create application-db user from master password #24

davidcheung · 2020-07-06T18:07:02Z

The backend service expects a sercet with DB_PASSWORD and DB_USERNAME
Currently we provision an RDS with a master password, and its a horrible idea for application to use master password to connect to db, this PR creates an extra step during apply to create a application specific user in the db and a k8s-secret

the manifest creates 4 things
- Namespace: db-ops
- Secret in db-ops: db-create-users (with master password, and a .sql file
- Job in db-ops: db-create-users (runs the .sql file against the RDS given master_password from env)
- Secret in Application namespace with DB_USERNAME / DB_PASSWORD
then it deletes the db-ops namespace leaving only the Secret in Application namespace behind

bmonkman · 2020-07-06T18:50:58Z

db-ops/create-db-user.sh

+# docker image with postgres client only
+DOCKER_IMAGE_TAG=governmentpaas/psql:latest
+
+DB_ENDPOINT=$(aws rds describe-db-instances --region=$REGION --query "DBInstances[?DBName=='$PROJECT_NAME'].Endpoint.Address" | jq '.[0]' |  sed "s/\"//g")


Another alternative we may want to explore here which would make this easier to use is in the aws-eks repo we could create an "externalname" service in the cluster which points to the database, then we could refer to it by a static name rather than having to get the RDS hostname.

Also if you use jq -r you don't need that sed at the end.

db-ops/create-db-user.sh

db-ops/job-create-db.yml.tpl

bmonkman

Nice! Requested a couple changes.

db-ops/create-db-user.sh

bmonkman · 2020-07-06T20:23:45Z

db-ops/create-db-user.sh

+
+# Deleting the entire db-ops namespace, leaving ONLY application-namespace's secret behind
+kubectl wait --for=condition=complete --timeout=10s job db-create-users
+kubectl delete namespace db-ops


If the intent is for the previous command to kill the script if it fails you should use set -e at the top but it's probably a better ideal to check if the return value of the previous command is zero and then delete the namespace. We probably want to keep the namespace if the job failed to debug.

somelike like?

Suggested change

kubectl delete namespace db-ops

EXIT_CODE=$?

if [ $EXIT_CODE -eq 0 ]

then

kubectl delete namespace db-ops

if

Yeah! (Though needs syntax fix, and you could just have $? in the comparison without assigning it.)
And you could have an else in there with a nicer message like "Failed to create an application user in the database - you can find out more by running kubectl -n db-ops get logs blahblah"

db-ops/create-db-user.sh

bmonkman · 2020-07-06T21:12:39Z

db-ops/create-db-user.sh

+then 
+  kubectl delete namespace db-ops
+else 
+  POD_NAME=$(kubectl -n db-ops get po | grep db-create-users |awk '{print $1}')


You could clean this up a bit by giving the pod spec in the job a label like app: db-create-users and then a user could run kubectl logs -n db-ops -l app=db-create-users

oh nice, didnt know it supports labels 👁️

looks like they come with a job-name label, gonna use that instead

davidcheung requested a review from bmonkman July 6, 2020 18:07

davidcheung mentioned this pull request Jul 6, 2020

Adding PROJECT_NAME to env for makefile commitdev/zero#194

Merged

davidcheung force-pushed the create-db-user branch 3 times, most recently from d4b1e03 to 84c467d Compare July 6, 2020 18:19