Merge "Deleting non-used dependecy on the secret with s3-admin"

2025-09-23 19:15:46 +00:00
parent eed4908b39 fef3d19e95
commit 8438bf34f7
7 changed files with 23 additions and 45 deletions
--- a/elasticsearch/templates/bin/_create_s3_buckets.sh.tpl
+++ b/elasticsearch/templates/bin/_create_s3_buckets.sh.tpl
@@ -31,8 +31,6 @@ function modify_bucket_acl () {
  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
 }
 ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
 {{- $envAll := . }}
 {{- range $bucket := .Values.storage.s3.buckets }}
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -401,7 +401,6 @@ network_policy:
 secrets:
  rgw:
    admin: radosgw-s3-admin-creds
    elasticsearch: elasticsearch-s3-user-creds
  elasticsearch:
    user: elasticsearch-user-secrets
@@ -919,7 +918,7 @@ storage:
    #       # endpoint: Defaults to the ceph-rgw endpoint
    #       # protocol: Defaults to http
    #       path_style_access: true # Required for ceph-rgw S3 API
-    #     create_user: true # Attempt to create the user at the ceph_object_store endpoint, authenticating using the secret named at .Values.secrets.rgw.admin
+    #     create_user: true # Attempt to create the user at the ceph_object_store endpoint
    #   backup:
    #     auth:
    #       username: elasticsearch
--- a/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -86,9 +86,6 @@ spec:
            - -c
            - /tmp/create-s3-bucket.sh
          env:
 {{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
 {{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
 {{- end }}
 {{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
          volumeMounts:
            - name: pod-tmp
--- a/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -104,9 +104,6 @@ spec:
            - -c
            - /tmp/create-s3-user.sh
          env:
 {{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
 {{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
 {{- end }}
 {{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
            - name: RGW_HOST
              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
--- a/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
+++ b/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -1,35 +0,0 @@
 {{/*
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 {{- define "helm-toolkit.scripts.create_s3_bucket" }}
 #!/bin/bash
 set -e
 CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
 if [ "$RGW_PROTO" = "http" ]; then
  CONNECTION_ARGS+=" --no-ssl"
 else
  CONNECTION_ARGS+=" --no-check-certificate"
 fi
 ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
 USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
 function check_rgw_s3_bucket () {
  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
 }
 function create_rgw_s3_bucket () {
  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
 }
 function modify_bucket_acl () {
  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
 }
 check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
 {{- end }}
--- a/releasenotes/notes/elasticsearch-ba314935c85c3b25.yaml
+++ b/releasenotes/notes/elasticsearch-ba314935c85c3b25.yaml
@@ -0,0 +1,7 @@
 ---
 elasticsearch:
  - |
    Elasticsearch job responsible for creation of s3 user and bucket
    required a secret radosgw-s3-admin-creds to be created,
    but its data wasn't used. Getting rid of this.
 ...
--- a/releasenotes/notes/helm-toolkit-5fa68b35be3378b3.yaml
+++ b/releasenotes/notes/helm-toolkit-5fa68b35be3378b3.yaml
@@ -0,0 +1,15 @@
 ---
 helm-toolkit:
  - |
    Removing non-used script which allows to create bucket using admin user.
    Actually any user can do this and there is better script which is
    utilized by elasticsearch chart:
    elasticsearch/templates/bin/_create_s3_buckets.sh.tpl
    The only requirement is - to create the user.
    Also, removing S3_ADMIN_<> env vars from job manifests
    (see helm-toolkit.snippets.rgw_s3_admin_env_vars)
    because those vars are not used by actual scripts.
    We now use ceph.conf and keyring to create a user.
    ceph.conf and keyring can be provisioned by either
    ceph chart or ceph-adapter-rook chart.
 ...