This is an automated email from the ASF dual-hosted git repository. willholley pushed a commit to branch prehashed-pw in repository https://gitbox.apache.org/repos/asf/couchdb-helm.git
commit 85bcc952dd59eabdb67ee4db8aacc72af5ccef7b
Author: Arne Diekmann <a...@neoskop.de>
AuthorDate: Thu Feb 20 16:44:27 2020 +0100
Allow setting of consistent admin password hash
---
 couchdb/README.md | 18 ++++++++++++++++++
 couchdb/password.ini | 2 ++
 couchdb/templates/secrets.yaml | 3 +++
 couchdb/templates/statefulset.yaml | 24 ++++++++++++++++++++++++
 couchdb/values.yaml | 12 +++++++-----
 5 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/couchdb/README.md b/couchdb/README.md
index b67e77e..ca3716b 100644
--- a/couchdb/README.md
+++ b/couchdb/README.md
@@ -59,6 +59,23 @@ Secret containing `adminUsername`, `adminPassword` and `cookieAuthSecret` keys:
 $ kubectl create secret generic my-release-couchdb --from-literal=adminUsername=foo --from-literal=adminPassword=bar --from-literal=cookieAuthSecret=baz
 ```
+If you want to set the `adminHash` directly to achieve consistent salts between
+different nodes you need to addionally add the key `password.ini` to the secret:
+
+```bash
+$ kubectl create secret generic my-release-couchdb \
+ --from-literal=adminUsername=foo \
+ --from-literal=cookieAuthSecret=baz \
+ --from-file=./my-password.ini
+```
+
+With the following contents in `my-password.ini`:
+
+```
+[admins]
+foo = <pbkdf2-hash>
+```
+
 and then install the chart while overriding the `createAdminSecret` setting:
 ```bash
@@ -148,6 +165,7 @@ A variety of other parameters are also configurable. See the comments in the
 |--------------------------------------|----------------------------------------|
 | `adminUsername` | admin |
 | `adminPassword` | auto-generated |
+| `adminHash` | |
 | `cookieAuthSecret` | auto-generated |
 | `image.repository` | couchdb |
 | `image.tag` | 2.3.1 |
diff --git a/couchdb/password.ini b/couchdb/password.ini
new file mode 100644
index 0000000..4ce8445
--- /dev/null
+++ b/couchdb/password.ini
@@ -0,0 +1,2 @@
+[admins]
+{{ .Values.adminUsername }} = {{ .Values.adminHash }}
diff --git a/couchdb/templates/secrets.yaml b/couchdb/templates/secrets.yaml
index 06513bb..92f55c6 100644
--- a/couchdb/templates/secrets.yaml
+++ b/couchdb/templates/secrets.yaml
@@ -13,4 +13,7 @@ data:
 adminUsername: {{ template "couchdb.defaultsecret" .Values.adminUsername }}
 adminPassword: {{ template "couchdb.defaultsecret" .Values.adminPassword }}
 cookieAuthSecret: {{ template "couchdb.defaultsecret" .Values.cookieAuthSecret }}
+{{- if .Values.adminHash }}
+ password.ini: {{ tpl (.Files.Get "password.ini") . | b64enc }}
+{{- end -}}
 {{- end -}}
diff --git a/couchdb/templates/statefulset.yaml b/couchdb/templates/statefulset.yaml
index 2f3d54d..c631dfa 100644
--- a/couchdb/templates/statefulset.yaml
+++ b/couchdb/templates/statefulset.yaml
@@ -39,6 +39,18 @@ spec:
 mountPath: /tmp/
 - name: config-storage
 mountPath: /default.d
+{{- if .Values.adminHash }}
+ - name: admin-hash-copy
+ image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
+ imagePullPolicy: {{ .Values.initImage.pullPolicy }}
+ command: ['sh','-c','cp /tmp/password.ini /local.d/ ;']
+ volumeMounts:
+ - name: admin-password
+ mountPath: /tmp/password.ini
+ subPath: "password.ini"
+ - name: local-config-storage
+ mountPath: /local.d
+{{- end }}
 containers:
 - name: couchdb
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -112,6 +124,10 @@ spec:
 volumeMounts:
 - name: config-storage
 mountPath: /opt/couchdb/etc/default.d
+{{- if .Values.adminHash }}
+ - name: local-config-storage
+ mountPath: /opt/couchdb/etc/local.d
+{{- end }}
 - name: database-storage
 mountPath: /opt/couchdb/data
 {{- if .Values.enableSearch }}
@@ -149,6 +165,14 @@ spec:
 - key: seedlistinifile
 path: seedlist.ini
+{{- if .Values.adminHash }}
+ - name: local-config-storage
+ emptyDir: {}
+ - name: admin-password
+ secret:
+ secretName: {{ template "couchdb.fullname" . }}
+{{- end -}}
+
 {{- if not .Values.persistentVolume.enabled }}
 - name: database-storage
 emptyDir: {}
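Review bot: The new `password.ini` entry is rendered only when `.Values.adminHash` is set, yet `adminPassword` on the line above is still filled unconditionally by `couchdb.defaultsecret`, so a release that supplies a hash also ships an auto-generated plaintext admin password in the same Secret. If the statefulset still passes that value to the container (its env section is not in this diff), the image may register a second, independently salted admin entry and the hash in `password.ini` only takes effect if CouchDB reads it afterwards — worth confirming and recording with a comment such as `# adminPassword is unused when adminHash is set; password.ini carries the authoritative [admins] entry`. Note also that `tpl` template-expands the hash string itself, so a value containing `{{` would fail to render; harmless for `-pbkdf2-` strings but worth a comment.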
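Review bot: The `admin-hash-copy` init container here, the `local.d` mount in the second statefulset hunk and the `admin-password`/`local-config-storage` volumes in the third are all gated on `.Values.adminHash`, but the README in this commit tells users who pre-create the Secret (`createAdminSecret: false`) only to add a `password.ini` key; for them `adminHash` is empty, none of these blocks is rendered and the supplied hash is silently ignored. Either gate the three blocks on a dedicated flag or document that `adminHash` must be set to a non-empty value even when the Secret is supplied externally. The copy step also moves the hash out of the read-only Secret volume into a writable `emptyDir`, presumably because CouchDB needs `local.d` writable; a one-line comment such as `# copied into an emptyDir so CouchDB can rewrite local.d — confirm` would record the reason for the next maintainer.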
diff --git a/couchdb/values.yaml b/couchdb/values.yaml
index bc1b9c6..bc74922 100644
--- a/couchdb/values.yaml
+++ b/couchdb/values.yaml
@@ -13,9 +13,10 @@ allowAdminParty: false
 ## be created containing auto-generated credentials. Users who prefer to set
 ## these values themselves have a couple of options:
 ##
-## 1) The `adminUsername`, `adminPassword`, and `cookieAuthSecret` can be
-## defined directly in the chart's values. Note that all of a chart's values
-## are currently stored in plaintext in a ConfigMap in the tiller namespace.
+## 1) The `adminUsername`, `adminPassword`, `adminHash`, and `cookieAuthSecret`
+## can be defined directly in the chart's values. Note that all of a chart's
+## values are currently stored in plaintext in a ConfigMap in the tiller
+## namespace.
 ##
 ## 2) This flag can be disabled and a Secret with the required keys can be
 ## created ahead of time.
@@ -23,6 +24,7 @@ createAdminSecret: true
 adminUsername: admin
 # adminPassword: this_is_not_secure
+# adminHash: -pbkdf2-this_is_not_necessarily_secure_either
 # cookieAuthSecret: neither_is_this
 ## When enabled, will deploy a networkpolicy that allows CouchDB pods to
@@ -129,7 +131,8 @@ ingress:
 ## Optional resource requests and limits for the CouchDB container
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
-resources: {}
+resources:
+ {}
 # requests:
 # cpu: 100m
 # memory: 128Mi
@@ -160,7 +163,6 @@ couchdbConfig:
 # 5984 when is set to true.
 require_valid_user: false
-
 # Kubernetes local cluster domain.
 # This is used to generate FQDNs for peers when joining the CouchDB cluster.
 dns:
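Review bot: The example `# adminHash: -pbkdf2-this_is_not_necessarily_secure_either` does not show what a real value looks like, and the rewritten comment block in the first hunk now lists `adminHash` among values kept in plaintext in the release ConfigMap without saying why that matters for a hash. Suggest a comment above the example such as `# adminHash: the complete -pbkdf2-... string from an existing CouchDB [admins] entry; it is still an offline-crackable secret, so option 2 (pre-created Secret) is preferable for it as well`. The `resources: {}` reflow in the third hunk and the blank line removed in the fourth are unrelated formatting changes that would be cleaner in a separate commit.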