From 2ad09ad90a6906acc4754d40aab6e8708137138c Mon Sep 17 00:00:00 2001 From: Scott Hussey Date: Fri, 12 Jan 2018 08:15:05 -0600 Subject: [PATCH] Use secrets for admin user bs For better security use Kubernetes secrets to set environmental variables for the bootstrapping job - Create secret manifest for the MaaS admin user - Update job-bootstrap-admin-user to use secret for environment setup - Update job-export-api-key to source admin username from secret - Update job-import to source admin username from secret Change-Id: I0ea5a5517c5a90f481c459e836f081f3d2744dad --- .../templates/job-bootstrap-admin-user.yaml | 15 +++++++-- charts/maas/templates/job-export-api-key.yaml | 5 ++- charts/maas/templates/job-import.yaml | 5 ++- charts/maas/templates/secret-admin-user.yaml | 31 +++++++++++++++++++ charts/maas/templates/statefulset-region.yaml | 2 ++ charts/maas/values.yaml | 10 ++++-- 6 files changed, 60 insertions(+), 8 deletions(-) create mode 100644 charts/maas/templates/secret-admin-user.yaml
diff --git a/charts/maas/templates/job-bootstrap-admin-user.yaml b/charts/maas/templates/job-bootstrap-admin-user.yaml
index 68a6f04..13e445e 100644
--- a/charts/maas/templates/job-bootstrap-admin-user.yaml
+++ b/charts/maas/templates/job-bootstrap-admin-user.yaml
@@ -42,11 +42,20 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap_admin_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} env: - name: ADMIN_USERNAME - value: {{ .Values.conf.maas.credentials.admin_username }} + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.maas_users.admin }} + key: USERNAME - name: ADMIN_PASSWORD - value: {{ .Values.conf.maas.credentials.admin_password }} + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.maas_users.admin }} + key: PASSWORD - name: ADMIN_EMAIL - value: {{ .Values.conf.maas.credentials.admin_email}} + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.maas_users.admin }} + key: EMAIL command: - /tmp/bootstrap-admin-user.sh volumeMounts:
diff --git a/charts/maas/templates/job-export-api-key.yaml b/charts/maas/templates/job-export-api-key.yaml
index dae3d4e..7ebe6bd 100644
--- a/charts/maas/templates/job-export-api-key.yaml
+++ b/charts/maas/templates/job-export-api-key.yaml
@@ -71,7 +71,10 @@ spec:
- name: SECRET_NAMESPACE value: {{ .Values.conf.maas.credentials.secret.namespace }} - name: ADMIN_USERNAME - value: {{ .Values.conf.maas.credentials.admin_username }} + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.maas_users.admin }} + key: USERNAME - name: SECRET_NAME value: {{ .Values.conf.maas.credentials.secret.name }} command:
diff --git a/charts/maas/templates/job-import.yaml b/charts/maas/templates/job-import.yaml
index 8ea093c..4a5ce30 100644
--- a/charts/maas/templates/job-import.yaml
+++ b/charts/maas/templates/job-import.yaml
@@ -45,7 +45,10 @@ spec:
- name: JOB_TIMEOUT value: {{ .Values.jobs.import_boot_resources.timeout | quote }} - name: ADMIN_USERNAME - value: {{ .Values.conf.maas.credentials.admin_username }} + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.maas_users.admin }} + key: USERNAME - name: RETRY_TIMER value: {{ .Values.jobs.import_boot_resources.retry_timer | quote }} - name: MAAS_ENDPOINT
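Review bot: The secret name is rendered unquoted in each new `secretKeyRef.name` line (`name: {{ .Values.secrets.maas_users.admin }}`), while the neighbouring templated values in the job-import.yaml hunk already pass through `| quote`; a value YAML would reinterpret (one containing `: ` or starting with `*`, for instance) would break the render or change the reference, so `name: {{ .Values.secrets.maas_users.admin | quote }}` is the safer form. The same applies to the job-export-api-key.yaml and job-import.yaml hunks below. The keys `USERNAME`, `PASSWORD` and `EMAIL` are now a contract with secret-admin-user.yaml that is only checked when the pod starts (a missing key is a container start failure, not a render error), so a short comment next to `env:` such as `# keys must match charts/maas/templates/secret-admin-user.yaml` would make the dependency visible. The enclosing Job spec starts and ends outside the hunk.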
diff --git a/charts/maas/templates/secret-admin-user.yaml b/charts/maas/templates/secret-admin-user.yaml
new file mode 100644
index 0000000..87e8599
--- /dev/null
+++ b/charts/maas/templates/secret-admin-user.yaml
@@ -0,0 +1,31 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" }}
+{{- $secretName := index $envAll.Values.secrets.maas_users $userClass }}
+{{- $auth := index $envAll.Values.endpoints.maas_region_ui.auth $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ USERNAME: {{ $auth.username | b64enc }}
+ PASSWORD: {{ $auth.password | b64enc }}
+ EMAIL: {{ $auth.email | b64enc }}
+{{ end }}
diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml
index de6c8fb..d345ee5 100644
--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@@ -27,6 +27,8 @@ metadata:
spec: serviceName: maas-region-ui replicas: {{ .Values.pod.replicas.region }} + updateStrategy: + type: 'RollingUpdate' template: metadata: labels:
diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml
index d4d50b0..f65bc03 100644
--- a/charts/maas/values.yaml
+++ b/charts/maas/values.yaml
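Review bot: `PASSWORD: {{ $auth.password | b64enc }}` and the two sibling lines in the `data:` block abort the render with a Go template type error when a value is absent or was parsed as a non-string (an override like `password: 1234` arrives as an int), which is hard to trace back to values.yaml from the install output. If the chart's minimum Helm version provides `required`, `PASSWORD: {{ required "endpoints.maas_region_ui.auth.admin.password must be set" $auth.password | b64enc }}` (and likewise for `USERNAME` and `EMAIL`) turns the missing case into a named failure; the non-string case still needs a comment on the values side. The Secret also carries no labels or namespace on `metadata:`; if the chart's other manifests attach release labels, this one should match so it is selected and removed with the release. The whole file is within the hunk.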
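Review bot: The `updateStrategy:` / `type: 'RollingUpdate'` addition to statefulset-region.yaml is unrelated to the secrets work and is not mentioned in the commit message; depending on the `apiVersion` the file declares (outside this hunk — `apps/v1beta1` defaults to `OnDelete`, I believe), it changes how the region StatefulSet rolls out and deserves its own commit or at least a line in the message. Stylistically, `'RollingUpdate'` is single-quoted while the neighbouring scalars such as `serviceName: maas-region-ui` are plain, so `type: RollingUpdate` matches the file. The enclosing `spec:` block continues past the hunk.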
@@ -147,9 +147,6 @@ conf:
database_user: maas database_password: password credentials: - admin_username: admin - admin_password: admin - admin_email: support@nowhere.com secret: namespace: maas name: maas-api-key
@@ -158,6 +155,8 @@ secrets:
maas_db: admin: maas-db-admin user: maas-db-user + maas_users: + admin: maas-admin maas_region: name: maas-region-secret value: 3858f62230ac3c915f300c664312c63f
@@ -262,6 +261,11 @@ endpoints:
default: null maas_region_ui: name: maas-region-ui + auth: + admin: + username: admin + password: admin + email: none@none hosts: default: maas-region-ui public: maas
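Review bot: The new `endpoints.maas_region_ui.auth.admin` block in the third hunk ships a working default credential (`username: admin`, `password: admin`) with nothing telling operators to override it; secret-admin-user.yaml only base64-encodes whatever is here, so the Secret is exactly as confidential as this values file. A comment above `auth:` such as `# Bootstrap credentials for the MaaS admin user; defaults are for development only and must be overridden per deployment` makes that explicit. Because the template pipes each field through `b64enc`, overrides must stay strings — `password: 1234` or `password: no` would be parsed as int/bool and break the render — so quoting the defaults (`password: "admin"`) documents the expectation. `email: none@none` is also unlikely to pass a typical address validator; if `/tmp/bootstrap-admin-user.sh` hands it to a MaaS command that validates addresses, the bootstrap job would fail with this default, which is worth confirming. The other two hunks in this file raise nothing.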