From c6f8706f751312eab1487460352e219af9ace3c9 Mon Sep 17 00:00:00 2001 From: Krzysztof Opasiak Date: Thu, 21 Nov 2019 22:48:12 +0100 Subject: Add password generation template Currently there is a number of hardcoded passwords in OOM helm charts that are reused for almost all ONAP deployments in different labs. One possible solution for this issue could be to generate a random password for every deployment but this may cause number of issues while doing helm upgrade. That's why instead of generating a random password we generate a password for particular use case, based on chart name, master password provided by the deployer and additional UID. This is done using derivePassword function so check its documentation for more details how this password is derived. From a user perspective, the most important fact is that he or she can achieve reproductible deployment. Every time when ONAP is deployed with the same masterPassword all derived passwords are going to be also the same. Issue-ID: OOM-2052 Signed-off-by: Krzysztof Opasiak Change-Id: I666d597e6daab8b79e630917ad75f17cc70f897b --- .../common/common/templates/_createPassword.tpl | 62 ++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 kubernetes/common/common/templates/_createPassword.tpl (limited to 'kubernetes') diff --git a/kubernetes/common/common/templates/_createPassword.tpl b/kubernetes/common/common/templates/_createPassword.tpl new file mode 100644 index 0000000000..938b0ee514 --- /dev/null +++ b/kubernetes/common/common/templates/_createPassword.tpl @@ -0,0 +1,62 @@ +{{/* +# Copyright © 2019 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* + Resolve the master password to be used to derive other passwords. The value of + .Values.masterPassword is used by default, unless either override mechanism is + used: + + - .Values.global.masterPassword : override default master password for all charts + - .Values.masterPasswordOverride : override global and default masterPassword on a per chart basis +*/}} +{{- define "common.masterPassword" -}} + {{ if .Values.masterPasswordOverride }} + {{- printf "%d" .Values.masterPasswordOverride -}} + {{ else if .Values.global.masterPassword }} + {{- printf "%d" .Values.global.masterPassword -}} + {{ else if .Values.masterPassword }} + {{- printf "%d" .Values.masterPassword -}} + {{ else }} + {{ fail "masterPassword not provided" }} + {{ end }} +{{- end -}} + +{{/* + Generate a new password based on masterPassword. The new password is not + random, it is derived from masterPassword, fully qualified chart name and + additional uid provided by the user. This ensures that every time when we + run this function from the same place, with the same password and uid we + get the same results. This allows to avoid password changes while you are + doing upgrade. + + The function can take from one to three arguments (inside a dictionary): + - .dot : environment (.) + - .uid : unique identifier of password to be generated within this particular chart. Use only when you create more than a single password within one chart + - .strength : complexity of derived password. See derivePassword documentation for more details + + Example calls: + + {{ include "common.createPassword" . }} + {{ include "common.createPassword" (dict "dot" . "uid" "mysqlRootPasswd") }} + +*/}} +{{- define "common.createPassword" -}} + {{- $dot := default . .dot -}} + {{- $uid := default "onap" .uid -}} + {{- $strength := default "long" .strength -}} + {{- $mp := include "common.masterPassword" $dot -}} + {{- derivePassword 1 $strength $mp (include "common.fullname" $dot) $uid -}} +{{- end -}} -- cgit 1.2.3-korg