Prehashed pw (#26)
* Use Chart Testing v3
* Allow setting of consistent admin password hash

Co-authored-by: Arne Diekmann <arne@neoskop.de>
willholley and arnediekmann committed May 22, 2020
1 parent 6272fee commit bb174048094a498604cdcc35e95cf6a046f0b0d5
Showing 10 changed files with 86 additions and 35 deletions.
@@ -1,6 +1,6 @@
apiVersion: v1
name: couchdb
version: 3.2.0
version: 3.3.0
appVersion: 2.3.1
description: A database featuring seamless multi-master sync, that scales from
big data to mobile, with an intuitive HTTP/JSON API and designed for
@@ -59,6 +59,23 @@ Secret containing `adminUsername`, `adminPassword` and `cookieAuthSecret` keys:
$ kubectl create secret generic my-release-couchdb --from-literal=adminUsername=foo --from-literal=adminPassword=bar --from-literal=cookieAuthSecret=baz
```

If you want to set the `adminHash` directly to achieve consistent salts between
different nodes you need to addionally add the key `password.ini` to the secret:

```bash
$ kubectl create secret generic my-release-couchdb \
--from-literal=adminUsername=foo \
--from-literal=cookieAuthSecret=baz \
--from-file=./my-password.ini
```

With the following contents in `my-password.ini`:

```
[admins]
foo = <pbkdf2-hash>
```

and then install the chart while overriding the `createAdminSecret` setting:

```bash
@@ -148,6 +165,7 @@ A variety of other parameters are also configurable. See the comments in the
|--------------------------------------|----------------------------------------|
| `adminUsername` | admin |
| `adminPassword` | auto-generated |
| `adminHash` | |
| `cookieAuthSecret` | auto-generated |
| `image.repository` | couchdb |
| `image.tag` | 2.3.1 |
@@ -0,0 +1,2 @@
[admins]
{{ .Values.adminUsername }} = {{ .Values.adminHash }}
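Review bot: Nothing validates that `.Values.adminHash` is really a hashed value before it is written into the `[admins]` section here; after `tpl` renders this file the value is emitted verbatim, so a plaintext password pasted into `adminHash` by mistake is accepted silently. CouchDB presumably hashes such a plaintext entry itself on startup, with a fresh per-node salt, which would defeat the consistent-salt purpose described in the README — worth confirming. A cheap guard in templates/secret.yaml would be `{{- if not (hasPrefix "-pbkdf2-" .Values.adminHash) }}{{ fail "adminHash must be a CouchDB password hash (-pbkdf2-...)" }}{{- end }}`, and a leading `; rendered by templates/secret.yaml; the value must be a pre-hashed CouchDB admin password` comment in this file would document the contract for anyone editing it.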
@@ -13,4 +13,7 @@ data:
adminUsername: {{ template "couchdb.defaultsecret" .Values.adminUsername }}
adminPassword: {{ template "couchdb.defaultsecret" .Values.adminPassword }}
cookieAuthSecret: {{ template "couchdb.defaultsecret" .Values.cookieAuthSecret }}
{{- if .Values.adminHash }}
password.ini: {{ tpl (.Files.Get "password.ini") . | b64enc }}
{{- end -}}
{{- end -}}
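Review bot: When `adminHash` is set, `adminPassword` is still generated and stored on the line above the new block, so the same Secret now carries two admin credentials for one user and nothing says which one CouchDB ends up honouring. As far as I can tell the `password.ini` copied into `local.d` overrides the `default.d` entry, making the generated `adminPassword` dead weight — confirm and document it here, e.g. `{{- /* password.ini lands in local.d and takes precedence over adminPassword; the latter is kept only for the Secret's fixed key set */ -}}`. If that is not the intended precedence, consider emitting `adminPassword` only in the `else` branch so operators are not misled by a password that does not work.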
@@ -39,6 +39,18 @@ spec:
mountPath: /tmp/
- name: config-storage
mountPath: /default.d
{{- if .Values.adminHash }}
- name: admin-hash-copy
image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
imagePullPolicy: {{ .Values.initImage.pullPolicy }}
command: ['sh','-c','cp /tmp/password.ini /local.d/ ;']
volumeMounts:
- name: admin-password
mountPath: /tmp/password.ini
subPath: "password.ini"
- name: local-config-storage
mountPath: /local.d
{{- end }}
containers:
- name: couchdb
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
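Review bot: The new `admin-hash-copy` init container gives no hint why the secret is copied into an emptyDir instead of being mounted straight into `/opt/couchdb/etc/local.d`; presumably CouchDB needs `local.d` writable (it rewrites admin entries), but that should be stated in the template, e.g. `{{- /* copy rather than mount: CouchDB must be able to write local.d — confirm */ }}`. Two consequences follow from the subPath mount plus one-shot copy and deserve a comment too: a rotated `adminHash` only takes effect after a pod restart, and the copied file inherits the init image's default umask rather than the Secret's mode. The trailing ` ;` in `command: ['sh','-c','cp /tmp/password.ini /local.d/ ;']` is stray; `command: ['sh', '-c', 'cp /tmp/password.ini /local.d/']` is equivalent and cleaner.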
@@ -112,6 +124,10 @@ spec:
volumeMounts:
- name: config-storage
mountPath: /opt/couchdb/etc/default.d
{{- if .Values.adminHash }}
- name: local-config-storage
mountPath: /opt/couchdb/etc/local.d
{{- end }}
- name: database-storage
mountPath: /opt/couchdb/data
{{- if .Values.enableSearch }}
@@ -149,6 +165,14 @@ spec:
- key: seedlistinifile
path: seedlist.ini

{{- if .Values.adminHash }}
- name: local-config-storage
emptyDir: {}
- name: admin-password
secret:
secretName: {{ template "couchdb.fullname" . }}
{{- end -}}

{{- if not .Values.persistentVolume.enabled }}
- name: database-storage
emptyDir: {}
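Review bot: The `admin-password` volume projects the whole release Secret — `adminPassword` and `cookieAuthSecret` included — into the init container even though only `password.ini` is ever used via subPath; restricting the projection with `items:` followed by `- key: password.ini` and `path: password.ini` keeps the other credentials out of that container entirely. The `local-config-storage` emptyDir that receives the copied hash is node-disk backed by default; `emptyDir: {medium: Memory}` keeps it off disk, at the cost of counting against the pod's memory limit. Also note the `{{- end -}}` closing this block trims the blank line that separated it from the `persistentVolume` block, which is harmless here but easy to break on the next edit.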
@@ -13,16 +13,18 @@ allowAdminParty: false
## be created containing auto-generated credentials. Users who prefer to set
## these values themselves have a couple of options:
##
## 1) The `adminUsername`, `adminPassword`, and `cookieAuthSecret` can be
## defined directly in the chart's values. Note that all of a chart's values
## are currently stored in plaintext in a ConfigMap in the tiller namespace.
## 1) The `adminUsername`, `adminPassword`, `adminHash`, and `cookieAuthSecret`
## can be defined directly in the chart's values. Note that all of a chart's
## values are currently stored in plaintext in a ConfigMap in the tiller
## namespace.
##
## 2) This flag can be disabled and a Secret with the required keys can be
## created ahead of time.
createAdminSecret: true

adminUsername: admin
# adminPassword: this_is_not_secure
# adminHash: -pbkdf2-this_is_not_necessarily_secure_either
# cookieAuthSecret: neither_is_this

## When enabled, will deploy a networkpolicy that allows CouchDB pods to
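Review bot: The updated comment block lists `adminHash` alongside the other keys but never says what the value must be or how it interacts with `adminPassword`, and the commented example `# adminHash: -pbkdf2-this_is_not_necessarily_secure_either` reads like a plaintext string rather than a CouchDB hash. Suggest extending the comment with something like `## adminHash must be a CouchDB password hash (e.g. -pbkdf2-<derived key>,<salt>,<iterations>); when set it is written to local.d and supersedes adminPassword` — the precedence claim is my reading of the templates, so confirm it. It would also help to state that with `createAdminSecret: false` the pre-created Secret must then contain a `password.ini` key, as the README hunk describes, since that requirement is invisible from this file.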
@@ -129,7 +131,8 @@ ingress:

## Optional resource requests and limits for the CouchDB container
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources: {}
resources:
{}
# requests:
# cpu: 100m
# memory: 128Mi
@@ -160,7 +163,6 @@ couchdbConfig:
# 5984 when is set to true.
require_valid_user: false


# Kubernetes local cluster domain.
# This is used to generate FQDNs for peers when joining the CouchDB cluster.
dns:
BIN +9.27 KB docs/couchdb-3.3.0.tgz
Binary file not shown.
@@ -1,6 +1,29 @@
apiVersion: v1
entries:
couchdb:
- apiVersion: v1
appVersion: 2.3.1
created: "2020-05-22T13:16:19.793936+01:00"
description: A database featuring seamless multi-master sync, that scales from
big data to mobile, with an intuitive HTTP/JSON API and designed for reliability.
digest: 0d2613f898fd6f6d86e396e2f64f21e85d3d07889fe3fcc76e03cdb741ecce74
home: https://couchdb.apache.org/
icon: http://couchdb.apache.org/CouchDB-visual-identity/logo/CouchDB-couch-symbol.svg
keywords:
- couchdb
- database
- nosql
maintainers:
- email: kocolosk@apache.org
name: kocolosk
- email: willholley@apache.org
name: willholley
name: couchdb
sources:
- https://github.com/apache/couchdb-docker
urls:
- https://apache.github.io/couchdb-helm/couchdb-3.3.0.tgz
version: 3.3.0
- apiVersion: v1
appVersion: 2.3.1
created: "2020-02-24T14:28:33.088976214+01:00"
@@ -162,4 +185,4 @@ entries:
urls:
- https://apache.github.io/couchdb-helm/couchdb-2.2.0.tgz
version: 2.2.0
generated: "2020-02-24T14:28:33.083464834+01:00"
generated: "2020-05-22T13:16:19.792815+01:00"
@@ -1 +1 @@
helm-extra-args: --timeout 800
helm-extra-args: --timeout 800s
@@ -4,10 +4,10 @@ set -o errexit
set -o nounset
set -o pipefail

readonly CT_VERSION=v2.3.3
readonly KIND_VERSION=v0.5.1
readonly CT_VERSION=v3.0.0-rc.1
readonly KIND_VERSION=v0.7.0
readonly CLUSTER_NAME=chart-testing
readonly K8S_VERSION=v1.14.3
readonly K8S_VERSION=v1.17.0

run_ct_container() {
echo 'Running ct container...'
@@ -45,9 +45,10 @@ create_kind_cluster() {
docker_exec mkdir -p /root/.kube

echo 'Copying kubeconfig to container...'
local kubeconfig
kubeconfig="$(kind get kubeconfig-path --name "$CLUSTER_NAME")"
local kubeconfig=$(mktemp)
kind get kubeconfig --name "$CLUSTER_NAME" >"$kubeconfig"
docker cp "$kubeconfig" ct:/root/.kube/config
rm "$kubeconfig"

docker_exec kubectl cluster-info
echo
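Review bot: `local kubeconfig=$(mktemp)` masks mktemp's exit status (the `local` builtin returns 0 regardless), so under `set -o errexit` a failed mktemp goes unnoticed and the script carries on with an empty path; split it into `local kubeconfig` and `kubeconfig=$(mktemp)` as the removed lines already did. The temp file holds the cluster's kubeconfig, i.e. admin credentials, and is only removed on the happy path — if `docker cp` fails the script exits and leaves it in `/tmp`; a `trap 'rm -f -- "$kubeconfig"' RETURN` after the assignment, or piping `kind get kubeconfig` straight into the container, avoids that. `rm -f -- "$kubeconfig"` is also safer than the bare `rm "$kubeconfig"`. create_kind_cluster starts before and continues after this hunk.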
@@ -59,26 +60,6 @@ create_kind_cluster() {
echo
}

install_tiller() {
echo 'Installing Tiller...'
docker_exec kubectl --namespace kube-system create sa tiller
docker_exec kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
docker_exec helm init --service-account tiller --upgrade --wait
echo
}

install_local-path-provisioner() {
# kind doesn't support Dynamic PVC provisioning yet, this is one ways to get it working
# https://github.com/rancher/local-path-provisioner

# Remove default storage class. It will be recreated by local-path-provisioner
docker_exec kubectl delete storageclass standard

echo 'Installing local-path-provisioner...'
docker_exec kubectl apply -f test/local-path-provisioner.yaml
echo
}

install_charts() {
docker_exec ct lint-and-install --charts couchdb --upgrade --chart-dirs .
echo
@@ -89,8 +70,6 @@ main() {
trap cleanup EXIT

create_kind_cluster
install_local-path-provisioner
install_tiller
install_charts
}
