Merge pull request #120 from cloudymax/password-fix

Fix issues with random passwords when username is templated via env var

Author: cloudymax

charts/cloud-init/Chart.yaml

@@ -2,6 +2,6 @@ apiVersion: v2
 name: cloud-init
 description: A Helm chart that generates cloud-init config files
 type: application
-version: 0.5.0
+version: 0.5.1
 maintainers:
   - name: cloudymax

charts/cloud-init/README.md

@@ -1,6 +1,6 @@
 # cloud-init
 
-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.5.1](https://img.shields.io/badge/Version-0.5.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart that generates cloud-init config files
 
@@ -28,7 +28,7 @@ A Helm chart that generates cloud-init config files
 | extraEnvVars[1].value | string | `"b8:a3:86:70:cc:e6"` |  |
 | fs_setup | list | `[]` |  |
 | hostname | string | `"random"` | virtual-machine hostname |
-| image | string | `"deserializeme/kv-cloud-init:v0.0.1"` | image version |
+| image | string | `"deserializeme/kv-cloud-init:v0.0.2"` | image version |
 | mounts | list | `[]` | Set up mount points. mounts contains a list of lists. The inner list contains entries for an /etc/fstab line |
 | namespace | string | `"default"` | namespace in which to create resources |
 | network | object | `{"config":"disabled"}` | networking options |
@@ -44,7 +44,7 @@ A Helm chart that generates cloud-init config files
 | secret_name | string | `"max-scrapmetal-user-data"` | name of secret in which to save the user-data file |
 | serviceAccount | object | `{"create":true,"existingServiceAccountName":"cloud-init-sa","name":"cloud-init-sa"}` | Choose weather to create a service-account or not. Once a SA has been created you should set this to false on subsequent runs. |
 | swap | object | `{"enabled":false,"filename":"/swapfile","maxsize":"1G","size":"1G"}` | creates a swap file using human-readable values. |
-| users | list | `[{"groups":"users, admin, docker, sudo, kvm","lock_passwd":false,"name":"pool","password":{"random":true},"shell":"/bin/bash","ssh_authorized_keys":[],"ssh_import_id":[],"sudo":"ALL=(ALL) NOPASSWD:ALL"}]` | user configuration options See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#users-and-groups do NOT use 'admin' as username - it conflicts with multiele cloud-images |
+| users | list | `[{"groups":"users, admin, docker, sudo, kvm","lock_passwd":false,"name":"$USERNAME","password":{"random":true},"shell":"/bin/bash","ssh_authorized_keys":[],"ssh_import_id":[],"sudo":"ALL=(ALL) NOPASSWD:ALL"}]` | user configuration options See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#users-and-groups do NOT use 'admin' as username - it conflicts with multiele cloud-images |
 | users[0].password | object | `{"random":true}` | set user password from existing secret or generate random |
 | users[0].ssh_authorized_keys | list | `[]` | provider user ssh pub key as plaintext |
 | users[0].ssh_import_id | list | `[]` | import user ssh public keys from github, gitlab, or launchpad See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#ssh |

charts/cloud-init/scripts/optimize.sh

@@ -41,6 +41,38 @@ run_envsubst(){
     fi
 }
 
+# Create a random password and save it as a kubernetes secret. Must be run after
+# envsubst to avoid issues where no username is present
+random_password(){
+    log "Generating a random password for ${USERNAME}."
+    INPUT=$(golang-petname --words 2)
+    OUTPUT=""
+    LENGTH=${#INPUT}
+
+    for (( i=0; i<LENGTH; i++ )); do
+      char="${INPUT:$i:1}"
+      if (( RANDOM % 2 == 0 )); then
+        # Convert to uppercase
+        OUTPUT+="$(echo "$char" | tr '[:lower:]' '[:upper:]')"
+      else
+        # Convert to lowercase
+        OUTPUT+="$(echo "$char" | tr '[:upper:]' '[:lower:]')"
+      fi
+    done
+
+    export GENERATED_PASSWORD="$OUTPUT-$RANDOM"
+
+    export SECRET_EXISTS=$(kubectl get secret ${USERNAME}-password -o yaml |grep -o ${USERNAME}-password |wc -l)
+
+    if [ "${SECRET_EXISTS}" -gt 0 ]; then
+        log "Kubernetes secret ${USERNAME}-password exists and will be replaced"
+        kubectl patch secret ${USERNAME}-password -p '{"metadata":{"finalizers":null}}' --type=merge
+        kubectl delete secret ${USERNAME}-password
+        kubectl create secret generic ${USERNAME}-password --from-literal=password="$GENERATED_PASSWORD"
+    fi
+
+}
+
 # Hash and insert passwd field for each specified user
 admin_password(){
     read -ra users <<< $(yq '.users[].name' $USER_DATA_PATH |xargs)
@@ -50,8 +82,16 @@ admin_password(){
         CHECK=$(yq '.users[env(COUNT)].passwd' $USER_DATA_PATH)
         if [ "${CHECK}" != "null" ]; then
             log "Setting hashed password for user: $user\n"
+
             CAP_USER=$(echo "${user}" | tr '[:lower:]' '[:upper:]')
-            PASSWORD=$(env |grep "${CAP_USER}_PASSWORD" |cut -d '=' -f2)
+
+            if [ ${RANDOM_PASSWORD} == "true" ]; then
+                random_password
+                export PASSWORD=$GENERATED_PASSWORD
+            else
+                export PASSWORD=$(env |grep "${CAP_USER}_PASSWORD" |cut -d '=' -f2)
+            fi
+
             export HASHED_PASSWORD=$(mkpasswd --method=SHA-512 --rounds=4096 "${PASSWORD}" -s "${SALT}")
             yq -i '.users[env(COUNT)].passwd = env(HASHED_PASSWORD)' $USER_DATA_PATH
         fi
@@ -116,7 +156,6 @@ create_secret(){
         kubectl delete secret ${SECRET_NAME}
     fi
 
-
     if [ "$NETWORK_DATA_PRESENT" == "true" ]; then
         log "Creating kubernetes secret ${SECRET_NAME} from ${USER_DATA_PATH} & ${NETWORK_DATA_PATH}"
         kubectl create secret generic ${SECRET_NAME} \
@@ -127,12 +166,15 @@ create_secret(){
         kubectl create secret generic ${SECRET_NAME} --from-file=userdata="${USER_DATA_PATH}"
     fi
 
+    log "Adding argocd tracking annotation."
     kubectl annotate --overwrite secret ${SECRET_NAME} \
         argocd.argoproj.io/tracking-id="${ARGOCD_APP_NAME}:v1/Secret:${NAMESPACE}/${SECRET_NAME}"
 
+    log "Adding argocd sync options."
     kubectl annotate --overwrite secret ${SECRET_NAME} \
         argocd.argoproj.io/sync-options="Prune=false,Delete=false"
 
+    log "Adding argocd comparison options."
     kubectl annotate --overwrite secret ${SECRET_NAME} \
         argocd.argoproj.io/compare-options="IgnoreExtraneous"
 

charts/cloud-init/templates/cluster-role-binding.yaml

@@ -3,9 +3,6 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cloud-init
-  annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-weight": "-1"
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.serviceAccount.name}}

charts/cloud-init/templates/job.yaml

@@ -44,11 +44,8 @@ spec:
                 key: {{ $props.password.existingSecret.key }}
 	  {{- end }}
           {{- if $props.password.random }}
-          - name: {{ upper $props.name }}_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: {{ $props.name }}-password
-                key: password
+          - name: RANDOM_PASSWORD
+            value: "true"
 	  {{- end }}
 	  {{- end }}
           {{- with .Values.extraEnvVars }}

charts/cloud-init/templates/password-secret.yaml

@@ -8,7 +8,7 @@ argocdAppName: cloud-init-test
 secret_name: max-scrapmetal-user-data
 
 # -- image version
-image: deserializeme/kv-cloud-init:v0.0.1
+image: deserializeme/kv-cloud-init:v0.0.2
 
 # -- Choose weather to create a service-account or not. Once a SA has been created
 # you should set this to false on subsequent runs.
@@ -106,7 +106,7 @@ wireguard: []
 # See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#users-and-groups
 # do NOT use 'admin' as username - it conflicts with multiele cloud-images
 users:
-  - name: pool
+  - name: $USERNAME
     groups: users, admin, docker, sudo, kvm
     sudo: ALL=(ALL) NOPASSWD:ALL
     shell: /bin/bash