airship/drydock
Code Issues Proposed changes

Improve chart database configurability

Browse Source 
- Support configured Postgres admin password
- Use secrets for database job environment setup

Change-Id: Icf7ceb4efb1b1bf976ca36e4fdd21b9b7990bc83
This commit is contained in:
Scott Hussey 2018-01-28 15:42:14 -06:00 committed by Kaspars Skels
parent 13b768aeee
commit 1804203ea1
5 changed files with 85 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
charts/drydock/templates/bin/_db-init.sh.tpl
View File

@ -28,7 +28,7 @@ pgsql_superuser_cmd () {
psql \
-h $DB_FQDN \
-p $DB_PORT \
-U ${ROOT_DB_USER} \
-U ${DB_ADMIN_USER} \
--command="${DB_COMMAND}"
}
@ -36,8 +36,8 @@ pgsql_superuser_cmd () {
pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME';" | grep -q 1 || pgsql_superuser_cmd "CREATE DATABASE $DB_NAME;"
# Create db user
pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$DB_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \
pgsql_superuser_cmd "CREATE ROLE ${DB_USER} LOGIN PASSWORD '$DB_PASS';"
pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$DB_SERVICE_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \
pgsql_superuser_cmd "CREATE ROLE ${DB_SERVICE_USER} LOGIN PASSWORD '$DB_SERVICE_PASSWORD';"
# Grant permissions to user
pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $DB_NAME to $DB_USER;"
pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $DB_NAME to $DB_SERVICE_USER;"

41
charts/drydock/templates/job-drydock-db-init.yaml
View File

@ -43,17 +43,40 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
- name: DB_NAME
value: {{ .Values.database.postgresql.db_name | quote }}
- name: DB_USER
value: {{ .Values.endpoints.postgresql.auth.user.username | quote }}
- name: DB_PASS
value: {{ .Values.endpoints.postgresql.auth.user.password | quote}}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_NAME
- name: DB_SERVICE_USER
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_USERNAME
- name: DB_SERVICE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_PASSWORD
- name: DB_FQDN
value: {{ tuple "postgresql" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | quote}}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_HOST
- name: DB_PORT
value: {{ tuple "postgresql" "internal" "postgresql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- name: ROOT_DB_USER
value: {{ .Values.endpoints.postgresql.auth.admin.username | quote }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_PORT
- name: DB_ADMIN_USER
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.admin }}
key: DATABASE_USERNAME
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.admin }}
key: DATABASE_PASSWORD
command:
- /tmp/db-init.sh
volumeMounts:

5
charts/drydock/templates/job-drydock-db-sync.yaml
View File

@ -43,7 +43,10 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
- name: DRYDOCK_DB_URL
value: {{ tuple "postgresql" "internal" "user" "postgresql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_URI
command:
- /tmp/db-sync.sh
volumeMounts:

41
charts/drydock/templates/secret-db.yaml Normal file
View File

@ -0,0 +1,41 @@
{{/*
# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
{{- if .Values.manifests.secret_database }}
{{- $envAll := . }}
{{- range $key1, $userClass := tuple "admin" "user" }}
{{- $secretName := index $envAll.Values.secrets.postgresql $userClass }}
{{- $auth := index $envAll.Values.endpoints.postgresql.auth $userClass }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
type: Opaque
data:
DATABASE_HOST: |-
{{ tuple "postgresql" "internal" $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | b64enc | indent 4 }}
DATABASE_USERNAME: |-
{{ $auth.username | b64enc | indent 4 }}
DATABASE_PASSWORD: |-
{{ $auth.password | b64enc | indent 4 }}
DATABASE_NAME: |-
{{ $auth.database | default "" | b64enc | indent 4 }}
DATABASE_PORT: {{ tuple "postgresql" "internal" "postgresql" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | b64enc }}
DATABASE_URI: |-
{{ tuple "postgresql" "internal" "user" "postgresql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc | indent 4 }}
...
{{- end }}
{{- end }}

7
charts/drydock/values.yaml
View File

@ -112,6 +112,7 @@ manifests:
job_drydock_db_init: true
job_drydock_db_sync: true
secret_keystone: true
secret_database: true
configmap_etc: true
configmap_bin: true
service_drydock: true
@ -214,6 +215,7 @@ endpoints:
user:
username: drydock
password: password
database: drydock
hosts:
default: postgresql
path: /drydock
@ -228,10 +230,9 @@ secrets:
identity:
admin: drydock-keystone-admin
user: drydock-keystone-user
database:
postgresql:
db_name: drydock
admin: drydock-postgresql-admin
user: drydock-postgresql-user
# Settings for drydock.conf
conf: