feat: default platform admin user (#1770)

Co-authored-by: jeho <[email protected]>
Co-authored-by: Sander Rodenhuis <[email protected]>

Author: 3 people

helmfile.d/snippets/env.gotmpl

@@ -50,7 +50,7 @@ environments:
     {{- end }}
   {{- end }}
 {{- end }}
-{{- if eq (exec "bash" (list "-c" "( test -f $ENV_DIR/env/secrets.users.yaml && echo 'true' ) || echo 'false'") | trim) "true" }}
+{{- if eq (exec "bash" (list "-c" (printf "( test -f $ENV_DIR/env/secrets.users.yaml%s && echo 'true' ) || echo 'false'" (default "" $ext))) | trim) "true" }}
       - {{ $ENV_DIR }}/env/secrets.users.yaml{{ $ext }}
 {{- end }}
 {{- if eq (exec "bash" (list "-c" "( test -f $ENV_DIR/env/secrets.settings.yaml && echo 'true' ) || echo 'false'") | trim) "true" }}

src/cmd/bootstrap.test.ts

@@ -279,7 +279,10 @@ describe('Bootstrapping values', () => {
         terminal,
         validateValues: jest.fn().mockReturnValue(true),
         writeValues: jest.fn(),
+        getUsers: jest.fn().mockReturnValue(usersWithPasswords),
         generatePassword: jest.fn().mockReturnValue(generatedPassword),
+        addInitialPasswords: jest.fn().mockReturnValue(usersWithPasswords),
+        addPlatformAdmin: jest.fn().mockReturnValue(usersWithPasswords),
       }
     })
     describe('Creating CA', () => {
@@ -361,7 +364,7 @@ describe('Bootstrapping values', () => {
         deps.loadYaml.mockReturnValue({ ...values, users })
         deps.getStoredClusterSecrets.mockReturnValue(secrets)
         deps.generateSecrets.mockReturnValue(generatedSecrets)
-        deps.generatePassword.mockReturnValue(generatedPassword)
+        deps.getUsers.mockReturnValue(usersWithPasswords)
         await processValues(deps)
         expect(deps.writeValues).toHaveBeenNthCalledWith(2, writtenValues)
       })

src/cmd/bootstrap.ts

@@ -196,6 +196,47 @@ export const getKmsValues = async (deps = { generateAgeKeys, hfValues }) => {
   return { kms: { sops: { provider: 'age', age: ageKeys } } }
 }
 
+export const addPlatformAdmin = (users: any[], domainSuffix: string) => {
+  const defaultPlatformAdminEmail = `platform-admin@${domainSuffix}`
+  const platformAdminExists = users.find((user) => user.email === defaultPlatformAdminEmail)
+  if (platformAdminExists) return
+  const platformAdmin = {
+    email: defaultPlatformAdminEmail,
+    firstName: 'platform',
+    lastName: 'admin',
+    isPlatformAdmin: true,
+    isTeamAdmin: false,
+    teams: [],
+  }
+  users.push(platformAdmin)
+}
+
+export const addInitialPasswords = (users: any[], deps = { generatePassword }) => {
+  for (const user of users) {
+    if (!user.initialPassword) {
+      user.initialPassword = deps.generatePassword({
+        length: 20,
+        numbers: true,
+        symbols: true,
+        lowercase: true,
+        uppercase: true,
+        exclude: String(':,;"/=|%\\\''),
+      })
+    }
+  }
+}
+
+export const getUsers = (originalInput: any, deps = { generatePassword, addInitialPasswords, addPlatformAdmin }) => {
+  const users = get(originalInput, 'users', []) as any[]
+  const { hasExternalIDP } = get(originalInput, 'otomi', {})
+  if (!hasExternalIDP) {
+    const { domainSuffix }: { domainSuffix: string } = get(originalInput, 'cluster', {})
+    deps.addPlatformAdmin(users, domainSuffix)
+  }
+  deps.addInitialPasswords(users)
+  return users
+}
+
 export const copyBasicFiles = async (
   deps = { copy, copyFile, copySchema, mkdir, pathExists, terminal },
 ): Promise<void> => {
@@ -254,7 +295,10 @@ export const processValues = async (
     generateSecrets,
     createK8sSecret,
     createCustomCA,
+    getUsers,
     generatePassword,
+    addInitialPasswords,
+    addPlatformAdmin,
   },
 ): Promise<Record<string, any> | undefined> => {
   const d = deps.terminal(`cmd:${cmdName}:processValues`)
@@ -295,19 +339,8 @@ export const processValues = async (
     cloneDeep(generatedSecrets),
     cloneDeep(kmsValues),
   )
-  // generate initial passwords for users if they don't have one
-  const users = get(originalInput, 'users', [])
-  for (const user of users) {
-    if (!user.initialPassword) {
-      user.initialPassword = deps.generatePassword({
-        length: 16,
-        numbers: true,
-        symbols: true,
-        lowercase: true,
-        uppercase: true,
-      })
-    }
-  }
+  // add default platform admin & generate initial passwords for users if they don't have one
+  const users = deps.getUsers(originalInput)
   // we have generated all we need, now store everything by merging the original values over all the secrets
   await deps.writeValues(merge(cloneDeep(allSecrets), cloneDeep(originalInput), cloneDeep({ users })))
   // and do some context dependent post processing:

src/cmd/commit.ts

@@ -1,3 +1,5 @@
+import { CoreV1Api, CustomObjectsApi, KubeConfig } from '@kubernetes/client-node'
+import retry from 'async-retry'
 import { bootstrapGit, setIdentity } from 'src/common/bootstrap'
 import { prepareEnvironment } from 'src/common/cli'
 import { encrypt } from 'src/common/crypt'
@@ -12,8 +14,6 @@ import { Argv } from 'yargs'
 import { $, cd } from 'zx'
 import { Arguments as DroneArgs } from './gen-drone'
 import { validateValues } from './validate-values'
-import { CoreV1Api, CustomObjectsApi, KubeConfig } from '@kubernetes/client-node'
-import retry from 'async-retry'
 
 const cmdName = getFilename(__filename)
 
@@ -184,31 +184,36 @@ export async function checkIfPipelineRunExists(): Promise<void> {
   d.info(`There is a Tekton PipelineRuns continuing...`)
 }
 
-async function createRootCredentialsSecret(credentials: { adminUsername: string; adminPassword: string }) {
-  const secretData = {
-    username: credentials.adminUsername,
-    password: credentials.adminPassword,
-  }
+async function createCredentialsSecret(secretName: string, username: string, password: string): Promise<void> {
+  const secretData = { username, password }
   const kc = new KubeConfig()
   kc.loadFromDefault()
   const coreV1Api = kc.makeApiClient(CoreV1Api)
-  await createGenericSecret(coreV1Api, 'root-credentials', 'default', secretData)
+  await createGenericSecret(coreV1Api, secretName, 'keycloak', secretData)
 }
 
 export const printWelcomeMessage = async (): Promise<void> => {
   const d = terminal(`cmd:${cmdName}:commit`)
   const values = (await hfValues()) as Record<string, any>
-  const credentials = values.apps.keycloak
-  await createRootCredentialsSecret({
-    adminUsername: credentials.adminUsername,
-    adminPassword: credentials.adminPassword,
-  })
+  const { adminUsername, adminPassword }: { adminUsername: string; adminPassword: string } = values.apps.keycloak
+  await createCredentialsSecret('root-credentials', adminUsername, adminPassword)
+  const { hasExternalIDP } = values.otomi
+  const { domainSuffix } = values.cluster
+  const defaultPlatformAdminEmail = `platform-admin@${domainSuffix}`
+  const platformAdmin = values.users.find((user: any) => user.email === defaultPlatformAdminEmail)
+  if (platformAdmin && !hasExternalIDP) {
+    const { email, initialPassword }: { email: string; initialPassword: string } = platformAdmin
+    await createCredentialsSecret('platform-admin-initial-credentials', email, initialPassword)
+  }
+  const secretName = hasExternalIDP ? 'root-credentials' : 'platform-admin-initial-credentials'
   const message = `
   ########################################################################################################################################
   #
-  #  Visit the console at: https://console.${values.cluster.domainSuffix}
-  #  Perform: kubectl get secret root-credentials -n default -o yaml
-  #  To obtain access credentials in base64 encoded format
+  #  The Application Platform console is available at https://console.${domainSuffix}
+  #
+  #  Obtain login credentials by using the below commands:
+  #      kubectl get secret ${secretName} -n keycloak -o jsonpath='{.data.username}' | base64 -d
+  #      kubectl get secret ${secretName} -n keycloak -o jsonpath='{.data.password}' | base64 -d
   #
   ########################################################################################################################################`
   d.info(message)

tests/bootstrap/input.yaml

@@ -1,16 +1,16 @@
 # Minimal values file with defaults
 cluster:
   k8sContext: CONTEXT_PLACEHOLDER
-  domainSuffix: my.localhost
+  domainSuffix: local.host
 otomi:
   version: 'main'
 apps:
   metrics-server:
     enabled: false
 users:
-  - email: platform@admin.local
-    firstName: platform
-    lastName: admin
-    isPlatformAdmin: true
+  - email: team-member@local.host
+    firstName: team-member
+    lastName: localhost
+    isPlatformAdmin: false
     isTeamAdmin: false
-    teams: []
+    teams: ['demo']

values/otomi-api/otomi-api.gotmpl

@@ -7,6 +7,7 @@
 {{- $sops := $v | get "kms.sops" dict }}
 {{- $giteaValuesUrl := printf "gitea.%s/otomi/values" $v.cluster.domainSuffix }}
 {{- $helmChartCatalog := printf "https://gitea.%s/otomi/charts.git" $v.cluster.domainSuffix }}
+{{- $defaultPlatformAdminEmail := printf "platform-admin@%s" $v.cluster.domainSuffix }}
 {{- $sopsEnv := tpl (readFile "../../helmfile.d/snippets/sops-env.gotmpl") $sops }}
 
 replicaCount: 1
@@ -24,6 +25,7 @@ secrets:
 
 env:
   HELM_CHART_CATALOG: {{ $helmChartCatalog }}
+  DEFAULT_PLATFORM_ADMIN_EMAIL: {{ $defaultPlatformAdminEmail }}
   DEBUG: 'otomi:*,-otomi:authz,-otomi:repo'
   VERBOSITY: '1'
   GIT_REPO_URL: {{ $o | get "git.repoUrl" $giteaValuesUrl }}

versions.yaml

@@ -1,5 +1,5 @@
-api: 3.0.0
-console: 3.0.0
+api: main
+console: main
 consoleLogin: v3.0.0
-tasks: 3.3.0
+tasks: main
 tools: 2.7.0