Ceph-RGW: Support rotation of s3 key pairs

This updates the helm-toolkit script for creating rgw s3 users
to first check if a user exists, then create the user if it does
not exist or modify the user's keys if it does exist. This is
accomplished by using jq to identify all existing access keys for
the specified user, removing those key pairs using the access key,
then modifies the existing user with the supplied access/secret
key pair for the given user

This also updates the ceph-rgw chart to use the helm-toolkit s3
user script for creating the admin s3 user instead of using a
similar script defined directly in the ceph-rgw chart

Change-Id: I575b66415d44db7bb752102e45595305d86e623b

ceph-rgw/templates/bin/rgw/_rgw-s3-admin.sh.tpl

@@ -1,38 +0,0 @@
-#!/bin/bash
-
-{{/*
-Copyright 2018 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-set -ex
-
-function create_admin_user () {
-  radosgw-admin user create \
-    --uid=${S3_ADMIN_USERNAME} \
-    --display-name=${S3_ADMIN_USERNAME}
-
-  radosgw-admin caps add \
-      --uid=${S3_ADMIN_USERNAME} \
-      --caps={{ .Values.conf.rgw_s3.admin_caps | quote }}
-
-  radosgw-admin key create \
-    --uid=${S3_ADMIN_USERNAME} \
-    --key-type=s3 \
-    --access-key ${S3_ADMIN_ACCESS_KEY} \
-    --secret-key ${S3_ADMIN_SECRET_KEY}
-}
-
-radosgw-admin user stats --uid=${S3_ADMIN_USERNAME} || \
-  create_admin_user

ceph-rgw/templates/configmap-bin.yaml

@@ -39,7 +39,7 @@ data:
   ceph-admin-keyring.sh: |
 {{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   rgw-s3-admin.sh: |
-{{ tuple "bin/rgw/_rgw-s3-admin.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- include "helm-toolkit.scripts.create_s3_user" . | indent 4 }}
   helm-tests.sh: |
 {{ tuple "bin/_helm-tests.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}

ceph-rgw/templates/job-s3-admin.yaml

@@ -92,17 +92,17 @@ spec:
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.rgw_s3_admin | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
           env:
-            - name: S3_ADMIN_USERNAME
+            - name: S3_USERNAME
               valueFrom:
                 secretKeyRef:
                   name: {{ $s3AdminSecret }}
                   key: S3_ADMIN_USERNAME
-            - name: S3_ADMIN_ACCESS_KEY
+            - name: S3_ACCESS_KEY
               valueFrom:
                 secretKeyRef:
                   name: {{ $s3AdminSecret }}
                   key: S3_ADMIN_ACCESS_KEY
-            - name: S3_ADMIN_SECRET_KEY
+            - name: S3_SECRET_KEY
               valueFrom:
                 secretKeyRef:
                   name: {{ $s3AdminSecret }}

helm-toolkit/templates/scripts/_create-s3-user.sh.tpl

@@ -22,15 +22,51 @@ set -ex
 function create_s3_user () {
   radosgw-admin user create \
     --uid=${S3_USERNAME} \
-    --display-name=${S3_USERNAME}
+    --display-name=${S3_USERNAME} \
-
-  radosgw-admin key create \
-    --uid=${S3_USERNAME} \
     --key-type=s3 \
     --access-key ${S3_ACCESS_KEY} \
     --secret-key ${S3_SECRET_KEY}
 }
 
-radosgw-admin user stats --uid=${S3_USERNAME} || \
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
   create_s3_user
+else
+  update_s3_user
+fi
+
 {{- end }}

tools/deployment/armada/manifests/armada-lma.yaml

@@ -123,10 +123,10 @@ data:
       delete:
         - type: job
           labels:
-            release_group: osh-infra-radosgw-osh-infra
+            release_group: osh-infra-osh-infra-radosgw
         - type: pod
           labels:
-            release_group: osh-infra-radosgw-osh-infra
+            release_group: osh-infra-osh-infra-radosgw
             component: test
   values:
     release_uuid: ${RELEASE_UUID}