diff --git a/go/flags/endtoend/mysqlctl.txt b/go/flags/endtoend/mysqlctl.txt
index a13d9e35158..b469b5e9ae6 100644
--- a/go/flags/endtoend/mysqlctl.txt
+++ b/go/flags/endtoend/mysqlctl.txt
@@ -24,19 +24,6 @@ Global flags:
 --catch-sigpipe catch and ignore SIGPIPE on stdout and stderr if specified
 --compression-engine-name string compressor engine used for compression. (default "pargzip")
 --compression-level int what level to pass to the compressor. (default 1)
- --db-config-dba-charset string deprecated: use db_charset (default "utf8mb4")
- --db-config-dba-flags uint deprecated: use db_flags
- --db-config-dba-flavor string deprecated: use db_flavor
- --db-config-dba-host string deprecated: use db_host
- --db-config-dba-pass string db dba deprecated: use db_dba_password
- --db-config-dba-port int deprecated: use db_port
- --db-config-dba-server_name string deprecated: use db_server_name
- --db-config-dba-ssl-ca string deprecated: use db_ssl_ca
- --db-config-dba-ssl-ca-path string deprecated: use db_ssl_ca_path
- --db-config-dba-ssl-cert string deprecated: use db_ssl_cert
- --db-config-dba-ssl-key string deprecated: use db_ssl_key
- --db-config-dba-uname string deprecated: use db_dba_user (default "vt_dba")
- --db-config-dba-unixsocket string deprecated: use db_socket
 --db-credentials-file string db credentials file; send SIGHUP to reload this file
 --db-credentials-server string db credentials server type ('file' - file implementation; 'vault' - HashiCorp Vault implementation) (default "file")
 --db-credentials-vault-addr string URL to Vault server
diff --git a/go/flags/endtoend/mysqlctld.txt b/go/flags/endtoend/mysqlctld.txt
index 6efc20e18e3..dec4a635e3c 100644
--- a/go/flags/endtoend/mysqlctld.txt
+++ b/go/flags/endtoend/mysqlctld.txt
@@ -12,19 +12,6 @@ Usage of mysqlctld:
 --catch-sigpipe catch and ignore SIGPIPE on stdout and stderr if specified
 --compression-engine-name string compressor engine used for compression. (default "pargzip")
 --compression-level int what level to pass to the compressor. (default 1)
- --db-config-dba-charset string deprecated: use db_charset (default "utf8mb4")
- --db-config-dba-flags uint deprecated: use db_flags
- --db-config-dba-flavor string deprecated: use db_flavor
- --db-config-dba-host string deprecated: use db_host
- --db-config-dba-pass string db dba deprecated: use db_dba_password
- --db-config-dba-port int deprecated: use db_port
- --db-config-dba-server_name string deprecated: use db_server_name
- --db-config-dba-ssl-ca string deprecated: use db_ssl_ca
- --db-config-dba-ssl-ca-path string deprecated: use db_ssl_ca_path
- --db-config-dba-ssl-cert string deprecated: use db_ssl_cert
- --db-config-dba-ssl-key string deprecated: use db_ssl_key
- --db-config-dba-uname string deprecated: use db_dba_user (default "vt_dba")
- --db-config-dba-unixsocket string deprecated: use db_socket
 --db-credentials-file string db credentials file; send SIGHUP to reload this file
 --db-credentials-server string db credentials server type ('file' - file implementation; 'vault' - HashiCorp Vault implementation) (default "file")
 --db-credentials-vault-addr string URL to Vault server
diff --git a/go/flags/endtoend/vtbackup.txt b/go/flags/endtoend/vtbackup.txt
index 888a266d6c7..66c1846d63f 100644
--- a/go/flags/endtoend/vtbackup.txt
+++ b/go/flags/endtoend/vtbackup.txt
@@ -10,98 +10,6 @@ Usage of vtbackup:
 --ceph_backup_storage_config string Path to JSON config file for ceph backup storage. (default "ceph_backup_config.json")
 --concurrency int (init restore parameter) how many concurrent files to restore at once (default 4)
 --consul_auth_static_file string JSON File to read the topos/tokens from.
- --db-config-allprivs-charset string deprecated: use db_charset (default "utf8mb4")
- --db-config-allprivs-flags uint deprecated: use db_flags
- --db-config-allprivs-flavor string deprecated: use db_flavor
- --db-config-allprivs-host string deprecated: use db_host
- --db-config-allprivs-pass string db allprivs deprecated: use db_allprivs_password
- --db-config-allprivs-port int deprecated: use db_port
- --db-config-allprivs-server_name string deprecated: use db_server_name
- --db-config-allprivs-ssl-ca string deprecated: use db_ssl_ca
- --db-config-allprivs-ssl-ca-path string deprecated: use db_ssl_ca_path
- --db-config-allprivs-ssl-cert string deprecated: use db_ssl_cert
- --db-config-allprivs-ssl-key string deprecated: use db_ssl_key
- --db-config-allprivs-uname string deprecated: use db_allprivs_user (default "vt_allprivs")
- --db-config-allprivs-unixsocket string deprecated: use db_socket
- --db-config-app-charset string deprecated: use db_charset (default "utf8mb4")
- --db-config-app-flags uint deprecated: use db_flags
- --db-config-app-flavor string deprecated: use db_flavor
- --db-config-app-host string deprecated: use db_host
- --db-config-app-pass string db app deprecated: use db_app_password
- --db-config-app-port int deprecated: use db_port
- --db-config-app-server_name string deprecated: use db_server_name
- --db-config-app-ssl-ca string deprecated: use db_ssl_ca
- --db-config-app-ssl-ca-path string deprecated: use db_ssl_ca_path
- --db-config-app-ssl-cert string deprecated: use db_ssl_cert
- --db-config-app-ssl-key string deprecated: use db_ssl_key
- --db-config-app-uname string deprecated: use db_app_user (default "vt_app")
- --db-config-app-unixsocket string deprecated: use db_socket
- --db-config-appdebug-charset string deprecated: use db_charset (default "utf8mb4")
- --db-config-appdebug-flags uint deprecated: use db_flags
- --db-config-appdebug-flavor string deprecated: use db_flavor
- --db-config-appdebug-host string deprecated: use db_host
- --db-config-appdebug-pass string db appdebug deprecated: use db_appdebug_password
- --db-config-appdebug-port int deprecated: use db_port
- --db-config-appdebug-server_name string deprecated: use db_server_name
- --db-config-appdebug-ssl-ca string deprecated: use db_ssl_ca
- --db-config-appdebug-ssl-ca-path string deprecated: use db_ssl_ca_path
- --db-config-appdebug-ssl-cert string deprecated: use db_ssl_cert
- --db-config-appdebug-ssl-key string deprecated: use db_ssl_key
- --db-config-appdebug-uname string deprecated: use db_appdebug_user (default "vt_appdebug")
- --db-config-appdebug-unixsocket string deprecated: use db_socket
- --db-config-dba-charset string deprecated: use db_charset (default "utf8mb4")
- --db-config-dba-flags uint deprecated: use db_flags
- --db-config-dba-flavor string deprecated: use db_flavor
- --db-config-dba-host string deprecated: use db_host
- --db-config-dba-pass string db dba deprecated: use db_dba_password
- --db-config-dba-port int deprecated: use db_port
- --db-config-dba-server_name string deprecated: use db_server_name
- --db-config-dba-ssl-ca string deprecated: use db_ssl_ca
- --db-config-dba-ssl-ca-path string deprecated: use db_ssl_ca_path
- --db-config-dba-ssl-cert string deprecated: use db_ssl_cert
- --db-config-dba-ssl-key string deprecated: use db_ssl_key
- --db-config-dba-uname string deprecated: use db_dba_user (default "vt_dba")
- --db-config-dba-unixsocket string deprecated: use db_socket
- --db-config-erepl-charset string deprecated: use db_charset (default "utf8mb4")
- --db-config-erepl-dbname string deprecated: dbname does not need to be explicitly configured
- --db-config-erepl-flags uint deprecated: use db_flags
- --db-config-erepl-flavor string deprecated: use db_flavor
- --db-config-erepl-host string deprecated: use db_host
- --db-config-erepl-pass string db erepl deprecated: use db_erepl_password
- --db-config-erepl-port int deprecated: use db_port
- --db-config-erepl-server_name string deprecated: use db_server_name
- --db-config-erepl-ssl-ca string deprecated: use db_ssl_ca
- --db-config-erepl-ssl-ca-path string deprecated: use db_ssl_ca_path
- --db-config-erepl-ssl-cert string deprecated: use db_ssl_cert
- --db-config-erepl-ssl-key string deprecated: use db_ssl_key
- --db-config-erepl-uname string deprecated: use db_erepl_user (default "vt_erepl")
- --db-config-erepl-unixsocket string deprecated: use db_socket
- --db-config-filtered-charset string deprecated: use db_charset (default "utf8mb4")
- --db-config-filtered-flags uint deprecated: use db_flags
- --db-config-filtered-flavor string deprecated: use db_flavor
- --db-config-filtered-host string deprecated: use db_host
- --db-config-filtered-pass string db filtered deprecated: use db_filtered_password
- --db-config-filtered-port int deprecated: use db_port
- --db-config-filtered-server_name string deprecated: use db_server_name
- --db-config-filtered-ssl-ca string deprecated: use db_ssl_ca
- --db-config-filtered-ssl-ca-path string deprecated: use db_ssl_ca_path
- --db-config-filtered-ssl-cert string deprecated: use db_ssl_cert
- --db-config-filtered-ssl-key string deprecated: use db_ssl_key
- --db-config-filtered-uname string deprecated: use db_filtered_user (default "vt_filtered")
- --db-config-filtered-unixsocket string deprecated: use db_socket
- --db-config-repl-charset string deprecated: use db_charset (default "utf8mb4")
- --db-config-repl-flags uint deprecated: use db_flags
- --db-config-repl-flavor string deprecated: use db_flavor
- --db-config-repl-host string deprecated: use db_host
- --db-config-repl-pass string db repl deprecated: use db_repl_password
- --db-config-repl-port int deprecated: use db_port
- --db-config-repl-server_name string deprecated: use db_server_name
- --db-config-repl-ssl-ca string deprecated: use db_ssl_ca
- --db-config-repl-ssl-ca-path string deprecated: use db_ssl_ca_path
- --db-config-repl-ssl-cert string deprecated: use db_ssl_cert
- --db-config-repl-ssl-key string deprecated: use db_ssl_key
- --db-config-repl-uname string deprecated: use db_repl_user (default "vt_repl")
- --db-config-repl-unixsocket string deprecated: use db_socket
 --db-credentials-file string db credentials file; send SIGHUP to reload this file
 --db-credentials-server string db credentials server type ('file' - file implementation; 'vault' - HashiCorp Vault implementation) (default "file")
 --db-credentials-vault-addr string URL to Vault server
diff --git a/go/flags/endtoend/vtctld.txt b/go/flags/endtoend/vtctld.txt
index 69de8887a3b..5895327dc5f 100644
--- a/go/flags/endtoend/vtctld.txt
+++ b/go/flags/endtoend/vtctld.txt
@@ -25,17 +25,6 @@ Usage of vtctld:
 --consul_auth_static_file string JSON File to read the topos/tokens from.
 --datadog-agent-host string host to send spans to. if empty, no tracing will be done
 --datadog-agent-port string port to send spans to. if empty, no tracing will be done
- --db-credentials-file string db credentials file; send SIGHUP to reload this file
- --db-credentials-server string db credentials server type ('file' - file implementation; 'vault' - HashiCorp Vault implementation) (default "file")
- --db-credentials-vault-addr string URL to Vault server
- --db-credentials-vault-path string Vault path to credentials JSON blob, e.g.: secret/data/prod/dbcreds
- --db-credentials-vault-role-mountpoint string Vault AppRole mountpoint; can also be passed using VAULT_MOUNTPOINT environment variable (default "approle")
- --db-credentials-vault-role-secretidfile string Path to file containing Vault AppRole secret_id; can also be passed using VAULT_SECRETID environment variable
- --db-credentials-vault-roleid string Vault AppRole id; can also be passed using VAULT_ROLEID environment variable
- --db-credentials-vault-timeout duration Timeout for vault API operations (default 10s)
- --db-credentials-vault-tls-ca string Path to CA PEM for validating Vault server certificate
- --db-credentials-vault-tokenfile string Path to file containing Vault auth token; token can also be passed using VAULT_TOKEN environment variable
- --db-credentials-vault-ttl duration How long to cache DB credentials from the Vault server (default 30m0s)
 --dba_idle_timeout duration Idle timeout for dba connections (default 1m0s)
 --dba_pool_size int Size of the connection pool for dba connections (default 20)
 --disable_active_reparents if set, do not allow active reparents. Use this to protect a cluster using external reparents.
diff --git a/go/flags/endtoend/vtctldclient.txt b/go/flags/endtoend/vtctldclient.txt
index a8f4b927d74..20c57c3417f 100644
--- a/go/flags/endtoend/vtctldclient.txt
+++ b/go/flags/endtoend/vtctldclient.txt 
@@ -87,58 +87,47 @@ Available Commands: help Help about any command Flags: - --action_timeout duration timeout for the total command (default 1h0m0s) - --alsologtostderr log to standard error as well as files - --db-credentials-file string db credentials file; send SIGHUP to reload this file - --db-credentials-server string db credentials server type ('file' - file implementation; 'vault' - HashiCorp Vault implementation) (default "file") - --db-credentials-vault-addr string URL to Vault server - --db-credentials-vault-path string Vault path to credentials JSON blob, e.g.: secret/data/prod/dbcreds - --db-credentials-vault-role-mountpoint string Vault AppRole mountpoint; can also be passed using VAULT_MOUNTPOINT environment variable (default "approle") - --db-credentials-vault-role-secretidfile string Path to file containing Vault AppRole secret_id; can also be passed using VAULT_SECRETID environment variable - --db-credentials-vault-roleid string Vault AppRole id; can also be passed using VAULT_ROLEID environment variable - --db-credentials-vault-timeout duration Timeout for vault API operations (default 10s) - --db-credentials-vault-tls-ca string Path to CA PEM for validating Vault server certificate - --db-credentials-vault-tokenfile string Path to file containing Vault auth token; token can also be passed using VAULT_TOKEN environment variable - --db-credentials-vault-ttl duration How long to cache DB credentials from the Vault server (default 30m0s) - --emit_stats If set, emit stats to push-based monitoring and stats backends - --grpc_auth_static_client_creds string When using grpc_static_auth in the server, this file provides the credentials to use to authenticate with server. - --grpc_compression string Which protocol to use for compressing gRPC. Default: nothing. Supported: snappy - --grpc_enable_tracing Enable gRPC tracing. 
- --grpc_initial_conn_window_size int gRPC initial connection window size - --grpc_initial_window_size int gRPC initial window size - --grpc_keepalive_time duration After a duration of this time, if the client doesn't see any activity, it pings the server to see if the transport is still alive. (default 10s) - --grpc_keepalive_timeout duration After having pinged for keepalive check, the client waits for a duration of Timeout and if no activity is seen even after that the connection is closed. (default 10s) - --grpc_max_message_size int Maximum allowed RPC message size. Larger messages will be rejected by gRPC with the error 'exceeding the max size'. (default 16777216) - --grpc_prometheus Enable gRPC monitoring with Prometheus. - -h, --help help for vtctldclient - --keep_logs duration keep logs for this long (using ctime) (zero to keep forever) - --keep_logs_by_mtime duration keep logs for this long (using mtime) (zero to keep forever) - --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) - --log_dir string If non-empty, write log files in this directory - --log_rotate_max_size uint size in bytes at which logs are rotated (glog.MaxSize) (default 1887436800) - --logtostderr log to standard error instead of files - --mysql_server_version string MySQL server version to advertise. 
- --purge_logs_interval duration how often try to remove old logs (default 1h0m0s) - --remote_operation_timeout duration time to wait for a remote operation (default 30s) - --security_policy string the name of a registered security policy to use for controlling access to URLs - empty means allow all for anyone (built-in policies: deny-all, read-only) - --server string server to use for connection (required) - --stats_backend string The name of the registered push-based monitoring/stats backend to use - --stats_combine_dimensions string List of dimensions to be combined into a single "all" value in exported stats vars - --stats_common_tags strings Comma-separated list of common tags for the stats backend. It provides both label and values. Example: label1:value1,label2:value2 - --stats_drop_variables string Variables to be dropped from the list of exported variables. - --stats_emit_period duration Interval between emitting stats to all registered backends (default 1m0s) - --stderrthreshold severity logs at or above this threshold go to stderr (default 1) - --topo_global_root string the path of the global topology data in the global topology server - --topo_global_server_address string the address of the global topology server - --topo_implementation string the topology implementation to use - -v, --v Level log level for V logs - --version version for vtctldclient - --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging - --vtctl_client_protocol string Protocol to use to talk to the vtctl server. 
(default "grpc") - --vtctld_grpc_ca string the server ca to use to validate servers when connecting - --vtctld_grpc_cert string the cert to use to connect - --vtctld_grpc_crl string the server crl to use to validate server certificates when connecting - --vtctld_grpc_key string the key to use to connect - --vtctld_grpc_server_name string the server name to use to validate server certificate + --action_timeout duration timeout for the total command (default 1h0m0s) + --alsologtostderr log to standard error as well as files + --emit_stats If set, emit stats to push-based monitoring and stats backends + --grpc_auth_static_client_creds string When using grpc_static_auth in the server, this file provides the credentials to use to authenticate with server. + --grpc_compression string Which protocol to use for compressing gRPC. Default: nothing. Supported: snappy + --grpc_enable_tracing Enable gRPC tracing. + --grpc_initial_conn_window_size int gRPC initial connection window size + --grpc_initial_window_size int gRPC initial window size + --grpc_keepalive_time duration After a duration of this time, if the client doesn't see any activity, it pings the server to see if the transport is still alive. (default 10s) + --grpc_keepalive_timeout duration After having pinged for keepalive check, the client waits for a duration of Timeout and if no activity is seen even after that the connection is closed. (default 10s) + --grpc_max_message_size int Maximum allowed RPC message size. Larger messages will be rejected by gRPC with the error 'exceeding the max size'. (default 16777216) + --grpc_prometheus Enable gRPC monitoring with Prometheus. 
+ -h, --help help for vtctldclient + --keep_logs duration keep logs for this long (using ctime) (zero to keep forever) + --keep_logs_by_mtime duration keep logs for this long (using mtime) (zero to keep forever) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_rotate_max_size uint size in bytes at which logs are rotated (glog.MaxSize) (default 1887436800) + --logtostderr log to standard error instead of files + --mysql_server_version string MySQL server version to advertise. + --purge_logs_interval duration how often try to remove old logs (default 1h0m0s) + --remote_operation_timeout duration time to wait for a remote operation (default 30s) + --security_policy string the name of a registered security policy to use for controlling access to URLs - empty means allow all for anyone (built-in policies: deny-all, read-only) + --server string server to use for connection (required) + --stats_backend string The name of the registered push-based monitoring/stats backend to use + --stats_combine_dimensions string List of dimensions to be combined into a single "all" value in exported stats vars + --stats_common_tags strings Comma-separated list of common tags for the stats backend. It provides both label and values. Example: label1:value1,label2:value2 + --stats_drop_variables string Variables to be dropped from the list of exported variables. 
+ --stats_emit_period duration Interval between emitting stats to all registered backends (default 1m0s) + --stderrthreshold severity logs at or above this threshold go to stderr (default 1) + --topo_global_root string the path of the global topology data in the global topology server + --topo_global_server_address string the address of the global topology server + --topo_implementation string the topology implementation to use + -v, --v Level log level for V logs + --version version for vtctldclient + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging + --vtctl_client_protocol string Protocol to use to talk to the vtctl server. (default "grpc") + --vtctld_grpc_ca string the server ca to use to validate servers when connecting + --vtctld_grpc_cert string the cert to use to connect + --vtctld_grpc_crl string the server crl to use to validate server certificates when connecting + --vtctld_grpc_key string the key to use to connect + --vtctld_grpc_server_name string the server name to use to validate server certificate Use "vtctldclient [command] --help" for more information about a command. diff --git a/go/flags/endtoend/vtexplain.txt b/go/flags/endtoend/vtexplain.txt index 114d1febdba..df5fea9d1d6 100644 --- a/go/flags/endtoend/vtexplain.txt +++ b/go/flags/endtoend/vtexplain.txt 
@@ -1,105 +1,94 @@ Usage of vtexplain: - --alsologtostderr log to standard error as well as files - --app_idle_timeout duration Idle timeout for app connections (default 1m0s) - --app_pool_size int Size of the connection pool for app connections (default 40) - --backup_engine_implementation string Specifies which implementation to use for creating new backups (builtin or xtrabackup). Restores will always be done with whichever engine created a given backup. (default "builtin") - --backup_storage_block_size int if backup_storage_compress is true, backup_storage_block_size sets the byte size for each block while compressing (default is 250000). (default 250000) - --backup_storage_compress if set, the backup files will be compressed (default is true). Set to false for instance if a backup_storage_hook is specified and it compresses the data. (default true) - --backup_storage_hook string if set, we send the contents of the backup files through this hook. - --backup_storage_number_blocks int if backup_storage_compress is true, backup_storage_number_blocks sets the number of blocks that can be processed, at once, before the writer blocks, during compression (default is 2). It should be equal to the number of CPUs available for compression. (default 2) - --batch-interval duration Interval between logical time slots. (default 10ms) - --builtinbackup_mysqld_timeout duration how long to wait for mysqld to shutdown at the start of the backup. (default 10m0s) - --builtinbackup_progress duration how often to send progress updates when backing up large files. (default 5s) - --compression-engine-name string compressor engine used for compression. (default "pargzip") - --compression-level int what level to pass to the compressor. 
(default 1) - --db-credentials-file string db credentials file; send SIGHUP to reload this file - --db-credentials-server string db credentials server type ('file' - file implementation; 'vault' - HashiCorp Vault implementation) (default "file") - --db-credentials-vault-addr string URL to Vault server - --db-credentials-vault-path string Vault path to credentials JSON blob, e.g.: secret/data/prod/dbcreds - --db-credentials-vault-role-mountpoint string Vault AppRole mountpoint; can also be passed using VAULT_MOUNTPOINT environment variable (default "approle") - --db-credentials-vault-role-secretidfile string Path to file containing Vault AppRole secret_id; can also be passed using VAULT_SECRETID environment variable - --db-credentials-vault-roleid string Vault AppRole id; can also be passed using VAULT_ROLEID environment variable - --db-credentials-vault-timeout duration Timeout for vault API operations (default 10s) - --db-credentials-vault-tls-ca string Path to CA PEM for validating Vault server certificate - --db-credentials-vault-tokenfile string Path to file containing Vault auth token; token can also be passed using VAULT_TOKEN environment variable - --db-credentials-vault-ttl duration How long to cache DB credentials from the Vault server (default 30m0s) - --dba_idle_timeout duration Idle timeout for dba connections (default 1m0s) - --dba_pool_size int Size of the connection pool for dba connections (default 20) - --dbname string Optional database target to override normal routing - --default_tablet_type topodatapb.TabletType The default tablet type to set for queries, when one is not explicitly selected. (default PRIMARY) - --disable_active_reparents if set, do not allow active reparents. Use this to protect a cluster using external reparents. - --execution-mode string The execution mode to simulate -- must be set to multi, legacy-autocommit, or twopc (default "multi") - --external-compressor string command with arguments to use when compressing a backup. 
- --external-compressor-extension string extension to use when using an external compressor. - --external-decompressor string command with arguments to use when decompressing a backup. - -h, --help display usage and exit - --keep_logs duration keep logs for this long (using ctime) (zero to keep forever) - --keep_logs_by_mtime duration keep logs for this long (using mtime) (zero to keep forever) - --ks-shard-map string JSON map of keyspace name -> shard name -> ShardReference object. The inner map is the same as the output of FindAllShardsInKeyspace - --ks-shard-map-file string File containing json blob of keyspace name -> shard name -> ShardReference object - --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) - --log_dir string If non-empty, write log files in this directory - --log_err_stacks log stack traces for errors - --log_queries_to_file string Enable query logging to the specified file - --log_rotate_max_size uint size in bytes at which logs are rotated (glog.MaxSize) (default 1887436800) - --logtostderr log to standard error instead of files - --message_stream_grace_period duration the amount of time to give for a vttablet to resume if it ends a message stream, usually because of a reparent. (default 30s) - --mysql-server-pool-conn-read-buffers If set, the server will pool incoming connection read buffers - --mysql_allow_clear_text_without_tls If set, the server will allow the use of a clear text password over non-SSL connections. - --mysql_auth_server_impl string Which auth server implementation to use. Options: none, ldap, clientcert, static, vault. (default "static") - --mysql_default_workload string Default session workload (OLTP, OLAP, DBA) (default "OLTP") - --mysql_server_bind_address string Binds on this address when listening to MySQL binary protocol. Useful to restrict listening to 'localhost' only for instance. 
- --mysql_server_port int If set, also listen for MySQL binary protocol connections on this port. (default -1) - --mysql_server_query_timeout duration mysql query timeout (default 0s) - --mysql_server_read_timeout duration connection read timeout (default 0s) - --mysql_server_require_secure_transport Reject insecure connections but only if mysql_server_ssl_cert and mysql_server_ssl_key are provided - --mysql_server_socket_path string This option specifies the Unix socket file to use when listening for local connections. By default it will be empty and it won't listen to a unix socket - --mysql_server_ssl_ca string Path to ssl CA for mysql server plugin SSL. If specified, server will require and validate client certs. - --mysql_server_ssl_cert string Path to the ssl cert for mysql server plugin SSL - --mysql_server_ssl_crl string Path to ssl CRL for mysql server plugin SSL - --mysql_server_ssl_key string Path to ssl key for mysql server plugin SSL - --mysql_server_ssl_server_ca string path to server CA in PEM format, which will be combine with server cert, return full certificate chain to clients - --mysql_server_tls_min_version string Configures the minimal TLS version negotiated when SSL is enabled. Defaults to TLSv1.2. Options: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3. - --mysql_server_version string MySQL server version to advertise. - --mysql_server_write_timeout duration connection write timeout (default 0s) - --mysql_slow_connect_warn_threshold duration Warn if it takes more than the given threshold for a mysql connection to establish (default 0s) - --mysql_tcp_version string Select tcp, tcp4, or tcp6 to control the socket type. 
(default "tcp") - --mysqlctl_mycnf_template string template file to use for generating the my.cnf file during server init - --mysqlctl_socket string socket file to use for remote mysqlctl actions (empty for local actions) - --normalize Whether to enable vtgate normalization - --output-mode string Output in human-friendly text or json (default "text") - --planner-version string Sets the query planner version to use when generating the explain output. Valid values are V3 and Gen4 - --pool_hostname_resolve_interval duration if set force an update to all hostnames and reconnect if changed, defaults to 0 (disabled) - --pprof strings enable profiling - --proxy_protocol Enable HAProxy PROXY protocol on MySQL listener socket - --purge_logs_interval duration how often try to remove old logs (default 1h0m0s) - --querylog-buffer-size int Maximum number of buffered query logs before throttling log output (default 10) - --remote_operation_timeout duration time to wait for a remote operation (default 30s) - --replication-mode string The replication mode to simulate -- must be set to either ROW or STATEMENT (default "ROW") - --replication_connect_retry duration how long to wait in between replica reconnect attempts. Only precise to the second. (default 10s) - --schema string The SQL table schema - --schema-file string Identifies the file that contains the SQL table schema - --security_policy string the name of a registered security policy to use for controlling access to URLs - empty means allow all for anyone (built-in policies: deny-all, read-only) - --shards int Number of shards per keyspace. Passing --ks-shard-map/--ks-shard-map-file causes this flag to be ignored. 
(default 2) - --sql string A list of semicolon-delimited SQL commands to analyze - --sql-file string Identifies the file that contains the SQL commands to analyze - --sql-max-length-errors int truncate queries in error logs to the given length (default unlimited) - --sql-max-length-ui int truncate queries in debug UIs to the given length (default 512) (default 512) - --stderrthreshold severity logs at or above this threshold go to stderr (default 1) - --tablet_dir string The directory within the vtdataroot to store vttablet/mysql files. Defaults to being generated by the tablet uid. - --topo_global_root string the path of the global topology data in the global topology server - --topo_global_server_address string the address of the global topology server - --topo_implementation string the topology implementation to use - -v, --v Level log level for V logs - --version print binary version - --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging - --vschema string Identifies the VTGate routing schema - --vschema-file string Identifies the VTGate routing schema file - --xbstream_restore_flags string flags to pass to xbstream command during restore. These should be space separated and will be added to the end of the command. These need to match the ones used for backup e.g. --compress / --decompress, --encrypt / --decrypt - --xtrabackup_backup_flags string flags to pass to backup command. These should be space separated and will be added to the end of the command - --xtrabackup_prepare_flags string flags to pass to prepare command. 
These should be space separated and will be added to the end of the command - --xtrabackup_root_path string directory location of the xtrabackup and xbstream executables, e.g., /usr/bin - --xtrabackup_stream_mode string which mode to use if streaming, valid values are tar and xbstream (default "tar") - --xtrabackup_stripe_block_size uint Size in bytes of each block that gets sent to a given stripe before rotating to the next stripe (default 102400) - --xtrabackup_stripes uint If greater than 0, use data striping across this many destination files to parallelize data transfer and decompression - --xtrabackup_user string User that xtrabackup will use to connect to the database server. This user must have all necessary privileges. For details, please refer to xtrabackup documentation. + --alsologtostderr log to standard error as well as files + --app_idle_timeout duration Idle timeout for app connections (default 1m0s) + --app_pool_size int Size of the connection pool for app connections (default 40) + --backup_engine_implementation string Specifies which implementation to use for creating new backups (builtin or xtrabackup). Restores will always be done with whichever engine created a given backup. (default "builtin") + --backup_storage_block_size int if backup_storage_compress is true, backup_storage_block_size sets the byte size for each block while compressing (default is 250000). (default 250000) + --backup_storage_compress if set, the backup files will be compressed (default is true). Set to false for instance if a backup_storage_hook is specified and it compresses the data. (default true) + --backup_storage_hook string if set, we send the contents of the backup files through this hook. + --backup_storage_number_blocks int if backup_storage_compress is true, backup_storage_number_blocks sets the number of blocks that can be processed, at once, before the writer blocks, during compression (default is 2). 
It should be equal to the number of CPUs available for compression. (default 2) + --batch-interval duration Interval between logical time slots. (default 10ms) + --builtinbackup_mysqld_timeout duration how long to wait for mysqld to shutdown at the start of the backup. (default 10m0s) + --builtinbackup_progress duration how often to send progress updates when backing up large files. (default 5s) + --compression-engine-name string compressor engine used for compression. (default "pargzip") + --compression-level int what level to pass to the compressor. (default 1) + --dba_idle_timeout duration Idle timeout for dba connections (default 1m0s) + --dba_pool_size int Size of the connection pool for dba connections (default 20) + --dbname string Optional database target to override normal routing + --default_tablet_type topodatapb.TabletType The default tablet type to set for queries, when one is not explicitly selected. (default PRIMARY) + --disable_active_reparents if set, do not allow active reparents. Use this to protect a cluster using external reparents. + --execution-mode string The execution mode to simulate -- must be set to multi, legacy-autocommit, or twopc (default "multi") + --external-compressor string command with arguments to use when compressing a backup. + --external-compressor-extension string extension to use when using an external compressor. + --external-decompressor string command with arguments to use when decompressing a backup. + -h, --help display usage and exit + --keep_logs duration keep logs for this long (using ctime) (zero to keep forever) + --keep_logs_by_mtime duration keep logs for this long (using mtime) (zero to keep forever) + --ks-shard-map string JSON map of keyspace name -> shard name -> ShardReference object. 
The inner map is the same as the output of FindAllShardsInKeyspace + --ks-shard-map-file string File containing json blob of keyspace name -> shard name -> ShardReference object + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_err_stacks log stack traces for errors + --log_queries_to_file string Enable query logging to the specified file + --log_rotate_max_size uint size in bytes at which logs are rotated (glog.MaxSize) (default 1887436800) + --logtostderr log to standard error instead of files + --message_stream_grace_period duration the amount of time to give for a vttablet to resume if it ends a message stream, usually because of a reparent. (default 30s) + --mysql-server-pool-conn-read-buffers If set, the server will pool incoming connection read buffers + --mysql_allow_clear_text_without_tls If set, the server will allow the use of a clear text password over non-SSL connections. + --mysql_auth_server_impl string Which auth server implementation to use. Options: none, ldap, clientcert, static, vault. (default "static") + --mysql_default_workload string Default session workload (OLTP, OLAP, DBA) (default "OLTP") + --mysql_server_bind_address string Binds on this address when listening to MySQL binary protocol. Useful to restrict listening to 'localhost' only for instance. + --mysql_server_port int If set, also listen for MySQL binary protocol connections on this port. (default -1) + --mysql_server_query_timeout duration mysql query timeout (default 0s) + --mysql_server_read_timeout duration connection read timeout (default 0s) + --mysql_server_require_secure_transport Reject insecure connections but only if mysql_server_ssl_cert and mysql_server_ssl_key are provided + --mysql_server_socket_path string This option specifies the Unix socket file to use when listening for local connections. 
By default it will be empty and it won't listen to a unix socket + --mysql_server_ssl_ca string Path to ssl CA for mysql server plugin SSL. If specified, server will require and validate client certs. + --mysql_server_ssl_cert string Path to the ssl cert for mysql server plugin SSL + --mysql_server_ssl_crl string Path to ssl CRL for mysql server plugin SSL + --mysql_server_ssl_key string Path to ssl key for mysql server plugin SSL + --mysql_server_ssl_server_ca string path to server CA in PEM format, which will be combine with server cert, return full certificate chain to clients + --mysql_server_tls_min_version string Configures the minimal TLS version negotiated when SSL is enabled. Defaults to TLSv1.2. Options: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3. + --mysql_server_version string MySQL server version to advertise. + --mysql_server_write_timeout duration connection write timeout (default 0s) + --mysql_slow_connect_warn_threshold duration Warn if it takes more than the given threshold for a mysql connection to establish (default 0s) + --mysql_tcp_version string Select tcp, tcp4, or tcp6 to control the socket type. (default "tcp") + --mysqlctl_mycnf_template string template file to use for generating the my.cnf file during server init + --mysqlctl_socket string socket file to use for remote mysqlctl actions (empty for local actions) + --normalize Whether to enable vtgate normalization + --output-mode string Output in human-friendly text or json (default "text") + --planner-version string Sets the query planner version to use when generating the explain output. 
Valid values are V3 and Gen4 + --pool_hostname_resolve_interval duration if set force an update to all hostnames and reconnect if changed, defaults to 0 (disabled) + --pprof strings enable profiling + --proxy_protocol Enable HAProxy PROXY protocol on MySQL listener socket + --purge_logs_interval duration how often try to remove old logs (default 1h0m0s) + --querylog-buffer-size int Maximum number of buffered query logs before throttling log output (default 10) + --remote_operation_timeout duration time to wait for a remote operation (default 30s) + --replication-mode string The replication mode to simulate -- must be set to either ROW or STATEMENT (default "ROW") + --replication_connect_retry duration how long to wait in between replica reconnect attempts. Only precise to the second. (default 10s) + --schema string The SQL table schema + --schema-file string Identifies the file that contains the SQL table schema + --security_policy string the name of a registered security policy to use for controlling access to URLs - empty means allow all for anyone (built-in policies: deny-all, read-only) + --shards int Number of shards per keyspace. Passing --ks-shard-map/--ks-shard-map-file causes this flag to be ignored. (default 2) + --sql string A list of semicolon-delimited SQL commands to analyze + --sql-file string Identifies the file that contains the SQL commands to analyze + --sql-max-length-errors int truncate queries in error logs to the given length (default unlimited) + --sql-max-length-ui int truncate queries in debug UIs to the given length (default 512) (default 512) + --stderrthreshold severity logs at or above this threshold go to stderr (default 1) + --tablet_dir string The directory within the vtdataroot to store vttablet/mysql files. Defaults to being generated by the tablet uid. 
+ --topo_global_root string the path of the global topology data in the global topology server + --topo_global_server_address string the address of the global topology server + --topo_implementation string the topology implementation to use + -v, --v Level log level for V logs + --version print binary version + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging + --vschema string Identifies the VTGate routing schema + --vschema-file string Identifies the VTGate routing schema file + --xbstream_restore_flags string flags to pass to xbstream command during restore. These should be space separated and will be added to the end of the command. These need to match the ones used for backup e.g. --compress / --decompress, --encrypt / --decrypt + --xtrabackup_backup_flags string flags to pass to backup command. These should be space separated and will be added to the end of the command + --xtrabackup_prepare_flags string flags to pass to prepare command. These should be space separated and will be added to the end of the command + --xtrabackup_root_path string directory location of the xtrabackup and xbstream executables, e.g., /usr/bin + --xtrabackup_stream_mode string which mode to use if streaming, valid values are tar and xbstream (default "tar") + --xtrabackup_stripe_block_size uint Size in bytes of each block that gets sent to a given stripe before rotating to the next stripe (default 102400) + --xtrabackup_stripes uint If greater than 0, use data striping across this many destination files to parallelize data transfer and decompression + --xtrabackup_user string User that xtrabackup will use to connect to the database server. This user must have all necessary privileges. For details, please refer to xtrabackup documentation. diff --git a/go/flags/endtoend/vttablet.txt b/go/flags/endtoend/vttablet.txt index e948f293213..de320274f98 100644 --- a/go/flags/endtoend/vttablet.txt +++ b/go/flags/endtoend/vttablet.txt 
@@ -38,98 +38,6 @@ Usage of vttablet: --consul_auth_static_file string JSON File to read the topos/tokens from. --datadog-agent-host string host to send spans to. if empty, no tracing will be done --datadog-agent-port string port to send spans to. if empty, no tracing will be done - --db-config-allprivs-charset string deprecated: use db_charset (default "utf8mb4") - --db-config-allprivs-flags uint deprecated: use db_flags - --db-config-allprivs-flavor string deprecated: use db_flavor - --db-config-allprivs-host string deprecated: use db_host - --db-config-allprivs-pass string db allprivs deprecated: use db_allprivs_password - --db-config-allprivs-port int deprecated: use db_port - --db-config-allprivs-server_name string deprecated: use db_server_name - --db-config-allprivs-ssl-ca string deprecated: use db_ssl_ca - --db-config-allprivs-ssl-ca-path string deprecated: use db_ssl_ca_path - --db-config-allprivs-ssl-cert string deprecated: use db_ssl_cert - --db-config-allprivs-ssl-key string deprecated: use db_ssl_key - --db-config-allprivs-uname string deprecated: use db_allprivs_user (default "vt_allprivs") - --db-config-allprivs-unixsocket string deprecated: use db_socket - --db-config-app-charset string deprecated: use db_charset (default "utf8mb4") - --db-config-app-flags uint deprecated: use db_flags - --db-config-app-flavor string deprecated: use db_flavor - --db-config-app-host string deprecated: use db_host - --db-config-app-pass string db app deprecated: use db_app_password - --db-config-app-port int deprecated: use db_port - --db-config-app-server_name string deprecated: use db_server_name - --db-config-app-ssl-ca string deprecated: use db_ssl_ca - --db-config-app-ssl-ca-path string deprecated: use db_ssl_ca_path - --db-config-app-ssl-cert string deprecated: use db_ssl_cert - --db-config-app-ssl-key string deprecated: use db_ssl_key - --db-config-app-uname string deprecated: use db_app_user (default "vt_app") - --db-config-app-unixsocket string deprecated: 
use db_socket - --db-config-appdebug-charset string deprecated: use db_charset (default "utf8mb4") - --db-config-appdebug-flags uint deprecated: use db_flags - --db-config-appdebug-flavor string deprecated: use db_flavor - --db-config-appdebug-host string deprecated: use db_host - --db-config-appdebug-pass string db appdebug deprecated: use db_appdebug_password - --db-config-appdebug-port int deprecated: use db_port - --db-config-appdebug-server_name string deprecated: use db_server_name - --db-config-appdebug-ssl-ca string deprecated: use db_ssl_ca - --db-config-appdebug-ssl-ca-path string deprecated: use db_ssl_ca_path - --db-config-appdebug-ssl-cert string deprecated: use db_ssl_cert - --db-config-appdebug-ssl-key string deprecated: use db_ssl_key - --db-config-appdebug-uname string deprecated: use db_appdebug_user (default "vt_appdebug") - --db-config-appdebug-unixsocket string deprecated: use db_socket - --db-config-dba-charset string deprecated: use db_charset (default "utf8mb4") - --db-config-dba-flags uint deprecated: use db_flags - --db-config-dba-flavor string deprecated: use db_flavor - --db-config-dba-host string deprecated: use db_host - --db-config-dba-pass string db dba deprecated: use db_dba_password - --db-config-dba-port int deprecated: use db_port - --db-config-dba-server_name string deprecated: use db_server_name - --db-config-dba-ssl-ca string deprecated: use db_ssl_ca - --db-config-dba-ssl-ca-path string deprecated: use db_ssl_ca_path - --db-config-dba-ssl-cert string deprecated: use db_ssl_cert - --db-config-dba-ssl-key string deprecated: use db_ssl_key - --db-config-dba-uname string deprecated: use db_dba_user (default "vt_dba") - --db-config-dba-unixsocket string deprecated: use db_socket - --db-config-erepl-charset string deprecated: use db_charset (default "utf8mb4") - --db-config-erepl-dbname string deprecated: dbname does not need to be explicitly configured - --db-config-erepl-flags uint deprecated: use db_flags - 
--db-config-erepl-flavor string deprecated: use db_flavor - --db-config-erepl-host string deprecated: use db_host - --db-config-erepl-pass string db erepl deprecated: use db_erepl_password - --db-config-erepl-port int deprecated: use db_port - --db-config-erepl-server_name string deprecated: use db_server_name - --db-config-erepl-ssl-ca string deprecated: use db_ssl_ca - --db-config-erepl-ssl-ca-path string deprecated: use db_ssl_ca_path - --db-config-erepl-ssl-cert string deprecated: use db_ssl_cert - --db-config-erepl-ssl-key string deprecated: use db_ssl_key - --db-config-erepl-uname string deprecated: use db_erepl_user (default "vt_erepl") - --db-config-erepl-unixsocket string deprecated: use db_socket - --db-config-filtered-charset string deprecated: use db_charset (default "utf8mb4") - --db-config-filtered-flags uint deprecated: use db_flags - --db-config-filtered-flavor string deprecated: use db_flavor - --db-config-filtered-host string deprecated: use db_host - --db-config-filtered-pass string db filtered deprecated: use db_filtered_password - --db-config-filtered-port int deprecated: use db_port - --db-config-filtered-server_name string deprecated: use db_server_name - --db-config-filtered-ssl-ca string deprecated: use db_ssl_ca - --db-config-filtered-ssl-ca-path string deprecated: use db_ssl_ca_path - --db-config-filtered-ssl-cert string deprecated: use db_ssl_cert - --db-config-filtered-ssl-key string deprecated: use db_ssl_key - --db-config-filtered-uname string deprecated: use db_filtered_user (default "vt_filtered") - --db-config-filtered-unixsocket string deprecated: use db_socket - --db-config-repl-charset string deprecated: use db_charset (default "utf8mb4") - --db-config-repl-flags uint deprecated: use db_flags - --db-config-repl-flavor string deprecated: use db_flavor - --db-config-repl-host string deprecated: use db_host - --db-config-repl-pass string db repl deprecated: use db_repl_password - --db-config-repl-port int deprecated: use db_port - 
--db-config-repl-server_name string deprecated: use db_server_name - --db-config-repl-ssl-ca string deprecated: use db_ssl_ca - --db-config-repl-ssl-ca-path string deprecated: use db_ssl_ca_path - --db-config-repl-ssl-cert string deprecated: use db_ssl_cert - --db-config-repl-ssl-key string deprecated: use db_ssl_key - --db-config-repl-uname string deprecated: use db_repl_user (default "vt_repl") - --db-config-repl-unixsocket string deprecated: use db_socket --db-credentials-file string db credentials file; send SIGHUP to reload this file --db-credentials-server string db credentials server type ('file' - file implementation; 'vault' - HashiCorp Vault implementation) (default "file") --db-credentials-vault-addr string URL to Vault server diff --git a/go/flags/endtoend/vttestserver.txt b/go/flags/endtoend/vttestserver.txt index 145807a8e1a..53878b9c16a 100644 --- a/go/flags/endtoend/vttestserver.txt +++ b/go/flags/endtoend/vttestserver.txt 
@@ -16,17 +16,6 @@ Usage of vttestserver: --compression-level int what level to pass to the compressor. (default 1) --consul_auth_static_file string JSON File to read the topos/tokens from. --data_dir string Directory where the data files will be placed, defaults to a random directory under /vt/vtdataroot - --db-credentials-file string db credentials file; send SIGHUP to reload this file - --db-credentials-server string db credentials server type ('file' - file implementation; 'vault' - HashiCorp Vault implementation) (default "file") - --db-credentials-vault-addr string URL to Vault server - --db-credentials-vault-path string Vault path to credentials JSON blob, e.g.: secret/data/prod/dbcreds - --db-credentials-vault-role-mountpoint string Vault AppRole mountpoint; can also be passed using VAULT_MOUNTPOINT environment variable (default "approle") - --db-credentials-vault-role-secretidfile string Path to file containing Vault AppRole secret_id; can also be passed using VAULT_SECRETID environment variable - --db-credentials-vault-roleid string Vault AppRole id; can also be passed using VAULT_ROLEID environment variable - --db-credentials-vault-timeout duration Timeout for vault API operations (default 10s) - --db-credentials-vault-tls-ca string Path to CA PEM for validating Vault server certificate - --db-credentials-vault-tokenfile string Path to file containing Vault auth token; token can also be passed using VAULT_TOKEN environment variable - --db-credentials-vault-ttl duration How long to cache DB credentials from the Vault server (default 30m0s) --dba_idle_timeout duration Idle timeout for dba connections (default 1m0s) --dba_pool_size int Size of the connection pool for dba connections (default 20) --default_schema_dir string Default directory for initial schema files. If no schema is found in schema_dir, default to this location. diff --git a/go/vt/dbconfigs/credentials.go b/go/vt/dbconfigs/credentials.go index 1ed3928d008..1f0a0bbb0e2 100644 
--- a/go/vt/dbconfigs/credentials.go
+++ b/go/vt/dbconfigs/credentials.go
@@ -33,32 +33,38 @@ import (
 "time"
 vaultapi "github.com/aquarapid/vaultlib"
+ "github.com/spf13/pflag"
 "vitess.io/vitess/go/mysql"
 "vitess.io/vitess/go/vt/log"
+ "vitess.io/vitess/go/vt/servenv"
 )
 var (
- // generic flags
- dbCredentialsServer = flag.String("db-credentials-server", "file", "db credentials server type ('file' - file implementation; 'vault' - HashiCorp Vault implementation)")
-
- // 'file' implementation flags
- dbCredentialsFile = flag.String("db-credentials-file", "", "db credentials file; send SIGHUP to reload this file")
-
- // 'vault' implementation flags
- vaultAddr = flag.String("db-credentials-vault-addr", "", "URL to Vault server")
- vaultTimeout = flag.Duration("db-credentials-vault-timeout", 10*time.Second, "Timeout for vault API operations")
- vaultCACert = flag.String("db-credentials-vault-tls-ca", "", "Path to CA PEM for validating Vault server certificate")
- vaultPath = flag.String("db-credentials-vault-path", "", "Vault path to credentials JSON blob, e.g.: secret/data/prod/dbcreds")
- vaultCacheTTL = flag.Duration("db-credentials-vault-ttl", 30*time.Minute, "How long to cache DB credentials from the Vault server")
- vaultTokenFile = flag.String("db-credentials-vault-tokenfile", "", "Path to file containing Vault auth token; token can also be passed using VAULT_TOKEN environment variable")
- vaultRoleID = flag.String("db-credentials-vault-roleid", "", "Vault AppRole id; can also be passed using VAULT_ROLEID environment variable")
- vaultRoleSecretIDFile = flag.String("db-credentials-vault-role-secretidfile", "", "Path to file containing Vault AppRole secret_id; can also be passed using VAULT_SECRETID environment variable")
- vaultRoleMountPoint = flag.String("db-credentials-vault-role-mountpoint", "approle", "Vault AppRole mountpoint; can also be passed using VAULT_MOUNTPOINT environment variable")
+ dbCredentialsServer = "file"
+ dbCredentialsFile string
+ vaultAddr string
+ vaultTimeout = 10 * time.Second
+ vaultCACert string
+ vaultPath string
+ vaultCacheTTL = 30 * time.Minute
+ vaultTokenFile string
+ vaultRoleID string
+ vaultRoleSecretIDFile string
+ vaultRoleMountPoint = "approle"
 // ErrUnknownUser is returned by credential server when the
 // user doesn't exist
 ErrUnknownUser = errors.New("unknown user")
+
+ cmdsWithDBCredentials = []string{
+ "mysqlctl",
+ "mysqlctld",
+ "vtbackup",
+ "vtcombo",
+ "vtgr",
+ "vttablet",
+ }
 )
 // CredentialsServer is the interface for a credential server
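Review bot: `cmdsWithDBCredentials` is added to the var block without a comment, and the same hunk drops the `// generic flags`, `// 'file' implementation flags` and `// 'vault' implementation flags` group comments that explained the variables above it. The list decides which binaries accept flags pointing at a credentials file or at Vault token and secret_id files, so it should say so, for example `// cmdsWithDBCredentials lists the binaries for which init registers the db-credentials-* flags.` A short comment on the variable group noting that the initial values double as the flag defaults would also help, since those defaults used to be visible in the `flag.String` calls.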
@@ -76,12 +82,55 @@ type CredentialsServer interface {
 // been parsed.
 var AllCredentialsServers = make(map[string]CredentialsServer)
+func init() {
+ AllCredentialsServers["file"] = &FileCredentialsServer{}
+ AllCredentialsServers["vault"] = &VaultCredentialsServer{}
+
+ sigChan := make(chan os.Signal, 1)
+ signal.Notify(sigChan, syscall.SIGHUP)
+ go func() {
+ for range sigChan {
+ if fcs, ok := AllCredentialsServers["file"].(*FileCredentialsServer); ok {
+ fcs.mu.Lock()
+ fcs.dbCredentials = nil
+ fcs.mu.Unlock()
+ }
+ if vcs, ok := AllCredentialsServers["vault"].(*VaultCredentialsServer); ok {
+ vcs.mu.Lock()
+ vcs.dbCredsCache = nil
+ vcs.mu.Unlock()
+ }
+ }
+ }()
+
+ for _, cmd := range cmdsWithDBCredentials {
+ servenv.OnParseFor(cmd, func(fs *pflag.FlagSet) {
+ // generic flags
+ fs.StringVar(&dbCredentialsServer, "db-credentials-server", dbCredentialsServer, "db credentials server type ('file' - file implementation; 'vault' - HashiCorp Vault implementation)")
+
+ // 'file' implementation flags
+ fs.StringVar(&dbCredentialsFile, "db-credentials-file", dbCredentialsFile, "db credentials file; send SIGHUP to reload this file")
+
+ // 'vault' implementation flags
+ flag.StringVar(&vaultAddr, "db-credentials-vault-addr", vaultAddr, "URL to Vault server")
+ flag.DurationVar(&vaultTimeout, "db-credentials-vault-timeout", vaultTimeout, "Timeout for vault API operations")
+ flag.StringVar(&vaultCACert, "db-credentials-vault-tls-ca", vaultCACert, "Path to CA PEM for validating Vault server certificate")
+ flag.StringVar(&vaultPath, "db-credentials-vault-path", vaultPath, "Vault path to credentials JSON blob, e.g.: secret/data/prod/dbcreds")
+ flag.DurationVar(&vaultCacheTTL, "db-credentials-vault-ttl", vaultCacheTTL, "How long to cache DB credentials from the Vault server")
+ flag.StringVar(&vaultTokenFile, "db-credentials-vault-tokenfile", vaultTokenFile, "Path to file containing Vault auth token; token can also be passed using VAULT_TOKEN environment variable")
+ flag.StringVar(&vaultRoleID, "db-credentials-vault-roleid", vaultRoleID, "Vault AppRole id; can also be passed using VAULT_ROLEID environment variable")
+ flag.StringVar(&vaultRoleSecretIDFile, "db-credentials-vault-role-secretidfile", vaultRoleSecretIDFile, "Path to file containing Vault AppRole secret_id; can also be passed using VAULT_SECRETID environment variable")
+ flag.StringVar(&vaultRoleMountPoint, "db-credentials-vault-role-mountpoint", vaultRoleMountPoint, "Vault AppRole mountpoint; can also be passed using VAULT_MOUNTPOINT environment variable")
+ })
+ }
+}
+
 // GetCredentialsServer returns the current CredentialsServer. Only valid
 // after flag.Init was called.
 func GetCredentialsServer() CredentialsServer {
- cs, ok := AllCredentialsServers[*dbCredentialsServer]
+ cs, ok := AllCredentialsServers[dbCredentialsServer]
 if !ok {
- log.Exitf("Invalid credential server: %v", *dbCredentialsServer)
+ log.Exitf("Invalid credential server: %v", dbCredentialsServer)
 }
 return cs
 }
@@ -110,7 +159,7 @@ func (fcs *FileCredentialsServer) GetUserAndPassword(user string) (string, strin
 fcs.mu.Lock()
 defer fcs.mu.Unlock()
- if *dbCredentialsFile == "" {
+ if dbCredentialsFile == "" {
 return "", "", ErrUnknownUser
 }
@@ -118,14 +167,14 @@ func (fcs *FileCredentialsServer) GetUserAndPassword(user string) (string, strin
 if fcs.dbCredentials == nil {
 fcs.dbCredentials = make(map[string][]string)
- data, err := os.ReadFile(*dbCredentialsFile)
+ data, err := os.ReadFile(dbCredentialsFile)
 if err != nil {
- log.Warningf("Failed to read dbCredentials file: %v", *dbCredentialsFile)
+ log.Warningf("Failed to read dbCredentials file: %v", dbCredentialsFile)
 return "", "", err
 }
 if err = json.Unmarshal(data, &fcs.dbCredentials); err != nil {
- log.Warningf("Failed to parse dbCredentials file: %v", *dbCredentialsFile)
+ log.Warningf("Failed to parse dbCredentials file: %v", dbCredentialsFile)
 return "", "", err
 }
 }
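Review bot: The nine Vault flags inside the `servenv.OnParseFor` callback in the new `init` (the `@@ -76,12 +82,55 @@` hunk) are registered with `flag.StringVar` and `flag.DurationVar` on the process-wide standard-library flag set, while the two lines above them use the `fs` that the callback receives. That only works if the global set happens to be merged into the command's pflag set after this callback has run, which the hunk does not show, and it leaves the Vault address, token-file and secret_id-file options outside the per-command registration the commit is introducing. Each of them should go through the callback's flag set, e.g. `fs.StringVar(&vaultAddr, "db-credentials-vault-addr", vaultAddr, "URL to Vault server")` and `fs.DurationVar(&vaultTimeout, "db-credentials-vault-timeout", vaultTimeout, "Timeout for vault API operations")`, and likewise for the remaining seven. Once that is done it is worth checking whether the file's `flag` import is still needed; the import block starts outside the hunk.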
@@ -143,7 +192,7 @@ func (vcs *VaultCredentialsServer) GetUserAndPassword(user string) (string, stri
 defer vcs.mu.Unlock()
 if vcs.vaultCacheExpireTicker == nil {
- vcs.vaultCacheExpireTicker = time.NewTicker(*vaultCacheTTL)
+ vcs.vaultCacheExpireTicker = time.NewTicker(vaultCacheTTL)
 go func() {
 for range vcs.vaultCacheExpireTicker.C {
 if vcs, ok := AllCredentialsServers["vault"].(*VaultCredentialsServer); ok {
@@ -161,15 +210,15 @@ func (vcs *VaultCredentialsServer) GetUserAndPassword(user string) (string, stri
 return user, vcs.dbCredsCache[user][0], nil
 }
- if *vaultAddr == "" {
+ if vaultAddr == "" {
 return "", "", errors.New("No Vault server specified")
 }
- token, err := readFromFile(*vaultTokenFile)
+ token, err := readFromFile(vaultTokenFile)
 if err != nil {
 return "", "", errors.New("No Vault token in provided filename")
 }
- secretID, err := readFromFile(*vaultRoleSecretIDFile)
+ secretID, err := readFromFile(vaultRoleSecretIDFile)
 if err != nil {
 return "", "", errors.New("No Vault secret_id in provided filename")
 }
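Review bot: `time.NewTicker(vaultCacheTTL)` in the `@@ -143,7 +192,7 @@` hunk panics when the duration is zero or negative, and `vaultCacheTTL` comes straight from `--db-credentials-vault-ttl` with no range check visible here. An operator who sets the TTL to `0` to disable caching would crash the process on the first credential lookup instead of getting an error. A guard before the ticker is created keeps that a configuration error: `if vaultCacheTTL <= 0 { return "", "", errors.New("db-credentials-vault-ttl must be greater than zero") }`. The body of `GetUserAndPassword` starts and ends outside the hunk, so the check may fit better wherever the flags are validated.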
@@ -182,25 +231,25 @@ func (vcs *VaultCredentialsServer) GetUserAndPassword(user string) (string, stri
 // All these can be overriden by environment
 // so we need to check if they have been set by NewConfig
 if config.Address == "" {
- config.Address = *vaultAddr
+ config.Address = vaultAddr
 }
 if config.Timeout == (0 * time.Second) {
- config.Timeout = *vaultTimeout
+ config.Timeout = vaultTimeout
 }
 if config.CACert == "" {
- config.CACert = *vaultCACert
+ config.CACert = vaultCACert
 }
 if config.Token == "" {
 config.Token = token
 }
 if config.AppRoleCredentials.RoleID == "" {
- config.AppRoleCredentials.RoleID = *vaultRoleID
+ config.AppRoleCredentials.RoleID = vaultRoleID
 }
 if config.AppRoleCredentials.SecretID == "" {
 config.AppRoleCredentials.SecretID = secretID
 }
 if config.AppRoleCredentials.MountPoint == "" {
- config.AppRoleCredentials.MountPoint = *vaultRoleMountPoint
+ config.AppRoleCredentials.MountPoint = vaultRoleMountPoint
 }
 if config.CACert != "" {
@@ -217,7 +266,7 @@ func (vcs *VaultCredentialsServer) GetUserAndPassword(user string) (string, stri
 }
 }
- secret, err := vcs.vaultClient.GetSecret(*vaultPath)
+ secret, err := vcs.vaultClient.GetSecret(vaultPath)
 if err != nil {
 log.Errorf("Error in Vault server params: %v", err)
 return "", "", ErrUnknownUser
@@ -272,25 +321,3 @@ func withCredentials(cp *mysql.ConnParams) (*mysql.ConnParams, error) {
 }
 return &result, err
 }
-
-func init() {
- AllCredentialsServers["file"] = &FileCredentialsServer{}
- AllCredentialsServers["vault"] = &VaultCredentialsServer{}
-
- sigChan := make(chan os.Signal, 1)
- signal.Notify(sigChan, syscall.SIGHUP)
- go func() {
- for range sigChan {
- if fcs, ok := AllCredentialsServers["file"].(*FileCredentialsServer); ok {
- fcs.mu.Lock()
- fcs.dbCredentials = nil
- fcs.mu.Unlock()
- }
- if vcs, ok := AllCredentialsServers["vault"].(*VaultCredentialsServer); ok {
- vcs.mu.Lock()
- vcs.dbCredsCache = nil
- vcs.mu.Unlock()
- }
- }
- }()
-}
diff --git a/go/vt/dbconfigs/dbconfigs.go b/go/vt/dbconfigs/dbconfigs.go
index 250c54a46f6..5ab5e7a9356 100644
--- a/go/vt/dbconfigs/dbconfigs.go
+++ b/go/vt/dbconfigs/dbconfigs.go
@@ -23,8 +23,10 @@ package dbconfigs
 import (
 "context"
 "encoding/json"
- "flag"
+ "github.com/spf13/pflag"
+
+ "vitess.io/vitess/go/vt/servenv"
 "vitess.io/vitess/go/vt/vttls"
 "vitess.io/vitess/go/mysql"
@@ -49,7 +51,7 @@ const (
 )
 var (
- // GlobalDBConfigs contains the initial values of dbconfgis from flags.
+ // GlobalDBConfigs contains the initial values of dbconfigs from flags.
 GlobalDBConfigs DBConfigs
 // All can be used to register all flags: RegisterFlags(All...)
@@ -113,64 +115,47 @@ type UserConfig struct { UseTCP bool `json:"useTcp,omitempty"` } -// RegisterFlags registers the flags for the given DBConfigFlag. -// For instance, vttablet will register client, dba and repl. -// Returns all registered flags. +// RegisterFlags registers the base DBFlags, credentials flags, and the user +// specific ones for the specified system users for the requesting command. +// For instance, the vttablet command will register flags for all users +// as defined in the dbconfigs.All variable. func RegisterFlags(userKeys ...string) { - registerBaseFlags() - for _, userKey := range userKeys { - uc, cp := GlobalDBConfigs.getParams(userKey, &GlobalDBConfigs) - registerPerUserFlags(userKey, uc, cp) - } -} - -func registerBaseFlags() { - flag.StringVar(&GlobalDBConfigs.Socket, "db_socket", "", "The unix socket to connect on. If this is specified, host and port will not be used.") - flag.StringVar(&GlobalDBConfigs.Host, "db_host", "", "The host name for the tcp connection.") - flag.IntVar(&GlobalDBConfigs.Port, "db_port", 0, "tcp port") - flag.StringVar(&GlobalDBConfigs.Charset, "db_charset", "utf8mb4", "Character set used for this tablet.") - flag.Uint64Var(&GlobalDBConfigs.Flags, "db_flags", 0, "Flag values as defined by MySQL.") - flag.StringVar(&GlobalDBConfigs.Flavor, "db_flavor", "", "Flavor overrid. Valid value is FilePos.") - flag.Var(&GlobalDBConfigs.SslMode, "db_ssl_mode", "SSL mode to connect with. 
One of disabled, preferred, required, verify_ca & verify_identity.") - flag.StringVar(&GlobalDBConfigs.SslCa, "db_ssl_ca", "", "connection ssl ca") - flag.StringVar(&GlobalDBConfigs.SslCaPath, "db_ssl_ca_path", "", "connection ssl ca path") - flag.StringVar(&GlobalDBConfigs.SslCert, "db_ssl_cert", "", "connection ssl certificate") - flag.StringVar(&GlobalDBConfigs.SslKey, "db_ssl_key", "", "connection ssl key") - flag.StringVar(&GlobalDBConfigs.TLSMinVersion, "db_tls_min_version", "", "Configures the minimal TLS version negotiated when SSL is enabled. Defaults to TLSv1.2. Options: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3.") - flag.StringVar(&GlobalDBConfigs.ServerName, "db_server_name", "", "server name of the DB we are connecting to.") - flag.IntVar(&GlobalDBConfigs.ConnectTimeoutMilliseconds, "db_connect_timeout_ms", 0, "connection timeout to mysqld in milliseconds (0 for no timeout)") - flag.BoolVar(&GlobalDBConfigs.EnableQueryInfo, "db_conn_query_info", false, "enable parsing and processing of QUERY_OK info fields") + servenv.OnParse(func(fs *pflag.FlagSet) { + registerBaseFlags(fs) + for _, userKey := range userKeys { + uc, cp := GlobalDBConfigs.getParams(userKey, &GlobalDBConfigs) + registerPerUserFlags(fs, userKey, uc, cp) + } + }) +} + +func registerBaseFlags(fs *pflag.FlagSet) { + fs.StringVar(&GlobalDBConfigs.Socket, "db_socket", "", "The unix socket to connect on. If this is specified, host and port will not be used.") + fs.StringVar(&GlobalDBConfigs.Host, "db_host", "", "The host name for the tcp connection.") + fs.IntVar(&GlobalDBConfigs.Port, "db_port", 0, "tcp port") + fs.StringVar(&GlobalDBConfigs.Charset, "db_charset", "utf8mb4", "Character set used for this tablet.") + fs.Uint64Var(&GlobalDBConfigs.Flags, "db_flags", 0, "Flag values as defined by MySQL.") + fs.StringVar(&GlobalDBConfigs.Flavor, "db_flavor", "", "Flavor overrid. Valid value is FilePos.") + fs.Var(&GlobalDBConfigs.SslMode, "db_ssl_mode", "SSL mode to connect with. 
One of disabled, preferred, required, verify_ca & verify_identity.") + fs.StringVar(&GlobalDBConfigs.SslCa, "db_ssl_ca", "", "connection ssl ca") + fs.StringVar(&GlobalDBConfigs.SslCaPath, "db_ssl_ca_path", "", "connection ssl ca path") + fs.StringVar(&GlobalDBConfigs.SslCert, "db_ssl_cert", "", "connection ssl certificate") + fs.StringVar(&GlobalDBConfigs.SslKey, "db_ssl_key", "", "connection ssl key") + fs.StringVar(&GlobalDBConfigs.TLSMinVersion, "db_tls_min_version", "", "Configures the minimal TLS version negotiated when SSL is enabled. Defaults to TLSv1.2. Options: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3.") + fs.StringVar(&GlobalDBConfigs.ServerName, "db_server_name", "", "server name of the DB we are connecting to.") + fs.IntVar(&GlobalDBConfigs.ConnectTimeoutMilliseconds, "db_connect_timeout_ms", 0, "connection timeout to mysqld in milliseconds (0 for no timeout)") + fs.BoolVar(&GlobalDBConfigs.EnableQueryInfo, "db_conn_query_info", false, "enable parsing and processing of QUERY_OK info fields") } // The flags will change the global singleton -// TODO(sougou): deprecate the legacy flags. 
-func registerPerUserFlags(userKey string, uc *UserConfig, cp *mysql.ConnParams) { +func registerPerUserFlags(fs *pflag.FlagSet, userKey string, uc *UserConfig, cp *mysql.ConnParams) { newUserFlag := "db_" + userKey + "_user" - flag.StringVar(&uc.User, "db-config-"+userKey+"-uname", "vt_"+userKey, "deprecated: use "+newUserFlag) - flag.StringVar(&uc.User, newUserFlag, "vt_"+userKey, "db "+userKey+" user userKey") + fs.StringVar(&uc.User, newUserFlag, "vt_"+userKey, "db "+userKey+" user userKey") newPasswordFlag := "db_" + userKey + "_password" - flag.StringVar(&uc.Password, "db-config-"+userKey+"-pass", "", "db "+userKey+" deprecated: use "+newPasswordFlag) - flag.StringVar(&uc.Password, newPasswordFlag, "", "db "+userKey+" password") - - flag.BoolVar(&uc.UseSSL, "db_"+userKey+"_use_ssl", true, "Set this flag to false to make the "+userKey+" connection to not use ssl") - - flag.StringVar(&cp.Host, "db-config-"+userKey+"-host", "", "deprecated: use db_host") - flag.IntVar(&cp.Port, "db-config-"+userKey+"-port", 0, "deprecated: use db_port") - flag.StringVar(&cp.UnixSocket, "db-config-"+userKey+"-unixsocket", "", "deprecated: use db_socket") - flag.StringVar(&cp.Charset, "db-config-"+userKey+"-charset", "utf8mb4", "deprecated: use db_charset") - flag.Uint64Var(&cp.Flags, "db-config-"+userKey+"-flags", 0, "deprecated: use db_flags") - flag.StringVar(&cp.SslCa, "db-config-"+userKey+"-ssl-ca", "", "deprecated: use db_ssl_ca") - flag.StringVar(&cp.SslCaPath, "db-config-"+userKey+"-ssl-ca-path", "", "deprecated: use db_ssl_ca_path") - flag.StringVar(&cp.SslCert, "db-config-"+userKey+"-ssl-cert", "", "deprecated: use db_ssl_cert") - flag.StringVar(&cp.SslKey, "db-config-"+userKey+"-ssl-key", "", "deprecated: use db_ssl_key") - flag.StringVar(&cp.ServerName, "db-config-"+userKey+"-server_name", "", "deprecated: use db_server_name") - flag.StringVar(&cp.Flavor, "db-config-"+userKey+"-flavor", "", "deprecated: use db_flavor") - - if userKey == ExternalRepl { - 
flag.StringVar(&cp.DeprecatedDBName, "db-config-"+userKey+"-dbname", "", "deprecated: dbname does not need to be explicitly configured") - } + fs.StringVar(&uc.Password, newPasswordFlag, "", "db "+userKey+" password") + fs.BoolVar(&uc.UseSSL, "db_"+userKey+"_use_ssl", true, "Set this flag to false to make the "+userKey+" connection to not use ssl") } // Connector contains Connection Parameters for mysql connection diff --git a/go/vt/dbconfigs/dbconfigs_test.go b/go/vt/dbconfigs/dbconfigs_test.go index 1d415a4e5ce..a97f2526c17 100644 --- a/go/vt/dbconfigs/dbconfigs_test.go +++ b/go/vt/dbconfigs/dbconfigs_test.go @@ -264,8 +264,8 @@ func TestCredentialsFileHUP(t *testing.T) { t.Fatalf("couldn't create temp file: %v", err) } defer os.Remove(tmpFile.Name()) - *dbCredentialsFile = tmpFile.Name() - *dbCredentialsServer = "file" + dbCredentialsFile = tmpFile.Name() + dbCredentialsServer = "file" oldStr := "str1" jsonConfig := fmt.Sprintf("{\"%s\": [\"%s\"]}", oldStr, oldStr) if err := os.WriteFile(tmpFile.Name(), []byte(jsonConfig), 0600); err != nil { diff --git a/go/vt/vttls/vttls.go b/go/vt/vttls/vttls.go index 40a1ca72028..098ed67eec4 100644 --- a/go/vt/vttls/vttls.go +++ b/go/vt/vttls/vttls.go @@ -61,6 +61,12 @@ func (mode *SslMode) String() string { return string(*mode) } +// Type returns the value type, part of the pflag Value interface +// for allowing this to be used as a generic flag. +func (mode *SslMode) Type() string { + return "SslMode" +} + // Set updates the value of the SslMode pointer, part of the Value interface // for allowing to update a flag. func (mode *SslMode) Set(value string) error {
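Review bot: `registerPerUserFlags` still takes the database password as a plain command-line value through `db_<userKey>_password`, and its help text gives no hint that command-line arguments are typically readable through the process list and tend to end up in shell history and service definitions. The flag listings earlier in this diff show `--db-credentials-file`, so the help string could steer operators there: `fs.StringVar(&uc.Password, newPasswordFlag, "", "db "+userKey+" password; prefer --db-credentials-file, command-line values are visible in the process list")`. Changing the text would presumably also mean regenerating the `go/flags/endtoend/*.txt` fixtures. Separately, the user flag's help reads `"db "+userKey+" user userKey"` and `db_flavor` says "Flavor overrid", both of which look like typos worth fixing while these lines are rewritten.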
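Review bot: TestCredentialsFileHUP overwrites the package-level `dbCredentialsFile` and `dbCredentialsServer` without restoring the old values, so any test that runs after it in the same package inherits the temp-file path and the "file" server. Saving and restoring them keeps the tests independent of execution order: `defer func(f, s string) { dbCredentialsFile, dbCredentialsServer = f, s }(dbCredentialsFile, dbCredentialsServer)`. The test body continues outside the hunk, so a restore may exist further down that is not visible here.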