Ceph-RGW: Support rotation of s3 key pairs

This updates the helm-toolkit script for creating rgw s3 users to first check if a user exists, then create the user if it does not exist or modify the user's keys if it does exist. This is accomplished by using jq to identify all existing access keys for the specified user, removing those key pairs using the access key, then modifies the existing user with the supplied access/secret key pair for the given user This also updates the ceph-rgw chart to use the helm-toolkit s3 user script for creating the admin s3 user instead of using a similar script defined directly in the ceph-rgw chart Change-Id: I575b66415d44db7bb752102e45595305d86e623b
2019-02-06 15:34:58 -06:00 · 2019-02-06 15:34:58 -06:00 · cf0ed142f6
commit cf0ed142f6
parent f4aa5dc574
5 changed files with 47 additions and 49 deletions
--- a/ceph-rgw/templates/bin/rgw/_rgw-s3-admin.sh.tpl
+++ b/ceph-rgw/templates/bin/rgw/_rgw-s3-admin.sh.tpl
@ -1,38 +0,0 @@
-#!/bin/bash
-
-{{/*
-Copyright 2018 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-set -ex
-
-function create_admin_user () {
-  radosgw-admin user create \
-    --uid=${S3_ADMIN_USERNAME} \
-    --display-name=${S3_ADMIN_USERNAME}
-
-  radosgw-admin caps add \
-      --uid=${S3_ADMIN_USERNAME} \
-      --caps={{ .Values.conf.rgw_s3.admin_caps | quote }}
-
-  radosgw-admin key create \
-    --uid=${S3_ADMIN_USERNAME} \
-    --key-type=s3 \
-    --access-key ${S3_ADMIN_ACCESS_KEY} \
-    --secret-key ${S3_ADMIN_SECRET_KEY}
-}
-
-radosgw-admin user stats --uid=${S3_ADMIN_USERNAME} || \
-  create_admin_user
--- a/ceph-rgw/templates/configmap-bin.yaml
+++ b/ceph-rgw/templates/configmap-bin.yaml
@ -39,7 +39,7 @@ data:
  ceph-admin-keyring.sh: |
 {{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  rgw-s3-admin.sh: |
-{{ tuple "bin/rgw/_rgw-s3-admin.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- include "helm-toolkit.scripts.create_s3_user" . | indent 4 }}
  helm-tests.sh: |
 {{ tuple "bin/_helm-tests.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}
--- a/ceph-rgw/templates/job-s3-admin.yaml
+++ b/ceph-rgw/templates/job-s3-admin.yaml
@ -92,17 +92,17 @@ spec:
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.rgw_s3_admin | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          env:
-            - name: S3_ADMIN_USERNAME
+            - name: S3_USERNAME
              valueFrom:
                secretKeyRef:
                  name: {{ $s3AdminSecret }}
                  key: S3_ADMIN_USERNAME
-            - name: S3_ADMIN_ACCESS_KEY
+            - name: S3_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ $s3AdminSecret }}
                  key: S3_ADMIN_ACCESS_KEY
-            - name: S3_ADMIN_SECRET_KEY
+            - name: S3_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ $s3AdminSecret }}
--- a/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
+++ b/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@ -22,15 +22,51 @@ set -ex
 function create_s3_user () {
  radosgw-admin user create \
    --uid=${S3_USERNAME} \
-    --display-name=${S3_USERNAME}
-
-  radosgw-admin key create \
-    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
    --key-type=s3 \
    --access-key ${S3_ACCESS_KEY} \
    --secret-key ${S3_SECRET_KEY}
 }

-radosgw-admin user stats --uid=${S3_USERNAME} || \
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
  create_s3_user
+else
+  update_s3_user
+fi
+
 {{- end }}
--- a/tools/deployment/armada/manifests/armada-lma.yaml
+++ b/tools/deployment/armada/manifests/armada-lma.yaml
@ -123,10 +123,10 @@ data:
      delete:
        - type: job
          labels:
-            release_group: osh-infra-radosgw-osh-infra
+            release_group: osh-infra-osh-infra-radosgw
        - type: pod
          labels:
-            release_group: osh-infra-radosgw-osh-infra
+            release_group: osh-infra-osh-infra-radosgw
            component: test
  values:
    release_uuid: ${RELEASE_UUID}