author | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-03-28 02:14:37 +0100 |
---|---|---|
committer | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-03-28 02:14:37 +0100 |
commit | c53ff54815a8d716c12395293a8c75a5b6a7fa91 (patch) | |
tree | da614c3f8fdeb01253aae189d995122c6f3baeda /kubernetes/so/values.yaml | |
parent | f68b72895b2fe13a50d7a059b25b42ba37469091 (diff) |
[SO] Use common secret template in so
Generate passwords for:
- so_user
- so_admin
and distribute them to all SO subcharts.
mariadb-galera root password is taken as a reference to existing
secret (shared mariadb instance) or also generated if local cluster is
used.
Three other DB users also have generated passwords but they are not
distributed outside of so-mariadb as they were never used.
Issue-ID: OOM-2328
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Ic4af5c9b12b00d2a52d2597e3fe1161d0d1a9f20
Diffstat (limited to 'kubernetes/so/values.yaml')
-rwxr-xr-x | kubernetes/so/values.yaml | 84 |
1 files changed, 83 insertions, 1 deletions
diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index 807d2a6c7e..b2a8b681b3 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -26,7 +26,8 @@ global: nameOverride: mariadb-galera serviceName: mariadb-galera servicePort: "3306" - mariadbRootPassword: secretpassword + # mariadbRootPassword: secretpassword + # rootPasswordExternalSecret: some secret #This flag allows SO to instantiate its own mariadb-galera cluster, #serviceName and nameOverride should be so-mariadb-galera if this flag is enabled localCluster: false @@ -40,6 +41,7 @@ global: dbPort: 3306 dbUser: root dbPassword: secretpassword + # dbCredsExternalSecret: some secret msbEnabled: true security: aaf: 
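Review bot: The migration credentials keep a usable static default: in the second hunk `dbUser: root` and `dbPassword: secretpassword` stay active next to the new `# dbCredsExternalSecret: some secret` placeholder, whereas the first hunk comments the root password out. The `db-backup-creds` entry added later in this commit is `passwordPolicy: required`, and a shipped default would presumably satisfy that requirement whenever `migration.enabled` is true, so an install can complete with a publicly known root credential. Commenting the default out in the same way, `# dbPassword: secretpassword`, would force the operator to supply a value or an external secret. The `migration:` block starts outside the hunk.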
@@ -69,9 +71,55 @@ global: certs: trustStorePassword: b25hcDRzbw== keyStorePassword: c280b25hcA== + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-root-pass + name: &dbRootPassSecretName '{{ include "common.release" . }}-so-db-root-pass' + type: password + externalSecret: '{{ ternary .Values.global.mariadbGalera.rootPasswordExternalSecret (default (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) .Values.global.mariadbGalera.rootPasswordExternalSecret) .Values.global.mariadbGalera.localCluster }}' + password: '{{ .Values.global.mariadbGalera.mariadbRootpassword }}' + - uid: db-backup-creds + name: &dbBackupCredsSecretName '{{ include "common.release" . }}-so-db-backup-creds' + type: basicAuth + externalSecret: '{{ ternary .Values.global.migration.dbCredsExternalSecret "migrationDisabled" .Values.global.migration.enabled }}' + login: '{{ ternary .Values.global.migration.dbUser "migrationDisabled" .Values.global.migration.enabled }}' + password: '{{ ternary .Values.global.migration.dbPassword "migrationDisabled" .Values.global.migration.enabled }}' + passwordPolicy: required + annotations: + helm.sh/hook: pre-upgrade,pre-install + helm.sh/hook-weight: "0" + helm.sh/hook-delete-policy: before-hook-creation + - uid: db-user-creds + name: &dbUserCredsSecretName '{{ include "common.release" . }}-so-db-user-creds' + type: basicAuth + externalSecret: '{{ .Values.dbCreds.userCredsExternalSecret }}' + login: '{{ .Values.dbCreds.userName }}' + password: '{{ .Values.dbCreds.userPassword }}' + passwordPolicy: generate + - uid: db-admin-creds + name: &dbAdminCredsSecretName '{{ include "common.release" . 
}}-so-db-admin-creds' + type: basicAuth + externalSecret: '{{ .Values.dbCreds.adminCredsExternalSecret }}' + login: '{{ .Values.dbCreds.adminName }}' + password: '{{ .Values.dbCreds.adminPassword }}' + passwordPolicy: generate + ################################################################# # Application configuration defaults. ################################################################# + +dbSecrets: &dbSecrets + userCredsExternalSecret: *dbUserCredsSecretName + adminCredsExternalSecret: *dbAdminCredsSecretName + +# unused in this, just to pass to subcharts +dbCreds: + userName: so_user + adminName: so_admin + repository: nexus3.onap.org:10001 image: onap/so/api-handler-infra:1.5.3 pullPolicy: Always @@ -133,6 +181,8 @@ config: # --set so.global.mariadbGalera.nameOverride=so-mariadb-galera \ # --set so.global.mariadbGalera.serviceName=so-mariadb-galera mariadb-galera: + config: + mariadbRootPasswordExternalSecret: *dbRootPassSecretName nameOverride: so-mariadb-galera replicaCount: 1 service: @@ -172,7 +222,10 @@ mso: auth: 51EA5414022D7BE536E7516C4D1A6361416921849B72C0D6FC1C7F262FD9F2BBC2AD124190A332D9845A188AD80955567A4F975C84C221EEA8243BFD92FFE6896CDD1EA16ADD34E1E3D47D4A health: auth: basic bXNvX2FkbWlufHBhc3N3b3JkMSQ= + so-bpmn-infra: + db: + <<: *dbSecrets cds: auth: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== aai: @@ -204,7 +257,10 @@ so-bpmn-infra: vnfm: adapter: auth: Basic dm5mbTpwYXNzd29yZDEk + so-catalog-db-adapter: + db: + <<: *dbSecrets mso: config: cadi: @@ -215,7 +271,10 @@ so-catalog-db-adapter: adapters: db: auth: Basic YnBlbDpwYXNzd29yZDEk + so-openstack-adapter: + db: + <<: *dbSecrets aaf: auth: encrypted: 7F182B0C05D58A23A1C4966B9CDC9E0B8BC5CD53BC8C7B4083D869F8D53E9BDC3EFD55C94B1D3F @@ -240,7 +299,10 @@ so-openstack-adapter: noAuthn: /manage/health db: auth: Basic YnBlbDpwYXNzd29yZDEk + so-request-db-adapter: + db: + <<: *dbSecrets mso: config: cadi: 
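Review bot: The `db-root-pass` entry reads `.Values.global.mariadbGalera.mariadbRootpassword` (lower-case `p`), but the key shown in the first hunk's comment is `mariadbRootPassword`; Helm value keys are case-sensitive, so a root password set under the documented name would not reach this secret. The line should read `password: '{{ .Values.global.mariadbGalera.mariadbRootPassword }}'`. This entry is also the only one of the four without an explicit `passwordPolicy`, so what happens with an empty value depends on the common template's default, which is not visible here; stating the policy explicitly would make the intent clear.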
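Review bot: The `<<: *dbSecrets` merge under `so-bpmn-infra.db` is expanded when this values.yaml is parsed, so overriding the top-level `dbSecrets` keys with `--set` or an override file does not change what the subchart receives. The same applies to the identical additions for so-catalog-db-adapter, so-openstack-adapter, so-request-db-adapter, so-sdc-controller, so-sdnc-adapter, so-vfc-adapter and so-monitoring. The aliased values are unrendered template strings (`'{{ include "common.release" . }}-so-db-user-creds'`), so each subchart presumably has to render them with `tpl`, and the name only matches the parent's secret if `common.release` resolves identically in the subchart context; neither is visible in this diff. A comment beside the merge, for example `# alias is expanded at parse time; override <subchart>.db.* directly`, would document this for operators.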
@@ -251,7 +313,10 @@ so-request-db-adapter: adapters: requestDb: auth: Basic YnBlbDpwYXNzd29yZDEk + so-sdc-controller: + db: + <<: *dbSecrets aai: auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 mso: @@ -271,6 +336,8 @@ so-sdc-controller: asdc-controller1: password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F so-sdnc-adapter: + db: + <<: *dbSecrets org: onap: so: @@ -292,7 +359,10 @@ so-sdnc-adapter: auth: Basic YnBlbDpwYXNzd29yZDEk rest: aafEncrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 + so-vfc-adapter: + db: + <<: *dbSecrets mso: config: cadi: @@ -322,3 +392,15 @@ so-vnfm-adapter: aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 apiEnforcement: org.onap.so.vnfmAdapterPerm noAuthn: /manage/health + +so-monitoring: + db: + <<: *dbSecrets + +so-mariadb: + db: + rootPasswordExternalSecretLocalDb: *dbRootPassSecretName + rootPasswordExternalSecret: '{{ ternary .Values.db.rootPasswordExternalSecretLocalDb (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) .Values.global.mariadbGalera.localCluster }}' + backupCredsExternalSecret: *dbBackupCredsSecretName + userCredsExternalSecret: *dbUserCredsSecretName + adminCredsExternalSecret: *dbAdminCredsSecretName |
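Review bot: In the last hunk, `so-mariadb.db.rootPasswordExternalSecret` does not follow the same selection logic as the `db-root-pass` entry in the secrets block. With `localCluster: false` it always resolves to the shared-instance name from `common.mariadb.secret.rootPassSecretName` and ignores `global.mariadbGalera.rootPasswordExternalSecret`, which the secrets block honours through `default`. As far as this file shows, an operator who points SO at a custom root-password secret would get one secret name in the parent chart and a different one in so-mariadb. Using the same false branch here, `(default (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) .Values.global.mariadbGalera.rootPasswordExternalSecret)`, would keep the two in step.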