author | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-02-20 21:29:45 +0100 |
committer | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-02-21 00:42:24 +0100 |
commit | b9d50c917cc9eb507483be32587f42d567c827dd (patch) | |
tree | e439c93c6c80a74ea2c23c2ac977e3c140547648 /kubernetes | |
parent | 62cb98b8def94cd365d2f19b5daac596e546f5bb (diff) |
[SDNC] Use common secret template in ansible-server
The whole of SDNC strongly depends on the assumption that it is using a
common mariadb-galera instance and that the root password is the secret
password. Also, the user and password for the sdnc DB are hardcoded.
Let's start working on removing this assumption and component by
component add support for local and shared mariadb instance without
hardcoding any passwords to the database.
In this patch all passwords are still hardcoded in the helm chart to
not break other parts of SDNC. Those values will be removed in a final patch.
Issue-ID: OOM-2309
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Idb460e72301dd63082d7890d34fea923df3ac426
Diffstat (limited to 'kubernetes')
4 files changed, 107 insertions, 21 deletions
diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config b/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config
index eb88d7236b..7dc5c19e12 100644
--- a/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config
+++ b/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config
@@ -13,33 +13,33 @@
 # limitations under the License.
 # Host definition
-ip: 0.0.0.0
-port: {{.Values.service.internalPort}}
+ip: 0.0.0.0
+port: {{.Values.service.internalPort}}
 # Security (controls use of TLS encrypton and RestServer authentication)
-tls: no
-auth: no
+tls: no
+auth: no
 # TLS certificates (must be built on application host)
-priv: provide_privated_key.pem
-pub: provide_public_key.pem
+priv: provide_privated_key.pem
+pub: provide_public_key.pem
 # RestServer authentication
-id: sdnc
-psswd: sdnc
+id: ${REST_USER}
+psswd: ${REST_PASSWORD}
 # Mysql
-host: {{.Values.config.mariadbGalera.serviceName}}
-user: sdnc
-passwd: sdnc
-db: ansible
+host: {{ include "common.mariadbService" $ }}
+user: ${DB_USER}
+passwd: ${DB_PASSWORD}
+db: {{ index .Values "mariadb-galera" "config" "mysqlDatabase" }}
 # Playbooks
-from_files: yes
-ansible_path: /opt/onap/sdnc/Playbooks
-ansible_inv: Ansible_inventory
-ansible_temp: PlaybooksTemp
-timeout_seconds: 60
+from_files: yes
+ansible_path: /opt/onap/sdnc/Playbooks
+ansible_inv: Ansible_inventory
+ansible_temp: PlaybooksTemp
+timeout_seconds: 60
 # Blocking on GetResults
-getresults_block: yes
+getresults_block: yes
diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
index 2233099224..d353adaf58 100644
--- a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
+++ b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
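Review bot: `id`/`psswd` now resolve from the rest-creds secret through `${REST_USER}`/`${REST_PASSWORD}`, but `auth: no` and `tls: no` a few lines above are untouched, so — if those flags mean what their comment says — the RestServer still accepts unauthenticated plaintext calls and the secret-backed credentials are presumably never checked. If leaving auth off is intended for this patch, a comment next to the flags would stop the next reader from assuming the secret is enforced, e.g. `# auth/tls stay disabled here; the REST credentials below are only checked once auth is set to yes`. Since this file is rendered by envsubst in deployment.yaml with no variable list, a short header comment such as `# rendered by envsubst at pod start: every ${VAR} below is replaced from the init container environment` would also explain why `${...}` appears in an otherwise Helm-templated file.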
@@ -32,6 +32,29 @@ spec:
 spec:
 initContainers:
 - command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: DB_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
+ - name: DB_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+ - name: REST_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "rest-creds" "key" "login") | indent 10 }}
+ - name: REST_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "rest-creds" "key" "password") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: config-input
+ - mountPath: /config
+ name: config
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+
+ - command:
 - /root/ready.py
 args:
 - --container-name
@@ -89,9 +112,12 @@ spec:
 - name: localtime
 hostPath:
 path: /etc/localtime
- - name: config
+ - name: config-input
 configMap:
 name: {{ include "common.fullname" . }}
 defaultMode: 0644
+ - name: config
+ emptyDir:
+ medium: Memory
 imagePullSecrets:
 - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/secret.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/secret.yaml
new file mode 100644
index 0000000000..dee311c336
--- /dev/null
+++ b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/secret.yaml
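Review bot: The init container's `envsubst <${PFILE}` call passes no SHELL-FORMAT, so every `$VAR`-looking token in every file of the config-input ConfigMap is substituted (or blanked when the variable is unset), not only the four credentials; any unrelated file in that ConfigMap that contains a literal `$` would be silently rewritten. The `` `ls -1 .` `` command substitution also breaks on file names containing whitespace. Restricting the substitution to the intended variables and iterating with a glob fixes both, provided the envsubst in `dibi/envsubst` is the GNU gettext one: `- "cd /config-input && for PFILE in *; do envsubst '${DB_USER} ${DB_PASSWORD} ${REST_USER} ${REST_PASSWORD}' <${PFILE} >/config/${PFILE}; done"`. The enclosing `initContainers` list and the Deployment spec start and end outside the hunk.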
@@ -0,0 +1,15 @@
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secret" . }}
diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml
index db7c63cfa4..b0b3c81c8f 100644
--- a/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml
+++ b/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml
@@ -21,6 +21,35 @@ global:
 readinessImage: readiness-check:2.0.2
 loggingRepository: docker.elastic.co
 loggingImage: beats/filebeat:5.5.0
+ # envsusbt
+ envsubstImage: dibi/envsubst
+ mariadbGalera:
+ #This flag allows SO to instantiate its own mariadb-galera cluster
+ #If shared instance is used, this chart assumes that DB already exists
+ localCluster: false
+ service: mariadb-galera
+ internalPort: 3306
+ nameOverride: mariadb-galera
+
+#################################################################
+ # Secrets metaconfig
+#################################################################
+secrets:
+ - uid: db-secret
+ name: &dbSecretName '{{ include "common.release" . }}-sdnc-ansible-server-db-secret'
+ type: basicAuth
+ # This is a nasty trick that allows you override this secret using external one
+ # with the same field that is used to pass this to subchart
+ externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) (hasSuffix "sdnc-ansible-server-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}'
+ login: '{{ index .Values "mariadb-galera" "config" "userName" }}'
+ password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}'
+ passwordPolicy: required
+ - uid: rest-creds
+ type: basicAuth
+ externalSecret: '{{ .Values.config.restCredsExternalSecret }}'
+ login: '{{ .Values.config.restUser }}'
+ password: '{{ .Values.config.restPassword }}'
+ passwordPolicy: required
 #################################################################
 # Application configuration defaults.
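Review bot: The comment introducing the new `mariadbGalera` block, `#This flag allows SO to instantiate its own mariadb-galera cluster`, names SO rather than this chart and looks copied from another values file; nothing in this hunk shows a template reading `localCluster`, so a reader of sdnc-ansible-server/values.yaml cannot tell whether the flag is honoured here. Suggest `# This flag allows sdnc-ansible-server to instantiate its own mariadb-galera cluster` and `# If a shared instance is used, this chart assumes that the DB already exists`, and a note on which template consumes the flag if one does. The `# envsusbt` comment above `envsubstImage` is also misspelled (`# envsubst`). The `global:` mapping these keys extend starts before the hunk.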
@@ -37,9 +66,25 @@ debugEnabled: false
 config:
 sdncChartName: sdnc
 configDir: /opt/onap/sdnc
- mariadbGalera:
- serviceName: mariadb-galera
+ restUser: sdnc
+ restPassword: sdnc
+ # restCredsExternalSecret: some secret
+mariadb-galera:
+ config:
+ userCredentialsExternalSecret: *dbSecretName
+ userName: sdnc
+ userPassword: sdnc
+ mysqlDatabase: ansible
+ nameOverride: ansible-server-galera
+ service:
+ name: ansible-server-galera
+ portName: ansible-server-galera
+ internalPort: 3306
+ replicaCount: 1
+ persistence:
+ enabled: true
+ mountSubPath: ansible-server/maria/data
 # default number of instances
 replicaCount: 1 |
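Review bot: `restPassword: sdnc` and `userPassword: sdnc` are plaintext default credentials that feed the generated secrets, and the commit message says they are kept on purpose until a final patch, but nothing in values.yaml records that, so a reader of the file alone will take them for intended defaults. A marker next to each, e.g. `# TODO(OOM-2309): placeholder kept so other SDNC components keep working; remove once they read credentials from secrets`, plus a sentence saying that `restCredsExternalSecret` / `userCredentialsExternalSecret` are the supported way to supply real credentials, would make the intent visible at the point where someone would copy these values. The commented `# restCredsExternalSecret: some secret` would read better as `# restCredsExternalSecret: <name of an existing basicAuth secret>`.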