Merge pull request #99 from IQSS/75-password-provisioning

75 password provisioning

README.md

@@ -26,11 +26,15 @@ and https://github.com/IQSS/dataverse/issues/5448
 
 ## Usage
 
-*Quick'n'dirty on naked cluster:*
+*Quick'n'dirty demo on naked cluster:*
 ```
 kubectl apply -k .
 ```
-(This will of course need a recent `kubectl` and a configured cluster context.)
+
+**Notes:**
+- This will of course need a recent `kubectl` and a configured cluster context.
+- This is usable for demo purposes.
+- You really want to [provide a secure admin password](https://github.com/IQSS/dataverse-kubernetes/blob/master/docs/secrets.md) for anything serious.
 
 A number of utilities have been added for your convienience:
 have a look at [Little Helpers](https://github.com/IQSS/dataverse-kubernetes/blob/master/docs/little-helpers.md).

docker/dataverse-k8s/bin/bootstrap-job.sh

@@ -26,6 +26,12 @@ if [ ! -s "${SECRETS_DIR}/api/key" ]; then
   exit 126
 fi
 
+# Load dataverseAdmin password if present
+if [ -s "${SECRETS_DIR}/admin/password" ]; then
+  echo "Loading admin password from secret file."
+  ADMIN_PASSWORD=`cat ${SECRETS_DIR}/admin/password`
+fi
+
 # Drop the Postgres credentials into .pgpass
 echo "${POSTGRES_SERVER}:*:*:${POSTGRES_USER}:`cat ${SECRETS_DIR}/db/password`" > ${HOME_DIR}/.pgpass
 chmod 0600 ${HOME_DIR}/.pgpass
@@ -41,7 +47,7 @@ sed -i -e "s#localhost:8080#${DATAVERSE_SERVICE_HOST}:${DATAVERSE_SERVICE_PORT}#
 sed -i -e "s#[email protected]#${CONTACT_MAIL}#" data/dv-root.json
 sed -i -e "s#[email protected]#${CONTACT_MAIL}#" data/user-admin.json
 # 2c) Use script(s) to bootstrap the instance.
-./setup-all.sh --insecure
+./setup-all.sh --insecure -p="${ADMIN_PASSWORD}"
 
 # 4.) Configure Solr location
 curl -sS -X PUT -d "${SOLR_K8S_HOST}:8983" "${DATAVERSE_URL}/api/admin/settings/:SolrHostColonPort"

docker/dataverse-k8s/glassfish/bin/default.config

@@ -8,6 +8,7 @@ POSTGRES_DATABASE=${POSTGRES_DATABASE:-${POSTGRES_USER}}
 MAIL_SERVER=${MAIL_SERVER:-postfix}
 CONTACT_MAIL=${CONTACT_MAIL:-"[email protected]"}
 ADMIN_MAIL=${ADMIN_MAIL:-"Dataverse on K8S <[email protected]>"}
+ADMIN_PASSWORD=${ADMIN_PASSWORD:-admin1}
 
 # System properties based Dataverse configuration options
 # (Exporting needed as they cannot be seen by `env` otherwise)

docs/release-notes/4.16-75-admin-password.md

@@ -0,0 +1,3 @@
+As of this release (4.16) you should be aware that the default
+`dataverseAdmin` password is no longer *admin*, but *admin1*. As
+IQSS/dataverse-ansible does the same, let's be consistent. See #75 for details.

docs/secrets.md

@@ -8,9 +8,11 @@ Currently understood secrets in the container, mounted at `SECRETS_DIR=/opt/data
 3. `db/password` - required - guess why?
 4. `api/key` - required because you want the *unblock-key* for anything serious.
 5. `s3/access-key` and `s3/secret-key` - needed when you want to use S3 storage. See #28.
+6. `admin/password` - optional, provision a password for the `dataverseAdmin` account.
 
-A [password alias](https://docs.oracle.com/cd/E19798-01/821-1751/ghgqc/index.html) is automatically created and used for those, no need to provide
-those yourself. (see [default.config](https://github.com/IQSS/dataverse-kubernetes/blob/master/docker/dataverse-k8s/bin/default.config))
+A [password alias](https://docs.oracle.com/cd/E19798-01/821-1751/ghgqc/index.html)
+is automatically created and used for those that are set via JVM options, no need
+to provide those yourself. (see [default.config](https://github.com/IQSS/dataverse-kubernetes/blob/master/docker/dataverse-k8s/bin/default.config))
 
 You can of course map other parts of the secret like usernames to an environment
 variable like `doi_username` etc.
@@ -26,3 +28,15 @@ kubectl create secret generic dataverse-postgresql \
             --from-literal=password='changeme' \
             --from-literal=database='mydataverse'
 ```
+
+### Provision a password for your superadmin account
+The password for the superadmin account `dataverseAdmin` defaults to
+**admin1**. *You really should change that to something more secure.*
+<small>*Note:* this password is the same as IQSS/dataverse-ansible uses!</small>
+
+During bootstrap, mount a secret at `${SECRETS_DIR}/admin/password` to provision
+it while creating the account. A less secure way is to provide it as environment
+variable `ADMIN_PASSWORD`.
+
+Using a password not matching the enabled password policies will force you
+to provide a new password on first login. See the [Dataverse guides](http://guides.dataverse.org/en/latest/installation/config.html#enforce-strong-passwords-for-user-accounts) for more details.

k8s/dataverse/jobs/bootstrap.yaml

@@ -42,6 +42,9 @@ spec:
             - name: api-secret
               mountPath: "/opt/dataverse/secrets/api"
               readOnly: true
+            - name: admin-secret
+              mountPath: "/opt/dataverse/secrets/admin"
+              readOnly: true
       initContainers:
         - name: check-db-ready
           image: postgres:9.6
@@ -65,5 +68,9 @@ spec:
         - name: api-secret
           secret:
             secretName: dataverse-api
+        - name: admin-secret
+          secret:
+            secretName: dataverse-admin
+            optional: true
       restartPolicy: Never
   backoffLimit: 4

k8s/utils/demo-secrets.yaml

@@ -42,3 +42,17 @@ metadata:
 type: Opaque
 stringData:
   key: supersecret
+---
+#apiVersion: v1
+#kind: Secret
+#metadata:
+#  name: dataverse-admin
+#  labels:
+#    app.kubernetes.io/name: dataverse-admin
+#    app.kubernetes.io/version: "1.0"
+#    app.kubernetes.io/component: secret
+#    app.kubernetes.io/part-of: dataverse
+#    app.kubernetes.io/managed-by: kubectl
+#type: Opaque
+#stringData:
+#  password: admin1