Cloudify pod updates for sourcing password from CMPASS environment variable.
Issue-ID: DCAEGEN2-1975
Change-Id: I5f297af9ad92389d0901eee463ea175751853838
Signed-off-by: Schmalzried, Terry (ts862m) <ts862m@att.com>
# See the License for the specific language governing permissions and
# limitations under the License.
# ============LICENSE_END=========================================================
-FROM cloudifyplatform/community:19.01.24
+FROM cloudifyplatform/community-cloudify-manager-aio:20.03.03
ENV PLUGIN_REPO {{ ONAPTEMPLATE_RAWREPOURL_org_onap_dcaegen2_platform_plugins_releases }}
# Store plugin files locally
RUN mkdir scripts
COPY scripts/* scripts/
+COPY reset_admin.py /opt/manager/
# Load our plugin files
# Setup rc.local to set up k8s credentials for CM
-RUN scripts/get-plugins.sh ${PLUGIN_REPO} \
+RUN chmod +x /opt/manager/reset_admin.py\
&& chmod +x scripts/*.sh\
+ && scripts/get-plugins.sh ${PLUGIN_REPO} \
&& /scripts/configure-tls.sh\
&& echo "/scripts/setup-secret.sh" >> /etc/rc.d/rc.local\
- && echo "/scripts/load-plugins.sh > /load-plugins.log 2>&1" >> /etc/rc.d/rc.local\
+ && echo "/scripts/set-admin-password.sh" >> /etc/rc.d/rc.local\
+ && echo "/scripts/load-plugins.sh >/load-plugins.log 2>&1" >> /etc/rc.d/rc.local\
&& chmod +x /etc/rc.d/rc.local
# Create mount point for CM config file
RUN mkdir -p /opt/onap && chown cfyuser:cfyuser /opt/onap
which then brings up the many other processes needed for a working instance of Cloudify Manager.
## The `setup-secret.sh` script
-When Kubernetes starts a container, it mounts a directory containing the credentials that the container needs to access the Kubernetes API on the local Kubernetes cluster. The mountpoint is `/var/run/secrets/kubernetes.io/serviceaccount`. Something about the way that Cloudify Manager is started (possibly because `/sbin/init` is run) causes this mountpoint to be hidden. `setup-secret.sh` will recreated the directory if it's not present and symbolically link it to a copy of the credentials mounted at `/secret` in the container file system. This gives Cloudify Manager the credentials that the Kubernetes plugin needs to deploy Kubernetes-based DCAE components.
+When Kubernetes starts a container, it mounts a directory containing the credentials that the container needs to access the Kubernetes API on the local Kubernetes cluster. The mountpoint is `/var/run/secrets/kubernetes.io/serviceaccount`. Something about the way that Cloudify Manager is started (possibly because `/sbin/init` is run) causes this mountpoint to be hidden. `setup-secret.sh` will recreate the directory if it's not present and symbolically link it to a copy of the credentials mounted at `/secret` in the container file system. This gives Cloudify Manager the credentials that the Kubernetes plugin needs to deploy Kubernetes-based DCAE components.
`setup-secret.sh` needs to run after '/sbin/init'. The Dockerfile installs it in the `rc.local` script that runs at startup.
<groupId>org.onap.dcaegen2.deployments</groupId>
<artifactId>cm-container</artifactId>
<name>dcaegen2-deployments-cm-container</name>
- <version>3.1.0</version>
+ <version>3.2.0</version>
<url>http://maven.apache.org</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
--- /dev/null
+########
+# Copyright (c) 2018 Cloudify Platform Ltd. All rights reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+
+#!/usr/bin/env python
+
+import subprocess
+import json
+import argparse
+from flask_security.utils import encrypt_password
+from manager_rest.flask_utils import setup_flask_app
+
+
+def db_update_password(password):
+ password = encrypt_new_password(password)
+ password = password.replace('$', '\$')
+ sql_command = "\"update users set password='" + password + "' where username='admin'\""
+ cmd = "sudo -u postgres psql cloudify_db -c " + sql_command
+ subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
+
+
+def get_salt():
+ with open('/opt/manager/rest-security.conf') as f:
+ rest_security = json.load(f)
+
+ return rest_security['hash_salt']
+
+
+def encrypt_new_password(password):
+ app = setup_flask_app(hash_salt=get_salt())
+ with app.app_context():
+ password = encrypt_password(password)
+ return password
+
+
+if __name__ == '__main__':
+
+ parser = argparse.ArgumentParser(description=('Reset admin password in DB according to rest-security.conf'))
+ parser.add_argument('-p', '--password', required=True, help='New admin password')
+ args = parser.parse_args()
+
+ db_update_password(args.password)
+ print 'Done!\n'
# ============LICENSE_START=======================================================
# org.onap.dcae
# ================================================================================
-# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# | Riemann | running |
# +--------------------------------+---------+
#
-# When an individual service is not running, it will have a status other than "running".
+# or:
+#
+# cfy status
+# Retrieving manager services status... [ip=dcae-cloudify-manager]
+#
+# Services:
+# +--------------------------------+--------+
+# | service | status |
+# +--------------------------------+--------+
+# | Cloudify Console | Active |
+# | PostgreSQL | Active |
+# | AMQP-Postgres | Active |
+# | Manager Rest-Service | Active |
+# | RabbitMQ | Active |
+# | Webserver | Active |
+# | Management Worker | Active |
+# +--------------------------------+--------+
+#
+# When an individual service is not running, it will have a status other than "running" or "Active".
# If the Cloudify API cannot be reached, the "Services:" line will not appear.
STAT=$(cfy status)
if (echo "${STAT}" | grep "^Services:$")
then
echo "Got a status response"
- if !(echo "${STAT}" | egrep '^\| [[:alnum:]]+'| grep -iv '| running ')
+ if !(echo "${STAT}" | egrep '^\| [[:alnum:]]+'| egrep -iv ' Active | running ')
then
echo "All services running"
exit 0
#!/bin/bash
# ================================================================================
-# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
set -x
set +e
-# Get the CM admin password from the config file
-# Brittle, but the container is built with an unchanging version of CM,
-# so no real risk of a breaking change
-CMPASS=$(grep 'admin_password:' /etc/cloudify/config.yaml | cut -d ':' -f2 | tr -d ' ')
+# Expect Cloudify password to be in file mounted from Kubernetes secret,
+# but allow overriding by CMPASS environment variable,
+# and if not provided, use the default
+CMPASS=${CMPASS:-$(cat /opt/onap/cm-secrets/password 2>/dev/null)}
+CMPASS=${CMPASS:-admin}
+
TYPENAMES=[\\\"dcae.nodes.ContainerizedServiceComponent\\\",\\\"dcae.nodes.ContainerizedServiceComponentUsingDmaap\\\",\\\"dcae.nodes.ContainerizedPlatformComponent\\\",\\\"dcae.nodes.ContainerizedApplication\\\"]
# Uninstall components managed by Cloudify
CMPROTO=${CMPROTO:-https}
CMPORT=${CMPORT:-443}
-# Password is currently fixed at the default
-# Eventually the password will be passed in as an environment variable
+# Expect Cloudify password to be in file mounted from Kubernetes secret,
+# but allow overriding by CMPASS environment variable,
+# and if not provided, use the default
+CMPASS=${CMPASS:-$(cat /opt/onap/cm-secrets/password 2>/dev/null)}
CMPASS=${CMPASS:-admin}
# Set up additional parameters for using HTTPS
touch ${PLUGINS_LOADED}
else
echo "Plugins already loaded"
-fi
\ No newline at end of file
+fi
--- /dev/null
+#!/bin/bash
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+# Runs at deployment time to set cloudify's admin password
+
+# Wait for Cloudify Manager to come up
+while ! /scripts/cloudify-ready.sh
+do
+ echo "Waiting for CM to come up"
+ sleep 15
+done
+
+# Expect Cloudify password to be in file mounted from Kubernetes secret,
+# but allow overriding by CMPASS environment variable,
+# and if not provided, use the default
+CMPASS=${CMPASS:-$(cat /opt/onap/cm-secrets/password 2>/dev/null)}
+CMPASS=${CMPASS:-admin}
+
+# Set Cloudify's admin password
+cd /opt/manager
+cfy_manager --reset_admin_password $CMPASS || ./env/bin/python reset_admin.py -p $CMPASS
+
+# Set the password used by the cfy client
+cfy profile set -p $CMPASS
+
+echo "Cloudify password set"
-
#!/bin/bash
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
Code Review / dcaegen2 / deployments.git / commitdiff