authorNishant Kumar <nk613n@att.com>2019-02-05 16:51:16 +0000
committerNishant Kumar <nk613n@att.com>2019-03-05 18:45:22 +0000
commit20df4f6eaa2d4c1af66dccf7e985403d3d10ee74 (patch)
treedf3b242547f54970932b47031d2083ee3e2c31fa
parent5e4ab93da83733a3ccc3f2f50d812242f11fe82e (diff)
Support for password rotation
- This PS adds support for password rotation for 'maas-region' password and 'maas-postgres-password'. - This PS enables MAAS to use the newly created helm-toolkit script for postgreSQL DB initialization Depends-On: https://review.openstack.org/#/c/635348/ Change-Id: Ibb36761351d8c34933a3bb71555bb23e8247a069
Notes
Notes (review): Code-Review+2: Scott Hussey <sthussey@att.com> Code-Review+1: Sirajudeen <sirajudeen.yasin@gmail.com> Code-Review+2: Drew Walters <drewwalters96@gmail.com> Workflow+1: Drew Walters <drewwalters96@gmail.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Thu, 07 Mar 2019 20:42:45 +0000 Reviewed-on: https://review.openstack.org/634981 Project: openstack/airship-maas Branch: refs/heads/master
-rw-r--r--charts/maas/templates/bin/_bootstrap-admin-user.sh.tpl5
-rw-r--r--charts/maas/templates/bin/_db-init.sh.tpl63
-rw-r--r--charts/maas/templates/configmap-bin.yaml2
-rw-r--r--charts/maas/templates/job-db-init.yaml7
-rw-r--r--charts/maas/templates/secret-db.yaml1
-rw-r--r--charts/maas/templates/statefulset-region.yaml2
-rwxr-xr-xtools/helm_tk.sh2
7 files changed, 15 insertions, 67 deletions
diff --git a/charts/maas/templates/bin/_bootstrap-admin-user.sh.tpl b/charts/maas/templates/bin/_bootstrap-admin-user.sh.tpl
index 66200d1..16b9362 100644
--- a/charts/maas/templates/bin/_bootstrap-admin-user.sh.tpl
+++ b/charts/maas/templates/bin/_bootstrap-admin-user.sh.tpl
@@ -14,6 +14,9 @@
14# See the License for the specific language governing permissions and 14# See the License for the specific language governing permissions and
15# limitations under the License. 15# limitations under the License.
16 16
17set -ex 17set -e
18 18
19maas-region createadmin --username=${ADMIN_USERNAME} --password=${ADMIN_PASSWORD} --email=${ADMIN_EMAIL} || true 19maas-region createadmin --username=${ADMIN_USERNAME} --password=${ADMIN_PASSWORD} --email=${ADMIN_EMAIL} || true
20
21# Change password.
22echo "${ADMIN_USERNAME}:${ADMIN_PASSWORD}" | maas-region changepasswords
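Review bot: The new `changepasswords` step on line 22 is needed only because `createadmin ... || true` on line 19 swallows the "admin already exists" case, but that `|| true` also hides every other `createadmin` failure (for example the database being unreachable), so the first diagnostic an operator sees will come from `changepasswords` rather than from the command that actually failed. Worth saying so in the comment, e.g. `# createadmin is a no-op (|| true) when the admin already exists; apply the current, possibly rotated, password explicitly.` Dropping `-x` from `set` on line 17 is a sound companion change: with xtrace on, line 22 would have echoed the admin password into the job log, though the `--password=` argument on line 19 is still visible in the container's process list while `createadmin` runs.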
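--- a/charts/maas/templates/bin/_db-init.sh.tpl
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/bin/bash
-
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -ex
-export HOME=/tmp
-
-pgsql_superuser_cmd () {
- DB_COMMAND="$1"
- if [[ ! -z $2 ]]; then
- EXPORT PGDATABASE=$2
- fi
-
- psql \
- -h ${DB_HOST} \
- -p 5432 \
- -U ${ROOT_DB_USER} \
- --command="${DB_COMMAND}"
-}
-
-if [[ ! -v DB_HOST ]]; then
- echo "environment variable DB_HOST not set"
- exit 1
-elif [[ ! -v ROOT_DB_USER ]]; then
- echo "environment variable ROOT_DB_USER not set"
- exit 1
-elif [[ ! -v PGPASSWORD ]]; then
- echo "environment variable PGPASSWORD not set"
- exit 1
-elif [[ ! -v USER_DB_USER ]]; then
- echo "environment variable USER_DB_USER not set"
- exit 1
-elif [[ ! -v USER_DB_PASS ]]; then
- echo "environment variable USER_DB_PASS not set"
- exit 1
-elif [[ ! -v USER_DB_NAME ]]; then
- echo "environment variable USER_DB_NAME not set"
- exit 1
-else
- echo "Got DB connection info"
-fi
-
-#create db
-pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q 1 || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
-
-#create db user
-pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \
- pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} WITH SUPERUSER"
-
-#give permissions to user
-pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"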
diff --git a/charts/maas/templates/configmap-bin.yaml b/charts/maas/templates/configmap-bin.yaml
index 2f875ee..2f9e43f 100644
--- a/charts/maas/templates/configmap-bin.yaml
+++ b/charts/maas/templates/configmap-bin.yaml
@@ -22,7 +22,7 @@ metadata:
22 name: maas-bin 22 name: maas-bin
23data: 23data:
24 db-init.sh: |+ 24 db-init.sh: |+
25{{ tuple "bin/_db-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} 25{{- include "helm-toolkit.scripts.pg_db_init" . | indent 4 }}
26 db-sync.sh: |+ 26 db-sync.sh: |+
27{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} 27{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
28 bootstrap-admin-user.sh: | 28 bootstrap-admin-user.sh: |
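Review bot: Line 25 now opens with `{{-`, unlike the `{{ tuple ... }}` includes on the neighbouring lines; the left-trim removes the newline after `db-init.sh: |+`, so the include's output lands on the block-scalar header line and the data is only well-formed if the toolkit's `pg_db_init` define itself begins with a newline, as helm-toolkit script templates conventionally do. That is a silent dependency worth recording with a template comment on the line before `db-init.sh:`, e.g. `{{/* pg_db_init emits a leading newline; the left-trim below keeps the block scalar well-formed */}}`. The local script removed by this change ran under `set -ex` and so traced its `CREATE ROLE ... PASSWORD '...'` statement into the db-init job log; confirm that the pinned toolkit script does not do the same, otherwise each rotation writes the new database password to the job's log.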
diff --git a/charts/maas/templates/job-db-init.yaml b/charts/maas/templates/job-db-init.yaml
index 025a5c3..48eb148 100644
--- a/charts/maas/templates/job-db-init.yaml
+++ b/charts/maas/templates/job-db-init.yaml
@@ -43,7 +43,7 @@ spec:
43 imagePullPolicy: {{ .Values.images.pull_policy | quote }} 43 imagePullPolicy: {{ .Values.images.pull_policy | quote }}
44{{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} 44{{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
45 env: 45 env:
46 - name: ROOT_DB_USER 46 - name: DB_ADMIN_USER
47 valueFrom: 47 valueFrom:
48 secretKeyRef: 48 secretKeyRef:
49 name: {{ .Values.secrets.maas_db.admin }} 49 name: {{ .Values.secrets.maas_db.admin }}
@@ -73,6 +73,11 @@ spec:
73 secretKeyRef: 73 secretKeyRef:
74 name: {{ .Values.secrets.maas_db.user }} 74 name: {{ .Values.secrets.maas_db.user }}
75 key: DATABASE_NAME 75 key: DATABASE_NAME
76 - name: DB_PORT
77 valueFrom:
78 secretKeyRef:
79 name: {{ .Values.secrets.maas_db.user }}
80 key: DATABASE_PORT
76 command: 81 command:
77 - /tmp/db-init.sh 82 - /tmp/db-init.sh
78 volumeMounts: 83 volumeMounts:
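Review bot: The first hunk renames only `ROOT_DB_USER` to `DB_ADMIN_USER`, while the removed local `_db-init.sh.tpl` also required `DB_HOST`, `PGPASSWORD` and the `USER_DB_*` variables; the env entries between the two hunks (old lines 50–72) are outside this view, so it cannot be checked here that every name the toolkit's `pg_db_init` script presumably expects is still provided, and a mismatch only surfaces at job runtime as a "not set" exit. A comment on the `env:` block stating the contract would help the next change to this job, e.g. `# names must match what helm-toolkit.scripts.pg_db_init reads (DB_HOST, DB_PORT, DB_ADMIN_USER, PGPASSWORD, USER_DB_*)`. The new `DB_PORT` entry in the second hunk reads `DATABASE_PORT` from the user secret, which this commit adds in secret-db.yaml, so that pairing is consistent.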
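--- a/charts/maas/templates/secret-db.yaml
+++ b/charts/maas/templates/secret-db.yaml
@@ -33,4 +33,5 @@ data:
 {{ $auth.password | b64enc | indent 4 }}
  DATABASE_NAME: |-
 {{ $auth.database | default "" | b64enc | indent 4 }}
+ DATABASE_PORT: {{ tuple "maas_db" "internal" "postgresql" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | b64enc }}
 {{ end }}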
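Review bot: The new `DATABASE_PORT` entry on line 36 is written inline, whereas the sibling keys in this hunk (`DATABASE_NAME` and the password entry above it) use the `|-` block form with the base64 value on its own `| indent 4` line; keeping the same shape makes the file uniform and the rendered Secret easier to diff: `  DATABASE_PORT: |-` followed by `{{ tuple "maas_db" "internal" "postgresql" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | b64enc | indent 4 }}`. Unlike `DATABASE_NAME` there is no `default` guard here; if that is deliberate because an absent port should fail the render rather than produce an empty value, a short comment saying so would stop a later reader from "fixing" it.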
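--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@@ -36,6 +36,8 @@ spec:
  labels:
 {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
  annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 {{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
  spec:
  serviceAccountName: {{ $serviceAccountName }}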
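Review bot: The two hash annotations on lines 39–40 cover only `configmap-bin.yaml` and `configmap-etc.yaml`, so a rotation that changes only a Secret (the region admin credentials or the database password, if they are rendered into Secrets rather than into configmap-etc — not visible in this hunk) leaves the pod template unchanged and the StatefulSet would not roll. If that is the case, a corresponding annotation over the secret templates computed with the same `helm-toolkit.utils.hash` helper is the usual fix; if the rotated values do flow through configmap-etc, a comment above line 39 would document why the secrets are intentionally left out, e.g. `# rotated credentials are rendered into configmap-etc, so its hash is sufficient to trigger a rollout`.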
diff --git a/tools/helm_tk.sh b/tools/helm_tk.sh
index e0b6a93..8dae28b 100755
--- a/tools/helm_tk.sh
+++ b/tools/helm_tk.sh
@@ -18,7 +18,7 @@
18HELM=$1 18HELM=$1
19HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"} 19HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"}
20HTK_PATH=${HTK_PATH:-""} 20HTK_PATH=${HTK_PATH:-""}
21HTK_STABLE_COMMIT=${HTK_COMMIT:-"5316586d9efeec2c1e2c5f282fc03b51c3fee9aa"} 21HTK_STABLE_COMMIT=${HTK_COMMIT:-"7f21b85128ea4e6e64998b916f065c3100f5c4f7"}
22DEP_UP_LIST=${DEP_UP_LIST:-"maas"} 22DEP_UP_LIST=${DEP_UP_LIST:-"maas"}
23 23
24if [[ ! -z $(echo $http_proxy) ]] 24if [[ ! -z $(echo $http_proxy) ]]