From e43e6cb6749a8717a7ac839f3bc887e4bb45c10a Mon Sep 17 00:00:00 2001 From: Aiden Keating Date: Tue, 19 Mar 2019 11:45:15 +0000 Subject: [PATCH] INTLY-1301 Add namespace params for backend and encryption secrets * Use the namespace param for the component secret * Introduce namespace params for backend and encryption secrets --- image/tools/entrypoint.sh | 4 ---- image/tools/lib/backend/s3.sh | 8 +++---- image/tools/lib/component/mysql.sh | 8 +++---- image/tools/lib/component/postgres.sh | 12 +++++----- image/tools/lib/encryption/gpg.sh | 8 +++---- .../openshift/backup-cronjob-template.yaml | 12 +++++++++- templates/openshift/backup-job-template.yaml | 12 ++++++++-- .../openshift/rbac/role-binding-template.yaml | 22 +++++++++++++++++++ templates/openshift/rbac/role-binding.yaml | 10 --------- 9 files changed, 61 insertions(+), 35 deletions(-) create mode 100644 templates/openshift/rbac/role-binding-template.yaml delete mode 100644 templates/openshift/rbac/role-binding.yaml diff --git a/image/tools/entrypoint.sh b/image/tools/entrypoint.sh index 87c505c..d585d87 100755 --- a/image/tools/entrypoint.sh +++ b/image/tools/entrypoint.sh @@ -2,7 +2,6 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" component='' -component_secret_namespace='default' archive_backend='s3' encryption_engine='gpg' debug='' @@ -12,9 +11,6 @@ while getopts "c:n:b:e:d:" opt; do c) component="$OPTARG" ;; - n) - component_secret_namespace="$OPTARG" - ;; b) archive_backend="$OPTARG" ;; diff --git a/image/tools/lib/backend/s3.sh b/image/tools/lib/backend/s3.sh index 6dc4a2a..2d2bb47 100644 --- a/image/tools/lib/backend/s3.sh +++ b/image/tools/lib/backend/s3.sh 
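Review bot: The `n)` case arm is removed in the second entrypoint.sh hunk, but the `getopts "c:n:b:e:d:"` optstring on the context line just above still declares `n:`, so a caller passing `-n NAMESPACE` is still accepted and, absent a default arm, its argument is silently discarded instead of being rejected; change it to `while getopts "c:b:e:d:" opt; do`. backup-job-template.yaml in this patch drops the `-n`/`${COMPONENT_SECRET_NAMESPACE}` args, but the container args of backup-cronjob-template.yaml are not in the diff, so confirm that template no longer passes `-n` before tightening the optstring, otherwise the CronJob would start failing on an illegal option. The `while getopts` loop starts and ends outside the hunk.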
@@ -1,5 +1,5 @@ function check_backup_enabled { - local result=$(oc get secret -n default ${BACKEND_SECRET_NAME} -o template --template='{{.metadata.name}}') + local result=$(oc get secret -n ${BACKEND_SECRET_NAMESPACE} ${BACKEND_SECRET_NAME} -o template --template='{{.metadata.name}}') if [[ "$result" == "${BACKEND_SECRET_NAME}" ]]; then return 0 else @@ -8,15 +8,15 @@ function check_backup_enabled { } function get_s3_bucket_name { - echo "`oc get secret -n default ${BACKEND_SECRET_NAME} -o jsonpath='{.data.AWS_S3_BUCKET_NAME}' | base64 --decode`" + echo "`oc get secret -n ${BACKEND_SECRET_NAMESPACE} ${BACKEND_SECRET_NAME} -o jsonpath='{.data.AWS_S3_BUCKET_NAME}' | base64 --decode`" } function get_s3_key_id { - echo "`oc get secret -n default ${BACKEND_SECRET_NAME} -o jsonpath='{.data.AWS_ACCESS_KEY_ID}' | base64 --decode`" + echo "`oc get secret -n ${BACKEND_SECRET_NAMESPACE} ${BACKEND_SECRET_NAME} -o jsonpath='{.data.AWS_ACCESS_KEY_ID}' | base64 --decode`" } function get_s3_access_key { - echo "`oc get secret -n default ${BACKEND_SECRET_NAME} -o jsonpath='{.data.AWS_SECRET_ACCESS_KEY}' | base64 --decode`" + echo "`oc get secret -n ${BACKEND_SECRET_NAMESPACE} ${BACKEND_SECRET_NAME} -o jsonpath='{.data.AWS_SECRET_ACCESS_KEY}' | base64 --decode`" } function upload_archive { diff --git a/image/tools/lib/component/mysql.sh b/image/tools/lib/component/mysql.sh index a677753..d717d2e 100644 --- a/image/tools/lib/component/mysql.sh +++ b/image/tools/lib/component/mysql.sh @@ -1,5 +1,5 @@ function check_mysql_backup_enabled { - local result=$(oc get secret -n default ${COMPONENT_SECRET_NAME} -o template --template='{{.metadata.name}}') + local result=$(oc get secret -n ${COMPONENT_SECRET_NAMESPACE} ${COMPONENT_SECRET_NAME} -o template --template='{{.metadata.name}}') if [[ "$result" == "${COMPONENT_SECRET_NAME}" ]]; then return 0 else 
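Review bot: `${BACKEND_SECRET_NAMESPACE}` is expanded unquoted on every new `oc get secret` line and nothing asserts it is set: when the variable is empty (the script run outside the templates that export it), `-n` consumes `${BACKEND_SECRET_NAME}` as the namespace and the command no longer addresses a single secret, so `check_backup_enabled` quietly returns non-zero and the getters emit an empty value instead of failing loudly. Expand it as `"${BACKEND_SECRET_NAMESPACE:?BACKEND_SECRET_NAMESPACE must be set}"` (and quote `"${BACKEND_SECRET_NAME}"` the same way) in `check_backup_enabled`, `get_s3_bucket_name`, `get_s3_key_id` and `get_s3_access_key`. The same applies to `COMPONENT_SECRET_NAMESPACE` in the mysql.sh and postgres.sh hunks and to `ENCRYPTION_SECRET_NAMESPACE` in the gpg.sh hunks. The body of `check_backup_enabled` continues past the end of the first hunk.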
@@ -8,15 +8,15 @@ function check_mysql_backup_enabled { } function get_mysql_host { - echo "`oc get secret ${COMPONENT_SECRET_NAME} -n default -o jsonpath={.data.MYSQL_HOST} | base64 --decode`" + echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.MYSQL_HOST} | base64 --decode`" } function get_mysql_user { - echo "`oc get secret ${COMPONENT_SECRET_NAME} -n default -o jsonpath={.data.MYSQL_USER} | base64 --decode`" + echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.MYSQL_USER} | base64 --decode`" } function get_mysql_password { - echo "`oc get secret ${COMPONENT_SECRET_NAME} -n default -o jsonpath={.data.MYSQL_PASSWORD} | base64 --decode`" + echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.MYSQL_PASSWORD} | base64 --decode`" } function component_dump_data { diff --git a/image/tools/lib/component/postgres.sh b/image/tools/lib/component/postgres.sh index ed0cf4d..e1d44ee 100644 --- a/image/tools/lib/component/postgres.sh +++ b/image/tools/lib/component/postgres.sh 
@@ -1,23 +1,23 @@ #!/usr/bin/env bash function get_postgres_username { - echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${component_secret_namespace} -o jsonpath={.data.POSTGRES_USERNAME} | base64 --decode`" + echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.POSTGRES_USERNAME} | base64 --decode`" } function get_postgres_password { - echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${component_secret_namespace} -o jsonpath={.data.POSTGRES_PASSWORD} | base64 --decode`" + echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.POSTGRES_PASSWORD} | base64 --decode`" } function get_postgres_host { - echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${component_secret_namespace} -o jsonpath={.data.POSTGRES_HOST} | base64 --decode`" + echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.POSTGRES_HOST} | base64 --decode`" } function get_postgres_database { - echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${component_secret_namespace} -o jsonpath={.data.POSTGRES_DATABASE} | base64 --decode`" + echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.POSTGRES_DATABASE} | base64 --decode`" } function get_postgres_superuser { - echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${component_secret_namespace} -o jsonpath={.data.POSTGRES_SUPERUSER} | base64 --decode`" + echo "`oc get secret ${COMPONENT_SECRET_NAME} -n ${COMPONENT_SECRET_NAMESPACE} -o jsonpath={.data.POSTGRES_SUPERUSER} | base64 --decode`" } function component_dump_data { @@ -54,4 +54,4 @@ function component_dump_data { done fi -} \ No newline at end of file +} diff --git a/image/tools/lib/encryption/gpg.sh b/image/tools/lib/encryption/gpg.sh index b804234..a913c29 100644 --- a/image/tools/lib/encryption/gpg.sh +++ b/image/tools/lib/encryption/gpg.sh 
@@ -1,5 +1,5 @@ function check_encryption_enabled { - local result=$(oc get secret -n default ${ENCRYPTION_SECRET_NAME} -o template --template='{{.metadata.name}}') + local result=$(oc get secret -n ${ENCRYPTION_SECRET_NAMESPACE} ${ENCRYPTION_SECRET_NAME} -o template --template='{{.metadata.name}}') if [[ "$result" == "${ENCRYPTION_SECRET_NAME}" ]]; then return 0 else @@ -8,15 +8,15 @@ function check_encryption_enabled { } function get_public_key { - echo -e "`oc get secret ${ENCRYPTION_SECRET_NAME} -n default -o jsonpath={.data.GPG_PUBLIC_KEY} | base64 --decode`" + echo -e "`oc get secret ${ENCRYPTION_SECRET_NAME} -n ${ENCRYPTION_SECRET_NAMESPACE} -o jsonpath={.data.GPG_PUBLIC_KEY} | base64 --decode`" } function get_trust_model { - echo "`oc get secret ${ENCRYPTION_SECRET_NAME} -n default -o jsonpath={.data.GPG_TRUST_MODEL} | base64 --decode`" + echo "`oc get secret ${ENCRYPTION_SECRET_NAME} -n ${ENCRYPTION_SECRET_NAMESPACE} -o jsonpath={.data.GPG_TRUST_MODEL} | base64 --decode`" } function get_recipient { - echo "`oc get secret ${ENCRYPTION_SECRET_NAME} -n default -o jsonpath={.data.GPG_RECIPIENT} | base64 --decode`" + echo "`oc get secret ${ENCRYPTION_SECRET_NAME} -n ${ENCRYPTION_SECRET_NAMESPACE} -o jsonpath={.data.GPG_RECIPIENT} | base64 --decode`" } function encrypt_prepare { diff --git a/templates/openshift/backup-cronjob-template.yaml b/templates/openshift/backup-cronjob-template.yaml index 10e5882..8cf57d0 100644 --- a/templates/openshift/backup-cronjob-template.yaml +++ b/templates/openshift/backup-cronjob-template.yaml @@ -42,8 +42,12 @@ objects: env: - name: BACKEND_SECRET_NAME value: "${BACKEND_SECRET_NAME}" + - name: BACKEND_SECRET_NAMESPACE + value: "${BACKEND_SECRET_NAMESPACE}" - name: ENCRYPTION_SECRET_NAME value: "${ENCRYPTION_SECRET_NAME}" + - name: ENCRYPTION_SECRET_NAMESPACE + value: "${ENCRYPTION_SECRET_NAMESPACE}" - name: COMPONENT_SECRET_NAME value: "${COMPONENT_SECRET_NAME}" - name: COMPONENT_SECRET_NAMESPACE 
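Review bot: `get_public_key` in the second gpg.sh hunk passes the decoded secret through `echo -e`, unlike the sibling getters `get_trust_model` and `get_recipient` which use plain `echo`, so any backslash sequence in the stored key material is rewritten before it reaches gpg; since the line is already being touched, `printf '%s\n' "$(oc get secret "${ENCRYPTION_SECRET_NAME}" -n "${ENCRYPTION_SECRET_NAMESPACE}" -o jsonpath={.data.GPG_PUBLIC_KEY} | base64 --decode)"` would return the value byte-for-byte. If the secret is deliberately stored with literal `\n` sequences that `-e` is meant to expand, that convention should be stated on the function, e.g. `# GPG_PUBLIC_KEY is stored with escaped newlines; echo -e restores them`. `encrypt_prepare` begins on the hunk's last line and its body is outside it.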
@@ -74,8 +78,14 @@ parameters: - name: BACKEND_SECRET_NAME description: Backend secret name to create environment variables from required: true + - name: BACKEND_SECRET_NAMESPACE + description: Backend secret namespace to create environment variables from + value: default - name: ENCRYPTION_SECRET_NAME - description: Encruption secret name to create environment variables from + description: Encryption secret name to create environment variables from + - name: ENCRYPTION_SECRET_NAMESPACE + description: Encryption secret namespace to create environment variables from + value: default - name: CRON_SCHEDULE description: 'Job schedule in Cron Format [Default is to trigger a job every minute for development purposes]' value: '*/1 * * * *' diff --git a/templates/openshift/backup-job-template.yaml b/templates/openshift/backup-job-template.yaml index aa93528..22292aa 100644 --- a/templates/openshift/backup-job-template.yaml +++ b/templates/openshift/backup-job-template.yaml @@ -30,8 +30,6 @@ objects: - "/opt/intly/tools/entrypoint.sh" - "-c" - "${COMPONENT}" - - "-n" - - "${COMPONENT_SECRET_NAMESPACE}" - '-b' - "${BACKEND}" - "-e" @@ -41,8 +39,12 @@ objects: env: - name: BACKEND_SECRET_NAME value: "${BACKEND_SECRET_NAME}" + - name: BACKEND_SECRET_NAMESPACE + value: "${BACKEND_SECRET_NAMESPACE}" - name: ENCRYPTION_SECRET_NAME value: "${ENCRYPTION_SECRET_NAME}" + - name: ENCRYPTION_SECRET_NAMESPACE + value: "${ENCRYPTION_SECRET_NAMESPACE}" - name: COMPONENT_SECRET_NAME value: "${COMPONENT_SECRET_NAME}" - name: COMPONENT_SECRET_NAMESPACE 
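Review bot: The two new parameter descriptions, `Backend secret namespace to create environment variables from` and `Encryption secret namespace to create environment variables from`, are copied from the `*_SECRET_NAME` entries and misstate what the value does: it is the namespace `oc get secret` reads the secret from, not a source of environment variables. Wording such as `description: Namespace the backend secret is looked up in (the job's ServiceAccount needs read access to secrets there)` tells an operator what the value implies for RBAC. The same copied wording appears on the new parameters in backup-job-template.yaml.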
@@ -74,8 +76,14 @@ parameters: description: Backend secret name to create environment variables from required: true value: s3-credentials + - name: BACKEND_SECRET_NAMESPACE + description: Backend secret namespace to create environment variables from + value: default - name: ENCRYPTION_SECRET_NAME description: Encruption secret name to create environment variables from + - name: ENCRYPTION_SECRET_NAMESPACE + description: Encruption secret namespace to create environment variables from + value: default - name: IMAGE description: 'Backup docker image URL' value: 'quay.io/integreatly/backup-container:master' diff --git a/templates/openshift/rbac/role-binding-template.yaml b/templates/openshift/rbac/role-binding-template.yaml new file mode 100644 index 0000000..2581234 --- /dev/null +++ b/templates/openshift/rbac/role-binding-template.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: v1 +kind: Template +metadata: + name: integreatly-backup-rolebinding-template + annotations: + description: RoleBinding for Integreatly backups +objects: + - apiVersion: authorization.openshift.io/v1 + kind: ClusterRoleBinding + metadata: + name: backupjob + roleRef: + name: backupjob + subjects: + - kind: ServiceAccount + name: backupjob + namespace: "${SA_NAMESPACE}" +parameters: + - name: SA_NAMESPACE + description: The namespace the ServiceAccount is stored in + value: default diff --git a/templates/openshift/rbac/role-binding.yaml b/templates/openshift/rbac/role-binding.yaml deleted file mode 100644 index e5e55c3..0000000 --- a/templates/openshift/rbac/role-binding.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: authorization.openshift.io/v1 -kind: ClusterRoleBinding -metadata: - name: backupjob -roleRef: - name: backupjob -subjects: - - kind: ServiceAccount - name: backupjob - namespace: default
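Review bot: The new `ENCRYPTION_SECRET_NAMESPACE` description reintroduces the `Encruption` misspelling that this same patch corrects in backup-cronjob-template.yaml; change it to `description: Encryption secret namespace to create environment variables from`, and fix the unchanged `ENCRYPTION_SECRET_NAME` line above it while here. Separately, both templates give the namespace parameters `value: default`, so a deployment that forgets to set them silently looks for credentials in the cluster's `default` namespace; `required: true` with no default would make that choice explicit, at the cost of the backward compatibility the default preserves.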
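Review bot: The new role-binding-template.yaml binds the `backupjob` ServiceAccount with a `ClusterRoleBinding`, which grants whatever the `backupjob` role allows in every namespace, while only the ServiceAccount's own namespace is parameterised. If that role exists to let the job read the backend, encryption and component secrets (the role itself is not in this patch), a namespaced `RoleBinding` created in each of `BACKEND_SECRET_NAMESPACE`, `ENCRYPTION_SECRET_NAMESPACE` and `COMPONENT_SECRET_NAMESPACE` would confine secret access to those namespaces; if cluster scope is intended, say so in the annotation, e.g. `description: Cluster-wide RoleBinding for Integreatly backups (grants the backupjob role in all namespaces)`. The deleted role-binding.yaml hardcoded `namespace: default`, which the new `SA_NAMESPACE` default preserves.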