Merge "Deleting non-used dependecy on the secret with s3-admin"

2025-09-23 19:15:46 +00:00
parent eed4908b39 fef3d19e95
commit 8438bf34f7
7 changed files with 23 additions and 45 deletions
--- a/elasticsearch/templates/bin/_create_s3_buckets.sh.tpl
+++ b/elasticsearch/templates/bin/_create_s3_buckets.sh.tpl
@@ -31,8 +31,6 @@ function modify_bucket_acl () {
  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
 }

-ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
-
 {{- $envAll := . }}
 {{- range $bucket := .Values.storage.s3.buckets }}

--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -401,7 +401,6 @@ network_policy:

 secrets:
  rgw:
-    admin: radosgw-s3-admin-creds
    elasticsearch: elasticsearch-s3-user-creds
  elasticsearch:
    user: elasticsearch-user-secrets
@@ -919,7 +918,7 @@ storage:
    #       # endpoint: Defaults to the ceph-rgw endpoint
    #       # protocol: Defaults to http
    #       path_style_access: true # Required for ceph-rgw S3 API
-    #     create_user: true # Attempt to create the user at the ceph_object_store endpoint, authenticating using the secret named at .Values.secrets.rgw.admin
+    #     create_user: true # Attempt to create the user at the ceph_object_store endpoint
    #   backup:
    #     auth:
    #       username: elasticsearch
--- a/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -86,9 +86,6 @@ spec:
            - -c
            - /tmp/create-s3-bucket.sh
          env:
-{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
-{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
-{{- end }}
 {{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
          volumeMounts:
            - name: pod-tmp
--- a/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -104,9 +104,6 @@ spec:
            - -c
            - /tmp/create-s3-user.sh
          env:
-{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
-{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
-{{- end }}
 {{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
            - name: RGW_HOST
              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
--- a/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
+++ b/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -1,35 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-{{- define "helm-toolkit.scripts.create_s3_bucket" }}
-#!/bin/bash
-set -e
-CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
-if [ "$RGW_PROTO" = "http" ]; then
-  CONNECTION_ARGS+=" --no-ssl"
-else
-  CONNECTION_ARGS+=" --no-check-certificate"
-fi
-ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
-USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
-function check_rgw_s3_bucket () {
-  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
-}
-function create_rgw_s3_bucket () {
-  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
-}
-function modify_bucket_acl () {
-  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
-}
-check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
-{{- end }}
--- a/releasenotes/notes/elasticsearch-ba314935c85c3b25.yaml
+++ b/releasenotes/notes/elasticsearch-ba314935c85c3b25.yaml
@@ -0,0 +1,7 @@
+---
+elasticsearch:
+  - |
+    Elasticsearch job responsible for creation of s3 user and bucket
+    required a secret radosgw-s3-admin-creds to be created,
+    but its data wasn't used. Getting rid of this.
+...
--- a/releasenotes/notes/helm-toolkit-5fa68b35be3378b3.yaml
+++ b/releasenotes/notes/helm-toolkit-5fa68b35be3378b3.yaml
@@ -0,0 +1,15 @@
+---
+helm-toolkit:
+  - |
+    Removing non-used script which allows to create bucket using admin user.
+    Actually any user can do this and there is better script which is
+    utilized by elasticsearch chart:
+    elasticsearch/templates/bin/_create_s3_buckets.sh.tpl
+    The only requirement is - to create the user.
+    Also, removing S3_ADMIN_<> env vars from job manifests
+    (see helm-toolkit.snippets.rgw_s3_admin_env_vars)
+    because those vars are not used by actual scripts.
+    We now use ceph.conf and keyring to create a user.
+    ceph.conf and keyring can be provisioned by either
+    ceph chart or ceph-adapter-rook chart.
+...