Fix Solr Auth Binding #29
Changes from all commits
edb4012
4215780
062a2ed
f131250
7743719
25e2a70
b041d78
19032f9
9430105
4153ba8
a005fb7
5b592cc
e814a05
b476a03
7760f0b
c44ea71
8784d1f
736fe2d
d4c4e96
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -50,3 +50,4 @@ examples.json | |
tee | ||
.ash_history | ||
.terraform.d/ | ||
terraform/provision/.cache |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -3,33 +3,48 @@ | |
set -e | ||
|
||
CURRENT_CONTEXT=$(kubectl config current-context) | ||
SOLR_CLUSTER_CA_CERTIFICATE=$(kubectl config view --raw -o json | jq -r '.clusters[]| select(.name | contains("'${CURRENT_CONTEXT}'")) .cluster["certificate-authority-data"]') | ||
SOLR_TOKEN=$(kubectl get secret $( kubectl get serviceaccount default -n default -o json | jq -r '.secrets[0].name' ) -n default -o json | jq -r .data.token) | ||
CURRENT_CLUSTER=$(kubectl config view --raw -o json | jq -r '.contexts[]| select(.name | contains("'"${CURRENT_CONTEXT}"'")) .context.cluster') | ||
CURRENT_USER=$(kubectl config view --raw -o json | jq -r '.contexts[]| select(.name | contains("'"${CURRENT_CONTEXT}"'")) .context.user') | ||
SOLR_CLUSTER_CA_CERTIFICATE=$(kubectl config view --raw -o json | jq -r '.clusters[]| select(.name | contains("'"${CURRENT_CLUSTER}"'")) .cluster["certificate-authority-data"]') | ||
SOLR_TOKEN=$(echo -n `kubectl config view --raw -o json | jq -r '.users[]| select(.name | contains("'"${CURRENT_USER}"'")) .user["token"]'` | base64 -w 0) | ||
SOLR_SERVER=$(kubectl config view --raw -o json | jq -r '.clusters[]| select(.name | contains("'"${CURRENT_CLUSTER}"'")) .cluster["server"]') | ||
|
||
# We need the Docker-internal control plane URL to be resolved for the CSB | ||
# when running in a container | ||
SOLR_DOCKER_SERVER=$(kind get kubeconfig --internal --name=$(kind get clusters | grep datagov-broker-test) | grep server | cut -d ' ' -f 6-) | ||
SOLR_DOMAIN_NAME=${SOLR_DOMAIN_NAME:-ing.local.domain} | ||
|
||
# We need the localhost control plan URL to be used for direct access when we | ||
# work outside the CSB | ||
SOLR_LOCALHOST_SERVER=$(kind get kubeconfig --name=$(kind get clusters | grep datagov-broker-test) | grep server | cut -d ' ' -f 6-) | ||
if [[ "${CURRENT_CLUSTER}" == "kind-datagov-broker-test" ]]; then | ||
# If the test cluster is in KinD we need the CSB to use | ||
# a control plane URL resolvable from inside the CSB Docker container | ||
CURRENT_USER=kind-datagov-broker-test | ||
SOLR_CP_SERVER=$(kind get kubeconfig --internal --name="$(kind get clusters | grep datagov-broker-test)" | grep server | cut -d ' ' -f 6-) | ||
SOLR_TOKEN=$(kubectl get secret $(kubectl get secrets | grep -oh "default-token-[a-z]*\s") -o json | jq .data.token | tr -d '"') | ||
if [[ "$SOLR_TOKEN" == "null" ]]; then | ||
# The format of the secret is different if there are more than one token associated with a secret. | ||
# The first token works reliably | ||
SOLR_TOKEN=$(kubectl get secret $(kubectl get secrets | grep -oh "default-token-[a-z]*\s") -o json | jq .items[0].data.token | tr -d '"') | ||
fi | ||
else | ||
# Otherwise it's the same as the normal server control plane URL | ||
SOLR_CP_SERVER=${SOLR_SERVER} | ||
fi | ||
Comment on lines
5
to
+28
Set up repo to cooperate with either a KiND cluster or real EKS cluster. |
||
|
||
# Generate the environment variables needed for configuring the CSB running in Docker | ||
echo SOLR_SERVER=${SOLR_DOCKER_SERVER} > .env | ||
echo SOLR_TOKEN=${SOLR_TOKEN} >> .env | ||
echo SOLR_CLUSTER_CA_CERTIFICATE=${SOLR_CLUSTER_CA_CERTIFICATE} >> .env | ||
echo SOLR_NAMESPACE=default >> .env | ||
echo SOLR_DOMAIN_NAME=ing.local.domain >> .env | ||
cat > .env << HEREDOC | ||
SOLR_SERVER=${SOLR_CP_SERVER} | ||
SOLR_TOKEN=${SOLR_TOKEN} | ||
SOLR_CLUSTER_CA_CERTIFICATE=${SOLR_CLUSTER_CA_CERTIFICATE} | ||
SOLR_NAMESPACE=default | ||
SOLR_DOMAIN_NAME=${SOLR_DOMAIN_NAME} | ||
HEREDOC | ||
|
||
# Generate terraform.tfvars needed for mucking about directly with terraform/provision | ||
cat > terraform/provision/terraform.tfvars << HEREDOC | ||
server="${SOLR_LOCALHOST_SERVER}" | ||
server="${SOLR_CP_SERVER}" | ||
token="${SOLR_TOKEN}" | ||
cluster_ca_certificate="${SOLR_CLUSTER_CA_CERTIFICATE}" | ||
namespace="default" | ||
domain_name="ing.local.domain" | ||
domain_name="${SOLR_DOMAIN_NAME}" | ||
replicas=3 | ||
solrImageTag="8.6" | ||
solrImageTag="8.11" | ||
solrJavaMem="-Xms300m -Xmx300m" | ||
cloud_name="example" | ||
solrCpu="1000m" | ||
|
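Review bot: The five `kubectl config view … | jq` lookups that now derive CURRENT_CLUSTER, CURRENT_USER, the CA certificate, the token and the server all select with `contains(...)` on a name spliced into the jq program, so any kubeconfig entry whose name merely contains the current context, cluster or user name also matches, and the CA or token written to `.env` can then belong to a different cluster or user (or be several values joined by newlines). Match exactly and pass the name as data, e.g. `SOLR_SERVER=$(kubectl config view --raw -o json | jq -r --arg n "$CURRENT_CLUSTER" '.clusters[] | select(.name == $n) | .cluster.server')`. Outside the KinD branch the token lookup is never checked for `null`, so a kubeconfig user with no static `token` field would appear to produce the base64 of the string "null"; the `== "null"` test exists only inside the KinD branch. Because the script then writes a bearer token and CA data into `.env` and `terraform/provision/terraform.tfvars`, a `umask 077` right after `set -e` would keep those files from being created group- or world-readable.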
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -70,23 +70,20 @@ resource "null_resource" "manage_solr_user" { | |
# Can't reuse containers because they are left in an unpredictable state after a single run | ||
# Wait for the command to run before deleting the container | ||
command = <<-EOF | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) run temp1 --image=curlimages/curl -- \ | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) exec ${self.triggers.cloud_name}-solrcloud-0 -- curl \ | ||
|
||
-s -f -L \ | ||
-o /dev/null \ | ||
-w "%%{http_code}\n" \ | ||
--user admin:$${ADMIN_PASSWORD} \ | ||
'http://${self.triggers.cloud_name}-solrcloud-common/solr/admin/authentication' \ | ||
-H 'Content-type:application/json' --data "$CREATE_USER_JSON" | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) run temp2 --image=curlimages/curl -- \ | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) exec ${self.triggers.cloud_name}-solrcloud-0 -- curl \ | ||
-s -f -L \ | ||
-o /dev/null \ | ||
-w "%%{http_code}\n" \ | ||
--user admin:$${ADMIN_PASSWORD} \ | ||
'http://${self.triggers.cloud_name}-solrcloud-common/solr/admin/authorization' \ | ||
-H 'Content-type:application/json' --data "$SET_ROLE_JSON" | ||
sleep 10 | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) delete pod temp2 | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) delete pod temp1 | ||
EOF | ||
} | ||
|
||
|
@@ -103,23 +100,20 @@ resource "null_resource" "manage_solr_user" { | |
# Can't reuse containers because they are left in an unpredictable state after a single run | ||
# Wait for the command to run before deleting the container | ||
command = <<-EOF | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) run temp1 --image=curlimages/curl -- \ | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) exec ${self.triggers.cloud_name}-solrcloud-0 -- curl \ | ||
-s -f -L \ | ||
-o /dev/null \ | ||
-w "%%{http_code}\n" \ | ||
--user admin:$ADMIN_PASSWORD \ | ||
'http://${self.triggers.cloud_name}-solrcloud-common/solr/admin/authorization' \ | ||
-H 'Content-type:application/json' --data "$CLEAR_ROLE_JSON" | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) run temp2 --image=curlimages/curl -- \ | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) exec ${self.triggers.cloud_name}-solrcloud-0 -- curl \ | ||
-s -f -L \ | ||
-o /dev/null \ | ||
-w "%%{http_code}\n" \ | ||
--user admin:$ADMIN_PASSWORD \ | ||
'http://${self.triggers.cloud_name}-solrcloud-common/solr/admin/authentication' \ | ||
-H 'Content-type:application/json' --data "$DELETE_USER_JSON" | ||
sleep 10 | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) delete pod temp2 | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) delete pod temp1 | ||
EOF | ||
} | ||
|
||
|
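Review bot: Both `kubectl … exec ${self.triggers.cloud_name}-solrcloud-0 -- curl` calls in the first hunk, and the two in the `@@ -103,23 +100,20 @@` hunk, still pass `--user admin:…` and the `--data` JSON as command arguments, so the Solr admin password travels in the exec request to the API server (where request URIs can be captured by audit logging) and can be visible as a process argument inside the Solr container while curl runs. curl can read these from standard input instead, e.g. `printf 'user = "admin:%s"\n' "$ADMIN_PASSWORD" | kubectl … exec -i … -- curl -K - …`, which keeps the secret out of argv. The exec calls also carry no `-n` flag, so they depend on the kubeconfig's default namespace being the one Solr was deployed into; that should be confirmed. The retained comments about not reusing containers and waiting before deleting them no longer describe the code now that the temporary pods are gone. The resource body starts and ends outside both hunks.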
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -26,7 +26,7 @@ resource "helm_release" "solrcloud" { | |
name = local.cloud_name | ||
chart = "solr" | ||
repository = "https://solr.apache.org/charts" | ||
namespace = data.kubernetes_namespace.namespace.id | ||
namespace = var.namespace | ||
cleanup_on_fail = true | ||
atomic = true | ||
wait = true | ||
|
@@ -45,6 +45,7 @@ resource "helm_release" "solrcloud" { | |
"replicas" = var.replicas # How many replicas you want | ||
"solrOptions.javaMemory" = var.solrJavaMem # How much memory to give each replica | ||
"solrOptions.security.authenticationType" = "Basic" | ||
"ingressOptions.annotations.nginx\\.ingress\\.kubernetes\\.io/proxy-body-size" = "999m" | ||
Port update from earlier release, 574336a#diff-ba41f8c4953fba843cf840ae370b5681502661992bf51cede0ea49d92187a6aeR45 |
||
} | ||
content { | ||
name = set.key | ||
|
@@ -64,7 +65,7 @@ resource "helm_release" "solrcloud" { | |
} | ||
command = <<-EOF | ||
sleep 30 | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) wait --for=condition=ready --timeout=3600s -n ${data.kubernetes_namespace.namespace.id} pod -l solr-cloud=${local.cloud_name} | ||
kubectl --kubeconfig <(echo $KUBECONFIG | base64 -d) wait --for=condition=ready --timeout=3600s -n ${var.namespace} pod -l solr-cloud=${local.cloud_name} | ||
EOF | ||
} | ||
|
||
|
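Review bot: In the `kubectl … wait` line of the last hunk, `-n ${var.namespace}` now places a raw input variable into the shell text of what is presumably a local-exec command, where the previous `data.kubernetes_namespace.namespace.id` could only be the name of a namespace the provider had already looked up. Unless `var.namespace` carries a `validation` block (its declaration is not shown here), a value containing whitespace or shell metacharacters would be interpreted by the shell. Passing it through the provisioner's `environment` map and writing `-n "$NAMESPACE"` keeps it as data; the provisioner block starts outside the hunk, so whether an `environment` map is already present there needs checking. The `proxy-body-size` annotation of `999m` added in the second hunk would also benefit from a comment stating why request bodies that large need to reach Solr through the ingress.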
Use the new image with curl for tests.