aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-04-01 22:33:58 +0200
committerjhh <jorge.hernandez-herrero@att.com>2020-04-10 15:43:22 -0500
commit98a79cc52d63ae1218aff2b0043fedf9536f235a (patch)
tree949e0bd81fc7e7f58812c7d2ebc518086e1864d1
parent9f66ecee20e4fde39ced729b856e68af1ab31bb6 (diff)
[POLICY] Use common secret template in whole policy module
All subcharts are ready so now we can remove hardcoded mariadb credentials in policy module and depend on common secret chart to generate them for us at the deployment time. Issue-ID: OOM-2342 Change-Id: I84bfc30511312be0b2e614ddff4676f36d85619b Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: jhh <jorge.hernandez-herrero@att.com>
-rw-r--r--kubernetes/policy/charts/brmsgw/templates/deployment.yaml23
-rw-r--r--kubernetes/policy/charts/brmsgw/values.yaml1
-rw-r--r--kubernetes/policy/charts/pdp/templates/statefulset.yaml23
-rw-r--r--kubernetes/policy/charts/policy-common/resources/config/pe/base.conf5
-rw-r--r--kubernetes/policy/templates/deployment.yaml23
-rw-r--r--kubernetes/policy/templates/job.yaml7
-rw-r--r--kubernetes/policy/templates/secrets.yaml15
-rw-r--r--kubernetes/policy/values.yaml42
8 files changed, 110 insertions, 29 deletions
diff --git a/kubernetes/policy/charts/brmsgw/templates/deployment.yaml b/kubernetes/policy/charts/brmsgw/templates/deployment.yaml
index 6ff76ddfd1..5bbffb5836 100644
--- a/kubernetes/policy/charts/brmsgw/templates/deployment.yaml
+++ b/kubernetes/policy/charts/brmsgw/templates/deployment.yaml
@@ -33,6 +33,24 @@ spec:
spec:
initContainers:
- command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `ls -1 *.conf`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: JDBC_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
+ - name: JDBC_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: pe
+ - mountPath: /config
+ name: pe-processed
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ - command:
- /root/ready.py
args:
- --container-name
@@ -84,7 +102,7 @@ spec:
name: pe-brmsgw
subPath: brmsgw.conf
- mountPath: /tmp/policy-install/config/base.conf
- name: pe
+ name: pe-processed
subPath: base.conf
- mountPath: /tmp/policy-install/do-start.sh
name: pe-scripts
@@ -115,5 +133,8 @@ spec:
configMap:
name: {{ include "common.fullname" . }}-pe-configmap
defaultMode: 0755
+ - name: pe-processed
+ emptyDir:
+ medium: Memory
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/policy/charts/brmsgw/values.yaml b/kubernetes/policy/charts/brmsgw/values.yaml
index 08afdeeac0..f578f09617 100644
--- a/kubernetes/policy/charts/brmsgw/values.yaml
+++ b/kubernetes/policy/charts/brmsgw/values.yaml
@@ -20,6 +20,7 @@ global:
nodePortPrefix: 302
readinessRepository: oomk8s
readinessImage: readiness-check:2.0.2
+ envsubstImage: dibi/envsubst
#################################################################
# Secrets metaconfig
diff --git a/kubernetes/policy/charts/pdp/templates/statefulset.yaml b/kubernetes/policy/charts/pdp/templates/statefulset.yaml
index 16d5fb5cec..e55f9d0987 100644
--- a/kubernetes/policy/charts/pdp/templates/statefulset.yaml
+++ b/kubernetes/policy/charts/pdp/templates/statefulset.yaml
@@ -37,6 +37,24 @@ spec:
spec:
initContainers:
- command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `ls -1 *.conf`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: JDBC_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
+ - name: JDBC_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: pe
+ - mountPath: /config
+ name: pe-processed
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ - command:
- /root/ready.py
args:
- --container-name
@@ -84,7 +102,7 @@ spec:
name: localtime
readOnly: true
- mountPath: /tmp/policy-install/config/base.conf
- name: pe
+ name: pe-processed
subPath: base.conf
- mountPath: /tmp/policy-install/config/pdp-tweaks.sh
name: pe-pdp
@@ -144,5 +162,8 @@ spec:
configMap:
name: {{ include "common.fullname" . }}-pe-configmap
defaultMode: 0755
+ - name: pe-processed
+ emptyDir:
+ medium: Memory
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/policy/charts/policy-common/resources/config/pe/base.conf b/kubernetes/policy/charts/policy-common/resources/config/pe/base.conf
index 93b02e76bc..810b090069 100644
--- a/kubernetes/policy/charts/policy-common/resources/config/pe/base.conf
+++ b/kubernetes/policy/charts/policy-common/resources/config/pe/base.conf
@@ -21,8 +21,9 @@ TRUSTSTORE_PASSWD=Pol1cy_0nap
JDBC_DRIVER=org.mariadb.jdbc.Driver
JDBC_URL=jdbc:mariadb://{{ .Values.global.mariadb.service.name }}:{{ .Values.global.mariadb.service.internalPort }}/onap_sdk?connectTimeout=30000&socketTimeout=60000&log=true&sessionVariables=max_statement_time=30
JDBC_LOG_URL=jdbc:mariadb://{{ .Values.global.mariadb.service.name }}:{{ .Values.global.mariadb.service.internalPort }}/log?connectTimeout=30000&socketTimeout=60000&log=true&sessionVariables=max_statement_time=30
-JDBC_USER={{ .Values.global.mariadb.config.userName }}
-JDBC_PASSWORD={{ .Values.global.mariadb.config.userPassword }}
+
+JDBC_USER=${JDBC_USER}
+JDBC_PASSWORD=${JDBC_PASSWORD}
site_name=site_1
fp_monitor_interval=30
diff --git a/kubernetes/policy/templates/deployment.yaml b/kubernetes/policy/templates/deployment.yaml
index 8a0db8a699..7f96888ec8 100644
--- a/kubernetes/policy/templates/deployment.yaml
+++ b/kubernetes/policy/templates/deployment.yaml
@@ -33,6 +33,24 @@ spec:
spec:
initContainers:
- command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `ls -1 *.conf`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: JDBC_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
+ - name: JDBC_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: pe
+ - mountPath: /config
+ name: pe-processed
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ - command:
- /root/ready.py
args:
- --container-name
@@ -100,7 +118,7 @@ spec:
name: pe-pap
subPath: console.conf
- mountPath: /tmp/policy-install/config/base.conf
- name: pe
+ name: pe-processed
subPath: base.conf
- mountPath: /tmp/policy-install/do-start.sh
name: pe-scripts
@@ -157,5 +175,8 @@ spec:
configMap:
name: {{ include "common.fullname" . }}-pe-configmap
defaultMode: 0755
+ - name: pe-processed
+ emptyDir:
+ medium: Memory
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml
index 81904143fa..f6a1ace3dc 100644
--- a/kubernetes/policy/templates/job.yaml
+++ b/kubernetes/policy/templates/job.yaml
@@ -57,14 +57,11 @@ spec:
- /dbcmd-config/db.sh
env:
- name: MYSQL_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}-secret
- key: db-root-password
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 10 }}
- name: MYSQL_HOST
value: "{{ index .Values "mariadb-galera" "service" "name" }}"
- name: MYSQL_USER
- value: "{{ index .Values "mariadb-galera" "config" "userName" }}"
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
- name: MYSQL_PORT
value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}"
restartPolicy: Never
diff --git a/kubernetes/policy/templates/secrets.yaml b/kubernetes/policy/templates/secrets.yaml
index 6b8bc41033..c1f98ba3cc 100644
--- a/kubernetes/policy/templates/secrets.yaml
+++ b/kubernetes/policy/templates/secrets.yaml
@@ -13,17 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-secret
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
- db-user-password: {{ index .Values "mariadb-galera" "config" "userPassword" | b64enc | quote }}
- db-root-password: {{ index .Values "mariadb-galera" "config" "mariadbRootPassword" | b64enc | quote }}
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml
index 1ac00c760a..524fe9953d 100644
--- a/kubernetes/policy/values.yaml
+++ b/kubernetes/policy/values.yaml
@@ -22,6 +22,7 @@ global:
readinessImage: readiness-check:2.0.2
loggingRepository: docker.elastic.co
loggingImage: beats/filebeat:5.5.0
+ envsubstImage: dibi/envsubst
ubuntuImage: ubuntu:16.04
pdp:
nameOverride: pdp
@@ -37,9 +38,6 @@ global:
# '&mariadbConfig' means we "store" the values for later use in the file
# with '*mariadbConfig' pointer.
config: &mariadbConfig
- userName: policy_user
- userPassword: policy_user
- mariadbRootPassword: secret
mysqlDatabase: policyadmin
service: &mariadbService
name: policy-mariadb
@@ -47,6 +45,24 @@ global:
internalPort: 3306
#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: db-root-password
+ name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password'
+ type: password
+ externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "mariadbRootPasswordExternalSecret")) .) (hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "config" "mariadbRootPasswordExternalSecret"))}}'
+ password: '{{ (index .Values "mariadb-galera" "config" "mariadbRootPassword") }}'
+ policy: generate
+ - uid: db-secret
+ name: &dbSecretName '{{ include "common.release" . }}-policy-db-secret'
+ type: basicAuth
+ externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) (hasSuffix "policy-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}'
+ login: '{{ index .Values "mariadb-galera" "config" "userName" }}'
+ password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}'
+ passwordPolicy: generate
+
+#################################################################
# Application configuration defaults.
#################################################################
# application image
@@ -58,14 +74,26 @@ pullPolicy: Always
subChartsOnly:
enabled: true
+db: &dbSecretsHook
+ credsExternalSecret: *dbSecretName
+
pap:
nameOverride: pap
+ db: *dbSecretsHook
pdp:
nameOverride: pdp
+ db: *dbSecretsHook
drools:
nameOverride: drools
-brmwgw:
+ db: *dbSecretsHook
+brmsgw:
nameOverride: brmsgw
+ db: *dbSecretsHook
+policy-api:
+ db: *dbSecretsHook
+policy-xacml-pdp:
+ db: *dbSecretsHook
+
nexus:
nameOverride: nexus
@@ -112,7 +140,11 @@ ingress:
mariadb-galera:
# mariadb-galera.config and global.mariadb.config must be equals
- config: *mariadbConfig
+ config:
+ <<: *mariadbConfig
+ userName: policy_user
+ mariadbRootPasswordExternalSecret: *dbRootPassSecretName
+ userCredentialsExternalSecret: *dbSecretName
nameOverride: policy-mariadb
# mariadb-galera.service and global.mariadb.service must be equals
service: *mariadbService