
 gr-self-healing
 gr-tls-cert-manager
+gr-users
 haproxy
 init-deploy
 limits
@@ -21,6 +22,7 @@ scaling
 self-healing
 service-per-pod
 sidecars
+smart-update
 tls-cert-manager
 users
 version-service

e2e-tests/tests/gr-users/00-assert.yaml

@@ -0,0 +1,34 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 120
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: perconaservermysqls.ps.percona.com
+spec:
+  group: ps.percona.com
+  names:
+    kind: PerconaServerMySQL
+    listKind: PerconaServerMySQLList
+    plural: perconaservermysqls
+    shortNames:
+    - ps
+    singular: perconaservermysql
+  scope: Namespaced
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: percona-server-mysql-operator
+status:
+  availableReplicas: 1
+  observedGeneration: 1
+  readyReplicas: 1
+  replicas: 1
+  updatedReplicas: 1
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: mysql-client

e2e-tests/tests/gr-users/00-deploy-operator.yaml

@@ -0,0 +1,14 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+timeout: 10
+commands:
+  - script: |-
+      set -o errexit
+      set -o xtrace
+
+      source ../../functions
+
+      deploy_operator
+      deploy_non_tls_cluster_secrets
+      deploy_tls_cluster_secrets
+      deploy_client

e2e-tests/tests/gr-users/01-assert.yaml

@@ -0,0 +1,24 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 420
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  generation: 1
+  name: gr-users-mysql
+status:
+  observedGeneration: 1
+  replicas: 3
+  readyReplicas: 3
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  generation: 1
+  name: gr-users-router
+status:
+  observedGeneration: 1
+  readyReplicas: 3
+  replicas: 3
+  updatedReplicas: 3

e2e-tests/tests/gr-users/01-create-cluster.yaml

@@ -0,0 +1,17 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+timeout: 10
+commands:
+  - script: |-
+      set -o errexit
+      set -o xtrace
+
+      source ../../functions
+
+      get_cr \
+        | yq eval '.spec.mysql.clusterType="group-replication"' - \
+        | yq eval '.spec.mysql.size=3' - \
+        | yq eval '.spec.proxy.haproxy.enabled=false' - \
+        | yq eval '.spec.proxy.router.enabled=true' - \
+        | yq eval '.spec.proxy.router.size=3' - \
+        | kubectl -n "${NAMESPACE}" apply -f -