diff options
author | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-02-21 00:38:56 +0100 |
---|---|---|
committer | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-02-21 00:43:14 +0100 |
commit | d67492e508c00597f3d22e4fa5422d365fee7c0d (patch) | |
tree | ef543edee5e0e408a39ed8092a51d5096125400a | |
parent | 62cb98b8def94cd365d2f19b5daac596e546f5bb (diff) |
[SDNC] Use common secret template in dmaap-listener
Whole SDNC strongly depends on the assumption that it is using a
common mariadb-galera instance and that root password is secret
password. Also user and password to sdnc DB is hardcoded.
Let's start working on removing this assumption and component by
component add support for local and shared mariadb instance without
hardcoding any passwords to the database.
In this patch all passwords are still hardcoded in the helm chart to
not break other parts of SDNC. Those values will be removed in a final patch.
Issue-ID: OOM-2309
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I3280f9d7ff4933d4e50b94ca248676ed9aa6688d
6 files changed, 85 insertions, 17 deletions
diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/aai.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/aai.properties index 66e62672b2..f9640a95db 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/aai.properties +++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/aai.properties @@ -30,6 +30,6 @@ AFT_DME2_ROUNDTRIP_TIMEOUT_MS=240000 AFT_DME2_EP_READ_TIMEOUT_MS=50000 sessionstickinessrequired=NO DME2preferredRouterFilePath=/opt/onap/sdnc/data/properties/dmaap-listener.preferredRoute.txt -sdnc.odl.user=admin -sdnc.odl.password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U +sdnc.odl.user=${ODL_USER} +sdnc.odl.password=${ODL_PASSWORD} sdnc.odl.url-base=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations
\ No newline at end of file diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dblib.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dblib.properties index 8a0a102396..beb514e583 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dblib.properties +++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dblib.properties @@ -1,7 +1,6 @@ ### # ============LICENSE_START======================================================= -# Copyright (C) 2018 ONAP Intellectual Property. All rights -# reserved. +# Copyright (C) 2018 ONAP Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,11 +17,11 @@ ### org.onap.ccsdk.sli.dbtype=jdbc org.onap.ccsdk.sli.jdbc.hosts=sdnctldb01 -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGalera.serviceName}}.{{.Release.Namespace}}:{{.Values.config.mariadbGalera.internalPort}}/sdnctl +org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{include "common.mariadbService" $}}:{{include "common.mariadbPort" $}}/{{index $.Values "mariadb-galera" "config" "mysqlDatabase"}} org.onap.ccsdk.sli.jdbc.driver=org.mariadb.jdbc.Driver -org.onap.ccsdk.sli.jdbc.database=sdnctl -org.onap.ccsdk.sli.jdbc.user=sdnctl -org.onap.ccsdk.sli.jdbc.password=gamma +org.onap.ccsdk.sli.jdbc.database={{index $.Values "mariadb-galera" "config" "mysqlDatabase"}} +org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER} +org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWORD} org.onap.ccsdk.sli.jdbc.connection.name=sdnctldb01 org.onap.ccsdk.sli.jdbc.connection.timeout=50 org.onap.ccsdk.sli.jdbc.request.timeout=100 diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dhcpalert.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dhcpalert.properties index 422696afbd..96f40790c6 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dhcpalert.properties +++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dhcpalert.properties @@ -30,6 +30,6 @@ AFT_DME2_ROUNDTRIP_TIMEOUT_MS=240000 AFT_DME2_EP_READ_TIMEOUT_MS=50000 sessionstickinessrequired=NO DME2preferredRouterFilePath=/opt/onap/sdnc/data/properties/dmaap-listener.preferredRoute.txt -sdnc.odl.user=admin -sdnc.odl.password={{.Values.config.odlPassword}} +sdnc.odl.user=${ODL_USER} +sdnc.odl.password=${ODL_PASSWORD} sdnc.odl.url-base=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/lcm.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/lcm.properties index f38f701064..0b52b3febb 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/lcm.properties +++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/lcm.properties @@ -30,6 +30,6 @@ AFT_DME2_ROUNDTRIP_TIMEOUT_MS=240000 AFT_DME2_EP_READ_TIMEOUT_MS=50000 sessionstickinessrequired=NO DME2preferredRouterFilePath=/opt/onap/sdnc/data/properties/dmaap-listener.preferredRoute.txt -sdnc.odl.user=admin -sdnc.odl.password={{.Values.config.odlPassword}} +sdnc.odl.user=${ODL_USER} +sdnc.odl.password=${ODL_PASSWORD} sdnc.odl.url-base=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations
\ No newline at end of file diff --git a/kubernetes/sdnc/charts/dmaap-listener/templates/deployment.yaml b/kubernetes/sdnc/charts/dmaap-listener/templates/deployment.yaml index 7d8178b7b5..7ef5ca4998 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/templates/deployment.yaml +++ b/kubernetes/sdnc/charts/dmaap-listener/templates/deployment.yaml @@ -32,10 +32,33 @@ spec: spec: initContainers: - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: SDNC_DB_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} + - name: SDNC_DB_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + - name: ODL_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "login") | indent 10 }} + - name: ODL_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: config-input + - mountPath: /config + name: properties + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + + - command: - /root/ready.py args: - --container-name - - {{ .Values.config.mariadbGalera.chartName }} + - {{ include "common.mariadbService" . }} - --container-name - {{ .Values.config.sdncChartName }} - --container-name @@ -91,9 +114,12 @@ spec: - name: localtime hostPath: path: /etc/localtime - - name: properties + - name: config-input configMap: name: {{ include "common.fullname" . }} defaultMode: 0644 + - name: properties + emptyDir: + medium: Memory imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/sdnc/charts/dmaap-listener/values.yaml b/kubernetes/sdnc/charts/dmaap-listener/values.yaml index 4965d96908..d90da63e6d 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/values.yaml +++ b/kubernetes/sdnc/charts/dmaap-listener/values.yaml @@ -21,6 +21,35 @@ global: readinessImage: readiness-check:2.0.2 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + # envsusbt + envsubstImage: dibi/envsubst + mariadbGalera: + #This flag allows SO to instantiate its own mariadb-galera cluster + #If shared instance is used, this chart assumes that DB already exists + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-secret + name: &dbSecretName '{{ include "common.release" . }}-sdnc-dmaap-listener-db-secret' + type: basicAuth + # This is a nasty trick that allows you override this secret using external one + # with the same field that is used to pass this to subchart + externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) (hasSuffix "sdnc-dmaap-listener-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}' + login: '{{ index .Values "mariadb-galera" "config" "userName" }}' + password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}' + passwordPolicy: required + - uid: odl-creds + type: basicAuth + externalSecret: '{{ .Values.config.odlCredsExternalSecret }}' + login: '{{ .Values.config.odlUser }}' + password: '{{ .Values.config.odlPassword }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -40,11 +69,25 @@ config: sdncPort: 8282 msgRouterContainerName: message-router configDir: /opt/onap/sdnc/data/properties + odlUser: admin odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - mariadbGalera: - chartName: mariadb-galera - serviceName: mariadb-galera + # odlCredsExternalSecret: some secret + +mariadb-galera: + config: + userCredentialsExternalSecret: *dbSecretName + userName: sdnctl + userPassword: gamma + mysqlDatabase: sdnctl + nameOverride: dmaap-listener-galera + service: + name: dmaap-listener-galera + portName: dmaap-listener-galera internalPort: 3306 + replicaCount: 1 + persistence: + enabled: true + mountSubPath: dmaap-listener/maria/data # default number of instances replicaCount: 1 |