authorMicah Anderson <micah@riseup.net>2013-03-19 17:41:37 -0400
committerMicah Anderson <micah@riseup.net>2013-03-19 17:55:31 -0400
commit9c1c74c359f80cf0e61b62befee0ec5cc04ab4c3 (patch)
tree285f2dc12c2635ba754bccba6822e67f25a29e48
parent01434dcd78746f530f218a7ed8ed37b7b1d5ce71 (diff)
Create a separate couchdb.yml.admin that contains the couchdb admin credentials, and put the unprivileged ones in couchdb.yml as user webapp. This allows us to migrate the couchdb design docs on deployment, but use an unprivileged user the remainder of the time.
-rw-r--r--provider_base/services/webapp.json5
-rw-r--r--puppet/modules/site_webapp/manifests/couchdb.pp30
-rw-r--r--puppet/modules/site_webapp/templates/couchdb.yml.admin.erb9
-rw-r--r--puppet/modules/site_webapp/templates/couchdb.yml.erb4
4 files changed, 32 insertions, 16 deletions
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 477d5f17..0288a0cd 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -2,9 +2,8 @@
"webapp": {
"modules": ["user", "billing", "help"],
"couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]",
- // NOTE: this is bad, but pending a fix to https://leap.se/code/issues/1163
- // before we can use user "webapp"
- "couchdb_user": "= global.services[:couchdb].couch.users[:admin]",
+ "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]",
+ "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]",
"favicon": "= file_path 'branding/favicon.ico'",
"tail_scss": "= file_path 'branding/tail.scss'",
"head_scss": "= file_path 'branding/head.scss'",
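Review bot: The new keys `couchdb_admin_user` and `couchdb_webapp_user` carry no comment saying which one the running app uses, and the removed NOTE was the only explanation of why admin credentials appear in the webapp service at all. A line such as `// couchdb_admin_user is only for migrating design docs at deploy time; the app itself runs as couchdb_webapp_user` above them would keep that intent visible. Any other consumer of the old `couchdb_user` key is not visible in this hunk and would need the same rename.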
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 760706aa..e89880fe 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -1,19 +1,27 @@
class site_webapp::couchdb {
- $x509 = hiera('x509')
- $key = $x509['key']
- $cert = $x509['cert']
- $ca = $x509['ca_cert']
- $webapp = hiera('webapp')
- $couchdb_hosts = $webapp['couchdb_hosts']
+ $x509 = hiera('x509')
+ $key = $x509['key']
+ $cert = $x509['cert']
+ $ca = $x509['ca_cert']
+ $webapp = hiera('webapp')
+ $couchdb_hosts = $webapp['couchdb_hosts']
# haproxy listener on port localhost:4096, see site_webapp::haproxy
- $couchdb_host = 'localhost'
- $couchdb_port = '4096'
- $couchdb_user = $webapp['couchdb_user']['username']
- $couchdb_password = $webapp['couchdb_user']['password']
+ $couchdb_host = 'localhost'
+ $couchdb_port = '4096'
+ $couchdb_admin_user = $webapp['couchdb_admin_user']['username']
+ $couchdb_admin_password = $webapp['couchdb_admin_user']['password']
+ $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username']
+ $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password']
file {
- '/srv/leap-webapp/config/couchdb.yml':
+ '/srv/leap-webapp/config/couchdb.yml.admin':
+ content => template('site_webapp/couchdb.yml.admin.erb'),
+ owner => leap-webapp,
+ group => leap-webapp,
+ mode => '0600';
+
+ '/srv/leap-webapp/config/couchdb.yml.webapp':
content => template('site_webapp/couchdb.yml.erb'),
owner => leap-webapp,
group => leap-webapp,
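Review bot: `/srv/leap-webapp/config/couchdb.yml.admin` is created with `owner => leap-webapp`, so if the web application runs as that account (the path suggests it, but it is not shown here) the running app can still read the admin password at any time, which weakens the separation this commit sets out to make. If the design-doc migration can run as a different account, giving the file to that account, e.g. `owner => root, group => root, mode => '0600';`, would keep the admin credentials out of reach of the app process. Nothing in this hunk manages `/srv/leap-webapp/config/couchdb.yml` any longer, so on already-deployed nodes the previous file holding the admin credentials presumably stays in place until a deploy step outside this diff replaces it; that is worth confirming. The second file resource continues past the end of the hunk.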
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb
new file mode 100644
index 00000000..a0921add
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb
@@ -0,0 +1,9 @@
+production:
+ prefix: ""
+ protocol: 'http'
+ host: <%= @couchdb_host %>
+ port: <%= @couchdb_port %>
+ auto_update_design_doc: false
+ username: <%= @couchdb_admin_user %>
+ password: <%= @couchdb_admin_password %>
+
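Review bot: `username:` and `password:` are written into the YAML unquoted, so a password containing ` #`, `: ` or a leading YAML indicator character would be truncated or mis-typed when the file is loaded, and the login would fail or use a different value than intended. Quoting the scalars, e.g. `password: '<%= @couchdb_admin_password.gsub("'", "''") %>'`, avoids that; the same applies to the `username`/`password` lines changed in the `couchdb.yml.erb` hunk. Whether the password generator can emit such characters is not visible here.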
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb
index 4855abd8..2bef0af5 100644
--- a/puppet/modules/site_webapp/templates/couchdb.yml.erb
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb
@@ -4,6 +4,6 @@ production:
host: <%= @couchdb_host %>
port: <%= @couchdb_port %>
auto_update_design_doc: false
- username: <%= @couchdb_user %>
- password: <%= @couchdb_password %>
+ username: <%= @couchdb_webapp_user %>
+ password: <%= @couchdb_webapp_password %>