Create default passwords when dev mode is set. #441

[cmoulliard]

• Add new parameter to enable/disable: dev mode
• Set the default password for gitea
• [Feature] Have a --dev parameter able to configure gitea and argocd with default: username/password #441

[cmoulliard]

Question: Is it the best place to add the code able to generate a new password (= developer) when devMode is enabled -

idpbuilder/pkg/controllers/localbuild/argo.go

Line 53 in 71fefc7

if result, err := argocd.Install(ctx, resource, r.Client, r.Scheme, r.Config); err != nil {

? @nabuskey

[nabuskey]

Yeah after install() comes back with no errors.

[cmoulliard]

If what I did cannot work, we have 2 options:

• Create an Argocd PR to propose to use password instead of generating one usng a new parameter --dev or --insecure-password or --dev-password`
  OR
• Add to our project the 2 Kube secrets (argocd-secret and argocd-initial-admin-secret) with content populated and where we set the property adminAccount.Enabled to false

[nabuskey]

I am still not sure if the flag name is what we want to go with.

Is proving static password the only thing needed for dev mode? Does it describe what it does? If we add more config changes for dev mode in the future, do we want to provide ways to control each change?

If the names I proposed in the issue are too long, can we get away with a short flag?

I do like the idea of having a static default passwords for sure.

[cmoulliard]

Is proving static password the only thing needed for dev mode? Does it describe what it does? If we add more config changes for dev mode in the future, do we want to provide ways to control each change?

If we continue to develop idpbuilder, having a devMode help a lot as we do for quarkus devMode able to launch testcontainers: backstage, DB, argocd, gitea, etc and where developers can access many information using dev UI - https://quarkus.io/guides/dev-mode-differences#dev-mode-features :-)

[cmoulliard]

If the names I proposed in the issue are too long, can we get away with a short flag?

Let's review that later when we have a PR which is working as --dev is short, enough to test the PR

[cmoulliard]

I do like the idea of having a static default passwords for sure.

I will make a try to see if that works

[cmoulliard]

Apparently, we should be (to be investigated of course) to set the accounts directly within the argocd secret as discussed here: argoproj/argo-cd#4096 (comment)

I was able to play with a user developer where I installed or customized some resources.

RBAC

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    p, role:developer, applications, *, *, allow
    g, developer, role:developer

ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd
data:
  accounts.developer: apiKey, login
  application.resourceTrackingMethod: annotation
  resource.exclusions: |
    - kinds:
        - ProviderConfigUsage
      apiGroups:
        - "*"
  timeout.reconciliation: 60s

As the following secret is created on the flight by argocd when admin.enabled and generate an admin password using bcrypt, we should find a way to patch it with the developer password

Argocd Secret

apiVersion: v1
kind: Secret
metadata:
  labels:
    app.kubernetes.io/name: argocd-secret
    app.kubernetes.io/part-of: argocd
  name: argocd-secret
  namespace: argocd
type: Opaque
data:
  accounts.developer.password: JDJhJDEwJEYwakhFSmJMYTEvREQzWUZsOWtxN2U0TUZXUXdDclhZWXZNTXhYVXEwdGhVWWUuLi9WWUZL
  accounts.developer.passwordMtime: MjAyNC0xMS0xMlQwODo1NDoyNVo=
...

[cmoulliard]

The PR supports now to log on to the UI of Argocd using (developer/developer) with RBAC Applications - Admin or gitea (developer/developer)

Can you please review it ?
@nabuskey

[cmoulliard]

Apparently we cannot use for gitea developer/developer as we got such an error reported when we create a cluster

Nov 12 11:52:39 ERROR Reconciler error controller=gitrepository controllerGroup=idpbuilder.cnoe.io controllerKind=GitRepository name=argocd namespace=idpbuilder-dabou namespace=idpbuilder-dabou name=argocd reconcileID=1f80e800-276a-4b74-a868-b54ff4a26de5 err=creating repository: failed to create git repository: The repository with the same name already exists. 
Nov 12 11:52:39 ERROR Reconciler error controller=gitrepository controllerGroup=idpbuilder.cnoe.io controllerKind=GitRepository name=nginx namespace=idpbuilder-dabou namespace=idpbuilder-dabou name=nginx reconcileID=798effc7-600a-4035-8e39-eb8bcdcb79b3 err=creating repository: failed to create git repository: The repository with the same name already exists. 
Nov 12 11:52:39 ERROR Reconciler error controller=gitrepository controllerGroup=idpbuilder.cnoe.io controllerKind=GitRepository name=gitea namespace=idpbuilder-dabou namespace=idpbuilder-dabou name=gitea reconcileID=bbb8fbdd-2803-4904-b0c5-c680e2a9c0b9 err=creating repository: failed to create git repository: The repository with the same name already exists. 

I will then revert to the user giteaAdmin in the meantime

[nabuskey]

If you are having problems setting passwords on install, we can change them through APIs after install.

[nabuskey]

What's the purpose of having a separate account that has a very similar permissions as admin?

[cmoulliard]

This is an account for the developers and it only allows to handle applications

[nabuskey]

Can you tell me if this is inline with what you are thinking?

1. Use a random password for the developer and admin account if the dev password flag is unset.
2. Use a static, known password for the developer and admin account if the dev password flag is set.

[cmoulliard]

Option 2 => Use a known password for the developer and admin account if the dev password flag is set

[nabuskey]

Ok that sounds good to me. Looks like Gitea static password isn't working for some reason?

[cmoulliard]

Ok that sounds good to me. Looks like Gitea static password isn't working for some reason?

For gitea when using dev-mode, we should still use as user: giteaAdmin and password = developer

[nabuskey]

Since you are adding a user called developer to argocd, we may as well add the developer user in Gitea.

[nabuskey]

The reconciler has client already. You can just use that instead. e.g. r.Client.. You can also change passwords through ArgoCD api.

[cmoulliard]

You can also change passwords through ArgoCD api.

That will require to be done in a 2nd step while here the idea is to have the account developer/developer available when packages are installed too

[cmoulliard]

r.Client fixed. See: 7d81b27

[nabuskey]

You can also change passwords through ArgoCD api.

That will require to be done in a 2nd step while here the idea is to have the account developer/developer available when packages are installed too

Yeah I am starting to think we should set them through API for both Gitea and ArgoCD in every invocation of idpbuilder. Instead of relying on manifests.

[cmoulliard]

We should then (maybe) create some job(s) which are applied post installation of the core package like gitea or argocd and able to execute some additional steps based on parameters passed.

Until now, the first action could be to create a new user: developer able to log on using as user/pwd => developer/developer or idpbuilder/developer if the parameter passed is --dev-mode.

A second job could also patch existing resources if by example we pass a different DNS domain = --host

etc

[cmoulliard]

flag renamed from "dev" to "dev-mode". See: a8c3016

[nabuskey]

You can use server side apply instead here to simplify this process.

[cmoulliard]

Ok. I will review

[cmoulliard]

What do you mean by "server side" ? My code is similar to what we do here with the Gitea -

idpbuilder/pkg/controllers/localbuild/gitea.go

Line 189 in f31a08e

return r.Client.Patch(ctx, &u, client.Apply, client.ForceOwnership, client.FieldOwner(v1alpha1.FieldManager))

...

[nabuskey]

The way it's done in Gitea is server side apply. If you look further up, you'll see it's working with unstructured object to avoid having ownership of fields we do not care about. Sometimes we see errors like "object has been updated and version doesn't match". Server side apply avoids that.

This talks about it: https://eng.d2iq.com/blog/conflict-resolution-kubernetes-server-side-apply/

Here's where unstructured object is used:

idpbuilder/pkg/controllers/localbuild/gitea.go

Lines 163 to 166 in f31a08e

	u := unstructured.Unstructured{}
	u.SetName(giteaAdminSecret)
	u.SetNamespace(giteaNamespace)
	u.SetGroupVersionKind(corev1.SchemeGroupVersion.WithKind("Secret"))

Here's another example:

idpbuilder/pkg/util/util.go

Lines 78 to 86 in d14289a

	func ApplyAnnotation(ctx context.Context, kubeClient client.Client, obj client.Object, annotations map[string]string, opts ...client.PatchOption) error {
	// MUST be unstructured to avoid managing fields we do not care about.
	u := unstructured.Unstructured{}
	u.SetAnnotations(annotations)
	u.SetName(obj.GetName())
	u.SetNamespace(obj.GetNamespace())
	u.SetGroupVersionKind(obj.GetObjectKind().GroupVersionKind())
	return kubeClient.Patch(ctx, &u, client.Apply, opts...)
	}

[cmoulliard]

Fixed. See: 80a785b

[nabuskey]

These are already defined in other packages I think. Either export them or move them to globals or APIs

[cmoulliard]

Ok. I will review

[cmoulliard]

I removed 2 non used constants and others are non declared in another go file or package. See: 78e1e40

[nabuskey]

1. I am just not sold on the name dev mode. idpbuilder is primary used for development and testing purposes already. I think we should use more explicit name with a short flag.
2. Even if we accept dev mode, we shouldn't limit the flag name to just passwords. dev mode could mean a lot of different things. This should be a meta flag.

[cmoulliard]

1. idpbuilder is primary used for development and testing purposes already. I think we should use more explicit name with a short flag.

If this is the case, then we should install gitea and argocd using a non generated password ;-)

[cmoulliard]

2. Even if we accept dev mode, we shouldn't limit the flag name to just passwords. dev mode could mean a lot of different things. This should be a meta flag.

What about using the the parameter: --devPwd or --devPassword as boolean @nabuskey

[nabuskey]

I am ok with dev-pwd or dev-password since we use snake case for our flags. We can also have --dev-mode flag that is essentially a convenient flag that enables dev passwords and any other QOL stuff for dev purposes.

[cmoulliard]

Finally we aligned our paths => I will then use --dev-mode

[nabuskey]

To be clear, I meant to have two flags. (--dev-password OR --dev-pwd ) AND --dev-mode because we could enable other QOL features under --dev-mode other than static passwords.

[nabuskey]

I would rather not produce log messages in utility functions. Let's wrap the error instead. e.g. fmt.Errorf("Error creating kubernetes client: %w"

[cmoulliard]

ok

[cmoulliard]

Fixed with: 8158551

[cmoulliard]

I pushed a commit: 3c3511d to show the developer username/password @nabuskey

Remark: This code should be reviewed and improved as the secret containing the developer username/password is argocd-secret where the password has been bcrypted and by consequence we cannot get and decode it from the secret
This is why it has been included as such and will be displayed every time no matter if --dev-mode has been used or not

[nabuskey]

We can get the localbuild object from K8s since it's essentially our way of storing configurations. You added the DevMode field so you can just check the value. We should change that field name btw. devPassword makes sense. There's a typo: giteAdmin -> giteaAdmin

[cmoulliard]

We can get the localbuild object from K8s since it's essentially our way of storing configurations.

Yes but the flag --dev-mode or --dev-password is not passed at all to the command: idp get secrets and users will not like to perform such a command idp get secrets --dev-mode.

[nabuskey]

The more I think about it, I think it's cleaner to change passwords and add users post install. This enables flows like:

1. Create a cluster without specifying the static password flag. e.g. idpbuilder create
2. Run the same command except we specify the static password flag. idpbuilder create --dev-password

[cmoulliard]

The more I think about it, I think it's cleaner to change passwords and add users post install

I'm also in favor to go down that road as I mentioned also in a different comments where we could use job or something else able to perform additional config steps or let's say post install steps.

2 remarks:

• Such approach will nevertheless don't allow the user to watch directly using developr password the information avaialble from the web application using UI except if they use the generated password
• We should avoid to request to the user to re-apply the command idpbuilder create with additional flags as that will create confusion.
  A better approach would be to have a different command to install the packages and their config, execute some "actions" on a core package or package using a job, etc.
  Idea about such commands could be:
• idp package add <package_name> or <package1_name,package2_name2,etc>
• idp package execute <job1> // for the post-installation tasks:

[cmoulliard]

As the result about what I did and also what I discovered imply that finally we hack the existing code to support to generate a developer password, should we close it and come with a better solution as proposed here: #442 (comment)

WDYT ? @nabuskey

[nabuskey]

2 remarks:
Such approach will nevertheless don't allow the user to watch directly using developr password the information avaialble from the web application using UI except if they use the generated password
We should avoid to request to the user to re-apply the command idpbuilder create with additional flags as that will create confusion.
A better approach would be to have a different command to install the packages and their config, execute some "actions" on a core package or package using a job, etc.
Idea about such commands could be:
idp package add <package_name> or <package1_name,package2_name2,etc>
idp package execute // for the post-installation tasks:

What I meant was to do this in post-install (e.g. the core packages are ready) during the reconciliation loop. Essentially around here:

idpbuilder/pkg/controllers/localbuild/controller.go

Line 81 in 03559e6

go r.installCorePackages(instCtx, req, &localBuild, errChan)

Instead of using manifests to set initial passwords, change them to a known value if the dev password flag is set.

We should avoid to request to the user to re-apply the command idpbuilder create with additional flags as that will create confusion.

I agree with this. We should have a separate command to configure / reconfigure things.

package execute
This implies we need to create a configuration file for each package. I have been resisting the idea of creating yet another configuration file. Maybe we end up needing to create one because current approach of using argocd resource hooks is not too user friendly. BUT for this particular issue of setting static passwords, it's not necessary imo.