diff options
author | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2021-02-23 18:07:34 +0100 |
---|---|---|
committer | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2021-11-12 20:18:54 +0000 |
commit | c57b58ddca8fa19fad93b3aea70e556ad6f045d8 (patch) | |
tree | bf43684a4c647fe941d1b492edb182b162d31cbf /kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml | |
parent | af3d4158481aa457d21b894865536e8d5bda1826 (diff) |
[AAI][SCHEMA] Remove Hardcoded certificates
Use Certinitializer in order to retrieve needed certificates.
It'll also do the retrieval for graphadmin as both microservices are
working together.
Issue-ID: OOM-2691
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: Iad790cc14361cf15d5a6bf4fcad6fd9f4048a1a7
Diffstat (limited to 'kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml')
-rw-r--r-- | kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml | 238 |
1 files changed, 156 insertions, 82 deletions
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml index 5752e54926..1256e71e08 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml @@ -5,7 +5,7 @@ # ================================================================================ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. -# Copyright (c) 2020 Orange Intellectual Property. All rights reserved. +# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -58,7 +58,49 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + {{- if .Values.global.aafEnabled }} + - command: + - sh + args: + - -c + - | + echo "*** retrieve Truststore and Keystore password" + export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) + echo "*** obfuscate them " + export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` + export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` + export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` + echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop + echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop + echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop + image: {{ include "repositoryGenerator.image.jetty" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-obfuscate + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + securityContext: + runAsUser: {{ .Values.securityContext.user_id }} + - command: + - sh + args: + - -c + - | + echo "*** Set obfuscated Truststore and Keystore password into configuration file" + export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) + cd /config-input + for PFILE in `ls -1` + do + envsubst <${PFILE} >/config/${PFILE} + done + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + - mountPath: /config-input + name: properties-input + - mountPath: /config + name: properties + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + {{- end }} - command: - /app/ready.py args: @@ -80,46 +122,42 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness - command: - - /bin/bash + - sh + args: - -c - - bash docker-entrypoint.sh dataRestoreFromSnapshot.sh `ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots|head -1|awk -F".P" '{ print $1 }'` + - | + bash docker-entrypoint.sh dataRestoreFromSnapshot.sh `ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots|head -1|awk -F".P" '{ print $1 }'` env: - name: LOCAL_USER_ID - value: {{ .Values.global.config.userId | quote }} + value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID - value: {{ .Values.global.config.groupId | quote }} - volumeMounts: + value: {{ .Values.securityContext.group_id | quote }} + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties - name: {{ include "common.fullname" . }}-config + name: config subPath: janusgraph-realtime.properties - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots - name: {{ include "common.fullname" . }}-snapshots + name: snapshots - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties - name: {{ include "common.fullname" . }}-config + name: config subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties - name: {{ include "common.fullname" . }}-config + name: properties subPath: aaiconfig.properties - mountPath: /opt/aai/logroot/AAI-GA - name: {{ include "common.fullname" . }}-logs + name: logs - mountPath: /opt/app/aai-graphadmin/resources/logback.xml - name: {{ include "common.fullname" . }}-config + name: config subPath: logback.xml - mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml - name: {{ include "common.fullname" . }}-config + name: config subPath: localhost-access-logback.xml - mountPath: /opt/app/aai-graphadmin/resources/application.properties - name: {{ include "common.fullname" . }}-config + name: properties subPath: application.properties - {{ $global := . }} - {{ range $job := .Values.global.config.auth.files }} - - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }} - name: {{ include "common.fullname" $global }}-auth-truststore-sec - subPath: {{ . }} - {{ end }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-restore-backup @@ -128,57 +166,49 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-perform-migration command: - - /bin/bash + - sh + args: - -c - | bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ; {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID - value: {{ .Values.global.config.userId | quote }} + value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID - value: {{ .Values.global.config.groupId | quote }} - volumeMounts: + value: {{ .Values.securityContext.group_id | quote }} + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties - name: {{ include "common.fullname" . }}-config + name: config subPath: janusgraph-realtime.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties - name: {{ include "common.fullname" . }}-config + name: config subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties - name: {{ include "common.fullname" . }}-config + name: properties subPath: aaiconfig.properties - mountPath: /opt/aai/logroot/AAI-GA - name: {{ include "common.fullname" . }}-logs + name: logs - mountPath: /opt/app/aai-graphadmin/resources/logback.xml - name: {{ include "common.fullname" . }}-config + name: config subPath: logback.xml - mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml - name: {{ include "common.fullname" . }}-config + name: config subPath: localhost-access-logback.xml - mountPath: /opt/app/aai-graphadmin/resources/application.properties - name: {{ include "common.fullname" . }}-config + name: properties subPath: application.properties - {{ $global := . }} - {{ range $job := .Values.global.config.auth.files }} - - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }} - name: {{ include "common.fullname" $global }}-auth-truststore-sec - subPath: {{ . }} - {{ end }} - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} - {{- end -}} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - name: localtime hostPath: path: /etc/localtime @@ -191,14 +221,12 @@ spec: - name: {{ include "common.fullname" . }}-snapshots persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration - - name: {{ include "common.fullname" . }}-auth-truststore-sec - secret: - secretName: aai-common-truststore - items: - {{ range $job := .Values.global.config.auth.files }} - - key: {{ . }} - path: {{ . }} - {{ end }} + - name: properties-input + configMap: + name: {{ include "common.fullname" . }}-properties + - name: properties + emptyDir: + medium: Memory restartPolicy: Never imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" @@ -226,8 +254,50 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + {{- if .Values.global.aafEnabled }} + - command: + - sh + args: + - -c + - | + echo "*** retrieve Truststore and Keystore password" + export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) + echo "*** obfuscate them " + export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` + export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` + export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` + echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop + echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop + echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop + image: {{ include "repositoryGenerator.image.jetty" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-obfuscate + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + securityContext: + runAsUser: {{ .Values.securityContext.user_id }} + - command: + - sh + args: + - -c + - | + echo "*** Set obfuscated Truststore and Keystore password into configuration file" + export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) + cd /config-input + for PFILE in `ls -1` + do + envsubst <${PFILE} >/config/${PFILE} + done + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + - mountPath: /config-input + name: properties-input + - mountPath: /config + name: properties + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + {{- end }} {{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} - initContainers: - command: - /bin/bash - -c @@ -247,65 +317,69 @@ spec: image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - - /bin/bash + - sh + args: - -c - | - bash docker-entrypoint.sh dataSnapshot.sh ; + bash docker-entrypoint.sh dataSnapshot.sh {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID - value: {{ .Values.global.config.userId | quote }} + value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID - value: {{ .Values.global.config.groupId | quote }} - volumeMounts: + value: {{ .Values.securityContext.group_id | quote }} + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots - name: {{ include "common.fullname" . }}-snapshots + name: snapshots - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties - name: {{ include "common.fullname" . }}-migration + name: migration subPath: janusgraph-migration-real.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties - name: {{ include "common.fullname" . }}-migration + name: migration subPath: janusgraph-migration-cached.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties - name: {{ include "common.fullname" . }}-config + name: properties subPath: aaiconfig.properties - mountPath: /opt/aai/logroot/AAI-RES/ - name: {{ include "common.fullname" . }}-logs + name: logs - mountPath: /opt/app/aai-graphadmin/resources/logback.xml - name: {{ include "common.fullname" . }}-config + name: config subPath: logback.xml - mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml - name: {{ include "common.fullname" . }}-config + name: config subPath: localhost-access-logback.xml - mountPath: /opt/app/aai-graphadmin/resources/application.properties - name: {{ include "common.fullname" . }}-config + name: properties subPath: application.properties - resources: -{{ include "common.resources" . | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} - {{- end -}} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - volumes: + volumes: {{ include "common.resources" . | nindent 10 }} - name: localtime hostPath: path: /etc/localtime - - name: {{ include "common.fullname" . }}-logs + - name: logs emptyDir: {} - - name: {{ include "common.fullname" . }}-config + - name: config configMap: - name: {{ include "common.fullname" . }}-configmap - - name: {{ include "common.fullname" . }}-migration + name: {{ include "common.fullname" . }} + - name: properties-input configMap: - name: {{ include "common.fullname" . }}-migration-configmap - - name: {{ include "common.fullname" . }}-snapshots + name: {{ include "common.fullname" . }}-properties + - name: properties + emptyDir: + medium: Memory + - name: migration + configMap: + name: {{ include "common.fullname" . }}-migration + - name: snapshots persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration restartPolicy: Never |