authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-01-30 12:10:40 +0100
committerKrzysztof Opasiak <k.opasiak@samsung.com>2020-02-01 00:10:01 +0100
commitd73224418141fb7a2bae8d083de8f6e88e493c3d (patch)
tree34222cfe247b1cdff71ffeac5f5c0e6375a7f517
parent137d7ccd2597a6492e926818eebab2f6067fb382 (diff)
[COMMON] Use common secret template in mariadb-init
Use common secret template for all passwords that are used inside this chart. Issue-ID: OOM-2248 Change-Id: Ia94b87a4d0316a3d334fd492521be5a255c14b4e Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
-rw-r--r--kubernetes/common/common/templates/_mariadb.tpl8
-rw-r--r--kubernetes/common/mariadb-init/templates/_mariadb.tpl6
-rw-r--r--kubernetes/common/mariadb-init/templates/job.yaml21
-rw-r--r--kubernetes/common/mariadb-init/templates/secret.yaml39
-rw-r--r--kubernetes/common/mariadb-init/values.yaml24
5 files changed, 54 insertions, 44 deletions
diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl
index de8dfe83ca..d4af1807fa 100644
--- a/kubernetes/common/common/templates/_mariadb.tpl
+++ b/kubernetes/common/common/templates/_mariadb.tpl
@@ -43,7 +43,7 @@
{{- if .Values.global.mariadbGalera.localCluster -}}
{{ printf "%s-%s-db-user-credentials" (include "common.fullname" .) (index .Values "mariadb-galera" "nameOverride") -}}
{{- else -}}
- {{ printf "%s-%s" (include "common.release" .) (index .Values "mariadb-init" "nameOverride") -}}
+ {{ printf "%s-%s-%s" ( include "common.release" .) (index .Values "mariadb-init" "nameOverride") (index .Values "mariadb-init" "config" "mysqlDatabase" ) -}}
{{- end -}}
{{- end -}}
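Review bot: The non-local branch now rebuilds the secret name by hand from `common.release`, the `mariadb-init` name override and `mysqlDatabase`, so it has to stay identical to the name the common secret template derives for that uid inside the mariadb-init chart. That template is not visible here; if it normalises the uid or builds the prefix from `common.fullname` rather than the release name, consumers of this helper will point at a secret that does not exist. The default `mysqlDatabase` in values.yaml contains upper-case characters, which Kubernetes object names do not allow, so the normalisation question is not hypothetical. I would add a comment such as `{{/* must match the name common.secret generates for uid = mysqlDatabase in mariadb-init */}}` or, if the common chart exposes a naming helper, call it instead of repeating the `printf`.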
@@ -51,9 +51,5 @@
Choose the value of secret param to retrieve user value.
*/}}
{{- define "common.mariadbSecretParam" -}}
- {{- if .Values.global.mariadbGalera.localCluster -}}
- {{ printf "password" -}}
- {{- else -}}
- {{ printf "db-user-password" -}}
- {{- end -}}
+ {{ printf "password" -}}
{{- end -}}
diff --git a/kubernetes/common/mariadb-init/templates/_mariadb.tpl b/kubernetes/common/mariadb-init/templates/_mariadb.tpl
index 231fd875e2..64c15ed862 100644
--- a/kubernetes/common/mariadb-init/templates/_mariadb.tpl
+++ b/kubernetes/common/mariadb-init/templates/_mariadb.tpl
@@ -18,9 +18,5 @@
Choose the name of the mariadb secret to use.
*/}}
{{- define "mariadbInit.mariadbClusterSecret" -}}
- {{- if (eq "default" .Values.global.mariadbGalera.userRootSecret) -}}
- {{- printf "%s-%s-db-root-password" (include "common.release" .) .Values.global.mariadbGalera.nameOverride -}}
- {{- else -}}
- {{- .Values.global.mariadbGalera.userRootSecret -}}
- {{- end -}}
+ {{- printf "%s-%s-db-root-password" (include "common.release" .) (default "mariadb-galera" .Values.global.mariadbGalera.nameOverride) -}}
{{- end -}}
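Review bot: The doc comment above `mariadbInit.mariadbClusterSecret` still says "Choose the name of the mariadb secret to use", but the helper no longer chooses anything: the `userRootSecret` override has moved to the `secrets` block in values.yaml and this template only computes the default name. Reword it to something like `Default name of the mariadb-galera root password secret; overridden via global.mariadbGalera.userRootSecret in values.yaml`. The `default "mariadb-galera"` fallback also repeats the `nameOverride` default already set in values.yaml, so a short note on why both exist would save the next reader a search.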
diff --git a/kubernetes/common/mariadb-init/templates/job.yaml b/kubernetes/common/mariadb-init/templates/job.yaml
index 1cdd5024ff..5202d572a2 100644
--- a/kubernetes/common/mariadb-init/templates/job.yaml
+++ b/kubernetes/common/mariadb-init/templates/job.yaml
@@ -60,26 +60,17 @@ spec:
- name: DB_PORT
value: "{{ .Values.global.mariadbGalera.servicePort }}"
- name: MYSQL_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ include "mariadbInit.mariadbClusterSecret" . }}
- key: {{ .Values.global.mariadbGalera.userRootSecretKey }}
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "root-password" "key" (default "password" .Values.global.mariadbGalera.userRootSecretKey)) | indent 10 }}
- name: {{ printf "MYSQL_USER_%s" .Values.config.mysqlDatabase | upper }}
- value: "{{ .Values.config.userName }}"
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" .Values.config.mysqlDatabase "key" "login") | indent 10 }}
- name: {{ printf "MYSQL_PASSWORD_%s" .Values.config.mysqlDatabase | upper }}
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}
- key: db-user-password
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" .Values.config.mysqlDatabase "key" "password") | indent 10 }}
{{- $root := . }}
-{{ range $db, $dbInfos := .Values.config.mysqlAdditionalDatabases }}
+{{ range $db, $_values := .Values.config.mysqlAdditionalDatabases }}
- name: {{ printf "MYSQL_USER_%s" $db | upper }}
- value: {{ $dbInfos.user }}
+ {{- include "common.secret.envFromSecret" (dict "global" $root "uid" $db "key" "login") | indent 10 }}
- name: {{ printf "MYSQL_PASSWORD_%s" $db | upper }}
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" $root }}-secret
- key: {{ printf "db-%s-user-password" $db }}
+ {{- include "common.secret.envFromSecret" (dict "global" $root "uid" $db "key" "password") | indent 10 }}
{{ end }}
volumeMounts:
- mountPath: /etc/localtime
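Review bot: The per-database variables are now read with the fixed keys `login` and `password`, for both `.Values.config.mysqlDatabase` and every entry of `mysqlAdditionalDatabases`, while only the root secret keeps a configurable key through `userRootSecretKey`. An operator who supplies an `externalSecret` therefore has to provide a secret carrying exactly those two keys; a missing key is only reported when the pod is created, not at `helm install` time. Nothing in the chart states this, so I would document the required keys next to the `externalSecret` examples in values.yaml, for example `# the external secret must contain the keys 'login' and 'password'`. Minor style point: `$_values` is never used in the loop body, so `range $db, $_ := ...` would make that explicit.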
diff --git a/kubernetes/common/mariadb-init/templates/secret.yaml b/kubernetes/common/mariadb-init/templates/secret.yaml
index f30d582110..71a89d019b 100644
--- a/kubernetes/common/mariadb-init/templates/secret.yaml
+++ b/kubernetes/common/mariadb-init/templates/secret.yaml
@@ -12,19 +12,26 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
- db-user-password: {{ index .Values.config.userPassword | b64enc | quote }}
-{{ range $db, $dbInfos := .Values.config.mysqlAdditionalDatabases }}
- {{ printf "db-%s-user-password" $db}}: {{ $dbInfos.password | b64enc | quote }}
-{{ end }}
+{{- define "mariadb-init._update-secrets" -}}
+ {{ range $db, $dbInfos := .Values.config.mysqlAdditionalDatabases }}
+{{ printf "- uid: %s" $db }}
+{{ printf " type: basicAuth" }}
+ {{- if $dbInfos.externalSecret }}
+{{ printf " externalSecret: %s" $dbInfos.externalSecret }}
+ {{- end }}
+{{ printf " login: %s" $dbInfos.user }}
+{{ printf " password: %s" $dbInfos.password }}
+{{ printf " passwordPolicy: required" }}
+ {{- end -}}
+{{- end -}}
+
+{{ $global := . }}
+{{ $secretsString := .Values.secrets | toYaml | indent 2 }}
+{{ $additionalSecretsString := (include "mariadb-init._update-secrets" .) | indent 2 }}
+{{ $finalSecretsString := (cat "\nsecrets:\n" $secretsString $additionalSecretsString) | replace " -" " -" }}
+{{ $finalSecrets := ($finalSecretsString | fromYaml).secrets }}
+
+{{ $newValues := set $global.Values "secrets" $finalSecrets }}
+{{ $tmpGlobal := set $global "Values" $newValues }}
+
+{{ include "common.secret" $tmpGlobal }}
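Review bot: The `printf` lines in `mariadb-init._update-secrets` write `$db`, `$dbInfos.user`, `$dbInfos.password` and `$dbInfos.externalSecret` into YAML text unquoted, and that text is parsed again with `fromYaml`. A password that contains `: ` or ` #`, starts with a YAML indicator such as `@`, `*` or `{`, or reads as a number or boolean comes back as a different value or fails to parse, and a value containing a line break can add keys to the generated entry. On a parse failure `fromYaml` returns a map holding only an error entry, so `.secrets` would presumably be empty and the job would reference secrets that were never rendered, with no error at template time. Pipe every interpolated value through `quote`, for example `($dbInfos.password | quote)` as the `printf` argument, and do the same for the login, the uid and the external secret name. Separately, `set $global.Values "secrets" $finalSecrets` changes the chart values in place rather than a copy, which deserves a comment stating that the side effect is intended.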
diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml
index d148ba6888..cac6f79f16 100644
--- a/kubernetes/common/mariadb-init/values.yaml
+++ b/kubernetes/common/mariadb-init/values.yaml
@@ -23,8 +23,24 @@ global:
nameOverride: mariadb-galera
servicePort: 3306
# set these two values if you want to access an 'out of ONAP' mariadb
- userRootSecret: default
- userRootSecretKey: password
+ # userRootPassword: some-password
+ # userRootSecret: some-secret-name
+ # userRootSecretKey: password
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: root-password
+ type: password
+ externalSecret: '{{ tpl (default (include "mariadbInit.mariadbClusterSecret" .) .Values.global.mariadbGalera.userRootSecret) . }}'
+ password: '{{ tpl (default "" .global.mariadbGalera.userRootPassword) . }}'
+ - uid: '{{ .Values.config.mysqlDatabase }}'
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.config.mysqlExternalSecret) . }}'
+ login: '{{ .Values.config.userName }}'
+ password: '{{ .Values.config.userPassword }}'
+ passwordPolicy: required
#################################################################
# Application configuration defaults.
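Review bot: The `password` entry of the `root-password` secret reads `.global.mariadbGalera.userRootPassword`, whereas the `externalSecret` line directly above it and the entries below all go through `.Values`. If these strings are evaluated against the chart root context, as the neighbouring lines suggest, `.global` is not defined there and the lookup will fail or come back empty. It should read `password: '{{ tpl (default "" .Values.global.mariadbGalera.userRootPassword) . }}'`. Also, `externalSecret` always resolves to a non-empty name because it defaults to `mariadbInit.mariadbClusterSecret`, so depending on which field the common template prefers, a configured `userRootPassword` may never take effect; a comment saying which one wins would help operators.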
@@ -39,6 +55,8 @@ pullPolicy: IfNotPresent
config:
userPassword: Ci@shsOd3pky1Vji
userName: u5WZ1GMSIS1wHZF
+ # set this value if you would like to use external secret instead of providing a password
+ # mysqlExternalsecret: some-secret-name
mysqlDatabase: ynsaUCru6mUNwGal
mysqlAdditionalDatabases: {}
# add addtional dabases
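Review bot: The commented example is spelled `mysqlExternalsecret`, but the `secrets` block added earlier in this file reads `.Values.config.mysqlExternalSecret` with a capital S. Values keys are case-sensitive, so an operator who uncomments the line as written sets a key nothing reads, and the chart silently falls back to the `userPassword` committed in this file instead of the intended external secret. Change the example to `# mysqlExternalSecret: some-secret-name`. Given that the fallback is a fixed credential stored in the repository, it would also be worth stating in the comment that `userPassword` is ignored once the external secret is set, if that is indeed how the common template behaves.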
@@ -48,9 +66,11 @@ config:
# dbOne:
# user: one
# password: pwd1
+ # externalSecret: some-secret-name
# dbTwo:
# user: two
# password: pwd2
+ # externalSecret: some-secret-name
config_map: default
nodeSelector: {}