diff --git a/CHANGELOG.md b/CHANGELOG.md
index e6aa4560..6317d9ba 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,9 +9,9 @@ cloud and more. - Local backups support saving the GraphDB backup archives in volume from an existing persistent volume claim, configured with `backup.local` - - Cloud backups support uploading the GraphDB backup archives in one of the supported cloud object storage services, configured - with `backup.cloud` - - Added a new example under [examples/backup-local](examples/backup-local) showing how to use the local backup feature + - Cloud backups support uploading the GraphDB backup archives in one of the supported cloud object storage services, configured with `backup.cloud` + - Added a new example under [examples/backup-local](examples/backup-local) showing how to use the local backup feature with `backup.local` +- Added a new property `security.provisioner.passwordHash` to define an initial password for the provisioner user as a bcrypt hash. ### Fixed
diff --git a/files/config/users.js b/files/config/users.js
index d9e30566..65200050 100644
--- a/files/config/users.js
+++ b/files/config/users.js
@@ -16,7 +16,7 @@
 {{- include "grahdb.security.extra-users.json" . | nindent 4 }}
 "{{ .Values.security.provisioner.username }}" : {
 "username" : "{{ .Values.security.provisioner.username }}",
-"password" : "{bcrypt}{{ htpasswd .Values.security.provisioner.username .Values.security.provisioner.password | trimPrefix (printf "%s:" .Values.security.provisioner.username) }}",
+"password" : {{ .Values.security.provisioner.passwordHash | default ( include "graphdb.security.provisioner.passwordHash" . ) | quote }},
 "grantedAuthorities" : [ "ROLE_ADMIN" ],
 "appSettings" : {
 "DEFAULT_INFERENCE" : true,
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index f856502a..8e719ace 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
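Review bot: The new `password` line on the added side renders any non-empty `passwordHash` verbatim, so a value that lacks the `{bcrypt}` prefix, or a plaintext password pasted into the wrong key, becomes the stored credential in users.js with no check; the prefix requirement lives only in a values.yaml comment. I would reject such values at render time, directly above the password line: `{{- $hash := .Values.security.provisioner.passwordHash -}}` followed by `{{- if and $hash (not (hasPrefix "{bcrypt}" $hash)) }}{{ fail "security.provisioner.passwordHash must be a bcrypt hash prefixed with {bcrypt}" }}{{ end -}}`. `quote` is adequate for a bcrypt string (only `$`, `.`, `/` and alphanumerics, nothing Go-escapes) and `default` correctly treats the empty-string default as unset. The user object this line belongs to opens before and closes after the hunk.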
@@ -97,3 +97,10 @@ Converts custom users YAML to a pretty JSON for insertion in users.js
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Calculate provisoner's bcrypt-hashed password
+*/}}
+{{- define "graphdb.security.provisioner.passwordHash" -}}
+ {{- printf "{bcrypt}%s" ( htpasswd .Values.security.provisioner.username .Values.security.provisioner.password | trimPrefix (printf "%s:" .Values.security.provisioner.username)) -}}
+{{- end -}}
diff --git a/values.yaml b/values.yaml
index 5cd01243..5ae6e5f4 100644
--- a/values.yaml
+++ b/values.yaml
@@ -258,6 +258,10 @@ security:
 # Note: The user is created regardless of if the existingSecret is provided or not.
 username: provisioner
 password: iHaveSuperpowers
+ # Define an initial password for the provisioner user as a bcrypt hash.
+ # If the password is not specified, it will use the default one specified in the provisioner.password.
+ # Important: This value must be a bcrypt encrypted hash, not a plaintext string. The format is "{bcrypt}"
+ passwordHash: ""
 # Reference to Secret with a basic authentication token of an existing user to use for provisioning tasks instead of the default user in the initial
 # user.js that is created using the plaintext username and password configurations from above.
 # Note that the user must already exist in GraphDB for this to work properly.
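Review bot: The doc comment on the new `graphdb.security.provisioner.passwordHash` helper has a typo (`provisoner`) and says nothing about the shape of the result or that it is not stable: Sprig's `htpasswd` presumably produces a freshly salted bcrypt hash on each call, so the same plaintext renders to a different string on every `helm template` or `upgrade`, which matters to anyone diffing rendered output. I would replace the comment with `Build the provisioner's "{bcrypt}<hash>" password entry by bcrypt-hashing security.provisioner.password with htpasswd; the salt is random, so the output differs on every render.` The helper also hashes whatever `password` holds, including the chart's shipped default, without complaint; that behaviour predates this change, but the comment should at least name the value it reads.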
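Review bot: The comment added above `passwordHash` is imprecise on two security-relevant points: bcrypt is a hash, not encryption, and `The format is "{bcrypt}"` does not say the prefix must be followed by the hash itself. The comment directly below this hunk says provisioning still authenticates with the plaintext username and password from above, so if `passwordHash` is derived from a different password than `security.provisioner.password`, provisioning calls would presumably fail unless an existingSecret is used, and the new comment should say so. I would change the three comment lines to `# Optional bcrypt hash of the provisioner's initial password, e.g. "{bcrypt}$2a$10$...". When empty, provisioner.password is hashed at render time instead.` followed by `# If set, keep provisioner.password in sync with it (or use existingSecret below), since provisioning still authenticates with the plaintext value; a bcrypt hash is still worth keeping out of version control.`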