diff options
author | Krzysztof Opasiak <k.opasiak@samsung.com> | 2019-11-21 22:48:12 +0100 |
---|---|---|
committer | Krzysztof Opasiak <k.opasiak@samsung.com> | 2019-11-21 23:00:37 +0100 |
commit | c6f8706f751312eab1487460352e219af9ace3c9 (patch) | |
tree | d39a12359fd8f313daf98fec67682ec01fd0135f | |
parent | 17804e20a22090d3c0b2333528dd6f0ca7809567 (diff) |
Add password generation template
Currently there is a number of hardcoded passwords in OOM helm charts
that are reused for almost all ONAP deployments in different labs.
One possible solution for this issue could be to generate a random
password for every deployment but this may cause number of issues
while doing helm upgrade.
That's why instead of generating a random password we generate a
password for particular use case, based on chart name, master
password provided by the deployer and additional UID. This is done
using derivePassword function so check its documentation for more
details how this password is derived.
From a user perspective, the most important fact is that he or she can
achieve reproductible deployment. Every time when ONAP is deployed
with the same masterPassword all derived passwords are going
to be also the same.
Issue-ID: OOM-2052
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I666d597e6daab8b79e630917ad75f17cc70f897b
-rw-r--r-- | kubernetes/common/common/templates/_createPassword.tpl | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/kubernetes/common/common/templates/_createPassword.tpl b/kubernetes/common/common/templates/_createPassword.tpl new file mode 100644 index 0000000000..938b0ee514 --- /dev/null +++ b/kubernetes/common/common/templates/_createPassword.tpl @@ -0,0 +1,62 @@ +{{/* +# Copyright © 2019 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* + Resolve the master password to be used to derive other passwords. The value of + .Values.masterPassword is used by default, unless either override mechanism is + used: + + - .Values.global.masterPassword : override default master password for all charts + - .Values.masterPasswordOverride : override global and default masterPassword on a per chart basis +*/}} +{{- define "common.masterPassword" -}} + {{ if .Values.masterPasswordOverride }} + {{- printf "%d" .Values.masterPasswordOverride -}} + {{ else if .Values.global.masterPassword }} + {{- printf "%d" .Values.global.masterPassword -}} + {{ else if .Values.masterPassword }} + {{- printf "%d" .Values.masterPassword -}} + {{ else }} + {{ fail "masterPassword not provided" }} + {{ end }} +{{- end -}} + +{{/* + Generate a new password based on masterPassword. The new password is not + random, it is derived from masterPassword, fully qualified chart name and + additional uid provided by the user. This ensures that every time when we + run this function from the same place, with the same password and uid we + get the same results. This allows to avoid password changes while you are + doing upgrade. + + The function can take from one to three arguments (inside a dictionary): + - .dot : environment (.) + - .uid : unique identifier of password to be generated within this particular chart. Use only when you create more than a single password within one chart + - .strength : complexity of derived password. See derivePassword documentation for more details + + Example calls: + + {{ include "common.createPassword" . }} + {{ include "common.createPassword" (dict "dot" . "uid" "mysqlRootPasswd") }} + +*/}} +{{- define "common.createPassword" -}} + {{- $dot := default . .dot -}} + {{- $uid := default "onap" .uid -}} + {{- $strength := default "long" .strength -}} + {{- $mp := include "common.masterPassword" $dot -}} + {{- derivePassword 1 $strength $mp (include "common.fullname" $dot) $uid -}} +{{- end -}} |