From a7161ec6108624f9283d8ec7f6031e2a7dbfbf1e Mon Sep 17 00:00:00 2001
From: chok
Date: Mon, 12 Aug 2024 13:26:23 +0200
Subject: [PATCH] feat(password-file): generated by a job at each install/upgrade
---
 charts/ontopic-studio/templates/config.yaml | 8 --
 .../templates/{job.yaml => jobs/cookie.yaml} | 14 +-
 .../ontopic-studio/templates/jobs/users.yaml | 134 ++++++++++++++++++
 charts/ontopic-studio/values.yaml | 4 +-
 .../k3d}/ontopic-cluster.yaml | 0
 samples/users.json | 25 ++++
 6 files changed, 169 insertions(+), 16 deletions(-)
 rename charts/ontopic-studio/templates/{job.yaml => jobs/cookie.yaml} (86%)
 create mode 100644 charts/ontopic-studio/templates/jobs/users.yaml
 rename {k3d-example => samples/k3d}/ontopic-cluster.yaml (100%)
 create mode 100644 samples/users.json
diff --git a/charts/ontopic-studio/templates/config.yaml b/charts/ontopic-studio/templates/config.yaml
index 5ebc3fb..7a417b6 100644
--- a/charts/ontopic-studio/templates/config.yaml
+++ b/charts/ontopic-studio/templates/config.yaml
@@ -14,11 +14,3 @@ data:
 {{- end }}
 {{- end }}
 {{- end }}
---- # Identity Service
-apiVersion: v1
-kind: Secret
-metadata:
- name: password-file-db
-type: Opaque
-data:
-{{ (.Files.Glob "identity/password-file-db").AsSecrets | indent 4 }}
diff --git a/charts/ontopic-studio/templates/job.yaml b/charts/ontopic-studio/templates/jobs/cookie.yaml
similarity index 86%
rename from charts/ontopic-studio/templates/job.yaml
rename to charts/ontopic-studio/templates/jobs/cookie.yaml
index 187910a..61f9923 100644
--- a/charts/ontopic-studio/templates/job.yaml
+++ b/charts/ontopic-studio/templates/jobs/cookie.yaml
@@ -1,19 +1,20 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ .Release.Name }}-pre-install + name: {{ .Release.Name }}-secret annotations: helm.sh/hook: pre-install helm.sh/hook-weight: "-2" rules: - apiGroups: [""] + resourceNames: ["cookie-secret"] resources: ["secrets"] verbs: ["create"] --- apiVersion: v1 kind: ServiceAccount metadata: - name: {{ .Release.Name }}-pre-install + name: {{ .Release.Name }}-secret annotations: helm.sh/hook: pre-install helm.sh/hook-weight: "-2" @@ -21,18 +22,18 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ .Release.Name }}-pre-install + name: {{ .Release.Name }}-secret annotations: helm.sh/hook: pre-install helm.sh/hook-weight: "-1" subjects: - kind: ServiceAccount namespace: {{ .Release.Namespace }} - name: {{ .Release.Name }}-pre-install + name: {{ .Release.Name }}-secret roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ .Release.Name }}-pre-install + name: {{ .Release.Name }}-secret --- apiVersion: batch/v1 kind: Job @@ -46,6 +47,7 @@ metadata: annotations: helm.sh/hook: pre-install helm.sh/hook-weight: "1" + helm.sh/hook-delete-policy: hook-succeeded,hook-failed spec: template: metadata: @@ -55,7 +57,7 @@ spec: app.kubernetes.io/instance: {{ .Release.Name | quote }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" spec: - serviceAccountName: {{ .Release.Name }}-pre-install + serviceAccountName: {{ .Release.Name }}-secret restartPolicy: Never containers: - name: generate-secret diff --git a/charts/ontopic-studio/templates/jobs/users.yaml b/charts/ontopic-studio/templates/jobs/users.yaml new file mode 100644 index 0000000..10f450e --- /dev/null +++ b/charts/ontopic-studio/templates/jobs/users.yaml 
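Review bot: The added `resourceNames: ["cookie-secret"]` sits on a rule whose only verb is `create`, and Kubernetes RBAC cannot scope `create` by resource name because the object's name is not among the request attributes when the request is authorized (the RBAC documentation calls this out), so as far as I can tell the rule now matches nothing and the `generate-secret` container, whose command lies outside the hunk, will be forbidden when it tries to create the secret. If the intent is to keep this ServiceAccount from touching other secrets, drop the added `resourceNames` line so `create` stays unscoped, and put `resourceNames` only on a separate rule for name-bearing verbs such as `get`, `update` or `delete`, the way the new `delete-users` Role in users.yaml does. The `helm.sh/hook-delete-policy: hook-succeeded,hook-failed` added further down also deletes a failed hook pod together with its logs, which deserves a one-line comment above it so the behaviour is not a surprise when an install fails.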
@@ -0,0 +1,134 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Release.Name }}-generate-users + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "-2" +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Release.Name }}-delete-users + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "-2" +rules: + - apiGroups: [""] + resourceNames: ["password-file-db"] + resources: ["secrets"] + verbs: ["delete"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name }}-generate-users + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "-2" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Release.Name }}-generate-users + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "-1" +subjects: + - kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ .Release.Name }}-generate-users +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Release.Name }}-generate-users +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Release.Name }}-delete-users + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "-1" +subjects: + - kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ .Release.Name }}-generate-users +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Release.Name }}-delete-users +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Release.Name }}-generate-password-db-file + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + annotations: + helm.sh/hook: 
pre-install,pre-upgrade + helm.sh/hook-weight: "1" + helm.sh/hook-delete-policy: hook-succeeded,hook-failed +spec: + template: + metadata: + name: "{{ .Release.Name }}" + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + spec: + serviceAccountName: {{ .Release.Name }}-generate-users + restartPolicy: Never + containers: + - name: user-creation + image: ghcr.io/ontopic-vkg/ontopic-helm/user-creation:helm-v2024.1.3 #{{ .Chart.AppVersion }} + command: + command: + - "sh" + - "-c" + - >- + FILE="/users/users"; + if [ -f "$FILE" ]; then + /usr/local/bin/entrypoint.sh -j $FILE -o /mnt/secret; + else + echo "No password-db-users secret found"; + fi; + exit 0 + volumeMounts: + - name: users + mountPath: /users + readOnly: true + - name: secret + mountPath: /mnt/secret + - name: create-secret + image: bitnami/kubectl:latest + command: + - "sh" + - "-c" + - >- + FILE="/mnt/secret/password-file-db"; + NAME="password-file-db"; + if [ -f "$FILE" ]; then + kubectl delete secret $NAME; + kubectl create secret generic $NAME --from-file=$NAME=$FILE; + fi; + exit 0 + volumeMounts: + - name: secret + mountPath: /mnt/secret + restartPolicy: Never + volumes: + volumes: + - name: users + secret: + secretName: password-db-users + - name: secret + emptyDir: {} diff --git a/charts/ontopic-studio/values.yaml b/charts/ontopic-studio/values.yaml index 848bff5..0c017dc 100644 --- a/charts/ontopic-studio/values.yaml +++ b/charts/ontopic-studio/values.yaml @@ -99,6 +99,7 @@ tolerations: [] affinity: {} + services: ##--- Angular frontend angular-frontend: 
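Review bot: `user-creation` and `create-secret` are ordinary sibling containers of the Job pod, so nothing orders them; if `create-secret` starts first, its `[ -f "$FILE" ]` test sees an empty emptyDir and it exits 0 without ever creating `password-file-db`, and the unconditional `exit 0` at the end of both scripts likewise hides a failing `entrypoint.sh` or `kubectl create`, so the hook reports success even when no password file was produced. The rendered manifest also carries duplicate mapping keys (`command:` twice under `user-creation`, `volumes:` twice, and a second `restartPolicy: Never` after the last container), which strict loaders reject and others silently resolve to the last value; the `#{{ .Chart.AppVersion }}` tail on the image line is a YAML comment that Helm still evaluates, so either use it as the tag or remove it. Moving `user-creation` to `initContainers`, failing on real errors with `set -e` while keeping the no-input case a success, using `kubectl delete secret "$NAME" --ignore-not-found` so the first install does not depend on a failing delete, and pinning `bitnami/kubectl` to a version or digest instead of `latest` gives the pod spec below.
```yaml
# … unchanged: Role / ServiceAccount / RoleBinding documents and the Job metadata …
    spec:
      serviceAccountName: {{ .Release.Name }}-generate-users
      restartPolicy: Never
      # user-creation must finish before the secret is written, so it runs as an init container
      initContainers:
        - name: user-creation
          image: ghcr.io/ontopic-vkg/ontopic-helm/user-creation:helm-v2024.1.3
          command:
            - "sh"
            - "-c"
            - >-
              set -e;
              FILE="/users/users";
              if [ -f "$FILE" ]; then
              /usr/local/bin/entrypoint.sh -j "$FILE" -o /mnt/secret;
              else
              echo "No password-db-users secret found";
              fi
          # … unchanged: volumeMounts for users (read-only) and secret …
      containers:
        - name: create-secret
          image: bitnami/kubectl:<PINNED_TAG_OR_DIGEST>   # placeholder: pin explicitly, not :latest
          command:
            - "sh"
            - "-c"
            - >-
              set -e;
              FILE="/mnt/secret/password-file-db";
              NAME="password-file-db";
              if [ -f "$FILE" ]; then
              kubectl delete secret "$NAME" --ignore-not-found;
              kubectl create secret generic "$NAME" --from-file="$NAME=$FILE";
              fi
          # … unchanged: volumeMounts for secret …
      # … unchanged: volumes (users secret, secret emptyDir), declared once …
```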
@@ -176,7 +177,7 @@ services: ONTOPIC_IDENTITY_SERVICE_SESSION_SCOPE: ONTOPIC_IDENTITY_SERVICE_SESSION_STORE_FILE: /etc/identity-service/data/session.db ONTOPIC_IDENTITY_SERVICE_CLIENT_ID: - ONTOPIC_IDENTITY_SERVICE_CLIENT_SECRET_FILE: + ONTOPIC_IDENTITY_SERVICE_CLIENT_SECRET_FILE: ONTOPIC_IDENTITY_SERVICE_COOKIE_PREFIX: _ontopic-studio ONTOPIC_IDENTITY_SERVICE_COOKIE_SECRET_FILE: /run/secrets/cookie-secret/cookie-secret ONTOPIC_IDENTITY_SERVICE_COOKIE_SECURE: false @@ -188,7 +189,6 @@ services: ONTOPIC_IDENTITY_SERVICE_CUSTOM_TEMPLATE_DIR: /etc/identity-service/templates ONTOPIC_IDENTITY_SERVICE_IDENTITY_REFRESH: - secrets: cookie-secret: /run/secrets/cookie-secret password-file-db: /run/secrets/password-file-db diff --git a/k3d-example/ontopic-cluster.yaml b/samples/k3d/ontopic-cluster.yaml similarity index 100% rename from k3d-example/ontopic-cluster.yaml rename to samples/k3d/ontopic-cluster.yaml diff --git a/samples/users.json b/samples/users.json new file mode 100644 index 0000000..a9851d6 --- /dev/null +++ b/samples/users.json @@ -0,0 +1,25 @@ +{ + "users": [ + { + "username": "sarahk", + "password": "$aprBe1/", + "email": "test@email.it", + "fullname": "test", + "groups": ["developers", "admin"] + }, + { + "username": "test", + "password": "$apr1$C.", + "email": "test@email.it", + "fullname": "test", + "groups": ["developers"] + }, + { + "username": "Robert", + "password": "$aprBe1/", + "email": "maxime@email.it", + "fullname": "test", + "groups": ["developers", "admin"] + } + ] + }
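Review bot: The `password` values in samples/users.json (`$aprBe1/`, `$apr1$C.`) look like truncated fragments of `$apr1$` htpasswd hashes rather than either complete hashes or plaintext, so the sample does not show which format the `user-creation` job expects from the `password-db-users` secret, and a reader cannot tell whether the job hashes input itself. A sample should carry one obviously constructed, complete value in the expected format, and because JSON has no comments, a line in a sibling README stating the format (plaintext vs. pre-hashed, and which hash) would remove the guesswork.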