Improve chart database configurability

- Support configured Postgres admin password
- Use secrets for database job environment setup

Change-Id: Icf7ceb4efb1b1bf976ca36e4fdd21b9b7990bc83
Scott Hussey 2018-01-28 15:42:14 -06:00 committed by Kaspars Skels
parent 13b768aeee
commit 1804203ea1
5 changed files with 85 additions and 17 deletions


@ -28,7 +28,7 @@ pgsql_superuser_cmd () {
psql \ psql \
-h $DB_FQDN \ -h $DB_FQDN \
-p $DB_PORT \ -p $DB_PORT \
-U ${ROOT_DB_USER} \ -U ${DB_ADMIN_USER} \
--command="${DB_COMMAND}" --command="${DB_COMMAND}"
} }
@ -36,8 +36,8 @@ pgsql_superuser_cmd () {
pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME';" | grep -q 1 || pgsql_superuser_cmd "CREATE DATABASE $DB_NAME;" pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME';" | grep -q 1 || pgsql_superuser_cmd "CREATE DATABASE $DB_NAME;"
# Create db user # Create db user
pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$DB_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \ pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$DB_SERVICE_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \
pgsql_superuser_cmd "CREATE ROLE ${DB_USER} LOGIN PASSWORD '$DB_PASS';" pgsql_superuser_cmd "CREATE ROLE ${DB_SERVICE_USER} LOGIN PASSWORD '$DB_SERVICE_PASSWORD';"
# Grant permissions to user # Grant permissions to user
pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $DB_NAME to $DB_USER;" pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $DB_NAME to $DB_SERVICE_USER;"
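Review bot: The service password in the `CREATE ROLE` call is still spliced verbatim into a SQL string literal and handed to psql via `--command`, so a password containing a single quote breaks the statement, and the value — now sourced from a Kubernetes Secret — is visible in the psql process argv for the duration of the call. Doubling the quotes before use, e.g. `DB_SERVICE_PASSWORD="$(printf '%s' "$DB_SERVICE_PASSWORD" | sed "s/'/''/g")"`, addresses the first point; feeding the statement to psql on stdin instead of `--command` addresses the second but needs a change in `pgsql_superuser_cmd`, whose definition starts outside this hunk. `$DB_SERVICE_USER` and `$DB_NAME` are interpolated the same way in the other three statements, though as identifiers rather than literals. The existence checks with `grep -q 1` predate this commit and are left as is.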


@ -43,17 +43,40 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env: env:
- name: DB_NAME - name: DB_NAME
value: {{ .Values.database.postgresql.db_name | quote }} valueFrom:
- name: DB_USER secretKeyRef:
value: {{ .Values.endpoints.postgresql.auth.user.username | quote }} name: {{ .Values.secrets.postgresql.user }}
- name: DB_PASS key: DATABASE_NAME
value: {{ .Values.endpoints.postgresql.auth.user.password | quote}} - name: DB_SERVICE_USER
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_USERNAME
- name: DB_SERVICE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_PASSWORD
- name: DB_FQDN - name: DB_FQDN
value: {{ tuple "postgresql" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | quote}} valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_HOST
- name: DB_PORT - name: DB_PORT
value: {{ tuple "postgresql" "internal" "postgresql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} valueFrom:
- name: ROOT_DB_USER secretKeyRef:
value: {{ .Values.endpoints.postgresql.auth.admin.username | quote }} name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_PORT
- name: DB_ADMIN_USER
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.admin }}
key: DATABASE_USERNAME
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.admin }}
key: DATABASE_PASSWORD
command: command:
- /tmp/db-init.sh - /tmp/db-init.sh
volumeMounts: volumeMounts:
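Review bot: The `secretKeyRef.name` values in the new env entries are emitted as bare template output while every other rendered value in this block goes through `| quote`; if `secrets.postgresql.user` or `.admin` is unset the line renders as `name:` (null) and the problem would likely surface only when the Job is created. Suggest `name: {{ .Values.secrets.postgresql.user | quote }}` on each reference, and the same for the admin secret; the db-sync job's `DRYDOCK_DB_URL` entry and `metadata.name` in the new secret template follow the same pattern. Separately, DB_FQDN and DB_PORT are plain endpoint lookups rather than credentials, so sourcing them from the Secret ties non-sensitive settings to secret regeneration; keeping them as direct `value:` lookups would be a smaller change, though this is a design choice rather than a defect.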


@ -43,7 +43,10 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env: env:
- name: DRYDOCK_DB_URL - name: DRYDOCK_DB_URL
value: {{ tuple "postgresql" "internal" "user" "postgresql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }} valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.user }}
key: DATABASE_URI
command: command:
- /tmp/db-sync.sh - /tmp/db-sync.sh
volumeMounts: volumeMounts:


@ -0,0 +1,41 @@
{{/*
# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
{{- if .Values.manifests.secret_database }}
{{- $envAll := . }}
{{- range $key1, $userClass := tuple "admin" "user" }}
{{- $secretName := index $envAll.Values.secrets.postgresql $userClass }}
{{- $auth := index $envAll.Values.endpoints.postgresql.auth $userClass }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
type: Opaque
data:
DATABASE_HOST: |-
{{ tuple "postgresql" "internal" $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | b64enc | indent 4 }}
DATABASE_USERNAME: |-
{{ $auth.username | b64enc | indent 4 }}
DATABASE_PASSWORD: |-
{{ $auth.password | b64enc | indent 4 }}
DATABASE_NAME: |-
{{ $auth.database | default "" | b64enc | indent 4 }}
DATABASE_PORT: {{ tuple "postgresql" "internal" "postgresql" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | b64enc }}
DATABASE_URI: |-
{{ tuple "postgresql" "internal" "user" "postgresql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc | indent 4 }}
...
{{- end }}
{{- end }}
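Review bot: DATABASE_URI is built with the hard-coded auth class `"user"` inside a range over `"admin"` and `"user"`, so the admin Secret ends up holding a URI that carries the service user's credentials next to the admin DATABASE_USERNAME/DATABASE_PASSWORD — misleading, and wrong for any consumer that reads the URI from the admin secret. Use the loop variable instead: `{{ tuple "postgresql" "internal" $userClass "postgresql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc | indent 4 }}`, assuming the helper accepts "admin" as an auth class, which I cannot confirm from this page. Minor points: `$key1` is unused and `{{- range $userClass := tuple "admin" "user" }}` binds the element directly; DATABASE_PORT is the only key not written as a `|-` block like its siblings; and `metadata.name` should be `{{ $secretName | quote }}` for consistency with the rest of the chart.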


@ -112,6 +112,7 @@ manifests:
job_drydock_db_init: true job_drydock_db_init: true
job_drydock_db_sync: true job_drydock_db_sync: true
secret_keystone: true secret_keystone: true
secret_database: true
configmap_etc: true configmap_etc: true
configmap_bin: true configmap_bin: true
service_drydock: true service_drydock: true
@ -214,6 +215,7 @@ endpoints:
user: user:
username: drydock username: drydock
password: password password: password
database: drydock
hosts: hosts:
default: postgresql default: postgresql
path: /drydock path: /drydock
@ -228,10 +230,9 @@ secrets:
identity: identity:
admin: drydock-keystone-admin admin: drydock-keystone-admin
user: drydock-keystone-user user: drydock-keystone-user
database:
postgresql: postgresql:
db_name: drydock admin: drydock-postgresql-admin
user: drydock-postgresql-user
# Settings for drydock.conf # Settings for drydock.conf
conf: conf:
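Review bot: Removing `database.postgresql.db_name` is a breaking change for any template in the chart that still reads it; the db-init job in this commit is updated to read DATABASE_NAME from the Secret, but whether other templates (for example the etc configmap) still reference the old key is not visible on this page and is worth checking before merge. The new `database: drydock` under the user auth block is what the secret template feeds into DATABASE_NAME with `default ""`, so clearing it yields an empty DB_NAME and a failing `CREATE DATABASE`; a comment such as `# database: name of the Postgres database owned by the service user; required by the db-init job` next to it would make that contract visible.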