#1904: more changes
jefflill committed Apr 20, 2024
1 parent cc3dc0a commit d713133
Showing 8 changed files with 62 additions and 63 deletions.
9 changes: 4 additions & 5 deletions Lib/Neon.Kube.Setup/KubeSetup.Operations.cs
Expand Up @@ -5008,7 +5008,7 @@ await controlNode.InvokeIdempotentAsync("setup/harbor-login",

await Task.CompletedTask;
#if TODO
var user = await KubeHelper.GetClusterLdapUserAsync(k8s, "root");
var user = await KubeHelper.GetClusterLdapUserAsync(k8s, KubeConst.SysAdminUser);
var password = user.Password;
var command = $"echo '{password}' | podman login registry.neon.local --username {user.Name} --password-stdin";

Expand All @@ -5034,7 +5034,7 @@ await controlNode.InvokeIdempotentAsync("setup/harbor-login",
await controlNode.InvokeIdempotentAsync("setup/harbor-login-workstation",
async () =>
{
var user = await KubeHelper.GetClusterLdapUserAsync(k8s, "root");
var user = await KubeHelper.GetClusterLdapUserAsync(k8s, KubeConst.SysAdminUser);
var password = user.Password;

if (!string.IsNullOrEmpty(NeonHelper.DockerCli))
Expand All @@ -5046,8 +5046,7 @@ await controlNode.InvokeIdempotentAsync("setup/harbor-login-workstation",
{
"login",
$"{ClusterHost.HarborRegistry}.{cluster.SetupState.ClusterDomain}",
"--username",
"root",
"--username", KubeConst.SysAdminUser,
"--password-stdin"
},
input: new StringReader(cluster.SetupState.SsoPassword));
Expand Down Expand Up @@ -5898,7 +5897,7 @@ public static async Task InstallGlauthAsync(ISetupController controller, NodeSsh
values.Add("config.backend.database.user", KubeConst.NeonSystemDbServiceUser);
values.Add("config.backend.database.password", dbPassword);

values.Add("users.root.password", cluster.SetupState.SsoPassword);
values.Add("users.sysadmin.password", cluster.SetupState.SsoPassword);
values.Add("users.serviceuser.password", NeonHelper.GetCryptoRandomPassword(cluster.SetupState.ClusterDefinition.Security.PasswordLength));

if (serviceAdvice.PodMemoryRequest.HasValue && serviceAdvice.PodMemoryLimit.HasValue)
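Review bot: The Helm value key `"users.sysadmin.password"` on the new side of the last hunk is a bare string that must agree with the `[[users]]` entry name in the GLAuth configmap template and with `values.yaml`, and nothing ties it to `KubeConst.SysAdminUser`, which the first two hunks now use for the same account; a comment such as `// Key must match the sysadmin [[users]] entry in the glauth configmap template.` would make that coupling visible. Separately, the `#if TODO` block in the first hunk still builds `echo '{password}' | podman login …` as one shell string, so if it is ever re-enabled a password containing a single quote breaks the command and the password is visible in the node's process list; the workstation hunk already shows the safer form, passing the password via `input: new StringReader(...)`. `InstallGlauthAsync` and the enclosing idempotent actions start outside these hunks.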
8 changes: 4 additions & 4 deletions Lib/Neon.Kube.Setup/KubeSetup.PrepareCluster.cs
Expand Up @@ -298,7 +298,7 @@ public static async Task<ISetupController> CreateClusterPrepareControllerAsync(
//
// WARNING: This should never be used for production clusters!

setupState.SshPassword = KubeConst.SysAdminPassword;
setupState.SshPassword = KubeConst.SysAdminInsecurePassword;
}
else
{
Expand Down Expand Up @@ -326,9 +326,9 @@ public static async Task<ISetupController> CreateClusterPrepareControllerAsync(

if (desktopReadyToGo || options.Insecure)
{
// We're going to configure a fixed password for NEONDESKTOP clusters.
// We're going to configure a fixed password for NEONDESKTOP and insecure clusters.

setupState.SshPassword = KubeConst.SysAdminPassword;
setupState.SshPassword = KubeConst.SysAdminInsecurePassword;
}
else
{
Expand Down Expand Up @@ -371,7 +371,7 @@ public static async Task<ISetupController> CreateClusterPrepareControllerAsync(
controller.SetGlobalStepStatus("generate: SSO password");

setupState.SsoUsername = KubeConst.SysAdminUser;
setupState.SsoPassword = clusterDefinition.RootPassword ?? NeonHelper.GetCryptoRandomPassword(clusterDefinition.Security.PasswordLength);
setupState.SsoPassword = clusterDefinition.SsoPassword ?? NeonHelper.GetCryptoRandomPassword(clusterDefinition.Security.PasswordLength);

setupState.Save();
});
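Review bot: `clusterDefinition.SsoPassword ?? NeonHelper.GetCryptoRandomPassword(...)` in the last hunk treats an empty string as a supplied password, so a definition file containing `ssoPassword: ""` would provision a cluster whose SSO admin password is empty, and a non-empty value is accepted without any check against `Security.PasswordLength`, which only sizes the generated default. Consider `setupState.SsoPassword = string.IsNullOrEmpty(clusterDefinition.SsoPassword) ? NeonHelper.GetCryptoRandomPassword(clusterDefinition.Security.PasswordLength) : clusterDefinition.SsoPassword;`, or reject empty/short values where the cluster definition is validated. `CreateClusterPrepareControllerAsync` starts before and ends after these hunks.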
4 changes: 3 additions & 1 deletion Lib/Neon.Kube.Setup/KubeSetup.cs
Expand Up @@ -194,7 +194,9 @@ public static ClusterDefinition GetDesktopClusterDefinition(HostingEnvironment h
clusterDefinition.Hosting.Hypervisor.VCpus = 3;
}

clusterDefinition.RootPassword = KubeConst.RootDesktopPassword;
// Use the insecure password for NeonDESKTOP clusters.

clusterDefinition.SsoPassword = KubeConst.SysAdminInsecurePassword;

return clusterDefinition;
}
Expand Up @@ -79,13 +79,13 @@ stringData:
# This user record shows all of the possible fields available
[[users]]
name = "root"
givenname="root"
name = "sysadmin"
givenname="sysadmin"
sn=""
mail = "sysadmin@{{ $clusterDomain }}"
uidnumber = 5001
primarygroup = 5501
passsha256 = "{{ .Values.users.root.password | sha256sum }}" # {{ .Values.users.root.password }}
passsha256 = "{{ .Values.users.sysadmin.password | sha256sum }}" # {{ .Values.users.sysadmin.password }}
[[users]]
name = "serviceuser"
givenname="serviceuser"
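Review bot: The new `passsha256` line keeps the trailing `# {{ .Values.users.sysadmin.password }}` comment, which renders the SSO admin password in plaintext into the GLAuth config right next to its hash; only the hash is needed, so the trailer should be dropped: `passsha256 = "{{ .Values.users.sysadmin.password | sha256sum }}"`. The config is rendered under `stringData`, so it lands in a Secret rather than a ConfigMap, but the plaintext copy still widens what anyone who can read that Secret or a debug dump of the rendered template obtains. The `serviceuser` entry's password line is outside the hunk and presumably follows the same pattern; if the GLAuth version in use supports `passbcrypt`, moving off an unsalted SHA-256 would be a sensible follow-up.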
2 changes: 0 additions & 2 deletions Lib/Neon.Kube.Setup/Resources/Helm/glauth/values.yaml
Expand Up @@ -109,8 +109,6 @@ config:
enabled: false

users:
root:
password: ""
sysadmin:
password: ""
user:
13 changes: 10 additions & 3 deletions Lib/Neon.Kube/ClusterDef/ClusterDefinition.cs
Expand Up @@ -617,14 +617,21 @@ internal bool IsSpecialNeonCluster
public Dictionary<string, NodeDefinition> NodeDefinitions { get; set; } = new Dictionary<string, NodeDefinition>(StringComparer.OrdinalIgnoreCase);

/// <summary>
/// <para>
/// Optionally specifies the cluster root single sign-on (SSO) password. A random password
/// with of <see cref="SecurityOptions.PasswordLength"/> will be created by default when no
/// password is specified here.
/// </para>
/// <note>
/// The NeonDESKTOP SSO cluster's SSO password is always set to <see cref="KubeConst.SysAdminInsecurePassword"/>
/// to make the cluster easier to use. This isn't a big security risk, because the desktop cluster is
/// not accessable from the LAN.
/// </note>>
/// </summary>
[JsonProperty(PropertyName = "RootPassword", Required = Required.Default)]
[YamlMember(Alias = "rootPassword", ApplyNamingConventions = false)]
[JsonProperty(PropertyName = "SsoPassword", Required = Required.Default)]
[YamlMember(Alias = "ssoPassword", ApplyNamingConventions = false)]
[DefaultValue(null)]
public string RootPassword { get; set; } = null;
public string SsoPassword { get; set; } = null;

/// <summary>
/// Clones the current cluster definition and then removes any hosting related
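Review bot: The new `SsoPassword` XML doc has wording and markup defects: `with of <see cref="SecurityOptions.PasswordLength"/>` should read `of length <see cref="SecurityOptions.PasswordLength"/>`, `accessable` should be `accessible`, `The NeonDESKTOP SSO cluster's SSO password` repeats `SSO`, and the closing `</note>>` has a stray `>`. The serialized names also change from `RootPassword`/`rootPassword` to `SsoPassword`/`ssoPassword`; with `Required.Default`, an existing definition file that still says `rootPassword` will be silently ignored and the cluster will get a random SSO password instead of the intended one, so either keep the old name as an alias or call the rename out in release notes — I can't tell from here whether such files are expected. The doc should also state that a supplied value is used verbatim, since no length or complexity check is visible in this commit and `PasswordLength` only governs the generated default.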
4 changes: 2 additions & 2 deletions Lib/Neon.Kube/Kube/KubeHelper.cs
Expand Up @@ -1957,9 +1957,9 @@ private static string GetSshKeyGenPath()
/// Creates a SSH key for a NEONKUBE cluster.
/// </summary>
/// <param name="clusterName">The cluster name.</param>
/// <param name="userName">Optionally specifies the user name (defaults to <b>root</b>).</param>
/// <param name="userName">Specifies the user name.</param>
/// <returns>A <see cref="KubeSshKey"/> holding the public and private parts of the key.</returns>
public static KubeSshKey GenerateSshKey(string clusterName, string userName = "root")
public static KubeSshKey GenerateSshKey(string clusterName, string userName)
{
Covenant.Requires<ArgumentNullException>(!string.IsNullOrEmpty(clusterName), nameof(clusterName));
Covenant.Requires<ArgumentNullException>(!string.IsNullOrEmpty(userName), nameof(userName));
79 changes: 36 additions & 43 deletions Lib/Neon.Kube/KubeConst.cs
Expand Up @@ -49,94 +49,87 @@ public static class KubeConst
public static readonly TimeSpan MaxJitter = TimeSpan.FromMilliseconds(250);

/// <summary>
/// The maximum number of cluster control-plane nodes.
/// Specifies the maximum number of cluster control-plane nodes.
/// </summary>
public const int MaxControlPlaneNodes = 5;

/// <summary>
/// The minimum number of vCPUs required by control-plane nodes.
/// Specifies the minimum number of vCPUs required by control-plane nodes.
/// </summary>
public const int MinControlNodeVCpus = 2;

/// <summary>
/// The minimum number of vCPUs required by worker nodes.
/// Specifies the minimum number of vCPUs required by worker nodes.
/// </summary>
public const int MinWorkerNodeVCpus = 4;

/// <summary>
/// The minimum RAM (MiB) required for control-plane nodes.
/// Specifies the minimum RAM (MiB) required for control-plane nodes.
/// </summary>
public const int MinControlPlaneNodeRamMiB = 8192;

/// <summary>
/// The minimum RAM (MiB) required for worker nodes.
/// Specifies the minimum RAM (MiB) required for worker nodes.
/// </summary>
public const int MinWorkerNodeRamMiB = 8192;

/// <summary>
/// The minimum required network interface cards for control-plane nodes.
/// Specifies the minimum required network interface cards for control-plane nodes.
/// </summary>
public const int MinControlPlaneNodeNics = 1;

/// <summary>
/// The minimum required network interface cards for worker nodes.
/// Specifies the minimum required network interface cards for worker nodes.
/// </summary>
public const int MinWorkerNodeNics = 1;

/// <summary>
/// <para>
/// The fixed SSO password for desktop clusters.
/// </para>
/// <note>
/// This isn't really a security risk because the desktop cluster cannot be
/// reached from outside the computer because the cluster IP address is not
/// routable.
/// </note>
/// </summary>
public const string RootDesktopPassword = "root";

/// <summary>
/// The NEONKUBE domain used to host NEONKUBE cluster DNS records.
/// Specifies the NEONKUBE domain used to host NEONKUBE cluster DNS records.
/// </summary>
public const string NeonClusterDomain = "neoncluster.io";

/// <summary>
/// The fixed ID for all desktop clusters.
/// Specifies the fixed ID for all desktop clusters.
/// </summary>
public const string DesktopClusterId = $"desktop";

/// <summary>
/// The fixed domain for all desktop clusters.
/// Specifies the fixed domain for all desktop clusters.
/// </summary>
public const string DesktopClusterDomain = $"{DesktopClusterId}.{NeonClusterDomain}";

/// <summary>
/// The default host machine sysadmin username.
/// Specifies the default host machine sysadmin username.
/// </summary>
public const string SysAdminUser = "sysadmin";

/// <summary>
/// The default host machine sysadmin user ID.
/// Specifies the default host machine sysadmin user ID.
/// </summary>
public const int SysAdminUID = 1000;

/// <summary>
/// The default host machine sysadmin group.
/// Specifies the default host machine sysadmin group.
/// </summary>
public const string SysAdminGroup = "sysadmin";

/// <summary>
/// The default host machine sysadmin group ID.
/// Specifies the default host machine sysadmin group ID.
/// </summary>
public const int SysAdminGID = 1000;

/// <summary>
/// The default <b>sysadmin</b> account password baked into NEONKUBE
/// Specifies the default <b>sysadmin</b> account password baked into NEONKUBE
/// base images. This will generally be changed to a secure password
/// during cluster provisioning.
/// </summary>
public const string SysAdminPassword = "sysadmin0000";

/// <summary>
/// Specifies the SSH and SSO passwords to be used for NeonDESKTOP and insecure clusters.
/// </summary>
public const string SysAdminInsecurePassword = "sysadmin";

/// <summary>
/// <b>$/etc/hosts</b> section name used by NEONKUBE applications for persisting
/// DNS host entries via <see cref="NetHelper.ModifyLocalHosts(string, Dictionary{string, System.Net.IPAddress})"/>.
Expand All @@ -145,14 +138,14 @@ public static class KubeConst

/// <summary>
/// <para>
/// The default name for the local <see cref="k8s.Models.V1StorageClass"/>
/// Specifies the default name for the local <see cref="k8s.Models.V1StorageClass"/>
/// </para>
/// </summary>
public const string LocalStorageClassName = "local-storage";

/// <summary>
/// <para>
/// The default path for the <see cref="LocalStorageClassName"/>
/// Specifies the default path for the <see cref="LocalStorageClassName"/>
/// </para>
/// <note>
/// This is temporary, once Kubernetes supports dynamic provisioning of local storage volumes, we'll use
Expand All @@ -178,7 +171,7 @@ public static class KubeConst
public const string ImagePrebuiltDesktopPath = "/etc/neonkube/prebuilt-desktop";

/// <summary>
/// The number of IP addresses reserved by cloud deployments at the beginning of the
/// Specifies the number of IP addresses reserved by cloud deployments at the beginning of the
/// node subnet by the cloud provider and also for future NEONKUBE features.
/// This typically includes the cloud default gateway and DNS forwarding IPs as well
/// as potential future NEONKUBE features such as an integrated VPN and perhaps
Expand All @@ -187,7 +180,7 @@ public static class KubeConst
public const int CloudSubnetStartReservedIPs = 10;

/// <summary>
/// The number of IP addresses reserved by cloud deployments at the end of the node
/// Specifies the number of IP addresses reserved by cloud deployments at the end of the node
/// subnet by the cloud provider. This typically includes the network UDP broadcast
/// address.
/// </summary>
Expand All @@ -204,19 +197,19 @@ public static class KubeConst
public const string DefaultServiceSubnet = "10.253.0.0/16";

/// <summary>
/// The container image tag used to reference cluster container images tagged
/// Specifies the container image tag used to reference cluster container images tagged
/// our prefix and the cluster version number.
/// </summary>
public const string NeonKubeImageTag = "neonkube-" + KubeVersions.NeonKube;

/// <summary>
/// The size of the OS disk used for base images.
/// Specifies the size of the OS disk used for base images.
/// </summary>
public const int BaseDiskSizeGiB = 10;

/// <summary>
/// <para>
/// The minimum supported cluster node disk size in GiB.
/// Specifies the minimum supported cluster node disk size in GiB.
/// </para>
/// <note>
/// This size should match the size of the virtual disks created the base
Expand All @@ -226,7 +219,7 @@ public static class KubeConst
public const int MinNodeDiskSizeGiB = 48;

/// <summary>
/// The maximum support cluster node disk size in GiB.
/// Specifies the maximum support cluster node disk size in GiB.
/// </summary>
public const int MaxNodeDiskSizeGiB = 16 * 1024;

Expand All @@ -253,7 +246,7 @@ public static class KubeConst
public const string LocalClusterRegistryHostName = $"registry.{ClusterNodeDomain}";

/// <summary>
/// The local cluster registry project.
/// Specifies the local cluster registry project.
/// </summary>
public const string LocalClusterRegistryProject = "neonkube";

Expand All @@ -266,7 +259,7 @@ public static class KubeConst
/// User name used to log CRI-O on the cluster nodes into the local
/// Harbor registry via <b>podman</b>.
/// </summary>
public const string HarborCrioUser = "root"; // $todo(jefflill): change this to "neon-harbor-crio" (https://github.com/nforgeio/neonKUBE/issues/1404)
public const string HarborCrioUser = "sysadmin"; // $todo(jefflill): change this to "neon-harbor-crio" (https://github.com/nforgeio/neonKUBE/issues/1404)

/// <summary>
/// Returns the Harbor Project name.
Expand Down Expand Up @@ -391,14 +384,14 @@ public static class KubeConst
public const string ClusterImagesLastChecked = "cluster-images-last-checked";

/// <summary>
/// The name used by the <see cref="HostingEnvironment.HyperV"/> hosting manager
/// Specifies the name used by the <see cref="HostingEnvironment.HyperV"/> hosting manager
/// for creating the internal virtual switch where the NEONDESKTOP cluster
/// as well as user-defined internal clusters will be attached.
/// </summary>
public const string HyperVInternalSwitchName = "neon-internal";

/// <summary>
/// The NEONDESKTOP cluster name.
/// Specifies the NEONDESKTOP cluster name.
/// </summary>
public const string NeonDesktopClusterName = "neon-desktop";

Expand All @@ -418,7 +411,7 @@ public static class KubeConst
public const string ClusterLogName = "cluster.log";

/// <summary>
/// The maximum size in bytes of a node image part published as a GitHub release.
/// Specifies the maximum size in bytes of a node image part published as a GitHub release.
/// </summary>
public const long NodeImagePartSize = (long)(100 * ByteUnits.MebiBytes);

Expand All @@ -428,17 +421,17 @@ public static class KubeConst
public const string NeonKubeResourceGroup = "neonkube.io";

/// <summary>
/// The minimum amount of OS disk on a cluster node after accounting for Minio volumes.
/// Specifies the minimum amount of OS disk on a cluster node after accounting for Minio volumes.
/// </summary>
public const string MinimumOsDiskAfterMinio = "40 GiB";

/// <summary>
/// The CIR-O socket.
/// Specifies the CIR-O socket path.
/// </summary>
public const string CrioSocketPath = "/var/run/crio/crio.sock";

/// <summary>
/// The maximum label length allowed.
/// Specifies the maximum label length allowed.
/// </summary>
public const byte MaxLabelLength = 63;

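Review bot: The new `SysAdminInsecurePassword` constant drops the rationale that accompanied the removed `RootDesktopPassword` (the desktop cluster's address is not routable from outside the host) while gaining a second use, `--insecure` clusters, that the rationale does not cover; its doc should say so, e.g. a `<note>` after the summary: `This is a fixed, publicly known credential. It is acceptable for NeonDESKTOP clusters because they are not reachable from the LAN; clusters provisioned with the insecure option expose it and must never be used in production.` `SysAdminPassword` and `SysAdminInsecurePassword` are now two similarly named fixed credentials, so the first's doc could cross-reference the second and state when each applies. `HarborCrioUser` changing to `"sysadmin"` presumably means cluster nodes log CRI-O into Harbor with the same account that is the SSO admin; the existing `$todo` already tracks a dedicated user, so this is only a note that the commit widens that account's footprint.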
