Use secrets for admin user bs

For better security, use Kubernetes secrets
to set environment variables for the
bootstrapping job

- Create secret manifest for the MaaS admin user
- Update job-bootstrap-admin-user to use secret for environment
  setup
- Update job-export-api-key to source admin username
  from secret
- Update job-import to source admin username
  from secret

Change-Id: I0ea5a5517c5a90f481c459e836f081f3d2744dad
Scott Hussey 2018-01-12 08:15:05 -06:00
parent 5cb7936b40
commit 2ad09ad90a
6 changed files with 60 additions and 8 deletions


@ -42,11 +42,20 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap_admin_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
- name: ADMIN_USERNAME
value: {{ .Values.conf.maas.credentials.admin_username }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.maas_users.admin }}
key: USERNAME
- name: ADMIN_PASSWORD
value: {{ .Values.conf.maas.credentials.admin_password }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.maas_users.admin }}
key: PASSWORD
- name: ADMIN_EMAIL
value: {{ .Values.conf.maas.credentials.admin_email}}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.maas_users.admin }}
key: EMAIL
command:
- /tmp/bootstrap-admin-user.sh
volumeMounts:
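Review bot: The added `secretKeyRef.name` values are rendered as plain scalars (`name: {{ .Values.secrets.maas_users.admin }}`), so an override that is empty renders as null, and one that YAML would type as something other than a string is mis-typed, and the pod then cannot resolve the secret; pipe it through `quote` the way the JOB_TIMEOUT line in the import job section already does: `name: {{ .Values.secrets.maas_users.admin | quote }}`. The same applies to the ADMIN_USERNAME block in the two following file sections. The default `maas-admin` is a valid secret name, so this only matters for operator overrides, but nothing here validates them. The container spec starts and ends outside the hunk.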


@ -71,7 +71,10 @@ spec:
- name: SECRET_NAMESPACE
value: {{ .Values.conf.maas.credentials.secret.namespace }}
- name: ADMIN_USERNAME
value: {{ .Values.conf.maas.credentials.admin_username }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.maas_users.admin }}
key: USERNAME
- name: SECRET_NAME
value: {{ .Values.conf.maas.credentials.secret.name }}
command:


@ -45,7 +45,10 @@ spec:
- name: JOB_TIMEOUT
value: {{ .Values.jobs.import_boot_resources.timeout | quote }}
- name: ADMIN_USERNAME
value: {{ .Values.conf.maas.credentials.admin_username }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.maas_users.admin }}
key: USERNAME
- name: RETRY_TIMER
value: {{ .Values.jobs.import_boot_resources.retry_timer | quote }}
- name: MAAS_ENDPOINT


@ -0,0 +1,31 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
{{- range $key1, $userClass := tuple "admin" }}
{{- $secretName := index $envAll.Values.secrets.maas_users $userClass }}
{{- $auth := index $envAll.Values.endpoints.maas_region_ui.auth $userClass }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
type: Opaque
data:
USERNAME: {{ $auth.username | b64enc }}
PASSWORD: {{ $auth.password | b64enc }}
EMAIL: {{ $auth.email | b64enc }}
{{ end }}
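Review bot: The coupling between `secrets.maas_users.<class>` and `endpoints.maas_region_ui.auth.<class>` is established only by the two `index` lookups on `$userClass`, and nothing in the template says so; a comment after the license header would make it traceable for the next person who adds a user class, e.g. `{{/* One Secret per user class in the tuple below: the Secret name comes from .Values.secrets.maas_users.<class>, its USERNAME/PASSWORD/EMAIL from .Values.endpoints.maas_region_ui.auth.<class>. */}}`. If an override omits one of `username`, `password` or `email`, the corresponding `b64enc` presumably receives nil and the render fails rather than emitting an empty key; that is the safer outcome, but it should be confirmed against Helm's behaviour and stated in the comment.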


@ -27,6 +27,8 @@ metadata:
spec:
serviceName: maas-region-ui
replicas: {{ .Values.pod.replicas.region }}
updateStrategy:
type: 'RollingUpdate'
template:
metadata:
labels:
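Review bot: `type: 'RollingUpdate'` is the only single-quoted plain scalar in the visible hunks; `kind: Secret` and `type: Opaque` in the new Secret template are unquoted, so `type: RollingUpdate` would match the rest of the chart. This addition is also not covered by the commit description, which only mentions the secret and the three jobs; if it is intentional, a sentence in the description would help a reader of the history. The StatefulSet spec continues outside the hunk.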


@ -147,9 +147,6 @@ conf:
database_user: maas
database_password: password
credentials:
admin_username: admin
admin_password: admin
admin_email: support@nowhere.com
secret:
namespace: maas
name: maas-api-key
@ -158,6 +155,8 @@ secrets:
maas_db:
admin: maas-db-admin
user: maas-db-user
maas_users:
admin: maas-admin
maas_region:
name: maas-region-secret
value: 3858f62230ac3c915f300c664312c63f
@ -262,6 +261,11 @@ endpoints:
default: null
maas_region_ui:
name: maas-region-ui
auth:
admin:
username: admin
password: admin
email: none@none
hosts:
default: maas-region-ui
public: maas
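Review bot: The new `endpoints.maas_region_ui.auth.admin` block ships a working default credential (`username: admin`, `password: admin`) that is now rendered straight into a Secret, so a deployment that does not override it gets a guessable MaaS admin account; a comment above the block, e.g. `# Placeholder credentials: override password and email per deployment`, or an empty default that forces an override, would make that explicit. The removed `conf.maas.credentials.admin_*` keys are replaced in the three job templates shown, but any other template still reading them would now render an empty value, which this page cannot confirm either way. The default `email: none@none` replaces `support@nowhere.com` and is presumably not a syntactically valid address; whether the bootstrap script's admin creation accepts it should be confirmed.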