@henders
Last active November 18, 2019 18:12
Adding ACLs to Vitess
# -------------------------------- For the User definitions ----------------------------
# Create a K8s secret with the users:
$ echo '{
  "user-service": [
    {
      "UserData": "user-service",
      "Password": "mybadpassword"
    }
  ],
  "other-service": [
    {
      "UserData": "other-service",
      "Password": "myotherbadpassword"
    }
  ]
}' > users.json
$ kubectl create secret generic vitess-users --from-file=users.json
# Change the VTGate stateful sets to set the Users
initContainers:
  - name: init-mysql-creds
    image: "vitess/vtgate:latest"
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - name: creds
        mountPath: "/mysqlcreds"
    env:
      - name: MYSQL_USER_PASSWORDS
        valueFrom:
          secretKeyRef:
            name: vitess-users
            key: users.json
    command: ["bash"]
    args:
      - "-c"
      - |
        # no -x here: shell tracing would print the expanded secret into the container log
        set -e
        echo "$MYSQL_USER_PASSWORDS" > /mysqlcreds/creds.json
# Modify the VTGate container command to add the auth flags, though this should be there by default if using
# helm-generated YAMLs
-mysql_auth_server_impl="static"
-mysql_auth_server_static_file="/mysqlcreds/creds.json"
# -------------------------------- For the ACLs ----------------------------
# Create a k8s secret with the ACLs
$ echo '{
  "table_groups": [
    {
      "name": "users",
      "table_names_or_prefixes": [""],
      "readers": ["user-service"],
      "writers": ["user-service"],
      "admins": ["user-service"]
    }
  ]
}' > user-acls.json
$ kubectl create secret generic vitess-user-acls --from-file=user-acls.json
# In each VTTablet Statefulset:
# modify the `init-vttablet` container and add a reference to the ACL secret:
env:
  - name: MYSQL_USER_ACLS
    valueFrom:
      secretKeyRef:
        name: vitess-user-acls
        key: user-acls.json
# Above the `eval exec` cmd for vttablet (or else it won't execute), add a line
# (quote the variable so the JSON is written out unchanged):
echo "$MYSQL_USER_ACLS" > /vtdataroot/acls.json
# In the main `vttablet` container add the following cmdline params:
-table-acl-config /vtdataroot/acls.json
-queryserver-config-strict-table-acl
-enforce-tableacl-config
# Note you'll need a different ACLs K8s secret for each Keyspace you have: the ACL matches on table name
# only, so one shared ACL file would grant its users the same access to every table of that name in
# every other keyspace.
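Added example, not part of the gist: a small Python model of how Vitess evaluates table ACLs like the one above, used to show the per-keyspace point in the note. The evaluation rules (exact table name or a `%`-suffixed prefix, deny when no group covers the table under strict mode) are a simplified assumption of Vitess's behaviour, and the two ACL configs, keyspace and table names are constructed.

```python
import json

# Constructed ACL config in the gist's format: the "users" group grants
# user-service every role on the tables it names ("%" marks a prefix).
USER_ACLS = json.loads('''{
  "table_groups": [
    {"name": "users", "table_names_or_prefixes": ["users", "user_%"],
     "readers": ["user-service"], "writers": ["user-service"], "admins": ["user-service"]}
  ]
}''')

# Constructed ACL for a second keyspace, where other-service owns a table
# that also happens to be called "users".
BILLING_ACLS = json.loads('''{
  "table_groups": [
    {"name": "users", "table_names_or_prefixes": ["users"],
     "readers": ["other-service"], "writers": ["other-service"], "admins": ["other-service"]}
  ]
}''')

ROLE_KEYS = {"READER": "readers", "WRITER": "writers", "ADMIN": "admins"}

def matching_group(acls, table):
    """First table group whose names/prefixes cover `table`, else None (assumed semantics)."""
    for group in acls["table_groups"]:
        for entry in group["table_names_or_prefixes"]:
            if entry.endswith("%") and table.startswith(entry[:-1]):
                return group
            if entry == table:
                return group
    return None

def authorized(acls, user, table, role):
    """Simplified tableacl decision: may `user` act as `role` on `table`?"""
    group = matching_group(acls, table)
    if group is None:
        return False  # strict-table-acl: a table no group covers is denied
    return user in group.get(ROLE_KEYS[role], [])

def keyspaces_allowing(keyspace_acls, user, table, role):
    """Keyspaces (keyspace -> ACL config its tablets load) that grant the access."""
    return sorted(ks for ks, acls in keyspace_acls.items()
                  if authorized(acls, user, table, role))

# The gist's warning: one secret reused everywhere vs. one ACL secret per keyspace.
SHARED_SECRET = {"users_ks": USER_ACLS, "billing_ks": USER_ACLS}
PER_KEYSPACE = {"users_ks": USER_ACLS, "billing_ks": BILLING_ACLS}
```

With the shared secret, `keyspaces_allowing(SHARED_SECRET, "user-service", "users", "READER")` returns both keyspaces; with per-keyspace ACLs it returns only `users_ks`.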