Use Terraform to bcrypt the adminPassword.

Documentation/variables/config.md

@@ -7,7 +7,7 @@ This document gives an overview of variables used in all platforms of the Tecton
 | Name | Description | Type | Default |
 |------|-------------|:----:|:-----:|
 | tectonic_admin_email | The e-mail address used to: 1. login as the admin user to the Tectonic Console. 2. generate DNS zones for some providers.<br><br>Note: This field MUST be in all lower-case e-mail address format and set manually prior to creating the cluster. | string | - |
-| tectonic_admin_password_hash | The bcrypt hash of admin user password to login to the Tectonic Console. Use the bcrypt-hash tool (https://github.com/coreos/bcrypt-tool/releases/tag/v1.0.0) to generate it.<br><br>Note: This field MUST be set manually prior to creating the cluster. | string | - |
+| tectonic_admin_password | The admin user password to login to the Tectonic Console.<br><br>Note: This field MUST be set manually prior to creating the cluster. Backslashes and double quotes must also be escaped. | string | - |
 | tectonic_base_domain | The base DNS domain of the cluster. It must NOT contain a trailing period. Some DNS providers will automatically add this if necessary.<br><br>Example: `openstack.dev.coreos.systems`.<br><br>Note: This field MUST be set manually prior to creating the cluster. This applies only to cloud platforms.<br><br>[Azure-specific NOTE] To use Azure-provided DNS, `tectonic_base_domain` should be set to `""` If using DNS records, ensure that `tectonic_base_domain` is set to a properly configured external DNS zone. Instructions for configuring delegated domains for Azure DNS can be found here: https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns | string | - |
 | tectonic_ca_cert | (optional) The content of the PEM-encoded CA certificate, used to generate Tectonic Console's server certificate. If left blank, a CA certificate will be automatically generated. | string | `` |
 | tectonic_ca_key | (optional) The content of the PEM-encoded CA key, used to generate Tectonic Console's server certificate. This field is mandatory if `tectonic_ca_cert` is set. | string | `` |

Jenkinsfile

@@ -19,7 +19,7 @@ def creds = [
     $class: 'UsernamePasswordMultiBinding',
     credentialsId: 'tectonic-console-login',
     passwordVariable: 'TF_VAR_tectonic_admin_email',
-    usernameVariable: 'TF_VAR_tectonic_admin_password_hash'
+    usernameVariable: 'TF_VAR_tectonic_admin_password'
   ],
   [
     $class: 'AmazonWebServicesCredentialsBinding',

config.tf

@@ -291,14 +291,14 @@ Note: This field MUST be in all lower-case e-mail address format and set manuall
 EOF
 }
 
-variable "tectonic_admin_password_hash" {
+variable "tectonic_admin_password" {
   type = "string"
 
   description = <<EOF
-The bcrypt hash of admin user password to login to the Tectonic Console.
-Use the bcrypt-hash tool (https://github.com/coreos/bcrypt-tool/releases/tag/v1.0.0) to generate it.
+The admin user password to login to the Tectonic Console.
 
-Note: This field MUST be set manually prior to creating the cluster.
+Note: This field MUST be set manually prior to creating the cluster. Backslashes and double quotes must
+also be escaped.
 EOF
 }
 

examples/terraform.tfvars.aws

@@ -6,11 +6,11 @@
 // Note: This field MUST be in all lower-case e-mail address format and set manually prior to creating the cluster.
 tectonic_admin_email = ""
 
-// The bcrypt hash of admin user password to login to the Tectonic Console.
-// Use the bcrypt-hash tool (https://github.com/coreos/bcrypt-tool/releases/tag/v1.0.0) to generate it.
+// The admin user password to login to the Tectonic Console.
 // 
-// Note: This field MUST be set manually prior to creating the cluster.
-tectonic_admin_password_hash = ""
+// Note: This field MUST be set manually prior to creating the cluster. Backslashes and double quotes must
+// also be escaped.
+tectonic_admin_password = ""
 
 // (optional) Extra AWS tags to be applied to created autoscaling group resources.
 // This is a list of maps having the keys `key`, `value` and `propagate_at_launch`.

examples/terraform.tfvars.azure

@@ -6,11 +6,11 @@
 // Note: This field MUST be in all lower-case e-mail address format and set manually prior to creating the cluster.
 tectonic_admin_email = ""
 
-// The bcrypt hash of admin user password to login to the Tectonic Console.
-// Use the bcrypt-hash tool (https://github.com/coreos/bcrypt-tool/releases/tag/v1.0.0) to generate it.
+// The admin user password to login to the Tectonic Console.
 // 
-// Note: This field MUST be set manually prior to creating the cluster.
-tectonic_admin_password_hash = ""
+// Note: This field MUST be set manually prior to creating the cluster. Backslashes and double quotes must
+// also be escaped.
+tectonic_admin_password = ""
 
 // The client secret to use.
 tectonic_azure_client_secret = ""

examples/terraform.tfvars.metal

@@ -6,11 +6,11 @@
 // Note: This field MUST be in all lower-case e-mail address format and set manually prior to creating the cluster.
 tectonic_admin_email = ""
 
-// The bcrypt hash of admin user password to login to the Tectonic Console.
-// Use the bcrypt-hash tool (https://github.com/coreos/bcrypt-tool/releases/tag/v1.0.0) to generate it.
+// The admin user password to login to the Tectonic Console.
 // 
-// Note: This field MUST be set manually prior to creating the cluster.
-tectonic_admin_password_hash = ""
+// Note: This field MUST be set manually prior to creating the cluster. Backslashes and double quotes must
+// also be escaped.
+tectonic_admin_password = ""
 
 // The base DNS domain of the cluster. It must NOT contain a trailing period. Some
 // DNS providers will automatically add this if necessary.

examples/terraform.tfvars.openstack-neutron

@@ -6,11 +6,11 @@
 // Note: This field MUST be in all lower-case e-mail address format and set manually prior to creating the cluster.
 tectonic_admin_email = ""
 
-// The bcrypt hash of admin user password to login to the Tectonic Console.
-// Use the bcrypt-hash tool (https://github.com/coreos/bcrypt-tool/releases/tag/v1.0.0) to generate it.
+// The admin user password to login to the Tectonic Console.
 // 
-// Note: This field MUST be set manually prior to creating the cluster.
-tectonic_admin_password_hash = ""
+// Note: This field MUST be set manually prior to creating the cluster. Backslashes and double quotes must
+// also be escaped.
+tectonic_admin_password = ""
 
 // The base DNS domain of the cluster. It must NOT contain a trailing period. Some
 // DNS providers will automatically add this if necessary.

examples/terraform.tfvars.vmware

@@ -6,11 +6,11 @@
 // Note: This field MUST be in all lower-case e-mail address format and set manually prior to creating the cluster.
 tectonic_admin_email = ""
 
-// The bcrypt hash of admin user password to login to the Tectonic Console.
-// Use the bcrypt-hash tool (https://github.com/coreos/bcrypt-tool/releases/tag/v1.0.0) to generate it.
+// The admin user password to login to the Tectonic Console.
 // 
-// Note: This field MUST be set manually prior to creating the cluster.
-tectonic_admin_password_hash = ""
+// Note: This field MUST be set manually prior to creating the cluster. Backslashes and double quotes must
+// also be escaped.
+tectonic_admin_password = ""
 
 // The base DNS domain of the cluster. It must NOT contain a trailing period. Some
 // DNS providers will automatically add this if necessary.

installer/frontend/__tests__/examples/aws-vpc.json

@@ -12,7 +12,7 @@
   "retry": false,
   "variables": {
     "tectonic_admin_email": "[email protected]",
-    "tectonic_admin_password_hash": "$2a$12$96LR7NxL/T7LaijR0fxl3.aVI8owkpq0B./ogZ8wNmzF1bGPEZPBK",
+    "tectonic_admin_password": "PASSWORD",
     "tectonic_aws_etcd_ec2_type": "t2.large",
     "tectonic_aws_etcd_root_volume_size": 300,
     "tectonic_aws_etcd_root_volume_type": "gp2",

installer/frontend/__tests__/examples/aws.json

@@ -11,7 +11,7 @@
   },
   "variables": {
     "tectonic_admin_email": "[email protected]",
-    "tectonic_admin_password_hash": "$2a$12$96LR7NxL/T7LaijR0fxl3.aVI8owkpq0B./ogZ8wNmzF1bGPEZPBK",
+    "tectonic_admin_password": "PASSWORD",
     "tectonic_aws_extra_tags": {
       "test_tag": "testing"
     },

installer/frontend/__tests__/examples/metal.json

@@ -7,7 +7,7 @@
   "retry": false,
   "variables": {
     "tectonic_admin_email": "[email protected]",
-    "tectonic_admin_password_hash": "$2a$12$96LR7NxL/T7LaijR0fxl3.aVI8owkpq0B./ogZ8wNmzF1bGPEZPBK",
+    "tectonic_admin_password": "PASSWORD",
     "tectonic_base_domain": "unused",
     "tectonic_cluster_cidr": "10.2.0.0/16",
     "tectonic_cluster_name": "my-cluster",

installer/frontend/cluster-config.js

@@ -1,11 +1,8 @@
 import _ from 'lodash';
-import bcrypt from 'bcryptjs';
 
 import { BARE_METAL_TF } from './platforms';
 import { keyToAlg } from './utils';
 
-const bcryptCost = 12;
-
 // TODO: (ggreer) clean up key names. Warning: Doing this will break progress files.
 export const AWS_ACCESS_KEY_ID = 'awsAccessKeyId';
 export const AWS_SUBNETS = 'awsSubnets';
@@ -196,7 +193,7 @@ export const DEFAULT_CLUSTER_CONFIG = {
 };
 
 
-export const toAWS_TF = (cc, FORMS, opts = {}) => {
+export const toAWS_TF = (cc, FORMS) => {
   const controllers = FORMS[AWS_CONTROLLERS].getData(cc);
   const etcds = FORMS[AWS_ETCDS].getData(cc);
   const workers = FORMS[AWS_WORKERS].getData(cc);
@@ -233,7 +230,7 @@ export const toAWS_TF = (cc, FORMS, opts = {}) => {
     },
     variables: {
       // eslint-disable-next-line no-sync
-      tectonic_admin_password_hash: bcrypt.hashSync(cc[ADMIN_PASSWORD], opts.salt || bcrypt.genSaltSync(bcryptCost)),
+      tectonic_admin_password: cc[ADMIN_PASSWORD],
       tectonic_aws_region: cc[AWS_REGION],
       tectonic_admin_email: cc[ADMIN_EMAIL],
       tectonic_aws_master_ec2_type: controllers[INSTANCE_TYPE],
@@ -297,7 +294,7 @@ export const toAWS_TF = (cc, FORMS, opts = {}) => {
   return ret;
 };
 
-export const toBaremetal_TF = (cc, FORMS, opts = {}) => {
+export const toBaremetal_TF = (cc, FORMS) => {
   const sshKey = FORMS[BM_SSH_KEY].getData(cc);
   const masters = cc[BM_MASTERS];
   const workers = cc[BM_WORKERS];
@@ -311,7 +308,7 @@ export const toBaremetal_TF = (cc, FORMS, opts = {}) => {
     retry: cc[RETRY],
     variables: {
       // eslint-disable-next-line no-sync
-      tectonic_admin_password_hash: bcrypt.hashSync(cc[ADMIN_PASSWORD], opts.salt || bcrypt.genSaltSync(bcryptCost)),
+      tectonic_admin_password: cc[ADMIN_PASSWORD],
       tectonic_cluster_name: cc[CLUSTER_NAME],
       tectonic_admin_email: cc[ADMIN_EMAIL],
       tectonic_metal_cl_version: cc[BM_OS_TO_USE],

installer/frontend/package.json

@@ -28,7 +28,6 @@
   "dependencies": {
     "babel-plugin-git-version": "github:coreos/babel-plugin-git-version-build",
     "babyparse": "0.4.x",
-    "bcryptjs": "2.x",
     "classnames": "2.2.x",
     "file-saver": "1.3.x",
     "immutable": "3.8.x",

installer/frontend/yarn.lock

@@ -759,10 +759,6 @@ bcrypt-pbkdf@^1.0.0:
   dependencies:
     tweetnacl "^0.14.3"
 
-[email protected]:
-  version "2.4.3"
-  resolved "https://registry.yarnpkg.com/bcryptjs/-/bcryptjs-2.4.3.tgz#9ab5627b93e60621ff7cdac5da9733027df1d0cb"
-
 binary-extensions@^1.0.0:
   version "1.9.0"
   resolved "https://registry.yarnpkg.com/binary-extensions/-/binary-extensions-1.9.0.tgz#66506c16ce6f4d6928a5b3cd6a33ca41e941e37b"

modules/tectonic/assets.tf

@@ -54,7 +54,7 @@ resource "template_dir" "tectonic" {
 
     admin_user_id       = "${random_id.admin_user_id.b64}"
     admin_email         = "${lower(var.admin_email)}"
-    admin_password_hash = "${var.admin_password_hash}"
+    admin_password_hash = "${bcrypt(var.admin_password, 12)}"
 
     console_base_address = "${var.base_address}"
     console_client_id    = "${var.console_client_id}"

modules/tectonic/variables.tf

@@ -65,10 +65,10 @@ variable "admin_email" {
   default     = "[email protected]"
 }
 
-variable "admin_password_hash" {
-  description = "Hashed password used to by the cluster admin to login to the Tectonic Console. Generate with the bcrypt-hash tool (https://github.com/coreos/bcrypt-tool/releases/tag/v1.0.0)."
+variable "admin_password" {
+  description = "Password used to by the cluster admin to login to the Tectonic Console. Backslashes and double quotes must be escaped."
   type        = "string"
-  default     = "2a$12$k9wa31uE/4uD9aVtT/vNtOZwxXyEJ/9DwXXEYB/eUpb9fvEPsH/kO"
+  default     = "PASSWORD"
 }
 
 variable "update_server" {

platforms/aws/tectonic.tf

@@ -86,8 +86,8 @@ module "tectonic" {
   license_path     = "${var.tectonic_vanilla_k8s ? "/dev/null" : pathexpand(var.tectonic_license_path)}"
   pull_secret_path = "${var.tectonic_vanilla_k8s ? "/dev/null" : pathexpand(var.tectonic_pull_secret_path)}"
 
-  admin_email         = "${var.tectonic_admin_email}"
-  admin_password_hash = "${var.tectonic_admin_password_hash}"
+  admin_email    = "${var.tectonic_admin_email}"
+  admin_password = "${var.tectonic_admin_password}"
 
   update_channel = "${var.tectonic_update_channel}"
   update_app_id  = "${var.tectonic_update_app_id}"

platforms/azure/tectonic.tf

@@ -57,8 +57,8 @@ module "tectonic" {
   license_path     = "${var.tectonic_vanilla_k8s ? "/dev/null" : pathexpand(var.tectonic_license_path)}"
   pull_secret_path = "${var.tectonic_vanilla_k8s ? "/dev/null" : pathexpand(var.tectonic_pull_secret_path)}"
 
-  admin_email         = "${var.tectonic_admin_email}"
-  admin_password_hash = "${var.tectonic_admin_password_hash}"
+  admin_email    = "${var.tectonic_admin_email}"
+  admin_password = "${var.tectonic_admin_password}"
 
   update_channel = "${var.tectonic_update_channel}"
   update_app_id  = "${var.tectonic_update_app_id}"

platforms/metal/tectonic.tf

@@ -65,8 +65,8 @@ module "tectonic" {
   license_path     = "${var.tectonic_vanilla_k8s ? "/dev/null" : pathexpand(var.tectonic_license_path)}"
   pull_secret_path = "${var.tectonic_vanilla_k8s ? "/dev/null" : pathexpand(var.tectonic_pull_secret_path)}"
 
-  admin_email         = "${var.tectonic_admin_email}"
-  admin_password_hash = "${var.tectonic_admin_password_hash}"
+  admin_email    = "${var.tectonic_admin_email}"
+  admin_password = "${var.tectonic_admin_password}"
 
   update_channel = "${var.tectonic_update_channel}"
   update_app_id  = "${var.tectonic_update_app_id}"

platforms/openstack/neutron/main.tf

@@ -64,8 +64,8 @@ module "tectonic" {
   license_path     = "${var.tectonic_vanilla_k8s ? "/dev/null" : pathexpand(var.tectonic_license_path)}"
   pull_secret_path = "${var.tectonic_vanilla_k8s ? "/dev/null" : pathexpand(var.tectonic_pull_secret_path)}"
 
-  admin_email         = "${var.tectonic_admin_email}"
-  admin_password_hash = "${var.tectonic_admin_password_hash}"
+  admin_email    = "${var.tectonic_admin_email}"
+  admin_password = "${var.tectonic_admin_password}"
 
   update_channel = "${var.tectonic_update_channel}"
   update_app_id  = "${var.tectonic_update_app_id}"

platforms/vmware/tectonic.tf

@@ -67,8 +67,8 @@ module "tectonic" {
   license_path     = "${var.tectonic_vanilla_k8s ? "/dev/null" : pathexpand(var.tectonic_license_path)}"
   pull_secret_path = "${var.tectonic_vanilla_k8s ? "/dev/null" : pathexpand(var.tectonic_pull_secret_path)}"
 
-  admin_email         = "${var.tectonic_admin_email}"
-  admin_password_hash = "${var.tectonic_admin_password_hash}"
+  admin_email    = "${var.tectonic_admin_email}"
+  admin_password = "${var.tectonic_admin_password}"
 
   update_channel = "${var.tectonic_update_channel}"
   update_app_id  = "${var.tectonic_update_app_id}"

tests/conformance/conformance.sh

@@ -24,7 +24,7 @@ TF_VAR_tectonic_pull_secret_path=${TF_VAR_tectonic_pull_secret_path}
 TF_VAR_tectonic_license_path=${TF_VAR_tectonic_license_path}
 TF_VAR_tectonic_aws_ssh_key="jenkins"
 TF_VAR_tectonic_admin_email=${TF_VAR_tectonic_admin_email}
-TF_VAR_tectonic_admin_password_hash=${TF_VAR_tectonic_admin_password_hash}
+TF_VAR_tectonic_admin_password=${TF_VAR_tectonic_admin_password}
 EOF
 }
 

tests/smoke/bare-metal/vars/metal.tfvars

@@ -113,9 +113,8 @@ tectonic_ssh_authorized_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPQFdwVLr+a
 
 # Tectonic
 
-# generate a hash with the bcrypt-hash tool (https://github.com/coreos/bcrypt-tool/releases/tag/v1.0.0) that will be used for your admin user.
 tectonic_admin_email = "[email protected]"
-tectonic_admin_password_hash = "$2a$12$T8hTe.NlOPDP0SS3DxNeDuVhHSFbdGXZEhGps/W.BG4QC7.1/nDaG"
+tectonic_admin_password = "PASSWORD"
 
 # Update Details
 # leave blank for default values