From eba923a74e8d68520f1f09c403874a42ef4632b2 Mon Sep 17 00:00:00 2001 From: Stuart Douglas Date: Fri, 19 Jan 2024 13:09:40 +1100 Subject: [PATCH] Changes for the management console --- .../overlays/dev-template/kustomization.yaml | 1 + deploy/overlays/dev-template/rbac.yaml | 65 +++++++++++++++++++ java-components/management-console/pom.xml | 4 ++ .../management/watcher/InitialUserSetup.java | 56 +++++++++------- 4 files changed, 103 insertions(+), 23 deletions(-) create mode 100644 deploy/overlays/dev-template/rbac.yaml diff --git a/deploy/overlays/dev-template/kustomization.yaml b/deploy/overlays/dev-template/kustomization.yaml index 1d0e5f9c1..43dcc22a3 100644 --- a/deploy/overlays/dev-template/kustomization.yaml +++ b/deploy/overlays/dev-template/kustomization.yaml @@ -8,6 +8,7 @@ resources: - ../../operator/overlays/dev-template # - ../../console/overlays/dev-template - quota.yaml +- rbac.yaml patches: - path: config.yaml diff --git a/deploy/overlays/dev-template/rbac.yaml b/deploy/overlays/dev-template/rbac.yaml new file mode 100644 index 000000000..d78f0b9b0 --- /dev/null +++ b/deploy/overlays/dev-template/rbac.yaml @@ -0,0 +1,65 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: jbs-management + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: + - jvmbuildservice.io + resources: + - artifactbuilds + verbs: + - get + - list + - watch + - create + - patch + - update + - delete + - apiGroups: + - jvmbuildservice.io + resources: + - jbsconfigs + verbs: + - get + - list + - watch + - patch + - update + - apiGroups: + - tekton.dev + resources: + - taskruns/status + - pipelineruns/status + - taskruns/status + - pipelineruns/status + verbs: + - get + - list + - watch +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: jbs-management +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: jbs-management +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: jbs-management +subjects: + - kind: ServiceAccount + name: jbs-management +--- +apiVersion: v1 +kind: Secret +metadata: + name: jbs-management-secret + annotations: + kubernetes.io/service-account.name: jbs-management +type: kubernetes.io/service-account-token diff --git a/java-components/management-console/pom.xml b/java-components/management-console/pom.xml index 194721c0b..36f8b38f1 100644 --- a/java-components/management-console/pom.xml +++ b/java-components/management-console/pom.xml @@ -9,6 +9,10 @@ 999-SNAPSHOT management-console + + yyyyMMddHHmmss + ${maven.build.timestamp} + io.github.redhat-appstudio.jvmbuild diff --git a/java-components/management-console/src/main/java/com/redhat/hacbs/management/watcher/InitialUserSetup.java b/java-components/management-console/src/main/java/com/redhat/hacbs/management/watcher/InitialUserSetup.java index 07be589f4..f3d9d5124 100644 --- a/java-components/management-console/src/main/java/com/redhat/hacbs/management/watcher/InitialUserSetup.java +++ b/java-components/management-console/src/main/java/com/redhat/hacbs/management/watcher/InitialUserSetup.java @@ -7,6 +7,7 @@ import java.util.Objects; import jakarta.annotation.PostConstruct; +import jakarta.enterprise.inject.Instance; import jakarta.inject.Inject; import org.eclipse.microprofile.config.inject.ConfigProperty; @@ -32,43 +33,52 @@ public class InitialUserSetup { public static final String JBS_USER_SECRET = "jbs-user-secret"; @Inject - KubernetesClient kubernetesClient; + Instance kubernetesClient; @ConfigProperty(name = "kube.disabled", defaultValue = "false") boolean disabled; @PostConstruct public void setup() { - if ((LaunchMode.current() == LaunchMode.TEST - && !Objects.equals(System.getProperty(Config.KUBERNETES_NAMESPACE_SYSTEM_PROPERTY), "test")) || disabled) { - //don't start in tests, as kube might not be present - Log.warnf("Kubernetes client disabled so unable to initiate admin user setup"); - return; + String userName = "admin"; + String password = System.getenv("JBS_ADMIN_PASSWORD"); + if (password == null) { + if ((LaunchMode.current() == LaunchMode.TEST + && !Objects.equals(System.getProperty(Config.KUBERNETES_NAMESPACE_SYSTEM_PROPERTY), "test")) || disabled) { + //don't start in tests, as kube might not be present + Log.warnf("Kubernetes client disabled so unable to initiate admin user setup"); + return; + } + Secret secret = kubernetesClient.get().resources(Secret.class).withName(JBS_USER_SECRET).get(); + if (secret == null) { + var sr = new SecureRandom(); + byte[] data = new byte[21]; + sr.nextBytes(data); + var pw = Base64.getEncoder().encodeToString(data); + secret = new Secret(); + secret.setMetadata(new ObjectMeta()); + secret.getMetadata().setName(JBS_USER_SECRET); + secret.setData(Map.of("username", Base64.getEncoder().encodeToString("admin".getBytes(StandardCharsets.UTF_8)), + "password", Base64.getEncoder().encodeToString(pw.getBytes(StandardCharsets.UTF_8)))); + kubernetesClient.get().resource(secret).create(); + } + userName = new String(Base64.getDecoder().decode(secret.getData().get("username")), StandardCharsets.UTF_8); + password = new String(Base64.getDecoder().decode(secret.getData().get("password")), StandardCharsets.UTF_8); + } else { + Log.infof("Initial user set in JBS_ADMIN_PASSWORD"); } - Secret secret = kubernetesClient.resources(Secret.class).withName(JBS_USER_SECRET).get(); - if (secret == null) { - var sr = new SecureRandom(); - byte[] data = new byte[21]; - sr.nextBytes(data); - var pw = Base64.getEncoder().encodeToString(data); - secret = new Secret(); - secret.setMetadata(new ObjectMeta()); - secret.getMetadata().setName(JBS_USER_SECRET); - secret.setData(Map.of("username", Base64.getEncoder().encodeToString("admin".getBytes(StandardCharsets.UTF_8)), - "password", Base64.getEncoder().encodeToString(pw.getBytes(StandardCharsets.UTF_8)))); - kubernetesClient.resource(secret).create(); - } - var userName = new String(Base64.getDecoder().decode(secret.getData().get("username")), StandardCharsets.UTF_8); - var password = new String(Base64.getDecoder().decode(secret.getData().get("password")), StandardCharsets.UTF_8); + var u = userName; + var p = password; User user = User.find("username", userName).firstResult(); if (user == null) { + Log.infof("Creating initial user"); QuarkusTransaction.requiringNew().run(new Runnable() { @Override public void run() { User user = new User(); - user.username = userName; - user.pass = BcryptUtil.bcryptHash(password); + user.username = u; + user.pass = BcryptUtil.bcryptHash(p); user.persistAndFlush(); } });