Posted to commits@couchdb.apache.org by wi...@apache.org on 2020/06/27 09:00:10 UTC
[couchdb-helm] 34/43: Prehashed pw (#26)
This is an automated email from the ASF dual-hosted git repository.
willholley pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/couchdb-helm.git
commit bb174048094a498604cdcc35e95cf6a046f0b0d5
Author: Will Holley <wi...@apache.org>
AuthorDate: Fri May 22 14:21:34 2020 +0100
Prehashed pw (#26)
* Use Chart Testing v3
* Allow setting of consistent admin password hash
Co-authored-by: Arne Diekmann <ar...@neoskop.de>
---
couchdb/Chart.yaml | 2 +-
couchdb/README.md | 18 ++++++++++++++++++
couchdb/password.ini | 2 ++
couchdb/templates/secrets.yaml | 3 +++
couchdb/templates/statefulset.yaml | 24 ++++++++++++++++++++++++
couchdb/values.yaml | 12 +++++++-----
docs/couchdb-3.3.0.tgz | Bin 0 -> 9496 bytes
docs/index.yaml | 25 ++++++++++++++++++++++++-
test/ct.yaml | 2 +-
test/e2e-kind.sh | 33 ++++++---------------------------
10 files changed, 86 insertions(+), 35 deletions(-)
diff --git a/couchdb/Chart.yaml b/couchdb/Chart.yaml
index f253fd9..63e5571 100644
--- a/couchdb/Chart.yaml
+++ b/couchdb/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: couchdb
-version: 3.2.0
+version: 3.3.0
appVersion: 2.3.1
description: A database featuring seamless multi-master sync, that scales from
big data to mobile, with an intuitive HTTP/JSON API and designed for
diff --git a/couchdb/README.md b/couchdb/README.md
index b67e77e..ca3716b 100644
--- a/couchdb/README.md
+++ b/couchdb/README.md
@@ -59,6 +59,23 @@ Secret containing `adminUsername`, `adminPassword` and `cookieAuthSecret` keys:
$ kubectl create secret generic my-release-couchdb --from-literal=adminUsername=foo --from-literal=adminPassword=bar --from-literal=cookieAuthSecret=baz
```
+If you want to set the `adminHash` directly to achieve consistent salts between
+different nodes you need to addionally add the key `password.ini` to the secret:
+
+```bash
+$ kubectl create secret generic my-release-couchdb \
+ --from-literal=adminUsername=foo \
+ --from-literal=cookieAuthSecret=baz \
+ --from-file=./my-password.ini
+```
+
+With the following contents in `my-password.ini`:
+
+```
+[admins]
+foo = <pbkdf2-hash>
+```
+
and then install the chart while overriding the `createAdminSecret` setting:
```bash
@@ -148,6 +165,7 @@ A variety of other parameters are also configurable. See the comments in the
|--------------------------------------|----------------------------------------|
| `adminUsername` | admin |
| `adminPassword` | auto-generated |
+| `adminHash` | |
| `cookieAuthSecret` | auto-generated |
| `image.repository` | couchdb |
| `image.tag` | 2.3.1 |
diff --git a/couchdb/password.ini b/couchdb/password.ini
new file mode 100644
index 0000000..4ce8445
--- /dev/null
+++ b/couchdb/password.ini
@@ -0,0 +1,2 @@
+[admins]
+{{ .Values.adminUsername }} = {{ .Values.adminHash }}
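Review bot: The template writes `.Values.adminHash` into the `[admins]` section verbatim, so a value that is not already a `-pbkdf2-` hash (for instance a plaintext password put into `adminHash` by mistake) lands in the rendered `password.ini` without warning, which defeats the consistent-salt goal this file exists for. A guard at the top of the file, `{{- if not (hasPrefix "-pbkdf2-" .Values.adminHash) }}{{ fail "adminHash must be a pre-computed -pbkdf2- hash" }}{{- end }}`, would turn that into a render-time error. Since `templates/secrets.yaml` only reads this file when `adminHash` is set, the check cannot fire for the default values.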
diff --git a/couchdb/templates/secrets.yaml b/couchdb/templates/secrets.yaml
index 06513bb..92f55c6 100644
--- a/couchdb/templates/secrets.yaml
+++ b/couchdb/templates/secrets.yaml
@@ -13,4 +13,7 @@ data:
adminUsername: {{ template "couchdb.defaultsecret" .Values.adminUsername }}
adminPassword: {{ template "couchdb.defaultsecret" .Values.adminPassword }}
cookieAuthSecret: {{ template "couchdb.defaultsecret" .Values.cookieAuthSecret }}
+{{- if .Values.adminHash }}
+ password.ini: {{ tpl (.Files.Get "password.ini") . | b64enc }}
+{{- end -}}
{{- end -}}
diff --git a/couchdb/templates/statefulset.yaml b/couchdb/templates/statefulset.yaml
index 2f3d54d..c631dfa 100644
--- a/couchdb/templates/statefulset.yaml
+++ b/couchdb/templates/statefulset.yaml
@@ -39,6 +39,18 @@ spec:
mountPath: /tmp/
- name: config-storage
mountPath: /default.d
+{{- if .Values.adminHash }}
+ - name: admin-hash-copy
+ image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
+ imagePullPolicy: {{ .Values.initImage.pullPolicy }}
+ command: ['sh','-c','cp /tmp/password.ini /local.d/ ;']
+ volumeMounts:
+ - name: admin-password
+ mountPath: /tmp/password.ini
+ subPath: "password.ini"
+ - name: local-config-storage
+ mountPath: /local.d
+{{- end }}
containers:
- name: couchdb
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
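Review bot: The `admin-hash-copy` init container wraps a single `cp` in `sh -c` (with a stray trailing `;`), which requires a shell in `initImage` and adds a string-parsed command line for no benefit; `command: ['cp', '/tmp/password.ini', '/local.d/password.ini']` does the same without the shell. The reason for copying into an emptyDir rather than mounting the secret into `local.d` directly is not stated; a comment such as `# copied into an emptyDir rather than mounted read-only — NOTE(review): presumably so CouchDB can write to local.d, confirm` would help the next maintainer. The mount in the next hunk places `local-config-storage` over `/opt/couchdb/etc/local.d`, so whatever the image ships or writes there at startup is combined with `password.ini` at runtime; which file wins depends on CouchDB's load order and is worth confirming against the image's entrypoint.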
@@ -112,6 +124,10 @@ spec:
volumeMounts:
- name: config-storage
mountPath: /opt/couchdb/etc/default.d
+{{- if .Values.adminHash }}
+ - name: local-config-storage
+ mountPath: /opt/couchdb/etc/local.d
+{{- end }}
- name: database-storage
mountPath: /opt/couchdb/data
{{- if .Values.enableSearch }}
@@ -149,6 +165,14 @@ spec:
- key: seedlistinifile
path: seedlist.ini
+{{- if .Values.adminHash }}
+ - name: local-config-storage
+ emptyDir: {}
+ - name: admin-password
+ secret:
+ secretName: {{ template "couchdb.fullname" . }}
+{{- end -}}
+
{{- if not .Values.persistentVolume.enabled }}
- name: database-storage
emptyDir: {}
diff --git a/couchdb/values.yaml b/couchdb/values.yaml
index bc1b9c6..bc74922 100644
--- a/couchdb/values.yaml
+++ b/couchdb/values.yaml
@@ -13,9 +13,10 @@ allowAdminParty: false
## be created containing auto-generated credentials. Users who prefer to set
## these values themselves have a couple of options:
##
-## 1) The `adminUsername`, `adminPassword`, and `cookieAuthSecret` can be
-## defined directly in the chart's values. Note that all of a chart's values
-## are currently stored in plaintext in a ConfigMap in the tiller namespace.
+## 1) The `adminUsername`, `adminPassword`, `adminHash`, and `cookieAuthSecret`
+## can be defined directly in the chart's values. Note that all of a chart's
+## values are currently stored in plaintext in a ConfigMap in the tiller
+## namespace.
##
## 2) This flag can be disabled and a Secret with the required keys can be
## created ahead of time.
@@ -23,6 +24,7 @@ createAdminSecret: true
adminUsername: admin
# adminPassword: this_is_not_secure
+# adminHash: -pbkdf2-this_is_not_necessarily_secure_either
# cookieAuthSecret: neither_is_this
## When enabled, will deploy a networkpolicy that allows CouchDB pods to
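Review bot: The commented `adminHash` example is the only documentation of the new value in this file, and it says neither what the value is nor how it relates to `adminPassword`, which the comment block in the previous hunk now lists alongside it as if they were independent settings. A comment such as `# adminHash: a pre-computed "-pbkdf2-..." [admins] entry; set this when every node must end up with the same salt` would make the intent clear, and the example could show the `-pbkdf2-<hash>,<salt>,<iterations>` shape CouchDB emits instead of a free-text placeholder. If the container still receives `adminPassword` through the environment (outside this diff), which of the two takes effect depends on CouchDB's config precedence and should be stated here.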
@@ -129,7 +131,8 @@ ingress:
## Optional resource requests and limits for the CouchDB container
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
-resources: {}
+resources:
+ {}
# requests:
# cpu: 100m
# memory: 128Mi
@@ -160,7 +163,6 @@ couchdbConfig:
# 5984 when is set to true.
require_valid_user: false
-
# Kubernetes local cluster domain.
# This is used to generate FQDNs for peers when joining the CouchDB cluster.
dns:
diff --git a/docs/couchdb-3.3.0.tgz b/docs/couchdb-3.3.0.tgz
new file mode 100644
index 0000000..90ca60e
Binary files /dev/null and b/docs/couchdb-3.3.0.tgz differ
diff --git a/docs/index.yaml b/docs/index.yaml
index 01fb9a1..94d1bec 100644
--- a/docs/index.yaml
+++ b/docs/index.yaml
@@ -3,6 +3,29 @@ entries:
couchdb:
- apiVersion: v1
appVersion: 2.3.1
+ created: "2020-05-22T13:16:19.793936+01:00"
+ description: A database featuring seamless multi-master sync, that scales from
+ big data to mobile, with an intuitive HTTP/JSON API and designed for reliability.
+ digest: 0d2613f898fd6f6d86e396e2f64f21e85d3d07889fe3fcc76e03cdb741ecce74
+ home: https://couchdb.apache.org/
+ icon: http://couchdb.apache.org/CouchDB-visual-identity/logo/CouchDB-couch-symbol.svg
+ keywords:
+ - couchdb
+ - database
+ - nosql
+ maintainers:
+ - email: kocolosk@apache.org
+ name: kocolosk
+ - email: willholley@apache.org
+ name: willholley
+ name: couchdb
+ sources:
+ - https://github.com/apache/couchdb-docker
+ urls:
+ - https://apache.github.io/couchdb-helm/couchdb-3.3.0.tgz
+ version: 3.3.0
+ - apiVersion: v1
+ appVersion: 2.3.1
created: "2020-02-24T14:28:33.088976214+01:00"
description: A database featuring seamless multi-master sync, that scales from
big data to mobile, with an intuitive HTTP/JSON API and designed for reliability.
@@ -162,4 +185,4 @@ entries:
urls:
- https://apache.github.io/couchdb-helm/couchdb-2.2.0.tgz
version: 2.2.0
-generated: "2020-02-24T14:28:33.083464834+01:00"
+generated: "2020-05-22T13:16:19.792815+01:00"
diff --git a/test/ct.yaml b/test/ct.yaml
index d40aa57..1ba45a4 100644
--- a/test/ct.yaml
+++ b/test/ct.yaml
@@ -1 +1 @@
-helm-extra-args: --timeout 800
+helm-extra-args: --timeout 800s
diff --git a/test/e2e-kind.sh b/test/e2e-kind.sh
index 4cb57b4..6fe31c2 100755
--- a/test/e2e-kind.sh
+++ b/test/e2e-kind.sh
@@ -4,10 +4,10 @@ set -o errexit
set -o nounset
set -o pipefail
-readonly CT_VERSION=v2.3.3
-readonly KIND_VERSION=v0.5.1
+readonly CT_VERSION=v3.0.0-rc.1
+readonly KIND_VERSION=v0.7.0
readonly CLUSTER_NAME=chart-testing
-readonly K8S_VERSION=v1.14.3
+readonly K8S_VERSION=v1.17.0
run_ct_container() {
echo 'Running ct container...'
@@ -45,9 +45,10 @@ create_kind_cluster() {
docker_exec mkdir -p /root/.kube
echo 'Copying kubeconfig to container...'
- local kubeconfig
- kubeconfig="$(kind get kubeconfig-path --name "$CLUSTER_NAME")"
+ local kubeconfig=$(mktemp)
+ kind get kubeconfig --name "$CLUSTER_NAME" >"$kubeconfig"
docker cp "$kubeconfig" ct:/root/.kube/config
+ rm "$kubeconfig"
docker_exec kubectl cluster-info
echo
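Review bot: `local kubeconfig=$(mktemp)` masks a failing `mktemp`: `local` returns 0 regardless of the substitution's status, so `set -o errexit` does not see the failure; splitting it into `local kubeconfig` and `kubeconfig=$(mktemp)` keeps the exit status visible. The temp file presumably holds the kind cluster's client credentials, and `rm "$kubeconfig"` runs only when `docker cp` succeeds, so on any earlier failure the file is left on the host; removing it from the existing `cleanup` trap, or using `rm -f -- "$kubeconfig"` on every exit path, would close that. `create_kind_cluster` starts and ends outside this hunk.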
@@ -59,26 +60,6 @@ create_kind_cluster() {
echo
}
-install_tiller() {
- echo 'Installing Tiller...'
- docker_exec kubectl --namespace kube-system create sa tiller
- docker_exec kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
- docker_exec helm init --service-account tiller --upgrade --wait
- echo
-}
-
-install_local-path-provisioner() {
- # kind doesn't support Dynamic PVC provisioning yet, this is one ways to get it working
- # https://github.com/rancher/local-path-provisioner
-
- # Remove default storage class. It will be recreated by local-path-provisioner
- docker_exec kubectl delete storageclass standard
-
- echo 'Installing local-path-provisioner...'
- docker_exec kubectl apply -f test/local-path-provisioner.yaml
- echo
-}
-
install_charts() {
docker_exec ct lint-and-install --charts couchdb --upgrade --chart-dirs .
echo
@@ -89,8 +70,6 @@ main() {
trap cleanup EXIT
create_kind_cluster
- install_local-path-provisioner
- install_tiller
install_charts
}