From 3bdebba4bb0e72f7b27b1048a0ff4a613236fead Mon Sep 17 00:00:00 2001 From: Anthony Lin Date: Mon, 29 Jan 2018 05:11:43 +0000 Subject: [PATCH] Update Deckhand Chart - Database Configurability - Support configured Postgres admin password - Use secrets for database job environment setup - Remove superuser rights from deckhand user Change-Id: I9d8eee1af864b0e99ee7c8a01a6bba84cfcb67f9 --- charts/deckhand/templates/bin/_db-init.sh.tpl | 34 ++++++++----- charts/deckhand/templates/job-db-init.yaml | 51 ++++++++++++++----- charts/deckhand/templates/job-db-sync.yaml | 49 ++++++++++++++---- charts/deckhand/templates/secret-db.yaml | 16 +++++- charts/deckhand/values.yaml | 10 ++-- 5 files changed, 115 insertions(+), 45 deletions(-) diff --git a/charts/deckhand/templates/bin/_db-init.sh.tpl b/charts/deckhand/templates/bin/_db-init.sh.tpl index 635465e1..4f900acb 100644 --- a/charts/deckhand/templates/bin/_db-init.sh.tpl +++ b/charts/deckhand/templates/bin/_db-init.sh.tpl @@ -1,14 +1,24 @@ #!/bin/bash +{{/* +Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + set -ex export HOME=/tmp -# Extract the DB string from deckhand.conf and get the -# value of the DB host and port -db_string=`grep -i '^connection =' ${DECKHAND_CONFIG_FILE}` -db_fqdn=`echo ${db_string#*@} | cut -f1 -d"."` -db_port=`echo ${db_string#*@} | grep -o "[0-9]\+"` - pgsql_superuser_cmd () { DB_COMMAND="$1" if [[ ! -z $2 ]]; then 
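Review bot: `set -ex` stays in force for the whole script, so every `psql --command=...` issued through pgsql_superuser_cmd is traced to the job's stdout — including the `CREATE ROLE ... LOGIN PASSWORD '...'` statement added further down this file, which puts the deckhand service password into the pod log. Use `set -e` here and turn tracing on only around calls that carry no secret, or bracket the password-bearing call with `set +x` / `set -x`. Because the script now depends entirely on environment supplied by the job templates (`DB_FQDN`, `DB_PORT`, `DB_ADMIN_USER`, `PGPASSWORD`), `set -eu` together with `if [[ ! -z ${2:-} ]]; then` would make a missing variable fail loudly instead of running psql with an empty `-h` or `-p`. pgsql_superuser_cmd is opened in this hunk and closed outside it.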
@@ -16,9 +26,9 @@ pgsql_superuser_cmd () { fi psql \ - -h $db_fqdn \ - -p $db_port \ - -U ${ROOT_DB_USER} \ + -h ${DB_FQDN} \ + -p ${DB_PORT} \ + -U ${DB_ADMIN_USER} \ --command="${DB_COMMAND}" } @@ -26,8 +36,8 @@ pgsql_superuser_cmd () { pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME'" | grep -q 1 || pgsql_superuser_cmd "CREATE DATABASE $DB_NAME" # Create db user -pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$DB_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \ - pgsql_superuser_cmd "CREATE ROLE ${DB_USER} LOGIN PASSWORD '$DB_PASS';" && pgsql_superuser_cmd "ALTER USER ${DB_USER} WITH SUPERUSER" +pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$DB_SERVICE_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \ + pgsql_superuser_cmd "CREATE ROLE ${DB_SERVICE_USER} LOGIN PASSWORD '$DB_SERVICE_PASSWORD';" # Grant permissions to user -pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $DB_NAME to $DB_USER;" +pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $DB_NAME to $DB_SERVICE_USER;" diff --git a/charts/deckhand/templates/job-db-init.yaml b/charts/deckhand/templates/job-db-init.yaml index 46c722dc..4019ac6f 100644 --- a/charts/deckhand/templates/job-db-init.yaml +++ b/charts/deckhand/templates/job-db-init.yaml @@ -1,5 +1,5 @@ {{/* -Copyright 2017 The Openstack-Helm Authors. +Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
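Review bot: The three substituted arguments on the psql call are unquoted, so a `DB_FQDN` or `DB_ADMIN_USER` containing whitespace splits into extra arguments and an empty value makes `-h` swallow the following `-p` as its host; write them as `-h "${DB_FQDN}" -p "${DB_PORT}" -U "${DB_ADMIN_USER}"`. Nothing in this function shows how the admin user authenticates — the password reaches psql only through the `PGPASSWORD` environment variable that the job templates in this patch set — which deserves a comment above the call, e.g. `# Admin password is supplied implicitly via PGPASSWORD (set in the job env)`. pgsql_superuser_cmd begins before this hunk.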
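Review bot: The service password is applied only on the `CREATE ROLE` branch, so once the role exists a rotated `DATABASE_PASSWORD` in the user secret is never pushed to Postgres while the application reads the new value and stops authenticating; add an unconditional `pgsql_superuser_cmd "ALTER ROLE ${DB_SERVICE_USER} WITH LOGIN PASSWORD '${DB_SERVICE_PASSWORD}';"` after the existence check. Username and password are spliced into SQL text unescaped, so a password containing `'` breaks the statement; psql's `--set=pw="${DB_SERVICE_PASSWORD}"` with `PASSWORD :'pw'` quotes it safely, at the cost of a small extension to pgsql_superuser_cmd. The existence check `SELECT * ... | tail -n +3 | head -n -2 | grep -q 1` only succeeds because a `1` happens to appear somewhere in the row (in practice the `-1` connection limit); `SELECT 1 FROM pg_roles WHERE rolname = '${DB_SERVICE_USER}'` piped to `grep -q 1`, the form the database check above already uses, is the consistent and robust version.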
@@ -44,21 +44,46 @@ spec: imagePullPolicy: {{ .Values.images.pull_policy | quote }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} env: - - name: ROOT_DB_CONNECTION + - name: DECKHAND_DB_URL + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.user }} + key: DATABASE_URI + - name: DB_NAME + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.user }} + key: DATABASE_NAME + - name: DB_SERVICE_USER + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.user }} + key: DATABASE_USERNAME + - name: DB_SERVICE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.user }} + key: DATABASE_PASSWORD + - name: DB_FQDN + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.user }} + key: DATABASE_HOST + - name: DB_PORT + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.user }} + key: DATABASE_PORT + - name: DB_ADMIN_USER valueFrom: secretKeyRef: name: {{ .Values.secrets.postgresql.admin }} - key: DB_CONNECTION - - name: DECKHAND_CONFIG_FILE - value: /etc/deckhand/deckhand.conf - - name: DB_NAME - value: {{ .Values.database.postgresql.db_name }} - - name: DB_USER - value: {{ .Values.endpoints.postgresql.auth.user.username }} - - name: DB_PASS - value: {{ .Values.endpoints.postgresql.auth.user.password }} - - name: ROOT_DB_USER - value: {{ .Values.database.postgresql.db_root_user }} + key: DATABASE_USERNAME + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.admin }} + key: DATABASE_PASSWORD command: - /tmp/db-init.sh volumeMounts: diff --git a/charts/deckhand/templates/job-db-sync.yaml b/charts/deckhand/templates/job-db-sync.yaml index bf193016..300506e4 100644 --- a/charts/deckhand/templates/job-db-sync.yaml +++ b/charts/deckhand/templates/job-db-sync.yaml 
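Review bot: `DECKHAND_DB_URL` is injected into the db-init container from the user secret's `DATABASE_URI`, yet the db-init.sh rewritten in this same patch reads only `DB_FQDN`, `DB_PORT`, `DB_ADMIN_USER`, `DB_NAME`, `DB_SERVICE_USER` and `DB_SERVICE_PASSWORD`; the URI embeds the service password, so unless something else in this container consumes it (nothing visible here does) it is a second copy of a credential in the pod environment with no use and should be dropped. Mapping the admin secret's `DATABASE_PASSWORD` straight to `PGPASSWORD` is the right way to keep it off the psql command line, but a comment such as `# PGPASSWORD is read implicitly by psql in db-init.sh` would tell the next reader why this one name differs from the other DB_* variables. The container spec continues outside this hunk.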
@@ -1,5 +1,5 @@ {{/* -Copyright 2017 The Openstack-Helm Authors. +Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -44,19 +44,46 @@ spec: imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} env: - - name: ROOT_DB_CONNECTION + - name: DECKHAND_DB_URL + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.user }} + key: DATABASE_URI + - name: DB_NAME + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.user }} + key: DATABASE_NAME + - name: DB_SERVICE_USER + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.user }} + key: DATABASE_USERNAME + - name: DB_SERVICE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.user }} + key: DATABASE_PASSWORD + - name: DB_FQDN + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.user }} + key: DATABASE_HOST + - name: DB_PORT + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.user }} + key: DATABASE_PORT + - name: DB_ADMIN_USER valueFrom: secretKeyRef: name: {{ .Values.secrets.postgresql.admin }} - key: DB_CONNECTION - - name: DECKHAND_CONFIG_FILE - value: /etc/deckhand/deckhand.conf - - name: DB_NAME - value: {{ .Values.database.postgresql.db_name }} - - name: DB_USER - value: {{ .Values.endpoints.postgresql.auth.user.username }} - - name: DB_PASS - value: {{ .Values.endpoints.postgresql.auth.user.password }} + key: DATABASE_USERNAME + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.postgresql.admin }} + key: DATABASE_PASSWORD command: - /tmp/db-sync.sh volumeMounts: diff --git a/charts/deckhand/templates/secret-db.yaml b/charts/deckhand/templates/secret-db.yaml index 4ca68e30..b161a4bd 100644 --- a/charts/deckhand/templates/secret-db.yaml 
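Review bot: The db-sync container receives `DB_ADMIN_USER` and the admin `DATABASE_PASSWORD` as `PGPASSWORD` alongside the service credentials, and db-sync.sh is not part of this patch, so it is unclear which set the schema migration actually uses. If it migrates through `DECKHAND_DB_URL` (the service user), the superuser password sits in this pod for nothing and the two admin entries should go; if it migrates as the admin user, the tables end up owned by that account, and the `GRANT ALL PRIVILEGES ON DATABASE` in db-init.sh does not extend to tables — so, with the SUPERUSER grant removed by this commit, the deckhand role may no longer be able to read or write them. A comment above the env block stating which credential db-sync.sh authenticates with would make the intent checkable. The container spec continues outside this hunk.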
+++ b/charts/deckhand/templates/secret-db.yaml @@ -1,5 +1,5 @@ {{/* -Copyright 2017 The Openstack-Helm Authors. +Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -18,6 +18,7 @@ limitations under the License. {{- $envAll := . }} {{- range $key1, $userClass := tuple "admin" "user" }} {{- $secretName := index $envAll.Values.secrets.postgresql $userClass }} +{{- $auth := index $envAll.Values.endpoints.postgresql.auth $userClass }} --- apiVersion: v1 kind: Secret @@ -25,6 +26,17 @@ metadata: name: {{ $secretName }} type: Opaque data: - DB_CONNECTION: {{ tuple "postgresql" "internal" $userClass "postgresql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} + DATABASE_HOST: |- +{{ tuple "postgresql" "internal" $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | b64enc | indent 4 }} + DATABASE_USERNAME: |- +{{ $auth.username | b64enc | indent 4 }} + DATABASE_PASSWORD: |- +{{ $auth.password | b64enc | indent 4 }} + DATABASE_NAME: |- +{{ $auth.database | default "" | b64enc | indent 4 }} + DATABASE_PORT: {{ tuple "postgresql" "internal" "postgresql" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | b64enc }} + DATABASE_URI: |- +{{ tuple "postgresql" "internal" "user" "postgresql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc | indent 4 }} +... {{- end }} {{- end }} diff --git a/charts/deckhand/values.yaml b/charts/deckhand/values.yaml index 48319e3e..c2022ea5 100644 --- a/charts/deckhand/values.yaml +++ b/charts/deckhand/values.yaml @@ -1,4 +1,4 @@ -# Copyright 2017 The Openstack-Helm Authors. +# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
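Review bot: `DATABASE_URI` is built with the hard-coded class `"user"` even though this block is rendered inside `range ... tuple "admin" "user"`, so the `deckhand-db-admin` secret carries a URI holding the service user's credentials while its `DATABASE_USERNAME`/`DATABASE_PASSWORD` keys describe the admin; anything that consumes the admin secret's URI connects as the wrong role. Pass the loop variable instead: `{{ tuple "postgresql" "internal" $userClass "postgresql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc | indent 4 }}`. `DATABASE_NAME` falls back to `default ""`, which for the user class means an unset `endpoints.postgresql.auth.user.database` reaches db-init.sh as an empty `DB_NAME` and yields `CREATE DATABASE ` at job time rather than a render-time error; keeping the empty default only for the admin class and using `required "auth.user.database must be set" $auth.database` for the user class fails where the operator can see it.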
@@ -129,11 +129,12 @@ endpoints: name: postgresql auth: admin: - username: deckhand + username: postgres password: password user: username: deckhand password: password + database: deckhand hosts: default: postgresql path: /deckhand @@ -175,11 +176,6 @@ secrets: admin: deckhand-db-admin user: deckhand-db-user -database: - postgresql: - db_name: deckhand - db_root_user: postgres - conf: uwsgi: threads: 1
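Review bot: Both `auth.admin.password` and `auth.user.password` keep the literal default `password`, and with this change the admin entry is now the `postgres` account (normally the built-in superuser) whose password the db-init and db-sync jobs read from the rendered secret — so a deployment that forgets to override it ships a superuser with a guessable password. Add a comment marking these as mandatory overrides, e.g. `# Placeholder values: admin and user passwords must be overridden per site` above `auth:`, or have secret-db.yaml `required` them. `database: deckhand` under `auth.user` is now the only source of `DB_NAME` after the `database:` block is removed below, which is worth a one-line comment since it no longer sits next to the other database settings.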