From 20df4f6eaa2d4c1af66dccf7e985403d3d10ee74 Mon Sep 17 00:00:00 2001
From: Nishant Kumar
Date: Tue, 5 Feb 2019 16:51:16 +0000
Subject: [PATCH] Support for password rotation
- This PS adds support for password rotation for 'maas-region' password and 'maas-postgres-password'.
- This PS enables MAAS to use the newly created helm-toolkit script for postgreSQL DB initialization
Depends-On: https://review.openstack.org/#/c/635348/
Change-Id: Ibb36761351d8c34933a3bb71555bb23e8247a069
---
 .../bin/_bootstrap-admin-user.sh.tpl | 5 +-
 charts/maas/templates/bin/_db-init.sh.tpl | 63 -------------------
 charts/maas/templates/configmap-bin.yaml | 2 +-
 charts/maas/templates/job-db-init.yaml | 7 ++-
 charts/maas/templates/secret-db.yaml | 1 +
 charts/maas/templates/statefulset-region.yaml | 2 +
 tools/helm_tk.sh | 2 +-
 7 files changed, 15 insertions(+), 67 deletions(-)
 delete mode 100644 charts/maas/templates/bin/_db-init.sh.tpl
diff --git a/charts/maas/templates/bin/_bootstrap-admin-user.sh.tpl b/charts/maas/templates/bin/_bootstrap-admin-user.sh.tpl
index 66200d1..16b9362 100644
--- a/charts/maas/templates/bin/_bootstrap-admin-user.sh.tpl
+++ b/charts/maas/templates/bin/_bootstrap-admin-user.sh.tpl
@@ -14,6 +14,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-set -ex
+set -e
 maas-region createadmin --username=${ADMIN_USERNAME} --password=${ADMIN_PASSWORD} --email=${ADMIN_EMAIL} || true
+
+# Change password.
+echo "${ADMIN_USERNAME}:${ADMIN_PASSWORD}" | maas-region changepasswords
diff --git a/charts/maas/templates/bin/_db-init.sh.tpl b/charts/maas/templates/bin/_db-init.sh.tpl
deleted file mode 100644
index 3fb7735..0000000
--- a/charts/maas/templates/bin/_db-init.sh.tpl
+++ /dev/null
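Review bot: The added `echo "${ADMIN_USERNAME}:${ADMIN_PASSWORD}" | maas-region changepasswords` feeds a secret through `echo`, which is not safe for arbitrary data: POSIX `sh` implementations such as dash expand backslash sequences in the argument and bash's builtin treats an argument beginning with `-n`/`-e` as an option, so a rotated password containing backslashes (or a username beginning with `-`) would reach MAAS altered; `printf '%s:%s\n' "${ADMIN_USERNAME}" "${ADMIN_PASSWORD}" | maas-region changepasswords` forwards it byte-for-byte (the template's shebang is outside the hunk). The `createadmin` line it follows still expands `${ADMIN_PASSWORD}` unquoted and on the command line, so a password with whitespace or glob characters splits into extra arguments and the value is visible in the process list; that line is not part of the change, but the rotation path now depends on it. The comment `# Change password.` could say why the step exists, e.g. `# Apply the current password on every run: createadmin is tolerated to fail (|| true), presumably because the user already exists after the first bootstrap.` Dropping `-x` from `set -ex` presumably keeps the secret out of the job log; a one-line comment to that effect would stop it being reinstated for debugging.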
@@ -1,63 +0,0 @@
-#!/bin/bash
-
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -ex
-export HOME=/tmp
-
-pgsql_superuser_cmd () {
-  DB_COMMAND="$1"
-  if [[ ! -z $2 ]]; then
-    EXPORT PGDATABASE=$2
-  fi
-
-  psql \
-    -h ${DB_HOST} \
-    -p 5432 \
-    -U ${ROOT_DB_USER} \
-    --command="${DB_COMMAND}"
-}
-
-if [[ ! -v DB_HOST ]]; then
-  echo "environment variable DB_HOST not set"
-  exit 1
-elif [[ ! -v ROOT_DB_USER ]]; then
-  echo "environment variable ROOT_DB_USER not set"
-  exit 1
-elif [[ ! -v PGPASSWORD ]]; then
-  echo "environment variable PGPASSWORD not set"
-  exit 1
-elif [[ ! -v USER_DB_USER ]]; then
-  echo "environment variable USER_DB_USER not set"
-  exit 1
-elif [[ ! -v USER_DB_PASS ]]; then
-  echo "environment variable USER_DB_PASS not set"
-  exit 1
-elif [[ ! -v USER_DB_NAME ]]; then
-  echo "environment variable USER_DB_NAME not set"
-  exit 1
-else
-  echo "Got DB connection info"
-fi
-
-#create db
-pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q 1 || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
-
-#create db user
-pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \
-  pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} WITH SUPERUSER"
-
-#give permissions to user
-pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
diff --git a/charts/maas/templates/configmap-bin.yaml b/charts/maas/templates/configmap-bin.yaml
index 2f875ee..2f9e43f 100644
--- a/charts/maas/templates/configmap-bin.yaml
+++ b/charts/maas/templates/configmap-bin.yaml
@@ -22,7 +22,7 @@ metadata:
 name: maas-bin
 data:
 db-init.sh: |+
-{{ tuple "bin/_db-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- include "helm-toolkit.scripts.pg_db_init" . | indent 4 }}
 db-sync.sh: |+
 {{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 bootstrap-admin-user.sh: |
diff --git a/charts/maas/templates/job-db-init.yaml b/charts/maas/templates/job-db-init.yaml
index 025a5c3..48eb148 100644
--- a/charts/maas/templates/job-db-init.yaml
+++ b/charts/maas/templates/job-db-init.yaml
@@ -43,7 +43,7 @@ spec:
 imagePullPolicy: {{ .Values.images.pull_policy | quote }}
 {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 env:
- - name: ROOT_DB_USER
+ - name: DB_ADMIN_USER
 valueFrom:
 secretKeyRef:
 name: {{ .Values.secrets.maas_db.admin }}
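Review bot: Replacing `bin/_db-init.sh.tpl` with `helm-toolkit.scripts.pg_db_init` changes the database privilege model without that being visible here: the deleted script created the MAAS role with `LOGIN` and then ran `ALTER USER ... WITH SUPERUSER`, whereas whatever `pg_db_init` grants is defined in helm-toolkit at the commit pinned in `tools/helm_tk.sh`. Worth confirming against that script that the role ends up with exactly the privileges MAAS needs — and, if MAAS does not actually require superuser, treating this swap as the opportunity to drop it rather than carry it over. The same dependency applies to the env names in `job-db-init.yaml` (`DB_ADMIN_USER`, `DB_PORT`): only the renamed and added variables are in the diff, so the rest of that env block, including the admin password variable, should be checked against what `pg_db_init` reads, since a mismatch surfaces only when the job runs.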
@@ -73,6 +73,11 @@ spec:
 secretKeyRef:
 name: {{ .Values.secrets.maas_db.user }}
 key: DATABASE_NAME
+ - name: DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.maas_db.user }}
+ key: DATABASE_PORT
 command:
 - /tmp/db-init.sh
 volumeMounts:
diff --git a/charts/maas/templates/secret-db.yaml b/charts/maas/templates/secret-db.yaml
index 5790d21..4bab4f7 100644
--- a/charts/maas/templates/secret-db.yaml
+++ b/charts/maas/templates/secret-db.yaml
@@ -33,4 +33,5 @@ data:
 {{ $auth.password | b64enc | indent 4 }}
 DATABASE_NAME: |-
 {{ $auth.database | default "" | b64enc | indent 4 }}
+ DATABASE_PORT: {{ tuple "maas_db" "internal" "postgresql" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | b64enc }}
 {{ end }}
diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml
index a165118..414eeab 100644
--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@@ -36,6 +36,8 @@ spec:
 labels:
 {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 {{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/tools/helm_tk.sh b/tools/helm_tk.sh
index e0b6a93..8dae28b 100755
--- a/tools/helm_tk.sh
+++ b/tools/helm_tk.sh
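Review bot: The new `DATABASE_PORT` key is written inline (`DATABASE_PORT: {{ ... | b64enc }}`) while the neighbouring keys in the same `data:` block use the `|-` block form with `b64enc | indent 4`; for a single-line value both render the same, but matching the existing form keeps the block uniform and spares a reader wondering whether the difference is deliberate. A port is also not confidential, so it could live in a ConfigMap, though the chart already keeps `DATABASE_NAME` in this Secret and the placement is consistent with what is there.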
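Review bot: The new `configmap-bin-hash` / `configmap-etc-hash` annotations roll the region pods when either ConfigMap changes, but nothing hashes the Secrets that carry the passwords this change is meant to rotate; if the region container consumes those values from a Secret (as `job-db-init.yaml` does via `secretKeyRef`), a rotation that touches only the Secret would leave running pods on the old credential until something else restarts them. A matching `secret-db-hash: {{ tuple "secret-db.yaml" . | include "helm-toolkit.utils.hash" }}` annotation next to the two added here would close that gap. Whether the region pod reads the Secret directly is not visible in this diff, so please confirm before adding it.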
@@ -18,7 +18,7 @@ HELM=$1
 HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"}
 HTK_PATH=${HTK_PATH:-""}
-HTK_STABLE_COMMIT=${HTK_COMMIT:-"5316586d9efeec2c1e2c5f282fc03b51c3fee9aa"}
+HTK_STABLE_COMMIT=${HTK_COMMIT:-"7f21b85128ea4e6e64998b916f065c3100f5c4f7"}
 DEP_UP_LIST=${DEP_UP_LIST:-"maas"}
 if [[ ! -z $(echo $http_proxy) ]]