secrets-tool command for bootstrapping database.
This additional secrets-tool command can be used to run the database bootsrapping script (`script/database_setup.py`) inside an ATAT docker container against the Azure database. It sources the necessary keys from Key Vault.
This commit is contained in:
dandds
@@ -15,7 +15,7 @@ With both usernames and passwords generated, the application only needs to make
|
||||
Ex.
|
||||
```
|
||||
{
|
||||
'postgres_root_user': 'EzTEzSNLKQPHuJyPdPloIDCAlcibbl',
|
||||
'postgres_root_user': 'EzTEzSNLKQPHuJyPdPloIDCAlcibbl',
|
||||
'postgres_root_password': "2+[A@E4:C=ubb/#R#'n<p|wCW-|%q^"
|
||||
}
|
||||
```
|
||||
@@ -30,6 +30,40 @@ Terraform typically expects user defined secrets to be stored in either a file,
|
||||
|
||||
This provides a number of security benefits. First, secrets are not on disk. Secondly, users/operators never see the secrets fly by (passerbys or voyeurs that like to look over your shoulder when deploying to production)
|
||||
|
||||
## Setting up the initial ATAT database
|
||||
|
||||
This handles bootstrapping the ATAT database with a user, schema, and initial data.
|
||||
|
||||
It does the following:
|
||||
|
||||
- Sources the Postgres root user credentials
|
||||
- Source the Postgres ATAT user password
|
||||
- Runs a script inside an ATAT docker container to set up the initial database user, schema, and seed data in the database
|
||||
|
||||
Requirements:
|
||||
|
||||
- docker
|
||||
- A copy of the ATAT docker image. This can be built in the repo root with: `docker build . --build-arg CSP=azure -f ./Dockerfile -t atat:latest`
|
||||
- You need to know the hostname for the Postgres database. Your IP must either be whitelisted in its firewall rules or you must be behind the VPN.
|
||||
- There should be a password for the ATAT database user in the application Key Vault, preferably named `PGPASSWORD`. You can load this by running `secrets-tool --keyvault [operator key vault url] load -f postgres-user.yml` and supplying YAML like:
|
||||
|
||||
```
|
||||
---
|
||||
- PGPASSWORD:
|
||||
type: 'password'
|
||||
length: 30
|
||||
```
|
||||
|
||||
This command takes a lot of arguments. Run `secrets-tool database --keyvault [operator key vault url] provision -- help` to see the full list of available options.
|
||||
|
||||
The command supplies some defaults by assuming you've followed the patterns in sample-secrets.yml and elsewhere.
|
||||
|
||||
An example would be:
|
||||
|
||||
```
|
||||
secrets-tool database --keyvault [operator key vault URL] provision --app-keyvault [application key vault URL] --dbname jedidev-atat --dbhost [database host name] --ccpo-users /full/path/to/users.yml
|
||||
```
|
||||
|
||||
# Setup
|
||||
|
||||
*Requirements*
|
||||
@@ -76,4 +110,4 @@ secrets-tool secrets --keyvault https://operator-dev-keyvault.vault.azure.net/ l
|
||||
This will fetch all secrets from the keyvault specified. `secrets-tool` then converts the keys to a variable name that terraform will look for. Essentially it prepends the keys found in KeyVault with `TF_VAR` and then executes terraform as a subprocess with the injected environment variables.
|
||||
```
|
||||
secrets-tool terraform --keyvault https://operator-dev-keyvault.vault.azure.net/ plan
|
||||
```
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user