summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSchmalzried, Terry (ts862m) <ts862m@att.com>2020-08-21 15:59:22 -0400
committerSchmalzried, Terry (ts862m) <ts862m@att.com>2020-08-27 11:08:13 -0400
commit15b4979453ac9e85dc8e03d30d7ca440179dfc73 (patch)
tree35c61bd7fdfb20120cac7daadc62b75494c4a01a
parent33b1137c1766a57aa1cb7e77e51c0593c776ef56 (diff)
Set Cloudify password3.2.0
Cloudify pod updates for sourcing password from CMPASS environment variable. Issue-ID: DCAEGEN2-1975 Change-Id: I5f297af9ad92389d0901eee463ea175751853838 Signed-off-by: Schmalzried, Terry (ts862m) <ts862m@att.com>
-rw-r--r--cm-container/Dockerfile-template9
-rw-r--r--cm-container/README.md2
-rw-r--r--cm-container/pom.xml2
-rw-r--r--cm-container/reset_admin.py54
-rw-r--r--cm-container/scripts/cloudify-ready.sh24
-rwxr-xr-xcm-container/scripts/dcae-cleanup.sh12
-rwxr-xr-xcm-container/scripts/load-plugins.sh8
-rwxr-xr-xcm-container/scripts/set-admin-password.sh39
-rwxr-xr-xcm-container/scripts/setup-secret.sh1
9 files changed, 134 insertions, 17 deletions
diff --git a/cm-container/Dockerfile-template b/cm-container/Dockerfile-template
index 5e6d846..e79099d 100644
--- a/cm-container/Dockerfile-template
+++ b/cm-container/Dockerfile-template
@@ -13,20 +13,23 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# ============LICENSE_END=========================================================
-FROM cloudifyplatform/community:19.01.24
+FROM cloudifyplatform/community-cloudify-manager-aio:20.03.03
ENV PLUGIN_REPO {{ ONAPTEMPLATE_RAWREPOURL_org_onap_dcaegen2_platform_plugins_releases }}
# Store plugin files locally
RUN mkdir scripts
COPY scripts/* scripts/
+COPY reset_admin.py /opt/manager/
# Load our plugin files
# Setup rc.local to set up k8s credentials for CM
-RUN scripts/get-plugins.sh ${PLUGIN_REPO} \
+RUN chmod +x /opt/manager/reset_admin.py\
&& chmod +x scripts/*.sh\
+ && scripts/get-plugins.sh ${PLUGIN_REPO} \
&& /scripts/configure-tls.sh\
&& echo "/scripts/setup-secret.sh" >> /etc/rc.d/rc.local\
- && echo "/scripts/load-plugins.sh > /load-plugins.log 2>&1" >> /etc/rc.d/rc.local\
+ && echo "/scripts/set-admin-password.sh" >> /etc/rc.d/rc.local\
+ && echo "/scripts/load-plugins.sh >/load-plugins.log 2>&1" >> /etc/rc.d/rc.local\
&& chmod +x /etc/rc.d/rc.local
# Create mount point for CM config file
RUN mkdir -p /opt/onap && chown cfyuser:cfyuser /opt/onap
diff --git a/cm-container/README.md b/cm-container/README.md
index 3e3d45a..03b9634 100644
--- a/cm-container/README.md
+++ b/cm-container/README.md
@@ -58,7 +58,7 @@ The last command in the script is the command from the original Cloudify version
which then brings up the many other processes needed for a working instance of Cloudify Manager.
## The `setup-secret.sh` script
-When Kubernetes starts a container, it mounts a directory containing the credentials that the container needs to access the Kubernetes API on the local Kubernetes cluster. The mountpoint is `/var/run/secrets/kubernetes.io/serviceaccount`. Something about the way that Cloudify Manager is started (possibly because `/sbin/init` is run) causes this mountpoint to be hidden. `setup-secret.sh` will recreated the directory if it's not present and symbolically link it to a copy of the credentials mounted at `/secret` in the container file system. This gives Cloudify Manager the credentials that the Kubernetes plugin needs to deploy Kubernetes-based DCAE components.
+When Kubernetes starts a container, it mounts a directory containing the credentials that the container needs to access the Kubernetes API on the local Kubernetes cluster. The mountpoint is `/var/run/secrets/kubernetes.io/serviceaccount`. Something about the way that Cloudify Manager is started (possibly because `/sbin/init` is run) causes this mountpoint to be hidden. `setup-secret.sh` will recreate the directory if it's not present and symbolically link it to a copy of the credentials mounted at `/secret` in the container file system. This gives Cloudify Manager the credentials that the Kubernetes plugin needs to deploy Kubernetes-based DCAE components.
`setup-secret.sh` needs to run after '/sbin/init'. The Dockerfile installs it in the `rc.local` script that runs at startup.
diff --git a/cm-container/pom.xml b/cm-container/pom.xml
index 5024f25..8909a7e 100644
--- a/cm-container/pom.xml
+++ b/cm-container/pom.xml
@@ -27,7 +27,7 @@ limitations under the License.
<groupId>org.onap.dcaegen2.deployments</groupId>
<artifactId>cm-container</artifactId>
<name>dcaegen2-deployments-cm-container</name>
- <version>3.1.0</version>
+ <version>3.2.0</version>
<url>http://maven.apache.org</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/cm-container/reset_admin.py b/cm-container/reset_admin.py
new file mode 100644
index 0000000..c7a7672
--- /dev/null
+++ b/cm-container/reset_admin.py
@@ -0,0 +1,54 @@
+########
+# Copyright (c) 2018 Cloudify Platform Ltd. All rights reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+
+#!/usr/bin/env python
+
+import subprocess
+import json
+import argparse
+from flask_security.utils import encrypt_password
+from manager_rest.flask_utils import setup_flask_app
+
+
+def db_update_password(password):
+ password = encrypt_new_password(password)
+ password = password.replace('$', '\$')
+ sql_command = "\"update users set password='" + password + "' where username='admin'\""
+ cmd = "sudo -u postgres psql cloudify_db -c " + sql_command
+ subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
+
+
+def get_salt():
+ with open('/opt/manager/rest-security.conf') as f:
+ rest_security = json.load(f)
+
+ return rest_security['hash_salt']
+
+
+def encrypt_new_password(password):
+ app = setup_flask_app(hash_salt=get_salt())
+ with app.app_context():
+ password = encrypt_password(password)
+ return password
+
+
+if __name__ == '__main__':
+
+ parser = argparse.ArgumentParser(description=('Reset admin password in DB according to rest-security.conf'))
+ parser.add_argument('-p', '--password', required=True, help='New admin password')
+ args = parser.parse_args()
+
+ db_update_password(args.password)
+ print 'Done!\n'
diff --git a/cm-container/scripts/cloudify-ready.sh b/cm-container/scripts/cloudify-ready.sh
index 60b48e6..0cb3e6e 100644
--- a/cm-container/scripts/cloudify-ready.sh
+++ b/cm-container/scripts/cloudify-ready.sh
@@ -2,7 +2,7 @@
# ============LICENSE_START=======================================================
# org.onap.dcae
# ================================================================================
-# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -41,14 +41,32 @@
# | Riemann | running |
# +--------------------------------+---------+
#
-# When an individual service is not running, it will have a status other than "running".
+# or:
+#
+# cfy status
+# Retrieving manager services status... [ip=dcae-cloudify-manager]
+#
+# Services:
+# +--------------------------------+--------+
+# | service | status |
+# +--------------------------------+--------+
+# | Cloudify Console | Active |
+# | PostgreSQL | Active |
+# | AMQP-Postgres | Active |
+# | Manager Rest-Service | Active |
+# | RabbitMQ | Active |
+# | Webserver | Active |
+# | Management Worker | Active |
+# +--------------------------------+--------+
+#
+# When an individual service is not running, it will have a status other than "running" or "Active".
# If the Cloudify API cannot be reached, the "Services:" line will not appear.
STAT=$(cfy status)
if (echo "${STAT}" | grep "^Services:$")
then
echo "Got a status response"
- if !(echo "${STAT}" | egrep '^\| [[:alnum:]]+'| grep -iv '| running ')
+ if !(echo "${STAT}" | egrep '^\| [[:alnum:]]+'| egrep -iv ' Active | running ')
then
echo "All services running"
exit 0
diff --git a/cm-container/scripts/dcae-cleanup.sh b/cm-container/scripts/dcae-cleanup.sh
index ce5c56b..b95b639 100755
--- a/cm-container/scripts/dcae-cleanup.sh
+++ b/cm-container/scripts/dcae-cleanup.sh
@@ -1,6 +1,6 @@
#!/bin/bash
# ================================================================================
-# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -43,10 +43,12 @@
set -x
set +e
-# Get the CM admin password from the config file
-# Brittle, but the container is built with an unchanging version of CM,
-# so no real risk of a breaking change
-CMPASS=$(grep 'admin_password:' /etc/cloudify/config.yaml | cut -d ':' -f2 | tr -d ' ')
+# Expect Cloudify password to be in file mounted from Kubernetes secret,
+# but allow overriding by CMPASS environment variable,
+# and if not provided, use the default
+CMPASS=${CMPASS:-$(cat /opt/onap/cm-secrets/password 2>/dev/null)}
+CMPASS=${CMPASS:-admin}
+
TYPENAMES=[\\\"dcae.nodes.ContainerizedServiceComponent\\\",\\\"dcae.nodes.ContainerizedServiceComponentUsingDmaap\\\",\\\"dcae.nodes.ContainerizedPlatformComponent\\\",\\\"dcae.nodes.ContainerizedApplication\\\"]
# Uninstall components managed by Cloudify
diff --git a/cm-container/scripts/load-plugins.sh b/cm-container/scripts/load-plugins.sh
index f4d1f66..5a342dd 100755
--- a/cm-container/scripts/load-plugins.sh
+++ b/cm-container/scripts/load-plugins.sh
@@ -25,8 +25,10 @@ CMADDR=${CMADDR:-dcae-cloudify-manager}
CMPROTO=${CMPROTO:-https}
CMPORT=${CMPORT:-443}
-# Password is currently fixed at the default
-# Eventually the password will be passed in as an environment variable
+# Expect Cloudify password to be in file mounted from Kubernetes secret,
+# but allow overriding by CMPASS environment variable,
+# and if not provided, use the default
+CMPASS=${CMPASS:-$(cat /opt/onap/cm-secrets/password 2>/dev/null)}
CMPASS=${CMPASS:-admin}
# Set up additional parameters for using HTTPS
@@ -100,4 +102,4 @@ then
touch ${PLUGINS_LOADED}
else
echo "Plugins already loaded"
-fi \ No newline at end of file
+fi
diff --git a/cm-container/scripts/set-admin-password.sh b/cm-container/scripts/set-admin-password.sh
new file mode 100755
index 0000000..5b9ca27
--- /dev/null
+++ b/cm-container/scripts/set-admin-password.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+# Runs at deployment time to set cloudify's admin password
+
+# Wait for Cloudify Manager to come up
+while ! /scripts/cloudify-ready.sh
+do
+ echo "Waiting for CM to come up"
+ sleep 15
+done
+
+# Expect Cloudify password to be in file mounted from Kubernetes secret,
+# but allow overriding by CMPASS environment variable,
+# and if not provided, use the default
+CMPASS=${CMPASS:-$(cat /opt/onap/cm-secrets/password 2>/dev/null)}
+CMPASS=${CMPASS:-admin}
+
+# Set Cloudify's admin password
+cd /opt/manager
+cfy_manager --reset_admin_password $CMPASS || ./env/bin/python reset_admin.py -p $CMPASS
+
+# Set the password used by the cfy client
+cfy profile set -p $CMPASS
+
+echo "Cloudify password set"
diff --git a/cm-container/scripts/setup-secret.sh b/cm-container/scripts/setup-secret.sh
index 848ed28..a3ee6c5 100755
--- a/cm-container/scripts/setup-secret.sh
+++ b/cm-container/scripts/setup-secret.sh
@@ -1,4 +1,3 @@
-
#!/bin/bash
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.