From 0752943ce7abb384be75852c779666f1f55f4336 Mon Sep 17 00:00:00 2001
From: "pramodbelal8@gmail.com"
Date: Fri, 30 Sep 2022 20:03:39 +0530
Subject: [PATCH 1/5] [MOSIP-15265] updated db-common-secrets to db-secrets in copy_secrets.sh and delete.sh file of config-server.

---
 deployment/v3/mosip/config-server/copy_secrets.sh | 2 +-
 deployment/v3/mosip/config-server/delete.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/deployment/v3/mosip/config-server/copy_secrets.sh b/deployment/v3/mosip/config-server/copy_secrets.sh
index 09de4d032..4d4945deb 100755
--- a/deployment/v3/mosip/config-server/copy_secrets.sh
+++ b/deployment/v3/mosip/config-server/copy_secrets.sh
@@ -3,7 +3,7 @@
 # DST_NS: Destination namespace
 COPY_UTIL=../../utils/copy_cm_func.sh
 DST_NS=config-server
-$COPY_UTIL secret db-common-secrets postgres $DST_NS
+$COPY_UTIL secret db-secrets postgres $DST_NS
 $COPY_UTIL secret keycloak keycloak $DST_NS
 $COPY_UTIL secret keycloak-client-secrets keycloak $DST_NS
 $COPY_UTIL secret activemq-activemq-artemis activemq $DST_NS
diff --git a/deployment/v3/mosip/config-server/delete.sh b/deployment/v3/mosip/config-server/delete.sh
index 2ad1309f9..7e52ecac5 100755
--- a/deployment/v3/mosip/config-server/delete.sh
+++ b/deployment/v3/mosip/config-server/delete.sh
@@ -12,7 +12,7 @@ while true; do
 if [ $yn = "Y" ]
 then
 kubectl -n $NS delete configmap global keycloak-host activemq-activemq-artemis-share s3 email-gateway
- kubectl -n $NS delete secret db-common-secrets keycloak keycloak-client-secrets activemq-activemq-artemis softhsm-kernel softhsm-ida s3 email-gateway prereg-captcha
+ kubectl -n $NS delete secret db-secrets keycloak keycloak-client-secrets activemq-activemq-artemis softhsm-kernel softhsm-ida s3 email-gateway prereg-captcha
 helm -n $NS delete config-server
 break
 else
From 3eafc45061cda8345b730ccc055867197818dfd3 Mon Sep 17 00:00:00 2001
From: "pramodbelal8@gmail.com"
Date: Tue, 11 Oct 2022 20:34:52 +0530
Subject: [PATCH 2/5] [MOSIP-15265] updated postgres and config-server and masterdata-loader scripts.

---
 deployment/v3/external/all/install-all.sh | 1 +
 .../v3/external/postgres/copy_secrets.sh | 10 ++++++++
 .../v3/external/postgres/db_password_gen.sh | 25 +++++++++++++++++++
 deployment/v3/external/postgres/init_db.sh | 2 ++
 .../v3/mosip/config-server/copy_secrets.sh | 11 +++++---
 .../mosip/masterdata-loader/copy_secrets.sh | 2 +-
 6 files changed, 47 insertions(+), 4 deletions(-)
 create mode 100755 deployment/v3/external/postgres/copy_secrets.sh
 create mode 100755 deployment/v3/external/postgres/db_password_gen.sh

diff --git a/deployment/v3/external/all/install-all.sh b/deployment/v3/external/all/install-all.sh
index f40242e8f..52ab8cc49 100755
--- a/deployment/v3/external/all/install-all.sh
+++ b/deployment/v3/external/all/install-all.sh
@@ -12,6 +12,7 @@ ROOT_DIR=`pwd`/../
 echo Installing External services
 cd $ROOT_DIR/postgres
+./db_password_gen.sh
 ./install.sh
 ./init_db.sh
diff --git a/deployment/v3/external/postgres/copy_secrets.sh b/deployment/v3/external/postgres/copy_secrets.sh
new file mode 100755
index 000000000..ab2acff9d
--- /dev/null
+++ b/deployment/v3/external/postgres/copy_secrets.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# Copy secrets from other namespaces
+# DST_NS: Destination namespace
+COPY_UTIL=../../utils/copy_cm_func.sh
+DST_NS=postgres
+SECRET_REGEX='db-.*-secret'
+secrets_list=$(kubectl get secrets -n db-password --no-headers -o custom-columns=':.metadata.name' | grep "$SECRET_REGEX")
+for secret in $secrets_list; do
+ $COPY_UTIL secret $secret db-password $DST_NS
+done
\ No newline at end of file
diff --git a/deployment/v3/external/postgres/db_password_gen.sh b/deployment/v3/external/postgres/db_password_gen.sh
new file mode 100755
index 000000000..425fb6e52
--- /dev/null
+++ b/deployment/v3/external/postgres/db_password_gen.sh
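Review bot: The added `./db_password_gen.sh` call in install-all.sh runs on every invocation, and the script it calls (added in this same patch) deletes and reinstalls the `db-password-gen` release, so re-running install-all.sh against an existing cluster offers to rotate all DB passwords while the databases initialised by the earlier run and the secret copies already made into other namespaces presumably keep the old values; the generator's Y/n prompt is the only guard. Nothing in the hunk checks exit codes, so a declined prompt or a failed install is silent and `./init_db.sh` proceeds regardless. Consider running the generator only on first install, e.g. `helm -n db-password status db-password-gen >/dev/null 2>&1 || ./db_password_gen.sh`, with a comment stating that regenerating on an existing deployment requires re-running `init_db.sh` and every consumer's `copy_secrets.sh`. The enclosing script continues outside the hunk.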
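Review bot: The `grep "$SECRET_REGEX"` on the new `secrets_list=` line of external/postgres/copy_secrets.sh uses an unanchored pattern, so any secret in `db-password` whose name merely contains `db-…-secret` is copied, and when `kubectl` fails or nothing matches the `for` loop silently runs zero times, which the caller in init_db.sh (same patch) then treats as success. Anchor the pattern and fail loudly on an empty list: `SECRET_REGEX='^db-.*-secret$'` and, after the assignment, `[ -n "$secrets_list" ] || { echo "no db-*-secret secrets found in namespace db-password" >&2; exit 1; }`. Word-splitting `$secrets_list` in the loop is acceptable here because Kubernetes secret names cannot contain whitespace; the file also lacks a trailing newline.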
@@ -0,0 +1,25 @@
+#!/bin/bash
+# Script to initialize the DB-PASSWORD.
+## Usage: ./db_password_gen.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+ export KUBECONFIG=$1
+fi
+
+NS=db-password
+kubectl create ns $NS
+CHART_VERSION=12.0.2
+helm repo update
+while true; do
+ read -p "CAUTION: db-passwords will be recreated. Are you sure to regenerate?(Y/n)" yn
+ if [ $yn = "Y" ]
+ then
+ echo Removing any existing installation
+ helm -n $NS delete db-password-gen
+ echo Initializing DB-PASSWORD
+ helm -n $NS install db-password-gen mosip/db-password-gen -f init_values.yaml --version $CHART_VERSION
+ break
+ else
+ break
+ fi
+done
\ No newline at end of file
diff --git a/deployment/v3/external/postgres/init_db.sh b/deployment/v3/external/postgres/init_db.sh
index 9cf5f98ff..525b55e95 100755
--- a/deployment/v3/external/postgres/init_db.sh
+++ b/deployment/v3/external/postgres/init_db.sh
@@ -15,6 +15,8 @@ while true; do
 then
 echo Removing any existing installation
 helm -n $NS delete postgres-init
+ echo copying DB secrets
+ ./copy_secrets.sh
 echo Initializing DB
 helm -n $NS install postgres-init mosip/postgres-init -f init_values.yaml --version $CHART_VERSION --wait --wait-for-jobs
 break
diff --git a/deployment/v3/mosip/config-server/copy_secrets.sh b/deployment/v3/mosip/config-server/copy_secrets.sh
index 4d4945deb..01b0817a5 100755
--- a/deployment/v3/mosip/config-server/copy_secrets.sh
+++ b/deployment/v3/mosip/config-server/copy_secrets.sh
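Review bot: In db_password_gen.sh the `helm -n $NS delete db-password-gen` / `helm … install` pair regenerates the credentials but nothing re-applies them: the database roles that `postgres-init` created from the previous secrets (see init_db.sh) and the copies made into the `postgres`, `config-server` and `masterdata-loader` namespaces presumably keep the old passwords, so answering Y on an existing deployment leaves every consumer unable to authenticate until `init_db.sh` and each `copy_secrets.sh` are re-run, and the CAUTION prompt should say so. The test `if [ $yn = "Y" ]` is unquoted, so pressing Enter produces `[: =: unary operator expected` (harmless only because the else branch also breaks); write `if [ "$yn" = "Y" ]`. Suggested header comment: `# Regenerates all per-DB passwords. On an existing install, re-run init_db.sh and every consumer's copy_secrets.sh afterwards.`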
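Review bot: The new `./copy_secrets.sh` call in init_db.sh ignores its exit status, so when the `db-password` namespace does not exist yet (for example because db_password_gen.sh was declined or failed) the postgres-init job is still launched without the per-DB secrets it now presumably expects. Guard it: `./copy_secrets.sh || { echo "copying DB secrets failed" >&2; exit 1; }`. The enclosing `while` loop and `if` begin before this hunk.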
@@ -3,13 +3,18 @@
 # DST_NS: Destination namespace
 COPY_UTIL=../../utils/copy_cm_func.sh
 DST_NS=config-server
-$COPY_UTIL secret db-secrets postgres $DST_NS
-$COPY_UTIL secret keycloak keycloak $DST_NS
+$COPY_UTIL secret keycloak keycloak $DST_NS
 $COPY_UTIL secret keycloak-client-secrets keycloak $DST_NS
-$COPY_UTIL secret activemq-activemq-artemis activemq $DST_NS
+$COPY_UTIL secret activemq-activemq-artemis activemq $DST_NS
 $COPY_UTIL secret softhsm-kernel softhsm $DST_NS
 $COPY_UTIL secret softhsm-ida softhsm $DST_NS
 $COPY_UTIL secret s3 s3 $DST_NS
 $COPY_UTIL secret email-gateway msg-gateways $DST_NS
 $COPY_UTIL secret prereg-captcha prereg $DST_NS
 $COPY_UTIL secret conf-secrets-various conf-secrets $DST_NS
+
+SECRET_REGEX='db-.*-secret'
+secrets_list=$(kubectl get secrets -n db-password --no-headers -o custom-columns=':.metadata.name' | grep "$SECRET_REGEX")
+for secret in $secrets_list; do
+ $COPY_UTIL secret $secret db-password $DST_NS
+done
\ No newline at end of file
diff --git a/deployment/v3/mosip/masterdata-loader/copy_secrets.sh b/deployment/v3/mosip/masterdata-loader/copy_secrets.sh
index bd1229724..a5a4ef117 100755
--- a/deployment/v3/mosip/masterdata-loader/copy_secrets.sh
+++ b/deployment/v3/mosip/masterdata-loader/copy_secrets.sh
@@ -3,4 +3,4 @@
 # DST_NS: Destination namespace
 COPY_UTIL=../../utils/copy_cm_func.sh
 DST_NS=masterdata-loader
-$COPY_UTIL secret db-common-secrets postgres $DST_NS
+$COPY_UTIL secret db-mosip-master-secret db-password $DST_NS
From bdb411859ed8c67adffa7ac776124002739291bf Mon Sep 17 00:00:00 2001
From: "pramodbelal8@gmail.com"
Date: Wed, 12 Oct 2022 11:05:40 +0530
Subject: [PATCH 3/5] [MOSIP-15265] updated config-server delete.sh script.

---
 deployment/v3/mosip/config-server/delete.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deployment/v3/mosip/config-server/delete.sh b/deployment/v3/mosip/config-server/delete.sh
index 7e52ecac5..17636e7e7 100755
--- a/deployment/v3/mosip/config-server/delete.sh
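Review bot: The secret-copy loop appended to config-server/copy_secrets.sh (`SECRET_REGEX=` through `done`) is a verbatim copy of the one added to external/postgres/copy_secrets.sh in this same patch, with the same unanchored `db-.*-secret` pattern and the same silent no-op when `grep` matches nothing. A helper next to `copy_cm_func.sh`, e.g. `copy_secrets_matching <regex> <src_ns> <dst_ns>`, would keep the pattern and the empty-list check in one place; at minimum anchor it here as `SECRET_REGEX='^db-.*-secret$'` so an unrelated secret in `db-password` is not copied into config-server. The `keycloak` and `activemq` lines appear as a delete/re-add with identical text, which looks like a trailing-whitespace change that could be dropped from the patch.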
+++ b/deployment/v3/mosip/config-server/delete.sh
@@ -12,7 +12,7 @@ while true; do
 if [ $yn = "Y" ]
 then
 kubectl -n $NS delete configmap global keycloak-host activemq-activemq-artemis-share s3 email-gateway
- kubectl -n $NS delete secret db-secrets keycloak keycloak-client-secrets activemq-activemq-artemis softhsm-kernel softhsm-ida s3 email-gateway prereg-captcha
+ kubectl -n $NS delete secret db-mosip-audit-secret db-mosip-authdevice-secret db-mosip-credential-secret db-mosip-digitalcard-secret db-mosip-hotlist-secret db-mosip-ida-secret db-mosip-idmap-secret db-mosip-idp-secret db-mosip-idrepo-secret db-mosip-kernel-secret db-mosip-keymgr-secret db-mosip-master-secret db-mosip-pms-secret db-mosip-prereg-secret db-mosip-regdevice-secret db-mosip-regprc-secret db-mosip-resident-secret db-mosip-toolkit-secret keycloak keycloak-client-secrets activemq-activemq-artemis softhsm-kernel softhsm-ida s3 email-gateway prereg-captcha
 helm -n $NS delete config-server
 break
 else
From 12b185be7ac4a68c84187ead12db997715fc7ae1 Mon Sep 17 00:00:00 2001
From: "pramodbelal8@gmail.com"
Date: Wed, 12 Oct 2022 13:35:09 +0530
Subject: [PATCH 4/5] [MOSIP-15265] updated config-server delete.sh script and init_values.yaml.

---
 deployment/v3/external/postgres/init_values.yaml | 3 ---
 deployment/v3/mosip/config-server/delete.sh | 7 ++++++-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/deployment/v3/external/postgres/init_values.yaml b/deployment/v3/external/postgres/init_values.yaml
index 3c14bd2a5..24a18b655 100644
--- a/deployment/v3/external/postgres/init_values.yaml
+++ b/deployment/v3/external/postgres/init_values.yaml
@@ -1,6 +1,3 @@
-dbUserPasswords:
- dbuserPassword: ""
-
 databases:
 mosip_master:
 enabled: true
diff --git a/deployment/v3/mosip/config-server/delete.sh b/deployment/v3/mosip/config-server/delete.sh
index 17636e7e7..1933b03b5 100755
--- a/deployment/v3/mosip/config-server/delete.sh
+++ b/deployment/v3/mosip/config-server/delete.sh
@@ -12,7 +12,12 @@ while true; do
 if [ $yn = "Y" ]
 then
 kubectl -n $NS delete configmap global keycloak-host activemq-activemq-artemis-share s3 email-gateway
- kubectl -n $NS delete secret db-mosip-audit-secret db-mosip-authdevice-secret db-mosip-credential-secret db-mosip-digitalcard-secret db-mosip-hotlist-secret db-mosip-ida-secret db-mosip-idmap-secret db-mosip-idp-secret db-mosip-idrepo-secret db-mosip-kernel-secret db-mosip-keymgr-secret db-mosip-master-secret db-mosip-pms-secret db-mosip-prereg-secret db-mosip-regdevice-secret db-mosip-regprc-secret db-mosip-resident-secret db-mosip-toolkit-secret keycloak keycloak-client-secrets activemq-activemq-artemis softhsm-kernel softhsm-ida s3 email-gateway prereg-captcha
+ kubectl -n $NS delete secret keycloak keycloak-client-secrets activemq-activemq-artemis softhsm-kernel softhsm-ida s3 email-gateway prereg-captcha
+ DB_SECRET_REGEX='db-.*-secret'
+ db_secrets_list=$(kubectl get secrets -n $NS --no-headers -o custom-columns=':.metadata.name' | grep "$DB_SECRET_REGEX")
+ for db_secret in $db_secrets_list; do
+ kubectl -n $NS delete secret $db_secret
+ done
 helm -n $NS delete config-server
 break
 else
From 2d201d636a0c5d1a6cfe04f77d418ba99d1d46fa Mon Sep 17 00:00:00 2001
From: "pramodbelal8@gmail.com"
Date: Fri, 21 Oct 2022 19:40:27 +0530
Subject: [PATCH 5/5] [MOSIP-15265] Updated the db_password_gen.sh to README.md file for postgres.

---
 deployment/v3/external/postgres/README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/deployment/v3/external/postgres/README.md b/deployment/v3/external/postgres/README.md
index e274ec788..e2cad582c 100644
--- a/deployment/v3/external/postgres/README.md
+++ b/deployment/v3/external/postgres/README.md
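Review bot: `DB_SECRET_REGEX='db-.*-secret'` on the new line in delete.sh is unanchored, so the cleanup loop deletes every secret in `$NS` whose name merely contains that substring, not only the `db-<name>-secret` entries that config-server/copy_secrets.sh brings in; anchor it as `DB_SECRET_REGEX='^db-.*-secret$'` to match the same set the copy script should be selecting. The per-secret `kubectl delete` in the loop tolerates individual failures, which is fine for a teardown, but a short comment such as `# remove the per-DB password secrets copied in by copy_secrets.sh` would make clear why these are handled separately from the fixed list on the line above. The enclosing `while` loop and `if` begin above the hunk.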
@@ -6,6 +6,12 @@
 ```
 * A random password will get assigned for `postgres` user if you have not specified a password. The password may be obtained from Rancher console.
+## Generate DB-Passwords
+```sh
+./db_password_gen.sh
+```
+* For each DB it will generate separate passwords.
+
 ## Test
 * Make sure docker is running from machine you are testing.
 * Postgres is accessible over "internal" channel, i.e. over Wireguard. Make sure you have the Wireguard setup along with credentials to connect to internal load balancer.