Update Deckhand Chart - Database Configurability

- Support configured Postgres admin password
- Use secrets for database job environment setup
- Remove superuser rights from deckhand user

Change-Id: I9d8eee1af864b0e99ee7c8a01a6bba84cfcb67f9
Anthony Lin 2018-01-29 05:11:43 +00:00
parent 021090516b
commit 3bdebba4bb
5 changed files with 115 additions and 45 deletions


@ -1,14 +1,24 @@
#!/bin/bash #!/bin/bash
{{/*
Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex set -ex
export HOME=/tmp export HOME=/tmp
# Extract the DB string from deckhand.conf and get the
# value of the DB host and port
db_string=`grep -i '^connection =' ${DECKHAND_CONFIG_FILE}`
db_fqdn=`echo ${db_string#*@} | cut -f1 -d"."`
db_port=`echo ${db_string#*@} | grep -o "[0-9]\+"`
pgsql_superuser_cmd () { pgsql_superuser_cmd () {
DB_COMMAND="$1" DB_COMMAND="$1"
if [[ ! -z $2 ]]; then if [[ ! -z $2 ]]; then
@ -16,9 +26,9 @@ pgsql_superuser_cmd () {
fi fi
psql \ psql \
-h $db_fqdn \ -h ${DB_FQDN} \
-p $db_port \ -p ${DB_PORT} \
-U ${ROOT_DB_USER} \ -U ${DB_ADMIN_USER} \
--command="${DB_COMMAND}" --command="${DB_COMMAND}"
} }
@ -26,8 +36,8 @@ pgsql_superuser_cmd () {
pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME'" | grep -q 1 || pgsql_superuser_cmd "CREATE DATABASE $DB_NAME" pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME'" | grep -q 1 || pgsql_superuser_cmd "CREATE DATABASE $DB_NAME"
# Create db user # Create db user
pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$DB_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \ pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$DB_SERVICE_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \
pgsql_superuser_cmd "CREATE ROLE ${DB_USER} LOGIN PASSWORD '$DB_PASS';" && pgsql_superuser_cmd "ALTER USER ${DB_USER} WITH SUPERUSER" pgsql_superuser_cmd "CREATE ROLE ${DB_SERVICE_USER} LOGIN PASSWORD '$DB_SERVICE_PASSWORD';"
# Grant permissions to user # Grant permissions to user
pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $DB_NAME to $DB_USER;" pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $DB_NAME to $DB_SERVICE_USER;"
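Review bot: The script runs under `set -ex` (L30), so the xtrace output of `pgsql_superuser_cmd "CREATE ROLE ${DB_SERVICE_USER} LOGIN PASSWORD '$DB_SERVICE_PASSWORD';"` — and of the expanded `psql ... --command="${DB_COMMAND}"` inside the function — writes the service password that this commit just moved into a Secret straight to the job's stdout and pod log. Wrap the role creation in `set +x` / `set -x`, or drop `-x` from the script, so the secret value never reaches the log. The password is also spliced unquoted into the SQL literal, so a value containing a single quote breaks the statement; it comes from chart values rather than untrusted input, so this is a robustness rather than an injection concern. pgsql_superuser_cmd opens at L37 and its body is cut by the hunk boundary, so the traced psql call is read from the visible lines only.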


@ -1,5 +1,5 @@
{{/* {{/*
Copyright 2017 The Openstack-Helm Authors. Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@ -44,21 +44,46 @@ spec:
imagePullPolicy: {{ .Values.images.pull_policy | quote }} imagePullPolicy: {{ .Values.images.pull_policy | quote }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env: env:
- name: ROOT_DB_CONNECTION - name: DECKHAND_DB_URL
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_URI
- name: DB_NAME
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_NAME
- name: DB_SERVICE_USER
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_USERNAME
- name: DB_SERVICE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_PASSWORD
- name: DB_FQDN
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_HOST
- name: DB_PORT
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_PORT
- name: DB_ADMIN_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ .Values.secrets.postgresql.admin }} name: {{ .Values.secrets.postgresql.admin }}
key: DB_CONNECTION key: DATABASE_USERNAME
- name: DECKHAND_CONFIG_FILE - name: PGPASSWORD
value: /etc/deckhand/deckhand.conf valueFrom:
- name: DB_NAME secretKeyRef:
value: {{ .Values.database.postgresql.db_name }} name: {{ .Values.secrets.postgresql.admin }}
- name: DB_USER key: DATABASE_PASSWORD
value: {{ .Values.endpoints.postgresql.auth.user.username }}
- name: DB_PASS
value: {{ .Values.endpoints.postgresql.auth.user.password }}
- name: ROOT_DB_USER
value: {{ .Values.database.postgresql.db_root_user }}
command: command:
- /tmp/db-init.sh - /tmp/db-init.sh
volumeMounts: volumeMounts:
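Review bot: `DECKHAND_DB_URL` (the user secret's `DATABASE_URI`) is injected into the db-init container, but the db-init.sh hunks in this commit consume only DB_FQDN, DB_PORT, DB_NAME, DB_SERVICE_USER, DB_SERVICE_PASSWORD, DB_ADMIN_USER and PGPASSWORD; if no part of the script outside the shown hunks reads the URI, drop that entry so the service password is not present in the environment a second time embedded in a connection string. The same seven-entry env block is repeated verbatim in job-db-sync.yaml; factoring it into a named template (`{{- define ... }}`) would keep the two jobs from drifting. The `env:` list starts inside the hunk but the container spec continues beyond it.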


@ -1,5 +1,5 @@
{{/* {{/*
Copyright 2017 The Openstack-Helm Authors. Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@ -44,19 +44,46 @@ spec:
imagePullPolicy: {{ .Values.images.pull_policy }} imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env: env:
- name: ROOT_DB_CONNECTION - name: DECKHAND_DB_URL
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_URI
- name: DB_NAME
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_NAME
- name: DB_SERVICE_USER
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_USERNAME
- name: DB_SERVICE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_PASSWORD
- name: DB_FQDN
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_HOST
- name: DB_PORT
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_PORT
- name: DB_ADMIN_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ .Values.secrets.postgresql.admin }} name: {{ .Values.secrets.postgresql.admin }}
key: DB_CONNECTION key: DATABASE_USERNAME
- name: DECKHAND_CONFIG_FILE - name: PGPASSWORD
value: /etc/deckhand/deckhand.conf valueFrom:
- name: DB_NAME secretKeyRef:
value: {{ .Values.database.postgresql.db_name }} name: {{ .Values.secrets.postgresql.admin }}
- name: DB_USER key: DATABASE_PASSWORD
value: {{ .Values.endpoints.postgresql.auth.user.username }}
- name: DB_PASS
value: {{ .Values.endpoints.postgresql.auth.user.password }}
command: command:
- /tmp/db-sync.sh - /tmp/db-sync.sh
volumeMounts: volumeMounts:
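Review bot: The db-sync job now receives `DB_ADMIN_USER` and `PGPASSWORD` from the admin secret alongside the service credentials; if db-sync.sh only applies migrations through `DECKHAND_DB_URL` as the service user — which is what the commit's stated goal of removing superuser rights from the deckhand user implies — the Postgres admin password has no role in this pod and mounting it widens the set of containers that hold it. Keep the admin secret in db-init only and remove those two entries from this env block unless db-sync.sh is shown to need them. db-sync.sh is not part of this diff, so the need is inferred from the commit message rather than from code.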


@ -1,5 +1,5 @@
{{/* {{/*
Copyright 2017 The Openstack-Helm Authors. Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@ -18,6 +18,7 @@ limitations under the License.
{{- $envAll := . }} {{- $envAll := . }}
{{- range $key1, $userClass := tuple "admin" "user" }} {{- range $key1, $userClass := tuple "admin" "user" }}
{{- $secretName := index $envAll.Values.secrets.postgresql $userClass }} {{- $secretName := index $envAll.Values.secrets.postgresql $userClass }}
{{- $auth := index $envAll.Values.endpoints.postgresql.auth $userClass }}
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
@ -25,6 +26,17 @@ metadata:
name: {{ $secretName }} name: {{ $secretName }}
type: Opaque type: Opaque
data: data:
DB_CONNECTION: {{ tuple "postgresql" "internal" $userClass "postgresql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} DATABASE_HOST: |-
{{ tuple "postgresql" "internal" $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | b64enc | indent 4 }}
DATABASE_USERNAME: |-
{{ $auth.username | b64enc | indent 4 }}
DATABASE_PASSWORD: |-
{{ $auth.password | b64enc | indent 4 }}
DATABASE_NAME: |-
{{ $auth.database | default "" | b64enc | indent 4 }}
DATABASE_PORT: {{ tuple "postgresql" "internal" "postgresql" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | b64enc }}
DATABASE_URI: |-
{{ tuple "postgresql" "internal" "user" "postgresql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc | indent 4 }}
...
{{- end }} {{- end }}
{{- end }} {{- end }}
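Review bot: `DATABASE_URI` on the last added line hard-codes `"user"` as the user class even though the enclosing `range` iterates over `"admin"` and `"user"`, so the admin secret's `DATABASE_URI` carries the service user's credentials while its `DATABASE_USERNAME`/`DATABASE_PASSWORD` carry the admin's — the service password ends up stored in the admin secret, and anything reading the admin URI silently connects as the wrong role. Use the loop variable: `{{ tuple "postgresql" "internal" $userClass "postgresql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc | indent 4 }}`. `DATABASE_NAME` falls back to `default ""` when `auth.<class>.database` is unset, which for the user class means db-init.sh reaches `CREATE DATABASE` with an empty name at job time instead of the chart failing at render time; a `required` check for that class would surface the misconfiguration earlier.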


@ -1,4 +1,4 @@
# Copyright 2017 The Openstack-Helm Authors. # Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@ -129,11 +129,12 @@ endpoints:
name: postgresql name: postgresql
auth: auth:
admin: admin:
username: deckhand username: postgres
password: password password: password
user: user:
username: deckhand username: deckhand
password: password password: password
database: deckhand
hosts: hosts:
default: postgresql default: postgresql
path: /deckhand path: /deckhand
@ -175,11 +176,6 @@ secrets:
admin: deckhand-db-admin admin: deckhand-db-admin
user: deckhand-db-user user: deckhand-db-user
database:
postgresql:
db_name: deckhand
db_root_user: postgres
conf: conf:
uwsgi: uwsgi:
threads: 1 threads: 1