[Portal] Remove hardcoded cassandra password

Make cassandra password generate automatically and distribute it to components that use DB. Remove also hardcoded encryption key. Issue-ID: PORTAL-944 Signed-off-by: SandeepLinux <Sandeep.Shah@att.com> Change-Id: I6e579a76efacc7a0921fea7c74a7a9e49347ebd8 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
author: Sandeep Shah <sandeeplinux1068@gmail.com> 2020-09-01 21:13:16 -0500
committer: Sandeep Shah <sandeeplinux1068@gmail.com> 2020-09-24 09:35:19 -0500
commit: 2ffb1ba25a2a797fe781009adcc4766fbf44fe38 (patch)
tree: d5282e2b0970b61d7a5bc4b3b350b4b8fa3374b5 /kubernetes/portal/components/portal-app
parent: 47befb7d30489984cde86ef6377a0e9b573d29d6 (diff)
4 files changed, 54 insertions, 3 deletions
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties
new file mode 100644
index 0000000000..368cbe75b8
--- /dev/null
+++ b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties
@@ -0,0 +1,2 @@
+# Encrypted Properties
+cipher.enc.key = ${CIPHER_ENC_KEY}
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties
index 37544d11e3..4efbac7fe3 100644
--- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties
+++ b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties
@@ -29,5 +29,5 @@ music.serialize.compress = true
 music.atomic.get = false
 music.atomic.put = true
 cassandra.host={{.Values.cassandra.service.name}}
-cassandra.user={{.Values.cassandra.config.cassandraUsername}}
-cassandra.password={{.Values.cassandra.config.cassandraPassword}}
+cassandra.user=${CASSA_USER}
+cassandra.password=${CASSA_PASSWORD}
diff --git a/kubernetes/portal/components/portal-app/templates/deployment.yaml b/kubernetes/portal/components/portal-app/templates/deployment.yaml
index 6964715ef1..0be1fdc91f 100644
--- a/kubernetes/portal/components/portal-app/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-app/templates/deployment.yaml
@@ -49,6 +49,23 @@ spec:
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.namespace
+      - name: {{ include "common.name" . }}-portal-config
+        image: "{{ .Values.global.envsubstImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        command: ["/bin/sh"]
+        args: [ "-c", "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"]
+        env:
+          - name: CASSA_USER
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }}
+          - name: CASSA_PASSWORD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }}
+          - name: CIPHER_ENC_KEY
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }}
+        volumeMounts:
+        - mountPath: /config-input
+          name: properties-onapportal-scrubbed
+        - mountPath: /config
+          name: properties-onapportal
 {{ include "common.certInitializer.initContainer" . | indent 6 }}
       containers:
       - name: {{ include "common.name" . }}
@@ -103,6 +120,9 @@ spec:
           mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/portal.properties"
           subPath: portal.properties
         - name: properties-onapportal
+          mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/key.properties"
+          subPath: key.properties
+        - name: properties-onapportal
           mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/music.properties"
           subPath: music.properties
         - name: properties-onapportal
@@ -114,6 +134,8 @@ spec:
         - name: properties-onapportal
           mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/web.xml"
           subPath: web.xml
+        - name: properties-onapportal
+          mountPath: "{{ .Values.global.env.tomcatDir }}/temp"
         - name: var-log-onap
           mountPath: /var/log/onap
         resources:
@@ -122,7 +144,7 @@ spec:
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 10 }}
       {{- end -}}
-      {{- if .Values.affinity }}
+{{- if .Values.affinity }}
       affinity:
 {{ toYaml .Values.affinity | indent 10 }}
       {{- end }}
@@ -143,6 +165,9 @@ spec:
           hostPath:
             path: /etc/localtime
         - name: properties-onapportal
+          emptyDir:
+            medium: Memory
+        - name: properties-onapportal-scrubbed
           configMap:
             name: {{ include "common.fullname" . }}-onapportal
             defaultMode: 0755
diff --git a/kubernetes/portal/components/portal-app/values.yaml b/kubernetes/portal/components/portal-app/values.yaml
index 73306ba773..55a7ccca38 100644
--- a/kubernetes/portal/components/portal-app/values.yaml
+++ b/kubernetes/portal/components/portal-app/values.yaml
@@ -23,9 +23,27 @@ global:
   readinessImage: onap/oom/readiness:3.0.1
   loggingRepository: docker.elastic.co
   loggingImage: beats/filebeat:5.5.0
+  envsubstImage: dibi/envsubst
   #AAF service
   aafEnabled: true
 
+################################################################
+# Secrets metaconfig
+#################################################################
+
+secrets:
+  - uid: portal-cass
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.cassandra.config.cassandraExternalSecret) . }}'
+    login: '{{ .Values.cassandra.config.cassandraUsername }}'
+    password: '{{ .Values.cassandra.config.cassandraPassword }}'
+    passwordPolicy: required
+  - uid: cipher-enc-key
+    type: password
+    externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}'
+    password: '{{ .Values.config.cipherEncKey }}'
+    passwordPolicy: required
+
 #################################################################
 # Application configuration defaults.
 #################################################################
@@ -35,6 +53,11 @@ repository: nexus3.onap.org:10001
 image: onap/portal-app:3.2.3
 pullPolicy: Always
 
+# application configuration
+config:
+  # cipherEncKeyExternalSecret: some secret
+  cipherEncKey: AGLDdG4D04BKm2IxIWEr8o==!
+
 #AAF local config
 
 aafURL: https://aaf-service:8100/authz/
@@ -104,6 +127,7 @@ cassandra:
   service:
     name: portal-cassandra
   config:
+    # cassandraExternalSecret: some secret
     cassandraUsername: root
     cassandraPassword: Aa123456
 messageRouter:
author	Sandeep Shah <sandeeplinux1068@gmail.com>	2020-09-01 21:13:16 -0500
committer	Sandeep Shah <sandeeplinux1068@gmail.com>	2020-09-24 09:35:19 -0500
commit	2ffb1ba25a2a797fe781009adcc4766fbf44fe38 (patch)
tree	d5282e2b0970b61d7a5bc4b3b350b4b8fa3374b5 /kubernetes/portal/components/portal-app
parent	47befb7d30489984cde86ef6377a0e9b573d29d6 (diff)