Merge "[SDNC] Use common secret template in ansible-server"

4 files changed, 107 insertions, 21 deletions

diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config b/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config
index eb88d7236b..7dc5c19e12 100644
--- a/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config
+++ b/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config
@@ -13,33 +13,33 @@
 # limitations under the License.
 
 # Host definition
-ip:	0.0.0.0
-port:	{{.Values.service.internalPort}}
+ip:     0.0.0.0
+port:   {{.Values.service.internalPort}}
 
 # Security (controls use of TLS encrypton and RestServer authentication)
-tls:	no
-auth:	no
+tls:    no
+auth:   no
 
 # TLS certificates (must be built on application host)
-priv:	provide_privated_key.pem
-pub:	provide_public_key.pem
+priv:   provide_privated_key.pem
+pub:    provide_public_key.pem
 
 # RestServer authentication
-id:	sdnc
-psswd:	sdnc
+id:     ${REST_USER}
+psswd:  ${REST_PASSWORD}
 
 # Mysql
-host:	{{.Values.config.mariadbGalera.serviceName}}
-user:	sdnc
-passwd:	sdnc
-db:	ansible
+host:   {{ include "common.mariadbService" $ }}
+user:   ${DB_USER}
+passwd: ${DB_PASSWORD}
+db:     {{ index .Values "mariadb-galera" "config" "mysqlDatabase" }}
 
 # Playbooks
-from_files:		yes
-ansible_path:		/opt/onap/sdnc/Playbooks
-ansible_inv:		Ansible_inventory
-ansible_temp:		PlaybooksTemp
-timeout_seconds:	60
+from_files:             yes
+ansible_path:           /opt/onap/sdnc/Playbooks
+ansible_inv:            Ansible_inventory
+ansible_temp:           PlaybooksTemp
+timeout_seconds:        60
 
 # Blocking on GetResults
-getresults_block:	yes
+getresults_block:       yes
diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
index 2233099224..d353adaf58 100644
--- a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
+++ b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
@@ -32,6 +32,29 @@ spec:
     spec:
       initContainers:
       - command:
+        - sh
+        args:
+        - -c
+        - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+        env:
+        - name: DB_USER
+          {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
+        - name: DB_PASSWORD
+          {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+        - name: REST_USER
+          {{- include "common.secret.envFromSecret" (dict "global" . "uid" "rest-creds" "key" "login") | indent 10 }}
+        - name: REST_PASSWORD
+          {{- include "common.secret.envFromSecret" (dict "global" . "uid" "rest-creds" "key" "password") | indent 10 }}
+        volumeMounts:
+        - mountPath: /config-input
+          name: config-input
+        - mountPath: /config
+          name: config
+        image: "{{ .Values.global.envsubstImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-update-config
+
+      - command:
         - /root/ready.py
         args:
         - --container-name
@@ -89,9 +112,12 @@ spec:
         - name: localtime
           hostPath:
             path: /etc/localtime
-        - name: config
+        - name: config-input
           configMap:
             name: {{ include "common.fullname" . }}
             defaultMode: 0644
+        - name: config
+          emptyDir:
+            medium: Memory
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/secret.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/secret.yaml
new file mode 100644
index 0000000000..dee311c336
--- /dev/null
+++ b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/secret.yaml
@@ -0,0 +1,15 @@
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secret" . }}
diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml
index db7c63cfa4..b0b3c81c8f 100644
--- a/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml
+++ b/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml
@@ -21,6 +21,35 @@ global:
   readinessImage: readiness-check:2.0.2
   loggingRepository: docker.elastic.co
   loggingImage: beats/filebeat:5.5.0
+  # envsusbt
+  envsubstImage: dibi/envsubst
+  mariadbGalera:
+    #This flag allows SO to instantiate its own mariadb-galera cluster
+    #If shared instance is used, this chart assumes that DB already exists
+    localCluster: false
+    service: mariadb-galera
+    internalPort: 3306
+    nameOverride: mariadb-galera
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+  - uid: db-secret
+    name: &dbSecretName '{{ include "common.release" . }}-sdnc-ansible-server-db-secret'
+    type: basicAuth
+    # This is a nasty trick that allows you override this secret using external one
+    # with the same field that is used to pass this to subchart
+    externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) (hasSuffix "sdnc-ansible-server-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}'
+    login: '{{ index .Values "mariadb-galera" "config" "userName" }}'
+    password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}'
+    passwordPolicy: required
+  - uid: rest-creds
+    type: basicAuth
+    externalSecret: '{{ .Values.config.restCredsExternalSecret }}'
+    login: '{{ .Values.config.restUser }}'
+    password: '{{ .Values.config.restPassword }}'
+    passwordPolicy: required
 
 #################################################################
 # Application configuration defaults.
@@ -37,9 +66,25 @@ debugEnabled: false
 config:
   sdncChartName: sdnc
   configDir: /opt/onap/sdnc
-  mariadbGalera:
-    serviceName: mariadb-galera
+  restUser: sdnc
+  restPassword: sdnc
+  # restCredsExternalSecret: some secret
 
+mariadb-galera:
+  config:
+    userCredentialsExternalSecret: *dbSecretName
+    userName: sdnc
+    userPassword: sdnc
+    mysqlDatabase: ansible
+  nameOverride: ansible-server-galera
+  service:
+    name: ansible-server-galera
+    portName: ansible-server-galera
+    internalPort: 3306
+  replicaCount: 1
+  persistence:
+    enabled: true
+    mountSubPath: ansible-server/maria/data
 
 # default number of instances
 replicaCount: 1