chef · rensycthomas · Jan 24, 2025 · Jan 27, 2025 · Jan 28, 2025 · Jan 29, 2025
diff --git a/components/automate-backend-deployment/README.md b/components/automate-backend-deployment/README.md
@@ -5,4 +5,3 @@ This provides the `automate-backend-deployment` package.
 This package will build a package using terraform/a2ha-terraform, inspecs, test, certs and Makefile.
 
 This is the heart of the a2ha because this component will set up a workspace for a2ha and all the a2ha command will get available after installing this package.
-
diff --git a/components/automate-cli/cmd/chef-automate/automateHAAwsDeployment.go b/components/automate-cli/cmd/chef-automate/automateHAAwsDeployment.go
@@ -3,6 +3,7 @@ package main
 import (
 	"container/list"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/pem"
 	"fmt"
 	"net/http"
@@ -146,6 +147,7 @@ func (a *awsDeployment) generateConfig(state string) error {
 	}
 
 	a.setDefaultBasePath()
+	a.encodePasswordFields()
 
 	return writeHAConfigFiles(awsA2harbTemplate, a.config, state)
 }
@@ -547,3 +549,18 @@ func (a *awsDeployment) isIamRolePresent() error {
 	}
 	return nil
 }
+
+func (a *awsDeployment) encodePasswordFields() {
+	if a.config.Aws.Config.SetupManagedServices {
+
+		if len(a.config.Aws.Config.OpensearchUserPassword) > 0 {
+			a.config.Aws.Config.OpensearchUserPassword = base64.StdEncoding.EncodeToString([]byte((a.config.Aws.Config.OpensearchUserPassword)))
+		}
+		if len(a.config.Aws.Config.RDSSuperUserPassword) > 0 {
+			a.config.Aws.Config.RDSSuperUserPassword = base64.StdEncoding.EncodeToString([]byte((a.config.Aws.Config.RDSSuperUserPassword)))
+		}
+		if len(a.config.Aws.Config.RDSDBUserPassword) > 0 {
+			a.config.Aws.Config.RDSDBUserPassword = base64.StdEncoding.EncodeToString([]byte((a.config.Aws.Config.RDSDBUserPassword)))
+		}
+	}
+}
diff --git a/components/automate-cli/cmd/chef-automate/automateHADeployExistingInfra.go b/components/automate-cli/cmd/chef-automate/automateHADeployExistingInfra.go
@@ -2,6 +2,7 @@
 
 import (
 	"container/list"
+	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
@@ -96,6 +97,7 @@
 	}
 
 	e.setDefaultBasePath()
+	e.encodePasswordFields()
 
 	return writeHAConfigFiles(existingNodesA2harbTemplate, e.config, state)
 }
@@ -776,3 +778,25 @@
 	return nil
 
 }
+
+func (e *existingInfra) encodePasswordFields() {
+	e.log.Debug("RT Value of isManagedServicesOn", isManagedServicesOn())
+	if isManagedServicesOn() {
+        e.log.Debug("RT Inside ManagedServices", isManagedServicesOn()) 
+		if len(e.config.ExternalDB.Database.Opensearch.OpensearchSuperUserPassword) > 0 {
+			e.log.Debug("RT OS SUP", e.config.ExternalDB.Database.Opensearch.OpensearchSuperUserPassword) 
+			e.config.ExternalDB.Database.Opensearch.OpensearchSuperUserPassword = base64.StdEncoding.EncodeToString([]byte((e.config.ExternalDB.Database.Opensearch.OpensearchSuperUserPassword)))
+			e.log.Debug("RT OS SUP Encoded", e.config.ExternalDB.Database.Opensearch.OpensearchSuperUserPassword) 
+		}
+		if len(e.config.ExternalDB.Database.PostgreSQL.PostgreSQLSuperUserPassword) > 0 {
+			e.log.Debug("RT PS SUP", e.config.ExternalDB.Database.PostgreSQL.PostgreSQLSuperUserPassword)
+			e.config.ExternalDB.Database.PostgreSQL.PostgreSQLSuperUserPassword = base64.StdEncoding.EncodeToString([]byte((e.config.ExternalDB.Database.PostgreSQL.PostgreSQLSuperUserPassword)))
+			e.log.Debug("RT PS SUP Encoded", e.config.ExternalDB.Database.PostgreSQL.PostgreSQLSuperUserPassword)
+		}
+		if len(e.config.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserPassword) > 0 {
+			e.log.Debug("RT PS DBUP", e.config.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserPassword)
+			e.config.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserPassword = base64.StdEncoding.EncodeToString([]byte((e.config.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserPassword)))
+			e.log.Debug("RT PS DBUP Encoded", e.config.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserPassword)
+		}
+	}
+}
diff --git a/components/automate-cli/cmd/chef-automate/decode_password.go b/components/automate-cli/cmd/chef-automate/decode_password.go
@@ -0,0 +1,93 @@
+package main
+
+import (
+	"encoding/base64"
+
+	dc "github.com/chef/automate/api/config/deployment"
+	"github.com/chef/automate/components/automate-cli/pkg/docs"
+	"github.com/chef/automate/lib/io/fileutils"
+	"github.com/chef/toml"
+	"github.com/spf13/cobra"
+)
+
+var decodePasswordCmdFlags = struct {
+	config string
+}{}
+
+func init() {
+	RootCmd.AddCommand(decodePasswordCmd)
+	decodePasswordCmd.PersistentFlags().StringVarP(
+		&decodePasswordCmdFlags.config,
+		"config",
+		"c",
+		"",
+		"Config file that needs to be updated with decoded passwords")
+}
+
+var decodePasswordCmd = &cobra.Command{
+	Use:    "decode-password [/path/to/config.toml]",
+	Short:  "Decodes the password fields",
+	Long:   "Decodes the password fields in the specified config.toml file",
+	RunE:   runDecodePasswordCmd,
+	Args:   cobra.ExactArgs(1),
+	Hidden: true,
+	Annotations: map[string]string{
+		docs.Tag: docs.BastionHost,
+	},
+}
+
+func runDecodePasswordCmd(cmd *cobra.Command, args []string) error {
+	if len(args) > 0 {
+		configFile := args[0]
+		if len(configFile) > 0 {
+			if checkIfFileExist(configFile) {
+				tomlbyte, _ := fileutils.ReadFile(configFile) // nosemgrep
+				configString := string(tomlbyte)
+				var config dc.AutomateConfig
+				if _, err := toml.Decode(configString, &config); err != nil {
+					return err
+				}
+				if config.Global != nil && config.Global.V1 != nil && config.Global.V1.External != nil {
+					if config.Global.V1.External.Postgresql != nil && config.Global.V1.External.Postgresql.Auth != nil && config.Global.V1.External.Postgresql.Auth.Password != nil {
+						if config.Global.V1.External.Postgresql.Auth.Password.Superuser != nil && config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password != nil {
+							superUserPassword := config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value
+							if superUserPassword != "" {
+								superUserPswd, decErr := base64.StdEncoding.DecodeString(superUserPassword)
+								if decErr != nil {
+									return decErr
+								}
+								config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value = string(superUserPswd)
+							}
+						}
+						if config.Global.V1.External.Postgresql.Auth.Password.Dbuser != nil && config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password != nil {
+							dbUserPassword := config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value
+							if dbUserPassword != "" {
+								dbUserPswd, decErr := base64.StdEncoding.DecodeString(dbUserPassword)
+								if decErr != nil {
+									return decErr
+								}
+								config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value = string(dbUserPswd)
+							}
+						}
+					}
+					if config.Global.V1.External.Opensearch != nil && config.Global.V1.External.Opensearch.Auth != nil && config.Global.V1.External.Opensearch.Auth.BasicAuth != nil && config.Global.V1.External.Opensearch.Auth.BasicAuth.Password != nil {
+						userPassword := config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value
+						if userPassword != "" {
+							userPswd, decErr := base64.StdEncoding.DecodeString(userPassword)
+							if decErr != nil {
+								return decErr
+							}
+							config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value = string(userPswd)
+						}
+					}
+					_, err := fileutils.CreateTomlFileFromConfig(&config, configFile)
+					if err != nil {
+						return err
+					}
+
+				}
+			}
+		}
+	}
+	return nil
+}
diff --git a/components/automate-cli/cmd/chef-automate/decode_password_test.go b/components/automate-cli/cmd/chef-automate/decode_password_test.go
@@ -0,0 +1,21 @@
+package main
+
+import (
+	"testing"
+
+	dc "github.com/chef/automate/api/config/deployment"
+	"github.com/chef/automate/lib/io/fileutils"
+	"github.com/chef/toml"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRunDecodePasswordCmd(t *testing.T) {
+	runDecodePasswordCmd(cmd, []string{CONFIG_PATH + "/config_externaldb.toml"})
+	tomlbyte, _ := fileutils.ReadFile(CONFIG_PATH + "/config_externaldb.toml")
+	configString := string(tomlbyte)
+	var config dc.AutomateConfig
+	toml.Decode(configString, &config)
+	assert.Equal(t, "admin", config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value)
+	assert.Equal(t, "admin", config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value)
+	assert.Equal(t, "admin", config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value)
+}
diff --git a/components/automate-cli/cmd/chef-automate/encode_password.go b/components/automate-cli/cmd/chef-automate/encode_password.go
@@ -0,0 +1,85 @@
+package main
+
+import (
+	"encoding/base64"
+
+	dc "github.com/chef/automate/api/config/deployment"
+	"github.com/chef/automate/components/automate-cli/pkg/docs"
+	"github.com/chef/automate/lib/io/fileutils"
+	"github.com/chef/toml"
+	"github.com/spf13/cobra"
+)
+
+var encodePasswordCmdFlags = struct {
+	config string
+}{}
+
+var encodePasswordCmd = &cobra.Command{
+	Use:    "encode-password [/path/to/config.toml]",
+	Short:  "Encodes the password fields",
+	Long:   "Encodes the password fields in the specified config.toml file",
+	RunE:   runEncodePasswordCmd,
+	Args:   cobra.ExactArgs(1),
+	Hidden: true,
+	Annotations: map[string]string{
+		docs.Tag: docs.BastionHost,
+	},
+}
+
+func init() {
+	RootCmd.AddCommand(encodePasswordCmd)
+	encodePasswordCmd.PersistentFlags().StringVarP(
+		&encodePasswordCmdFlags.config,
+		"config",
+		"c",
+		"",
+		"Config file that needs to be updated with encoded passwords")
+
+}
+
+func runEncodePasswordCmd(cmd *cobra.Command, args []string) error {
+	if len(args) > 0 {
+		configFile := args[0]
+		if len(configFile) > 0 {
+			if checkIfFileExist(configFile) {
+				tomlbyte, _ := fileutils.ReadFile(configFile) // nosemgrep
+				configString := string(tomlbyte)
+				var config dc.AutomateConfig
+				if _, err := toml.Decode(configString, &config); err != nil {
+					return err
+				}
+				if config.Global != nil && config.Global.V1 != nil && config.Global.V1.External != nil {
+					if config.Global.V1.External.Postgresql != nil && config.Global.V1.External.Postgresql.Auth != nil && config.Global.V1.External.Postgresql.Auth.Password != nil {
+						if config.Global.V1.External.Postgresql.Auth.Password.Superuser != nil && config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password != nil {
+							superUserPassword := config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value
+							if superUserPassword != "" {
+								superUserPassword = base64.StdEncoding.EncodeToString([]byte(superUserPassword))
+								config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value = superUserPassword
+							}
+						}
+						if config.Global.V1.External.Postgresql.Auth.Password.Dbuser != nil && config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password != nil {
+							dbUserPassword := config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value
+							if dbUserPassword != "" {
+								dbUserPassword = base64.StdEncoding.EncodeToString([]byte(dbUserPassword))
+								config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value = dbUserPassword
+							}
+						}
+					}
+					if config.Global.V1.External.Opensearch != nil && config.Global.V1.External.Opensearch.Auth != nil && config.Global.V1.External.Opensearch.Auth.BasicAuth != nil && config.Global.V1.External.Opensearch.Auth.BasicAuth.Password != nil {
+						userPassword := config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value
+						if userPassword != "" {
+							userPassword = base64.StdEncoding.EncodeToString([]byte(userPassword))
+							config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value = userPassword
+						}
+					}
+					_, err := fileutils.CreateTomlFileFromConfig(&config, configFile)
+					if err != nil {
+						return err
+					}
+
+				}
+			}
+		}
+	}
+	return nil
+}
diff --git a/components/automate-cli/cmd/chef-automate/encode_password_test.go b/components/automate-cli/cmd/chef-automate/encode_password_test.go
@@ -0,0 +1,27 @@
+package main
+
+import (
+	"testing"
+
+	dc "github.com/chef/automate/api/config/deployment"
+	"github.com/chef/automate/lib/io/fileutils"
+	"github.com/chef/toml"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+const CONFIG_PATH = "../../pkg/testfiles/onprem"
+
+var cmd = &cobra.Command{}
+
+func TestRunEncodePasswordCmd(t *testing.T) {
+	runEncodePasswordCmd(cmd, []string{CONFIG_PATH + "/config_externaldb.toml"})
+	tomlbyte, _ := fileutils.ReadFile(CONFIG_PATH + "/config_externaldb.toml")
+	configString := string(tomlbyte)
+	var config dc.AutomateConfig
+	toml.Decode(configString, &config)
+	assert.Equal(t, "YWRtaW4=", config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value)
+	assert.Equal(t, "YWRtaW4=", config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value)
+	assert.Equal(t, "YWRtaW4=", config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value)
+	runDecodePasswordCmd(cmd, []string{CONFIG_PATH + "/config_externaldb.toml"})
+}
diff --git a/components/automate-cli/pkg/testfiles/onprem/config_externaldb.toml b/components/automate-cli/pkg/testfiles/onprem/config_externaldb.toml
@@ -0,0 +1,18 @@
+[global]
+  [global.v1]
+    [global.v1.external]
+      [global.v1.external.postgresql]
+        [global.v1.external.postgresql.auth]
+          [global.v1.external.postgresql.auth.password]
+            [global.v1.external.postgresql.auth.password.superuser]
+              username = "admin"
+              password = "admin"
+            [global.v1.external.postgresql.auth.password.dbuser]
+              username = "admin"
+              password = "admin"
+      [global.v1.external.opensearch]
+        [global.v1.external.opensearch.auth]
+          scheme = "basic_auth"
+          [global.v1.external.opensearch.auth.basic_auth]
+            username = "admin"
+            password = "admin"
diff --git a/terraform/a2ha-terraform/modules/automate/templates/provision.sh.tpl b/terraform/a2ha-terraform/modules/automate/templates/provision.sh.tpl
@@ -402,7 +402,9 @@ else
   # Skip checks for the hab user as we create and manage that separately.
   # Fixes issues when the hab user/group is setup via LDAP in nsswitch configs.
   export CHEF_AUTOMATE_SKIP_HAB_USER=true
+  chef-automate decode-password /etc/chef-automate/config.toml
   chef-automate deploy /etc/chef-automate/config.toml $DEPLOY_BUNDLES --accept-terms-and-mlsa | grep --line-buffered -v "\┤\|\┘\|\└\|\┴\|\├\|\┌\|\┬\|\┴\|\┐"
+  chef-automate encode-password /etc/chef-automate/config.toml
 fi
 
 create_bootstrap_bundle

diff --git a/terraform/a2ha-terraform/modules/habitat/templates/install_hab.sh.tpl b/terraform/a2ha-terraform/modules/habitat/templates/install_hab.sh.tpl
@@ -157,7 +157,7 @@ if  which hab-sup &> /dev/null; then
 fi
 
 # For frontend and backend nodes
-for pkg in ${tmp_path}/aib_workspace/hab/cache/artifacts/{core-hab,*automate-ha-ctl,chef-automate-cli}*hart; do
+for pkg in ${tmp_path}/aib_workspace/hab/cache/artifacts/{core-hab,*automate-ha-ctl,*automate-cli}*hart; do
   export pkg
   bash -c 'eval hab pkg install --force --binlink --binlink-dir /bin $pkg "$LOGCMD"' || true
 done
Original file line number	Diff line number	Diff line change
Expand Up		@@ -5,4 +5,3 @@ This provides the `automate-backend-deployment` package.
		This package will build a package using terraform/a2ha-terraform, inspecs, test, certs and Makefile.

		This is the heart of the a2ha because this component will set up a workspace for a2ha and all the a2ha command will get available after installing this package.