Change default MySQL client to MariaDB (#36243)

This PR is a response to pretty catastrophic issue caused by expiring
key on MySQL repository on 14th of December. Oracle does not follow the
best practices for signing their packages (while all others do) and
their packages and repositories are signed with a key with short
expiry date. This basically puts an expiry on their repository, and
anyone who releases images following best practices of installation,
while keeping the repository after installing mysql libraries has to
rebuild their past released images every 2 years or so.

This is the last straw for our MySQL client installation problems (we
had a few, especially for ARM images) and we decided that we will
switch to MariaDB client libraries by default (while allowing our
users to build custom images with MySQL libraries).

The issue tracked in Airflow repository is: #36231

The issues in Oracle's MySQL repo:

* https://bugs.mysql.com/bug.php?id=113427
* https://bugs.mysql.com/bug.php?id=113428
* https://bugs.mysql.com/bug.php?id=113432

This PR implements a number of changes:

* MariaDB client is now default client used for both ARM and X86
* both pre-2023 and 2023 keys for MySQL are now added to be trusted
  when custom image with MySQL client is built
* MySQL repository is removed after installing MySQL (to avoid
  repeating similar fiasco for MySQL users in 2025
* changelog added and instructions on how to build custom image
  with MySQL client
* one of our test suites is converted to use "current" image not
  latest released image (that was bug in our CI).
* test was added in `canary` and `release` builds in CI to also test
  build of custom image with MySQL client

Author: potiuk

.github/workflows/ci.yml

@@ -395,32 +395,6 @@ jobs:
       - name: "Generate client codegen diff"
         run: ./scripts/ci/openapi/client_codegen_diff.sh
 
-  test-examples-of-prod-image-building:
-    timeout-minutes: 60
-    name: "Test examples of production image building"
-    runs-on: ${{fromJSON(needs.build-info.outputs.runs-on)}}
-    needs: [build-info]
-    if: needs.build-info.outputs.ci-image-build == 'true'
-    steps:
-      - name: Cleanup repo
-        run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm -rf /workspace/*"
-      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 2
-          persist-credentials: false
-      - name: "Setup python"
-        uses: actions/setup-python@v4
-        with:
-          python-version: "${{needs.build-info.outputs.default-python-version}}"
-          cache: 'pip'
-          cache-dependency-path: ./dev/requirements.txt
-      - name: "Test examples of PROD image building"
-        run: >
-          cd ./docker_tests &&
-          python -m pip install -r requirements.txt &&
-          python -m pytest test_examples_of_prod_image_building.py -n auto --color=yes
-
   test-git-clone-on-windows:
     timeout-minutes: 5
     name: "Test git clone on Windows"
@@ -1734,6 +1708,63 @@ jobs:
           # TODO: improve caching for that build
           IMAGE_TAG: "bullseye-${{ github.event.pull_request.head.sha || github.sha }}"
 
+  build-prod-images-mysql-client:
+    timeout-minutes: 80
+    name: >
+      Build MysQL Client PROD images (main)
+      ${{needs.build-info.outputs.all-python-versions-list-as-string}}
+    runs-on: ${{fromJSON(needs.build-info.outputs.runs-on)}}
+    needs: [build-info, build-ci-images]
+    if: needs.build-info.outputs.canary-run == 'true'
+    env:
+      DEFAULT_BRANCH: ${{ needs.build-info.outputs.default-branch }}
+      DEFAULT_CONSTRAINTS_BRANCH: ${{ needs.build-info.outputs.default-constraints-branch }}
+      RUNS_ON: "${{needs.build-info.outputs.runs-on}}"
+      BACKEND: sqlite
+      VERSION_SUFFIX_FOR_PYPI: "dev0"
+      DEBUG_RESOURCES: ${{needs.build-info.outputs.debug-resources}}
+      # Force more parallelism for build even on public images
+      PARALLELISM: 6
+    steps:
+      - name: Cleanup repo
+        run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm -rf /workspace/*"
+        if: >
+          needs.build-info.outputs.in-workflow-build == 'true' &&
+          needs.build-info.outputs.default-branch == 'main'
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ needs.build-info.outputs.targetCommitSha }}
+          persist-credentials: false
+          submodules: recursive
+        if: >
+          needs.build-info.outputs.in-workflow-build == 'true' &&
+          needs.build-info.outputs.default-branch == 'main'
+      - name: "Install Breeze"
+        uses: ./.github/actions/breeze
+        if: >
+          needs.build-info.outputs.in-workflow-build == 'true' &&
+          needs.build-info.outputs.default-branch == 'main'
+      - name: >
+          Build Bullseye PROD Images
+          ${{needs.build-info.outputs.all-python-versions-list-as-string}}:${{env.IMAGE_TAG}}
+        uses: ./.github/actions/build-prod-images
+        if: >
+          needs.build-info.outputs.in-workflow-build == 'true' &&
+          needs.build-info.outputs.default-branch == 'main'
+        with:
+          build-provider-packages: ${{ needs.build-info.outputs.default-branch == 'main' }}
+          chicken-egg-providers: ${{ needs.build-info.outputs.chicken-egg-providers }}
+        env:
+          UPGRADE_TO_NEWER_DEPENDENCIES: ${{ needs.build-info.outputs.upgrade-to-newer-dependencies }}
+          DOCKER_CACHE: ${{ needs.build-info.outputs.cache-directive }}
+          PYTHON_VERSIONS: ${{needs.build-info.outputs.all-python-versions-list-as-string}}
+          DEBUG_RESOURCES: ${{ needs.build-info.outputs.debug-resources }}
+          INSTALL_MYSQL_CLIENT_TYPE: "mysql"
+          # Do not override the "mariadb" (original) image - just push a new mysql image
+          # TODO: improve caching for that build
+          IMAGE_TAG: "bullseye-${{ github.event.pull_request.head.sha || github.sha }}"
+
+
   build-prod-images-release-branch:
     timeout-minutes: 80
     name: >
@@ -1840,6 +1871,62 @@ jobs:
           # TODO: improve caching for that build
           IMAGE_TAG: "bullseye-${{ github.event.pull_request.head.sha || github.sha }}"
 
+  build-prod-images-mysql-release-branch:
+    timeout-minutes: 80
+    name: >
+      Build MySQL PROD images (v2_*_test)
+      ${{needs.build-info.outputs.all-python-versions-list-as-string}}
+    runs-on: ${{fromJSON(needs.build-info.outputs.runs-on)}}
+    needs: [build-info, generate-constraints]
+    if: needs.build-info.outputs.canary-run == 'true'
+    env:
+      DEFAULT_BRANCH: ${{ needs.build-info.outputs.default-branch }}
+      DEFAULT_CONSTRAINTS_BRANCH: ${{ needs.build-info.outputs.default-constraints-branch }}
+      RUNS_ON: "${{needs.build-info.outputs.runs-on}}"
+      BACKEND: sqlite
+      VERSION_SUFFIX_FOR_PYPI: "dev0"
+      DEBUG_RESOURCES: ${{needs.build-info.outputs.debug-resources}}
+      # Force more parallelism for build even on public images
+      PARALLELISM: 6
+    steps:
+      - name: Cleanup repo
+        run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm -rf /workspace/*"
+        if: >
+          needs.build-info.outputs.in-workflow-build == 'true' &&
+          needs.build-info.outputs.default-branch != 'main'
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ needs.build-info.outputs.targetCommitSha }}
+          persist-credentials: false
+          submodules: recursive
+        if: >
+          needs.build-info.outputs.in-workflow-build == 'true' &&
+          needs.build-info.outputs.default-branch != 'main'
+      - name: "Install Breeze"
+        uses: ./.github/actions/breeze
+        if: >
+          needs.build-info.outputs.in-workflow-build == 'true' &&
+          needs.build-info.outputs.default-branch != 'main'
+      - name: >
+          Build Bullseye PROD Images
+          ${{needs.build-info.outputs.all-python-versions-list-as-string}}:${{env.IMAGE_TAG}}
+        uses: ./.github/actions/build-prod-images
+        if: >
+          needs.build-info.outputs.in-workflow-build == 'true' &&
+          needs.build-info.outputs.default-branch != 'main'
+        with:
+          build-provider-packages: ${{ needs.build-info.outputs.default-branch == 'main' }}
+          chicken-egg-providers: ${{ needs.build-info.outputs.chicken-egg-providers }}
+        env:
+          UPGRADE_TO_NEWER_DEPENDENCIES: ${{ needs.build-info.outputs.upgrade-to-newer-dependencies }}
+          DOCKER_CACHE: ${{ needs.build-info.outputs.cache-directive }}
+          PYTHON_VERSIONS: ${{needs.build-info.outputs.all-python-versions-list-as-string}}
+          DEBUG_RESOURCES: ${{ needs.build-info.outputs.debug-resources }}
+          INSTALL_MYSQL_CLIENT_TYPE: "mysql"
+          # Do not override the "mariadb" image - just push a new mysql image
+          # TODO: improve caching for that build
+          IMAGE_TAG: "mysql-${{ github.event.pull_request.head.sha || github.sha }}"
+
   wait-for-prod-images:
     timeout-minutes: 80
     name: "Wait for PROD images"
@@ -1875,6 +1962,43 @@ jobs:
           DEBUG_RESOURCES: ${{needs.build-info.outputs.debug-resources}}
         if: needs.build-info.outputs.in-workflow-build == 'false'
 
+  test-examples-of-prod-image-building:
+    timeout-minutes: 60
+    name: "Test examples of production image building"
+    runs-on: ${{fromJSON(needs.build-info.outputs.runs-on)}}
+    needs: [build-info, wait-for-prod-images]
+    if: needs.build-info.outputs.prod-image-build == 'true'
+    steps:
+      - name: Cleanup repo
+        run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm -rf /workspace/*"
+      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+          persist-credentials: false
+      - name: "Install Breeze"
+        uses: ./.github/actions/breeze
+      - name: Pull PROD image "${{needs.build-info.outputs.default-python-version}}":${{ env.IMAGE_TAG }}
+        run: breeze prod-image pull --tag-as-latest
+        env:
+          PYTHON_MAJOR_MINOR_VERSION: "${{needs.build-info.outputs.default-python-version}}"
+      - name: "Setup python"
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{needs.build-info.outputs.default-python-version}}
+          cache: 'pip'
+          cache-dependency-path: ./dev/requirements.txt
+      - name: "Test examples of PROD image building"
+        # yamllint disable-line rule:line-length
+        run: >
+          cd ./docker_tests &&
+          python -m pip install -r requirements.txt &&
+          TEST_IMAGE="ghcr.io/${GITHUB_REPOSITORY}/main/prod/python${{env.PYTHON_MAJOR_MINOR_VERSION}}:${{env.IMAGE_TAG}}"
+          python -m pytest test_examples_of_prod_image_building.py -n auto --color=yes
+        env:
+          PYTHON_MAJOR_MINOR_VERSION: "${{needs.build-info.outputs.default-python-version}}"
+
+
   test-docker-compose-quick-start:
     timeout-minutes: 60
     name: "Docker-compose quick start with PROD image verifying"

CI_DIAGRAMS.md

@@ -60,8 +60,6 @@ sequenceDiagram
         Note over Tests: OpenAPI client gen
     and
         Note over Tests: React WWW tests
-    and
-        Note over Tests: Test examples<br>PROD image building
     and
         Note over Tests: Test git clone on Windows
     and
@@ -152,6 +150,11 @@ sequenceDiagram
         end
     end
     par
+        opt
+            GitHub Registry ->> Tests: Pull PROD Images<br>[COMMIT_SHA]
+            Note over Tests: Test examples<br>PROD image building
+        end
+    and
         opt
             GitHub Registry ->> Tests: Pull PROD Images<br>[COMMIT_SHA]
             Note over Tests: Run Kubernetes <br>tests
@@ -343,8 +346,6 @@ sequenceDiagram
         Note over Tests: OpenAPI client gen
     and
         Note over Tests: React WWW tests
-    and
-        Note over Tests: Test examples<br>PROD image building
     and
         Note over Tests: Test git clone on Windows
     end
@@ -400,6 +401,9 @@ sequenceDiagram
         Artifacts ->> Tests: Download source,pypi,no-providers constraints
         Note over Tests: Display constraints diff
         Tests ->> Airflow Repo: Push constraints if changed to 'constraints-BRANCH'
+    and
+        GitHub Registry ->> Tests: Pull PROD Images<br>[COMMIT_SHA]
+        Note over Tests: Test examples<br>PROD image building
     and
         GitHub Registry ->> Tests: Pull PROD Image<br>[COMMIT_SHA]
         Note over Tests: Run Kubernetes <br>tests

Dockerfile

@@ -232,7 +232,7 @@ COLOR_RESET=$'\e[0m'
 readonly COLOR_RESET
 
 : "${INSTALL_MYSQL_CLIENT:?Should be true or false}"
-: "${INSTALL_MYSQL_CLIENT_TYPE:-mysql}"
+: "${INSTALL_MYSQL_CLIENT_TYPE:-mariadb}"
 
 export_key() {
     local key="${1}"
@@ -271,7 +271,7 @@ install_mysql_client() {
         exit 1
     fi
 
-    export_key "467B942D3A79BD29" "mysql"
+    export_key "B7B3B788A8D3785C" "mysql"
 
     echo
     echo "${COLOR_BLUE}Installing Oracle MySQL client version ${MYSQL_LTS_VERSION}: ${1}${COLOR_RESET}"
@@ -283,6 +283,13 @@ install_mysql_client() {
     apt-get install --no-install-recommends -y "${packages[@]}"
     apt-get autoremove -yqq --purge
     apt-get clean && rm -rf /var/lib/apt/lists/*
+
+    # Remove mysql repository from sources.list.d as MySQL repos have a basic flaw that they put expiry
+    # date on their GPG signing keys and they sign their repo with those keys. This means that after a
+    # certain date, the GPG key becomes invalid and if you have the repository added in your sources.list
+    # then you will not be able to install anything from any other repository. This id unlike any other
+    # repository we have seen (for example Postgres, MariaDB, MsSQL - all have non-expiring signing keys)
+    rm /etc/apt/sources.list.d/mysql.list
 }
 
 install_mariadb_client() {
@@ -327,6 +334,9 @@ install_mariadb_client() {
 if [[ ${INSTALL_MYSQL_CLIENT:="true"} == "true" ]]; then
     if [[ $(uname -m) == "arm64" || $(uname -m) == "aarch64" ]]; then
         INSTALL_MYSQL_CLIENT_TYPE="mariadb"
+        echo
+        echo "${COLOR_YELLOW}Client forced to mariadb for ARM${COLOR_RESET}"
+        echo
     fi
 
     if [[ "${INSTALL_MYSQL_CLIENT_TYPE}" == "mysql" ]]; then
@@ -1229,7 +1239,7 @@ COPY --from=scripts install_os_dependencies.sh /scripts/docker/
 RUN bash /scripts/docker/install_os_dependencies.sh dev
 
 ARG INSTALL_MYSQL_CLIENT="true"
-ARG INSTALL_MYSQL_CLIENT_TYPE="mysql"
+ARG INSTALL_MYSQL_CLIENT_TYPE="mariadb"
 ARG INSTALL_MSSQL_CLIENT="true"
 ARG INSTALL_POSTGRES_CLIENT="true"
 ARG AIRFLOW_PIP_VERSION

Dockerfile.ci

@@ -192,7 +192,7 @@ COLOR_RESET=$'\e[0m'
 readonly COLOR_RESET
 
 : "${INSTALL_MYSQL_CLIENT:?Should be true or false}"
-: "${INSTALL_MYSQL_CLIENT_TYPE:-mysql}"
+: "${INSTALL_MYSQL_CLIENT_TYPE:-mariadb}"
 
 export_key() {
     local key="${1}"
@@ -231,7 +231,7 @@ install_mysql_client() {
         exit 1
     fi
 
-    export_key "467B942D3A79BD29" "mysql"
+    export_key "B7B3B788A8D3785C" "mysql"
 
     echo
     echo "${COLOR_BLUE}Installing Oracle MySQL client version ${MYSQL_LTS_VERSION}: ${1}${COLOR_RESET}"
@@ -243,6 +243,13 @@ install_mysql_client() {
     apt-get install --no-install-recommends -y "${packages[@]}"
     apt-get autoremove -yqq --purge
     apt-get clean && rm -rf /var/lib/apt/lists/*
+
+    # Remove mysql repository from sources.list.d as MySQL repos have a basic flaw that they put expiry
+    # date on their GPG signing keys and they sign their repo with those keys. This means that after a
+    # certain date, the GPG key becomes invalid and if you have the repository added in your sources.list
+    # then you will not be able to install anything from any other repository. This id unlike any other
+    # repository we have seen (for example Postgres, MariaDB, MsSQL - all have non-expiring signing keys)
+    rm /etc/apt/sources.list.d/mysql.list
 }
 
 install_mariadb_client() {
@@ -287,6 +294,9 @@ install_mariadb_client() {
 if [[ ${INSTALL_MYSQL_CLIENT:="true"} == "true" ]]; then
     if [[ $(uname -m) == "arm64" || $(uname -m) == "aarch64" ]]; then
         INSTALL_MYSQL_CLIENT_TYPE="mariadb"
+        echo
+        echo "${COLOR_YELLOW}Client forced to mariadb for ARM${COLOR_RESET}"
+        echo
     fi
 
     if [[ "${INSTALL_MYSQL_CLIENT_TYPE}" == "mysql" ]]; then

dev/breeze/src/airflow_breeze/commands/ci_image_commands.py

@@ -45,6 +45,7 @@
     option_image_tag_for_building,
     option_image_tag_for_pulling,
     option_image_tag_for_verifying,
+    option_install_mysql_client_type,
     option_install_providers_from_sources,
     option_platform_multiple,
     option_prepare_buildx_cache,
@@ -300,6 +301,7 @@ def get_exitcode(status: int) -> int:
 @option_eager_upgrade_additional_requirements
 @option_github_repository
 @option_github_token
+@option_install_mysql_client_type
 @option_image_tag_for_building
 @option_include_success_outputs
 @option_install_providers_from_sources
@@ -342,6 +344,7 @@ def build(
     github_token: str | None,
     image_tag: str,
     include_success_outputs,
+    install_mysql_client_type: str,
     install_providers_from_sources: bool,
     parallelism: int,
     platform: str | None,
@@ -413,6 +416,7 @@ def run_build(ci_image_params: BuildCiParams) -> None:
         github_repository=github_repository,
         github_token=github_token,
         image_tag=image_tag,
+        install_mysql_client_type=install_mysql_client_type,
         install_providers_from_sources=install_providers_from_sources,
         prepare_buildx_cache=prepare_buildx_cache,
         push=push,

dev/breeze/src/airflow_breeze/commands/ci_image_commands_config.py

@@ -43,22 +43,23 @@
         {
             "name": "Building images in parallel",
             "options": [
-                "--run-in-parallel",
+                "--debug-resources",
+                "--include-success-outputs",
                 "--parallelism",
                 "--python-versions",
+                "--run-in-parallel",
                 "--skip-cleanup",
-                "--debug-resources",
-                "--include-success-outputs",
             ],
         },
         {
             "name": "Advanced build options (for power users)",
             "options": [
-                "--debian-version",
-                "--python-image",
-                "--commit-sha",
                 "--additional-pip-install-flags",
+                "--commit-sha",
+                "--debian-version",
+                "--install-mysql-client-type",
                 "--install-providers-from-sources",
+                "--python-image",
             ],
         },
         {