Use common secret template in mariadb-galera

Instead of defining the secret in some custom way let's use the common template (common.secret). To avoid some issues in ONAP components that depend on this chart let's do not remove for now the default username and password. We will do this when all services properly utylize secrets to store mariadb credentials. Issue-ID: OOM-2053 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: I78e224299cccd9632192ee03a45cd077e6f0906f
author: Krzysztof Opasiak <k.opasiak@samsung.com> 2019-12-16 17:42:38 +0100
committer: Krzysztof Opasiak <k.opasiak@samsung.com> 2019-12-21 02:23:37 +0100
commit: 01c975b4582a2eeb3ad3d72bb4ae61bc18daaae6 (patch)
tree: 4473aaeafd7f8f82f733f17850db2d94abcdc77b
parent: ba73e834856db7875a44a6a301ed1224769e78ff (diff)
7 files changed, 31 insertions, 38 deletions
diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl
index cd7142fd73..15fb5a4225 100644
--- a/kubernetes/common/common/templates/_mariadb.tpl
+++ b/kubernetes/common/common/templates/_mariadb.tpl
@@ -41,7 +41,7 @@
 */}}
 {{- define "common.mariadbSecret" -}}
   {{- if .Values.global.mariadbGalera.localCluster -}}
-    {{ printf "%s-%s" (include "common.fullname" .) (index .Values "mariadb-galera" "nameOverride") -}}
+    {{ printf "%s-%s-db-user-credentials" (include "common.fullname" .) (index .Values "mariadb-galera" "nameOverride") -}}
   {{- else -}}
     {{ printf "%s-%s" (.Release.Name) (index .Values "mariadb-init" "nameOverride") -}}
   {{- end -}}
@@ -52,7 +52,7 @@
 */}}
 {{- define "common.mariadbSecretParam" -}}
   {{- if .Values.global.mariadbGalera.localCluster -}}
-    {{ printf "user-password" -}}
+    {{ printf "password" -}}
   {{- else -}}
     {{ printf "db-user-password" -}}
   {{- end -}}
diff --git a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml
index a5f1578159..408bd1814c 100644
--- a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml
+++ b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml
@@ -1,5 +1,5 @@
 {{/*
-# Copyright © 2019 Amdocs, Bell Canada
+# Copyright © 2019 Amdocs, Bell Canada, Samsung Electronics
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -86,10 +86,7 @@ spec:
               echo "Backup Successful!!!"
             env:
             - name: DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "common.fullname" . }}
-                  key: db-root-password
+              {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | indent 14}}
             volumeMounts:
             - name: backup-dir
               mountPath: /backup
@@ -99,10 +96,7 @@ spec:
             imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
             env:
             - name: MYSQL_ROOT_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "common.fullname" . }}
-                  key: db-root-password
+              {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | indent 14}}
             command:
             - /bin/bash
             - -c
diff --git a/kubernetes/common/mariadb-galera/templates/secrets.yaml b/kubernetes/common/mariadb-galera/templates/secrets.yaml
index 233158f791..3f8eb0b6de 100644
--- a/kubernetes/common/mariadb-galera/templates/secrets.yaml
+++ b/kubernetes/common/mariadb-galera/templates/secrets.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2018 Amdocs, Bell Canada
+# Copyright © 2019 Samsung Electronics
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -11,18 +12,4 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "common.fullname" . }}
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-type: Opaque
-data:
-  db-root-password: {{ .Values.config.mariadbRootPassword | b64enc | quote }}
-  user-password: {{ default "" .Values.config.userPassword | b64enc | quote }}
-\ No newline at end of file
+{{ include "common.secret" . }}
diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
index c3cb4aaaf4..a9f1fb37b7 100644
--- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml
+++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
@@ -1,4 +1,4 @@
-# Copyright © 2019 Amdocs, Bell Canada, Orange
+# Copyright © 2019 Amdocs, Bell Canada, Orange, Samsung Electronics
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -61,19 +61,13 @@ spec:
                   apiVersion: v1
                   fieldPath: metadata.namespace
             - name: MYSQL_USER
-              value: {{ default "" .Values.config.userName | quote }}
+              {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-credentials" "key" "login") | indent 14}}
             - name: MYSQL_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "common.fullname" . }}
-                  key: user-password
+              {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-credentials" "key" "password") | indent 14}}
             - name: MYSQL_DATABASE
               value: {{ default "" .Values.config.mysqlDatabase | quote }}
             - name: MYSQL_ROOT_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "common.fullname" . }}
-                  key: db-root-password
+              {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | indent 14}}
           ports:
           - containerPort: {{ .Values.service.internalPort }}
             name: {{ .Values.service.portName }}
diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml
index 14215e46de..a6dd1ca359 100644
--- a/kubernetes/common/mariadb-galera/values.yaml
+++ b/kubernetes/common/mariadb-galera/values.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2018 Amdocs, Bell Canada
+# Copyright © 2019 Samsung Electronics
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,6 +14,21 @@
 # limitations under the License.
 
 #################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+  - uid: "db-root-password"
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.config.mariadbRootPasswordExternalSecret) . }}'
+    password: '{{ .Values.config.mariadbRootPassword }}'
+  - uid: "db-user-credentials"
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.config.userCredentialsExternalSecret) . }}'
+    login: '{{ .Values.config.userName }}'
+    password: '{{ .Values.config.userPassword }}'
+
+
+#################################################################
 # Global configuration defaults.
 #################################################################
 global:
@@ -41,7 +57,9 @@ pullPolicy: IfNotPresent
 
 # application configuration
 config:
+  # .mariadbRootPasswordExternalSecret: 'some-external-secret'
   mariadbRootPassword: secretpassword
+  # .userCredentialsExternalSecret: 'some-external-secret'
   userName: my-user
   userPassword: my-password
   mysqlDatabase: my-database
diff --git a/kubernetes/common/mariadb-init/templates/_mariadb.tpl b/kubernetes/common/mariadb-init/templates/_mariadb.tpl
index 4f111a5f40..fb3f7974b9 100644
--- a/kubernetes/common/mariadb-init/templates/_mariadb.tpl
+++ b/kubernetes/common/mariadb-init/templates/_mariadb.tpl
@@ -19,7 +19,7 @@
 */}}
 {{- define "mariadbInit.mariadbClusterSecret" -}}
   {{- if (eq "default" .Values.global.mariadbGalera.userRootSecret) -}}
-    {{- printf "%s-mariadb-galera-%s" (include "common.release" .) .Values.global.mariadbGalera.nameOverride -}}
+    {{- printf "%s-mariadb-galera-%s-db-root-password" (include "common.release" .) .Values.global.mariadbGalera.nameOverride -}}
   {{- else -}}
     {{- .Values.global.mariadbGalera.userRootSecret -}}
   {{- end -}}
diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml
index 095ff62ddf..d148ba6888 100644
--- a/kubernetes/common/mariadb-init/values.yaml
+++ b/kubernetes/common/mariadb-init/values.yaml
@@ -24,7 +24,7 @@ global:
     servicePort: 3306
     # set these two values if you want to access an 'out of ONAP' mariadb
     userRootSecret: default
-    userRootSecretKey: db-root-password
+    userRootSecretKey: password
 
 #################################################################
 # Application configuration defaults.
author	Krzysztof Opasiak <k.opasiak@samsung.com>	2019-12-16 17:42:38 +0100
committer	Krzysztof Opasiak <k.opasiak@samsung.com>	2019-12-21 02:23:37 +0100
commit	01c975b4582a2eeb3ad3d72bb4ae61bc18daaae6 (patch)
tree	4473aaeafd7f8f82f733f17850db2d94abcdc77b
parent	ba73e834856db7875a44a6a301ed1224769e78ff (diff)