authorSandeep Shah <sandeeplinux1068@gmail.com>2020-10-20 16:11:21 -0500
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>2020-10-27 08:40:12 +0100
commit8f1acc0cf15e399da7c93350233ae0b0f2a74e8f (patch)
treed091907839543e5cf1b505a70e83d1bdca567d05 /kubernetes/portal
parentb61ad49e3b97eadebccbf76bcebefa638ef10c05 (diff)
[PORTAL ] Non-root user DB access from WMS
Update portal-widget HELM charts to use non-root user access to the portal mariadb backend Issue-ID: OOM-2601 Signed-off-by: SandeepLinux <ss048t@att.com> Change-Id: I434ce85f1d0922d87fca35f692064a9b5e757954 Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Diffstat (limited to 'kubernetes/portal')
-rw-r--r--kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties13
-rw-r--r--kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml2
-rw-r--r--kubernetes/portal/components/portal-widget/templates/deployment.yaml37
-rw-r--r--kubernetes/portal/components/portal-widget/templates/secret.yaml17
-rw-r--r--kubernetes/portal/components/portal-widget/values.yaml44
5 files changed, 105 insertions, 8 deletions
diff --git a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties b/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties
index a53dd2e283..f5a900e8ce 100644
--- a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties
+++ b/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties
@@ -7,27 +7,26 @@ microservice.widget.location=/tmp
## App DB Properties
spring.datasource.url=jdbc:mysql://portal-db:3306/portal
-spring.datasource.username=root
-spring.datasource.password=Aa123456
+spring.datasource.username=${PORTAL_DB_USER}
+spring.datasource.password=${PORTAL_DB_PASSWORD}
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQLDialect
spring.database.driver.classname=org.mariadb.jdbc.Driver
spring.jpa.show-sql=false
spring.jpa.properties.hibernate.format_sql=false
## Basic Authentication Properties
-security.user.name=widget_user
-security.user.password=ENC(IjywcRnI9+nuVEh9+OFFiRWAjBT1n718)
+security.user.name=${WIDGET_USER}
+security.user.password=${WIDGET_PASSWORD}
initialization.default.widgets=true
initialization.widgetData.url=http://portal-app:{{.Values.global.portalPort}}/ONAPPORTAL/commonWidgets
## Account Basic Authentication Properties
-account.user.name=portal
-account.user.password=6APqvG4AU2rfLgCvMdySwQ==
+account.user.name=${ACC_USER}
+account.user.password=${ACC_PASSWORD}
## Certificate Properties
#server.ssl.key-store=classpath:widget-keystore.p12
#server.ssl.key-store-password=ENC(DiIYnAMab4u7rEW2yKhF9zBL00uU55q8)
#server.ssl.keyStoreType=PKCS12
#server.ssl.keyAlias=widget-microservice
-
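Review bot: The commented-out `#server.ssl.key-store-password=ENC(...)` line kept as context at the end of this hunk still carries a jasypt ciphertext, and the key it was presumably encrypted under, `EncryptionKey`, remains the chart default for `jasyptEncKey` in values.yaml of this same commit. I would blank that value, e.g. `#server.ssl.key-store-password=<supplied via secret>`. The literals removed here (the root database password, the `ENC(...)` widget password and the account password) stay readable in repository history, so they should be treated as disclosed and rotated on any deployment that used them. The file starts above the hunk, so properties outside it were not reviewed.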
diff --git a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml b/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml
index 087c93f5ce..3d7f9a8056 100644
--- a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml
+++ b/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml
@@ -14,4 +14,4 @@
jasypt:
encryptor:
- password: EncryptionKey
+ password: ${JASYPT_ENC_KEY}
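Review bot: `password: ${JASYPT_ENC_KEY}` is substituted as raw text by envsubst before the file is parsed as YAML, so a key that contains `: ` or ` #`, starts with an indicator character, or looks like a number or boolean will be truncated, retyped or rejected by the parser. Quoting the placeholder, `password: '${JASYPT_ENC_KEY}'`, leaves a single quote inside the key as the only problem case, which is worth stating where the value is documented. A similar caveat applies to the `.properties` placeholders in this commit, where a backslash in a password would likely be read as an escape.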
diff --git a/kubernetes/portal/components/portal-widget/templates/deployment.yaml b/kubernetes/portal/components/portal-widget/templates/deployment.yaml
index 4640a43f73..44d7fc467e 100644
--- a/kubernetes/portal/components/portal-widget/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-widget/templates/deployment.yaml
@@ -49,6 +49,40 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ - name: {{ include "common.name" . }}-portal-widget-config
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - sh
+ args:
+ - "-c"
+ - |
+ cd /config-input && \
+ for PFILE in `ls -1 *.*`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ chmod 0755 /config/${PFILE}
+ done
+ env:
+ - name: PORTAL_DB_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }}
+ - name: PORTAL_DB_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }}
+ - name: WIDGET_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-widget" "key" "login") | indent 12 }}
+ - name: WIDGET_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-widget" "key" "password") | indent 12 }}
+ - name: ACC_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-account" "key" "login") | indent 12 }}
+ - name: ACC_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-account" "key" "password") | indent 12 }}
+ - name: JASYPT_ENC_KEY
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "jasypt-enc-key" "key" "password") | indent 12 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: properties-onapwidgetms-scrubbed
+ - mountPath: /config
+ name: properties-onapwidgetms
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
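Review bot: `chmod 0755 /config/${PFILE}` makes the rendered files, which now hold the database, widget, account and jasypt secrets in clear text, world-readable and executable inside the pod. A mode such as `chmod 0640 /config/${PFILE}` (or `0600` if the application container runs as the same UID as this init container, which the hunk does not show) keeps them to the process that needs them. `envsubst` is also called without a variable list, so any other `$NAME` or `${NAME}` text in the input files is rewritten as well; passing the seven names explicitly, for example `envsubst '${PORTAL_DB_USER} ${PORTAL_DB_PASSWORD} ...'`, avoids that. The loop has no error handling, so a failed substitution still lets the pod start with an empty or partial file; `set -e` at the top of the script would stop it. The container list this entry belongs to begins above the hunk.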
@@ -94,6 +128,9 @@ spec:
hostPath:
path: /etc/localtime
- name: properties-onapwidgetms
+ emptyDir:
+ medium: Memory
+ - name: properties-onapwidgetms-scrubbed
configMap:
name: {{ include "common.fullname" . }}-onapwidgetms
defaultMode: 0755
diff --git a/kubernetes/portal/components/portal-widget/templates/secret.yaml b/kubernetes/portal/components/portal-widget/templates/secret.yaml
new file mode 100644
index 0000000000..9a3f011e80
--- /dev/null
+++ b/kubernetes/portal/components/portal-widget/templates/secret.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/portal/components/portal-widget/values.yaml b/kubernetes/portal/components/portal-widget/values.yaml
index 94da33019c..1367b25e4c 100644
--- a/kubernetes/portal/components/portal-widget/values.yaml
+++ b/kubernetes/portal/components/portal-widget/values.yaml
@@ -22,6 +22,46 @@ global:
loggingRepository: docker.elastic.co
loggingImage: beats/filebeat:5.5.0
ubuntuInit: ubuntu-init:1.0.0
+ envsubstImage: dibi/envsubst
+
+################################################################
+# Secrets metaconfig
+#################################################################
+
+secrets:
+ - uid: portal-backend-db
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}'
+ login: '{{ .Values.mariadb.config.backendUserName }}'
+ password: '{{ .Values.mariadb.config.backendPassword }}'
+ passwordPolicy: required
+ - uid: portal-widget
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.config.widgetCredsExternalSecret) . }}'
+ login: '{{ .Values.config.widgetUsername }}'
+ password: '{{ .Values.config.widgetPassword }}'
+ passwordPolicy: required
+ - uid: portal-account
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.config.accountCredsExternalSecret) . }}'
+ login: '{{ .Values.config.accountUsername }}'
+ password: '{{ .Values.config.accountPassword }}'
+ passwordPolicy: required
+ - uid: jasypt-enc-key
+ type: password
+ externalSecret: '{{ .Values.config.jasyptEncKeyExternalSecret}}'
+ password: '{{ .Values.config.jasyptEncKey }}'
+ passwordPolicy: required
+
+config:
+ widgetUsername: widget_user
+ widgetPassword: widget_pass
+# widgetCredsExternalSecret: some secret
+ accountUsername: portal
+ accountPassword: portal
+# accountCredsExternalSecret: some secret
+ jasyptEncKey: EncryptionKey
+ # jasyptEncKeyExternalSecret: some secret
#################################################################
# Application configuration defaults.
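Review bot: The `config:` block here and the `mariadb.config` block in the next hunk give every secret a committed default (`widgetPassword: widget_pass`, `accountPassword: portal`, `jasyptEncKey: EncryptionKey`, `backendPassword: portal`), so `passwordPolicy: required` is presumably always satisfied and an install with no overrides still runs on publicly known credentials. Leaving these values unset, so that rendering fails unless an operator supplies a password or an `externalSecret`, would make the policy meaningful. Separately, `envsubstImage: dibi/envsubst` has no tag or digest, and the init container that runs it receives all seven credential variables in its environment; pinning it (e.g. `dibi/envsubst@sha256:<digest>`) or serving it from the project's own registry would limit that exposure. The `jasypt-enc-key` entry also omits the `tpl (default "" ...)` wrapper that the other three `externalSecret` lines use, so it may render differently when the key is left commented out.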
@@ -56,6 +96,10 @@ readiness:
mariadb:
service:
name: portal-db
+ config:
+ # backendDbExternalSecret: some secret
+ backendUserName: portal
+ backendPassword: portal
service:
type: ClusterIP