authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-04-23 20:37:00 +0000
committerGerrit Code Review <gerrit@onap.org>2020-04-23 20:37:00 +0000
commita3210a7f84335fe4626ccd52ff5d633e7fd3c70e (patch)
treefa4146b86f8f289abb929b119d3d692cbd2a4b96
parent2aceb30bd007dbe558419210f2f3a0753b909d98 (diff)
parentc88bcc9611987c44efec88acab6f0261350a4968 (diff)
Merge "[POLICY] Remove hardcoded credentials from policy-xacml-pdp"
-rw-r--r--kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json8
-rw-r--r--kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml29
-rw-r--r--kubernetes/policy/charts/policy-xacml-pdp/values.yaml19
3 files changed, 51 insertions, 5 deletions
diff --git a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json
index a52cc0f6d4..3b72d8ed90 100644
--- a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json
+++ b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json
@@ -21,16 +21,16 @@
"restServerParameters": {
"host": "0.0.0.0",
"port": 6969,
- "userName": "healthcheck",
- "password": "zb!XztG34",
+ "userName": "${RESTSERVER_USER}",
+ "password": "${RESTSERVER_PASSWORD}",
"https": true,
"aaf": false
},
"policyApiParameters": {
"host": "policy-api",
"port": 6969,
- "userName": "healthcheck",
- "password": "zb!XztG34",
+ "userName": "${API_USER}",
+ "password": "${API_PASSWORD}",
"https": true,
"aaf": false
},
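Review bot: The four `${...}` placeholders sit inside JSON string literals, and the init container added in deployment.yaml fills them with plain `envsubst`, which does no JSON escaping. A login or password containing `"` or `\` would therefore yield an invalid or differently parsed config.json, and the failure would surface only when the PDP reads the file. Either document that these credentials must not contain JSON-special characters, or render the file with a JSON-aware step rather than text substitution. The enclosing JSON document starts and ends outside the hunk.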
diff --git a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml
index 5b02c177b5..9ac5d68a89 100644
--- a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml
+++ b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml
@@ -31,6 +31,28 @@ spec:
image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-readiness
+ - command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: RESTSERVER_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }}
+ - name: RESTSERVER_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }}
+ - name: API_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "login") | indent 10 }}
+ - name: API_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "password") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: pdpxconfig
+ - mountPath: /config
+ name: pdpxconfig-processed
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
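Review bot: The `envsubst` call in the new `update-config` init container has no variable list, so every `$NAME` or `${NAME}` reference in every file under /config-input is rewritten, and references to unset variables become empty strings. If any file in the ConfigMap uses that syntax for its own purposes it will be altered silently; passing the list explicitly, `envsubst '${RESTSERVER_USER} ${RESTSERVER_PASSWORD} ${API_USER} ${API_PASSWORD}'`, limits substitution to the four credentials. The loop also continues after a failed file and word-splits the `ls` output, so `set -e` with `for PFILE in *` and quoted expansions would make the init container fail instead of handing the main container a partial /config. The init container list starts outside the hunk.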
@@ -63,7 +85,9 @@ spec:
name: localtime
readOnly: true
- mountPath: /opt/app/policy/pdpx/etc/mounted
- name: pdpxconfig
+ name: pdpxconfig-processed
+ emptyDir:
+ medium: Memory
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
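Review bot: The added `emptyDir:` and `medium: Memory` lines appear to sit under the container's `volumeMounts` entry for /opt/app/policy/pdpx/etc/mounted (the next line is the container-level `resources:`), and a volume mount has no `emptyDir` field. Indentation is lost in this view, so this should be confirmed against the file. If it holds, the two lines are either rejected by schema validation or ignored, and they are redundant because the memory-backed volume is declared under `volumes:` in the following hunk. Keeping only `name: pdpxconfig-processed` here would be enough; the container spec starts outside the hunk.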
@@ -82,5 +106,8 @@ spec:
configMap:
name: {{ include "common.fullname" . }}-configmap
defaultMode: 0755
+ - name: pdpxconfig-processed
+ emptyDir:
+ medium: Memory
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/policy/charts/policy-xacml-pdp/values.yaml b/kubernetes/policy/charts/policy-xacml-pdp/values.yaml
index a2c0aa0e63..63f50fd7fa 100644
--- a/kubernetes/policy/charts/policy-xacml-pdp/values.yaml
+++ b/kubernetes/policy/charts/policy-xacml-pdp/values.yaml
@@ -21,6 +21,7 @@
#################################################################
global:
persistence: {}
+ envsubstImage: dibi/envsubst
#################################################################
# Secrets metaconfig
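Review bot: `envsubstImage: dibi/envsubst` has no tag or digest and no registry prefix, so the init container that receives all four credentials as environment variables runs whatever the default tag resolves to at pull time. The other images in this deployment are built from a repository value (`.Values.global.readinessRepository`, `common.repository`), which lets operators mirror and vet them; this one bypasses that. Pin it, for example `envsubstImage: dibi/envsubst@sha256:<digest-placeholder>`, and consider routing it through the same repository setting.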
@@ -32,6 +33,18 @@ secrets:
login: '{{ .Values.db.user }}'
password: '{{ .Values.db.password }}'
passwordPolicy: required
+ - uid: restserver-creds
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}'
+ login: '{{ .Values.restServer.user }}'
+ password: '{{ .Values.restServer.password }}'
+ passwordPolicy: required
+ - uid: api-creds
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.apiServer.credsExternalSecret) . }}'
+ login: '{{ .Values.apiServer.user }}'
+ password: '{{ .Values.apiServer.password }}'
+ passwordPolicy: required
#################################################################
# Application configuration defaults.
@@ -49,6 +62,12 @@ debugEnabled: false
db:
user: policy_user
password: policy_user
+restServer:
+ user: healthcheck
+ password: zb!XztG34
+apiServer:
+ user: healthcheck
+ password: zb!XztG34
# default number of instances
replicaCount: 1
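Review bot: The new `restServer.password` and `apiServer.password` defaults carry over the literal that this commit removes from config.json, so an installation that does not override them still runs with the same publicly known credential. The secrets added in the previous hunk declare `passwordPolicy: required`; if that policy rejects an empty value (the template is not visible here), leaving these defaults unset would force operators to supply a password or a `credsExternalSecret`. If the defaults must stay for compatibility with other policy components, a comment such as `# lab default only; override or set credsExternalSecret` above each block would make the risk visible.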