Flexible tidb initializer job with secret set outside of helm

charts/tidb-cluster/templates/NOTES.txt

@@ -3,17 +3,17 @@ Cluster Startup
      watch kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} -o wide
 2. List services in the tidb-cluster
      kubectl get services --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
-{{- if .Values.tidb.password }}
+{{- if .Values.tidb.passwordSecret }}
 3. Wait until tidb-initializer pod becomes completed
      watch kubectl get po --namespace {{ .Release.Namespace }}  -l app.kubernetes.io/component=tidb-initializer
 4. Get the TiDB password
-     kubectl get secret -n {{ .Release.Namespace }} {{ .Values.clusterName }}-tidb -o jsonpath="{.data.password}" | base64 --decode | awk '{print $6}'
-{{- end -}}
+     kubectl get secret -n {{ .Release.Namespace }} {{ .Values.tidb.passwordSecret }} -ojsonpath='{.data.root}' | base64 --decode
+{{- end }}
 
 Cluster access
 * Access tidb-cluster using the MySQL client
     kubectl port-forward -n {{ .Release.Namespace }} svc/{{ .Values.clusterName }}-tidb 4000:4000 &
-{{- if .Values.tidb.password }}
+{{- if .Values.tidb.passwordSecret }}
     mysql -h 127.0.0.1 -P 4000 -u root -D test -p
 {{- else -}}
     mysql -h 127.0.0.1 -P 4000 -u root -D test

charts/tidb-cluster/templates/tidb-configmap.yaml

@@ -11,7 +11,10 @@ metadata:
 data:
   startup-script: |-
 {{ tuple "scripts/_start_tidb.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-
+  {{- if .Values.tidb.initSql }}
+  init-sql: |-
+{{ .Values.tidb.initSql | indent 4 }}
+  {{- end }}
   config-file: |-
     {{- if .Values.tidb.config }}
 {{ .Values.tidb.config | indent 4 }}

charts/tidb-cluster/templates/tidb-initializer-job.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.tidb.password }}
+{{- if (.Values.tidb.passwordSecret) or (.Values.tidb.initSql) }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -10,6 +10,7 @@ metadata:
     app.kubernetes.io/component: tidb-initializer
     helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
 spec:
+  backoffLimit: 1000
   template:
     metadata:
       labels:
@@ -23,22 +24,50 @@ spec:
         image: {{ .Values.mysqlClient.image }}
         imagePullPolicy: {{ .Values.mysqlClient.imagePullPolicy | default "IfNotPresent" }}
         command:
-        - /bin/sh
+        - python
         - -c
-        # Read sql from file to avoid special characters interpreted as builtin variable
-        # And also avoid plain text password show in Job and Pod spec
-        # Besides we can also add more SQL in the file for initialization, eg. create database, create user etc
         - |
-          until mysql -h {{ .Values.clusterName }}-tidb -P 4000 --connect-timeout=5 < /data/init-password.sql; do sleep 2; done
+          import os, MySQLdb
+          host = {{ printf "%s-tidb" .Values.clusterName | quote }}
+          port = 4000
+          root_password = os.environ.get('ROOT_PASSWORD')
+          system_password = os.environ.get('SYSTEM_PASSWORD')
+          conn = MySQLdb.connect(host=host, port=port, user='root', connect_timeout=5)
+          if root_password:
+              conn.cursor().execute("set password for 'root'@'%%' = %s;", (root_password,))
+          if system_password:
+              conn.cursor().execute("create user 'system'@'%%' identified by %s;", (system_password,))
+          conn.cursor().execute("flush privileges;")
+          conn.commit()
+          {{- if .Values.tidb.initSql }}
+          with open('/data/init.sql', 'r') as sql:
+              for line in sql.readlines():
+                  conn.cursor().execute(line)
+                  conn.commit()
+          {{- end }}
+        env:
+        - name: ROOT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.tidb.passwordSecret }}
+              key: root
+        - name: SYSTEM_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.tidb.passwordSecret }}
+              key: system
+              optional: true
+      {{- if .Values.tidb.initSql }}
         volumeMounts:
-        - name: password
+        - name: init-sql
           mountPath: /data
           readOnly: true
       volumes:
-      - name: password
-        secret:
-          secretName: {{ .Values.clusterName }}-tidb
+      - name: init-sql
+        configMap:
+          name: {{ .Values.clusterName }}-tidb
           items:
-          - key: password
-            path: init-password.sql
+          - key: init-sql
+            path: init.sql
+      {{- end }}
 {{- end }}

charts/tidb-cluster/values.yaml

@@ -145,10 +145,13 @@ tikvPromGateway:
 
 tidb:
   replicas: 2
-  # The password to access TiDB
-  # If set, the password will be stored both in helm and in a Secret
+  # The secret name of root password, you can create secret with following command:
+  # kubectl create secret generic tidb-secret --from-literal=root=<root-password>
   # If unset, the root password will be empty and you can set it after connecting
-  # password: "admin"
+  # passwordSecret: tidb-secret
+  # initSql is the SQL statements executed after the TiDB cluster is bootstrapped.
+  # initSql: |-
+  #   create database app;
   image: pingcap/tidb:v2.1.0
   # Image pull policy.
   imagePullPolicy: IfNotPresent
@@ -177,8 +180,9 @@ tidb:
       # cloud.google.com/load-balancer-type: Internal
 
 # mysqlClient is used to set password for TiDB
+# it must has Python MySQL client installed
 mysqlClient:
-  image: pingcap/tidb-enterprise-tools:latest
+  image: tnir/mysqlclient
   imagePullPolicy: IfNotPresent
 
 monitor: