Posted to commits@couchdb.apache.org by wi...@apache.org on 2023/01/09 16:30:00 UTC
[couchdb-helm] branch main updated: Simplify admin hash in the secret (#106)
This is an automated email from the ASF dual-hosted git repository.
willholley pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/couchdb-helm.git
The following commit(s) were added to refs/heads/main by this push:
new 3d244ba Simplify admin hash in the secret (#106)
3d244ba is described below
commit 3d244baadaf5962cafe698a05a4faf772c93d03d
Author: rileyai-dev <de...@riley.ai>
AuthorDate: Mon Jan 9 11:29:54 2023 -0500
Simplify admin hash in the secret (#106)
Replaces the `password.ini` field in the internal secret resource with a field `adminHash`. This simplifies the management of the admin hash but breaks compatibility with the previous `password.ini` if `createAdminSecret` is set to `false`, hence the major version bump.
---
couchdb/Chart.yaml | 2 +-
couchdb/NEWS.md | 4 ++
couchdb/README.md | 143 ++++++++++++++++++-------------------
couchdb/README.md.gotmpl | 134 +++++++++++++++++-----------------
couchdb/password.ini | 2 -
couchdb/templates/secrets.yaml | 2 +-
couchdb/templates/statefulset.yaml | 19 +++--
7 files changed, 156 insertions(+), 150 deletions(-)
diff --git a/couchdb/Chart.yaml b/couchdb/Chart.yaml
index 83b594d..2dfde9a 100644
--- a/couchdb/Chart.yaml
+++ b/couchdb/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: couchdb
-version: 3.6.4
+version: 4.0.0
appVersion: 3.2.1
description: A database featuring seamless multi-master sync, that scales from
big data to mobile, with an intuitive HTTP/JSON API and designed for
diff --git a/couchdb/NEWS.md b/couchdb/NEWS.md
index 693bd1c..1aefac1 100644
--- a/couchdb/NEWS.md
+++ b/couchdb/NEWS.md
@@ -1,5 +1,9 @@
# NEWS
+## 4.0.0
+
+- Simplified the `adminHash` in the secret
+
# 3.6.4
- Add `service.labels` value to pass along labels to the client-facing service
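Review bot: the added `## 4.0.0` heading uses a different level from the existing `# 3.6.4` heading right below it, so the two releases will not render as siblings; pick one level for all release headings. The entry text "Simplified the `adminHash` in the secret" also does not say that this is a breaking change for a self-managed secret that still carries the `password.ini` key, which is the reason for the major bump given in the commit message.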
diff --git a/couchdb/README.md b/couchdb/README.md
index 2ece127..5b6c8b0 100644
--- a/couchdb/README.md
+++ b/couchdb/README.md
@@ -1,6 +1,6 @@
# CouchDB
-![Version: 3.6.4](https://img.shields.io/badge/Version-3.6.4-informational?style=flat-square) ![AppVersion: 3.2.1](https://img.shields.io/badge/AppVersion-3.2.1-informational?style=flat-square)
+![Version: 4.0.0](https://img.shields.io/badge/Version-4.0.0-informational?style=flat-square) ![AppVersion: 3.2.1](https://img.shields.io/badge/AppVersion-3.2.1-informational?style=flat-square)
Apache CouchDB is a database featuring seamless multi-master sync, that scales
from big data to mobile, with an intuitive HTTP/JSON API and designed for
@@ -18,7 +18,7 @@ storage volumes to each Pod in the Deployment.
```bash
$ helm repo add couchdb https://apache.github.io/couchdb-helm
$ helm install couchdb/couchdb \
- --version=3.6.4 \
+ --version=4.0.0 \
--set allowAdminParty=true \
--set couchdbConfig.couchdb.uuid=$(curl https://www.uuidgenerator.net/api/version4 2>/dev/null | tr -d -)
```
@@ -44,7 +44,7 @@ Afterwards install the chart replacing the UUID
```bash
$ helm install \
--name my-release \
- --version=3.6.4 \
+ --version=4.0.0 \
--set couchdbConfig.couchdb.uuid=decafbaddecafbaddecafbaddecafbad \
couchdb/couchdb
```
@@ -64,20 +64,13 @@ $ kubectl create secret generic my-release-couchdb --from-literal=adminUsername
```
If you want to set the `adminHash` directly to achieve consistent salts between
-different nodes you need to addionally add the key `password.ini` to the secret:
+different nodes you need to add it to the secret:
```bash
$ kubectl create secret generic my-release-couchdb \
--from-literal=adminUsername=foo \
--from-literal=cookieAuthSecret=baz \
- --from-file=./my-password.ini
-```
-
-With the following contents in `my-password.ini`:
-
-```
-[admins]
-foo = <pbkdf2-hash>
+ --from-literal=adminHash=-pbkdf2-d4b887da....
```
and then install the chart while overriding the `createAdminSecret` setting:
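Review bot: in the added line `--from-literal=adminHash=-pbkdf2-d4b887da....` the trailing `....` reads as part of the literal value rather than as an elision. The removed text used the placeholder `<pbkdf2-hash>`; keeping a placeholder of that style, and saying that the key holds the complete hash string and nothing else, would make the example harder to misread.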
@@ -85,7 +78,7 @@ and then install the chart while overriding the `createAdminSecret` setting:
```bash
$ helm install \
--name my-release \
- --version=3.6.4 \
+ --version=4.0.0 \
--set createAdminSecret=false \
--set couchdbConfig.couchdb.uuid=decafbaddecafbaddecafbaddecafbad \
couchdb/couchdb
@@ -116,7 +109,7 @@ incompatible breaking change needing manual actions.
### Upgrade to 3.0.0
Since version 3.0.0 setting the CouchDB server instance UUID is mandatory.
-Therefore you need to generate a UUID and supply it as a value during the
+Therefore, you need to generate a UUID and supply it as a value during the
upgrade as follows:
```bash
@@ -127,6 +120,12 @@ $ helm upgrade <release-name> \
couchdb/couchdb
```
+### Upgrade to 4.0.0
+
+Breaking change between v3 and v4 is the `adminHash` in the secret that no longer uses
+the `password.ini`. It stores the `adminHash` only instead, make sure to change it if you
+use your own secret.
+
## Migrating from stable/couchdb
This chart replaces the `stable/couchdb` chart previously hosted by Helm and continues the
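Review bot: the new `Upgrade to 4.0.0` section tells users to "make sure to change it" but does not show the change. For installs with `createAdminSecret=false`, spell out the step: the secret needs an `adminHash` key holding only the hash, in place of the old `password.ini` key. The second sentence is also a comma splice ("It stores the `adminHash` only instead, make sure to change it ...") and should be split in two.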
@@ -134,7 +133,7 @@ version semantics. You can upgrade directly from `stable/couchdb` to this chart
```bash
$ helm repo add couchdb https://apache.github.io/couchdb-helm
-$ helm upgrade my-release --version=3.6.4 couchdb/couchdb
+$ helm upgrade my-release --version=4.0.0 couchdb/couchdb
```
## Configuration
@@ -165,63 +164,63 @@ required options to set:
A variety of other parameters are also configurable. See the comments in the
`values.yaml` file for further details:
-| Parameter | Default |
-|--------------------------------------|----------------------------------------|
-| `adminUsername` | admin |
-| `adminPassword` | auto-generated |
-| `adminHash` | |
-| `cookieAuthSecret` | auto-generated |
-| `image.repository` | couchdb |
-| `image.tag` | 3.2.1 |
-| `image.pullPolicy` | IfNotPresent |
-| `searchImage.repository` | kocolosk/couchdb-search |
-| `searchImage.tag` | 0.1.0 |
-| `searchImage.pullPolicy` | IfNotPresent |
-| `initImage.repository` | busybox |
-| `initImage.tag` | latest |
-| `initImage.pullPolicy` | Always |
-| `ingress.enabled` | false |
-| `ingress.hosts` | chart-example.local |
-| `ingress.annotations` | |
-| `ingress.path` | / |
-| `ingress.tls` | |
-| `persistentVolume.accessModes` | ReadWriteOnce |
-| `persistentVolume.storageClass` | Default for the Kube cluster |
-| `persistentVolume.annotations` | {} |
-| `podManagementPolicy` | Parallel |
-| `affinity` | |
-| `topologySpreadConstraints` | |
-| `annotations` | |
-| `tolerations` | |
-| `resources` | |
-| `service.annotations` | |
-| `service.enabled` | true |
-| `service.type` | ClusterIP |
-| `service.externalPort` | 5984 |
-| `dns.clusterDomainSuffix` | cluster.local |
-| `networkPolicy.enabled` | true |
-| `serviceAccount.enabled` | true |
-| `serviceAccount.create` | true |
-| `serviceAccount.imagePullSecrets` | |
-| `sidecars` | {} |
-| `livenessProbe.enabled` | true |
-| `livenessProbe.failureThreshold` | 3 |
-| `livenessProbe.initialDelaySeconds` | 0 |
-| `livenessProbe.periodSeconds` | 10 |
-| `livenessProbe.successThreshold` | 1 |
-| `livenessProbe.timeoutSeconds` | 1 |
-| `readinessProbe.enabled` | true |
-| `readinessProbe.failureThreshold` | 3 |
-| `readinessProbe.initialDelaySeconds` | 0 |
-| `readinessProbe.periodSeconds` | 10 |
-| `readinessProbe.successThreshold` | 1 |
-| `readinessProbe.timeoutSeconds` | 1 |
-| `prometheusPort.enabled` | false |
-| `prometheusPort.port` | 17896 |
-| `prometheusPort.bind_address` | 0.0.0.0 |
-| `placementConfig.enabled` | false |
-| `placementConfig.image.repository` | caligrafix/couchdb-autoscaler-placement-manager|
-| `placementConfig.image.tag` | 0.1.0 |
+| Parameter | Default |
+|--------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `adminUsername` | admin |
+| `adminPassword` | auto-generated |
+| `adminHash` | |
+| `cookieAuthSecret` | auto-generated |
+| `image.repository` | couchdb |
+| `image.tag` | 3.2.1 |
+| `image.pullPolicy` | IfNotPresent |
+| `searchImage.repository` | kocolosk/couchdb-search |
+| `searchImage.tag` | 0.1.0 |
+| `searchImage.pullPolicy` | IfNotPresent |
+| `initImage.repository` | busybox |
+| `initImage.tag` | latest |
+| `initImage.pullPolicy` | Always |
+| `ingress.enabled` | false |
+| `ingress.hosts` | chart-example.local |
+| `ingress.annotations` | |
+| `ingress.path` | / |
+| `ingress.tls` | |
+| `persistentVolume.accessModes` | ReadWriteOnce |
+| `persistentVolume.storageClass` | Default for the Kube cluster |
+| `persistentVolume.annotations` | {} |
+| `podManagementPolicy` | Parallel |
+| `affinity` | |
+| `topologySpreadConstraints` | |
+| `annotations` | |
+| `tolerations` | |
+| `resources` | |
+| `service.annotations` | |
+| `service.enabled` | true |
+| `service.type` | ClusterIP |
+| `service.externalPort` | 5984 |
+| `dns.clusterDomainSuffix` | cluster.local |
+| `networkPolicy.enabled` | true |
+| `serviceAccount.enabled` | true |
+| `serviceAccount.create` | true |
+| `serviceAccount.imagePullSecrets` | |
+| `sidecars` | {} |
+| `livenessProbe.enabled` | true |
+| `livenessProbe.failureThreshold` | 3 |
+| `livenessProbe.initialDelaySeconds` | 0 |
+| `livenessProbe.periodSeconds` | 10 |
+| `livenessProbe.successThreshold` | 1 |
+| `livenessProbe.timeoutSeconds` | 1 |
+| `readinessProbe.enabled` | true |
+| `readinessProbe.failureThreshold` | 3 |
+| `readinessProbe.initialDelaySeconds` | 0 |
+| `readinessProbe.periodSeconds` | 10 |
+| `readinessProbe.successThreshold` | 1 |
+| `readinessProbe.timeoutSeconds` | 1 |
+| `prometheusPort.enabled` | false |
+| `prometheusPort.port` | 17896 |
+| `prometheusPort.bind_address` | 0.0.0.0 |
+| `placementConfig.enabled` | false |
+| `placementConfig.image.repository` | caligrafix/couchdb-autoscaler-placement-manager |
+| `placementConfig.image.tag` | 0.1.0 |
## Feedback, Issues, Contributing
diff --git a/couchdb/README.md.gotmpl b/couchdb/README.md.gotmpl
index d1e154f..28d8761 100644
--- a/couchdb/README.md.gotmpl
+++ b/couchdb/README.md.gotmpl
@@ -63,21 +63,14 @@ Secret containing `adminUsername`, `adminPassword` and `cookieAuthSecret` keys:
$ kubectl create secret generic my-release-couchdb --from-literal=adminUsername=foo --from-literal=adminPassword=bar --from-literal=cookieAuthSecret=baz
```
-If you want to set the `adminHash` directly to achieve consistent salts between
-different nodes you need to addionally add the key `password.ini` to the secret:
+If you want to set the `adminHash` directly to achieve consistent salts between
+different nodes you need to add it to the secret:
```bash
$ kubectl create secret generic my-release-couchdb \
--from-literal=adminUsername=foo \
--from-literal=cookieAuthSecret=baz \
- --from-file=./my-password.ini
-```
-
-With the following contents in `my-password.ini`:
-
-```
-[admins]
-foo = <pbkdf2-hash>
+ --from-literal=adminHash=-pbkdf2-d4b887da....
```
and then install the chart while overriding the `createAdminSecret` setting:
@@ -121,12 +114,18 @@ upgrade as follows:
```bash
$ helm upgrade <release-name> \
- --version={{ template "chart.version" . }} \
+ --version=3.6.4 \
--reuse-values \
--set couchdbConfig.couchdb.uuid=<UUID> \
couchdb/couchdb
```
+### Upgrade to 4.0.0
+
+Breaking change between v3 and v4 is the `adminHash` in the secret that no longer uses
+the `password.ini`. It stores the `adminHash` only instead, make sure to change it if you
+use your own secret.
+
## Migrating from stable/couchdb
This chart replaces the `stable/couchdb` chart previously hosted by Helm and continues the
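Review bot: in the `helm upgrade` block, `--version={{ template "chart.version" . }}` is replaced by the literal `--version=3.6.4`, which is unrelated to the change described in the commit message. If the aim is to pin the 3.0.0 upgrade instructions to the last 3.x release, say so in the surrounding text; otherwise keep the template expression so the generated README does not carry a hard-coded version. The added `Upgrade to 4.0.0` section also has the same gap as its README.md copy: it names the breaking change but gives no concrete migration step.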
@@ -157,62 +156,63 @@ required options to set:
A variety of other parameters are also configurable. See the comments in the
`values.yaml` file for further details:
-| Parameter | Default |
-|--------------------------------------|----------------------------------------|
-| `adminUsername` | admin |
-| `adminPassword` | auto-generated |
-| `adminHash` | |
-| `cookieAuthSecret` | auto-generated |
-| `image.repository` | couchdb |
-| `image.tag` | 3.2.1 |
-| `image.pullPolicy` | IfNotPresent |
-| `searchImage.repository` | kocolosk/couchdb-search |
-| `searchImage.tag` | 0.1.0 |
-| `searchImage.pullPolicy` | IfNotPresent |
-| `initImage.repository` | busybox |
-| `initImage.tag` | latest |
-| `initImage.pullPolicy` | Always |
-| `ingress.enabled` | false |
-| `ingress.hosts` | chart-example.local |
-| `ingress.annotations` | |
-| `ingress.path` | / |
-| `ingress.tls` | |
-| `persistentVolume.accessModes` | ReadWriteOnce |
-| `persistentVolume.storageClass` | Default for the Kube cluster |
-| `podManagementPolicy` | Parallel |
-| `affinity` | |
-| `topologySpreadConstraints` | |
-| `annotations` | |
-| `tolerations` | |
-| `resources` | |
-| `service.annotations` | |
-| `service.enabled` | true |
-| `service.type` | ClusterIP |
-| `service.externalPort` | 5984 |
-| `dns.clusterDomainSuffix` | cluster.local |
-| `networkPolicy.enabled` | true |
-| `serviceAccount.enabled` | true |
-| `serviceAccount.create` | true |
-| `serviceAccount.imagePullSecrets` | |
-| `sidecars` | {} |
-| `livenessProbe.enabled` | true |
-| `livenessProbe.failureThreshold` | 3 |
-| `livenessProbe.initialDelaySeconds` | 0 |
-| `livenessProbe.periodSeconds` | 10 |
-| `livenessProbe.successThreshold` | 1 |
-| `livenessProbe.timeoutSeconds` | 1 |
-| `readinessProbe.enabled` | true |
-| `readinessProbe.failureThreshold` | 3 |
-| `readinessProbe.initialDelaySeconds` | 0 |
-| `readinessProbe.periodSeconds` | 10 |
-| `readinessProbe.successThreshold` | 1 |
-| `readinessProbe.timeoutSeconds` | 1 |
-| `prometheusPort.enabled` | false |
-| `prometheusPort.port` | 17896 |
-| `prometheusPort.bind_address` | 0.0.0.0 |
-| `placementConfig.enabled` | false |
-| `placementConfig.image.repository` | caligrafix/couchdb-autoscaler-placement-manager|
-| `placementConfig.image.tag` | 0.1.0 |
+| Parameter | Default |
+|--------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `adminUsername` | admin |
+| `adminPassword` | auto-generated |
+| `adminHash` | |
+| `cookieAuthSecret` | auto-generated |
+| `image.repository` | couchdb |
+| `image.tag` | 3.2.1 |
+| `image.pullPolicy` | IfNotPresent |
+| `searchImage.repository` | kocolosk/couchdb-search |
+| `searchImage.tag` | 0.1.0 |
+| `searchImage.pullPolicy` | IfNotPresent |
+| `initImage.repository` | busybox |
+| `initImage.tag` | latest |
+| `initImage.pullPolicy` | Always |
+| `ingress.enabled` | false |
+| `ingress.hosts` | chart-example.local |
+| `ingress.annotations` | |
+| `ingress.path` | / |
+| `ingress.tls` | |
+| `persistentVolume.accessModes` | ReadWriteOnce |
+| `persistentVolume.storageClass` | Default for the Kube cluster |
+| `persistentVolume.annotations` | {} |
+| `podManagementPolicy` | Parallel |
+| `affinity` | |
+| `topologySpreadConstraints` | |
+| `annotations` | |
+| `tolerations` | |
+| `resources` | | |
+| `service.annotations` | |
+| `service.enabled` | true |
+| `service.type` | ClusterIP |
+| `service.externalPort` | 5984 |
+| `dns.clusterDomainSuffix` | cluster.local |
+| `networkPolicy.enabled` | true |
+| `serviceAccount.enabled` | true |
+| `serviceAccount.create` | true |
+| `serviceAccount.imagePullSecrets` | |
+| `sidecars` | {} |
+| `livenessProbe.enabled` | true |
+| `livenessProbe.failureThreshold` | 3 |
+| `livenessProbe.initialDelaySeconds` | 0 |
+| `livenessProbe.periodSeconds` | 10 |
+| `livenessProbe.successThreshold` | 1 |
+| `livenessProbe.timeoutSeconds` | 1 |
+| `readinessProbe.enabled` | true |
+| `readinessProbe.failureThreshold` | 3 |
+| `readinessProbe.initialDelaySeconds` | 0 |
+| `readinessProbe.periodSeconds` | 10 |
+| `readinessProbe.successThreshold` | 1 |
+| `readinessProbe.timeoutSeconds` | 1 |
+| `prometheusPort.enabled` | false |
+| `prometheusPort.port` | 17896 |
+| `prometheusPort.bind_address` | 0.0.0.0 |
+| `placementConfig.enabled` | false |
+| `placementConfig.image.repository` | caligrafix/couchdb-autoscaler-placement-manager |
+| `placementConfig.image.tag` | 0.1.0 |
## Feedback, Issues, Contributing
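Review bot: the added `resources` row has a stray third cell (`| `resources` | | |`), while the same row in the README.md hunk has two; drop the extra `|` so the row matches the two-column header. The separator row is also widened to far more dashes than any value in the table needs, which turns a one-row addition (`persistentVolume.annotations`) into a rewrite of every row and makes the hunk hard to review.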
diff --git a/couchdb/password.ini b/couchdb/password.ini
deleted file mode 100644
index 4ce8445..0000000
--- a/couchdb/password.ini
+++ /dev/null
@@ -1,2 +0,0 @@
-[admins]
-{{ .Values.adminUsername }} = {{ .Values.adminHash }}
diff --git a/couchdb/templates/secrets.yaml b/couchdb/templates/secrets.yaml
index 1028e53..38dace0 100644
--- a/couchdb/templates/secrets.yaml
+++ b/couchdb/templates/secrets.yaml
@@ -16,6 +16,6 @@ data:
erlangCookie: {{ template "couchdb.defaultsecret-stateful" $erlangCookieArgs }}
cookieAuthSecret: {{ template "couchdb.defaultsecret" .Values.cookieAuthSecret }}
{{- if .Values.adminHash }}
- password.ini: {{ tpl (.Files.Get "password.ini") . | b64enc }}
+ adminHash: {{ .Values.adminHash | b64enc | quote }}
{{- end -}}
{{- end -}}
diff --git a/couchdb/templates/statefulset.yaml b/couchdb/templates/statefulset.yaml
index 5dcd487..a71f6bc 100644
--- a/couchdb/templates/statefulset.yaml
+++ b/couchdb/templates/statefulset.yaml
@@ -52,11 +52,19 @@ spec:
- name: admin-hash-copy
image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
imagePullPolicy: {{ .Values.initImage.pullPolicy }}
- command: ['sh','-c','cp /tmp/password.ini /local.d/ ;']
+ env:
+ - name: "ADMINUSERNAME"
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "couchdb.fullname" . }}
+ key: adminUsername
+ - name: "ADMINHASH"
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "couchdb.fullname" . }}
+ key: adminHash
+ command: ['sh','-c','echo -e "[admins]\n$ADMINUSERNAME = $ADMINHASH" > /local.d/password.ini ;']
volumeMounts:
- - name: admin-password
- mountPath: /tmp/password.ini
- subPath: "password.ini"
- name: local-config-storage
mountPath: /local.d
{{- end }}
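Review bot: the new `command` builds `password.ini` with `echo -e "[admins]\n$ADMINUSERNAME = $ADMINHASH"`, which depends on the `sh` in `initImage` supporting `echo -e` and also lets `echo` interpret any backslash sequences inside the two values. Since `initImage.repository` and `initImage.tag` are configurable, `printf '[admins]\n%s = %s\n' "$ADMINUSERNAME" "$ADMINHASH" > /local.d/password.ini` would be portable and would write the values verbatim. Note too that both `secretKeyRef` entries are required, so a pre-existing secret without the `adminHash` key will keep the init container from starting; that deserves a line in the upgrade notes.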
@@ -194,9 +202,6 @@ spec:
{{- if .Values.adminHash }}
- name: local-config-storage
emptyDir: {}
- - name: admin-password
- secret:
- secretName: {{ template "couchdb.fullname" . }}
{{- end -}}
{{- if not .Values.persistentVolume.enabled }}
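Review bot: the `local-config-storage` volume that the init container writes to stays behind `{{- if .Values.adminHash }}`, but the README flow for `createAdminSecret=false` puts `adminHash` only into a user-created secret and its `helm install` example does not set the `adminHash` value. Please document whether the value must still be set for that path, or state in the README which setting turns on the `admin-hash-copy` step.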