
Support for password rotation

- This PS adds support for password rotation for 'maas-region' password
  and 'maas-postgres-password'.

- This PS enables MAAS to use the newly created helm-toolkit
  script for PostgreSQL DB initialization

Depends-On: https://review.openstack.org/#/c/635348/

Change-Id: Ibb36761351d8c34933a3bb71555bb23e8247a069
changes/81/634981/15
Nishant Kumar 3 months ago
parent
commit
20df4f6eaa

+ 4
- 1
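--- a/charts/maas/templates/bin/_bootstrap-admin-user.sh.tpl
+++ b/charts/maas/templates/bin/_bootstrap-admin-user.sh.tpl
@@ -14,6 +14,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-set -ex
+set -e
 
 maas-region createadmin --username=${ADMIN_USERNAME} --password=${ADMIN_PASSWORD} --email=${ADMIN_EMAIL} || true
+
+# Change password.
+echo "${ADMIN_USERNAME}:${ADMIN_PASSWORD}" | maas-region changepasswords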
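Review bot: Dropping `-x` is the right call now that the admin password flows through `echo`, but the reason is invisible to the next reader, who may well put it back; a comment on the new line, `set -e  # no -x: the changepasswords line below would trace the admin password into the job log`, would keep it out. The `createadmin` line above still passes `--password=${ADMIN_PASSWORD}` as a command-line argument, where it is visible in the process list to anything else running in the pod, and with `|| true` any failure there is silent, so the new `changepasswords` call is what actually fails under `set -e`, without saying why. The `username:password` line format presumably splits on the first `:`; it is worth confirming what `changepasswords` does when a rotated password contains a newline, since that would be read as a second entry.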

+ 0
- 63
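--- a/charts/maas/templates/bin/_db-init.sh.tpl
+++ b/charts/maas/templates/bin/_db-init.sh.tpl
@@ -1,63 +0,0 @@
-#!/bin/bash
-
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -ex
-export HOME=/tmp
-
-pgsql_superuser_cmd () {
-  DB_COMMAND="$1"
-  if [[ ! -z $2 ]]; then
-      EXPORT PGDATABASE=$2
-  fi
-
-  psql \
-  -h ${DB_HOST} \
-  -p 5432 \
-  -U ${ROOT_DB_USER} \
-  --command="${DB_COMMAND}"
-}
-
-if [[ ! -v DB_HOST ]]; then
-    echo "environment variable DB_HOST not set"
-    exit 1
-elif [[ ! -v ROOT_DB_USER ]]; then
-    echo "environment variable ROOT_DB_USER not set"
-    exit 1
-elif [[ ! -v PGPASSWORD ]]; then
-    echo "environment variable PGPASSWORD not set"
-    exit 1
-elif [[ ! -v USER_DB_USER ]]; then
-    echo "environment variable USER_DB_USER not set"
-    exit 1
-elif [[ ! -v USER_DB_PASS ]]; then
-    echo "environment variable USER_DB_PASS not set"
-    exit 1
-elif [[ ! -v USER_DB_NAME ]]; then
-    echo "environment variable USER_DB_NAME not set"
-    exit 1
-else
-    echo "Got DB connection info"
-fi
-
-#create db
-pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q 1 || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
-
-#create db user
-pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \
-    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} WITH SUPERUSER"
-
-#give permissions to user
-pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"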

+ 1
- 1
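--- a/charts/maas/templates/configmap-bin.yaml
+++ b/charts/maas/templates/configmap-bin.yaml
@@ -22,7 +22,7 @@ metadata:
   name: maas-bin
 data:
   db-init.sh: |+
-{{ tuple "bin/_db-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{-  include "helm-toolkit.scripts.pg_db_init" . | indent 4 }}
   db-sync.sh: |+
 {{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   bootstrap-admin-user.sh: |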
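Review bot: Switching to the shared `helm-toolkit.scripts.pg_db_init` silently changes what the MAAS DB user ends up with: the deleted `_db-init.sh.tpl` ran `ALTER USER ${USER_DB_USER} WITH SUPERUSER` after creating the role, and whether the shared script grants the same is not visible in this change, so confirm the region's DB setup still works with it — if it does without SUPERUSER, that is the better outcome and worth a line in the commit message. The rendering also presumably relies on the included template beginning with a newline: `{{-` chomps the line break after `db-init.sh: |+`, and if the shebang landed on the header line YAML would read the `#...` as a comment and drop it; a quick `helm template` of this configmap settles it. Minor: the double space in `{{-  include` looks like a stray.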

+ 6
- 1
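--- a/charts/maas/templates/job-db-init.yaml
+++ b/charts/maas/templates/job-db-init.yaml
@@ -43,7 +43,7 @@ spec:
           imagePullPolicy: {{ .Values.images.pull_policy | quote }}
 {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
           env:
-            - name: ROOT_DB_USER
+            - name: DB_ADMIN_USER
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.secrets.maas_db.admin }}
@@ -73,6 +73,11 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.secrets.maas_db.user }}
                   key: DATABASE_NAME
+            - name: DB_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.maas_db.user }}
+                  key: DATABASE_PORT
           command:
             - /tmp/db-init.sh
           volumeMounts: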
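Review bot: `DB_PORT` is pulled from the `maas_db.user` Secret in the second hunk, but the port is not a credential — it is derived at template time from `endpoint_port_lookup` (see secret-db.yaml in this change), so it could be a plain `value:` on the env entry and the Secret kept to the password and database name. The rename of `ROOT_DB_USER` to `DB_ADMIN_USER` presumably matches the variable names the shared pg_db_init script expects; the admin password entry and the rest of the container spec lie outside these hunks, so check that the whole set (admin user/password, user/password/name, host/port) lines up with what the script validates, because a mismatch will only surface when the job runs, not at template time.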

+ 1
- 0
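--- a/charts/maas/templates/secret-db.yaml
+++ b/charts/maas/templates/secret-db.yaml
@@ -33,4 +33,5 @@ data:
 {{ $auth.password | b64enc | indent 4 }}
   DATABASE_NAME: |-
 {{ $auth.database | default "" | b64enc | indent 4 }}
+  DATABASE_PORT: {{ tuple "maas_db" "internal" "postgresql" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | b64enc }}
 {{ end }}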
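Review bot: `DATABASE_PORT` is emitted as a bare plain scalar while the sibling keys in this Secret use `|-` block scalars with `indent 4`; either match them (`DATABASE_PORT: |-` followed by `{{ tuple "maas_db" "internal" "postgresql" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | b64enc | indent 4 }}`) or append `| quote`, so the file stays uniform and an unquoted template result can never be re-typed by the YAML parser. The port is looked up from the chart's endpoints at template time and is not secret, so carrying it in the Secret is harmless but forces every consumer to use a `secretKeyRef` for a value it could take directly. `$auth` and `$envAll` are bound above the hunk, outside this view.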

+ 2
- 0
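--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@@ -36,6 +36,8 @@ spec:
       labels:
 {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 {{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}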
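Review bot: The two hash annotations are what make a rotated credential take effect — the region pods roll whenever `configmap-bin` or `configmap-etc` renders differently — but nothing on the lines says so; a comment above them, `# roll region pods when scripts/config change (e.g. rotated credentials)`, would save the next reader a trip to the commit log. No Secret is hashed here: if the rotated DB or admin password reaches the pod only through a `secretKeyRef` rather than through the rendered `configmap-etc`, a change to it will not restart the pods, so confirm which path each password takes. The neighbouring lines pass `$envAll` where these pass `.`; if `$envAll` is bound to `.` above the hunk the result is the same, but using one form makes the templates easier to grep.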

+ 1
- 1
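--- a/tools/helm_tk.sh
+++ b/tools/helm_tk.sh
@@ -18,7 +18,7 @@
 HELM=$1
 HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"}
 HTK_PATH=${HTK_PATH:-""}
-HTK_STABLE_COMMIT=${HTK_COMMIT:-"5316586d9efeec2c1e2c5f282fc03b51c3fee9aa"}
+HTK_STABLE_COMMIT=${HTK_COMMIT:-"7f21b85128ea4e6e64998b916f065c3100f5c4f7"}
 DEP_UP_LIST=${DEP_UP_LIST:-"maas"}
 
 if [[ ! -z $(echo $http_proxy) ]]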
