-
-
Save headconnect/f9e1ce508c253eda9dc0dadebaa9d807 to your computer and use it in GitHub Desktop.
Crazy wabbit.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
const fs = require('fs'); | |
const yaml = require('js-yaml'); | |
import * as pulumi from "@pulumi/pulumi"; | |
import * as azure from "@pulumi/azure-native"; | |
import * as k8s from "@pulumi/kubernetes"; | |
import * as crd from "../crds/nodejs"; | |
import * as random from "@pulumi/random"; | |
import {createHash, randomBytes} from 'crypto' | |
export const createRabbit = async (cluster : k8s.Provider, environment: any, helmRepos : { [index: string]: any }) => { | |
const rabbitPassHasher = (pass2hash : string, salt?: Buffer) => { | |
//let salt = Buffer.from([0x90,0x8D,0xC6,0x0A]) | |
if (salt) { | |
} else { | |
salt = randomBytes(32) | |
} | |
//console.log(salt) | |
//let concated = Buffer.concat([salt, Buffer.from("test12")]) | |
let pass = Buffer.from(pass2hash) | |
let concated : Buffer = Buffer.concat([salt, pass]) | |
let hash = createHash('sha256') | |
hash.write(concated) | |
let hashDigest = hash.digest() | |
return Buffer.concat([salt, hashDigest]).toString('base64') | |
} | |
const salt = Buffer.from([0xDE,0xAD,0xCA,0xFE]) | |
const rabbitUsers : { [index: string]: random.RandomPassword } = { | |
orchestratorclient: new random.RandomPassword("orchestratorclient", {length:32}), | |
orchestratoruser: new random.RandomPassword("orchestratoruser", {length:32}), | |
subscriptionuser: new random.RandomPassword("subscriptionuser", {length:32}), | |
orchestrator: new random.RandomPassword("orchestrator", {length:32}), | |
admin: new random.RandomPassword("admin", {length:32}), | |
producer: new random.RandomPassword("producer", {length:32}), | |
testreader: new random.RandomPassword("testreader", {length:32}) | |
} | |
/*** | |
* Just the first user password + the rest of the object so I don't have to repeat myself | |
*/ | |
let orchestratorclientLoadFile = rabbitUsers.orchestratorclient.result.apply(pass => { | |
return { | |
"rabbit_version": "3.8.14", | |
"users": [{ | |
"name": "orchestratorclient", | |
"password_hash": rabbitPassHasher(pass, salt), | |
"hashing_algorithm": "rabbit_password_hashing_sha256", | |
"tags": "" | |
}], | |
"vhosts": [{"name": "xyz"}, {"name": "/"}], | |
"permissions": [{ | |
"user": "admin", | |
"vhost": "/", | |
"configure": ".*", | |
"write": ".*", | |
"read": ".*" | |
}, { | |
"user": "admin", | |
"vhost": "xyz", | |
"configure": ".*", | |
"write": ".*", | |
"read": ".*" | |
}, { | |
"user": "subscriptionuser", | |
"vhost": "/", | |
"configure": ".*", | |
"write": ".*", | |
"read": ".*" | |
}, { | |
"user": "orchestratorclient", | |
"vhost": "xyz", | |
"configure": ".*", | |
"write": ".*", | |
"read": ".*" | |
}, { | |
"user": "testreader", | |
"vhost": "/", | |
"configure": "subscription|amq.*", | |
"write": "subscription", | |
"read": ".*" | |
}, { | |
"user": "orchestratoruser", | |
"vhost": "xyz", | |
"configure": ".*", | |
"write": ".*", | |
"read": ".*" | |
}, { | |
"user": "producer", | |
"vhost": "/", | |
"configure": ".*", | |
"write": ".*", | |
"read": ".*" | |
}, { | |
"user": "orchestrator", | |
"vhost": "xyz", | |
"configure": ".*", | |
"write": ".*", | |
"read": ".*" | |
}], | |
"topic_permissions": [{ | |
"user": "admin", | |
"vhost": "/", | |
"exchange": "", | |
"write": ".*", | |
"read": ".*" | |
}, { | |
"user": "producer", | |
"vhost": "/", | |
"exchange": "", | |
"write": ".*", | |
"read": ".*" | |
}] | |
} | |
}) | |
/** | |
* Now for the rest of the users | |
*/ | |
const orchestratoruserLoadfile = pulumi.all([orchestratorclientLoadFile, rabbitUsers.orchestratoruser.result]).apply(([loadfile, pass]) => { | |
loadfile.users.push({ | |
"name": "orchestratoruser", | |
"password_hash": rabbitPassHasher(pass, salt), | |
"hashing_algorithm": "rabbit_password_hashing_sha256", | |
"tags": "" | |
}) | |
return loadfile; | |
}) | |
const subscriptionuserLoadfile = pulumi.all([orchestratoruserLoadfile, rabbitUsers.subscriptionuser.result]).apply(([loadfile, pass]) => { | |
loadfile.users.push({ | |
"name": "subscriptionuser", | |
"password_hash": rabbitPassHasher(pass, salt), | |
"hashing_algorithm": "rabbit_password_hashing_sha256", | |
"tags": "" | |
}) | |
return loadfile; | |
}) | |
const orchestratorLoadfile = pulumi.all([subscriptionuserLoadfile, rabbitUsers.orchestrator.result]).apply(([loadfile, pass]) => { | |
loadfile.users.push({ | |
"name": "orchestrator", | |
"password_hash": rabbitPassHasher(pass, salt), | |
"hashing_algorithm": "rabbit_password_hashing_sha256", | |
"tags": "" | |
}) | |
return loadfile; | |
}) | |
const adminLoadfile = pulumi.all([orchestratorLoadfile, rabbitUsers.admin.result]).apply(([loadfile, pass]) => { | |
loadfile.users.push({ | |
"name": "admin", | |
"password_hash": rabbitPassHasher(pass, salt), | |
"hashing_algorithm": "rabbit_password_hashing_sha256", | |
"tags": "" | |
}) | |
return loadfile; | |
}) | |
const producerLoadfile = pulumi.all([adminLoadfile, rabbitUsers.producer.result]).apply(([loadfile, pass]) => { | |
loadfile.users.push({ | |
"name": "producer", | |
"password_hash": rabbitPassHasher(pass, salt), | |
"hashing_algorithm": "rabbit_password_hashing_sha256", | |
"tags": "" | |
}) | |
return loadfile; | |
}) | |
const rabbitLoadFile = pulumi.all([producerLoadfile, rabbitUsers.testreader.result]).apply(([loadfile, pass]) => { | |
loadfile.users.push({ | |
"name": "testreader", | |
"password_hash": rabbitPassHasher(pass, salt), | |
"hashing_algorithm": "rabbit_password_hashing_sha256", | |
"tags": "" | |
}) | |
return loadfile; | |
}) | |
/** | |
* Lets get those passwords into the vault, and propegated back to the cluster | |
*/ | |
for (const user in rabbitUsers) { | |
let userSecret = new azure.keyvault.Secret(`rabbit-user-${user}`, { | |
resourceGroupName: environment.rg, | |
vaultName: environment.vault.name, | |
secretName: `rabbit-user-${user}`, | |
properties: { | |
value: rabbitUsers[user].result | |
} | |
}) | |
new crd.spv.v2beta1.AzureKeyVaultSecret(`akv2k8s-rabbit-user-${user}`, { | |
metadata: { | |
name: `rabbit-user-${user}`, | |
namespace: "default" | |
}, | |
spec: { | |
vault: { | |
name: environment.vault.name, | |
object: { | |
name: userSecret.name.apply(name => name), | |
type: "secret" | |
} | |
}, | |
output:{ | |
secret: { | |
name: userSecret.name.apply(name => name), | |
dataKey: "password" | |
} | |
} | |
} | |
},{ | |
provider: cluster, | |
dependsOn: userSecret | |
}) | |
} | |
/** | |
* LoadFile to the vault, and back to cluster | |
*/ | |
const rabbitLoadSecret = new azure.keyvault.Secret(`rabbit-load-definition`, { | |
resourceGroupName: environment.rg, | |
vaultName: environment.vault.name, | |
secretName: `rabbit-load-definition`, | |
properties: { | |
value: rabbitLoadFile.apply(x => { return JSON.stringify(x)}) | |
} | |
}) | |
const rabbitLoadSecretReplication = new crd.spv.v2beta1.AzureKeyVaultSecret(`akv2k8s-rabbit-load-definition`, { | |
metadata: { | |
name: `rabbitmq-load-definition`, | |
namespace: "default" | |
}, | |
spec: { | |
vault: { | |
name: environment.vault.name, | |
object: { | |
name: rabbitLoadSecret.name, | |
type: "secret" | |
} | |
}, | |
output:{ | |
secret: { | |
name: "rabbitmq-load-definition", | |
dataKey: "load_definition.json" | |
} | |
} | |
} | |
},{ | |
provider: cluster | |
}) | |
//const rabbitPass = new random.RandomPassword("rabbitpass", {length: 42, special: true}) | |
//rabbitValues.auth.rootPassword = rabbitPass; | |
let rabbitValues = yaml.load(fs.readFileSync("./components/chart-values/rabbitmq-production.yml")) | |
rabbitValues.loadDefinition.existingSecret = "rabbitmq-load-definition" | |
const rabbit = new k8s.helm.v3.Chart("rabbit",{ | |
chart: "rabbitmq", | |
version: "8.11.5", | |
fetchOpts: { | |
repo: helmRepos.bitnami.url | |
}, | |
values: rabbitValues | |
},{ | |
provider: cluster, | |
dependsOn: [rabbitLoadSecretReplication] | |
}) | |
return true | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment