feat(password-file): generated by a job at each install/upgrade

charts/ontopic-studio/templates/config.yaml

@@ -14,11 +14,3 @@ data:
 {{- end }}
 {{- end }}
 {{- end }}
---- # Identity Service
-apiVersion: v1
-kind: Secret
-metadata:
-    name: password-file-db
-type: Opaque
-data:
-{{ (.Files.Glob "identity/password-file-db").AsSecrets | indent 4 }}

charts/ontopic-studio/templates/job.yaml → charts/ontopic-studio/templates/jobs/cookie.yaml

@@ -1,38 +1,39 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ .Release.Name }}-pre-install
+  name: {{ .Release.Name }}-secret
   annotations:
     helm.sh/hook: pre-install
     helm.sh/hook-weight: "-2"
 rules:
   - apiGroups: [""]
+    resourceNames: ["cookie-secret"]
     resources: ["secrets"]
     verbs: ["create"]
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Release.Name }}-pre-install
+  name: {{ .Release.Name }}-secret
   annotations:
     helm.sh/hook: pre-install
     helm.sh/hook-weight: "-2"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ .Release.Name }}-pre-install
+  name: {{ .Release.Name }}-secret
   annotations:
     helm.sh/hook: pre-install
     helm.sh/hook-weight: "-1"
 subjects:
   - kind: ServiceAccount
     namespace: {{ .Release.Namespace }}
-    name: {{ .Release.Name }}-pre-install
+    name: {{ .Release.Name }}-secret
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ .Release.Name }}-pre-install
+  name: {{ .Release.Name }}-secret
 ---
 apiVersion: batch/v1
 kind: Job
@@ -46,6 +47,7 @@ metadata:
   annotations:
     helm.sh/hook: pre-install
     helm.sh/hook-weight: "1"
+    helm.sh/hook-delete-policy: hook-succeeded,hook-failed
 spec:
   template:
     metadata:
@@ -55,7 +57,7 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name | quote }}
         helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     spec:
-      serviceAccountName: {{ .Release.Name }}-pre-install
+      serviceAccountName: {{ .Release.Name }}-secret
       restartPolicy: Never
       containers:
       - name: generate-secret

charts/ontopic-studio/templates/jobs/users.yaml

@@ -0,0 +1,134 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-generate-users
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-2"
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-delete-users
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-2"
+rules:
+  - apiGroups: [""]
+    resourceNames: ["password-file-db"]
+    resources: ["secrets"]
+    verbs: ["delete"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-generate-users
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-2"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-generate-users
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-1"
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: {{ .Release.Name }}-generate-users
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-generate-users
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-delete-users
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-1"
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: {{ .Release.Name }}-generate-users
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-delete-users
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}-generate-password-db-file
+  labels:
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "1"
+    helm.sh/hook-delete-policy: hook-succeeded,hook-failed
+spec:
+  template:
+    metadata:
+      name: "{{ .Release.Name }}"
+      labels:
+        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+        app.kubernetes.io/instance: {{ .Release.Name | quote }}
+        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    spec:
+      serviceAccountName: {{ .Release.Name }}-generate-users
+      restartPolicy: Never
+      containers:
+      - name: user-creation
+        image: ghcr.io/ontopic-vkg/ontopic-helm/user-creation:helm-v2024.1.3 #{{ .Chart.AppVersion }}
+        command:
+        command:
+        - "sh"
+        - "-c"
+        - >-
+            FILE="/users/users";
+            if [ -f "$FILE" ]; then
+              /usr/local/bin/entrypoint.sh -j $FILE -o /mnt/secret;
+            else
+              echo "No password-db-users secret found";
+            fi;
+            exit 0
+        volumeMounts:
+        - name: users
+          mountPath: /users
+          readOnly: true
+        - name: secret
+          mountPath: /mnt/secret
+      - name: create-secret
+        image: bitnami/kubectl:latest
+        command:
+        - "sh"
+        - "-c"
+        - >-
+            FILE="/mnt/secret/password-file-db";
+            NAME="password-file-db";
+            if [ -f "$FILE" ]; then
+              kubectl delete secret $NAME;
+              kubectl create secret generic $NAME --from-file=$NAME=$FILE;
+            fi;
+            exit 0
+        volumeMounts:
+        - name: secret
+          mountPath: /mnt/secret
+      restartPolicy: Never
+      volumes:
+      volumes:
+      - name: users
+        secret:
+          secretName: password-db-users
+      - name: secret
+        emptyDir: {}

charts/ontopic-studio/values.yaml

@@ -99,6 +99,7 @@ tolerations: []
 
 affinity: {}
 
+
 services:
   ##--- Angular frontend
   angular-frontend:
@@ -176,7 +177,7 @@ services:
       ONTOPIC_IDENTITY_SERVICE_SESSION_SCOPE:
       ONTOPIC_IDENTITY_SERVICE_SESSION_STORE_FILE: /etc/identity-service/data/session.db
       ONTOPIC_IDENTITY_SERVICE_CLIENT_ID:
-      ONTOPIC_IDENTITY_SERVICE_CLIENT_SECRET_FILE: 
+      ONTOPIC_IDENTITY_SERVICE_CLIENT_SECRET_FILE:
       ONTOPIC_IDENTITY_SERVICE_COOKIE_PREFIX: _ontopic-studio
       ONTOPIC_IDENTITY_SERVICE_COOKIE_SECRET_FILE: /run/secrets/cookie-secret/cookie-secret
       ONTOPIC_IDENTITY_SERVICE_COOKIE_SECURE: false
@@ -188,7 +189,6 @@ services:
       ONTOPIC_IDENTITY_SERVICE_CUSTOM_TEMPLATE_DIR: /etc/identity-service/templates
       ONTOPIC_IDENTITY_SERVICE_IDENTITY_REFRESH:
 
-
     secrets:
       cookie-secret: /run/secrets/cookie-secret
       password-file-db: /run/secrets/password-file-db

samples/users.json

@@ -0,0 +1,25 @@
+{
+    "users": [
+      {
+        "username": "sarahk",
+        "password": "$aprBe1/",
+        "email": "[email protected]",
+        "fullname": "test",
+        "groups": ["developers", "admin"]
+      },
+      {
+        "username": "test",
+        "password": "$apr1$C.",
+        "email": "[email protected]",
+        "fullname": "test",
+        "groups": ["developers"]
+      },
+      {
+        "username": "Robert",
+        "password": "$aprBe1/",
+        "email": "[email protected]",
+        "fullname": "test",
+        "groups": ["developers", "admin"]
+      }
+    ]
+  }