a8f6befc17
This additional secrets-tool command can be used to run the database bootsrapping script (`script/database_setup.py`) inside an ATAT docker container against the Azure database. It sources the necessary keys from Key Vault.
135 lines
3.4 KiB
Python
135 lines
3.4 KiB
Python
import os
|
|
import click
|
|
import logging
|
|
import subprocess
|
|
|
|
from utils.keyvault.secrets import SecretsClient
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
def _run_cmd(command):
|
|
try:
|
|
env = os.environ.copy()
|
|
with subprocess.Popen(
|
|
command, env=env, stdout=subprocess.PIPE, shell=True
|
|
) as proc:
|
|
for line in proc.stdout:
|
|
logging.info(line.decode("utf-8"))
|
|
except Exception as e:
|
|
print(e)
|
|
|
|
|
|
@click.group()
|
|
@click.option("--keyvault", required=True, help="Specify the keyvault to operate on")
|
|
@click.pass_context
|
|
def database(ctx, keyvault):
|
|
ctx.ensure_object(dict)
|
|
ctx.obj["keyvault"] = keyvault
|
|
|
|
|
|
# root password, root username
|
|
@click.command("provision")
|
|
@click.option(
|
|
"--app-keyvault",
|
|
"app_keyvault",
|
|
required=True,
|
|
help="The username for the new Postgres user.",
|
|
)
|
|
@click.option(
|
|
"--user-username",
|
|
"user_username",
|
|
default="atat",
|
|
required=True,
|
|
help="The username for the new Postgres user.",
|
|
)
|
|
@click.option(
|
|
"--user-password-key",
|
|
"user_password_key",
|
|
default="PGPASSWORD",
|
|
required=True,
|
|
help="The name of the user's password key in the specified vault.",
|
|
)
|
|
@click.option(
|
|
"--root-username-key",
|
|
"root_username_key",
|
|
default="postgres-root-user",
|
|
required=True,
|
|
help="The name of the user's password key in the specified vault.",
|
|
)
|
|
@click.option(
|
|
"--root-password-key",
|
|
"root_password_key",
|
|
default="postgres-root-password",
|
|
required=True,
|
|
help="The name of the user's password key in the specified vault.",
|
|
)
|
|
@click.option(
|
|
"--dbname",
|
|
"dbname",
|
|
required=True,
|
|
help="The name of the database the user will be given full access to.",
|
|
)
|
|
@click.option(
|
|
"--dbhost",
|
|
"dbhost",
|
|
required=True,
|
|
help="The name of the database the user will be given full access to.",
|
|
)
|
|
@click.option(
|
|
"--container",
|
|
"container",
|
|
default="atat:latest",
|
|
required=True,
|
|
help="The container to run the provisioning command in.",
|
|
)
|
|
@click.option(
|
|
"--ccpo-users",
|
|
"ccpo_users",
|
|
required=True,
|
|
help="The full path to a YAML file listing CCPO users to be seeded to the database.",
|
|
)
|
|
@click.pass_context
|
|
def provision(
|
|
ctx,
|
|
app_keyvault,
|
|
user_username,
|
|
user_password_key,
|
|
root_username_key,
|
|
root_password_key,
|
|
dbname,
|
|
dbhost,
|
|
container,
|
|
ccpo_users,
|
|
):
|
|
"""
|
|
Set up the initial ATAT database.
|
|
"""
|
|
logger.info("obtaining postgres root user credentials")
|
|
operator_keyvault = SecretsClient(vault_url=ctx.obj["keyvault"])
|
|
root_password = operator_keyvault.get_secret(root_password_key)
|
|
root_name = operator_keyvault.get_secret(root_username_key)
|
|
|
|
logger.info("obtaining postgres database user password")
|
|
app_keyvault = SecretsClient(vault_url=app_keyvault)
|
|
user_password = app_keyvault.get_secret(user_password_key)
|
|
|
|
logger.info("starting docker process")
|
|
|
|
cmd = (
|
|
f"docker run -e PGHOST={dbhost}"
|
|
+f" -e PGPASSWORD=\"{root_password}\""
|
|
+f" -e PGUSER='{root_name}@{dbhost}'"
|
|
+f" -e PGDATABASE=\"{dbname}\""
|
|
+f" -e REDIS_HOST=host.docker.internal"
|
|
+f" -e PGSSLMODE=require"
|
|
+f" -v {ccpo_users}:/opt/atat/atst/users.yml"
|
|
+f" {container}"
|
|
+f" .venv/bin/python script/database_setup.py {user_username} '{user_password}' users.yml"
|
|
)
|
|
print(cmd)
|
|
_run_cmd(cmd)
|
|
|
|
|
|
database.add_command(provision)
|