diff --git a/components/automate-backend-ctl/habitat/lib/automate/backend/automate_config.rb b/components/automate-backend-ctl/habitat/lib/automate/backend/automate_config.rb index 080d67ff373..3a2b3327242 100644 --- a/components/automate-backend-ctl/habitat/lib/automate/backend/automate_config.rb +++ b/components/automate-backend-ctl/habitat/lib/automate/backend/automate_config.rb @@ -1,5 +1,6 @@ require 'erb' require 'openssl' +require 'base64' module Automate module Backend @@ -64,6 +65,10 @@ def create_fqdn_cert() [fqdn_key.to_pem, fqdn_cert.to_pem] end + def encode_string(input_string) + encoded_string = Base64.encode64(input_string).chomp + end + def render ERB.new(content(template_path), nil, '-').result(binding) end diff --git a/components/automate-backend-deployment/README.md b/components/automate-backend-deployment/README.md index ae169c36ac9..6e1c988db21 100644 --- a/components/automate-backend-deployment/README.md +++ b/components/automate-backend-deployment/README.md @@ -5,3 +5,5 @@ This provides the `automate-backend-deployment` package. This package will build a package using terraform/a2ha-terraform, inspecs, test, certs and Makefile. This is the heart of the a2ha because this component will set up a workspace for a2ha and all the a2ha command will get available after installing this package. + + diff --git a/components/automate-cli/cmd/chef-automate/automateHAAwsDeployment.go b/components/automate-cli/cmd/chef-automate/automateHAAwsDeployment.go index d5519618419..a3ebcb3c75a 100644 --- a/components/automate-cli/cmd/chef-automate/automateHAAwsDeployment.go +++ b/components/automate-cli/cmd/chef-automate/automateHAAwsDeployment.go @@ -3,6 +3,7 @@ package main import ( "container/list" "crypto/x509" + "encoding/base64" "encoding/pem" "fmt" "net/http" @@ -146,6 +147,7 @@ func (a *awsDeployment) generateConfig(state string) error { } a.setDefaultBasePath() + a.encodePasswordFields() return writeHAConfigFiles(awsA2harbTemplate, a.config, state) } 
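Review bot: `Base64.encode64` breaks its output with a newline after every 60 characters and `chomp` removes only the trailing one, so `encode_string` returns a multi-line value for any password longer than 45 bytes, and that value is interpolated inside a double-quoted TOML string by the config.toml.erb hunks at the end of this page, which is not valid TOML. `Base64.strict_encode64` emits no line breaks and also makes the unused local unnecessary: `def encode_string(input_string)` / `  Base64.strict_encode64(input_string)` / `end`. A one-line comment above the method saying that the result is plain base64 obfuscation, not encryption, and that the Go side decodes it with `base64.StdEncoding`, would help anyone reading the template later.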
@@ -547,3 +549,18 @@ func (a *awsDeployment) isIamRolePresent() error { } return nil } + +func (a *awsDeployment) encodePasswordFields() { + if a.config.Aws.Config.SetupManagedServices { + writer.Println("Encoding password fields") + if len(a.config.Aws.Config.OpensearchUserPassword) > 0 { + a.config.Aws.Config.OpensearchUserPassword = base64.StdEncoding.EncodeToString([]byte((a.config.Aws.Config.OpensearchUserPassword))) + } + if len(a.config.Aws.Config.RDSSuperUserPassword) > 0 { + a.config.Aws.Config.RDSSuperUserPassword = base64.StdEncoding.EncodeToString([]byte((a.config.Aws.Config.RDSSuperUserPassword))) + } + if len(a.config.Aws.Config.RDSDBUserPassword) > 0 { + a.config.Aws.Config.RDSDBUserPassword = base64.StdEncoding.EncodeToString([]byte((a.config.Aws.Config.RDSDBUserPassword))) + } + } +} diff --git a/components/automate-cli/cmd/chef-automate/automateHADeployExistingInfra.go b/components/automate-cli/cmd/chef-automate/automateHADeployExistingInfra.go index 6f37e8d8f2c..d90defbff4f 100644 --- a/components/automate-cli/cmd/chef-automate/automateHADeployExistingInfra.go +++ b/components/automate-cli/cmd/chef-automate/automateHADeployExistingInfra.go @@ -2,6 +2,7 @@ package main import ( "container/list" + "encoding/base64" "encoding/json" "encoding/pem" "fmt" @@ -96,6 +97,7 @@ func (e *existingInfra) generateConfig(state string) error { } e.setDefaultBasePath() + e.encodePasswordFields() return writeHAConfigFiles(existingNodesA2harbTemplate, e.config, state) } 
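Review bot: `encodePasswordFields` base64-encodes whatever is in the three password fields on every call, and a string that is already base64 encodes again without error, so nothing here distinguishes a plaintext config from one that was already encoded — a config produced by the pull path in this same commit (getExternalPGDetails and getExternalOpensearchDetails now write base64 values) or a second generateConfig call in one process would come out double-encoded and fail to round-trip on the node. The same applies to `existingInfra.encodePasswordFields` in the next hunk. At minimum the non-idempotence should be stated in a doc comment; the three repeated blocks also collapse into one helper, which is a natural place to hold that note. The `generateConfig` hunk on the previous line inserts the call, and that function is not otherwise visible here.
```go
// encodeIfSet returns the base64 form of s, or s unchanged when it is empty.
// It is not idempotent: an already-encoded value is encoded again.
func encodeIfSet(s string) string {
	if s == "" {
		return s
	}
	return base64.StdEncoding.EncodeToString([]byte(s))
}

// encodePasswordFields base64-encodes the managed-service passwords in place
// before the config is written out; see encodeIfSet for the idempotence caveat.
func (a *awsDeployment) encodePasswordFields() {
	if !a.config.Aws.Config.SetupManagedServices {
		return
	}
	writer.Println("Encoding password fields")
	cfg := &a.config.Aws.Config
	cfg.OpensearchUserPassword = encodeIfSet(cfg.OpensearchUserPassword)
	cfg.RDSSuperUserPassword = encodeIfSet(cfg.RDSSuperUserPassword)
	cfg.RDSDBUserPassword = encodeIfSet(cfg.RDSDBUserPassword)
}
```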
@@ -776,3 +778,18 @@ func writeGoogleserviceJsonFile(filePath string, serviceAccount GoogleServiceAcc return nil } + +func (e *existingInfra) encodePasswordFields() { + if e.config.ExternalDB.Database.Type == "aws" || e.config.ExternalDB.Database.Type == "self-managed" { + writer.Println("Encoding password fields") + if len(e.config.ExternalDB.Database.Opensearch.OpensearchSuperUserPassword) > 0 { + e.config.ExternalDB.Database.Opensearch.OpensearchSuperUserPassword = base64.StdEncoding.EncodeToString([]byte((e.config.ExternalDB.Database.Opensearch.OpensearchSuperUserPassword))) + } + if len(e.config.ExternalDB.Database.PostgreSQL.PostgreSQLSuperUserPassword) > 0 { + e.config.ExternalDB.Database.PostgreSQL.PostgreSQLSuperUserPassword = base64.StdEncoding.EncodeToString([]byte((e.config.ExternalDB.Database.PostgreSQL.PostgreSQLSuperUserPassword))) + } + if len(e.config.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserPassword) > 0 { + e.config.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserPassword = base64.StdEncoding.EncodeToString([]byte((e.config.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserPassword))) + } + } +} diff --git a/components/automate-cli/cmd/chef-automate/decode_password.go b/components/automate-cli/cmd/chef-automate/decode_password.go new file mode 100644 index 00000000000..1c058376dc9 --- /dev/null +++ b/components/automate-cli/cmd/chef-automate/decode_password.go 
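Review bot: The gate on the first line of `existingInfra.encodePasswordFields` compares `ExternalDB.Database.Type` against the bare literals `"aws"` and `"self-managed"`, while pullAndGenerateConfig.go in this same commit compares the database type against the named constant `TYPE_SELF_MANAGED` (visible in its getExternalOpensearchDetails hunk). Using the same constants here keeps the two sides from drifting: `if e.config.ExternalDB.Database.Type == TYPE_AWS || e.config.ExternalDB.Database.Type == TYPE_SELF_MANAGED {` — assuming an `aws` counterpart to `TYPE_SELF_MANAGED` exists, which this page does not show. The non-idempotence of the encoding noted on the awsDeployment variant applies here as well.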
@@ -0,0 +1,107 @@ +package main + +import ( + "encoding/base64" + + dc "github.com/chef/automate/api/config/deployment" + "github.com/chef/automate/components/automate-cli/pkg/docs" + "github.com/chef/automate/lib/io/fileutils" + "github.com/chef/toml" + "github.com/spf13/cobra" +) + +var decodePasswordCmdFlags = struct { + config string +}{} + +func init() { + RootCmd.AddCommand(decodePasswordCmd) + decodePasswordCmd.PersistentFlags().StringVarP( + &decodePasswordCmdFlags.config, + "config", + "c", + "", + "Config file that needs to be updated with decoded passwords") +} + +var decodePasswordCmd = &cobra.Command{ + Use: "decode-password [/path/to/config.toml]", + Short: "Decodes the password fields", + Long: "Decodes the password fields in the specified config.toml file", + RunE: runDecodePasswordCmd, + Args: cobra.ExactArgs(1), + Hidden: true, + Annotations: map[string]string{ + docs.Tag: docs.BastionHost, + }, +} + +func runDecodePasswordCmd(cmd *cobra.Command, args []string) error { + if len(args) > 0 { + configFile := args[0] + if len(configFile) > 0 { + if checkIfFileExist(configFile) { + tomlbyte, _ := fileutils.ReadFile(configFile) // nosemgrep + configString := string(tomlbyte) + var config dc.AutomateConfig + if _, err := toml.Decode(configString, &config); err != nil { + return err + } + if config.Global != nil && config.Global.V1 != nil && config.Global.V1.External != nil { + if config.Global.V1.External.Postgresql != nil && config.Global.V1.External.Postgresql.Auth != nil && config.Global.V1.External.Postgresql.Auth.Password != nil { + if config.Global.V1.External.Postgresql.Auth.Password.Superuser != nil && config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password != nil { + superUserPassword := config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value + if superUserPassword != "" { + superUserPswd, decErr := base64.StdEncoding.DecodeString(superUserPassword) + if decErr != nil { + return decErr + } + 
config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value = string(superUserPswd) + } + } + if config.Global.V1.External.Postgresql.Auth.Password.Dbuser != nil && config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password != nil { + dbUserPassword := config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value + if dbUserPassword != "" { + dbUserPswd, decErr := base64.StdEncoding.DecodeString(dbUserPassword) + if decErr != nil { + return decErr + } + config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value = string(dbUserPswd) + } + } + } + if config.Global.V1.External.Opensearch != nil && config.Global.V1.External.Opensearch.Auth != nil && config.Global.V1.External.Opensearch.Auth.Scheme != nil { + if config.Global.V1.External.Opensearch.Auth.Scheme.Value == "basic_auth" && config.Global.V1.External.Opensearch.Auth.BasicAuth != nil && config.Global.V1.External.Opensearch.Auth.BasicAuth.Password != nil { + password := config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value + decodedPassword, err := decodeString(password) + if err == nil && decodedPassword != "" { + config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value = decodedPassword + } + }else if config.Global.V1.External.Opensearch.Auth.Scheme.Value == "aws_os" && config.Global.V1.External.Opensearch.Auth.AwsOs != nil && config.Global.V1.External.Opensearch.Auth.AwsOs.Password != nil { + password := config.Global.V1.External.Opensearch.Auth.AwsOs.Password.Value + decodedPassword, err := decodeString(password) + if err == nil && decodedPassword != "" { + config.Global.V1.External.Opensearch.Auth.AwsOs.Password.Value = decodedPassword + + } + } + } + _, err := fileutils.CreateTomlFileFromConfig(&config, configFile) + if err != nil { + return err + } + + } + } + } + } + return nil +} + +func decodeString (encodedStr string) (string, error) { + decodedStr, decErr := base64.StdEncoding.DecodeString(encodedStr) + if decErr != nil { + 
return "", decErr + } + return string(decodedStr), nil +} \ No newline at end of file diff --git a/components/automate-cli/cmd/chef-automate/decode_password_test.go b/components/automate-cli/cmd/chef-automate/decode_password_test.go new file mode 100644 index 00000000000..a67539a4abb --- /dev/null +++ b/components/automate-cli/cmd/chef-automate/decode_password_test.go @@ -0,0 +1,21 @@ +package main + +import ( + "testing" + + dc "github.com/chef/automate/api/config/deployment" + "github.com/chef/automate/lib/io/fileutils" + "github.com/chef/toml" + "github.com/stretchr/testify/assert" +) + +func TestRunDecodePasswordCmd(t *testing.T) { + runDecodePasswordCmd(cmd, []string{CONFIG_PATH + "/config_externaldb.toml"}) + tomlbyte, _ := fileutils.ReadFile(CONFIG_PATH + "/config_externaldb.toml") + configString := string(tomlbyte) + var config dc.AutomateConfig + toml.Decode(configString, &config) + assert.Equal(t, "admin", config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value) + assert.Equal(t, "admin", config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value) + assert.Equal(t, "admin", config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value) +} \ No newline at end of file diff --git a/components/automate-cli/cmd/chef-automate/encode_password.go b/components/automate-cli/cmd/chef-automate/encode_password.go new file mode 100644 index 00000000000..c9a5f8f94b9 --- /dev/null +++ b/components/automate-cli/cmd/chef-automate/encode_password.go 
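Review bot: Decode failures are handled two different ways inside `runDecodePasswordCmd`: a PostgreSQL password that is not valid base64 aborts the command with `decErr`, while an OpenSearch password that is not valid base64 is silently left in place (`if err == nil && decodedPassword != ""`), so the file is rewritten with one field decoded and the other still encoded and the caller gets exit 0. The read error from `fileutils.ReadFile` is also discarded on the `// nosemgrep` line, and a missing file returns nil without touching anything. The `decodeString` helper the hunk already defines is only used in the OpenSearch branches; routing all four fields through one small helper that returns the error makes the behaviour uniform and flattens the nesting. `cobra.ExactArgs(1)` already guarantees `len(args) > 0`, so the outer checks can go, and the `--config` flag is registered but never read.
```go
// decodeField replaces *field with its base64-decoded form; an empty value is left as is.
func decodeField(field *string) error {
	if *field == "" {
		return nil
	}
	decoded, err := decodeString(*field)
	if err != nil {
		return err
	}
	*field = decoded
	return nil
}

// … in runDecodePasswordCmd each of the four branches becomes the same two lines, e.g.:
if err := decodeField(&config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value); err != nil {
	return err
}
```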
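Review bot: `TestRunDecodePasswordCmd` discards the error from `runDecodePasswordCmd`, and the committed fixture `config_externaldb.toml` (added later in this commit) holds the plaintext value `"admin"`, which is not valid base64 (its length is not a multiple of four), so the command returns at the PostgreSQL superuser branch before writing anything and the three assertions then pass against the untouched fixture — the test never exercises a decode. Run the encode step first on a copy of the fixture, or commit a fixture whose values are already `"YWRtaW4="`, and check the return: `assert.NoError(t, runDecodePasswordCmd(cmd, []string{path}))`. `cmd` and `CONFIG_PATH` are defined in encode_password_test.go, so this file cannot be read on its own; a `t.TempDir()` copy of the fixture per test also removes the ordering dependency between the two files.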
@@ -0,0 +1,94 @@ +package main + +import ( + "encoding/base64" + + dc "github.com/chef/automate/api/config/deployment" + "github.com/chef/automate/components/automate-cli/pkg/docs" + "github.com/chef/automate/lib/io/fileutils" + "github.com/chef/toml" + "github.com/spf13/cobra" +) + +var encodePasswordCmdFlags = struct { + config string +}{} + +var encodePasswordCmd = &cobra.Command{ + Use: "encode-password [/path/to/config.toml]", + Short: "Encodes the password fields", + Long: "Encodes the password fields in the specified config.toml file", + RunE: runEncodePasswordCmd, + Args: cobra.ExactArgs(1), + Hidden: true, + Annotations: map[string]string{ + docs.Tag: docs.BastionHost, + }, +} + +func init() { + RootCmd.AddCommand(encodePasswordCmd) + encodePasswordCmd.PersistentFlags().StringVarP( + &encodePasswordCmdFlags.config, + "config", + "c", + "", + "Config file that needs to be updated with encoded passwords") + +} + +func runEncodePasswordCmd(cmd *cobra.Command, args []string) error { + if len(args) > 0 { + configFile := args[0] + if len(configFile) > 0 { + if checkIfFileExist(configFile) { + tomlbyte, _ := fileutils.ReadFile(configFile) // nosemgrep + configString := string(tomlbyte) + var config dc.AutomateConfig + if _, err := toml.Decode(configString, &config); err != nil { + return err + } + if config.Global != nil && config.Global.V1 != nil && config.Global.V1.External != nil { + if config.Global.V1.External.Postgresql != nil && config.Global.V1.External.Postgresql.Auth != nil && config.Global.V1.External.Postgresql.Auth.Password != nil { + if config.Global.V1.External.Postgresql.Auth.Password.Superuser != nil && config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password != nil { + superUserPassword := config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value + if superUserPassword != "" { + superUserPassword = base64.StdEncoding.EncodeToString([]byte(superUserPassword)) + 
config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value = superUserPassword + } + } + if config.Global.V1.External.Postgresql.Auth.Password.Dbuser != nil && config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password != nil { + dbUserPassword := config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value + if dbUserPassword != "" { + dbUserPassword = base64.StdEncoding.EncodeToString([]byte(dbUserPassword)) + config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value = dbUserPassword + } + } + } + if config.Global.V1.External.Opensearch != nil && config.Global.V1.External.Opensearch.Auth != nil && config.Global.V1.External.Opensearch.Auth.Scheme != nil { + if config.Global.V1.External.Opensearch.Auth.Scheme.Value == "basic_auth" && config.Global.V1.External.Opensearch.Auth.BasicAuth != nil && config.Global.V1.External.Opensearch.Auth.BasicAuth.Password != nil { + userPassword := config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value + if userPassword != "" { + userPassword = base64.StdEncoding.EncodeToString([]byte(userPassword)) + config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value = userPassword + } + }else if config.Global.V1.External.Opensearch.Auth.Scheme.Value == "aws_os" && config.Global.V1.External.Opensearch.Auth.AwsOs != nil && config.Global.V1.External.Opensearch.Auth.AwsOs.Password != nil { + userPassword := config.Global.V1.External.Opensearch.Auth.AwsOs.Password.Value + if userPassword != "" { + userPassword = base64.StdEncoding.EncodeToString([]byte(userPassword)) + config.Global.V1.External.Opensearch.Auth.AwsOs.Password.Value = userPassword + } + } + + } + _, err := fileutils.CreateTomlFileFromConfig(&config, configFile) + if err != nil { + return err + } + + } + } + } + } + return nil +} \ No newline at end of file 
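Review bot: `runEncodePasswordCmd` returns nil both when the file does not exist (`checkIfFileExist` false) and when `fileutils.ReadFile` fails (the error is dropped on the `// nosemgrep` line), so the provisioning script that calls `chef-automate encode-password` later in this commit cannot tell a successful rewrite from a no-op. Read the file once with its error, `tomlbyte, err := fileutils.ReadFile(configFile)` / `if err != nil { return err }`, and return an error for the missing-file case instead of falling through. The `--config` flag is registered but never consulted (the path comes from `args[0]`), `cobra.ExactArgs(1)` already makes the `len(args) > 0` check redundant, and `}else if` is not gofmt output. The four branches repeat the same three lines; a helper mirroring the decode side (encode when non-empty, write back) would keep the two commands symmetric.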
diff --git a/components/automate-cli/cmd/chef-automate/encode_password_test.go b/components/automate-cli/cmd/chef-automate/encode_password_test.go new file mode 100644 index 00000000000..6041a1594b2 --- /dev/null +++ b/components/automate-cli/cmd/chef-automate/encode_password_test.go @@ -0,0 +1,27 @@ +package main + +import ( + "testing" + + dc "github.com/chef/automate/api/config/deployment" + "github.com/chef/automate/lib/io/fileutils" + "github.com/chef/toml" + "github.com/spf13/cobra" + "github.com/stretchr/testify/assert" +) + +const CONFIG_PATH = "../../pkg/testfiles/onprem" + +var cmd = &cobra.Command{} + +func TestRunEncodePasswordCmd(t *testing.T) { + runEncodePasswordCmd(cmd, []string{CONFIG_PATH + "/config_externaldb.toml"}) + tomlbyte, _ := fileutils.ReadFile(CONFIG_PATH + "/config_externaldb.toml") + configString := string(tomlbyte) + var config dc.AutomateConfig + toml.Decode(configString, &config) + assert.Equal(t, "YWRtaW4=", config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value) + assert.Equal(t, "YWRtaW4=", config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value) + assert.Equal(t, "YWRtaW4=", config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value) + runDecodePasswordCmd(cmd, []string{CONFIG_PATH + "/config_externaldb.toml"}) +} \ No newline at end of file diff --git a/components/automate-cli/cmd/chef-automate/pullAndGenerateConfig.go b/components/automate-cli/cmd/chef-automate/pullAndGenerateConfig.go index 736ff8e2800..1175c7e3f6e 100644 --- a/components/automate-cli/cmd/chef-automate/pullAndGenerateConfig.go +++ b/components/automate-cli/cmd/chef-automate/pullAndGenerateConfig.go @@ -1,6 +1,7 @@ package main import ( + "encoding/base64" "encoding/json" "errors" "fmt" 
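Review bot: `TestRunEncodePasswordCmd` rewrites the committed fixture in place and depends on the trailing `runDecodePasswordCmd` call to restore it, while ignoring the return values of both commands as well as of `ReadFile` and `toml.Decode`; any failure between the two calls leaves the repository file encoded, and `TestRunDecodePasswordCmd` in the sibling file then runs against whatever state was left. Copy the fixture into `t.TempDir()` at the top and run both commands on the copy, asserting each return with `assert.NoError(t, ...)`, which also removes the need for the restore call. The package-level `cmd` and `CONFIG_PATH` declared here are used from decode_password_test.go, so they belong in a shared test helper file rather than this one.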
@@ -21,6 +22,9 @@ import ( ) const GET_OS_PASSWORD = "sudo HAB_LICENSE=accept-no-persist hab pkg exec chef/automate-platform-tools secrets-helper show userconfig.os_password" +const GET_AWS_OS_PASSWORD = "sudo HAB_LICENSE=accept-no-persist hab pkg exec chef/automate-platform-tools secrets-helper show userconfig.aws_os_password" +const GET_PG_SUPERUSER_PASSWORD = "sudo HAB_LICENSE=accept-no-persist hab pkg exec chef/automate-platform-tools secrets-helper show userconfig.pg_superuser_password" +const GET_PG_DBUSER_PASSWORD = "sudo HAB_LICENSE=accept-no-persist hab pkg exec chef/automate-platform-tools secrets-helper show userconfig.pg_dbuser_password" const AUTOMATE_HA_WORKSPACE_GOOGLE_SERVICE_FILE = "/hab/a2_deploy_workspace/googleServiceAccount.json" type ConfigKeys struct { @@ -540,7 +544,7 @@ func (p *PullConfigsImpl) fetchInfraConfig(removeUnreachableNodes bool) (*Existi sharedConfigToml.ExternalDB.Database.Opensearch.AWS.OsUserAccessKeyId = externalOsDetails.AWS.OsUserAccessKeyId sharedConfigToml.ExternalDB.Database.Opensearch.AWS.OsUserAccessKeySecret = externalOsDetails.AWS.OsUserAccessKeySecret } - externalPgDetails := getExternalPGDetails(a2ConfigMap) + externalPgDetails, err := p.getExternalPGDetails(a2ConfigMap) if externalPgDetails != nil { sharedConfigToml.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserName = externalPgDetails.PostgreSQLDBUserName sharedConfigToml.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserPassword = externalPgDetails.PostgreSQLDBUserPassword 
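Review bot: In the fetchInfraConfig hunk, `externalPgDetails, err := p.getExternalPGDetails(a2ConfigMap)` assigns the new error but the following line tests only `externalPgDetails != nil`, so an SSH or secrets-helper failure — the case the new error return was added for — is dropped and the pulled config silently carries an empty, base64-of-empty password. The same unchecked call appears in the fetchAwsConfig hunk further down this page. If `err` already exists in this scope, the `:=` also shadows it rather than reusing it. Add the check directly after the call: `if err != nil {` / `return nil, err` / `}` (the function's result shape is cut off in the hunk header; adjust if it returns more). Both enclosing functions continue outside their hunks.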
@@ -701,20 +705,19 @@ func findCommonPath(path1, path2 string) (common, unique1, unique2 string) { return } -func (p *PullConfigsImpl) getOSpassword() (string, error) { +func (p *PullConfigsImpl) getPasswordFromSecretHelper(pwdConfigValue string) (string, error) { for _, ip := range p.infra.Outputs.AutomatePrivateIps.Value { if stringutils.SliceContains(p.exceptionIps, ip) { continue } p.sshUtil.getSSHConfig().hostIP = ip - rawOutput, err := p.sshUtil.connectAndExecuteCommandOnRemote(GET_OS_PASSWORD, true) + rawOutput, err := p.sshUtil.connectAndExecuteCommandOnRemote(pwdConfigValue, true) if err != nil { return "", err } return strings.TrimSpace(rawOutput), nil } return "", nil - } func (p *PullConfigsImpl) getExternalOpensearchDetails(a2ConfigMap map[string]*dc.AutomateConfig, dbType string) (*ExternalOpensearchToml, error) { @@ -731,9 +734,19 @@ func (p *PullConfigsImpl) getExternalOpensearchDetails(a2ConfigMap map[string]*d if ele.Global.V1.External.Opensearch != nil && ele.Global.V1.External.Opensearch.Auth != nil && ele.Global.V1.External.Opensearch.Auth.AwsOs != nil { + var osPwd string + if ele.Global.V1.External.Opensearch.Auth.AwsOs.Password != nil && ele.Global.V1.External.Opensearch.Auth.AwsOs.Password.Value != "" { + osPwd = ele.Global.V1.External.Opensearch.Auth.AwsOs.Password.Value + } else { + osPass, err := p.getPasswordFromSecretHelper(GET_AWS_OS_PASSWORD) + if err != nil { + return nil, status.Wrap(err, status.ConfigError, "unable to fetch Opensearch password") + } + osPwd = osPass + } return setExternalOpensearchDetails(ele.Global.V1.External.Opensearch.Nodes[0].Value, ele.Global.V1.External.Opensearch.Auth.AwsOs.Username.Value, - ele.Global.V1.External.Opensearch.Auth.AwsOs.Password.Value, + base64.StdEncoding.EncodeToString([]byte(osPwd)), ele.Global.V1.External.Opensearch.Ssl.RootCert.Value, ele.Global.V1.External.Opensearch.Ssl.ServerName.Value, ele.Global.V1.External.Opensearch.Auth.AwsOs.AccessKey.Value, 
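Review bot: `pwdConfigValue` misdescribes what `getPasswordFromSecretHelper` now receives: every caller passes one of the new `GET_*_PASSWORD` constants, a complete sudo command line that is executed over SSH on the first reachable Automate node. Name it for what it is and document the contract, including the `"", nil` result when no node is reachable, which callers then base64-encode into an empty password without noticing: `// getPasswordFromSecretHelper runs secretsCmd (one of the GET_*_PASSWORD commands) on the first reachable Automate node and returns its trimmed output; it returns "", nil when no node is reachable.` above `func (p *PullConfigsImpl) getPasswordFromSecretHelper(secretsCmd string) (string, error) {`. In the getExternalOpensearchDetails hunk on this line the chosen password is wrapped in `base64.StdEncoding.EncodeToString` before reaching setExternalOpensearchDetails; a short comment stating that the pulled config stores passwords base64-encoded to match `encode-password` would stop the next reader from treating the field as plaintext. The same wrapping recurs in the two small hunks that follow and in getExternalPGDetails.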
@@ -742,7 +755,7 @@ func (p *PullConfigsImpl) getExternalOpensearchDetails(a2ConfigMap map[string]*d ), nil } } else if dbType == TYPE_SELF_MANAGED { - osPass, err := p.getOSpassword() + osPass, err := p.getPasswordFromSecretHelper(GET_OS_PASSWORD) if err != nil { return nil, status.Wrap(err, status.ConfigError, "unable to fetch Opensearch password") } @@ -751,7 +764,7 @@ func (p *PullConfigsImpl) getExternalOpensearchDetails(a2ConfigMap map[string]*d ele.Global.V1.External.Opensearch.Auth.BasicAuth != nil { return setExternalOpensearchDetails(ele.Global.V1.External.Opensearch.Nodes[0].Value, ele.Global.V1.External.Opensearch.Auth.BasicAuth.Username.Value, - osPass, + base64.StdEncoding.EncodeToString([]byte(osPass)), ele.Global.V1.External.Opensearch.Ssl.RootCert.Value, ele.Global.V1.External.Opensearch.Ssl.ServerName.Value, "", 
@@ -783,22 +796,41 @@ func setExternalOpensearchDetails(instanceUrl, superUserName, superPassword, roo } } -func getExternalPGDetails(a2ConfigMap map[string]*dc.AutomateConfig) *ExternalPostgreSQLToml { +func (p *PullConfigsImpl) getExternalPGDetails(a2ConfigMap map[string]*dc.AutomateConfig) (*ExternalPostgreSQLToml, error) { for _, ele := range a2ConfigMap { if ele.Global.V1.External.Postgresql.Nodes != nil && ele.Global.V1.External.Postgresql.Auth.Password.Superuser != nil && ele.Global.V1.External.Postgresql.Auth.Password.Dbuser != nil { + var spwd, dpwd string + if ele.Global.V1.External.Postgresql.Auth.Password.Superuser.Password != nil && ele.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value != "" { + spwd = ele.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value + } else { + supwd, err := p.getPasswordFromSecretHelper(GET_PG_SUPERUSER_PASSWORD) + if err != nil { + return nil, status.Wrap(err, status.ConfigError, "unable to fetch Postgres superuser password") + } + spwd = supwd + } + if ele.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password != nil && ele.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value != "" { + dpwd = ele.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value + } else { + dbpwd, err := p.getPasswordFromSecretHelper(GET_PG_DBUSER_PASSWORD) + if err != nil { + return nil, status.Wrap(err, status.ConfigError, "unable to fetch Postgres Dbuser password") + } + dpwd = dbpwd + } return setExternalPGDetails( ele.Global.V1.External.Postgresql.Nodes[0].Value, ele.Global.V1.External.Postgresql.Auth.Password.Superuser.Username.Value, - ele.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value, + base64.StdEncoding.EncodeToString([]byte(spwd)), ele.Global.V1.External.Postgresql.Auth.Password.Dbuser.Username.Value, - ele.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value, + base64.StdEncoding.EncodeToString([]byte(dpwd)), 
ele.Global.V1.External.Postgresql.Ssl.RootCert.Value, - ) + ), nil } } - return nil + return nil, nil } func setExternalPGDetails(instanceUrl, superUserName, superUserPassword, dBUserName, dBUserPassword, rootCerts string) *ExternalPostgreSQLToml { @@ -1003,7 +1035,7 @@ func (p *PullConfigsImpl) fetchAwsConfig(removeUnreachableNodes bool) (*AwsConfi sharedConfigToml.Aws.Config.OsUserAccessKeyId = externalOsDetails.AWS.OsUserAccessKeyId sharedConfigToml.Aws.Config.OsUserAccessKeySecret = externalOsDetails.AWS.OsUserAccessKeySecret } - externalPgDetails := getExternalPGDetails(a2ConfigMap) + externalPgDetails, err := p.getExternalPGDetails(a2ConfigMap) if externalPgDetails != nil { sharedConfigToml.Aws.Config.RDSDBUserName = externalPgDetails.PostgreSQLDBUserName sharedConfigToml.Aws.Config.RDSDBUserPassword = externalPgDetails.PostgreSQLDBUserPassword diff --git a/components/automate-cli/pkg/testfiles/onprem/config_externaldb.toml b/components/automate-cli/pkg/testfiles/onprem/config_externaldb.toml new file mode 100644 index 00000000000..6ac1e391c38 --- /dev/null +++ b/components/automate-cli/pkg/testfiles/onprem/config_externaldb.toml @@ -0,0 +1,18 @@ +[global] + [global.v1] + [global.v1.external] + [global.v1.external.postgresql] + [global.v1.external.postgresql.auth] + [global.v1.external.postgresql.auth.password] + [global.v1.external.postgresql.auth.password.superuser] + username = "admin" + password = "admin" + [global.v1.external.postgresql.auth.password.dbuser] + username = "admin" + password = "admin" + [global.v1.external.opensearch] + [global.v1.external.opensearch.auth] + scheme = "basic_auth" + [global.v1.external.opensearch.auth.basic_auth] + username = "admin" + password = "admin" diff --git a/terraform/a2ha-terraform/modules/automate/files/config.toml.erb b/terraform/a2ha-terraform/modules/automate/files/config.toml.erb index 72f6e5c0cd7..d7af4b1300d 100644 --- a/terraform/a2ha-terraform/modules/automate/files/config.toml.erb 
+++ b/terraform/a2ha-terraform/modules/automate/files/config.toml.erb @@ -29,7 +29,7 @@ scheme = "basic_auth" [global.v1.external.opensearch.auth.basic_auth] username = "<%= svc_configs[:opensearch]['opensearch_auth']['admin_username'] -%>" - password = "<%= svc_configs[:opensearch]['opensearch_auth']['admin_password'] -%>" + password = "<%= encode_string(svc_configs[:opensearch]['opensearch_auth']['admin_password']) -%>" [global.v1.external.opensearch.ssl] <% if overrides[:opensearch_custom_certs_enabled] == true -%> server_name = "<%= cn(svc_configs[:opensearch]['tls']['ssl_cert']) -%>" @@ -2679,11 +2679,11 @@ rM2p0kk= [global.v1.external.postgresql.auth.password.superuser] username = "<%= svc_configs[:postgresql]['superuser']['name'] -%>" - password = "<%= svc_configs[:postgresql]['superuser']['password'] -%>" + password = "<%= encode_string(svc_configs[:postgresql]['superuser']['password']) -%>" [global.v1.external.postgresql.auth.password.dbuser] username = "<%= svc_configs[:postgresql]['superuser']['name'] -%>" - password = "<%= svc_configs[:postgresql]['superuser']['password'] -%>" + password = "<%= encode_string(svc_configs[:postgresql]['superuser']['password']) -%>" [global.v1.external.postgresql.backup] enable = true diff --git a/terraform/a2ha-terraform/modules/automate/templates/provision.sh.tpl b/terraform/a2ha-terraform/modules/automate/templates/provision.sh.tpl index 85254011dc7..ea9beb62467 100644 --- a/terraform/a2ha-terraform/modules/automate/templates/provision.sh.tpl +++ b/terraform/a2ha-terraform/modules/automate/templates/provision.sh.tpl 
@@ -330,10 +330,11 @@ wait_for_backend_ctl mkdir -p /etc/chef-automate timestamp=$(date +"%Y%m%d%H%M%S") +config="/etc/chef-automate/config.toml" export timestamp -[ -e "/etc/chef-automate/config.toml" ] && cp -f /etc/chef-automate/config.toml /etc/chef-automate/config.toml.$timestamp -mv ${tmp_path}/automate_conf.toml /etc/chef-automate/config.toml +[ -e "/etc/chef-automate/config.toml" ] && cp -f $config /etc/chef-automate/config.toml.$timestamp +mv ${tmp_path}/automate_conf.toml $config chmod 0600 /etc/chef-automate/config.toml* rm ${automate_custom_config} @@ -392,11 +393,11 @@ if [ -e "/hab/user/deployment-service/config/user.toml" ]; then chef-automate upgrade run --airgap-bundle ${frontend_aib_file} wait_for_upgrade - + chef-automate decode-password $config # Below command is commented as patch is not required during upgrade and add/remove node # Also when it is being applied, it was reverting patched configs (automate) to the older ones - echo "Applying /etc/chef-automate/config.toml" - chef-automate config patch /etc/chef-automate/config.toml + echo "Applying $config" + chef-automate config patch $config echo "MAINTENANCE MODE OFF" chef-automate maintenance off @@ -406,9 +407,11 @@ else # Skip checks for the hab user as we create and manage that separately. # Fixes issues when the hab user/group is setup via LDAP in nsswitch configs. export CHEF_AUTOMATE_SKIP_HAB_USER=true - chef-automate deploy /etc/chef-automate/config.toml $DEPLOY_BUNDLES --accept-terms-and-mlsa | grep --line-buffered -v "\┤\|\┘\|\└\|\┴\|\├\|\┌\|\┬\|\┴\|\┐" + chef-automate decode-password $config + chef-automate deploy $config $DEPLOY_BUNDLES --accept-terms-and-mlsa | grep --line-buffered -v "\┤\|\┘\|\└\|\┴\|\├\|\┌\|\┬\|\┴\|\┐" fi +chef-automate encode-password $config create_bootstrap_bundle save_space
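Review bot: The exit status of `chef-automate decode-password $config` is never examined on either path (the upgrade hunk and the fresh-deploy hunk), so if decoding fails the script proceeds to `config patch` / `deploy` with still-encoded passwords; unless the script runs under `set -e`, which is not visible here, guard it: `chef-automate decode-password "$config" || { echo "decode-password failed"; exit 1; }`. The trailing `chef-automate encode-password $config` runs unconditionally on every provisioning run, and base64 re-encodes an already-encoded value without complaint, so a re-run that skipped or failed the decode step leaves a double-encoded file that no later decode can repair. Both commands rewrite the file after the `chmod 0600` in the first hunk; whether the rewrite preserves that mode depends on CreateTomlFileFromConfig, so re-applying `chmod 0600 "$config"` after `encode-password` is cheap insurance while the file holds credentials in either form. Quoting `$config` in the new cp/mv lines is worth doing while they are touched.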