Can't change passwords in my-cluster-secrets

Hello, I’m facing a problem with changing passwords.
First I deploy percona-operator and my-cluster-secrets with default passwords:

root: cm9vdF9wYXNzd29yZA==
xtrabackup: YmFja3VwX3Bhc3N3b3Jk
monitor: bW9uaXRvcg==
clustercheck: Y2x1c3RlcmNoZWNrcGFzc3dvcmQ=
proxyadmin: YWRtaW5fcGFzc3dvcmQ=
pmmserver: c3VwYXxefHBheno=
operator: b3BlcmF0b3JhZG1pbg==
and everything’s ok.

Then I change the secrets to custom ones this way:

stringData:
  root: f13a826771
  operator: xkijmtfjz8
  monitor: 3i2sc5ehy2
  clustercheck: x1o5xeol9e
  proxyadmin: 1d567w40gs
  xtrabackup: f894n8na58
  pmmserver: x8gvn4n6kr

and remove these rows in proxysql config:

  admin_variables =
  {
    admin_credentials="proxyadmin:admin_password"
    cluster_username="proxyadmin"
    cluster_password="admin_password"
  mysql_variables=
  {
    monitor_password="monitor"

and the proxysql pods are restarting and start giving errors:

2021-01-20 13:43:07 MySQL_Session.cpp:4690:handler___status_CONNECTING_CLIENT___STATE_SERVER_HANDSHAKE(): [ERROR] ProxySQL Error: Access denied for user 'proxyadmin'@'127.0.0.1' (using password: YES)
2021-01-20 13:43:07 MySQL_Monitor.cpp:1785:monitor_galera_thread(): [ERROR] Server percona-pxc-1.percona-pxc.***.svc.cluster.local:3306 missed 3 Galera checks. Assuming offline

So,

  1. what could be the reason?
  2. what’s the correct procedure for changing passwords?
  3. should these options exist: “admin_credentials”, “cluster_username”, “cluster_password”, “monitor_password” in proxysql configuration?
  4. what is the purpose of the internal-percona secret, should there be any actions with it?

I can provide the cr.yml and operator-deployment.yml manifests, but I can’t attach them for now because that is restricted for new users.

Thank you.

Are you sure your passwords are base64 encoded in secrets.yaml? And next, did you re-deploy the secrets file?

Yes, k8s encodes them from string to base64 by itself if there is a “stringData” option. They match manual encoding with “echo -n … | base64”.

First it was k apply -f cluster-secrets-default.yml with default passwords, then k apply -f cluster-secrets-new.yml with custom.

I just tried setting up a cluster with initially custom passwords in secret. Errors with proxyadmin persist. But there is a strange thing: I can connect with the custom root password directly to mysql from pxc pod. Seems that the secret applies, but not for all passwords.
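
The check raised in the replies above (do the values stored in the Secret really decode to the intended passwords), as an added example that is not part of the original thread or of the operator's code. It audits a Secret's `data` map for values still at the defaults quoted in the first post, values that are not valid base64, and values encoded with a trailing newline; the function names and the sample map with its three faulty entries are constructed for illustration.

```python
import base64

# Default values quoted in the first post (my-cluster-secrets as deployed).
DEFAULT_DATA = {
    "root": "cm9vdF9wYXNzd29yZA==",
    "xtrabackup": "YmFja3VwX3Bhc3N3b3Jk",
    "monitor": "bW9uaXRvcg==",
    "clustercheck": "Y2x1c3RlcmNoZWNrcGFzc3dvcmQ=",
    "proxyadmin": "YWRtaW5fcGFzc3dvcmQ=",
    "pmmserver": "c3VwYXxefHBheno=",
    "operator": "b3BlcmF0b3JhZG1pbg==",
}

def b64(text):
    return base64.b64encode(text.encode()).decode()

def audit_secret(data, intended=None):
    """Return {key: [issues]}; intended maps key -> plaintext from stringData."""
    intended = intended or {}
    findings = {}
    for key in sorted(data):
        try:
            raw = base64.b64decode(data[key], validate=True)
        except ValueError:  # binascii.Error: bad padding or alphabet
            findings[key] = ["not valid base64"]
            continue
        issues = []
        if key in DEFAULT_DATA and raw == base64.b64decode(DEFAULT_DATA[key]):
            issues.append("still the default password")
        if raw.endswith(b"\n"):
            issues.append("trailing newline (echo without -n)")
        if key in intended and raw != intended[key].encode():
            issues.append("differs from intended value")
        if issues:
            findings[key] = issues
    return findings

# Constructed sample: the custom passwords from the post, with three faults.
INTENDED = {"root": "f13a826771", "operator": "xkijmtfjz8", "monitor": "3i2sc5ehy2",
            "clustercheck": "x1o5xeol9e", "proxyadmin": "1d567w40gs",
            "xtrabackup": "f894n8na58", "pmmserver": "x8gvn4n6kr"}
SAMPLE_DATA = {k: b64(v) for k, v in INTENDED.items()}
SAMPLE_DATA["monitor"] = b64("3i2sc5ehy2\n")            # encoded via plain echo
SAMPLE_DATA["proxyadmin"] = DEFAULT_DATA["proxyadmin"]  # never updated
SAMPLE_DATA["xtrabackup"] = "f894n8na58"                # plaintext pasted into data

if __name__ == "__main__":
    for key, issues in audit_secret(SAMPLE_DATA, INTENDED).items():
        print(f"{key}: {'; '.join(issues)}")
```

On a live cluster the `data` map would come from the JSON output of `kubectl get secret my-cluster-secrets -o json`. A clean result only shows that the Secret object holds the intended values, not that the cluster components have picked them up.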

Hi @dmitriiu

Is this bug relevant to your case: [K8SPXC-641] Update of secret for proxyadmin user does not work properly - Percona JIRA?

Hi, I didn’t notice that the new password was successfully applied to only one of the three nodes, but otherwise the bug is similar.

Yes, bug K8SPXC-641 covers this issue. It will be shipped in release 1.8.0.