Support for password rotation

- This PS adds support for rotating the 'maas-region' password
  and the 'maas-postgres-password'.

- This PS enables MAAS to use the newly created helm-toolkit
  script for postgreSQL DB initialization

Depends-On: https://review.openstack.org/#/c/635348/

Change-Id: Ibb36761351d8c34933a3bb71555bb23e8247a069
Nishant Kumar 2019-02-05 16:51:16 +00:00
parent 5e4ab93da8
commit 20df4f6eaa
7 changed files with 15 additions and 67 deletions


@ -14,6 +14,9 @@
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
set -e
maas-region createadmin --username=${ADMIN_USERNAME} --password=${ADMIN_PASSWORD} --email=${ADMIN_EMAIL} || true
# Change password.
echo "${ADMIN_USERNAME}:${ADMIN_PASSWORD}" | maas-region changepasswords
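Review bot: The switch from `set -ex` to `set -e` is presumably there because the new `echo "${ADMIN_USERNAME}:${ADMIN_PASSWORD}" | maas-region changepasswords` pipeline would, under `-x`, print the admin password into the job log, but nothing in the script records that reason, so a later contributor is likely to put `-x` back while debugging. Add `# No -x: the changepasswords pipeline below would trace the admin password into the pod log.` directly above `set -e`. The unchanged `createadmin --password=${ADMIN_PASSWORD}` line still places the password in the process argument list while it runs, which this commit does not address and which is worth a follow-up if the tool offers another way to pass it. The script begins outside the hunk.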


@ -1,63 +0,0 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
export HOME=/tmp
pgsql_superuser_cmd () {
DB_COMMAND="$1"
if [[ ! -z $2 ]]; then
EXPORT PGDATABASE=$2
fi
psql \
-h ${DB_HOST} \
-p 5432 \
-U ${ROOT_DB_USER} \
--command="${DB_COMMAND}"
}
if [[ ! -v DB_HOST ]]; then
echo "environment variable DB_HOST not set"
exit 1
elif [[ ! -v ROOT_DB_USER ]]; then
echo "environment variable ROOT_DB_USER not set"
exit 1
elif [[ ! -v PGPASSWORD ]]; then
echo "environment variable PGPASSWORD not set"
exit 1
elif [[ ! -v USER_DB_USER ]]; then
echo "environment variable USER_DB_USER not set"
exit 1
elif [[ ! -v USER_DB_PASS ]]; then
echo "environment variable USER_DB_PASS not set"
exit 1
elif [[ ! -v USER_DB_NAME ]]; then
echo "environment variable USER_DB_NAME not set"
exit 1
else
echo "Got DB connection info"
fi
#create db
pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q 1 || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
#create db user
pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \
pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} WITH SUPERUSER"
#give permissions to user
pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"


@ -22,7 +22,7 @@ metadata:
name: maas-bin
data:
db-init.sh: |+
{{ tuple "bin/_db-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- include "helm-toolkit.scripts.pg_db_init" . | indent 4 }}
db-sync.sh: |+
{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bootstrap-admin-user.sh: |
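Review bot: The replacement include uses a left trim (`{{- include "helm-toolkit.scripts.pg_db_init" . | indent 4 }}`) where the removed line used `{{ tuple ... }}` without one, so the newline between `db-init.sh: |+` and the rendered script is removed; the shebang only ends up on the first line of the block scalar if the toolkit define itself begins with a newline, and that dependency is invisible from this chart. Record it with a template comment on its own line above `data:`, `{{/* db-init.sh: pg_db_init begins with a newline, so the left trim on its include keeps the shebang on line 1 */}}`, and confirm with a rendered ConfigMap that `db-init.sh: |+` is followed by the script body rather than by content on the header line. The ConfigMap's metadata starts outside the hunk.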


@ -43,7 +43,7 @@ spec:
imagePullPolicy: {{ .Values.images.pull_policy | quote }}
{{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
- name: ROOT_DB_USER
- name: DB_ADMIN_USER
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.maas_db.admin }}
@ -73,6 +73,11 @@ spec:
secretKeyRef:
name: {{ .Values.secrets.maas_db.user }}
key: DATABASE_NAME
- name: DB_PORT
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.maas_db.user }}
key: DATABASE_PORT
command:
- /tmp/db-init.sh
volumeMounts:
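Review bot: The renamed `DB_ADMIN_USER` and the new `DB_PORT` entries are now inputs to a script defined in helm-toolkit rather than in this chart, and the only statement of that contract on this page is the deleted chart-local script, which checked each required variable with `[[ ! -v ... ]]` and granted the application role `SUPERUSER`; whether the toolkit script at the pinned `HTK_STABLE_COMMIT` performs the same presence checks or grants the same privilege cannot be confirmed here. Add a comment above `env:` naming the consumer so a future rename is caught: `# Consumed by helm-toolkit.scripts.pg_db_init: DB_ADMIN_USER, DB_PORT plus the existing DB_* entries.` If the toolkit script no longer grants SUPERUSER that is a least-privilege improvement worth stating in the commit message; if it still does, it is worth tracking as a follow-up. The container spec begins before the first hunk and continues after the second.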


@ -33,4 +33,5 @@ data:
{{ $auth.password | b64enc | indent 4 }}
DATABASE_NAME: |-
{{ $auth.database | default "" | b64enc | indent 4 }}
DATABASE_PORT: {{ tuple "maas_db" "internal" "postgresql" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | b64enc }}
{{ end }}
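Review bot: The new `DATABASE_PORT` entry is written inline, while its siblings (`DATABASE_NAME: |-` with the value on an `indent 4` line, and the password entry above it) use the block-scalar form, so this one key reads differently from the rest of the secret for no functional reason. For consistency write `DATABASE_PORT: |-` followed by `{{ tuple "maas_db" "internal" "postgresql" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | b64enc | indent 4 }}`. The conditional closed by `{{ end }}` opens outside the hunk.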


@ -36,6 +36,8 @@ spec:
labels:
{{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
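Review bot: The two hash annotations roll the region pods whenever `configmap-bin.yaml` or `configmap-etc.yaml` renders differently, which is presumably how a rotated password is meant to reach running pods, but they do nothing for a credential the pods read only from a Secret, since no Secret is hashed here. If either rotated value is not part of the rendered configmap-etc, add a matching annotation for the secret template that carries it, e.g. `secret-db-hash: {{ tuple "<secret-template>.yaml" . | include "helm-toolkit.utils.hash" }}` with the chart's actual file name substituted. The pod template metadata begins outside the hunk.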


@ -18,7 +18,7 @@
HELM=$1
HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"}
HTK_PATH=${HTK_PATH:-""}
HTK_STABLE_COMMIT=${HTK_COMMIT:-"5316586d9efeec2c1e2c5f282fc03b51c3fee9aa"}
HTK_STABLE_COMMIT=${HTK_COMMIT:-"7f21b85128ea4e6e64998b916f065c3100f5c4f7"}
DEP_UP_LIST=${DEP_UP_LIST:-"maas"}
if [[ ! -z $(echo $http_proxy) ]]