Support Postgres admin password

- Fully support Postgres configuration
  in the endpoints stanza
- Add RBAC support to the region and rack
  pods
- Add custom RBAC for export API key job
  to allow secret creation

Change-Id: I9d0b63ac329bb0b9539b14123c5e16ad3cd1c9f0

charts/maas/templates/bin/_db-init.sh.tpl

@@ -36,8 +36,8 @@ if [[ ! -v DB_HOST ]]; then
 elif [[ ! -v ROOT_DB_USER ]]; then
     echo "environment variable ROOT_DB_USER not set"
     exit 1
-elif [[ ! -v ROOT_DB_PASS ]]; then
-    echo "environment variable ROOT_DB_PASS not set"
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
     exit 1
 elif [[ ! -v USER_DB_USER ]]; then
     echo "environment variable USER_DB_USER not set"

charts/maas/templates/configmap-etc.yaml

@@ -16,16 +16,6 @@ limitations under the License.
 
 {{- $envAll := . }}
 
-{{- include "maas.conf.maas_values_skeleton" .Values.conf.maas | trunc 0 -}}
-
-{{- if empty .Values.conf.maas.database.database_host -}}
-{{- tuple "maas_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | set .Values.conf.maas.database "database_host" | quote | trunc 0 -}}
-{{- end -}}
-
-{{- if empty .Values.conf.maas.url.maas_url -}}
-{{- tuple "maas_region_ui" "default" "region_ui" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.maas.url "maas_url" | quote | trunc 0 -}}
-{{- end -}}
-
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -47,17 +37,7 @@ data:
 {{ .Values.conf.bind.append | indent 4 }}
 {{- end }}
   regiond.conf: |
-{{ if .Values.conf.maas.override -}}
-{{ .Values.conf.maas.override | indent 4 }}
-{{- else -}}
-{{- if .Values.conf.maas.prefix -}}
-{{ .Values.conf.maas.prefix | indent 4 }}
-{{- end }}
 {{ tuple "etc/_regiond.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-{{- end }}
-{{- if .Values.conf.maas.append -}}
-{{ .Values.conf.maas.append | indent 4 }}
-{{- end }}
   nsswitch.conf: |
 {{ tuple "etc/_nsswitch.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   register-rack-controller.service: |

charts/maas/templates/deployment-rack.yaml

@@ -1,5 +1,6 @@
 {{/*
 Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,9 +21,10 @@ limitations under the License.
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.rack_controller }}
 {{- $serviceAccountName := "maas-rack" }}
-{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 {{- $mounts_maas_rack := .Values.pod.mounts.maas_rack }}
 {{- $mounts_maas_rack_init := .Values.pod.mounts.maas_rack.init_container }}
+
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1beta1
 kind: Deployment

charts/maas/templates/etc/_regiond.conf.tpl

@@ -1,4 +1,6 @@
+{{/*
 # Copyright 2017 The Openstack-Helm Authors.
+# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -11,26 +13,13 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-{{ include "maas.conf.maas_values_skeleton" .Values.conf.maas | trunc 0 }}
-{{ include "maas.conf.maas" .Values.conf.maas }}
-
-{{- define "maas.conf.maas_values_skeleton" -}}
-{{- if not .database -}}{{- set . "database" dict -}}{{- end -}}
-{{- if not .url -}}{{- set . "url" dict -}}{{- end -}}
-{{- end -}}
-
+*/}}
 {{- if empty .Values.conf.maas.url.maas_url -}}
 {{- tuple "maas_region_ui" "default" "region_ui" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.maas.url "maas_url" | quote | trunc 0 -}}
-{{- end -}}
+{{- end }}
 
-
-{{- define "maas.conf.maas" -}}
-
-database_host: {{ .database.database_host }}
-database_name: {{ .database.database_name }}
-database_pass: {{ .database.database_password }}
-database_user: {{ .database.database_user }}
-maas_url: {{ .url.maas_url }}
-
-{{- end -}}
+database_host: {{ tuple "maas_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+database_name: {{ .Values.endpoints.maas_db.auth.user.database }}
+database_pass: {{ .Values.endpoints.maas_db.auth.user.password }}
+database_user: {{ .Values.endpoints.maas_db.auth.user.username }}
+maas_url: {{ .Values.conf.maas.url.maas_url }}

charts/maas/templates/job-bootstrap-admin-user.yaml

@@ -1,5 +1,6 @@
 {{/*
 Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

charts/maas/templates/job-db-init.yaml

@@ -1,5 +1,6 @@
 {{/*
 Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -46,7 +47,7 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.secrets.maas_db.admin }}
                   key: DATABASE_USERNAME
-            - name: ROOT_DB_PASS
+            - name: PGPASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.secrets.maas_db.admin }}

charts/maas/templates/job-db-sync.yaml

@@ -1,5 +1,6 @@
 {{/*
 Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

charts/maas/templates/job-export-api-key.yaml

@@ -1,5 +1,6 @@
 {{/*
 Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -18,35 +19,55 @@ limitations under the License.
 {{- $dependencies := .Values.dependencies.export_api_key }}
 {{- $initMounts := .Values.pod.mounts.export_api_key.export_api_key }}
 {{- $serviceAccountName := "maas-export-api-key" }}
-{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
+apiVersion: v1
+kind: ServiceAccount
 metadata:
   name: {{ $serviceAccountName }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
-      - update
+  namespace: {{ $envAll.Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
-  name: {{ $serviceAccountName }}
+  name: {{ $envAll.Release.Name }}-{{ $serviceAccountName }}
+  namespace: {{ $envAll.Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ $serviceAccountName }}
+  name: {{ $envAll.Release.Name }}-{{ $envAll.Release.Namespace }}-{{ $serviceAccountName }}
 subjects:
   - kind: ServiceAccount
     name: {{ $serviceAccountName }}
     namespace: {{ $envAll.Release.Namespace }}
 ---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: {{ $envAll.Release.Name }}-{{ $envAll.Release.Namespace }}-{{ $serviceAccountName }}
+  namespace: {{ $envAll.Release.Namespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      - services
+      - endpoints
+      - jobs
+      - pods
+  - apiGroups:
+      - ""
+    verbs:
+      - get
+      - create
+      - update
+    resources:
+      - secrets
+---
 apiVersion: batch/v1
 kind: Job
 metadata:

charts/maas/templates/job-import.yaml

@@ -1,5 +1,6 @@
 {{/*
 Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

charts/maas/templates/secret-db.yaml

@@ -32,5 +32,5 @@ data:
   DATABASE_PASSWORD: |-
 {{ $auth.password | b64enc | indent 4 }}
   DATABASE_NAME: |-
-{{ $envAll.Values.endpoints.maas_db.path | b64enc | indent 4 }}
+{{ $auth.database | default "" | b64enc | indent 4 }}
 {{ end }}

charts/maas/templates/statefulset-region.yaml

@@ -16,9 +16,10 @@
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.region_controller }}
 {{- $serviceAccountName := "maas-region" }}
-{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 {{- $mounts_maas_region := .Values.pod.mounts.maas_region.maas_region }}
 {{- $mounts_maas_region_init := .Values.pod.mounts.maas_region.init_container }}
+
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1beta1
 kind: StatefulSet

charts/maas/values.yaml

@@ -1,4 +1,5 @@
 # Copyright 2017 The Openstack-Helm Authors.
+# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -251,6 +252,7 @@ endpoints:
       user:
         username: maas
         password: password
+        database: maasdb
     path: maasdb
     hosts:
       default: postgresql