diff --git a/grafana/templates/bin/_set-admin-password.sh.tpl b/grafana/templates/bin/_set-admin-password.sh.tpl
new file mode 100644
index 000000000..879e150ed
--- /dev/null
+++ b/grafana/templates/bin/_set-admin-password.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+echo "Attempting to update Grafana admin user password"
+grafana-cli admin reset-admin-password --homepath "/usr/share/grafana" --config /etc/grafana/grafana.ini ${GF_SECURITY_ADMIN_PASSWORD}
+
+if [ "$?" == 1 ]; then
+ echo "The Grafana admin user does not exist yet, so no need to update password"
+ exit 0;
+else
+ exit 0;
+fi
diff --git a/grafana/templates/configmap-bin.yaml b/grafana/templates/configmap-bin.yaml
index a5c975c61..01c1bbfa0 100644
--- a/grafana/templates/configmap-bin.yaml
+++ b/grafana/templates/configmap-bin.yaml
@@ -32,4 +32,6 @@ data:
 {{ tuple "bin/_helm-tests.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 grafana.sh: |
 {{ tuple "bin/_grafana.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ set-admin-password.sh: |
+{{ tuple "bin/_set-admin-password.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}
diff --git a/grafana/templates/job-set-admin-user.yaml b/grafana/templates/job-set-admin-user.yaml
new file mode 100644
index 000000000..3fbd542b3
--- /dev/null
+++ b/grafana/templates/job-set-admin-user.yaml
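Review bot: Both branches of the `if [ "$?" == 1 ]` check in `_set-admin-password.sh.tpl` end in `exit 0`, so the script reports success whatever `grafana-cli` returned, and a failed reset (database unreachable, bad config) leaves the previous admin password in place while the Job shows as completed. `${GF_SECURITY_ADMIN_PASSWORD}` is also unquoted, so a password containing whitespace or glob characters is split or expanded before it reaches `grafana-cli`, and as a positional argument it is readable from the process list while the command runs. The version below quotes the expansion and lets unexpected statuses fail the Job so `restartPolicy: OnFailure` can retry; it assumes status 1 really does mean only "admin user not created yet", which should be confirmed against the grafana-cli in the image. If that grafana-cli supports `--password-from-stdin`, feeding the secret on stdin would keep it out of argv.

```shell
# … unchanged: shebang and license header …
echo "Attempting to update Grafana admin user password"
rc=0
grafana-cli admin reset-admin-password \
  --homepath "/usr/share/grafana" \
  --config /etc/grafana/grafana.ini \
  "${GF_SECURITY_ADMIN_PASSWORD}" || rc=$?

case "${rc}" in
  0) echo "Grafana admin password updated" ;;
  1) echo "The Grafana admin user does not exist yet, so no need to update password" ;;
  *) echo "grafana-cli exited with status ${rc}; admin password not updated" >&2
     exit "${rc}" ;;
esac
```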
@@ -0,0 +1,79 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_set_admin_user }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "grafana-set-admin-user" }}
+{{ tuple $envAll "set_admin_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: grafana-set-admin-user
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "grafana" "set-admin-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value | quote }}
+ initContainers:
+{{ tuple $envAll "set_admin_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: grafana-set-admin-password
+{{ tuple $envAll "grafana" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.set_admin_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ command:
+ - /tmp/set-admin-password.sh
+ env:
+ - name: GF_SECURITY_ADMIN_USER
+ valueFrom:
+ secretKeyRef:
+ name: grafana-admin-creds
+ key: GRAFANA_ADMIN_USERNAME
+ - name: GF_SECURITY_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana-admin-creds
+ key: GRAFANA_ADMIN_PASSWORD
+ volumeMounts:
+ - name: grafana-etc
+ mountPath: /etc/grafana/grafana.ini
+ subPath: grafana.ini
+ - name: grafana-bin
+ mountPath: /tmp/set-admin-password.sh
+ subPath: set-admin-password.sh
+ readOnly: true
+ volumes:
+ - name: pod-etc-grafana
+ emptyDir: {}
+ - name: grafana-bin
+ configMap:
+ name: grafana-bin
+ defaultMode: 0555
+ - name: grafana-etc
+ secret:
+ secretName: grafana-etc
+ defaultMode: 0444
+{{- end }}
diff --git a/grafana/values.yaml b/grafana/values.yaml
index 6a263e72b..4eaaf06c5 100644
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@@ -107,6 +107,13 @@ pod:
 limits:
 memory: "1024Mi"
 cpu: "2000m"
+ set_admin_user:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
 tests:
 requests:
 memory: "128Mi"
@@ -264,6 +271,7 @@ dependencies:
 jobs:
 - grafana-db-init
 - grafana-db-session-sync
+ - grafana-set-admin-user
 services:
 - endpoint: internal
 service: oslo_db
@@ -271,6 +279,12 @@ dependencies:
 services:
 - endpoint: internal
 service: local_image_registry
+ set_admin_user:
+ jobs:
+ - grafana-db-init
+ services:
+ - endpoint: internal
+ service: oslo_db
 tests:
 services:
 - endpoint: internal
@@ -314,6 +328,7 @@ manifests:
 job_db_init_session: true
 job_db_session_sync: true
 job_image_repo_sync: true
+ job_set_admin_user: true
 network_policy: false
 secret_db: true
 secret_db_session: true
diff --git a/tools/deployment/armada/040-armada-update-passwords.sh b/tools/deployment/armada/040-armada-update-passwords.sh
index 8aa39400d..a1ca9bacf 100755
--- a/tools/deployment/armada/040-armada-update-passwords.sh
+++ b/tools/deployment/armada/040-armada-update-passwords.sh
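Review bot: The `securityContext` on the `grafana-set-admin-password` container in `job-set-admin-user.yaml` sets only `allowPrivilegeEscalation: false`, although this container receives the admin credentials from `grafana-admin-creds` and mounts `grafana.ini` from the `grafana-etc` secret. Consider adding `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities: {drop: ["ALL"]}`, after checking that `grafana-cli` does not need to write under its home path. Two smaller cleanups in the same spec: the `pod-etc-grafana` emptyDir under `volumes` is never referenced in `volumeMounts`, and `GF_SECURITY_ADMIN_USER` is injected but not read by `set-admin-password.sh`, so it can probably be dropped unless grafana-cli picks it up as a config override.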
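Review bot: In the `@@ -264,6 +271,7 @@` hunk of `values.yaml`, `grafana-set-admin-user` is added to what looks like the static job dependencies of the Grafana pod, while the job itself is gated by `manifests.job_set_admin_user`. If an operator sets that flag to `false`, the dependency entry presumably remains and the pod would wait on a Job that is never created; a comment next to the flag such as `# when false, also remove grafana-set-admin-user from the grafana job dependencies` would make the coupling visible. The enclosing `dependencies:` block starts outside the hunk, so confirm which component this list belongs to.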
@@ -34,6 +34,7 @@ fi export CEPH_NETWORK=$(./tools/deployment/multinode/kube-node-subnet.sh) export CEPH_FS_ID="$(cat /tmp/ceph-fs-uuid.txt)" +export RELEASE_UUID=$(uuidgen) export OSH_INFRA_PATH # NOTE(srwilkers): We add this here due to envsubst expanding the ${tag} placeholder in