Updated cs components to access pg password from secrets #8723

wants to merge 18 commits into
base: main
154 changes: 151 additions & 3 deletions api/config/pg_gateway/config_request.pb.a2svc.go


26 changes: 21 additions & 5 deletions api/config/shared/global.go
@@ -257,7 +257,7 @@ func (c *GlobalConfig) Validate() error { // nolint gocyclo
"show",
"userconfig.es_password",
}
execGetPass := exec.Command(getLatestPlatformToolsPath()+"/bin/secrets-helper", args...)
execGetPass := exec.Command(GetLatestPlatformToolsPath()+"/bin/secrets-helper", args...)
getPass, err := execGetPass.Output()
if err != nil || string(getPass) == "" {
cfgErr.AddMissingKey("global.v1.external.elasticsearch.auth.basic_auth.password")
@@ -314,7 +314,7 @@ func (c *GlobalConfig) Validate() error { // nolint gocyclo
"show",
"userconfig.os_password",
}
execGetPass := exec.Command(getLatestPlatformToolsPath()+"/bin/secrets-helper", args...)
execGetPass := exec.Command(GetLatestPlatformToolsPath()+"/bin/secrets-helper", args...)
getPass, err := execGetPass.Output()
if err != nil || string(getPass) == "" {
cfgErr.AddMissingKey("global.v1.external.opensearch.auth.basic_auth.password")
@@ -348,7 +348,15 @@ func (c *GlobalConfig) Validate() error { // nolint gocyclo
cfgErr.AddMissingKey("global.v1.external.postgresql.auth.password.superuser.username")
}
if sp == "" {
cfgErr.AddMissingKey("global.v1.external.postgresql.auth.password.superuser.password")
args := []string{
"show",
"userconfig.pg_superuser_password",
}
execGetPass := exec.Command(GetLatestPlatformToolsPath()+"/bin/secrets-helper", args...)
getPass, err := execGetPass.Output()
if err != nil || string(getPass) == "" {
cfgErr.AddMissingKey("global.v1.external.postgresql.auth.password.superuser.password")
}
}

// dbuser username and password
@@ -358,7 +366,15 @@ func (c *GlobalConfig) Validate() error { // nolint gocyclo
cfgErr.AddMissingKey("global.v1.external.postgresql.auth.password.dbuser.username")
}
if dp == "" {
cfgErr.AddMissingKey("global.v1.external.postgresql.auth.password.dbuser.password")
args := []string{
"show",
"userconfig.pg_dbuser_password",
}
execGetPass := exec.Command(GetLatestPlatformToolsPath()+"/bin/secrets-helper", args...)
getPass, err := execGetPass.Output()
if err != nil || string(getPass) == "" {
cfgErr.AddMissingKey("global.v1.external.postgresql.auth.password.dbuser.password")
}
}
}
}
@@ -448,7 +464,7 @@ func (c *GlobalConfig) ValidateReDirectSysLogConfig() error {
return nil
}

func getLatestPlatformToolsPath() string {
func GetLatestPlatformToolsPath() string {
cmd, err := exec.Command("/bin/sh", "-c", habPkgPlatformToolsPath).Output()
if err != nil {
fmt.Printf("error %s", err)
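Review bot: In the `@@ -348,7 +348,15 @@` and `@@ -358,7 +366,15 @@` hunks the error from `Output()` is discarded, so a secrets-helper that cannot run at all (missing binary, or an empty path from GetLatestPlatformToolsPath) is reported to the operator as the password key being missing from config, which is misleading when the secret is actually stored. The same show-and-check block now appears four times in Validate with only the secret name varying; a small helper that returns the helper error separately lets the caller keep today's behaviour while still being able to surface the real cause. GetLatestPlatformToolsPath is now exported and consumed from other packages, but on failure it appears to print to stdout with `fmt.Printf` and continue (its return on that path is outside the hunk) — presumably yielding a relative `/bin/secrets-helper` path; confirm and consider returning the error to callers. Validate starts before these hunks and continues after the last one.
```go
// secretPresent reports whether secrets-helper holds a non-empty value for name.
// The helper error is returned separately so callers can tell "not set" from
// "helper failed to run".
func secretPresent(name string) (bool, error) {
	out, err := exec.Command(GetLatestPlatformToolsPath()+"/bin/secrets-helper", "show", name).Output()
	if err != nil {
		return false, err
	}
	return string(out) != "", nil
}

// … in Validate, one use site per secret, e.g. the superuser password:
if sp == "" {
	if ok, err := secretPresent("userconfig.pg_superuser_password"); err != nil || !ok {
		// TODO(review): report err through cfgErr (or a log line) rather than folding it into "missing key"
		cfgErr.AddMissingKey("global.v1.external.postgresql.auth.password.superuser.password")
	}
}
```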
120 changes: 120 additions & 0 deletions api/config/shared/global.pb.a2svc.go


1,387 changes: 735 additions & 652 deletions api/config/shared/global.pb.go


13 changes: 9 additions & 4 deletions api/config/shared/global.proto
@@ -189,12 +189,17 @@ message External {

message Authentication {
message PasswordAuthentication {
message User {
message SuperUser {
google.protobuf.StringValue username = 1;
google.protobuf.StringValue password = 2;
google.protobuf.StringValue password = 2 [(chef.automate.api.secret) = { name: "pg_superuser_password" }];
}
User superuser = 1;
User dbuser = 2;

message DBUser {
google.protobuf.StringValue username = 1;
google.protobuf.StringValue password = 2 [(chef.automate.api.secret) = { name: "pg_dbuser_password" }];
}
SuperUser superuser = 1;
DBUser dbuser = 2;
}
google.protobuf.StringValue scheme = 1;
PasswordAuthentication password = 2;
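Review bot: The split of `User` into `SuperUser` and `DBUser` is undocumented in the schema; a reader will not know the two messages exist only so each password field can carry a different `(chef.automate.api.secret)` name. A comment on each password field would make the contract explicit, e.g. `// Resolved at runtime via secrets-helper under userconfig.pg_superuser_password; the configured value is not read directly.` (and the `pg_dbuser_password` equivalent on DBUser). Field numbers are unchanged so the wire format is unaffected, but the generated Go type names change, as the global_test.go section shows, so any out-of-tree Go code naming `..._PasswordAuthentication_User` will break.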
4 changes: 2 additions & 2 deletions api/config/shared/global_test.go
@@ -419,8 +419,8 @@ format = "json"
Auth: &External_Postgresql_Authentication{
Scheme: w.String("password"),
Password: &External_Postgresql_Authentication_PasswordAuthentication{
Superuser: &External_Postgresql_Authentication_PasswordAuthentication_User{},
Dbuser: &External_Postgresql_Authentication_PasswordAuthentication_User{},
Superuser: &External_Postgresql_Authentication_PasswordAuthentication_SuperUser{},
Dbuser: &External_Postgresql_Authentication_PasswordAuthentication_DBUser{},
},
},
},
7 changes: 6 additions & 1 deletion components/automate-cs-bookshelf/habitat/hooks/run
@@ -36,4 +36,9 @@ else
fi


exec secrets-helper exec --secret bookshelf.access_key_id --secret bookshelf.secret_access_key -- bookshelf foreground
exec secrets-helper exec \
--optional-secret userconfig.pg_superuser_password \
--secret bookshelf.access_key_id \
--secret bookshelf.secret_access_key \
-- \
bookshelf foreground
4 changes: 2 additions & 2 deletions components/automate-cs-bookshelf/habitat/plan.sh
@@ -8,7 +8,7 @@ pkg_description="Wrapper package for chef/bookshelf"
pkg_origin="chef"

# WARNING: Version managed by .expeditor/update_chef_server.sh
pkg_version="15.10.22"
pkg_version="15.10.28"
vendor_origin="chef"
pkg_maintainer="Chef Software Inc. <support@chef.io>"
pkg_license=("Chef-MLSA")
@@ -17,7 +17,7 @@ pkg_deps=(
chef/mlsa
"${local_platform_tools_origin:-chef}/automate-platform-tools"
# WARNING: Version pin managed by .expeditor/update_chef_server.sh
"${vendor_origin}/bookshelf/15.10.22/20241216151651"
"${vendor_origin}/bookshelf/15.10.28/20250110073641"
)

pkg_binds=(
6 changes: 5 additions & 1 deletion components/automate-cs-oc-bifrost/habitat/hooks/run
@@ -29,4 +29,8 @@ fi

secrets-helper generate oc_bifrost.superuser_id 32 --if-not-exists

exec secrets-helper exec --secret oc_bifrost.superuser_id -- oc_bifrost foreground
exec secrets-helper exec \
--secret oc_bifrost.superuser_id \
--optional-secret userconfig.pg_superuser_password \
-- \
oc_bifrost foreground
4 changes: 2 additions & 2 deletions components/automate-cs-oc-bifrost/habitat/plan.sh
@@ -8,7 +8,7 @@ pkg_description="Wrapper package for chef/oc_bifrost"
pkg_origin="chef"

# WARNING: Version managed by .expeditor/update_chef_server.sh
pkg_version="15.10.22"
pkg_version="15.10.28"
vendor_origin="chef"
pkg_maintainer="Chef Software Inc. <support@chef.io>"
pkg_license=("Chef-MLSA")
@@ -17,7 +17,7 @@ pkg_deps=(
chef/mlsa
"${local_platform_tools_origin:-chef}/automate-platform-tools"
# WARNING: Version pin managed by .expeditor/update_chef_server.sh
"${vendor_origin}/oc_bifrost/15.10.22/20241216151651"
"${vendor_origin}/oc_bifrost/15.10.28/20250110073640"
)

pkg_binds=(
1 change: 1 addition & 0 deletions components/automate-cs-oc-erchef/habitat/hooks/run
@@ -76,6 +76,7 @@ exec secrets-helper exec \
--secret bookshelf.access_key_id \
--secret bookshelf.secret_access_key \
--secret chef-server.webui_pub_key \
--optional-secret userconfig.pg_superuser_password \
--optional-secret data_collector.token \
-- \
{{~#if cfg.memory.max_bytes}}
4 changes: 2 additions & 2 deletions components/automate-cs-oc-erchef/habitat/plan.sh
@@ -11,7 +11,7 @@ pkg_svc_user=root
pkg_svc_group=root

# WARNING: Version managed by .expeditor/update_chef_server.sh
pkg_version="15.10.22"
pkg_version="15.10.28"
vendor_origin="chef"
pkg_maintainer="Chef Software Inc. <support@chef.io>"
pkg_license=("Chef-MLSA")
@@ -22,7 +22,7 @@ pkg_deps=(
chef/mlsa
"${local_platform_tools_origin:-chef}/automate-platform-tools"
# WARNING: Version pin managed by .expeditor/update_chef_server.sh
"${vendor_origin}/oc_erchef/15.10.22/20241216151651"
"${vendor_origin}/oc_erchef/15.10.28/20250110073640"
)

pkg_build_deps=(
16 changes: 13 additions & 3 deletions components/automate-deployment/pkg/server/gather-logs.go
@@ -8,19 +8,20 @@ import (
"io"
"io/ioutil"
"os"
"os/exec"
"path"
"strconv"
"strings"
"time"

"github.com/chef/automate/api/config/shared"
api "github.com/chef/automate/api/interservice/deployment"
"github.com/chef/automate/components/automate-deployment/pkg/airgap"
"github.com/chef/automate/components/automate-deployment/pkg/gatherlogs"
"github.com/chef/automate/components/automate-deployment/pkg/manifest"
"github.com/chef/automate/components/automate-deployment/pkg/preflight"
"github.com/chef/automate/lib/platform/pg"

"github.com/chef/automate/lib/io/chunks"
"github.com/chef/automate/lib/platform/pg"

log "github.com/sirupsen/logrus"
"google.golang.org/grpc/codes"
@@ -170,7 +171,16 @@ func (s *server) GatherLogs(ctx context.Context, req *api.GatherLogsRequest,
}
if s.deployment.Config.Global.V1.GetExternal().GetPostgresql().GetAuth().GetPassword().GetSuperuser() != nil {
user = s.deployment.Config.Global.V1.GetExternal().GetPostgresql().GetAuth().GetPassword().GetSuperuser().GetUsername().GetValue()
password = s.deployment.Config.Global.V1.GetExternal().GetPostgresql().GetAuth().GetPassword().GetSuperuser().GetPassword().GetValue()
args := []string{
"show",
"userconfig.pg_superuser_password",
}
execGetPass := exec.Command(shared.GetLatestPlatformToolsPath()+"/bin/secrets-helper", args...)
getPass, err := execGetPass.Output()
if err != nil || string(getPass) == "" {
return nil, err
}
password = strings.TrimSpace(string(getPass))
}
certs = pg.TLSCertPaths{
RootCert: "/hab/svc/automate-pg-gateway/config/_a2_platform_external_pg_root_ca.crt",
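Review bot: `if err != nil || string(getPass) == "" { return nil, err }` returns `nil, nil` when secrets-helper runs successfully but prints nothing, so GatherLogs hands its caller a nil response with no error. Split the two cases: `if err != nil { return nil, err }`, then `password = strings.TrimSpace(string(getPass))` and `if password == "" { return nil, <explicit error> }`, building the error with whatever error/status constructor this file already uses (only `codes` is visible in the import hunk). Wrapping `err` with the secret name would also help, since a bare exec error says nothing about which lookup failed. GatherLogs starts and ends outside this hunk.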
1 change: 1 addition & 0 deletions components/automate-dex/habitat/config/run_environment.sh
@@ -7,3 +7,4 @@ export LDAP_BINDPW=$(secrets-helper show userconfig.ldap_password || echo "")
export LDAP_BINDDN=$(sed 's/^\"\(.*\)\"$/\1/' {{pkg.svc_config_path}}/ldap_bind_dn)
export LDAP_BINDPW=$(secrets-helper show userconfig.msad_password || echo "")
{{~/if}}
export POSTGRES_DB_PW=$(secrets-helper show userconfig.pg_dbuser_password || echo "")
1 change: 1 addition & 0 deletions components/automate-dex/habitat/hooks/run
@@ -29,4 +29,5 @@ exec secrets-helper exec \
--watch \
--optional-secret userconfig.ldap_password \
--optional-secret userconfig.msad_password \
--optional-secret userconfig.pg_dbuser_password \
-- dex serve {{pkg.svc_var_path}}/etc/config.yml
2 changes: 1 addition & 1 deletion components/automate-dex/habitat/templates/config.yml
@@ -15,7 +15,7 @@ storage:
{{- if is_external_pg }}
{{- if eq "password" .Platform.GetPlatform.GetExternalPostgresql.GetAuth.GetScheme.GetValue }}
user: {{ .Platform.GetPlatform.GetExternalPostgresql.GetAuth.GetPassword.GetDbuser.GetUsername.GetValue }}
password: {{ .Platform.GetPlatform.GetExternalPostgresql.GetAuth.GetPassword.GetDbuser.GetPassword.GetValue }}
password: $POSTGRES_DB_PW
{{- else }}
{{ fail "unsupported auth scheme" }}
{{- end }}
6 changes: 5 additions & 1 deletion components/notifications-service/habitat/hooks/run
@@ -27,4 +27,8 @@ if [[ ! -f "$erl_cookie" ]]; then
chmod 400 "$erl_cookie"
fi

exec "{{pkg.path}}/bin/notifications" start
# exec "{{pkg.path}}/bin/notifications" start
exec secrets-helper exec \
--watch \
--optional-secret userconfig.pg_dbuser_password \
-- "{{pkg.path}}/bin/notifications" start
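Review bot: The commented-out `# exec "{{pkg.path}}/bin/notifications" start` is dead code left behind by the rewrite; version control already preserves the old line, so drop it. If the intent is to explain why the process is now wrapped, a comment saying so is more useful, e.g. `# Run under secrets-helper so the external pg dbuser password is available to pg-env without being rendered into a config file.`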
2 changes: 1 addition & 1 deletion components/notifications-service/habitat/templates/pg-env
@@ -3,7 +3,7 @@ export SQERL_DBPORT="{{pg_gateway_port}}"
export SQERL_DBUSER="{{pg_svc_user}}"
{{- if is_external_pg }}
{{- if eq "password" .Platform.GetPlatform.GetExternalPostgresql.GetAuth.GetScheme.GetValue }}
export SQERL_DBPASSWORD="{{ .Platform.GetPlatform.GetExternalPostgresql.GetAuth.GetPassword.GetDbuser.GetPassword.GetValue }}"
export SQERL_DBPASSWORD=$(secrets-helper show userconfig.pg_dbuser_password || echo "")
{{- if .Platform.GetPlatform.GetExternalPostgresql.GetSsl.GetEnable.GetValue }}
export SQERL_NO_SSL_AUTH="true"
export EXTERNAL_PG_ROOT_CA_CERT="{{pg_root_ca_cert_path}}"
5 changes: 5 additions & 0 deletions integration/tests/ha_chef_server.sh
@@ -6,6 +6,11 @@ test_external_services=(ha_backend)

source integration/services/common.sh

SSL_CERT_FILE="/hab/pkgs/$(hab pkg list core/cacerts)/ssl/cert.pem"
export SSL_CERT_FILE
SSL_CERT_DIR="/hab/pkgs/$(hab pkg list core/cacerts)/ssl/cert"
export SSL_CERT_DIR

_frontend1_container_name="$(service_container_name "cs1")"
_frontend2_container_name="$(service_container_name "cs2")"

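Review bot: `$(hab pkg list core/cacerts)` prints every installed release of the package, one per line, so as soon as two releases are present the substituted path contains a newline and both SSL_CERT_FILE and SSL_CERT_DIR point nowhere. `hab pkg path core/cacerts` resolves to a single installed package directory and is the usual way to build such paths: `SSL_CERT_FILE="$(hab pkg path core/cacerts)/ssl/cert.pem"` and likewise for SSL_CERT_DIR. This addition is also unrelated to the pg-password change in the PR title; a one-line comment on why the test needs these exports would help the next reader.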
24 changes: 22 additions & 2 deletions lib/platform/config/config.go
@@ -4,13 +4,15 @@ import (
"fmt"
"net/url"
"os"
"os/exec"
"path"
"strings"

"github.com/golang/protobuf/jsonpb"
"github.com/pkg/errors"

"github.com/chef/automate/api/config/platform"
"github.com/chef/automate/api/config/shared"
)

const (
@@ -247,9 +249,27 @@ func (c *Config) GetPGConnInfoURI(user string) (*PGConnInfo, error) {
password := ""

if user == passwordAuth.GetDbuser().GetUsername().GetValue() {
password = passwordAuth.GetDbuser().GetPassword().GetValue()
args := []string{
"show",
"userconfig.pg_dbuser_password",
}
execGetPass := exec.Command(shared.GetLatestPlatformToolsPath()+"/bin/secrets-helper", args...)
getPass, err := execGetPass.Output()
if err != nil || string(getPass) == "" {
return nil, errors.Errorf("External postgres password auth missing password")
}
password = strings.TrimSpace(string(getPass))
} else if user == passwordAuth.GetSuperuser().GetUsername().GetValue() {
password = passwordAuth.GetSuperuser().GetPassword().GetValue()
args := []string{
"show",
"userconfig.pg_superuser_password",
}
execGetPass := exec.Command(shared.GetLatestPlatformToolsPath()+"/bin/secrets-helper", args...)
getPass, err := execGetPass.Output()
if err != nil || string(getPass) == "" {
return nil, errors.Errorf("External postgres password auth missing password")
}
password = strings.TrimSpace(string(getPass))
} else {
return nil, errors.Errorf("Invalid external postgres user %q", user)
}
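Review bot: Both new branches drop the `err` from `Output()`, so a secrets-helper that fails to execute is reported as "External postgres password auth missing password", which will send operators to check their config when the real fault is the helper invocation; `github.com/pkg/errors` is already imported, so `errors.Wrapf(err, "reading %s from secrets-helper", name)` costs nothing. The two branches are identical apart from the secret name and belong in one helper. Note also that lib/platform/config now imports api/config/shared solely for GetLatestPlatformToolsPath, and that every call to GetPGConnInfoURI now spawns a subprocess — presumably acceptable if it is called once per service start, but worth confirming against the callers. GetPGConnInfoURI starts before this hunk.
```go
// secretFromHelper returns the non-empty value secrets-helper holds for name.
// A helper failure and an unset secret produce distinguishable errors.
func secretFromHelper(name string) (string, error) {
	out, err := exec.Command(shared.GetLatestPlatformToolsPath()+"/bin/secrets-helper", "show", name).Output()
	if err != nil {
		return "", errors.Wrapf(err, "reading %s from secrets-helper", name)
	}
	v := strings.TrimSpace(string(out))
	if v == "" {
		return "", errors.Errorf("External postgres password auth missing password")
	}
	return v, nil
}

// … in GetPGConnInfoURI, replacing the if/else if/else chain (declare err here if it is not already in scope):
	switch user {
	case passwordAuth.GetDbuser().GetUsername().GetValue():
		password, err = secretFromHelper("userconfig.pg_dbuser_password")
	case passwordAuth.GetSuperuser().GetUsername().GetValue():
		password, err = secretFromHelper("userconfig.pg_superuser_password")
	default:
		return nil, errors.Errorf("Invalid external postgres user %q", user)
	}
	if err != nil {
		return nil, err
	}
```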
2 changes: 1 addition & 1 deletion lib/scaffolding/templates/sqerl.config
@@ -1,7 +1,7 @@
[{sqerl, [
{{- if is_external_pg }}
{{- if eq "password" .Platform.GetPlatform.GetExternalPostgresql.GetAuth.GetScheme.GetValue }}
{db_pass, "{{ .Platform.GetPlatform.GetExternalPostgresql.GetAuth.GetPassword.GetDbuser.GetPassword.GetValue }}" },
{config_cb, {chef_secrets_sqerl, config, [{<<"userconfig">>, <<"pg_superuser_password">>}]}},
{{- if .Platform.GetPlatform.GetExternalPostgresql.GetSsl.GetEnable.GetValue }}
{db_options, [
{ssl, true},
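Review bot: The removed `db_pass` line used the dbuser password (`GetDbuser.GetPassword`), but the replacement `config_cb` reads `pg_superuser_password`; unless the `db_user` entry of this template (outside the hunk) is the superuser, the services rendered from it will fail authentication, and if it is the superuser they run with full database privileges rather than the restricted dbuser they used before. Confirm which user is intended and, if superuser access is required, say why in a comment above the line, e.g. `%% sqerl connects as the pg superuser; the password is fetched at runtime via secrets-helper rather than rendered here.` The change does keep the secret out of the rendered file, which is an improvement over the old template.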