Ejemplo n.º 1
0
def create_gcloud_secret():
    if SECRET_NAME not in util.get_secrets():
        with tempfile.TemporaryDirectory() as tmp:
            target = join(tmp, 'gcloud.tar')
            util.run("tar cvf %s --exclude gcloud/logs gcloud" % target,
                     path=os.path.join(os.environ['HOME'], '.config'))
            util.create_secret(SECRET_NAME, tmp)
Ejemplo n.º 2
0
def ensure_ssh():
    if 'storage-ssh' not in util.get_secrets():
        # generate a public/private ssh key pair that will be used for sshfs
        with tempfile.TemporaryDirectory() as tmp:
            util.run([
                'ssh-keygen', '-b', '2048', '-f',
                join(tmp, 'id-rsa'), '-N', ''
            ])
            util.create_secret('storage-ssh', tmp)
Ejemplo n.º 3
0
def load_ssl(args):
    path = args.path
    if not os.path.exists(path):
        os.makedirs(path)
    if not os.path.isdir(path):
        raise RuntimeError("path='{path}' must be a directory".format(path=path))
    pem = join(path,'nopassphrase.pem')
    if not os.path.exists(pem):
        raise RuntimeError("'{pem}' must exist".format(pem=pem))
    util.create_secret('ssl-cert', path)
Ejemplo n.º 4
0
def ensure_ssl():
    if 'ssl-cert' not in util.get_secrets():
        # generate a self-signed cert and load, so at least things work
        with tempfile.TemporaryDirectory() as tmp:
            util.run(['openssl', 'req', '-new', '-x509', '-nodes', '-out', 'server.crt',
                      '-keyout', 'server.key',
                      '-subj', '/C=US/ST=WA/L=WA/O=Network/OU=IT Department/CN=sagemath'], path=tmp)
            s  = open(join(tmp, 'server.crt')).read() + open(join(tmp, 'server.key')).read()
            open(join(tmp, 'nopassphrase.pem'),'w').write(s)
            util.create_secret('ssl-cert', tmp)
Ejemplo n.º 5
0
def load_password(args):
    """
    Load the admin password into Kubernetes from disk
    """
    path = args.path
    if not os.path.isdir(path):
        raise RuntimeError('path must be a directory')
    if not os.path.exists(os.path.join(path, 'rethinkdb')):
        raise RuntimeError("the password filename must be named 'rethinkdb'")
    util.create_secret('rethinkdb-password', path)
Ejemplo n.º 6
0
def load_secret(name, args):
    path = args.path
    if not os.path.exists(path):
        os.makedirs(path)
    if not os.path.isdir(path):
        raise RuntimeError("path='{path}' must be a directory".format(path=path))
    file = join(path, name)
    if not os.path.exists(file):
        raise RuntimeError("'{file}' must exist".format(file=file))
    util.create_secret(name+'-api-key', file)
Ejemplo n.º 7
0
def load_password(args):
    """
    Load the admin password into Kubernetes from disk
    """
    path = args.path
    if not os.path.isdir(path):
        raise RuntimeError('path must be a directory')
    if not os.path.exists(os.path.join(path, 'rethinkdb')):
        raise RuntimeError("the password filename must be named 'rethinkdb'")
    util.create_secret('rethinkdb-password', path)
Ejemplo n.º 8
0
def load_ssl(args):
    path = args.path
    if not os.path.exists(path):
        os.makedirs(path)
    if not os.path.isdir(path):
        raise RuntimeError(
            "path='{path}' must be a directory".format(path=path))
    pem = join(path, 'nopassphrase.pem')
    if not os.path.exists(pem):
        raise RuntimeError("'{pem}' must exist".format(pem=pem))
    util.create_secret('ssl-cert', path)
Ejemplo n.º 9
0
def ensure_ssl():
    if 'ssl-cert' not in util.get_secrets():
        # generate a self-signed cert and load, so at least things work
        with tempfile.TemporaryDirectory() as tmp:
            util.run([
                'openssl', 'req', '-new', '-x509', '-nodes', '-out',
                'server.crt', '-keyout', 'server.key', '-subj',
                '/C=US/ST=WA/L=WA/O=Network/OU=IT Department/CN=sagemath'
            ],
                     path=tmp)
            s = open(join(tmp, 'server.crt')).read() + open(
                join(tmp, 'server.key')).read()
            open(join(tmp, 'nopassphrase.pem'), 'w').write(s)
            util.create_secret('ssl-cert', tmp)
Ejemplo n.º 10
0
def create_kubectl_secret():
    """
    Ensure that the kubectl secret needed for using kubectl instead of the pod to
    use this cluster/namespace exists.
    """
    if SECRET_NAME not in util.get_secrets():
        with tempfile.TemporaryDirectory() as tmp:
            target = join(tmp, 'config')
            config = json.loads(util.run(['kubectl', 'config', 'view', '--raw', '-o=json'], get_output=True, verbose=False))
            prefix = util.get_cluster_prefix()
            # Include only secret info that is relevant to this cluster (a mild security measure -- we can't restrict namespace btw).
            for k in ['contexts', 'clusters', 'users']:
                config[k] = [x for x in config[k] if x['name'].endswith(prefix)]
            open(join(tmp, 'config'), 'w').write(yaml.dump(config))
            util.create_secret(SECRET_NAME, tmp)
Ejemplo n.º 11
0
def create_password(args):
    """
    Change the rethinkdb admin password.
    """
    host = util.get_pod_ip(db='rethinkdb')
    if not host:
        raise RuntimeError(
            "no running rethinkdb servers, so can't change password")

    path = args.path
    if not os.path.exists(path):
        os.makedirs(path)
    elif not os.path.isdir(path):
        raise RuntimeError('path must be a directory')

    new_password = util.random_password(63)

    name = 'rethinkdb-password'

    # Get the current RethinkDB password from Kubernetes
    old_password = util.get_secret(name).get('rethinkdb', None)
    if old_password:
        if input(
                "Password already set.  Are you sure you want to change it?  type 'YES'"
        ) != 'YES':
            raise RuntimeError("NOT changing password")
    if old_password == '':
        old_password = None

    # Write the new password to disk (better to have it so if we set it below and die then at least it isn't lost!)
    open(os.path.join(path, 'rethinkdb'), 'w').write(new_password)

    # Set the new password in rethinkdb
    import rethinkdb as r
    conn = r.connect(host=host, auth_key=old_password)
    r.db('rethinkdb').table('users').get('admin').update({
        'password':
        new_password
    }).run(conn)

    # Load the new password into Kubernetes
    util.create_secret(name, path)
Ejemplo n.º 12
0
def create_password(args):
    """
    Change the rethinkdb admin password.
    """
    host = util.get_pod_ip(db='rethinkdb')
    if not host:
        raise RuntimeError("no running rethinkdb servers, so can't change password")

    path = args.path
    if not os.path.exists(path):
        os.makedirs(path)
    elif not os.path.isdir(path):
        raise RuntimeError('path must be a directory')

    new_password = util.random_password(63)

    name = 'rethinkdb-password'

    # Get the current RethinkDB password from Kubernetes
    old_password = util.get_secret(name).get('rethinkdb', None)
    if old_password:
        if input("Password already set.  Are you sure you want to change it?  type 'YES'") != 'YES':
            raise RuntimeError("NOT changing password")
    if old_password == '':
        old_password = None

    # Write the new password to disk (better to have it so if we set it below and die then at least it isn't lost!)
    open(os.path.join(path, 'rethinkdb'), 'w').write(new_password)

    # Set the new password in rethinkdb
    import rethinkdb as r
    conn = r.connect(host=host, auth_key=old_password)
    r.db('rethinkdb').table('users').get('admin').update({'password': new_password}).run(conn)

    # Load the new password into Kubernetes
    util.create_secret(name, path)
Ejemplo n.º 13
0
def ensure_ssh():
    if 'storage-ssh' not in util.get_secrets():
        # generate a public/private ssh key pair that will be used for sshfs
        with tempfile.TemporaryDirectory() as tmp:
            util.run(['ssh-keygen', '-b', '2048', '-f', join(tmp, 'id-rsa'), '-N', ''])
            util.create_secret('storage-ssh', tmp)
Ejemplo n.º 14
0
def create_gcloud_secret():
    if SECRET_NAME not in util.get_secrets():
        with tempfile.TemporaryDirectory() as tmp:
            target = join(tmp, 'gcloud.tar')
            util.run("tar cvf %s --exclude gcloud/logs gcloud"%target, path=os.path.join(os.environ['HOME'], '.config'))
            util.create_secret(SECRET_NAME, tmp)