INTLY-1301 Add namespace params for backend and encryption secrets

* Use the namespace param for the component secret * Introduce namespace params for backend and encryption secrets
integr8ly · Mar 21, 2019 · e43e6cb · e43e6cb
1 parent dc776f4
commit e43e6cb
Show file tree

Hide file tree

Showing 9 changed files with 61 additions and 35 deletions.
diff --git a/image/tools/entrypoint.sh b/image/tools/entrypoint.sh
@@ -2,7 +2,6 @@
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 component=''
-component_secret_namespace='default'
 archive_backend='s3'
 encryption_engine='gpg'
 debug=''
@@ -12,9 +11,6 @@ while getopts "c:n:b:e:d:" opt; do
     c)
         component="$OPTARG"
         ;;
-    n)
-        component_secret_namespace="$OPTARG"
-        ;;
     b)
         archive_backend="$OPTARG"
         ;;

diff --git a/image/tools/lib/backend/s3.sh b/image/tools/lib/backend/s3.sh
@@ -1,5 +1,5 @@
 function check_backup_enabled {
-    local result=$(oc get secret -n default ${BACKEND_SECRET_NAME} -o template --template='{{.metadata.name}}')
+    local result=$(oc get secret -n ${BACKEND_SECRET_NAMESPACE} ${BACKEND_SECRET_NAME} -o template --template='{{.metadata.name}}')
     if [[ "$result" == "${BACKEND_SECRET_NAME}" ]]; then
         return 0
     else
@@ -8,15 +8,15 @@ function check_backup_enabled {
 }
 
 function get_s3_bucket_name {
-    echo "`oc get secret -n default ${BACKEND_SECRET_NAME} -o jsonpath='{.data.AWS_S3_BUCKET_NAME}' | base64 --decode`"
+    echo "`oc get secret -n ${BACKEND_SECRET_NAMESPACE} ${BACKEND_SECRET_NAME} -o jsonpath='{.data.AWS_S3_BUCKET_NAME}' | base64 --decode`"
 }
 
 function get_s3_key_id {
-    echo "`oc get secret -n default ${BACKEND_SECRET_NAME} -o jsonpath='{.data.AWS_ACCESS_KEY_ID}' | base64 --decode`"
+    echo "`oc get secret -n ${BACKEND_SECRET_NAMESPACE} ${BACKEND_SECRET_NAME} -o jsonpath='{.data.AWS_ACCESS_KEY_ID}' | base64 --decode`"
 }
 
 function get_s3_access_key {
-    echo "`oc get secret -n default ${BACKEND_SECRET_NAME} -o jsonpath='{.data.AWS_SECRET_ACCESS_KEY}' | base64 --decode`"
+    echo "`oc get secret -n ${BACKEND_SECRET_NAMESPACE} ${BACKEND_SECRET_NAME} -o jsonpath='{.data.AWS_SECRET_ACCESS_KEY}' | base64 --decode`"
 }
 
 function upload_archive {

diff --git a/image/tools/lib/component/mysql.sh b/image/tools/lib/component/mysql.sh
@@ -1,5 +1,5 @@
 function check_mysql_backup_enabled {
-    local result=$(oc get secret -n default ${COMPONENT_SECRET_NAME} -o template --template='{{.metadata.name}}')
+    local result=$(oc get secret -n ${COMPONENT_SECRET_NAMESPACE} ${COMPONENT_SECRET_NAME} -o template --template='{{.metadata.name}}')
     if [[ "$result" == "${COMPONENT_SECRET_NAME}" ]]; then
         return 0
     else
@@ -8,15 +8,15 @@ function check_mysql_backup_enabled {
 }
 
 function get_mysql_host {
-    echo "`oc get secret ${COMPONENT_SECRET_NAME} -n default -o jsonpath={.data.MYSQL_HOST} | base64 --decode`"
+    echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.MYSQL_HOST} | base64 --decode`"
 }
 
 function get_mysql_user {
-    echo "`oc get secret ${COMPONENT_SECRET_NAME} -n default -o jsonpath={.data.MYSQL_USER} | base64 --decode`"
+    echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.MYSQL_USER} | base64 --decode`"
 }
 
 function get_mysql_password {
-    echo "`oc get secret ${COMPONENT_SECRET_NAME} -n default -o jsonpath={.data.MYSQL_PASSWORD} | base64 --decode`"
+    echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.MYSQL_PASSWORD} | base64 --decode`"
 }
 
 function component_dump_data {

diff --git a/image/tools/lib/component/postgres.sh b/image/tools/lib/component/postgres.sh
@@ -1,23 +1,23 @@
 #!/usr/bin/env bash
 
 function get_postgres_username {
-  echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${component_secret_namespace} -o jsonpath={.data.POSTGRES_USERNAME} | base64 --decode`"
+  echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.POSTGRES_USERNAME} | base64 --decode`"
 }
 
 function get_postgres_password {
-  echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${component_secret_namespace} -o jsonpath={.data.POSTGRES_PASSWORD} | base64 --decode`"
+  echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.POSTGRES_PASSWORD} | base64 --decode`"
 }
 
 function get_postgres_host {
-  echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${component_secret_namespace} -o jsonpath={.data.POSTGRES_HOST} | base64 --decode`"
+  echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.POSTGRES_HOST} | base64 --decode`"
 }
 
 function get_postgres_database {
-  echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${component_secret_namespace} -o jsonpath={.data.POSTGRES_DATABASE} | base64 --decode`"
+  echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.POSTGRES_DATABASE} | base64 --decode`"
 }
 
 function get_postgres_superuser {
-  echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${component_secret_namespace} -o jsonpath={.data.POSTGRES_SUPERUSER} | base64 --decode`"
+  echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.POSTGRES_SUPERUSER} | base64 --decode`"
 }
 
 function component_dump_data {
@@ -54,4 +54,4 @@ function component_dump_data {
     done
 
   fi
-}
+}
diff --git a/image/tools/lib/encryption/gpg.sh b/image/tools/lib/encryption/gpg.sh
@@ -1,5 +1,5 @@
 function check_encryption_enabled {
-    local result=$(oc get secret -n default ${ENCRYPTION_SECRET_NAME} -o template --template='{{.metadata.name}}')
+    local result=$(oc get secret -n ${ENCRYPTION_SECRET_NAMESPACE} ${ENCRYPTION_SECRET_NAME} -o template --template='{{.metadata.name}}')
     if [[ "$result" == "${ENCRYPTION_SECRET_NAME}" ]]; then
         return 0
     else
@@ -8,15 +8,15 @@ function check_encryption_enabled {
 }
 
 function get_public_key {
-    echo -e "`oc get secret ${ENCRYPTION_SECRET_NAME} -n default -o jsonpath={.data.GPG_PUBLIC_KEY} | base64 --decode`"
+    echo -e "`oc get secret ${ENCRYPTION_SECRET_NAME} -n ${ENCRYPTION_SECRET_NAMESPACE} -o jsonpath={.data.GPG_PUBLIC_KEY} | base64 --decode`"
 }
 
 function get_trust_model {
-    echo "`oc get secret ${ENCRYPTION_SECRET_NAME} -n default -o jsonpath={.data.GPG_TRUST_MODEL} | base64 --decode`"
+    echo "`oc get secret ${ENCRYPTION_SECRET_NAME} -n ${ENCRYPTION_SECRET_NAMESPACE} -o jsonpath={.data.GPG_TRUST_MODEL} | base64 --decode`"
 }
 
 function get_recipient {
-    echo "`oc get secret ${ENCRYPTION_SECRET_NAME} -n default -o jsonpath={.data.GPG_RECIPIENT} | base64 --decode`"
+    echo "`oc get secret ${ENCRYPTION_SECRET_NAME} -n ${ENCRYPTION_SECRET_NAMESPACE} -o jsonpath={.data.GPG_RECIPIENT} | base64 --decode`"
 }
 
 function encrypt_prepare {

diff --git a/templates/openshift/backup-cronjob-template.yaml b/templates/openshift/backup-cronjob-template.yaml
@@ -42,8 +42,12 @@ objects:
                   env:
                     - name: BACKEND_SECRET_NAME
                       value: "${BACKEND_SECRET_NAME}"
+                    - name: BACKEND_SECRET_NAMESPACE
+                      value: "${BACKEND_SECRET_NAMESPACE}"
                     - name: ENCRYPTION_SECRET_NAME
                       value: "${ENCRYPTION_SECRET_NAME}"
+                    - name: ENCRYPTION_SECRET_NAMESPACE
+                      value: "${ENCRYPTION_SECRET_NAMESPACE}"
                     - name: COMPONENT_SECRET_NAME
                       value: "${COMPONENT_SECRET_NAME}"
                     - name: COMPONENT_SECRET_NAMESPACE
@@ -74,8 +78,14 @@ parameters:
   - name: BACKEND_SECRET_NAME
     description: Backend secret name to create environment variables from
     required: true
+  - name: BACKEND_SECRET_NAMESPACE
+    description: Backend secret namespace to create environment variables from
+    value: default
   - name: ENCRYPTION_SECRET_NAME
-    description: Encruption secret name to create environment variables from
+    description: Encryption secret name to create environment variables from
+  - name: ENCRYPTION_SECRET_NAMESPACE
+    description: Encryption secret namespace to create environment variables from
+    value: default
   - name: CRON_SCHEDULE
     description: 'Job schedule in Cron Format [Default is to trigger a job every minute for development purposes]'
     value: '*/1 * * * *'

diff --git a/templates/openshift/backup-job-template.yaml b/templates/openshift/backup-job-template.yaml
@@ -30,8 +30,6 @@ objects:
                 - "/opt/intly/tools/entrypoint.sh"
                 - "-c"
                 - "${COMPONENT}"
-                - "-n"
-                - "${COMPONENT_SECRET_NAMESPACE}"
                 - '-b'
                 - "${BACKEND}"
                 - "-e"
@@ -41,8 +39,12 @@ objects:
               env:
                 - name: BACKEND_SECRET_NAME
                   value: "${BACKEND_SECRET_NAME}"
+                - name: BACKEND_SECRET_NAMESPACE
+                  value: "${BACKEND_SECRET_NAMESPACE}"
                 - name: ENCRYPTION_SECRET_NAME
                   value: "${ENCRYPTION_SECRET_NAME}"
+                - name: ENCRYPTION_SECRET_NAMESPACE
+                  value: "${ENCRYPTION_SECRET_NAMESPACE}"
                 - name: COMPONENT_SECRET_NAME
                   value: "${COMPONENT_SECRET_NAME}"
                 - name: COMPONENT_SECRET_NAMESPACE
@@ -74,8 +76,14 @@ parameters:
     description: Backend secret name to create environment variables from
     required: true
     value: s3-credentials
+  - name: BACKEND_SECRET_NAMESPACE
+    description: Backend secret namespace to create environment variables from
+    value: default
   - name: ENCRYPTION_SECRET_NAME
     description: Encruption secret name to create environment variables from
+  - name: ENCRYPTION_SECRET_NAMESPACE
+    description: Encruption secret namespace to create environment variables from
+    value: default
   - name: IMAGE
     description: 'Backup docker image URL'
     value: 'quay.io/integreatly/backup-container:master'

diff --git a/templates/openshift/rbac/role-binding-template.yaml b/templates/openshift/rbac/role-binding-template.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Template
+metadata:
+  name: integreatly-backup-rolebinding-template
+  annotations:
+    description: RoleBinding for Integreatly backups
+objects:
+  - apiVersion: authorization.openshift.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: backupjob
+    roleRef:
+      name: backupjob
+    subjects:
+      - kind: ServiceAccount
+        name: backupjob
+        namespace: "${SA_NAMESPACE}"
+parameters:
+  - name: SA_NAMESPACE
+    description: The namespace the ServiceAccount is stored in
+    value: default
diff --git a/templates/openshift/rbac/role-binding.yaml b/templates/openshift/rbac/role-binding.yaml