galera: support mariabackup SST method

Make the SST method configurable in the galera custom resource, and
allow both rsync and mariabackup methods.
Mariabackup requires a database user's credentials to operate, so
reuse the root db user for the time being.

Jira: OSPRH-10195

Author: dciabrin

api/bases/mariadb.openstack.org_galeras.yaml

@@ -78,6 +78,13 @@ spec:
               secret:
                 description: Name of the secret to look for password keys
                 type: string
+              sst:
+                default: rsync
+                description: Snapshot State Transfer method to use for full node synchronization
+                enum:
+                - rsync
+                - mariabackup
+                type: string
               storageClass:
                 description: Storage class to host the mariadb databases
                 type: string

api/v1beta1/galera_types.go

@@ -80,8 +80,21 @@ type GaleraSpecCore struct {
 	// +kubebuilder:validation:Optional
 	// Log Galera pod's output to disk
 	LogToDisk bool `json:"logToDisk"`
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=rsync
+	// +kubebuilder:validation:Enum=rsync;mariabackup
+	// Snapshot State Transfer method to use for full node synchronization
+	SST GaleraSST `json:"sst"`
 }
 
+// Supported SST type
+type GaleraSST string
+
+const (
+	RSync       GaleraSST = "rsync"
+	MariaBackup GaleraSST = "mariabackup"
+)
+
 // GaleraAttributes holds startup information for a Galera host
 type GaleraAttributes struct {
 	// Last recorded replication sequence number in the DB

config/crd/bases/mariadb.openstack.org_galeras.yaml

@@ -78,6 +78,13 @@ spec:
               secret:
                 description: Name of the secret to look for password keys
                 type: string
+              sst:
+                default: rsync
+                description: Snapshot State Transfer method to use for full node synchronization
+                enum:
+                - rsync
+                - mariabackup
+                type: string
               storageClass:
                 description: Storage class to host the mariadb databases
                 type: string

config/samples/mariadb_v1beta1_galera_sst.yaml

@@ -0,0 +1,10 @@
+apiVersion: mariadb.openstack.org/v1beta1
+kind: Galera
+metadata:
+  name: openstack
+spec:
+  secret: osp-secret
+  storageClass: local-storage
+  storageRequest: 500M
+  replicas: 3
+  sst: mariabackup

pkg/mariadb/volumes.go

@@ -37,6 +37,13 @@ func getGaleraVolumes(g *mariadbv1.Galera) []corev1.Volume {
 		}
 	}
 
+	if g.Spec.SST == mariadbv1.MariaBackup {
+		configTemplates = append(configTemplates, corev1.KeyToPath{
+			Key:  "galera_sst_mariabackup.cnf.in",
+			Path: "galera_sst_mariabackup.cnf.in",
+		})
+	}
+
 	volumes := []corev1.Volume{
 		{
 			Name: "secrets",

templates/galera/bin/mysql_bootstrap.sh

@@ -1,5 +1,10 @@
 #!/bin/bash
-set +eux
+set +eu
+
+init_error() {
+    echo "Container initialization failed at $(caller)." >&2
+}
+trap init_error ERR
 
 if [ -e /var/lib/mysql/mysql ]; then
     echo -e "Database already exists. Reuse it."
@@ -27,24 +32,34 @@ if [ "$(sysctl -n crypto.fips_enabled)" == "1" ]; then
 else
     SSL_CIPHER='AES128-SHA256'
 fi
+export SSL_CIPHER
 
 PODNAME=$(hostname -f | cut -d. -f1,2)
 PODIPV4=$(grep "${PODNAME}" /etc/hosts | grep -v ':' | cut -d$'\t' -f1)
 PODIPV6=$(grep "${PODNAME}" /etc/hosts | grep ':' | cut -d$'\t' -f1)
+if [[ "" = "${PODIPV6}" ]]; then
+    PODIP="${PODIPV4}"
+    IPSTACK="IPV4"
+else
+    PODIP="[::]"
+    IPSTACK="IPV6"
+fi
+export PODNAME PODIP
+
+# mariabackup: default credentials if no configuration was provided
+: ${MARIABACKUP_USER=root}
+: ${MARIABACKUP_PASSWORD=$DB_ROOT_PASSWORD}
+export MARIABACKUP_USER MARIABACKUP_PASSWORD
 
 cd /var/lib/config-data/default
 for cfg in *.cnf.in; do
     if [ -s "${cfg}" ]; then
-
-        if [[ "" = "${PODIPV6}" ]]; then
-            PODIP="${PODIPV4}"
-            IPSTACK="IPV4"
-        else
-            PODIP="[::]"
-            IPSTACK="IPV6"
-        fi
-
         echo "Generating config file from template ${cfg}, will use ${IPSTACK} listen address of ${PODIP}"
-        sed -e "s/{ PODNAME }/${PODNAME}/" -e "s/{ PODIP }/${PODIP}/" -e "s/{ SSL_CIPHER }/${SSL_CIPHER}/" "/var/lib/config-data/default/${cfg}" > "/var/lib/config-data/generated/${cfg%.in}"
+        # replace all occurrences of "{ xxx }" with their value from environment
+        awk '{
+patsplit($0,markers,/{ (PODNAME|PODIP|SSL_CIPHER|MARIABACKUP_USER|MARIABACKUP_PASSWORD) }/);
+for(i in markers){ m=markers[i]; gsub(/\W/,"",m); gsub(markers[i], ENVIRON[m])};
+print $0
+}' "/var/lib/config-data/default/${cfg}" > "/var/lib/config-data/generated/${cfg%.in}"
     fi
 done

templates/galera/bin/mysql_probe.sh

@@ -2,7 +2,7 @@
 set -u
 
 # This secret is mounted by k8s and always up to date
-read -s -u 3 3< /var/lib/secrets/dbpassword MYSQL_PWD || true
+read -s -u 3 3< <(cat /var/lib/secrets/dbpassword; echo) MYSQL_PWD
 export MYSQL_PWD
 
 PROBE_USER=root

templates/galera/config/config.json

@@ -28,6 +28,13 @@
             "perm": "0644",
             "optional": true
         },
+        {
+            "source": "/var/lib/config-data/generated/galera_sst_mariabackup.cnf",
+            "dest": "/etc/my.cnf.d/galera_mariabackup.cnf",
+            "owner": "root",
+            "perm": "0644",
+            "optional": true
+        },
         {
             "source": "/var/lib/operator-scripts",
             "dest": "/usr/local/bin",

templates/galera/config/galera_sst_mariabackup.cnf.in

@@ -0,0 +1,3 @@
+[mysqld]
+wsrep_sst_method = mariabackup
+wsrep_sst_auth = root:{ MARIABACKUP_PASSWORD }

templates/galera/config/init_config.json

@@ -0,0 +1,10 @@
+{
+    "command": "/usr/bin/true",
+    "permissions": [
+        {
+            "path": "/var/lib/mysql",
+            "owner": "mysql:mysql",
+            "recurse": "true"
+        }
+    ]
+}