Ceph-RGW: Support rotation of s3 key pairs
This updates the helm-toolkit script for creating rgw s3 users to first check if a user exists, then create the user if it does not exist or modify the user's keys if it does exist. This is accomplished by using jq to identify all existing access keys for the specified user, removing those key pairs using the access key, then modifies the existing user with the supplied access/secret key pair for the given user This also updates the ceph-rgw chart to use the helm-toolkit s3 user script for creating the admin s3 user instead of using a similar script defined directly in the ceph-rgw chart Change-Id: I575b66415d44db7bb752102e45595305d86e623b
This commit is contained in:
parent
f4aa5dc574
commit
cf0ed142f6
@ -1,38 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
{{/*
|
||||
Copyright 2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
set -ex
|
||||
|
||||
function create_admin_user () {
|
||||
radosgw-admin user create \
|
||||
--uid=${S3_ADMIN_USERNAME} \
|
||||
--display-name=${S3_ADMIN_USERNAME}
|
||||
|
||||
radosgw-admin caps add \
|
||||
--uid=${S3_ADMIN_USERNAME} \
|
||||
--caps={{ .Values.conf.rgw_s3.admin_caps | quote }}
|
||||
|
||||
radosgw-admin key create \
|
||||
--uid=${S3_ADMIN_USERNAME} \
|
||||
--key-type=s3 \
|
||||
--access-key ${S3_ADMIN_ACCESS_KEY} \
|
||||
--secret-key ${S3_ADMIN_SECRET_KEY}
|
||||
}
|
||||
|
||||
radosgw-admin user stats --uid=${S3_ADMIN_USERNAME} || \
|
||||
create_admin_user
|
@ -39,7 +39,7 @@ data:
|
||||
ceph-admin-keyring.sh: |
|
||||
{{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
rgw-s3-admin.sh: |
|
||||
{{ tuple "bin/rgw/_rgw-s3-admin.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
{{- include "helm-toolkit.scripts.create_s3_user" . | indent 4 }}
|
||||
helm-tests.sh: |
|
||||
{{ tuple "bin/_helm-tests.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
{{- end }}
|
||||
|
@ -92,17 +92,17 @@ spec:
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.rgw_s3_admin | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
env:
|
||||
- name: S3_ADMIN_USERNAME
|
||||
- name: S3_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $s3AdminSecret }}
|
||||
key: S3_ADMIN_USERNAME
|
||||
- name: S3_ADMIN_ACCESS_KEY
|
||||
- name: S3_ACCESS_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $s3AdminSecret }}
|
||||
key: S3_ADMIN_ACCESS_KEY
|
||||
- name: S3_ADMIN_SECRET_KEY
|
||||
- name: S3_SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $s3AdminSecret }}
|
||||
|
@ -22,15 +22,51 @@ set -ex
|
||||
function create_s3_user () {
|
||||
radosgw-admin user create \
|
||||
--uid=${S3_USERNAME} \
|
||||
--display-name=${S3_USERNAME}
|
||||
|
||||
radosgw-admin key create \
|
||||
--uid=${S3_USERNAME} \
|
||||
--display-name=${S3_USERNAME} \
|
||||
--key-type=s3 \
|
||||
--access-key ${S3_ACCESS_KEY} \
|
||||
--secret-key ${S3_SECRET_KEY}
|
||||
}
|
||||
|
||||
radosgw-admin user stats --uid=${S3_USERNAME} || \
|
||||
function update_s3_user () {
|
||||
# Retrieve old access keys, if they exist
|
||||
old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
|
||||
| jq -r '.keys[].access_key' || true)
|
||||
|
||||
if [[ ! -z ${old_access_keys} ]]; then
|
||||
for access_key in $old_access_keys; do
|
||||
# If current access key is the same as the key supplied, do nothing.
|
||||
if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
|
||||
echo "Current key pair exists."
|
||||
continue
|
||||
else
|
||||
# If keys differ, remove previous key
|
||||
radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# Perform one more additional check to account for scenarios where multiple
|
||||
# key pairs existed previously, but one existing key was the supplied key
|
||||
current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
|
||||
| jq -r '.keys[].access_key' || true)
|
||||
|
||||
# If the supplied key does not exist, modify the user
|
||||
if [[ -z ${current_access_key} ]]; then
|
||||
# Modify user with new access and secret keys
|
||||
echo "Updating key pair"
|
||||
radosgw-admin user modify \
|
||||
--uid=${S3_USERNAME}\
|
||||
--access-key ${S3_ACCESS_KEY} \
|
||||
--secret-key ${S3_SECRET_KEY}
|
||||
fi
|
||||
}
|
||||
|
||||
user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
|
||||
if [[ -z ${user_exists} ]]; then
|
||||
create_s3_user
|
||||
else
|
||||
update_s3_user
|
||||
fi
|
||||
|
||||
{{- end }}
|
||||
|
@ -123,10 +123,10 @@ data:
|
||||
delete:
|
||||
- type: job
|
||||
labels:
|
||||
release_group: osh-infra-radosgw-osh-infra
|
||||
release_group: osh-infra-osh-infra-radosgw
|
||||
- type: pod
|
||||
labels:
|
||||
release_group: osh-infra-radosgw-osh-infra
|
||||
release_group: osh-infra-osh-infra-radosgw
|
||||
component: test
|
||||
values:
|
||||
release_uuid: ${RELEASE_UUID}
|
||||
|
Loading…
Reference in New Issue
Block a user