authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-03-28 02:14:37 +0100
committerKrzysztof Opasiak <k.opasiak@samsung.com>2020-03-28 02:14:37 +0100
commitc53ff54815a8d716c12395293a8c75a5b6a7fa91 (patch)
treeda614c3f8fdeb01253aae189d995122c6f3baeda
parentf68b72895b2fe13a50d7a059b25b42ba37469091 (diff)
[SO] Use common secret template in so
Generate passwords for so_user and so_admin and distribute them to all SO subcharts. The mariadb-galera root password is taken as a reference to an existing secret (shared mariadb instance), or is also generated if a local cluster is used. Three other DB users also have generated passwords, but they are not distributed outside of so-mariadb as they were never used. Issue-ID: OOM-2328 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: Ic4af5c9b12b00d2a52d2597e3fe1161d0d1a9f20
-rwxr-xr-xkubernetes/so/charts/so-bpmn-infra/values.yaml4
-rwxr-xr-xkubernetes/so/charts/so-catalog-db-adapter/values.yaml4
-rwxr-xr-xkubernetes/so/charts/so-mariadb/values.yaml14
-rw-r--r--kubernetes/so/charts/so-monitoring/values.yaml4
-rwxr-xr-xkubernetes/so/charts/so-openstack-adapter/values.yaml4
-rwxr-xr-xkubernetes/so/charts/so-request-db-adapter/values.yaml4
-rwxr-xr-xkubernetes/so/charts/so-sdc-controller/values.yaml4
-rwxr-xr-xkubernetes/so/charts/so-sdnc-adapter/values.yaml4
-rwxr-xr-xkubernetes/so/charts/so-vfc-adapter/values.yaml4
-rwxr-xr-xkubernetes/so/templates/deployment.yaml20
-rw-r--r--kubernetes/so/templates/secret.yaml15
-rwxr-xr-xkubernetes/so/values.yaml84
12 files changed, 125 insertions, 40 deletions
diff --git a/kubernetes/so/charts/so-bpmn-infra/values.yaml b/kubernetes/so/charts/so-bpmn-infra/values.yaml
index 357a8fd62c..4c64caf304 100755
--- a/kubernetes/so/charts/so-bpmn-infra/values.yaml
+++ b/kubernetes/so/charts/so-bpmn-infra/values.yaml
@@ -30,14 +30,14 @@ secrets:
- uid: db-user-creds
name: '{{ include "common.release" . }}-so-bpmn-infra-db-user-creds'
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
name: '{{ include "common.release" . }}-so-bpmn-infra-db-admin-creds'
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
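Review bot: The reason for the new `tpl (default "" ...)` wrapper on both externalSecret lines is not stated anywhere in the file, and a later reader is likely to "simplify" it back to the plain `{{ .Values.db.userCredsExternalSecret }}` form. As far as the parent chart shows, the value arrives as a still-unrendered template string (an alias of `'{{ include "common.release" . }}-so-db-user-creds'`), so the subchart has to render it itself, and `default ""` keeps `tpl` from failing when the key is unset. I would add, above the first entry that uses it: `# externalSecret may be passed by the parent chart as an unrendered template, hence tpl; default "" guards the unset case`. The same comment applies to the identical edits in the other so-* subcharts in this commit.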
diff --git a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml b/kubernetes/so/charts/so-catalog-db-adapter/values.yaml
index 889f2e83ec..c276649a02 100755
--- a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml
+++ b/kubernetes/so/charts/so-catalog-db-adapter/values.yaml
@@ -30,14 +30,14 @@ secrets:
- uid: db-user-creds
name: '{{ include "common.release" . }}-so-catalog-db-adapter-db-user-creds'
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
name: '{{ include "common.release" . }}-so-catalog-db-adapter-db-admin-creds'
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/charts/so-mariadb/values.yaml b/kubernetes/so/charts/so-mariadb/values.yaml
index d1f3f8061d..5e7b2fef76 100755
--- a/kubernetes/so/charts/so-mariadb/values.yaml
+++ b/kubernetes/so/charts/so-mariadb/values.yaml
@@ -32,13 +32,13 @@ secrets:
- uid: db-root-pass
name: '{{ include "common.release" . }}-so-mariadb-root-pass'
type: password
- externalSecret: '{{ .Values.db.rootPasswordExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.rootPasswordExternalSecret) . }}'
password: '{{ .Values.db.rootPassword }}'
passwordPolicy: required
- uid: db-backup-creds
name: '{{ include "common.release" . }}-so-mariadb-backup-creds'
type: basicAuth
- externalSecret: '{{ .Values.db.backupCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.backupCredsExternalSecret) . }}'
login: '{{ .Values.db.backupUser }}'
password: '{{ .Values.db.backupPassword }}'
passwordPolicy: required
@@ -48,27 +48,27 @@ secrets:
helm.sh/hook-delete-policy: before-hook-creation
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
- uid: camunda-db-creds
type: basicAuth
- externalSecret: '{{ .Values.db.camunda.dbCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.camunda.dbCredsExternalSecret) . }}'
login: '{{ .Values.db.camunda.userName }}'
password: '{{ .Values.db.camunda.password }}'
- uid: request-db-creds
type: basicAuth
- externalSecret: '{{ .Values.db.request.dbCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.request.dbCredsExternalSecret) . }}'
login: '{{ .Values.db.request.userName }}'
password: '{{ .Values.db.request.password }}'
- uid: catalog-db-creds
type: basicAuth
- externalSecret: '{{ .Values.db.catalog.dbCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.catalog.dbCredsExternalSecret) . }}'
login: '{{ .Values.db.catalog.userName }}'
password: '{{ .Values.db.catalog.password }}'
diff --git a/kubernetes/so/charts/so-monitoring/values.yaml b/kubernetes/so/charts/so-monitoring/values.yaml
index d3904234e2..357c61cc45 100644
--- a/kubernetes/so/charts/so-monitoring/values.yaml
+++ b/kubernetes/so/charts/so-monitoring/values.yaml
@@ -34,13 +34,13 @@ global:
secrets:
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/charts/so-openstack-adapter/values.yaml b/kubernetes/so/charts/so-openstack-adapter/values.yaml
index 13556c6ee4..6a0b04b4d1 100755
--- a/kubernetes/so/charts/so-openstack-adapter/values.yaml
+++ b/kubernetes/so/charts/so-openstack-adapter/values.yaml
@@ -29,13 +29,13 @@ global:
secrets:
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/charts/so-request-db-adapter/values.yaml b/kubernetes/so/charts/so-request-db-adapter/values.yaml
index f15b7c27c6..6324cab35a 100755
--- a/kubernetes/so/charts/so-request-db-adapter/values.yaml
+++ b/kubernetes/so/charts/so-request-db-adapter/values.yaml
@@ -29,13 +29,13 @@ global:
secrets:
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/charts/so-sdc-controller/values.yaml b/kubernetes/so/charts/so-sdc-controller/values.yaml
index 0e3bdf4084..6d8adf7338 100755
--- a/kubernetes/so/charts/so-sdc-controller/values.yaml
+++ b/kubernetes/so/charts/so-sdc-controller/values.yaml
@@ -29,13 +29,13 @@ global:
secrets:
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/charts/so-sdnc-adapter/values.yaml b/kubernetes/so/charts/so-sdnc-adapter/values.yaml
index b6724aaa98..b736253f56 100755
--- a/kubernetes/so/charts/so-sdnc-adapter/values.yaml
+++ b/kubernetes/so/charts/so-sdnc-adapter/values.yaml
@@ -29,13 +29,13 @@ global:
secrets:
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/charts/so-vfc-adapter/values.yaml b/kubernetes/so/charts/so-vfc-adapter/values.yaml
index 028f2b51b5..f442860ab3 100755
--- a/kubernetes/so/charts/so-vfc-adapter/values.yaml
+++ b/kubernetes/so/charts/so-vfc-adapter/values.yaml
@@ -29,13 +29,13 @@ global:
secrets:
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/templates/deployment.yaml b/kubernetes/so/templates/deployment.yaml
index c0ac078039..ca6be72273 100755
--- a/kubernetes/so/templates/deployment.yaml
+++ b/kubernetes/so/templates/deployment.yaml
@@ -66,25 +66,13 @@ spec:
name: {{ include "common.release" . }}-so-db-secrets
key: mariadb.readwrite.port
- name: DB_USERNAME
- valueFrom:
- secretKeyRef:
- name: {{ include "common.release" . }}-so-db-secrets
- key: mariadb.readwrite.rolename
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }}
- name: DB_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ include "common.release" . }}-so-db-secrets
- key: mariadb.readwrite.password
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }}
- name: DB_ADMIN_USERNAME
- valueFrom:
- secretKeyRef:
- name: {{ include "common.release" . }}-so-db-secrets
- key: mariadb.admin.rolename
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }}
- name: DB_ADMIN_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ include "common.release" . }}-so-db-secrets
- key: mariadb.admin.password
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }}
{{- if eq .Values.global.security.aaf.enabled true }}
- name: TRUSTSTORE
value: /app/org.onap.so.trust.jks
diff --git a/kubernetes/so/templates/secret.yaml b/kubernetes/so/templates/secret.yaml
new file mode 100644
index 0000000000..bd7eb8ea40
--- /dev/null
+++ b/kubernetes/so/templates/secret.yaml
@@ -0,0 +1,15 @@
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml
index 807d2a6c7e..b2a8b681b3 100755
--- a/kubernetes/so/values.yaml
+++ b/kubernetes/so/values.yaml
@@ -26,7 +26,8 @@ global:
nameOverride: mariadb-galera
serviceName: mariadb-galera
servicePort: "3306"
- mariadbRootPassword: secretpassword
+ # mariadbRootPassword: secretpassword
+ # rootPasswordExternalSecret: some secret
#This flag allows SO to instantiate its own mariadb-galera cluster,
#serviceName and nameOverride should be so-mariadb-galera if this flag is enabled
localCluster: false
@@ -40,6 +41,7 @@ global:
dbPort: 3306
dbUser: root
dbPassword: secretpassword
+ # dbCredsExternalSecret: some secret
msbEnabled: true
security:
aaf:
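Review bot: `dbPassword: secretpassword` for the migration user `root` is left in place directly above the new `# dbCredsExternalSecret` comment, so a deployment with `migration.enabled: true` that does not override it passes the `passwordPolicy: required` check on db-backup-creds with a well-known password instead of failing. The mariadb-galera root password a few lines up was commented out in this same commit for exactly that reason; I would treat this credential the same way: `# dbPassword: secretpassword`, leaving `# dbCredsExternalSecret: some secret` as the documented alternative. Since these credentials must match an already existing database they cannot be generated, which makes failing fast on a missing value the only safe default as I read it.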
@@ -69,9 +71,55 @@ global:
certs:
trustStorePassword: b25hcDRzbw==
keyStorePassword: c280b25hcA==
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: db-root-pass
+ name: &dbRootPassSecretName '{{ include "common.release" . }}-so-db-root-pass'
+ type: password
+ externalSecret: '{{ ternary .Values.global.mariadbGalera.rootPasswordExternalSecret (default (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) .Values.global.mariadbGalera.rootPasswordExternalSecret) .Values.global.mariadbGalera.localCluster }}'
+ password: '{{ .Values.global.mariadbGalera.mariadbRootpassword }}'
+ - uid: db-backup-creds
+ name: &dbBackupCredsSecretName '{{ include "common.release" . }}-so-db-backup-creds'
+ type: basicAuth
+ externalSecret: '{{ ternary .Values.global.migration.dbCredsExternalSecret "migrationDisabled" .Values.global.migration.enabled }}'
+ login: '{{ ternary .Values.global.migration.dbUser "migrationDisabled" .Values.global.migration.enabled }}'
+ password: '{{ ternary .Values.global.migration.dbPassword "migrationDisabled" .Values.global.migration.enabled }}'
+ passwordPolicy: required
+ annotations:
+ helm.sh/hook: pre-upgrade,pre-install
+ helm.sh/hook-weight: "0"
+ helm.sh/hook-delete-policy: before-hook-creation
+ - uid: db-user-creds
+ name: &dbUserCredsSecretName '{{ include "common.release" . }}-so-db-user-creds'
+ type: basicAuth
+ externalSecret: '{{ .Values.dbCreds.userCredsExternalSecret }}'
+ login: '{{ .Values.dbCreds.userName }}'
+ password: '{{ .Values.dbCreds.userPassword }}'
+ passwordPolicy: generate
+ - uid: db-admin-creds
+ name: &dbAdminCredsSecretName '{{ include "common.release" . }}-so-db-admin-creds'
+ type: basicAuth
+ externalSecret: '{{ .Values.dbCreds.adminCredsExternalSecret }}'
+ login: '{{ .Values.dbCreds.adminName }}'
+ password: '{{ .Values.dbCreds.adminPassword }}'
+ passwordPolicy: generate
+
#################################################################
# Application configuration defaults.
#################################################################
+
+dbSecrets: &dbSecrets
+ userCredsExternalSecret: *dbUserCredsSecretName
+ adminCredsExternalSecret: *dbAdminCredsSecretName
+
+# unused in this, just to pass to subcharts
+dbCreds:
+ userName: so_user
+ adminName: so_admin
+
repository: nexus3.onap.org:10001
image: onap/so/api-handler-infra:1.5.3
pullPolicy: Always
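Review bot: The db-root-pass entry reads `.Values.global.mariadbGalera.mariadbRootpassword` (lowercase p) while the key defined at the top of this file is `mariadbRootPassword`, so in the `localCluster: true` branch the locally created secret receives whatever Helm renders for a missing key — an empty string as I read it — and the entry carries no `passwordPolicy`, so nothing generates a value or rejects the empty one; the outcome is a MariaDB root password that is empty. The commit message says the root password should be generated for a local cluster, which is what `passwordPolicy: generate` does for db-user-creds and db-admin-creds just below. I would fix the key and add the policy: `password: '{{ .Values.global.mariadbGalera.mariadbRootPassword }}'` followed by `passwordPolicy: generate`. Whether an unset policy already defaults to generate inside common.secretFast is not visible here; if it does, only the key name needs fixing.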
@@ -133,6 +181,8 @@ config:
# --set so.global.mariadbGalera.nameOverride=so-mariadb-galera \
# --set so.global.mariadbGalera.serviceName=so-mariadb-galera
mariadb-galera:
+ config:
+ mariadbRootPasswordExternalSecret: *dbRootPassSecretName
nameOverride: so-mariadb-galera
replicaCount: 1
service:
@@ -172,7 +222,10 @@ mso:
auth: 51EA5414022D7BE536E7516C4D1A6361416921849B72C0D6FC1C7F262FD9F2BBC2AD124190A332D9845A188AD80955567A4F975C84C221EEA8243BFD92FFE6896CDD1EA16ADD34E1E3D47D4A
health:
auth: basic bXNvX2FkbWlufHBhc3N3b3JkMSQ=
+
so-bpmn-infra:
+ db:
+ <<: *dbSecrets
cds:
auth: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw==
aai:
@@ -204,7 +257,10 @@ so-bpmn-infra:
vnfm:
adapter:
auth: Basic dm5mbTpwYXNzd29yZDEk
+
so-catalog-db-adapter:
+ db:
+ <<: *dbSecrets
mso:
config:
cadi:
@@ -215,7 +271,10 @@ so-catalog-db-adapter:
adapters:
db:
auth: Basic YnBlbDpwYXNzd29yZDEk
+
so-openstack-adapter:
+ db:
+ <<: *dbSecrets
aaf:
auth:
encrypted: 7F182B0C05D58A23A1C4966B9CDC9E0B8BC5CD53BC8C7B4083D869F8D53E9BDC3EFD55C94B1D3F
@@ -240,7 +299,10 @@ so-openstack-adapter:
noAuthn: /manage/health
db:
auth: Basic YnBlbDpwYXNzd29yZDEk
+
so-request-db-adapter:
+ db:
+ <<: *dbSecrets
mso:
config:
cadi:
@@ -251,7 +313,10 @@ so-request-db-adapter:
adapters:
requestDb:
auth: Basic YnBlbDpwYXNzd29yZDEk
+
so-sdc-controller:
+ db:
+ <<: *dbSecrets
aai:
auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586
mso:
@@ -271,6 +336,8 @@ so-sdc-controller:
asdc-controller1:
password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F
so-sdnc-adapter:
+ db:
+ <<: *dbSecrets
org:
onap:
so:
@@ -292,7 +359,10 @@ so-sdnc-adapter:
auth: Basic YnBlbDpwYXNzd29yZDEk
rest:
aafEncrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456
+
so-vfc-adapter:
+ db:
+ <<: *dbSecrets
mso:
config:
cadi:
@@ -322,3 +392,15 @@ so-vnfm-adapter:
aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9
apiEnforcement: org.onap.so.vnfmAdapterPerm
noAuthn: /manage/health
+
+so-monitoring:
+ db:
+ <<: *dbSecrets
+
+so-mariadb:
+ db:
+ rootPasswordExternalSecretLocalDb: *dbRootPassSecretName
+ rootPasswordExternalSecret: '{{ ternary .Values.db.rootPasswordExternalSecretLocalDb (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) .Values.global.mariadbGalera.localCluster }}'
+ backupCredsExternalSecret: *dbBackupCredsSecretName
+ userCredsExternalSecret: *dbUserCredsSecretName
+ adminCredsExternalSecret: *dbAdminCredsSecretName
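Review bot: In the `localCluster: true` branch the ternary on the `rootPasswordExternalSecret` line returns `.Values.db.rootPasswordExternalSecretLocalDb`, which is itself the unrendered template `'{{ include "common.release" . }}-so-db-root-pass'`; the so-mariadb subchart's `tpl (default "" ...)` wrapper renders this string only once, so the literal `{{ include ... }}` text would be used as the secret name unless common.secretFast renders externalSecret a second time, which is not visible in this diff. Rendering the alias inside the ternary removes that dependence: `rootPasswordExternalSecret: '{{ ternary (tpl .Values.db.rootPasswordExternalSecretLocalDb .) (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) .Values.global.mariadbGalera.localCluster }}'`. Note that `ternary` evaluates both branches, so the `tpl` call runs even when the shared instance is used; that is harmless here because the aliased value is always set.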