Ceph-RGW: Support rotation of s3 key pairs

This updates the helm-toolkit script for creating rgw s3 users
to first check if a user exists, then create the user if it does
not exist or modify the user's keys if it does exist. This is
accomplished by using jq to identify all existing access keys for
the specified user, removing those key pairs using the access key,
then modifies the existing user with the supplied access/secret
key pair for the given user

This also updates the ceph-rgw chart to use the helm-toolkit s3
user script for creating the admin s3 user instead of using a
similar script defined directly in the ceph-rgw chart

Change-Id: I575b66415d44db7bb752102e45595305d86e623b
This commit is contained in:
Steve Wilkerson 2019-02-06 15:34:58 -06:00
parent f4aa5dc574
commit cf0ed142f6
5 changed files with 47 additions and 49 deletions

View File

@ -1,38 +0,0 @@
#!/bin/bash
{{/*
Copyright 2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
function create_admin_user () {
radosgw-admin user create \
--uid=${S3_ADMIN_USERNAME} \
--display-name=${S3_ADMIN_USERNAME}
radosgw-admin caps add \
--uid=${S3_ADMIN_USERNAME} \
--caps={{ .Values.conf.rgw_s3.admin_caps | quote }}
radosgw-admin key create \
--uid=${S3_ADMIN_USERNAME} \
--key-type=s3 \
--access-key ${S3_ADMIN_ACCESS_KEY} \
--secret-key ${S3_ADMIN_SECRET_KEY}
}
radosgw-admin user stats --uid=${S3_ADMIN_USERNAME} || \
create_admin_user

View File

@ -39,7 +39,7 @@ data:
ceph-admin-keyring.sh: | ceph-admin-keyring.sh: |
{{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
rgw-s3-admin.sh: | rgw-s3-admin.sh: |
{{ tuple "bin/rgw/_rgw-s3-admin.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{- include "helm-toolkit.scripts.create_s3_user" . | indent 4 }}
helm-tests.sh: | helm-tests.sh: |
{{ tuple "bin/_helm-tests.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_helm-tests.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }} {{- end }}

View File

@ -92,17 +92,17 @@ spec:
imagePullPolicy: {{ .Values.images.pull_policy }} imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.rgw_s3_admin | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.rgw_s3_admin | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env: env:
- name: S3_ADMIN_USERNAME - name: S3_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ $s3AdminSecret }} name: {{ $s3AdminSecret }}
key: S3_ADMIN_USERNAME key: S3_ADMIN_USERNAME
- name: S3_ADMIN_ACCESS_KEY - name: S3_ACCESS_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ $s3AdminSecret }} name: {{ $s3AdminSecret }}
key: S3_ADMIN_ACCESS_KEY key: S3_ADMIN_ACCESS_KEY
- name: S3_ADMIN_SECRET_KEY - name: S3_SECRET_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ $s3AdminSecret }} name: {{ $s3AdminSecret }}

View File

@ -22,15 +22,51 @@ set -ex
function create_s3_user () { function create_s3_user () {
radosgw-admin user create \ radosgw-admin user create \
--uid=${S3_USERNAME} \ --uid=${S3_USERNAME} \
--display-name=${S3_USERNAME} --display-name=${S3_USERNAME} \
radosgw-admin key create \
--uid=${S3_USERNAME} \
--key-type=s3 \ --key-type=s3 \
--access-key ${S3_ACCESS_KEY} \ --access-key ${S3_ACCESS_KEY} \
--secret-key ${S3_SECRET_KEY} --secret-key ${S3_SECRET_KEY}
} }
radosgw-admin user stats --uid=${S3_USERNAME} || \ function update_s3_user () {
# Retrieve old access keys, if they exist
old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
| jq -r '.keys[].access_key' || true)
if [[ ! -z ${old_access_keys} ]]; then
for access_key in $old_access_keys; do
# If current access key is the same as the key supplied, do nothing.
if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
echo "Current key pair exists."
continue
else
# If keys differ, remove previous key
radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
fi
done
fi
# Perform one more additional check to account for scenarios where multiple
# key pairs existed previously, but one existing key was the supplied key
current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
| jq -r '.keys[].access_key' || true)
# If the supplied key does not exist, modify the user
if [[ -z ${current_access_key} ]]; then
# Modify user with new access and secret keys
echo "Updating key pair"
radosgw-admin user modify \
--uid=${S3_USERNAME}\
--access-key ${S3_ACCESS_KEY} \
--secret-key ${S3_SECRET_KEY}
fi
}
user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
if [[ -z ${user_exists} ]]; then
create_s3_user create_s3_user
else
update_s3_user
fi
{{- end }} {{- end }}

View File

@ -123,10 +123,10 @@ data:
delete: delete:
- type: job - type: job
labels: labels:
release_group: osh-infra-radosgw-osh-infra release_group: osh-infra-osh-infra-radosgw
- type: pod - type: pod
labels: labels:
release_group: osh-infra-radosgw-osh-infra release_group: osh-infra-osh-infra-radosgw
component: test component: test
values: values:
release_uuid: ${RELEASE_UUID} release_uuid: ${RELEASE_UUID}