openstack/openstack-helm-infra
Code Issues Proposed changes

Merge "Ceph-RGW: Support rotation of s3 key pairs"

Browse Source
This commit is contained in:
Zuul 2019-02-07 20:32:26 +00:00 committed by Gerrit Code Review
commit 045e64067b
5 changed files with 47 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
ceph-rgw/templates/bin/rgw/_rgw-s3-admin.sh.tpl
View File

@ -1,38 +0,0 @@
#!/bin/bash
{{/*
Copyright 2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
function create_admin_user () {
radosgw-admin user create \
--uid=${S3_ADMIN_USERNAME} \
--display-name=${S3_ADMIN_USERNAME}
radosgw-admin caps add \
--uid=${S3_ADMIN_USERNAME} \
--caps={{ .Values.conf.rgw_s3.admin_caps | quote }}
radosgw-admin key create \
--uid=${S3_ADMIN_USERNAME} \
--key-type=s3 \
--access-key ${S3_ADMIN_ACCESS_KEY} \
--secret-key ${S3_ADMIN_SECRET_KEY}
}
radosgw-admin user stats --uid=${S3_ADMIN_USERNAME} || \
create_admin_user

2
ceph-rgw/templates/configmap-bin.yaml
View File

@ -39,7 +39,7 @@ data:
ceph-admin-keyring.sh: | ceph-admin-keyring.sh: |
{{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
rgw-s3-admin.sh: | rgw-s3-admin.sh: |
{{ tuple "bin/rgw/_rgw-s3-admin.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{- include "helm-toolkit.scripts.create_s3_user" . | indent 4 }}
helm-tests.sh: | helm-tests.sh: |
{{ tuple "bin/_helm-tests.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_helm-tests.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }} {{- end }}

6
ceph-rgw/templates/job-s3-admin.yaml
View File

@ -92,17 +92,17 @@ spec:
imagePullPolicy: {{ .Values.images.pull_policy }} imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.rgw_s3_admin | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.rgw_s3_admin | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env: env:
- name: S3_ADMIN_USERNAME - name: S3_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ $s3AdminSecret }} name: {{ $s3AdminSecret }}
key: S3_ADMIN_USERNAME key: S3_ADMIN_USERNAME
- name: S3_ADMIN_ACCESS_KEY - name: S3_ACCESS_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ $s3AdminSecret }} name: {{ $s3AdminSecret }}
key: S3_ADMIN_ACCESS_KEY key: S3_ADMIN_ACCESS_KEY
- name: S3_ADMIN_SECRET_KEY - name: S3_SECRET_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ $s3AdminSecret }} name: {{ $s3AdminSecret }}

46
helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
View File

@ -22,15 +22,51 @@ set -ex
function create_s3_user () { function create_s3_user () {
radosgw-admin user create \ radosgw-admin user create \
--uid=${S3_USERNAME} \ --uid=${S3_USERNAME} \
--display-name=${S3_USERNAME} --display-name=${S3_USERNAME} \
radosgw-admin key create \
--uid=${S3_USERNAME} \
--key-type=s3 \ --key-type=s3 \
--access-key ${S3_ACCESS_KEY} \ --access-key ${S3_ACCESS_KEY} \
--secret-key ${S3_SECRET_KEY} --secret-key ${S3_SECRET_KEY}
} }
radosgw-admin user stats --uid=${S3_USERNAME} || \ function update_s3_user () {
# Retrieve old access keys, if they exist
old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
| jq -r '.keys[].access_key' || true)
if [[ ! -z ${old_access_keys} ]]; then
for access_key in $old_access_keys; do
# If current access key is the same as the key supplied, do nothing.
if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
echo "Current key pair exists."
continue
else
# If keys differ, remove previous key
radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
fi
done
fi
# Perform one more additional check to account for scenarios where multiple
# key pairs existed previously, but one existing key was the supplied key
current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
| jq -r '.keys[].access_key' || true)
# If the supplied key does not exist, modify the user
if [[ -z ${current_access_key} ]]; then
# Modify user with new access and secret keys
echo "Updating key pair"
radosgw-admin user modify \
--uid=${S3_USERNAME}\
--access-key ${S3_ACCESS_KEY} \
--secret-key ${S3_SECRET_KEY}
fi
}
user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
if [[ -z ${user_exists} ]]; then
create_s3_user create_s3_user
else
update_s3_user
fi
{{- end }} {{- end }}

4
tools/deployment/armada/manifests/armada-lma.yaml
View File

@ -123,10 +123,10 @@ data:
delete: delete:
- type: job - type: job
labels: labels:
release_group: osh-infra-radosgw-osh-infra release_group: osh-infra-osh-infra-radosgw
- type: pod - type: pod
labels: labels:
release_group: osh-infra-radosgw-osh-infra release_group: osh-infra-osh-infra-radosgw
component: test component: test
values: values:
release_uuid: ${RELEASE_UUID} release_uuid: ${RELEASE_UUID}