Merge pull request #49 from marklogic/feature/CLD-568

pengzhouml · web-flow · commit 5a22f575fcd2 · 2022-12-01T09:21:07.000-08:00
CLD-568: Use Random Password for Admin
diff --git a/README.md b/README.md
@@ -1,5 +1,6 @@
 # MarkLogic Kubernetes Helm Chart
 
+- [MarkLogic Kubernetes Helm Chart](#marklogic-kubernetes-helm-chart)
 - [Introduction](#introduction)
 - [Prerequisites](#prerequisites)
   - [Set Up the Required Tools](#set-up-the-required-tools)
@@ -17,6 +18,11 @@
   - [Configuration Options](#configuration-options)
     - [--values](#--values)
     - [--set](#--set)
+    - [Setting MarkLogic admin password](#setting-marklogic-admin-password)
+    - [Log Collection](#log-collection)
+  - [Adding and Removing Hosts from Clusters](#adding-and-removing-hosts-from-clusters)
+    - [Adding Hosts](#adding-hosts)
+    - [Removing Hosts](#removing-hosts)
 - [Access the MarkLogic Server](#access-the-marklogic-server)
   - [Service](#service)
     - [Get the ClusterIP Service Name](#get-the-clusterip-service-name)
@@ -221,6 +227,22 @@ helm install my-release marklogic/marklogic --version=1.0.0-ea1 \
 
 We recommend that you use the `values.yaml` file for configuring your installation.
 
+### Setting MarkLogic admin password
+
+If the password does not provided when installing the MarkLogic Chart, a randomly generated aphanumeric value will be set for MarkLogic admin password. This value is stored in Kuberenetes secrets. 
+User can also set a custom password by setting auth.adminPassword value during installation.
+To retrieve the randomly generated admin password, use the following commands:
+
+1. List the secrets for MarkLogic deployment:
+```
+kubectl get secrets
+```
+Identify the name of the secret.
+
+2. Save the secret name from step 1 and get the admin password using the following script:
+```
+kubectl get secret SECRET_NAME -o jsonpath='{.data.marklogic-password}' | base64 --decode
+```
 ### Log Collection
 
 To enable log collection for all Marklogic logs set logCollection.enabled to true. Set each option in logCollection.files to true of false depending on if you want to track each type of Marklogic log file.
diff --git a/charts/templates/secret.yaml b/charts/templates/secret.yaml
@@ -1,11 +1,18 @@
+{{- $adminPassword := (default (randAlphaNum 10) .Values.auth.adminPassword) | b64enc | quote }}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-admin" (include "marklogic.fullname" .))) }}
+{{- if $secret }}
+{{- $adminPassword = index $secret.data "password" }}
+{{- end }}
+
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "marklogic.fullname" . }}
+  name: {{ include "marklogic.fullname" . }}-admin
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "marklogic.labels" . | nindent 4 }}
 type: kubernetes.io/basic-auth
-stringData:
-  username: {{ .Values.auth.adminUsername}}
-  password: {{ .Values.auth.adminPassword}}
+data:
+    password: {{ $adminPassword }}
+    username: {{ .Values.auth.adminUsername | b64enc | quote }}
+
diff --git a/charts/templates/statefulset.yaml b/charts/templates/statefulset.yaml
@@ -72,12 +72,12 @@ spec:
         - name: MARKLOGIC_ADMIN_USERNAME
           valueFrom:
             secretKeyRef:
-              name: {{ include "marklogic.fullname" . }}
+              name: {{ include "marklogic.fullname" . }}-admin
               key: username
         - name: MARKLOGIC_ADMIN_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: {{ include "marklogic.fullname" . }}
+              name: {{ include "marklogic.fullname" . }}-admin
               key: password
         - name: POD_NAME
           valueFrom:
@@ -100,13 +100,13 @@ spec:
           env:
             - name: MARKLOGIC_ADMIN_USERNAME
               valueFrom:
-                secretKeyRef:
-                  name: {{ include "marklogic.fullname" . }}
-                  key: username
+                  secretKeyRef:
+                    name: {{ include "marklogic.fullname" . }}-admin
+                    key: username
             - name: MARKLOGIC_ADMIN_PASSWORD
               valueFrom:
                   secretKeyRef:
-                    name: {{ include "marklogic.fullname" . }}
+                    name: {{ include "marklogic.fullname" . }}-admin
                     key: password
             - name: MARKLOGIC_GROUP
               value: {{ .Values.group.name }}
diff --git a/charts/values.yaml b/charts/values.yaml
@@ -50,7 +50,7 @@ fullnameOverride: ""
 # Configure Marklogic Admin Username and Password
 auth:
   adminUsername: admin
-  adminPassword: admin
+  adminPassword: ""
 
 # Configure Affinity property for scheduling pods to nodes
 # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
diff --git a/test/e2e/install_test.go b/test/e2e/install_test.go
@@ -15,6 +15,7 @@ import (
 	http_helper "github.com/gruntwork-io/terratest/modules/http-helper"
 	"github.com/gruntwork-io/terratest/modules/k8s"
 	"github.com/gruntwork-io/terratest/modules/random"
+	"github.com/stretchr/testify/assert"
 	"github.com/tidwall/gjson"
 	digestAuth "github.com/xinsnake/go-http-digest-auth-client"
 )
@@ -27,8 +28,6 @@ func TestHelmInstall(t *testing.T) {
 	}
 	imageRepo, repoPres := os.LookupEnv("dockerRepository")
 	imageTag, tagPres := os.LookupEnv("dockerVersion")
-	username := "admin"
-	password := "admin"
 	var resp *http.Response
 	var body []byte
 	var err error
@@ -52,8 +51,6 @@ func TestHelmInstall(t *testing.T) {
 			"replicaCount":          "2",
 			"image.repository":      imageRepo,
 			"image.tag":             imageTag,
-			"auth.adminUsername":    username,
-			"auth.adminPassword":    password,
 			"logCollection.enabled": "false",
 		},
 	}
@@ -72,16 +69,15 @@ func TestHelmInstall(t *testing.T) {
 	podName := releaseName + "-marklogic-0"
 	// wait until the pod is in Ready status
 	k8s.WaitUntilPodAvailable(t, kubectlOptions, podName, 10, 15*time.Second)
-	tunnel := k8s.NewTunnel(
-		kubectlOptions, k8s.ResourceTypePod, podName, 7997, 7997)
-	defer tunnel.Close()
-	tunnel.ForwardPort(t)
-	endpoint := fmt.Sprintf("http://%s", tunnel.Endpoint())
-	t.Logf(`Endpoint: %s`, endpoint)
+	tunnel7997 := k8s.NewTunnel(kubectlOptions, k8s.ResourceTypePod, podName, 7997, 7997)
+	defer tunnel7997.Close()
+	tunnel7997.ForwardPort(t)
+	endpoint7997 := fmt.Sprintf("http://%s", tunnel7997.Endpoint())
 
+	// verify if 7997 health check endpoint returns 200
 	http_helper.HttpGetWithRetryWithCustomValidation(
 		t,
-		endpoint,
+		endpoint7997,
 		&tlsConfig,
 		10,
 		15*time.Second,
@@ -90,12 +86,34 @@ func TestHelmInstall(t *testing.T) {
 		},
 	)
 
-	tunnel8002 := k8s.NewTunnel(
-		kubectlOptions, k8s.ResourceTypePod, podName, 8002, 8002)
+	t.Log("====Testing Generated Random Password====")
+	secretName := releaseName + "-marklogic-admin"
+	secret := k8s.GetSecret(t, kubectlOptions, secretName)
+	passwordArr := secret.Data["password"]
+	password := string(passwordArr[:])
+	// the generated random password should have length of 10
+	assert.Equal(t, 10, len(password))
+	usernameArr := secret.Data["username"]
+	username := string(usernameArr[:])
+	expectedUsername := "admin"
+	// the username from secret expected to be "admin"
+	assert.Equal(t, expectedUsername, username)
+
+	tunnel8002 := k8s.NewTunnel(kubectlOptions, k8s.ResourceTypePod, podName, 8002, 8002)
 	defer tunnel8002.Close()
 	tunnel8002.ForwardPort(t)
+	endpointManage := fmt.Sprintf("http://%s/manage/v2", tunnel8002.Endpoint())
+
+	request := digestAuth.NewRequest(username, password, "GET", endpointManage, "")
+	response, err := request.Execute()
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+	defer response.Body.Close()
+	// the generated password should be able to access the manage endpoint
+	assert.Equal(t, 200, response.StatusCode)
 
-	// Verify no groups beyond enode were created/modified
+	t.Log("====Verify no groups beyond enode were created/modified====")
 	groupStatusEndpoint := fmt.Sprintf("http://%s/manage/v2/groups?format=json", tunnel8002.Endpoint())
 	groupStatus := digestAuth.NewRequest(username, password, "GET", groupStatusEndpoint, "")
 	t.Logf(`groupStatusEndpoint: %s`, groupStatusEndpoint)
diff --git a/test/e2e/upgrade_test.go b/test/e2e/upgrade_test.go
@@ -13,6 +13,7 @@ import (
 	http_helper "github.com/gruntwork-io/terratest/modules/http-helper"
 	"github.com/gruntwork-io/terratest/modules/k8s"
 	"github.com/gruntwork-io/terratest/modules/random"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestHelmUpgrade(t *testing.T) {
@@ -56,6 +57,12 @@ func TestHelmUpgrade(t *testing.T) {
 	releaseName := "test-upgrade"
 	helm.Install(t, options, helmChartPath, releaseName)
 
+	// save the generated password from first installation
+	secretName := releaseName + "-marklogic-admin"
+	secret := k8s.GetSecret(t, kubectlOptions, secretName)
+	passwordArr := secret.Data["password"]
+	passwordAfterInstall := string(passwordArr[:])
+
 	newOptions := &helm.Options{
 		KubectlOptions: kubectlOptions,
 		SetValues: map[string]string{
@@ -92,4 +99,10 @@ func TestHelmUpgrade(t *testing.T) {
 			return statusCode == 200
 		},
 	)
+
+	t.Log("====Test password in secret should not change after upgrade====")
+	secret = k8s.GetSecret(t, kubectlOptions, secretName)
+	passwordArr = secret.Data["password"]
+	passwordAfterUpgrade := string(passwordArr[:])
+	assert.Equal(t, passwordAfterUpgrade, passwordAfterInstall)
 }
