Use Terraform to bcrypt the admin password #1771
Conversation
edevenport
changed the title
|
@squat Do you have some time to review the code and test results? |
|
Thanks @edevenport, I'll TAL now. |
|
Jenkins & GitHub are complaining about the same merge conflicts. |
sym3tri
changed the title
|
ok to test |
|
@edevenport there are two small issues in the lint for the frontend. |
|
ok to test |
|
Thank you @cpanato - the lint errors should be resolved now. |
|
@edevenport looking better! now the frontend tests are failing with: To fix this we need to update the |
|
ok to test |
| @@ -0,0 +1,277 @@ | |||
| # Install Tectonic on Azure with Terraform | |||
There was a problem hiding this comment.
@edevenport why was this included in this PR? could we remove this doc?
There was a problem hiding this comment.
@squat Sorry about that. It was updated in my original PR before it was removed from master and seems to have gotten restored during my pull. I rebased and removed the file.
|
Thank you @squat - looks like the tests are passing now. |
|
@edevenport the tests look good. The one main outstanding issue is the azure doc. Did that sneak in accidentally? |
edevenport
force-pushed
the
terraform_bcrypt_643
branch
from
56b7ed2 to
3d630f0
Compare
|
ok to test |
config.tf
Outdated
| type = "string" | ||
|
|
||
| description = <<EOF | ||
| The bcrypt hash of admin user password to login to the Tectonic Console. | ||
| Use the bcrypt-hash tool (https://github.com/coreos/bcrypt-tool/releases/tag/v1.0.0) to generate it. | ||
| The admin user password to login to the Tectonic Console. Backslashes and double quotes should |
There was a problem hiding this comment.
s/should/must/ to convey that it is a requirement.
There was a problem hiding this comment.
Done. I also moved the special character requirement to the Note line for better division between parameter description and requirements.
modules/tectonic/variables.tf
Outdated
| variable "admin_password_hash" { | ||
| description = "Hashed password used to by the cluster admin to login to the Tectonic Console. Generate with the bcrypt-hash tool (https://github.com/coreos/bcrypt-tool/releases/tag/v1.0.0)." | ||
| variable "admin_password" { | ||
| description = "Password used to by the cluster admin to login to the Tectonic Console. Backslashes and double quotes should be escaped." |
There was a problem hiding this comment.
s/should/must/ to convey that it is a requirement.
Documentation/variables/config.md
Outdated
| @@ -7,7 +7,7 @@ This document gives an overview of variables used in all platforms of the Tecton | |||
| | Name | Description | Type | Default | | |||
| |------|-------------|:----:|:-----:| | |||
| | tectonic_admin_email | The e-mail address used to: 1. login as the admin user to the Tectonic Console. 2. generate DNS zones for some providers.<br><br>Note: This field MUST be in all lower-case e-mail address format and set manually prior to creating the cluster. | string | - | | |||
| | tectonic_admin_password_hash | The bcrypt hash of admin user password to login to the Tectonic Console. Use the bcrypt-hash tool (https://github.com/coreos/bcrypt-tool/releases/tag/v1.0.0) to generate it.<br><br>Note: This field MUST be set manually prior to creating the cluster. | string | - | | |||
| | tectonic_admin_password | The admin user password to login to the Tectonic Console. Backslashes and double quotes should be escaped.<br><br>Note: This field MUST be set manually prior to creating the cluster. | string | - | | |||
There was a problem hiding this comment.
Thanks for making that change. Looks like we need to make docs && make examples again now
edevenport
force-pushed
the
terraform_bcrypt_643
branch
2 times, most recently
from
c728dca to
367441d
Compare
|
The tests are failing with the following error: This is because the smoke tests use Terraform 0.9.x, which does not have support for bcrypt. We'll need to bump that or wait for #1841. |
|
@edevenport do you mind to rebase this PR? Thanks! |
edevenport
force-pushed
the
terraform_bcrypt_643
branch
from
367441d to
55c25d5
Compare
|
A merge conflict was introduced recently, so I rebased the branch and corrected the issue. |
edevenport
force-pushed
the
terraform_bcrypt_643
branch
from
55c25d5 to
44b5e6a
Compare
|
@squat We are ready for a review (and hopefully merger) again. |
| tectonic_admin_email = "[email protected]" | ||
| tectonic_admin_password_hash = "$2a$12$T8hTe.NlOPDP0SS3DxNeDuVhHSFbdGXZEhGps/W.BG4QC7.1/nDaG" | ||
| tectonic_admin_password = "password" |
modules/tectonic/variables.tf
Outdated
| type = "string" | ||
| default = "2a$12$k9wa31uE/4uD9aVtT/vNtOZwxXyEJ/9DwXXEYB/eUpb9fvEPsH/kO" | ||
| default = "password" |
There was a problem hiding this comment.
I strongly suggest to remove this default value here.
| @@ -37,7 +37,7 @@ | |||
| "tectonicLicense": "<TECTONIC_LICENSE>", | |||
| "pullSecret": "<TECTONIC_PULL_SECRET>", | |||
| "adminEmail": "[email protected]", | |||
| "adminPassword": "PASSWORD", | |||
| "adminPassword": "password", | |||
There was a problem hiding this comment.
Looks good, but I second @s-urbaniak 's suggestion of removing the hardcoded password value from the test configs. We will inject that from CI.
I'm asking myself if we should rather also keep the old variable there for a while (and fall back to using it) to provide a migration path. This is a rather sensitive change since it alters the confidentiality level of the tfvars file. I'd rather users have some time to adjust their workflows around it.
|
ping @edevenport: do you mind to rebase+address the review comments? |
jasmingacic
force-pushed
the
terraform_bcrypt_643
branch
from
09fd997 to
b130bc8
Compare
edevenport
force-pushed
the
terraform_bcrypt_643
branch
from
4e2b8fa to
cebf485
Compare
|
@s-urbaniak The rebase is completed. I'll see if @cpanato can assist with the Jenkins piece. |
|
retest this please |
Jenkinsfile
Outdated
| $class: 'UsernamePasswordMultiBinding', | ||
| credentialsId: 'tectonic-console-login', | ||
| passwordVariable: 'TF_VAR_tectonic_admin_email', | ||
| usernameVariable: 'TF_VAR_tectonic_admin_password' |
There was a problem hiding this comment.
We dont need to set the admin_email/password because in the rspec tests we randon generate those.
There was a problem hiding this comment.
can you please remove this change?
Fixed trailed comma in frontend test. Changed test password to be lowercase due to failing test.
cpanato
force-pushed
the
terraform_bcrypt_643
branch
from
d476dea to
6dbacb3
Compare
|
@edevenport @alexsomesan @s-urbaniak @squat all green now :) |
bcrypt support landed in coreos#1771 but the change was not promoted to GCP. This fixes it.
* modules/tectonic: add kube_dns_service_ip variable This fixes a regression introduced in #2014. * platforms/gcp: replace admin_password_hash with admin_password bcrypt support landed in #1771 but the change was not promoted to GCP. This fixes it. * modules/tectonic: use literals for values of data keys ConfigMaps in k8s are key-value pairs in a data section. The values need to be literal YAML strings otherwise the nested YAML will be interpreted causing a failure in deploying the ConfigMap. This fixes another regression introduced in #2014
Frontend and backend have been adjusted to use Terraform bcrypt interpolation for the adminPassword per issue #643. I have tested locally with
make applyand through the UI with localterraformversions 0.9.11 and 0.10.2.Password has been tested with the following special characters:
Backslashes and double quotes will need to be escaped when setting the password in
terraform.tfvarsmanually (template descriptions updated accordingly), but all above special characters handled successfully through the UI.I am unable to validate tests through Jenkins, but
TF_VAR_tectonic_admin_password_hashis nowTF_VAR_tectonic_admin_passwordand requires a plain text password.