summaryrefslogtreecommitdiffstats
path: root/kubernetes
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-02-20 21:29:45 +0100
committerKrzysztof Opasiak <k.opasiak@samsung.com>2020-02-21 00:42:24 +0100
commitb9d50c917cc9eb507483be32587f42d567c827dd (patch)
treee439c93c6c80a74ea2c23c2ac977e3c140547648 /kubernetes
parent62cb98b8def94cd365d2f19b5daac596e546f5bb (diff)
[SDNC] Use common secret template in ansible-server
Whole SDNC strongly depends on the assumption that it is using a common mariadb-galera instance and that root password is secret password. Also user and password to sdnc DB is hardcoded. Let's start working on removing this assumption and component by component add support for local and shared mariadb instance without hardcoding any passwords to the database. In this patch all passwords are still hardcoded in the helm chart to not break other parts of SDNC. Those values will be removed in a final patch. Issue-ID: OOM-2309 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: Idb460e72301dd63082d7890d34fea923df3ac426
Diffstat (limited to 'kubernetes')
-rw-r--r--kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config36
-rw-r--r--kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml28
-rw-r--r--kubernetes/sdnc/charts/sdnc-ansible-server/templates/secret.yaml15
-rw-r--r--kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml49
4 files changed, 107 insertions, 21 deletions
diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config b/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config
index eb88d7236b..7dc5c19e12 100644
--- a/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config
+++ b/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config
@@ -13,33 +13,33 @@
# limitations under the License.
# Host definition
-ip: 0.0.0.0
-port: {{.Values.service.internalPort}}
+ip: 0.0.0.0
+port: {{.Values.service.internalPort}}
# Security (controls use of TLS encrypton and RestServer authentication)
-tls: no
-auth: no
+tls: no
+auth: no
# TLS certificates (must be built on application host)
-priv: provide_privated_key.pem
-pub: provide_public_key.pem
+priv: provide_privated_key.pem
+pub: provide_public_key.pem
# RestServer authentication
-id: sdnc
-psswd: sdnc
+id: ${REST_USER}
+psswd: ${REST_PASSWORD}
# Mysql
-host: {{.Values.config.mariadbGalera.serviceName}}
-user: sdnc
-passwd: sdnc
-db: ansible
+host: {{ include "common.mariadbService" $ }}
+user: ${DB_USER}
+passwd: ${DB_PASSWORD}
+db: {{ index .Values "mariadb-galera" "config" "mysqlDatabase" }}
# Playbooks
-from_files: yes
-ansible_path: /opt/onap/sdnc/Playbooks
-ansible_inv: Ansible_inventory
-ansible_temp: PlaybooksTemp
-timeout_seconds: 60
+from_files: yes
+ansible_path: /opt/onap/sdnc/Playbooks
+ansible_inv: Ansible_inventory
+ansible_temp: PlaybooksTemp
+timeout_seconds: 60
# Blocking on GetResults
-getresults_block: yes
+getresults_block: yes
diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
index 2233099224..d353adaf58 100644
--- a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
+++ b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
@@ -32,6 +32,29 @@ spec:
spec:
initContainers:
- command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: DB_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
+ - name: DB_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+ - name: REST_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "rest-creds" "key" "login") | indent 10 }}
+ - name: REST_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "rest-creds" "key" "password") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: config-input
+ - mountPath: /config
+ name: config
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+
+ - command:
- /root/ready.py
args:
- --container-name
@@ -89,9 +112,12 @@ spec:
- name: localtime
hostPath:
path: /etc/localtime
- - name: config
+ - name: config-input
configMap:
name: {{ include "common.fullname" . }}
defaultMode: 0644
+ - name: config
+ emptyDir:
+ medium: Memory
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/secret.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/secret.yaml
new file mode 100644
index 0000000000..dee311c336
--- /dev/null
+++ b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/secret.yaml
@@ -0,0 +1,15 @@
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secret" . }}
diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml
index db7c63cfa4..b0b3c81c8f 100644
--- a/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml
+++ b/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml
@@ -21,6 +21,35 @@ global:
readinessImage: readiness-check:2.0.2
loggingRepository: docker.elastic.co
loggingImage: beats/filebeat:5.5.0
+ # envsusbt
+ envsubstImage: dibi/envsubst
+ mariadbGalera:
+ #This flag allows SO to instantiate its own mariadb-galera cluster
+ #If shared instance is used, this chart assumes that DB already exists
+ localCluster: false
+ service: mariadb-galera
+ internalPort: 3306
+ nameOverride: mariadb-galera
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: db-secret
+ name: &dbSecretName '{{ include "common.release" . }}-sdnc-ansible-server-db-secret'
+ type: basicAuth
+ # This is a nasty trick that allows you override this secret using external one
+ # with the same field that is used to pass this to subchart
+ externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) (hasSuffix "sdnc-ansible-server-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}'
+ login: '{{ index .Values "mariadb-galera" "config" "userName" }}'
+ password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}'
+ passwordPolicy: required
+ - uid: rest-creds
+ type: basicAuth
+ externalSecret: '{{ .Values.config.restCredsExternalSecret }}'
+ login: '{{ .Values.config.restUser }}'
+ password: '{{ .Values.config.restPassword }}'
+ passwordPolicy: required
#################################################################
# Application configuration defaults.
@@ -37,9 +66,25 @@ debugEnabled: false
config:
sdncChartName: sdnc
configDir: /opt/onap/sdnc
- mariadbGalera:
- serviceName: mariadb-galera
+ restUser: sdnc
+ restPassword: sdnc
+ # restCredsExternalSecret: some secret
+mariadb-galera:
+ config:
+ userCredentialsExternalSecret: *dbSecretName
+ userName: sdnc
+ userPassword: sdnc
+ mysqlDatabase: ansible
+ nameOverride: ansible-server-galera
+ service:
+ name: ansible-server-galera
+ portName: ansible-server-galera
+ internalPort: 3306
+ replicaCount: 1
+ persistence:
+ enabled: true
+ mountSubPath: ansible-server/maria/data
# default number of instances
replicaCount: 1