Update generated random password #25

Merged
merged 2 commits into from
Mar 11, 2024
2 changes: 1 addition & 1 deletion charts/hedgedoc/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: hedgedoc-helm
description: Hedgedoc Helm Chart for Rahti platform
Link to the repo https://github.com/CSCfi/helm-charts
version: 1.0.0
version: 1.1.0
sources:
- https://github.com/CSCfi/helm-charts
dependencies:
8 changes: 7 additions & 1 deletion charts/hedgedoc/README.md
Expand Up @@ -31,10 +31,16 @@ helm upgrade --install hedgedoc . -f {custom_values.yaml}
| `hedgedoc.containerSecurityContext` | Set SecurityContext for the container | `allowPrivilegeEscalation: false`<br>`runAsUser:`<br>`runAsGroup:`<br>`capabilities:`<br>&nbsp;&nbsp;`drop:`<br>&nbsp;&nbsp;`- ALL`<br>`runAsNonRoot: true`<br>`seccompProfile:`<br>&nbsp;&nbsp;`type: RuntimeDefault` |
| `hedgedoc.pvc.storageSpace` | Storage space for the PersistentVolume | `5Gi` |
| `hedgedoc.service.type` | Set the Service type | `ClusterIP` |
| `hedgedoc.random_pw_secret_key` | Key to store the password | `database-password` |
| `hedgedoc.secret.database-name` | Name of the database | `postgres` |
| `hedgedoc.secret.database-user` | Name of the postgres user | `postgres` |
| `hedgedoc.secret.database-password` | Function that retrieve the generated password | `'{{- include "random_pw_reusable" . -}}'` |

### PostgreSQL parameters

Since we are using the `bitnami/postgresql` Helm Chart as a dependency, you can take a look to the [PostgreSQL ArtifactHub](https://artifacthub.io/packages/helm/bitnami/postgresql/13.4.4) to check the different values
Since we are using the `bitnami/postgresql` Helm Chart as a dependency, you can take a look to the [PostgreSQL ArtifactHub](https://artifacthub.io/packages/helm/bitnami/postgresql/13.4.4) to check the different values.

The postgres database password is generated randomly and won't change if you upgrade the Chart.

## Cleanup
To delete all the resources, simply uninstall the Helm Chart:
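Review bot: The new README rows say `Function that retrieve the generated password`; this should read `Template function that retrieves the generated password` (same fix applies to the `random_pw_secret_key` row, whose value is the key name inside the Secret, not where the password is "stored"). The sentence `The postgres database password is generated randomly and won't change if you upgrade the Chart.` is only true while the `postgres` Secret still exists in the namespace: the helper reads the password back via `lookup`, so if that Secret is deleted while the PostgreSQL PVC is kept, the next upgrade writes a fresh password that no longer matches the database. Worth stating that caveat next to the sentence, together with the `oc get secret ... | base64 -d` retrieval command that NOTES.txt prints.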
4 changes: 4 additions & 0 deletions charts/hedgedoc/templates/NOTES.txt
Expand Up @@ -6,3 +6,7 @@ Your HedgeDoc applications is now deployed. Wait a little bit the time that the
and then you could access it through this URL:

https://{{ .Values.hedgedoc.appname }}.{{ .Values.hedgedoc.domain }}

The postgresql database password is generated automatically. To check its value, run this command:

echo PostgreSQL Password: $(oc get secret --namespace={{ .Release.Namespace }} postgres -o jsonpath="{.data.database-password}" | base64 -d)
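Review bot: The jsonpath in the NOTES command hardcodes the key, `-o jsonpath="{.data.database-password}"`, while the chart makes that key configurable through `.Values.hedgedoc.random_pw_secret_key`; someone who overrides the key gets an empty echo here. Render the key into the command, for example `-o jsonpath="{.data.{{ .Values.hedgedoc.random_pw_secret_key }}}"`, so NOTES.txt and `_helpers.tpl` stay in sync. The Secret name `postgres` is hardcoded in the same way in `secrets.yaml` and in the `lookup` call, so that part is at least consistent.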
38 changes: 33 additions & 5 deletions charts/hedgedoc/templates/_helpers.tpl
Expand Up @@ -61,9 +61,37 @@ Create the name of the service account to use
{{- end }}
{{- end }}

{{/*
Generate postgres database password
{{/*
Define a function that generate static password
*/}}
{{- define "hedgedoc.postgresPassword" -}}
database-password: {{ randAlphaNum 16 | quote }}
{{- end }}
{{- define "generate_static_password" -}}
{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
{{- if not (index .Release "tmp_vars") -}}
{{- $_ := set .Release "tmp_vars" dict -}}
{{- end -}}
{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
{{- $key := printf "%s_%s" .Release.Name "password" -}}
{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
{{- if not (index .Release.tmp_vars $key) -}}
{{- /* ... store random password under the $key */ -}}
{{- $_ := set .Release.tmp_vars $key (randAlphaNum 20) -}}
{{- end -}}
{{- /* Retrieve previously generated value. */ -}}
{{- index .Release.tmp_vars $key -}}
{{- end -}}

{{/*
Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
*/}}
{{- define "random_pw_reusable" -}}
{{- if .Release.IsUpgrade -}}
{{- $data := default dict (lookup "v1" "Secret" .Release.Namespace "postgres").data -}}
{{- if $data -}}
{{- index $data .Values.hedgedoc.random_pw_secret_key | b64dec -}}
{{- end -}}
{{- else -}}
{{- if and (required "You must pass postgres (the name of a secret to retrieve password from on upgrade)" "postgres") (required "You must pass .Values.hedgedoc.random_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.hedgedoc.random_pw_secret_key) -}}
{{- (include "generate_static_password" .) -}}
{{- end -}}
{{- end -}}
{{- end -}}
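Review bot: `random_pw_reusable` has no fallback on the upgrade path: when `.Release.IsUpgrade` is true but `lookup` returns nothing (Secret deleted, key missing, or a client-side `helm upgrade --dry-run`, where `lookup` returns an empty object), the `{{- if $data -}}` branch emits nothing and `secrets.yaml` base64-encodes an empty password. Add an `{{- else -}}` that falls through to `{{- include "generate_static_password" . -}}` instead of silently writing an empty value, or use `required` there so the render fails loudly. Separately, `(required "You must pass postgres (the name of a secret ...)" "postgres")` checks a string literal, which can never be empty, so that half of the `and` is dead code and its error message is misleading; either parameterise the Secret name as the matomo chart does with `.Values.mariadb.name`, or drop the check.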
10 changes: 6 additions & 4 deletions charts/hedgedoc/templates/secrets.yaml
@@ -1,11 +1,13 @@
apiVersion: v1
stringData:
database-name: postgres
database-user: postgres
{{- include "hedgedoc.postgresPassword" . | nindent 2 }}
kind: Secret
metadata:
labels:
app: postgresql
name: postgres
{{- if .Values.hedgedoc.secret }}
data:
{{- range $key, $val := .Values.hedgedoc.secret }}
"{{ $key }}": "{{ tpl $val $ | b64enc }}"
{{- end }}
{{- end }}
type: Opaque
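Review bot: `"{{ $key }}": "{{ tpl $val $ | b64enc }}"` runs every value under `hedgedoc.secret` through `tpl`, not just the password. That is what makes the `include "random_pw_reusable"` string in values.yaml work, but it also means a user-supplied literal such as a database name or a pre-chosen password containing `{{` will be parsed as a template and fail (or render to something else). Either document in the README that values under `hedgedoc.secret` are template-evaluated, or apply `tpl` only to the password key. On the positive side, the 1.0.0 template already wrote `database-password` into a Secret named `postgres`, so the `lookup` in `random_pw_reusable` will find the existing password on the first upgrade from 1.0.0 and the database credentials are preserved.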
5 changes: 5 additions & 0 deletions charts/hedgedoc/values.yaml
Expand Up @@ -28,6 +28,11 @@ hedgedoc:
storageSpace: 5Gi
service:
type: ClusterIP
random_pw_secret_key: database-password
secret:
database-name: postgres
database-user: postgres
database-password: '{{- include "random_pw_reusable" . -}}'

# Parameters related to the deployment of PostgreSQL
postgresql:
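Review bot: `random_pw_secret_key: database-password` and the `database-password:` key under `secret:` are two spellings of the same name that must stay identical: the first tells `random_pw_reusable` which key to read back from the Secret on upgrade, the second is the key the Secret is written under. If a user changes one and not the other, the upgrade lookup finds nothing and the password is regenerated (or, as written, rendered empty). A comment in values.yaml pointing out the coupling, or deriving one from the other in the template, would prevent that.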
2 changes: 1 addition & 1 deletion charts/matomo/Chart.yaml
Expand Up @@ -2,6 +2,6 @@ apiVersion: v2
name: matomo-helm
description: Matomo Helm Chart for Rahti platform
Link to the repo https://github.com/CSCfi/helm-charts
version: 1.0.0
version: 1.1.0
sources:
- https://github.com/CSCfi/helm-charts
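Review bot: A minor bump to `1.1.0` understates this change for the matomo chart: the diff renames user-facing values (`mariadb.secret.databaseName` to `mariadb.secret.database-name`, `mariadb.secret.databaseUser` to `mariadb.secret.database-user`, `matomo.secret.matomoUser` to `matomo.secret.matomo-username`), so any existing custom values file that sets the old keys will silently stop applying them. Under semver that is a breaking change (`2.0.0`), and at minimum the README should carry a migration note listing the renamed keys.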
28 changes: 18 additions & 10 deletions charts/matomo/README.md
Expand Up @@ -24,8 +24,12 @@ helm upgrade --install matomo . -f {custom_values.yaml}
| `mariadb.service.type` | Set the Service type | `ClusterIP` |
| `mariadb.pvc.storageSize` | Storage size for the PersistentVolume | `5Gi` |
| `mariadb.pvc.storageClassName` | Storage Class Name for the PersistentVolume | `standard-csi` |
| `mariadb.secret.databaseName` | Name of your database | `matomodb` |
| `mariadb.secret.databaseUser` | Name of the database user | `matomouser` |
| `mariadb.random_pw_secret_key` | Key to store the password | `database-password` |
| `mariadb.random_root_pw_secret_key` | Key to store the root password | `database-root-password` |
| `mariadb.secret.database-name` | Name of the database | `matomodb` |
| `mariadb.secret.database-user` | Name of the database user | `matomouser` |
| `mariadb.secret.database-password` | Function that retrieve the generated password | `'{{- include "random_mariadb_pw_reusable" . -}}'` |
| `mariadb.secret.database-password` | Function that retrieve the generated root password | `'{{- include "random_mariadb_root_pw_reusable" . -}}'` |
| `mariadb.livenessProbe.enabled` | Enable or not `livenessProbe` | `true` |
| `mariadb.livenessProbe.initialDelaySeconds` | Set the `livenessProbe.initialDelaySeconds` | `30` |
| `mariadb.livenessProbe.timeoutSeconds` | Set the `livenessProbe.timeoutSeconds` | `1` |
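Review bot: The last two added rows both use the key `mariadb.secret.database-password`; the second one, described as `Function that retrieve the generated root password` with value `random_mariadb_root_pw_reusable`, should be `mariadb.secret.database-root-password` to match values.yaml. As in the hedgedoc README, `Function that retrieve` should read `Template function that retrieves`.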
Expand All @@ -36,18 +40,22 @@ helm upgrade --install matomo . -f {custom_values.yaml}

### Matomo parameters

| Name | Description | Value |
| ------------------------------------------------ | -------------------------------------------------------------------- | ----------------------- |
| `matomo.image` | Name of the `matomo` image. | `bitnami/matomo:latest` |
| `matomo.name` | Name of your app. | `matomo` |
| `matomo.service.type` | Set the Service type | `ClusterIP` |
| `matomo.route.tls.insecureEdgeTerminationPolicy` | Set the termination policy regarding insecure traffic for the route | `Redirect` |
| `matomo.route.tls.termination` | Set the termination for the route | `edge` |
| `matomo.secret.matomoUser` | Name of the database user | `matomouser` |
| Name | Description | Value |
| ------------------------------------------------ | -------------------------------------------------------------------- | ------------------------------------------------- |
| `matomo.image` | Name of the `matomo` image. | `bitnami/matomo:latest` |
| `matomo.name` | Name of your app. | `matomo` |
| `matomo.service.type` | Set the Service type | `ClusterIP` |
| `matomo.route.tls.insecureEdgeTerminationPolicy` | Set the termination policy regarding insecure traffic for the route | `Redirect` |
| `matomo.route.tls.termination` | Set the termination for the route | `edge` |
| `matomo.random_pw_secret_key` | Key to store the password | `matomo-password` |
| `matomo.secret.matomo-username` | Name of the matomo user | `matomouser` |
| `matomo.secret.matomo-password` | Function that retrieve the generated password | `'{{- include "random_matomo_pw_reusable" . -}}'` |

The password for the mariadb database and the root password are generated randomly. A function is created in the `_helpers.tpl` file.
It's the same behavior for the matomo user password.

The passwords won't change if you upgrade the Chart.

Follow the instructions after deploying the Helm Chart to retrieve the passwords.

## Cleanup
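Review bot: `Follow the instructions after deploying the Helm Chart to retrieve the passwords.` points at the post-install notes, but this diff changes `charts/hedgedoc/templates/NOTES.txt` only; no change to `charts/matomo/templates/NOTES.txt` is shown. Please confirm the matomo notes already print the `oc get secret ... | base64 -d` commands for all three secret keys, or add them in this PR. The paragraph above also needs the same caveat as hedgedoc: the passwords survive upgrades only as long as the `{{ .Values.mariadb.name }}` and `{{ .Values.matomo.name }}` Secrets exist, because they are read back with `lookup`.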
113 changes: 103 additions & 10 deletions charts/matomo/templates/_helpers.tpl
Expand Up @@ -61,17 +61,110 @@ Create the name of the service account to use
{{- end }}
{{- end }}

{{/*
Generate mariadb passwords
## MARIADB PASSWORD
{{/*
Define a function that generate static mariadb password
*/}}
{{- define "matomo.mariadbPasswords" -}}
database-password: {{ randAlphaNum 16 | quote }}
database-root-password: {{ randAlphaNum 32 | quote }}
{{- end }}
{{- define "generate_static_mariadb_password" -}}
{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
{{- if not (index .Release "tmp_vars_mariadb") -}}
{{- $_ := set .Release "tmp_vars_mariadb" dict -}}
{{- end -}}
{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
{{- $key := printf "%s_%s" .Release.Name "mariadb_password" -}}
{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
{{- if not (index .Release.tmp_vars_mariadb $key) -}}
{{- /* ... store random password under the $key */ -}}
{{- $_ := set .Release.tmp_vars_mariadb $key (randAlphaNum 20) -}}
{{- end -}}
{{- /* Retrieve previously generated value. */ -}}
{{- index .Release.tmp_vars_mariadb $key -}}
{{- end -}}

{{/*
Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
*/}}
{{- define "random_mariadb_pw_reusable" -}}
{{- if .Release.IsUpgrade -}}
{{- $data := default dict (lookup "v1" "Secret" .Release.Namespace .Values.mariadb.name).data -}}
{{- if $data -}}
{{- index $data .Values.mariadb.random_pw_secret_key | b64dec -}}
{{- end -}}
{{- else -}}
{{- if and (required "You must pass .Values.mariadb.name (the name of a secret to retrieve password from on upgrade)" .Values.mariadb.name) (required "You must pass .Values.mariadb.random_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.mariadb.random_pw_secret_key) -}}
{{- (include "generate_static_mariadb_password" .) -}}
{{- end -}}
{{- end -}}
{{- end -}}

## MARIADB ROOT PASSWORD
{{/*
Define a function that generate static mariadb root password
*/}}
{{- define "generate_static_mariadb_root_password" -}}
{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
{{- if not (index .Release "tmp_vars_mariadb_root") -}}
{{- $_ := set .Release "tmp_vars_mariadb_root" dict -}}
{{- end -}}
{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
{{- $key := printf "%s_%s" .Release.Name "mariadb_root_password" -}}
{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
{{- if not (index .Release.tmp_vars_mariadb_root $key) -}}
{{- /* ... store random password under the $key */ -}}
{{- $_ := set .Release.tmp_vars_mariadb_root $key (randAlphaNum 20) -}}
{{- end -}}
{{- /* Retrieve previously generated value. */ -}}
{{- index .Release.tmp_vars_mariadb_root $key -}}
{{- end -}}

{{/*
Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
*/}}
{{- define "random_mariadb_root_pw_reusable" -}}
{{- if .Release.IsUpgrade -}}
{{- $data := default dict (lookup "v1" "Secret" .Release.Namespace .Values.mariadb.name).data -}}
{{- if $data -}}
{{- index $data .Values.mariadb.random_root_pw_secret_key | b64dec -}}
{{- end -}}
{{- else -}}
{{- if and (required "You must pass .Values.mariadb.name (the name of a secret to retrieve password from on upgrade)" .Values.mariadb.name) (required "You must pass .Values.mariadb.random_root_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.mariadb.random_root_pw_secret_key) -}}
{{- (include "generate_static_mariadb_root_password" .) -}}
{{- end -}}
{{- end -}}
{{- end -}}

## MATOMO PASSWORD
{{/*
Define a function that generate static matomo password
*/}}
{{- define "generate_static_matomo_password" -}}
{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
{{- if not (index .Release "tmp_vars_matomo") -}}
{{- $_ := set .Release "tmp_vars_matomo" dict -}}
{{- end -}}
{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
{{- $key := printf "%s_%s" .Release.Name "matomo_password" -}}
{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
{{- if not (index .Release.tmp_vars_matomo $key) -}}
{{- /* ... store random password under the $key */ -}}
{{- $_ := set .Release.tmp_vars_matomo $key (randAlphaNum 20) -}}
{{- end -}}
{{- /* Retrieve previously generated value. */ -}}
{{- index .Release.tmp_vars_matomo $key -}}
{{- end -}}

{{/*
Generate matomo password
Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
*/}}
{{- define "matomo.userPassword" -}}
matomo-password: {{ randAlphaNum 16 | quote }}
{{- end }}
{{- define "random_matomo_pw_reusable" -}}
{{- if .Release.IsUpgrade -}}
{{- $data := default dict (lookup "v1" "Secret" .Release.Namespace .Values.matomo.name).data -}}
{{- if $data -}}
{{- index $data .Values.matomo.random_pw_secret_key | b64dec -}}
{{- end -}}
{{- else -}}
{{- if and (required "You must pass .Values.matomo.name (the name of a secret to retrieve password from on upgrade)" .Values.matomo.name) (required "You must pass .Values.matomo.random_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.matomo.random_pw_secret_key) -}}
{{- (include "generate_static_matomo_password" .) -}}
{{- end -}}
{{- end -}}
{{- end -}}
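Review bot: All three `random_*_pw_reusable` helpers have the same gap as the hedgedoc one: on `.Release.IsUpgrade` with an empty `lookup` result the `{{- if $data -}}` branch renders nothing and the Secret gets an empty password, so each needs an `{{- else -}}` falling through to its `generate_static_*` helper (or a `required` that fails the render). Two smaller points: the root password shrinks from the removed `database-root-password: {{ randAlphaNum 32 | quote }}` to `randAlphaNum 20`, which looks unintentional and should keep the 32-character length; and the three `generate_static_*` blocks differ only in the dict name and key suffix, so a single helper taking the key as a parameter (`include "generate_static_password" (dict "ctx" . "key" "mariadb_root_password")`) would remove the triplicated logic and the stale `Create "tmp_vars" dict` comments that still name the old dict. The `## MARIADB PASSWORD` style headings sit outside `{{/* */}}` comments; a `_`-prefixed file is not rendered as a manifest so they are harmless, but moving them inside the template comments keeps the file consistent.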
20 changes: 12 additions & 8 deletions charts/matomo/templates/secrets.yaml
Expand Up @@ -7,17 +7,21 @@ metadata:
template.openshift.io/expose-root_password: '{.data[''database-root-password'']}'
template.openshift.io/expose-username: '{.data[''database-user'']}'
name: {{ .Values.mariadb.name }}
stringData:
database-name: {{ .Values.mariadb.secret.databaseName }}
database-user: {{ .Values.mariadb.secret.databaseUser }}
{{- include "matomo.mariadbPasswords" . | nindent 2 }}
{{- if .Values.mariadb.secret }}
data:
{{- range $key, $val := .Values.mariadb.secret }}
"{{ $key }}": "{{ tpl $val $ | b64enc }}"
{{- end }}
{{- end }}

---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.matomo.name }}
stringData:
matomo-username: {{ .Values.matomo.secret.matomoUser }}
{{- include "matomo.userPassword" . | nindent 2 }}
type: Opaque
{{- if .Values.matomo.secret }}
data:
{{- range $key, $val := .Values.matomo.secret }}
"{{ $key }}": "{{ tpl $val $ | b64enc }}"
{{- end }}
{{- end }}
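Review bot: `type: Opaque` appears to be removed from the matomo Secret here (the hunk counts 8 deletions but only 7 `stringData`/`include` lines are replaced, and `type: Opaque` sits in the removed group with no replacement after the new `data:` block), while the mariadb Secret above keeps its type. Kubernetes defaults an unspecified type to `Opaque`, so nothing breaks, but keep the line for consistency and so the intent is explicit. The same `tpl $val $ | b64enc` caveat as in the hedgedoc chart applies: every value under `mariadb.secret` and `matomo.secret`, including `database-name` and `matomo-username`, is now template-evaluated.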
12 changes: 9 additions & 3 deletions charts/matomo/values.yaml
Expand Up @@ -10,9 +10,13 @@ mariadb:
pvc:
storageSize: 5Gi
storageClassName: standard-csi
random_pw_secret_key: database-password
random_root_pw_secret_key: database-root-password
secret:
databaseName: matomodb
databaseUser: matomouser
database-name: matomodb
database-user: matomouser
database-password: '{{- include "random_mariadb_pw_reusable" . -}}'
database-root-password: '{{- include "random_mariadb_root_pw_reusable" . -}}'
livenessProbe:
enabled: true
initialDelaySeconds: 30
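Review bot: `databaseName` and `databaseUser` are renamed to `database-name` and `database-user` without a compatibility path; a custom values file that still sets the camelCase keys will be ignored and the Secret will be rendered with only the generated passwords. Consider reading the old keys as a fallback for one release, or at least documenting the rename in the README and the version bump. As with the hedgedoc chart, `random_pw_secret_key` / `random_root_pw_secret_key` must match the `database-password` / `database-root-password` keys under `secret:`, otherwise the upgrade lookup in `_helpers.tpl` finds nothing.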
Expand All @@ -34,5 +38,7 @@ matomo:
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
random_pw_secret_key: matomo-password
secret:
matomoUser: matomouser
matomo-username: matomouser
matomo-password: '{{- include "random_matomo_pw_reusable" . -}}'
2 changes: 1 addition & 1 deletion charts/minio/Chart.yaml
Expand Up @@ -2,6 +2,6 @@ apiVersion: v2
name: minio-helm
description: Minio Helm Chart for Rahti platform
Link to the repo https://github.com/CSCfi/helm-charts
version: 1.0.0
version: 1.1.0
sources:
- https://github.com/CSCfi/helm-charts
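Review bot: The minio chart version is bumped to `1.1.0`, but no change to `charts/minio/templates` or `charts/minio/values.yaml` appears in the diff shown here. If the minio chart is getting the same `lookup`-based password helper, those files should be part of this PR; if not, the version bump should be dropped so the published chart version only moves when its content does.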