Search code examples
mysqldockerkuberneteskubernetes-secretskubernetes-statefulset

Docker Mysql official image not creating user in kubernetes


I'm trying to deploy a mysql instance in k8s through a StatefulSet using the official Mysql image from DockerHub. I'm following the image documentation from DockerHub and providing MYSQL_ROOT_PASSWORD, MYSQL_USER and MYSQL_PASSWORD env vars, so the user should be automatically created, but it is not. The error I can see in container's logs is that root user is not able to connect at the point the user provided in MYSQL_USER is being created.

2021-09-14 17:28:20+00:00 [Note] [Entrypoint]: Creating user foo_user
2021-09-14T17:28:20.860763Z 5 [Note] Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

After some investigation, I've noticed that the problem occurs when the values for the env vars are taken from k8s secrets, but if I hardcode their values in the StatefulSet's manifest, it works just fine. You can see my current code below:

---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql
  labels:
    app: mysql
spec:
  replicas: 1
  serviceName: mysql-svc
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - name: mysql
        image: "mysql:latest"
        env:
        - name: MYSQL_DATABASE
          value: 'foo_db'
        - name: MYSQL_USER
          value: 'foo_user'
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-sec
              key: MYSQL_PASSWORD
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-sec
              key: MYSQL_ROOT_PASSWORD
        ports:
        - containerPort: 3306
          protocol: TCP
        volumeMounts:
        - name: mysql-db
          mountPath: /var/lib/mysql
          subPath: mysql
  volumeClaimTemplates:
  - metadata:
      name: mysql-db
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 4Gi

And the secrets.yml file:

apiVersion: v1
kind: Secret
metadata:
  name: mysql-sec
  labels:
    app: mysql
type: Opaque
data:
  MYSQL_PASSWORD: ***************************
  MYSQL_ROOT_PASSWORD: ***************************

I've also tried to create the secrets first to make sure that the secrets already exist when the pod spins up, but without any success.

Any idea?


Solution

  • I was finally able to find out the root cause of the problem and it had nothing to do with secrets... The problem was related with the "complexity" of the value picked for the password. I chose a strong password autogenerated by an online tool, something similar to !6Y*]q~x+xG{9HQ~, and for some unknown reason this vale made the mysql docker's image's /entrypoint.sh script to fail with the aforementioned error Access denied for user 'root'@'localhost' (using password: YES). However, even though the script failed, the container and mysql server were up&running, and I was able to sneak into in and successfully execute mysql -u root --password="$MYSQL_ROOT_PASSWORD", so it seems pretty clear to me that the error is located in this script and the way it expands and use the value of this env var. After exchanging the password value by a "less complex" one, it worked like a charm.