Support for password rotation

- This PS adds support for password rotation for 'maas-region' password
  and 'maas-postgres-password'.

- This PS enables MAAS to use the newly created helm-toolkit
  script for postgreSQL DB initialization

Depends-On: https://review.openstack.org/#/c/635348/

Change-Id: Ibb36761351d8c34933a3bb71555bb23e8247a069

charts/maas/templates/bin/_bootstrap-admin-user.sh.tpl

@@ -14,6 +14,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-set -ex
+set -e
 
 maas-region createadmin --username=${ADMIN_USERNAME} --password=${ADMIN_PASSWORD} --email=${ADMIN_EMAIL} || true
+
+# Change password.
+echo "${ADMIN_USERNAME}:${ADMIN_PASSWORD}" | maas-region changepasswords

charts/maas/templates/bin/_db-init.sh.tpl

@@ -1,63 +0,0 @@
-#!/bin/bash
-
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -ex
-export HOME=/tmp
-
-pgsql_superuser_cmd () {
-  DB_COMMAND="$1"
-  if [[ ! -z $2 ]]; then
-      EXPORT PGDATABASE=$2
-  fi
-
-  psql \
-  -h ${DB_HOST} \
-  -p 5432 \
-  -U ${ROOT_DB_USER} \
-  --command="${DB_COMMAND}"
-}
-
-if [[ ! -v DB_HOST ]]; then
-    echo "environment variable DB_HOST not set"
-    exit 1
-elif [[ ! -v ROOT_DB_USER ]]; then
-    echo "environment variable ROOT_DB_USER not set"
-    exit 1
-elif [[ ! -v PGPASSWORD ]]; then
-    echo "environment variable PGPASSWORD not set"
-    exit 1
-elif [[ ! -v USER_DB_USER ]]; then
-    echo "environment variable USER_DB_USER not set"
-    exit 1
-elif [[ ! -v USER_DB_PASS ]]; then
-    echo "environment variable USER_DB_PASS not set"
-    exit 1
-elif [[ ! -v USER_DB_NAME ]]; then
-    echo "environment variable USER_DB_NAME not set"
-    exit 1
-else
-    echo "Got DB connection info"
-fi
-
-#create db
-pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q 1 || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
-
-#create db user
-pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | tail -n +3 | head -n -2 | grep -q 1 || \
-    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} WITH SUPERUSER"
-
-#give permissions to user
-pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"

charts/maas/templates/configmap-bin.yaml

@@ -22,7 +22,7 @@ metadata:
   name: maas-bin
 data:
   db-init.sh: |+
-{{ tuple "bin/_db-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{-  include "helm-toolkit.scripts.pg_db_init" . | indent 4 }}
   db-sync.sh: |+
 {{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   bootstrap-admin-user.sh: |

charts/maas/templates/job-db-init.yaml

@@ -43,7 +43,7 @@ spec:
           imagePullPolicy: {{ .Values.images.pull_policy | quote }}
 {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
           env:
-            - name: ROOT_DB_USER
+            - name: DB_ADMIN_USER
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.secrets.maas_db.admin }}
@@ -73,6 +73,11 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.secrets.maas_db.user }}
                   key: DATABASE_NAME
+            - name: DB_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.maas_db.user }}
+                  key: DATABASE_PORT
           command:
             - /tmp/db-init.sh
           volumeMounts:

charts/maas/templates/secret-db.yaml

@@ -33,4 +33,5 @@ data:
 {{ $auth.password | b64enc | indent 4 }}
   DATABASE_NAME: |-
 {{ $auth.database | default "" | b64enc | indent 4 }}
+  DATABASE_PORT: {{ tuple "maas_db" "internal" "postgresql" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | b64enc }}
 {{ end }}

charts/maas/templates/statefulset-region.yaml

@@ -36,6 +36,8 @@ spec:
       labels:
 {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 {{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}

tools/helm_tk.sh

@@ -18,7 +18,7 @@
 HELM=$1
 HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"}
 HTK_PATH=${HTK_PATH:-""}
-HTK_STABLE_COMMIT=${HTK_COMMIT:-"5316586d9efeec2c1e2c5f282fc03b51c3fee9aa"}
+HTK_STABLE_COMMIT=${HTK_COMMIT:-"7f21b85128ea4e6e64998b916f065c3100f5c4f7"}
 DEP_UP_LIST=${DEP_UP_LIST:-"maas"}
 
 if [[ ! -z $(echo $http_proxy) ]]