diff options
| author |   Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-02-17 22:05:51 +0100 |
|---|---|---|
| committer | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-02-18 12:33:20 +0100 |
| commit | acdd90c7b8b2add7c885314563f678f05f09e20b (patch) | |
| tree | 3b66e9b2b6e50e410016e35d646365015d260776 /kubernetes/common/dgbuilder/values.yaml | |
| parent | 4eddfbdf9caabe3ce30937d78b1bfe8aad72f8f9 (diff) | |
[COMMON] Use common secret template in dgbuilder
Taken into account how "easy" it would be to modify the dgbuilder
which is written in JavaScript (which is not my mother tongue to say
the least) let's try to remove hardcoded passwords from config files
without modifying the application container itself.
In order to achieve this:
1) Remove createReleaseDir.sh script from the container as it is never
used and contains a ton of passwords
2) Replace all sensitive values in config files with references to
respective environment variables
3) Introduce init container that will run envsubst command on config
files and copy them from ConfigMap value to the new volume which is
backed by tmpfs so that the plain text passwords are never written to
the disk
For now all the hardcoded values are still there to minimize the risk
of breaking the deployment but step by step they will be removed in
next commits.
Issue-ID: OOM-2247
Change-Id: I5a428e3415713857084ba6aaa6be9b04a8eb8c0f
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Diffstat (limited to 'kubernetes/common/dgbuilder/values.yaml')
| -rw-r--r-- | kubernetes/common/dgbuilder/values.yaml | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/kubernetes/common/dgbuilder/values.yaml b/kubernetes/common/dgbuilder/values.yaml index fa205e227e..96d7dffb0a 100644 --- a/kubernetes/common/dgbuilder/values.yaml +++ b/kubernetes/common/dgbuilder/values.yaml @@ -31,6 +31,9 @@ global: loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + # envsusbt + envsubstImage: dibi/envsubst + # image pull policy pullPolicy: Always @@ -43,6 +46,40 @@ global: debugEnabled: true ################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: 'db-root-password' + type: password + externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' + password: '{{ .Values.config.dbRootPassword }}' + - uid: 'db-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.dbSdnctlPassword }}' + - uid: 'http-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.httpCredsExternalSecret) . }}' + login: '{{ .Values.config.httpUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'admin-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.adminCredsExternalSecret) . }}' + login: '{{ .Values.config.adminUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'node-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.nodeCredsExternalSecret) . }}' + login: '{{ .Values.config.nodeUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'restconf-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.restconfCredsExternalSecret) . }}' + login: '{{ .Values.config.restconfUser }}' + password: '{{ .Values.config.restconfPassword }}' + +################################################################# # Application configuration defaults. ################################################################# # application image @@ -55,6 +92,32 @@ debugEnabled: false # application configuration config: + db: + dbName: sdnctl + # unused for now to preserve the API + rootPassword: openECOMP1.0 + # rootPasswordExternalSecret: some secret + userName: sdnctl + # unused for now to preserve the API + userPassword: gamma + # userCredentialsExternalSecret: some secret + httpUser: dguser + # unused for now to preserve the API + httpPassword: cc03e747a6afbbcbf8be7668acfebee5 + # httpCredsExternalSecret: some secret + adminUser: dguser + # unused for now to preserve the API + adminPassword: cc03e747a6afbbcbf8be7668acfebee5 + # adminCredsExternalSecret: some secret + nodeUser: dguser + # unused for now to preserve the API + nodePassword: cc03e747a6afbbcbf8be7668acfebee5 + # nodeCredsExternalSecret: some secret + restconfUser: admin + # unused for now to preserve the API + restconfPassword: admin + # restconfCredsExternalSecret: some secret + dbRootPassword: openECOMP1.0 dbSdnctlPassword: gamma dbPodName: mysql-db |