feat: replace ansible with PyMySQL for DB Creation #289
Conversation
intlabs
changed the title
|
you'll have to let me know when you want this reviewed. i was just about to pull in the other work from #206, and found you sprawled into this new PR. |
|
@v1k0d3n np, I'll remove the wip when it's ready :) The PR's in #206 are still needed for this to be functional:
A new PR was created as after 1 month it's simply not feasible to rebase :/ |
v1k0d3n
changed the title
v1k0d3n
changed the title
intlabs
changed the title
|
@alanmeadows, @v1k0d3n if you could have a look at this, its ready for initial review. Once we've got this looking sweet I'll expand the concept out to all the other charts. |
intlabs
changed the title
wilkers-steve
left a comment
wilkers-steve
left a comment
There was a problem hiding this comment.
Unless I'm missing something, this looks good to me @intlabs. I'm definitely looking forward to this change getting merged in and expanding the work to the other charts.
alanmeadows
left a comment
alanmeadows
left a comment
There was a problem hiding this comment.
Looks good @intlabs. A few comments, nothing major.
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| {{- define "helm-toolkit.db_init" }} |
There was a problem hiding this comment.
I still recommend we adopt full paths (even though I am sometimes not following my own advice), to locate where these methods are physically located:
define "helm-toolkit.scripts.db_init"
Also, we can probably do better then scripts, perhaps keystone foo, db foo, and so on.
There was a problem hiding this comment.
I agree with this sentiment, can we hit this in a separate PR though, so as to minimise disruption to work in flight?
There was a problem hiding this comment.
Agree with @alanmeadows here, I think it would be best to add a bit more detail to the path within helm-toolkit.
There was a problem hiding this comment.
I agree w/ @intlabs that this needs to be in another PR. and documented in an issue.
| print("Created database {0}".format(database)) | ||
| except: | ||
| print("Could not create database {0}".format(database)) | ||
| sys.exit(1) |
There was a problem hiding this comment.
I suppose you do not want to involve the standard logger for simplicity reasons (which could use LOG.traceback(foo) but this exception will lack a traceback that may include some hint at why if one should ever need it.
There is a balance between overloading the user and providing them curt errors but I'd appreciate a traceback if an action like this fails as sqlalchemy may provide some hint from the engine as to what went wrong.
Alternative to logger could be if your really trying to be print-locked:
import traceback
print traceback.format_exc()
There was a problem hiding this comment.
no reason to be bound to print. It was just the quickest and simplest way to implement this. I'm fine using the standard logger, or adding tracebacks.
| database, user, password)) | ||
| print("Created user {0} for {1}".format(user, database)) | ||
| except: | ||
| print("Could not create user {0} for {1}".format(user, database)) |
| print 'Database connection for user ok' | ||
| except: | ||
| print 'Could not connect to database as user' | ||
| sys.exit(1) |
| secretKeyRef: | ||
| name: keystone-db-root | ||
| key: DB_CONNECTION | ||
| - name: OPENSTACK_CONFIG_FILE |
There was a problem hiding this comment.
I like this approach. No need to pass data to this thing thats already in the config.
| print("Trying to load db config from {0}:{1}".format( | ||
| os_conf_section, os_conf_key)) | ||
| user_db_conn = config.get(os_conf_section, os_conf_key) | ||
| print("Got config from {0}".format(os_conf)) |
There was a problem hiding this comment.
For debugging do we perhaps want to print what we're working with (the final resulting db connect string) or do we feel security would be compromised?
There was a problem hiding this comment.
Plus @v1k0d3n for thoughts on stdout containing sensitive usernames and passwords. Helps debugging. Hurts security.
There was a problem hiding this comment.
@alanmeadows I'd be very hesitant to do that as a result of the security concerns you highlight. Printing passwords to stdout seems like a recipe for having a bad time to me.
There was a problem hiding this comment.
if we're getting down to it, we're already sending passwords/secrets in the clear today (via configmaps, and then sending them on to tiller).
i think we should fix the security issues we have soon, and start planning for proper secrets management (it's on the roadmap), but i also think we should include a helpful debug mechanism like @alanmeadows is suggesting. otherwise it just gets too magical for the average user starting to work with openstack-helm.
hopefully with a proper combination of the two, we'll give users/developers confidence that when they use debugging in OSH, passwords/secrets are only being passed at their command, which would make @intlabs and me much more happy.
I am removing my copywrite and transfering it to the OpenStack-Helm Authors for the DB Managment Script. As although this was primarily written while an independant OSS Developer, it is not currently present in any other codebase and will only be merged post commencing work on the project in an official capacity. This does not affect the copywrite of any other code contibuted to the project by myself or any other party.
intlabs
changed the title
larryrensing
left a comment
larryrensing
left a comment
There was a problem hiding this comment.
This looks great @intlabs, nice work.
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| {{- define "helm-toolkit.db_init" }} |
There was a problem hiding this comment.
Agree with @alanmeadows here, I think it would be best to add a bit more detail to the path within helm-toolkit.
wilkers-steve
left a comment
wilkers-steve
left a comment
There was a problem hiding this comment.
@intlabs This looks good to me. I'm leaning towards @alanmeadows and @larryrensing suggestions that we work with the paths a bit, but that should be handled separately. I don't see a reason for that to block getting this in finally.
6 participants
What is the purpose of this pull request?: To replace ansible with PyMySQL for DB Creation
What issue does this pull request address?: Superceeds #206, which in turn superseded #140.
Notes for reviewers to consider:
This PR will limit its scope to helm-toolkit and keystone until we have resolved the path ahead, once consensus is reached it will be expanded to the remaining services.
Specific reviewers for pull request:
@alanmeadows @v1k0d3n