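def create_gcloud_secret():
    """
    Ensure the Kubernetes secret SECRET_NAME exists, building it from the
    local gcloud configuration directory when it is missing.

    The secret is created from a temporary directory holding one file,
    gcloud.tar, an archive of $HOME/.config/gcloud with gcloud/logs left out.
    An existing secret of that name is left untouched.

    NOTE(review): the gcloud config directory presumably contains the
    operator's own credentials, so read access to this secret should be
    treated as access to that account -- confirm who can read it.

    Raises KeyError if HOME is not set in the environment.
    """
    if SECRET_NAME in util.get_secrets():
        return
    config_root = os.path.join(os.environ['HOME'], '.config')
    with tempfile.TemporaryDirectory() as tmp:
        target = join(tmp, 'gcloud.tar')
        # Pass an argument list rather than a %-interpolated command string,
        # so the temp path reaches tar as a single argument whatever
        # characters TMPDIR puts in it.
        util.run(['tar', 'cvf', target, '--exclude', 'gcloud/logs', 'gcloud'],
                 path=config_root)
        util.create_secret(SECRET_NAME, tmp)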
def ensure_ssh():
    """
    Make sure the 'storage-ssh' Kubernetes secret exists.

    When it is missing, a fresh public/private ssh key pair (used for sshfs)
    is generated in a temporary directory and that directory is turned into
    the secret.  An existing secret is never regenerated.

    The key is created with an empty passphrase (-N ''), so the private key
    is stored unencrypted; its protection rests entirely on who may read the
    secret.  -b asks for 2048 bits and no -t is given, so the key type is
    whatever ssh-keygen defaults to.
    """
    if 'storage-ssh' in util.get_secrets():
        return
    with tempfile.TemporaryDirectory() as workdir:
        key_file = join(workdir, 'id-rsa')
        keygen_cmd = ['ssh-keygen', '-b', '2048', '-f', key_file, '-N', '']
        util.run(keygen_cmd)
        util.create_secret('storage-ssh', workdir)
def load_ssl(args):
    """
    Create the 'ssl-cert' Kubernetes secret from the directory args.path.

    The directory is created if it does not exist, and must contain a file
    named nopassphrase.pem.  Note that a directory that had to be created
    here is empty, so the call then fails on the missing pem file.

    NOTE(review): the whole directory is handed to util.create_secret, so
    presumably every file in it ends up in the secret -- keep unrelated key
    material out of it.

    Raises RuntimeError if args.path is not a directory or the pem file is
    missing.
    """
    cert_dir = args.path
    if not os.path.exists(cert_dir):
        os.makedirs(cert_dir)
    if not os.path.isdir(cert_dir):
        not_a_dir = "path='{path}' must be a directory".format(path=cert_dir)
        raise RuntimeError(not_a_dir)
    pem_file = join(cert_dir, 'nopassphrase.pem')
    if not os.path.exists(pem_file):
        missing_pem = "'{pem}' must exist".format(pem=pem_file)
        raise RuntimeError(missing_pem)
    util.create_secret('ssl-cert', cert_dir)
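def ensure_ssl():
    """
    Make sure the 'ssl-cert' Kubernetes secret exists.

    When it is missing, a self-signed certificate is generated with openssl
    and loaded, so that at least things work.  The certificate and its key
    are concatenated into nopassphrase.pem, and the temporary directory
    (server.crt, server.key and nopassphrase.pem) becomes the secret.

    Points to keep in mind about the generated material:
      * -nodes leaves the private key unencrypted;
      * no -days is given, so the certificate gets openssl's default
        validity (30 days for `req -x509`) and will expire unless replaced;
      * it is self-signed, so clients cannot validate it against a CA.
    """
    if 'ssl-cert' in util.get_secrets():
        return
    with tempfile.TemporaryDirectory() as tmp:
        util.run([
            'openssl', 'req', '-new', '-x509', '-nodes', '-out', 'server.crt',
            '-keyout', 'server.key', '-subj',
            '/C=US/ST=WA/L=WA/O=Network/OU=IT Department/CN=sagemath'
        ], path=tmp)
        # Context managers close (and flush) every file before the directory
        # is read by create_secret, instead of relying on garbage collection.
        with open(join(tmp, 'server.crt')) as crt_file:
            cert = crt_file.read()
        with open(join(tmp, 'server.key')) as key_file:
            key = key_file.read()
        with open(join(tmp, 'nopassphrase.pem'), 'w') as pem_file:
            pem_file.write(cert + key)
        util.create_secret('ssl-cert', tmp)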
def load_password(args):
    """
    Load the admin password into Kubernetes from disk.

    args.path must be an existing directory containing a file named
    'rethinkdb'; that directory is used to create the 'rethinkdb-password'
    secret.  The file's content is not inspected here.

    Raises RuntimeError if the directory or the file is missing.
    """
    secret_dir = args.path
    if not os.path.isdir(secret_dir):
        raise RuntimeError('path must be a directory')
    password_file = os.path.join(secret_dir, 'rethinkdb')
    if not os.path.exists(password_file):
        raise RuntimeError("the password filename must be named 'rethinkdb'")
    util.create_secret('rethinkdb-password', secret_dir)
def load_secret(name, args):
    """
    Create the Kubernetes secret '<name>-api-key' from the file
    args.path/<name>.

    The directory args.path is created if it does not exist; the file itself
    must already be there.  Unlike a directory-based secret, the path of the
    single file is what gets passed to util.create_secret.

    Raises RuntimeError if args.path is not a directory or the file is
    missing.
    """
    base_dir = args.path
    if not os.path.exists(base_dir):
        os.makedirs(base_dir)
    if not os.path.isdir(base_dir):
        raise RuntimeError("path='{path}' must be a directory".format(path=base_dir))
    key_path = join(base_dir, name)
    if not os.path.exists(key_path):
        raise RuntimeError("'{file}' must exist".format(file=key_path))
    secret_name = name + '-api-key'
    util.create_secret(secret_name, key_path)
def load_ssl(args):
    """
    Load the certificate directory args.path into the 'ssl-cert' secret.

    Creates the directory when it is absent, then requires it to contain
    nopassphrase.pem (so a freshly created, empty directory is rejected).

    NOTE(review): util.create_secret receives the directory itself, so
    presumably all of its files are stored in the secret -- verify that only
    the intended certificate material lives there.

    Raises RuntimeError if args.path is not a directory or nopassphrase.pem
    does not exist.
    """
    directory = args.path
    if not os.path.exists(directory):
        os.makedirs(directory)
    if os.path.isdir(directory):
        pem_path = join(directory, 'nopassphrase.pem')
        if os.path.exists(pem_path):
            util.create_secret('ssl-cert', directory)
            return
        raise RuntimeError("'{pem}' must exist".format(pem=pem_path))
    raise RuntimeError(
        "path='{path}' must be a directory".format(path=directory))
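def ensure_ssl():
    """
    Create the 'ssl-cert' Kubernetes secret if it does not exist yet.

    A self-signed certificate is generated with openssl and loaded, so that
    at least things work.  server.crt and server.key are concatenated into
    nopassphrase.pem and the whole temporary directory is used as the secret.

    Caveats of the generated certificate:
      * the private key is written unencrypted (-nodes);
      * validity is openssl's default because -days is not passed (30 days
        for `req -x509`), so it expires unless a real one is loaded;
      * being self-signed, it gives clients nothing to verify against.
    """
    if 'ssl-cert' in util.get_secrets():
        return
    with tempfile.TemporaryDirectory() as tmp:
        util.run([
            'openssl', 'req', '-new', '-x509', '-nodes', '-out', 'server.crt',
            '-keyout', 'server.key', '-subj',
            '/C=US/ST=WA/L=WA/O=Network/OU=IT Department/CN=sagemath'
        ], path=tmp)
        # Read and write through context managers so each handle is closed,
        # and the pem fully flushed, before create_secret reads the directory.
        parts = []
        for filename in ('server.crt', 'server.key'):
            with open(join(tmp, filename)) as src:
                parts.append(src.read())
        with open(join(tmp, 'nopassphrase.pem'), 'w') as dst:
            dst.write(''.join(parts))
        util.create_secret('ssl-cert', tmp)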
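def create_kubectl_secret():
    """
    Ensure that the kubectl secret needed for using kubectl instead of the pod
    to use this cluster/namespace exists.

    The local kubeconfig is read with `kubectl config view --raw`, i.e. with
    credential data included rather than redacted, trimmed to the entries of
    this cluster, written as YAML to a file named 'config' in a temporary
    directory, and that directory becomes the secret SECRET_NAME.  An
    existing secret is left as it is.

    Limits of the trimming, which is only a mild security measure:
      * entries are kept when their name *ends with* the cluster prefix, so
        an unrelated entry whose name shares that suffix is kept as well;
      * only 'contexts', 'clusters' and 'users' are filtered; every other
        top-level key of the kubeconfig is copied unchanged;
      * access cannot be restricted to a namespace this way.
    """
    if SECRET_NAME in util.get_secrets():
        return
    with tempfile.TemporaryDirectory() as tmp:
        target = join(tmp, 'config')
        config = json.loads(util.run(['kubectl', 'config', 'view', '--raw', '-o=json'],
                                     get_output=True, verbose=False))
        prefix = util.get_cluster_prefix()
        # Include only secret info that is relevant to this cluster.
        for k in ['contexts', 'clusters', 'users']:
            config[k] = [x for x in config[k] if x['name'].endswith(prefix)]
        # Close the file explicitly so the credentials are fully written
        # before create_secret reads the directory.
        with open(target, 'w') as config_file:
            config_file.write(yaml.dump(config))
        util.create_secret(SECRET_NAME, tmp)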
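def create_password(args):
    """
    Change the rethinkdb admin password.

    A new 63-character password is generated, saved to the file 'rethinkdb'
    in the directory args.path (created if missing), set on the 'admin' user
    of the running rethinkdb server, and finally loaded into the
    'rethinkdb-password' Kubernetes secret.  If a password is already set the
    operator must type YES to confirm.

    The password file is created with owner-only permissions (0600); it stays
    on disk after the call, so the directory should live somewhere private.

    Raises RuntimeError if no rethinkdb server is running, if args.path is
    not a directory, or if the operator declines the change.
    """
    host = util.get_pod_ip(db='rethinkdb')
    if not host:
        raise RuntimeError(
            "no running rethinkdb servers, so can't change password")

    path = args.path
    if not os.path.exists(path):
        os.makedirs(path)
    elif not os.path.isdir(path):
        raise RuntimeError('path must be a directory')

    new_password = util.random_password(63)
    name = 'rethinkdb-password'

    # Get the current RethinkDB password from Kubernetes
    old_password = util.get_secret(name).get('rethinkdb', None)
    if old_password:
        if input(
                "Password already set. Are you sure you want to change it? type 'YES'"
        ) != 'YES':
            raise RuntimeError("NOT changing password")
    if old_password == '':
        # An empty stored password means "no auth key" when connecting.
        old_password = None

    # Write the new password to disk first (better to have it so if we set it
    # below and die then at least it isn't lost!).  The file is opened with
    # mode 0600 and chmod'ed before the write, so neither a new file nor a
    # pre-existing one with laxer permissions exposes the password to other
    # local users; the with-block guarantees it is flushed and closed.
    password_file = os.path.join(path, 'rethinkdb')
    fd = os.open(password_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as out:
        os.chmod(password_file, 0o600)
        out.write(new_password)

    # Set the new password in rethinkdb
    import rethinkdb as r
    conn = r.connect(host=host, auth_key=old_password)
    r.db('rethinkdb').table('users').get('admin').update({
        'password': new_password
    }).run(conn)

    # Load the new password into Kubernetes
    util.create_secret(name, path)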
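def create_password(args):
    """
    Change the rethinkdb admin password.

    Generates a new 63-character password, stores it in the file 'rethinkdb'
    under args.path (the directory is created if missing), applies it to the
    'admin' user of the running rethinkdb server, and then loads it into the
    'rethinkdb-password' Kubernetes secret.  When a password is already set,
    the operator has to confirm by typing YES.

    The password file is written with owner-only permissions (0600) and is
    not removed afterwards, so args.path should be a private location.

    Raises RuntimeError if no rethinkdb server is running, if args.path is
    not a directory, or if the change is not confirmed.
    """
    host = util.get_pod_ip(db='rethinkdb')
    if not host:
        raise RuntimeError("no running rethinkdb servers, so can't change password")

    path = args.path
    if not os.path.exists(path):
        os.makedirs(path)
    elif not os.path.isdir(path):
        raise RuntimeError('path must be a directory')

    new_password = util.random_password(63)
    name = 'rethinkdb-password'

    # Get the current RethinkDB password from Kubernetes
    old_password = util.get_secret(name).get('rethinkdb', None)
    if old_password:
        if input("Password already set. Are you sure you want to change it? type 'YES'") != 'YES':
            raise RuntimeError("NOT changing password")
    if old_password == '':
        # Connect without an auth key when the stored password is empty.
        old_password = None

    # Write the new password to disk before touching the database (better to
    # have it so if we set it below and die then at least it isn't lost!).
    # Open with mode 0600 and chmod before writing so that a pre-existing,
    # more permissive file is tightened too; the with-block flushes and
    # closes the file.
    password_file = os.path.join(path, 'rethinkdb')
    fd = os.open(password_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as out:
        os.chmod(password_file, 0o600)
        out.write(new_password)

    # Set the new password in rethinkdb
    import rethinkdb as r
    conn = r.connect(host=host, auth_key=old_password)
    r.db('rethinkdb').table('users').get('admin').update({'password': new_password}).run(conn)

    # Load the new password into Kubernetes
    util.create_secret(name, path)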
def ensure_ssh():
    """
    Create the 'storage-ssh' Kubernetes secret unless it already exists.

    The secret is built from a temporary directory in which ssh-keygen
    generates a public/private key pair that will be used for sshfs.

    -N '' sets an empty passphrase, so the private key inside the secret is
    unencrypted and only access control on the secret protects it.  The key
    size is requested with -b 2048; the key type is left to ssh-keygen's
    default since no -t is passed.
    """
    secret_missing = 'storage-ssh' not in util.get_secrets()
    if not secret_missing:
        return
    with tempfile.TemporaryDirectory() as key_dir:
        private_key_path = join(key_dir, 'id-rsa')
        util.run(['ssh-keygen',
                  '-b', '2048',
                  '-f', private_key_path,
                  '-N', ''])
        util.create_secret('storage-ssh', key_dir)
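def create_gcloud_secret():
    """
    Create the Kubernetes secret SECRET_NAME from the local gcloud
    configuration, unless a secret of that name already exists.

    $HOME/.config/gcloud is archived (without gcloud/logs) into gcloud.tar
    inside a temporary directory, and that directory is used as the secret.

    NOTE(review): the archived directory presumably holds the operator's
    gcloud credentials; whoever can read the secret can likely reuse them --
    confirm that read access to it is limited.

    Raises KeyError if HOME is not set in the environment.
    """
    if SECRET_NAME in util.get_secrets():
        return
    config_root = os.path.join(os.environ['HOME'], '.config')
    with tempfile.TemporaryDirectory() as tmp:
        target = join(tmp, 'gcloud.tar')
        # An argument list replaces the %-formatted command string: the temp
        # path is handed to tar as one argument regardless of its characters.
        tar_cmd = ['tar', 'cvf', target, '--exclude', 'gcloud/logs', 'gcloud']
        util.run(tar_cmd, path=config_root)
        util.create_secret(SECRET_NAME, tmp)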