From 1804203ea1e29ef79d464a2483f8af28cdcfe3ed Mon Sep 17 00:00:00 2001
From: Scott Hussey
Date: Sun, 28 Jan 2018 15:42:14 -0600
Subject: [PATCH] Improve chart database configurability
- Support configured Postgres admin password
- Use secrets for database job environment setup
Change-Id: Icf7ceb4efb1b1bf976ca36e4fdd21b9b7990bc83
---
charts/drydock/templates/bin/_db-init.sh.tpl | 8 ++--
.../templates/job-drydock-db-init.yaml | 41 +++++++++++++++----
.../templates/job-drydock-db-sync.yaml | 5 ++-
charts/drydock/templates/secret-db.yaml | 41 +++++++++++++++++++
charts/drydock/values.yaml | 7 ++--
5 files changed, 85 insertions(+), 17 deletions(-)
create mode 100644 charts/drydock/templates/secret-db.yaml
diff --git a/charts/drydock/templates/bin/_db-init.sh.tpl b/charts/drydock/templates/bin/_db-init.sh.tpl
index 4ec31de5..f48d0437 100644
--- a/charts/drydock/templates/bin/_db-init.sh.tpl
+++ b/charts/drydock/templates/bin/_db-init.sh.tpl
@@ -28,7 +28,7 @@ pgsql_superuser_cmd () {
 psql \
 -h $DB_FQDN \
 -p $DB_PORT \
- -U ${ROOT_DB_USER} \
+ -U ${DB_ADMIN_USER} \
 --command="${DB_COMMAND}"
 }
@@ -36,8 +36,8 @@ pgsql_superuser_cmd () {
 pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME';" | grep -q 1 || pgsql_superuser_cmd "CREATE DATABASE $DB_NAME;"
 # Create db user
-pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$DB_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \
- pgsql_superuser_cmd "CREATE ROLE ${DB_USER} LOGIN PASSWORD '$DB_PASS';"
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$DB_SERVICE_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \
+ pgsql_superuser_cmd "CREATE ROLE ${DB_SERVICE_USER} LOGIN PASSWORD '$DB_SERVICE_PASSWORD';"
 # Grant permissions to user
-pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $DB_NAME to $DB_USER;"
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $DB_NAME to $DB_SERVICE_USER;"
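Review bot: `--command="${DB_COMMAND}"` puts the whole SQL statement on the psql argument vector, and after this change the statement built in the next hunk contains `PASSWORD '$DB_SERVICE_PASSWORD'`, so the service password is readable from the job pod's process table for as long as each psql call runs; the admin credential, by contrast, arrives through `PGPASSWORD` and never touches argv. Feeding the statement on stdin keeps it out of the process list: `printf '%s\n' "$DB_COMMAND" | psql -h "$DB_FQDN" -p "$DB_PORT" -U "$DB_ADMIN_USER"`, which also quotes `$DB_FQDN` and `$DB_PORT`, both unquoted here. pgsql_superuser_cmd's opening line is outside the hunk, so the assignment of `DB_COMMAND` it presumably makes is not visible.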
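Review bot: `CREATE ROLE ${DB_SERVICE_USER} LOGIN PASSWORD '$DB_SERVICE_PASSWORD';` splices the secret value straight into a quoted SQL literal, so a generated password containing `'` breaks the statement, and because the `pg_roles` check skips the `||` branch entirely when the role exists, rotating `DATABASE_PASSWORD` in the user secret never reaches the database — the secret and the role silently diverge. psql can quote the literal itself when the value is passed as a variable (`psql -v pw="$DB_SERVICE_PASSWORD" …` with `PASSWORD :'pw'` in the statement), which requires the SQL to arrive on stdin or via `-f` since `-c` strings are not variable-interpolated; an `ALTER ROLE ${DB_SERVICE_USER} WITH PASSWORD :'pw';` on the role-exists path would then keep the two in step. `$DB_NAME` in `CREATE DATABASE $DB_NAME;` and in the `GRANT` below is likewise unquoted; all of these values come from chart configuration rather than untrusted input, so this is a robustness point rather than an injection path.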
diff --git a/charts/drydock/templates/job-drydock-db-init.yaml b/charts/drydock/templates/job-drydock-db-init.yaml
index ab5f5524..9ecfcead 100644
--- a/charts/drydock/templates/job-drydock-db-init.yaml
+++ b/charts/drydock/templates/job-drydock-db-init.yaml
@@ -43,17 +43,40 @@ spec:
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 env:
 - name: DB_NAME
- value: {{ .Values.database.postgresql.db_name | quote }}
- - name: DB_USER
- value: {{ .Values.endpoints.postgresql.auth.user.username | quote }}
- - name: DB_PASS
- value: {{ .Values.endpoints.postgresql.auth.user.password | quote}}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.postgresql.user }}
+ key: DATABASE_NAME
+ - name: DB_SERVICE_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.postgresql.user }}
+ key: DATABASE_USERNAME
+ - name: DB_SERVICE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.postgresql.user }}
+ key: DATABASE_PASSWORD
 - name: DB_FQDN
- value: {{ tuple "postgresql" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | quote}}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.postgresql.user }}
+ key: DATABASE_HOST
 - name: DB_PORT
- value: {{ tuple "postgresql" "internal" "postgresql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- - name: ROOT_DB_USER
- value: {{ .Values.endpoints.postgresql.auth.admin.username | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.postgresql.user }}
+ key: DATABASE_PORT
+ - name: DB_ADMIN_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.postgresql.admin }}
+ key: DATABASE_USERNAME
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.postgresql.admin }}
+ key: DATABASE_PASSWORD
 command:
 - /tmp/db-init.sh
 volumeMounts:
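Review bot: The new `secretKeyRef` entries render the secret name unquoted (`name: {{ .Values.secrets.postgresql.user }}`, and the two `.admin` references further down), whereas every value they replace went through `| quote`; an override that is all digits or boolean-looking would be typed as a number or bool by the YAML parser and rejected by the API server. `name: {{ .Values.secrets.postgresql.user | quote }}` (and the same for `.admin`) closes that; the db-sync hunk and `name: {{ $secretName }}` in secret-db.yaml have the same gap. Separately, `PGPASSWORD` is the documented libpq way to hand psql the admin password, but an environment variable is inherited by every process `/tmp/db-init.sh` spawns; if the chart's volume conventions allow it, mounting a pgpass-formatted entry from the admin secret and pointing `PGPASSFILE` at it would confine the credential to psql itself.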
diff --git a/charts/drydock/templates/job-drydock-db-sync.yaml b/charts/drydock/templates/job-drydock-db-sync.yaml
index 2e9d32d9..cc770def 100644
--- a/charts/drydock/templates/job-drydock-db-sync.yaml
+++ b/charts/drydock/templates/job-drydock-db-sync.yaml
@@ -43,7 +43,10 @@ spec:
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 env:
 - name: DRYDOCK_DB_URL
- value: {{ tuple "postgresql" "internal" "user" "postgresql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.postgresql.user }}
+ key: DATABASE_URI
 command:
 - /tmp/db-sync.sh
 volumeMounts:
diff --git a/charts/drydock/templates/secret-db.yaml b/charts/drydock/templates/secret-db.yaml
new file mode 100644
index 00000000..3f88b932
--- /dev/null
+++ b/charts/drydock/templates/secret-db.yaml
@@ -0,0 +1,41 @@
+{{/*
+# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{- if .Values.manifests.secret_database }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.postgresql $userClass }}
+{{- $auth := index $envAll.Values.endpoints.postgresql.auth $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DATABASE_HOST: |-
+{{ tuple "postgresql" "internal" $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | b64enc | indent 4 }}
+ DATABASE_USERNAME: |-
+{{ $auth.username | b64enc | indent 4 }}
+ DATABASE_PASSWORD: |-
+{{ $auth.password | b64enc | indent 4 }}
+ DATABASE_NAME: |-
+{{ $auth.database | default "" | b64enc | indent 4 }}
+ DATABASE_PORT: {{ tuple "postgresql" "internal" "postgresql" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | b64enc }}
+ DATABASE_URI: |-
+{{ tuple "postgresql" "internal" "user" "postgresql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc | indent 4 }}
+...
+{{- end }}
+{{- end }}
diff --git a/charts/drydock/values.yaml b/charts/drydock/values.yaml
index 7eae0fa4..25e9b5de 100644
--- a/charts/drydock/values.yaml
+++ b/charts/drydock/values.yaml
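Review bot: `DATABASE_URI` is built with the literal user class `"user"` inside a loop that ranges over `"admin"` and `"user"`, so the rendered admin secret (`drydock-postgresql-admin` with the default values) carries the service user's URI — service-user credentials stored under the admin secret, and a key whose content does not match its name. Use the loop variable instead: `{{ tuple "postgresql" "internal" $userClass "postgresql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc | indent 4 }}`. `DATABASE_PORT` is the only key rendered inline while its siblings use `|-` with `indent 4`, and `$key1` is never used (`range $userClass := tuple "admin" "user"` suffices). `DATABASE_NAME` guards a missing `database` with `default ""` but `DATABASE_PASSWORD` has no such guard, so a user class with no password configured presumably fails at render time rather than producing an empty key; if that is intended, a one-line comment saying so would save the next reader a trip to the template engine.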
@@ -112,6 +112,7 @@ manifests:
 job_drydock_db_init: true
 job_drydock_db_sync: true
 secret_keystone: true
+ secret_database: true
 configmap_etc: true
 configmap_bin: true
 service_drydock: true
@@ -214,6 +215,7 @@ endpoints:
 user:
 username: drydock
 password: password
+ database: drydock
 hosts:
 default: postgresql
 path: /drydock
@@ -228,10 +230,9 @@ secrets:
 identity:
 admin: drydock-keystone-admin
 user: drydock-keystone-user
-
-database:
 postgresql:
- db_name: drydock
+ admin: drydock-postgresql-admin
+ user: drydock-postgresql-user
 # Settings for drydock.conf
 conf:
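Review bot: Deleting the top-level `database:` stanza re-parents the surviving `postgresql:` key under `secrets:`, and nothing else in this patch touches readers of the removed `.Values.database.postgresql.db_name`; if a template outside these hunks (the drydock.conf configmap, say) still references it, that render would presumably now fail, since a nested lookup under a missing map errors in Go templates, so a grep for the old path is worth doing before merging. A comment above the re-parented key would make its new role obvious: `# Names of the Secrets rendered by secret-db.yaml and consumed by the db-init/db-sync jobs`. The `database: drydock` added under `endpoints.postgresql.auth.user` in the second hunk has no counterpart under `admin`, so the admin secret's `DATABASE_NAME` renders as the empty string via the template's `default ""` — harmless for the init job, which reads DB_NAME from the user secret, but a one-line comment there would stop someone adding it to `admin` expecting a different effect.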