author | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-02-17 22:05:51 +0100 |
---|---|---|
committer | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-02-18 12:33:20 +0100 |
commit | acdd90c7b8b2add7c885314563f678f05f09e20b (patch) | |
tree | 3b66e9b2b6e50e410016e35d646365015d260776 /kubernetes/common/dgbuilder/templates | |
parent | 4eddfbdf9caabe3ce30937d78b1bfe8aad72f8f9 (diff) |
[COMMON] Use common secret template in dgbuilder
Taking into account how "easy" it would be to modify the dgbuilder,
which is written in JavaScript (which is not my mother tongue, to say
the least), let's try to remove hardcoded passwords from config files
without modifying the application container itself.
In order to achieve this:
1) Remove createReleaseDir.sh script from the container as it is never
used and contains a ton of passwords
2) Replace all sensitive values in config files with references to
respective environment variables
3) Introduce init container that will run envsubst command on config
files and copy them from ConfigMap value to the new volume which is
backed by tmpfs so that the plain text passwords are never written to
the disk
For now all the hardcoded values are still there to minimize the risk
of breaking the deployment but step by step they will be removed in
next commits.
Issue-ID: OOM-2247
Change-Id: I5a428e3415713857084ba6aaa6be9b04a8eb8c0f
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Diffstat (limited to 'kubernetes/common/dgbuilder/templates')
-rw-r--r-- | kubernetes/common/dgbuilder/templates/configmap.yaml | 13 | ||||
-rw-r--r-- | kubernetes/common/dgbuilder/templates/deployment.yaml | 53 | ||||
-rw-r--r-- | kubernetes/common/dgbuilder/templates/secrets.yaml | 15 |
3 files changed, 41 insertions, 40 deletions
diff --git a/kubernetes/common/dgbuilder/templates/configmap.yaml b/kubernetes/common/dgbuilder/templates/configmap.yaml
index 24f61b5487..828818c68d 100644
--- a/kubernetes/common/dgbuilder/templates/configmap.yaml
+++ b/kubernetes/common/dgbuilder/templates/configmap.yaml
@@ -24,16 +24,3 @@ metadata:
 heritage: {{ .Release.Service }}
 data:
 {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-scripts
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/scripts/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/common/dgbuilder/templates/deployment.yaml b/kubernetes/common/dgbuilder/templates/deployment.yaml
index 495c4c6ab6..b3f0ab05a3 100644
--- a/kubernetes/common/dgbuilder/templates/deployment.yaml
+++ b/kubernetes/common/dgbuilder/templates/deployment.yaml
@@ -32,6 +32,40 @@ spec:
 spec:
 initContainers:
 - command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: DB_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }}
+ - name: DB_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }}
+ - name: HTTP_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "http-user-creds" "key" "login") | indent 10 }}
+ - name: HTTP_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "http-user-creds" "key" "password") | indent 10 }}
+ - name: HTTP_ADMIN_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "admin-creds" "key" "login") | indent 10 }}
+ - name: HTTP_ADMIN_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "admin-creds" "key" "password") | indent 10 }}
+ - name: HTTP_NODE_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "node-creds" "key" "login") | indent 10 }}
+ - name: HTTP_NODE_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "node-creds" "key" "password") | indent 10 }}
+ - name: REST_CONF_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "restconf-creds" "key" "login") | indent 10 }}
+ - name: REST_CONF_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "restconf-creds" "key" "password") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: config-input
+ - mountPath: /config
+ name: config
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ - command:
 - /root/ready.py
 args:
 - --container-name
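Review bot: The envsubst call in the added init-container command substitutes every `$NAME`/`${NAME}` sequence in every file under /config-input, not only the ten variables declared in `env:`, so any literal dollar sequence in those files (customSettings.js is JavaScript, where that is plausible) would be rewritten to an empty string; if the envsubst image ships GNU gettext's envsubst, a SHELL-FORMAT argument restricts substitution to a named list. The loop also parses `ls -1 .`, leaves `${PFILE}` unquoted and returns only the status of the last iteration, so a failed envsubst on an earlier file does not fail the init container and the pod starts with an incomplete /config. One replacement line covers all three points: `- "cd /config-input && for PFILE in *; do envsubst '$DB_USER $DB_PASSWORD $HTTP_USER $HTTP_PASSWORD $HTTP_ADMIN_USER $HTTP_ADMIN_PASSWORD $HTTP_NODE_USER $HTTP_NODE_PASSWORD $REST_CONF_USER $REST_CONF_PASSWORD' <\"$PFILE\" >\"/config/$PFILE\" || exit 1; done"`. The enclosing initContainers list continues past the end of the hunk.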
@@ -59,11 +93,6 @@ spec:
 initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
 periodSeconds: {{ .Values.readiness.periodSeconds }}
 env:
- - name: MYSQL_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}
- key: db-root-password
 - name: SDNC_CONFIG_DIR
 value: /opt/onap/sdnc/data/properties
 volumeMounts:
@@ -79,10 +108,7 @@ spec:
 - name: config
 mountPath: /opt/onap/ccsdk/dgbuilder/svclogic/svclogic.properties
 subPath: svclogic.properties
- - name: scripts
- mountPath: /opt/onap/ccsdk/dgbuilder/createReleaseDir.sh
- subPath: createReleaseDir.sh
- - name: scripts
+ - name: config
 mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/customSettings.js
 subPath: customSettings.js
 resources:
@@ -99,12 +125,11 @@ spec:
 - name: localtime
 hostPath:
 path: /etc/localtime
- - name: config
+ - name: config-input
 configMap:
 name: {{ include "common.fullname" . }}-config
- - name: scripts
- configMap:
- name: {{ include "common.fullname" . }}-scripts
- defaultMode: 0755
+ - name: config
+ emptyDir:
+ medium: Memory
 imagePullSecrets:
 - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/common/dgbuilder/templates/secrets.yaml b/kubernetes/common/dgbuilder/templates/secrets.yaml
index e00d7cfc03..c9a409fdca 100644
--- a/kubernetes/common/dgbuilder/templates/secrets.yaml
+++ b/kubernetes/common/dgbuilder/templates/secrets.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2018 AT&T, Amdocs, Bell Canada
+# Copyright © 2020 Samsung Electronics
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
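Review bot: The memory-backed `emptyDir` added for the `config` volume in the last deployment hunk carries no `sizeLimit`, and a `medium: Memory` emptyDir is charged against the container's memory limit, so the rendered config files count toward the dgbuilder memory budget with no bound of their own; adding `sizeLimit: 64Mi` (a constructed value, tune to the real rendered size) under `emptyDir:` makes that cost explicit and caps the tmpfs. The hunk's goal of never writing plaintext credentials to disk holds as long as the node does not swap, which is the kubelet default. The preceding hunk in this file now mounts customSettings.js from the same `config` volume via `subPath`, which relies on the init container producing that file, i.e. on resources/config carrying it; this diff does not show that, so it is worth confirming.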
@@ -12,16 +13,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.fullname" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
- db-root-password: {{ .Values.config.dbRootPassword | b64enc | quote }}
\ No newline at end of file
+{{ include "common.secret" . }} |
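Review bot: Replacing the whole Secret with `{{ include "common.secret" . }}` drops the `db-root-password` key together with the `{{ template "common.fullname" . }}` Secret name, while the five credential uids the deployment's init container now reads (`db-user-creds`, `http-user-creds`, `admin-creds`, `node-creds`, `restconf-creds`) presumably have to be declared in the chart's `secrets:` values for `common.secret` to render them. The diffstat is limited to templates, so neither those value declarations nor any remaining consumer of `db-root-password` is visible here; both should be confirmed before merge, and `.Values.config.dbRootPassword` no longer has a user in this template. A one-line template comment next to the include, `{{/* renders each entry of .Values.secrets; uids must match the envFromSecret references in deployment.yaml */}}`, would tell the next reader where those names come from.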