chore(passport): add initApplications to charts

Author: duanhongyi

charts/passport/templates/_helpers.tpl

@@ -16,75 +16,16 @@ rbac.authorization.k8s.io/v1
 env:
 - name: "TZ"
   value: {{ .Values.time_zone | default "UTC" | quote }}
-{{- if (.Values.initGrafanaKey) }}
-- name: "DRYCC_GRAFANA_DOMAIN"
-{{- if .Values.global.certManagerEnabled }}
-  value: https://drycc-monitor-grafana.{{ .Values.global.platformDomain }}
-{{- else }}
-  value: http://drycc-monitor-grafana.{{ .Values.global.platformDomain }}
-{{- end }}
-- name: DRYCC_PASSPORT_GRAFANA_KEY
-  valueFrom:
-    secretKeyRef:
-      name: passport-creds
-      key: drycc-passport-grafana-key
-- name: DRYCC_PASSPORT_GRAFANA_SECRET
-  valueFrom:
-    secretKeyRef:
-      name: passport-creds
-      key: drycc-passport-grafana-secret
-{{- end }}
-{{- if (.Values.initManagerKey) }}
-- name: "DRYCC_MANAGER_DOMAIN"
-{{- if .Values.global.certManagerEnabled }}
-  value: https://drycc-manager.{{ .Values.global.platformDomain }}
-{{- else }}
-  value: http://drycc-manager.{{ .Values.global.platformDomain }}
-{{- end }}
-- name: DRYCC_PASSPORT_MANAGER_KEY
-  valueFrom:
-    secretKeyRef:
-      name: passport-creds
-      key: drycc-passport-manager-key
-- name: DRYCC_PASSPORT_MANAGER_SECRET
-  valueFrom:
-    secretKeyRef:
-      name: passport-creds
-      key: drycc-passport-manager-secret
-{{- end }}
-{{- if (.Values.initControllerKey) }}
-- name: "DRYCC_CONTROLLER_DOMAIN"
-{{- if .Values.global.certManagerEnabled }}
-  value: https://drycc.{{ .Values.global.platformDomain }}
-{{- else }}
-  value: http://drycc.{{ .Values.global.platformDomain }}
-{{- end }}
-- name: DRYCC_SECRET_KEY
-  valueFrom:
-    secretKeyRef:
-      name: passport-creds
-      key: django-secret-key
-- name: DRYCC_PASSPORT_CONTROLLER_KEY
-  valueFrom:
-    secretKeyRef:
-      name: passport-creds
-      key: drycc-passport-controller-key
-- name: DRYCC_PASSPORT_CONTROLLER_SECRET
-  valueFrom:
-    secretKeyRef:
-      name: passport-creds
-      key: drycc-passport-controller-secret
-{{- end }}
-- name: WORKFLOW_NAMESPACE
-  valueFrom:
-    fieldRef:
-      fieldPath: metadata.namespace
 - name: ADMIN_USERNAME
   value: {{ .Values.adminUsername | default "admin" | quote }}
 - name: ADMIN_PASSWORD
   value: {{ .Values.adminPassword | default "admin" | quote }}
 - name: ADMIN_EMAIL
   value: {{ .Values.adminEmail | default "admin@email.com" | quote }}
+- name: PLATFORM_DOMAIN
+  value: {{ .Values.global.platformDomain }}
+- name: CERT_MANAGER_ENABLED
+  value: "{{ .Values.global.certManagerEnabled }}"
 {{- if (.Values.databaseUrl) }}
 - name: DRYCC_DATABASE_URL
   valueFrom:
@@ -152,6 +93,9 @@ volumeMounts:
   - name: passport-creds
     mountPath: /var/run/secrets/drycc/passport
     readOnly: true
+  - name: passport-config
+    mountPath: /etc/drycc/passport
+    readOnly: true
 {{- end }}
 
 
@@ -161,4 +105,7 @@ volumes:
   - name: passport-creds
     secret:
       secretName: passport-creds
+  - name: passport-config
+    configMap:
+      name: passport-config
 {{- end }}

charts/passport/templates/passport-configmap.yaml

@@ -0,0 +1,12 @@
+{{- if eq .Values.global.passportLocation "on-cluster" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: passport-config
+  labels:
+    heritage: drycc
+data:
+data:
+  init-applications.json: |-
+{{ toPrettyJson .Values.initApplications | indent 4 }}
+{{- end }}

charts/passport/templates/passport-secret-creds.yaml

@@ -16,16 +16,10 @@ data:
   {{- end }}
   django-secret-key: {{ randAscii 64 | b64enc }}
   oidc-rsa-private-key: "{{genPrivateKey "rsa" | b64enc}}"
-  {{- if (.Values.initGrafanaKey) }}
-  drycc-passport-grafana-key: {{ randAlphaNum 40 | b64enc }}
-  drycc-passport-grafana-secret: {{ randAlphaNum 64 | b64enc }}
+  {{- range $item := .Values.initApplications }}
+  {{- if ($item.prefix) }}
+  drycc-passport-{{$item.name | replace " " "-" | lower}}-key: {{ if $item.key | default "" | ne "" }}{{ $item.key | b64enc }}{{ else }}{{ randAlphaNum 40 | b64enc }}{{ end }}
+  drycc-passport-{{$item.name | replace " " "-" | lower}}-secret: {{ if $item.secret | default "" | ne "" }}{{ $item.secret | b64enc }}{{ else }}{{ randAlphaNum 64 | b64enc }}{{ end }}
   {{- end }}
-  {{- if (.Values.initManagerKey) }}
-  drycc-passport-manager-key: {{ randAlphaNum 40 | b64enc }}
-  drycc-passport-manager-secret: {{ randAlphaNum 64 | b64enc }}
-  {{- end }}
-  {{- if (.Values.initControllerKey) }}
-  drycc-passport-controller-key: {{ randAlphaNum 40 | b64enc }}
-  drycc-passport-controller-secret: {{ randAlphaNum 64 | b64enc }}
   {{- end }}
 {{- end }}

charts/passport/values.yaml

@@ -66,10 +66,22 @@ adminUsername: "admin"
 adminPassword: "admin"
 adminEmail: "admin@email.com"
 
-# The following configurations represent whether to initialize oauth2 application key
-initGrafanaKey: true
-initManagerKey: false
-initControllerKey: true
+# The following configurations to initialize oauth2 application
+# Names are all lowercase letters
+# The key and secret are generated automatically if they are empty
+# If prefix is not empty, it represents internal application.
+#
+initApplications:
+- name: "controller"
+  key: ""
+  secret: ""
+  prefix: "drycc"
+  redirect_uri: "/v2/complete/drycc/"
+- name: "grafana"
+  key: ""
+  secret: ""
+  prefix: "drycc-monitor-grafana"
+  redirect_uri: "/login/generic_oauth"
 
 # Service
 service:

rootfs/api/management/commands/create_oauth2_application.py

@@ -1,57 +1,70 @@
 import os
+import json
+import random
+import string
+import pathlib
 from django.contrib.auth import get_user_model
 from django.core.management.base import BaseCommand
 from oauth2_provider.models import Application
 
+
 User = get_user_model()
+secrets_path = "/var/run/secrets/drycc/passport"
 
 
 class Command(BaseCommand):
     """Management command for create Oauth2 application"""
 
+    def add_arguments(self, parser):
+        super(Command, self).add_arguments(parser)
+        parser.add_argument(
+            '--path', dest='path', default=None,
+            help='Specifies the path for the secret.',
+        )
+
     def handle(self, *args, **options):
-        app_list = []
-        if os.environ.get('DRYCC_GRAFANA_DOMAIN'):
-            app_list.append({
-                "name": "GRAFANA",
-                 "redirect_uri": f"{os.environ.get('DRYCC_GRAFANA_DOMAIN')}/login/generic_oauth"  # noqa
-            })
-        if os.environ.get('DRYCC_MANAGER_DOMAIN'):
-            app_list.append({
-                "name": "MANAGER",
-                 "redirect_uri": f"{os.environ.get('DRYCC_MANAGER_DOMAIN')}/v1/complete/drycc/"  # noqa
-            })
-        if os.environ.get('DRYCC_CONTROLLER_DOMAIN'):
-            app_list.append({
-                "name": "CONTROLLER",
-                "redirect_uri": f"{os.environ.get('DRYCC_CONTROLLER_DOMAIN')}/v2/complete/drycc/"  # noqa
-            })
-        for app in app_list:
-            client_id = os.environ.get(
-                f'DRYCC_PASSPORT_{app["name"]}_KEY') if os.environ.get(
-                f'DRYCC_PASSPORT_{app["name"]}_KEY') else None
-            client_secret = os.environ.get(
-                f'DRYCC_PASSPORT_{app["name"]}_SECRET') if os.environ.get(
-                f'DRYCC_PASSPORT_{app["name"]}_SECRET') else None
-            if not all([client_id, client_secret]):
-                self.stdout.write('client_id or client_secret non-existent')
-                return
-            user = User.objects.filter(is_superuser=True).first()
-            if not user:
-                self.stdout.write("Cannot create because there is no superuser")
+        base_path = options.get('path', '')
+        user = User.objects.filter(is_superuser=True).first()
+        for item in json.loads(pathlib.Path(base_path).read_text()):
+            name = item["name"]
+            key = self._get_creds(item, "key", 40)
+            secret = self._get_creds(item, "secret", 60)
+            redirect_uri = self._get_redirect_uri(item)
             _, updated = Application.objects.update_or_create(
-                name='Drycc ' + app["name"].title(),
+                name=name.lower(),
                 defaults={
-                    'client_id': client_id,
-                    'client_secret': client_secret,
+                    'client_id': key,
+                    'client_secret': secret,
                     'user': user,
-                    'redirect_uris': app["redirect_uri"],
+                    'redirect_uris': redirect_uri,
                     'authorization_grant_type': 'authorization-code',
-                    'client_type': 'Public',
+                    'client_type': 'public',
                     'algorithm': 'RS256'
                 }
             )
             if updated:
-                self.stdout.write(f'Drycc {app["name"]} app created')
+                self.stdout.write('Drycc % app created' % name)
+            else:
+                self.stdout.write('Drycc % app updated' % name)
+
+    def _get_creds(self, item, suffix, size):
+        name, secret, prefix = item["name"], item[suffix], item["prefix"]
+        if not secret:
+            default_secret_path = os.path.join(
+                secrets_path, "drycc-passport-%s-%s" % (name, suffix))
+            if prefix and os.path.exists(default_secret_path):
+                secret = pathlib.Path(default_secret_path).read_text()
+            else:
+                secret = ''.join([random.choice(string.ascii_letters) for _ in range(size)])
+        return secret
+
+    def _get_redirect_uri(self, item):
+        prefix = item["prefix"]
+        domain = os.environ.get("PLATFORM_DOMAIN")
+        redirect_uri = item["redirect_uri"]
+        if prefix:
+            if os.environ.get("CERT_MANAGER_ENABLED") == "true":
+                redirect_uri = f"https://{prefix}.{domain}{redirect_uri}"
             else:
-                self.stdout.write(f'Drycc {app["name"]} app updated')
+                redirect_uri = f"http://{prefix}.{domain}{redirect_uri}"
+        return redirect_uri

rootfs/bin/boot

@@ -38,7 +38,7 @@ fi
 
 echo ""
 echo "Create application for drycc controller "
-python /workspace/manage.py create_oauth2_application
+python /workspace/manage.py create_oauth2_application --path /etc/drycc/passport/init-applications.json
 
 # spawn a gunicorn server in the background
 echo ""