Cannot connect to mariadb on kubernetes when using secret

Question

I'm hosting a mariadb in a kubernetes cluster on Google Kubernetes Engine. I'm using the official mariadb image from dockerhub (mariadb:10.5).

This is my yml for the service and deployment

apiVersion: v1
kind: Service
metadata:
  name: mariadb
spec:
  ports:
  - port: 3306
  selector:
    app: mariadb
  clusterIP: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mariadb
spec:
  selector:
    matchLabels:
      app: mariadb
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mariadb
    spec:
      containers:
      - image: mariadb:10.5
        name: mariadb
        env:
        - name: MYSQL_USER
          valueFrom:
            secretKeyRef:
              name: mariadb-secret
              key: username
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mariadb-secret
              key: password
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mariadb-secret
              key: rootpassword
        - name: MYSQL_DATABASE
          value: test
        ports:
        - containerPort: 3306
          name: mariadb-port
        volumeMounts:
        - name: mariadb-volume
          mountPath: /var/lib/mysql
      volumes:
      - name: mariadb-volume
        persistentVolumeClaim:
          claimName: mariadb-pvc

As you can see, I'm using a secret to configure the environment. The yml for the secret looks like this:

apiVersion: v1
kind: Secret
metadata:
  name: mariadb-secret
type: Opaque
 data:
   rootpassword: dGVzdHJvb3RwYXNzCg==
   username: dGVzdHVzZXIK
   password: dGVzdHBhc3MK

After apply this configuration everything seems fine, except that I cannot connect with the user and it's password to the DB. Not from localhost and also not from remote:

# mysql -u testuser -ptestpass

ERROR 1045 (28000): Access denied for user 'testuser'@'localhost' (using password: YES)

I can only connect using root and it's password (same connection string). When I take a look at my users in mariadb they look like this:

+-----------+-------------+-------------------------------------------+
| Host      | User        | Password                                  |
+-----------+-------------+-------------------------------------------+
| localhost | mariadb.sys |                                           |
| localhost | root        | *293286706D5322A73D8D9B087BE8D14C950AB0FA |
| %         | root        | *293286706D5322A73D8D9B087BE8D14C950AB0FA |
| %         | testuser    | *B07683D91842E0B3FEE182C5182AB7E4F8B3972D |
+-----------+-------------+-------------------------------------------+

If I change my Secret to use stringData instead of data and use non-encoded strings everything works as expected:

apiVersion: v1
kind: Secret
metadata:
  name: mariadb-secret
type: Opaque
stringData:
  rootpassword: testrootpass
  username: testuser
  password: testpass

I use the following commands (on Mac OS) to generate the base64 encoded strings:

echo testuser | base64
echo testpass | base64
echo testrootpass | base64

What am I doing wrong here? I would like to use the base64-encoded strings instead of the normal strings.

Dawid Kruk · Accepted Answer · 2020-10-06T10:16:26.083

You created all your values with:

$ echo "value" | base64
which instead you should use: $ echo -n "value" | base64

Following official man page of echo:

Description

Echo the STRING(s) to standard output.

-n = do not output the trailing newline

TL;DR: You need to edit your Secret.yaml definition with new values:

$ echo -n "testuser" | base64
$ echo -n "testpass" | base64
$ echo -n "testrootpass" | base64

Following above explanation, your Secret.yaml should look like:

apiVersion: v1
kind: Secret
metadata:
  name: mariadb-secret
type: Opaque
data:
  rootpassword: dGVzdHJvb3RwYXNz
  username: dGVzdHVzZXI=
  password: dGVzdHBhc3M=

After that you should be able to connect to your mariadb like below:

$ mysql -u testuser -ptestpass

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.5.5-MariaDB-1:10.5.5+maria~focal mariadb.org binary distribution
<----> 
MariaDB [(none)]>

$ mysql -u root -ptestrootpass

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 10.5.5-MariaDB-1:10.5.5+maria~focal mariadb.org binary distribution
<---->
MariaDB [(none)]>

Additional resources:

Stackoverflow.com: How to get into postgres in kubernetes with local dev minikube

I used kubectl `--from-file` (`kubectl create secret generic dev-db-secret --from-file=username=./testrootpass.txt --from-file=password=./testrootpass.txt`) with the same behavior. It turned out that vim always appends a newline and to avoid this you have to save the file as binary. https://stackoverflow.com/a/16114535/3972213 — skroczek, Mar 18 '21 at 16:16

Cannot connect to mariadb on kubernetes when using secret

1 Answers1

Description