This is an automated email from the ASF dual-hosted git repository. willholley pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/couchdb-helm.git
The following commit(s) were added to refs/heads/master by this push:
new bb17404 Prehashed pw (#26)
bb17404 is described below
commit bb174048094a498604cdcc35e95cf6a046f0b0d5
Author: Will Holley <willhol...@apache.org>
AuthorDate: Fri May 22 14:21:34 2020 +0100
Prehashed pw (#26)
* Use Chart Testing v3
* Allow setting of consistent admin password hash
Co-authored-by: Arne Diekmann <a...@neoskop.de>
---
couchdb/Chart.yaml | 2 +-
couchdb/README.md | 18 ++++++++++++++++++
couchdb/password.ini | 2 ++
couchdb/templates/secrets.yaml | 3 +++
couchdb/templates/statefulset.yaml | 24 ++++++++++++++++++++++++
couchdb/values.yaml | 12 +++++++-----
docs/couchdb-3.3.0.tgz | Bin 0 -> 9496 bytes
docs/index.yaml | 25 ++++++++++++++++++++++++-
test/ct.yaml | 2 +-
test/e2e-kind.sh | 33 ++++++--------------------------
10 files changed, 86 insertions(+), 35 deletions(-)
diff --git a/couchdb/Chart.yaml b/couchdb/Chart.yaml
index f253fd9..63e5571 100644
--- a/couchdb/Chart.yaml
+++ b/couchdb/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: couchdb
-version: 3.2.0
+version: 3.3.0
 appVersion: 2.3.1
 description: A database featuring seamless multi-master sync, that scales from
 big data to mobile, with an intuitive HTTP/JSON API and designed for
diff --git a/couchdb/README.md b/couchdb/README.md
index b67e77e..ca3716b 100644
--- a/couchdb/README.md
+++ b/couchdb/README.md
@@ -59,6 +59,23 @@ Secret containing `adminUsername`, `adminPassword` and `cookieAuthSecret` keys:
 $ kubectl create secret generic my-release-couchdb --from-literal=adminUsername=foo --from-literal=adminPassword=bar --from-literal=cookieAuthSecret=baz
 ```
+If you want to set the `adminHash` directly to achieve consistent salts between
+different nodes you need to addionally add the key `password.ini` to the secret:
+
+```bash
+$ kubectl create secret generic my-release-couchdb \
+ --from-literal=adminUsername=foo \
+ --from-literal=cookieAuthSecret=baz \
+ --from-file=./my-password.ini
+```
+
+With the following contents in `my-password.ini`:
+
+```
+[admins]
+foo = <pbkdf2-hash>
+```
+
 and then install the chart while overriding the `createAdminSecret` setting:
 ```bash
@@ -148,6 +165,7 @@ A variety of other parameters are also configurable. See the comments in the
 |--------------------------------------|----------------------------------------|
 | `adminUsername` | admin |
 | `adminPassword` | auto-generated |
+| `adminHash` | |
 | `cookieAuthSecret` | auto-generated |
 | `image.repository` | couchdb |
 | `image.tag` | 2.3.1 |
diff --git a/couchdb/password.ini b/couchdb/password.ini
new file mode 100644
index 0000000..4ce8445
--- /dev/null
+++ b/couchdb/password.ini
@@ -0,0 +1,2 @@
+[admins]
+{{ .Values.adminUsername }} = {{ .Values.adminHash }}
diff --git a/couchdb/templates/secrets.yaml b/couchdb/templates/secrets.yaml
index 06513bb..92f55c6 100644
--- a/couchdb/templates/secrets.yaml
+++ b/couchdb/templates/secrets.yaml
@@ -13,4 +13,7 @@ data:
 adminUsername: {{ template "couchdb.defaultsecret" .Values.adminUsername }}
 adminPassword: {{ template "couchdb.defaultsecret" .Values.adminPassword }}
 cookieAuthSecret: {{ template "couchdb.defaultsecret" .Values.cookieAuthSecret }}
+{{- if .Values.adminHash }}
+ password.ini: {{ tpl (.Files.Get "password.ini") . | b64enc }}
+{{- end -}}
 {{- end -}}
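Review bot: The `[admins]` line in password.ini writes `.Values.adminUsername` and `.Values.adminHash` into the ini verbatim, with no quoting, escaping or validation, so the structure of the generated `local.d` file depends entirely on those two values being well-formed single-line tokens; secrets.yaml then base64-encodes exactly that rendered text via `tpl (.Files.Get "password.ini")`. Nothing in either hunk checks that the hash is present in the expected form or that the username is non-empty when the `{{- if .Values.adminHash }}` branch is taken. A minimal guard would be `{{ required "adminUsername must be set when adminHash is given" .Values.adminUsername }} = {{ required "adminHash must be set" .Values.adminHash }}`, and a one-line comment at the top of password.ini saying the file is only rendered into the admin Secret when `adminHash` is non-empty would tell maintainers why it lives outside `templates/`.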
diff --git a/couchdb/templates/statefulset.yaml b/couchdb/templates/statefulset.yaml
index 2f3d54d..c631dfa 100644
--- a/couchdb/templates/statefulset.yaml
+++ b/couchdb/templates/statefulset.yaml
@@ -39,6 +39,18 @@ spec:
 mountPath: /tmp/
 - name: config-storage
 mountPath: /default.d
+{{- if .Values.adminHash }}
+ - name: admin-hash-copy
+ image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
+ imagePullPolicy: {{ .Values.initImage.pullPolicy }}
+ command: ['sh','-c','cp /tmp/password.ini /local.d/ ;']
+ volumeMounts:
+ - name: admin-password
+ mountPath: /tmp/password.ini
+ subPath: "password.ini"
+ - name: local-config-storage
+ mountPath: /local.d
+{{- end }}
 containers:
 - name: couchdb
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -112,6 +124,10 @@ spec:
 volumeMounts:
 - name: config-storage
 mountPath: /opt/couchdb/etc/default.d
+{{- if .Values.adminHash }}
+ - name: local-config-storage
+ mountPath: /opt/couchdb/etc/local.d
+{{- end }}
 - name: database-storage
 mountPath: /opt/couchdb/data
 {{- if .Values.enableSearch }}
@@ -149,6 +165,14 @@ spec:
 - key: seedlistinifile
 path: seedlist.ini
+{{- if .Values.adminHash }}
+ - name: local-config-storage
+ emptyDir: {}
+ - name: admin-password
+ secret:
+ secretName: {{ template "couchdb.fullname" . }}
+{{- end -}}
+
 {{- if not .Values.persistentVolume.enabled }}
 - name: database-storage
 emptyDir: {}
diff --git a/couchdb/values.yaml b/couchdb/values.yaml
index bc1b9c6..bc74922 100644
--- a/couchdb/values.yaml
+++ b/couchdb/values.yaml
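Review bot: All three pieces of the hash wiring in this file — the `admin-hash-copy` init container, the `local.d` mount on the couchdb container and the `admin-password` secret volume — are gated on `.Values.adminHash` being non-empty, yet the README in this same commit tells users with a pre-created Secret (`createAdminSecret: false`) only to add a `password.ini` key to that Secret. Unless something outside these hunks covers it, such a user must also set `adminHash` to an arbitrary non-empty value purely to make the mounts render, which deserves a comment on the first `{{- if .Values.adminHash }}` guard, e.g. `{{/* adminHash also gates the password.ini init container and mounts; set it (any non-empty value) when password.ini comes from your own Secret */}}`. Separately, `local-config-storage` in the third hunk is a default `emptyDir`, so the copied admin hash is written to node disk rather than to the tmpfs backing the Secret volume; `emptyDir:` with `medium: Memory` would keep it memory-backed. The volumes list continues past the end of the third hunk.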
@@ -13,9 +13,10 @@ allowAdminParty: false
 ## be created containing auto-generated credentials. Users who prefer to set
 ## these values themselves have a couple of options:
 ##
-## 1) The `adminUsername`, `adminPassword`, and `cookieAuthSecret` can be
-## defined directly in the chart's values. Note that all of a chart's values
-## are currently stored in plaintext in a ConfigMap in the tiller namespace.
+## 1) The `adminUsername`, `adminPassword`, `adminHash`, and `cookieAuthSecret`
+## can be defined directly in the chart's values. Note that all of a chart's
+## values are currently stored in plaintext in a ConfigMap in the tiller
+## namespace.
 ##
 ## 2) This flag can be disabled and a Secret with the required keys can be
 ## created ahead of time.
@@ -23,6 +24,7 @@ createAdminSecret: true
 adminUsername: admin
 # adminPassword: this_is_not_secure
+# adminHash: -pbkdf2-this_is_not_necessarily_secure_either
 # cookieAuthSecret: neither_is_this
 ## When enabled, will deploy a networkpolicy that allows CouchDB pods to
@@ -129,7 +131,8 @@ ingress:
 ## Optional resource requests and limits for the CouchDB container
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
-resources: {}
+resources:
+ {}
 # requests:
 # cpu: 100m
 # memory: 128Mi
@@ -160,7 +163,6 @@ couchdbConfig:
 # 5984 when is set to true.
 require_valid_user: false
-
 # Kubernetes local cluster domain.
 # This is used to generate FQDNs for peers when joining the CouchDB cluster.
 dns:
diff --git a/docs/couchdb-3.3.0.tgz b/docs/couchdb-3.3.0.tgz
new file mode 100644
index 0000000..90ca60e
Binary files /dev/null and b/docs/couchdb-3.3.0.tgz differ
diff --git a/docs/index.yaml b/docs/index.yaml
index 01fb9a1..94d1bec 100644
--- a/docs/index.yaml
+++ b/docs/index.yaml
@@ -3,6 +3,29 @@ entries:
 couchdb:
 - apiVersion: v1
 appVersion: 2.3.1
+ created: "2020-05-22T13:16:19.793936+01:00"
+ description: A database featuring seamless multi-master sync, that scales from
+ big data to mobile, with an intuitive HTTP/JSON API and designed for reliability.
+ digest: 0d2613f898fd6f6d86e396e2f64f21e85d3d07889fe3fcc76e03cdb741ecce74
+ home: https://couchdb.apache.org/
+ icon: http://couchdb.apache.org/CouchDB-visual-identity/logo/CouchDB-couch-symbol.svg
+ keywords:
+ - couchdb
+ - database
+ - nosql
+ maintainers:
+ - email: kocol...@apache.org
+ name: kocolosk
+ - email: willhol...@apache.org
+ name: willholley
+ name: couchdb
+ sources:
+ - https://github.com/apache/couchdb-docker
+ urls:
+ - https://apache.github.io/couchdb-helm/couchdb-3.3.0.tgz
+ version: 3.3.0
+ - apiVersion: v1
+ appVersion: 2.3.1
 created: "2020-02-24T14:28:33.088976214+01:00"
 description: A database featuring seamless multi-master sync, that scales from
 big data to mobile, with an intuitive HTTP/JSON API and designed for reliability.
@@ -162,4 +185,4 @@ entries:
 urls:
 - https://apache.github.io/couchdb-helm/couchdb-2.2.0.tgz
 version: 2.2.0
-generated: "2020-02-24T14:28:33.083464834+01:00"
+generated: "2020-05-22T13:16:19.792815+01:00"
diff --git a/test/ct.yaml b/test/ct.yaml
index d40aa57..1ba45a4 100644
--- a/test/ct.yaml
+++ b/test/ct.yaml
@@ -1 +1 @@
-helm-extra-args: --timeout 800
+helm-extra-args: --timeout 800s
diff --git a/test/e2e-kind.sh b/test/e2e-kind.sh
index 4cb57b4..6fe31c2 100755
--- a/test/e2e-kind.sh
+++ b/test/e2e-kind.sh
@@ -4,10 +4,10 @@ set -o errexit
 set -o nounset
 set -o pipefail
-readonly CT_VERSION=v2.3.3
-readonly KIND_VERSION=v0.5.1
+readonly CT_VERSION=v3.0.0-rc.1
+readonly KIND_VERSION=v0.7.0
 readonly CLUSTER_NAME=chart-testing
-readonly K8S_VERSION=v1.14.3
+readonly K8S_VERSION=v1.17.0
 run_ct_container() {
 echo 'Running ct container...'
@@ -45,9 +45,10 @@ create_kind_cluster() {
 docker_exec mkdir -p /root/.kube
 echo 'Copying kubeconfig to container...'
- local kubeconfig
- kubeconfig="$(kind get kubeconfig-path --name "$CLUSTER_NAME")"
+ local kubeconfig=$(mktemp)
+ kind get kubeconfig --name "$CLUSTER_NAME" >"$kubeconfig"
 docker cp "$kubeconfig" ct:/root/.kube/config
+ rm "$kubeconfig"
 docker_exec kubectl cluster-info
 echo
@@ -59,26 +60,6 @@ create_kind_cluster() {
 echo
 }
-install_tiller() {
- echo 'Installing Tiller...'
- docker_exec kubectl --namespace kube-system create sa tiller
- docker_exec kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
- docker_exec helm init --service-account tiller --upgrade --wait
- echo
-}
-
-install_local-path-provisioner() {
- # kind doesn't support Dynamic PVC provisioning yet, this is one ways to get it working
- # https://github.com/rancher/local-path-provisioner
-
- # Remove default storage class. It will be recreated by local-path-provisioner
- docker_exec kubectl delete storageclass standard
-
- echo 'Installing local-path-provisioner...'
- docker_exec kubectl apply -f test/local-path-provisioner.yaml
- echo
-}
-
 install_charts() {
 docker_exec ct lint-and-install --charts couchdb --upgrade --chart-dirs .
 echo
@@ -89,8 +70,6 @@ main() {
 trap cleanup EXIT
 create_kind_cluster
- install_local-path-provisioner
- install_tiller
 install_charts
 }
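Review bot: `local kubeconfig=$(mktemp)` in the first hunk hides a failing `mktemp` from `set -o errexit`, because the status of the assignment is that of the `local` builtin rather than of the command substitution; the two lines being removed had the safer split form. Keep that shape: `local kubeconfig` followed by `kubeconfig="$(mktemp)"`. The new `rm "$kubeconfig"` is also never reached when `kind get kubeconfig` or `docker cp` fails and errexit ends the script, so the temp file is better removed from the `cleanup` handler that `main` already installs with `trap cleanup EXIT` in the last hunk. create_kind_cluster starts before the first hunk and its body continues between the first and second hunks.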