authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-02-25 23:31:20 +0100
committerKrzysztof Opasiak <k.opasiak@samsung.com>2020-03-04 21:00:24 +0100
commitcc97c73108f8b3e2f1f58ab0463fce2fb99d79c2 (patch)
tree068d832fdc751fe0260e380c66372f29d0e86990 /kubernetes
parent0320331c03eb50e1e8fb4e14a409b968a761e5d2 (diff)
[SDNC] Use common secret template in sdnc
Some passwords are still hardcoded but with this commit all components should be using passwords provided via secrets not directly as strings. A follow-up patch will remove hardcoded passwords where feasible. Issue-ID: OOM-2309 Change-Id: I047974506430cbb277200d0103bcc57a6fd8a83b Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Diffstat (limited to 'kubernetes')
-rw-r--r--kubernetes/sdnc/charts/ueb-listener/values.yaml2
-rw-r--r--kubernetes/sdnc/requirements.yaml3
-rwxr-xr-x[-rw-r--r--]kubernetes/sdnc/resources/config/bin/installSdncDb.sh12
-rwxr-xr-xkubernetes/sdnc/resources/config/bin/startODL.sh7
-rwxr-xr-xkubernetes/sdnc/resources/config/conf/aaiclient.properties7
-rw-r--r--kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties8
-rw-r--r--kubernetes/sdnc/resources/config/conf/dblib.properties11
-rw-r--r--kubernetes/sdnc/resources/config/conf/lcm-dg.properties12
-rwxr-xr-xkubernetes/sdnc/resources/config/conf/netbox.properties2
-rw-r--r--kubernetes/sdnc/resources/config/conf/svclogic.properties12
-rwxr-xr-xkubernetes/sdnc/templates/job.yaml74
-rw-r--r--kubernetes/sdnc/templates/secret-aaf.yaml15
-rw-r--r--kubernetes/sdnc/templates/secrets.yaml56
-rw-r--r--kubernetes/sdnc/templates/statefulset.yaml120
-rw-r--r--kubernetes/sdnc/values.yaml177
15 files changed, 322 insertions, 196 deletions
diff --git a/kubernetes/sdnc/charts/ueb-listener/values.yaml b/kubernetes/sdnc/charts/ueb-listener/values.yaml
index 9b7dcb054b..254d76a05e 100644
--- a/kubernetes/sdnc/charts/ueb-listener/values.yaml
+++ b/kubernetes/sdnc/charts/ueb-listener/values.yaml
@@ -52,7 +52,7 @@ secrets:
passwordPolicy: required
- uid: ueb-creds
type: basicAuth
- externalSecret: '{{ tpl (default "" .Values.config.odlCredsExternalSecret) . }}'
+ externalSecret: '{{ tpl (default "" .Values.config.uebCredsExternalSecret) . }}'
login: '{{ .Values.config.uebUser }}'
password: '{{ .Values.config.uebPassword }}'
passwordPolicy: required
diff --git a/kubernetes/sdnc/requirements.yaml b/kubernetes/sdnc/requirements.yaml
index c3b757ae14..58db6ad7a0 100644
--- a/kubernetes/sdnc/requirements.yaml
+++ b/kubernetes/sdnc/requirements.yaml
@@ -29,5 +29,4 @@ dependencies:
- name: mariadb-galera
version: ~5.x-0
repository: '@local'
- condition: config.localDBCluster
-
+ condition: .global.mariadbGalera.localCluster
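Review bot: The new `condition: .global.mariadbGalera.localCluster` carries a leading dot, whereas Helm documents `condition` as a bare values path such as `global.mariadbGalera.localCluster`; a condition path that does not resolve is only logged as a warning and the dependency then keeps its default enabled state. If the leading dot is not accepted by the Helm version OOM targets, the local mariadb-galera subchart would still be deployed with `localCluster: false`, which is the opposite of what the flag promises. Worth confirming with a dry-run render that the subchart is actually skipped, and otherwise changing the line to `condition: global.mariadbGalera.localCluster`.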
diff --git a/kubernetes/sdnc/resources/config/bin/installSdncDb.sh b/kubernetes/sdnc/resources/config/bin/installSdncDb.sh
index 455cb834f9..754ff2c5cc 100644..100755
--- a/kubernetes/sdnc/resources/config/bin/installSdncDb.sh
+++ b/kubernetes/sdnc/resources/config/bin/installSdncDb.sh
@@ -25,11 +25,11 @@ SDNC_HOME=${SDNC_HOME:-/opt/onap/sdnc}
ETC_DIR=${ETC_DIR:-${SDNC_HOME}/data}
BIN_DIR=${BIN_DIR-${SDNC_HOME}/bin}
MYSQL_HOST=${MYSQL_HOST:-dbhost}
-MYSQL_PASSWORD=${MYSQL_PASSWORD:-openECOMP1.0}
+MYSQL_PASSWORD=${MYSQL_ROOT_PASSWORD}
-SDNC_DB_USER=${SDNC_DB_USER:-sdnctl}
-SDNC_DB_PASSWORD=${SDNC_DB_PASSWORD:-gamma}
-SDNC_DB_DATABASE=${SDN_DB_DATABASE:-sdnctl}
+SDNC_DB_USER=${SDNC_DB_USER}
+SDNC_DB_PASSWORD=${SDNC_DB_PASSWORD}
+SDNC_DB_DATABASE=${SDNC_DB_DATABASE}
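Review bot: Removing the fallback defaults means `MYSQL_PASSWORD=${MYSQL_ROOT_PASSWORD}` and the three `SDNC_DB_*` assignments silently become empty whenever the corresponding secret key is missing or misnamed, and the script then runs `mysql ... -p` with an empty password (the client prompts instead of failing) against an empty database name. Fail fast at the top of the script instead, e.g. `: "${MYSQL_ROOT_PASSWORD:?MYSQL_ROOT_PASSWORD must be set}"` with the same `:?` guard for `SDNC_DB_USER`, `SDNC_DB_PASSWORD` and `SDNC_DB_DATABASE`. The `ODL_ADMIN_USERNAME`/`ODL_ADMIN_PASSWORD` assignments in the startODL.sh hunk have the same gap. The script body continues outside this hunk.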
# Create tablespace and user account
@@ -46,12 +46,12 @@ END
# load schema
if [ -f ${ETC_DIR}/sdnctl.dump ]
then
- mysql -h ${MYSQL_HOST} -u root -p${MYSQL_PASSWORD} sdnctl < ${ETC_DIR}/sdnctl.dump
+ mysql -h ${MYSQL_HOST} -u root -p${MYSQL_PASSWORD} ${SDNC_DB_DATABASE} < ${ETC_DIR}/sdnctl.dump
fi
for datafile in ${ETC_DIR}/*.data.dump
do
- mysql -h ${MYSQL_HOST} -u root -p${MYSQL_PASSWORD} sdnctl < $datafile
+ mysql -h ${MYSQL_HOST} -u root -p${MYSQL_PASSWORD} ${SDNC_DB_DATABASE} < $datafile
done
# Create VNIs 100-199
diff --git a/kubernetes/sdnc/resources/config/bin/startODL.sh b/kubernetes/sdnc/resources/config/bin/startODL.sh
index 5f5f811fd0..af5c36207c 100755
--- a/kubernetes/sdnc/resources/config/bin/startODL.sh
+++ b/kubernetes/sdnc/resources/config/bin/startODL.sh
@@ -65,7 +65,7 @@ function enable_odl_cluster(){
addToFeatureBoot odl-jolokia
#${ODL_HOME}/bin/client feature:install odl-mdsal-clustering
#${ODL_HOME}/bin/client feature:install odl-jolokia
-
+
echo "Update cluster information statically"
hm=$(hostname)
@@ -113,8 +113,8 @@ function enable_odl_cluster(){
# Install SDN-C platform components if not already installed and start container
ODL_HOME=${ODL_HOME:-/opt/opendaylight/current}
-ODL_ADMIN_USERNAME=${ODL_ADMIN_USERNAME:-admin}
-ODL_ADMIN_PASSWORD=${ODL_ADMIN_PASSWORD:-Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U}
+ODL_ADMIN_USERNAME=${ODL_ADMIN_USERNAME}
+ODL_ADMIN_PASSWORD=${ODL_ADMIN_PASSWORD}
SDNC_HOME=${SDNC_HOME:-/opt/onap/sdnc}
SDNC_BIN=${SDNC_BIN:-/opt/onap/sdnc/bin}
CCSDK_HOME=${CCSDK_HOME:-/opt/onap/ccsdk}
@@ -166,4 +166,3 @@ nohup python ${SDNC_BIN}/installCerts.py &
exec ${ODL_HOME}/bin/karaf server
-
diff --git a/kubernetes/sdnc/resources/config/conf/aaiclient.properties b/kubernetes/sdnc/resources/config/conf/aaiclient.properties
index 035942b304..5d4473c978 100755
--- a/kubernetes/sdnc/resources/config/conf/aaiclient.properties
+++ b/kubernetes/sdnc/resources/config/conf/aaiclient.properties
@@ -2,8 +2,7 @@
# ============LICENSE_START=======================================================
# openECOMP : SDN-C
# ================================================================================
-# Copyright (C) 2018 ONAP Intellectual Property. All rights
-# reserved.
+# Copyright (C) 2018 ONAP Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -30,8 +29,8 @@ org.onap.ccsdk.sli.adaptors.aai.ssl.trust=/opt/onap/sdnc/data/stores/truststoreO
org.onap.ccsdk.sli.adaptors.aai.ssl.trust.psswd=changeit
org.onap.ccsdk.sli.adaptors.aai.host.certificate.ignore=true
-org.onap.ccsdk.sli.adaptors.aai.client.name=sdnc@sdnc.onap.org
-org.onap.ccsdk.sli.adaptors.aai.client.psswd=demo123456!
+org.onap.ccsdk.sli.adaptors.aai.client.name=${AAI_CLIENT_NAME}
+org.onap.ccsdk.sli.adaptors.aai.client.psswd=${AAI_CLIENT_PASSWORD}
org.onap.ccsdk.sli.adaptors.aai.application=openECOMP
#
diff --git a/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties b/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties
index 3a6b5a08f0..224e84b3a7 100644
--- a/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties
+++ b/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties
@@ -24,12 +24,12 @@ org.onap.ccsdk.features.blueprints.adaptors.envtype=solo
org.onap.ccsdk.features.blueprints.adaptors.modelservice.type=generic
org.onap.ccsdk.features.blueprints.adaptors.modelservice.enable=true
org.onap.ccsdk.features.blueprints.adaptors.modelservice.url=http://controller-blueprints:8080/api/v1/
-org.onap.ccsdk.features.blueprints.adaptors.modelservice.user=ccsdkapps
-org.onap.ccsdk.features.blueprints.adaptors.modelservice.passwd=ccsdkapps
+org.onap.ccsdk.features.blueprints.adaptors.modelservice.user=${MODELSERVICE_USER}
+org.onap.ccsdk.features.blueprints.adaptors.modelservice.passwd=${MODELSERVICE_PASSWORD}
# Generic RESTCONF Adaptor
org.onap.ccsdk.features.blueprints.adaptors.restconf.type=generic
org.onap.ccsdk.features.blueprints.adaptors.restconf.enable=true
-org.onap.ccsdk.features.blueprints.adaptors.restconf.user=admin
-org.onap.ccsdk.features.blueprints.adaptors.restconf.passwd={{ .Values.config.odlPassword}}
+org.onap.ccsdk.features.blueprints.adaptors.restconf.user=${RESTCONF_USER}
+org.onap.ccsdk.features.blueprints.adaptors.restconf.passwd=${RESTCONF_PASSWORD}
org.onap.ccsdk.features.blueprints.adaptors.restconf.url=http://sdnc:8282/restconf/
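Review bot: The restconf adaptor credential changes meaning here: the removed line set `restconf.passwd` to `{{ .Values.config.odlPassword}}`, i.e. the ODL admin password for the `http://sdnc:8282/restconf/` endpoint on the next line, while the new `${RESTCONF_PASSWORD}` is fed from the `restconf-creds` secret, whose defaults in the values.yaml hunk are `restconfUser: admin` / `restconfPassword: admin`. Unless the ODL admin password is also `admin`, the blueprints processor will no longer authenticate to SDNC's own RESTCONF after this change. The lcm-dg.properties hunk reuses the same `RESTCONF_*` variables and was `admin`/`admin` before, so the two consumers previously had different credentials; if they are meant to stay different, a separate secret uid for this adaptor that defaults to the ODL credentials would preserve behaviour, otherwise a comment here stating that the restconf and ODL admin passwords must match would at least make the new coupling explicit.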
diff --git a/kubernetes/sdnc/resources/config/conf/dblib.properties b/kubernetes/sdnc/resources/config/conf/dblib.properties
index 1849053411..1fb6fb8732 100644
--- a/kubernetes/sdnc/resources/config/conf/dblib.properties
+++ b/kubernetes/sdnc/resources/config/conf/dblib.properties
@@ -1,7 +1,6 @@
###
# ============LICENSE_START=======================================================
-# Copyright (C) 2018 AT&T Intellectual Property. All rights
-# reserved.
+# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,11 +17,11 @@
###
org.onap.ccsdk.sli.dbtype=jdbc
org.onap.ccsdk.sli.jdbc.hosts=sdnctldb01
-org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGalera.serviceName}}.{{.Release.Namespace}}:{{.Values.config.mariadbGalera.internalPort}}/sdnctl
+org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{include "common.mariadbService" $}}:{{include "common.mariadbPort" $}}/{{$.Values.config.dbSdnctlDatabase}}
org.onap.ccsdk.sli.jdbc.driver=org.mariadb.jdbc.Driver
-org.onap.ccsdk.sli.jdbc.database=sdnctl
-org.onap.ccsdk.sli.jdbc.user=sdnctl
-org.onap.ccsdk.sli.jdbc.password={{.Values.config.dbSdnctlPassword}}
+org.onap.ccsdk.sli.jdbc.database={{$.Values.config.dbSdnctlDatabase}}
+org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER}
+org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWORD}
org.onap.ccsdk.sli.jdbc.connection.name=sdnctldb01
org.onap.ccsdk.sli.jdbc.connection.timeout=50
org.onap.ccsdk.sli.jdbc.request.timeout=100
diff --git a/kubernetes/sdnc/resources/config/conf/lcm-dg.properties b/kubernetes/sdnc/resources/config/conf/lcm-dg.properties
index f91c62c98b..44ee0b998f 100644
--- a/kubernetes/sdnc/resources/config/conf/lcm-dg.properties
+++ b/kubernetes/sdnc/resources/config/conf/lcm-dg.properties
@@ -1,7 +1,7 @@
#ANSIBLE
ansible.agenturl=http://{{.Values.config.ansibleServiceName}}:{{.Values.config.ansiblePort}}/Dispatch
-ansible.user=sdnc
-ansible.password=sdnc
+ansible.user=${ANSIBLE_USER}
+ansible.password=${ANSIBLE_PASSWORD}
ansible.lcm.localparameters=
ansible.nodelist=
ansible.timeout=60
@@ -23,10 +23,10 @@ restapi.templateDir=/opt/onap/sdnc/restapi/templates
lcm.restconf.configscaleout.templatefile=lcm-restconf-configscaleout.json
lcm.restconf.configscaleout.urlpath=/restconf/config/vlb-business-vnf-onap-plugin:vlb-business-vnf-onap-plugin/vdns-instances/vdns-instance/
lcm.restconf.configscaleout.geturlpath=/restconf/operational/health-vnf-onap-plugin:health-vnf-onap-plugin-state/health-check
-lcm.restconf.configscaleout.user=admin
-lcm.restconf.configscaleout.password=admin
-lcm.restconf.user=admin
-lcm.restconf.password=admin
+lcm.restconf.configscaleout.user=${SCALEOUT_USER}
+lcm.restconf.configscaleout.password=${SCALEOUT_PASSWORD}
+lcm.restconf.user=${RESTCONF_USER}
+lcm.restconf.password=${RESTCONF_PASSWORD}
lcm.restconf.port=8183
#DMAAP
diff --git a/kubernetes/sdnc/resources/config/conf/netbox.properties b/kubernetes/sdnc/resources/config/conf/netbox.properties
index 9cd3880614..a768041945 100755
--- a/kubernetes/sdnc/resources/config/conf/netbox.properties
+++ b/kubernetes/sdnc/resources/config/conf/netbox.properties
@@ -16,4 +16,4 @@
# Configuration file for Netbox client
org.onap.ccsdk.sli.adaptors.netbox.url=http://netbox-app.{{.Release.Namespace}}:8001
-org.onap.ccsdk.sli.adaptors.netbox.apikey=onceuponatimeiplayedwithnetbox20180814 \ No newline at end of file
+org.onap.ccsdk.sli.adaptors.netbox.apikey=${NETBOX_API_KEY} \ No newline at end of file
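Review bot: `${NETBOX_API_KEY}` does not match the variable exported by the envsubst init container, which is named `NETBOX_APIKEY` in both the job.yaml and statefulset.yaml hunks; envsubst replaces an unset variable with an empty string rather than failing, so the rendered `apikey` property will be blank and every Netbox call will go out unauthenticated. Rename one side so they agree, e.g. `org.onap.ccsdk.sli.adaptors.netbox.apikey=${NETBOX_APIKEY}`. The file also still ends without a trailing newline.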
diff --git a/kubernetes/sdnc/resources/config/conf/svclogic.properties b/kubernetes/sdnc/resources/config/conf/svclogic.properties
index 55ef8e7e85..adbba660c5 100644
--- a/kubernetes/sdnc/resources/config/conf/svclogic.properties
+++ b/kubernetes/sdnc/resources/config/conf/svclogic.properties
@@ -2,8 +2,7 @@
# ============LICENSE_START=======================================================
# openECOMP : SDN-C
# ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights
-# reserved.
+# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -20,8 +19,7 @@
###
org.onap.ccsdk.sli.dbtype = jdbc
-org.onap.ccsdk.sli.jdbc.url = jdbc:mysql://{{.Values.config.mariadbGalera.serviceName}}.{{.Release.Namespace}}:{{.Values.config.mariadbGalera.internalPort}}/sdnctl
-org.onap.ccsdk.sli.jdbc.database = sdnctl
-org.onap.ccsdk.sli.jdbc.user = sdnctl
-org.onap.ccsdk.sli.jdbc.password = {{.Values.config.dbSdnctlPassword}}
-
+org.onap.ccsdk.sli.jdbc.url = jdbc:mysql://{{include "common.mariadbService" $}}:{{include "common.mariadbPort" $}}/{{$.Values.config.dbSdnctlDatabase}}
+org.onap.ccsdk.sli.jdbc.database = {{$.Values.config.dbSdnctlDatabase}}
+org.onap.ccsdk.sli.jdbc.user = ${SDNC_DB_USER}
+org.onap.ccsdk.sli.jdbc.password = ${SDNC_DB_PASSWORD}
diff --git a/kubernetes/sdnc/templates/job.yaml b/kubernetes/sdnc/templates/job.yaml
index dc77006a60..0cd0eae610 100755
--- a/kubernetes/sdnc/templates/job.yaml
+++ b/kubernetes/sdnc/templates/job.yaml
@@ -36,12 +36,53 @@ spec:
name: {{ include "common.name" . }}
spec:
initContainers:
+ - command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: AAI_CLIENT_NAME
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aai-user-creds" "key" "login") | indent 10 }}
+ - name: AAI_CLIENT_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aai-user-creds" "key" "password") | indent 10 }}
+ - name: MODELSERVICE_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "modeling-user-creds" "key" "login") | indent 10 }}
+ - name: MODELSERVICE_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "modeling-user-creds" "key" "password") | indent 10 }}
+ - name: RESTCONF_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "restconf-creds" "key" "login") | indent 10 }}
+ - name: RESTCONF_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "restconf-creds" "key" "password") | indent 10 }}
+ - name: ANSIBLE_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "ansible-creds" "key" "login") | indent 10 }}
+ - name: ANSIBLE_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "ansible-creds" "key" "password") | indent 10 }}
+ - name: SCALEOUT_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "scaleout-creds" "key" "login") | indent 10 }}
+ - name: SCALEOUT_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "scaleout-creds" "key" "password") | indent 10 }}
+ - name: NETBOX_APIKEY
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "netbox-apikey" "key" "password") | indent 10 }}
+ - name: SDNC_DB_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
+ - name: SDNC_DB_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: config-input
+ - mountPath: /config
+ name: properties
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+
- name: {{ include "common.name" . }}-readiness
command:
- /root/ready.py
args:
- --container-name
- - {{ .Values.config.mariadbGalera.chartName }}
+ - {{ include "common.mariadbService" . }}
env:
- name: NAMESPACE
valueFrom:
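Review bot: The envsubst init container iterates over `` `ls -1 .` `` and runs `envsubst` with no variable list, so every `$NAME` or `${NAME}` in any file of the properties ConfigMap is replaced (or blanked when unset), not just the twelve credentials declared under `env`; a property value that legitimately contains `$` would be silently corrupted. Passing the allowed set explicitly, `envsubst '$AAI_CLIENT_NAME $AAI_CLIENT_PASSWORD $MODELSERVICE_USER ...' <${PFILE} >/config/${PFILE}`, confines the substitution and documents the contract between this template and the properties files, and `for PFILE in *` avoids the `ls` parsing. This container is duplicated verbatim in the statefulset.yaml hunk; a named template would keep the two env lists from drifting. The initContainers list continues outside the hunk.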
@@ -55,31 +96,24 @@ spec:
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
env:
- - name: MYSQL_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}
- key: db-root-password
+ - name: MYSQL_ROOT_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }}
+ - name: ODL_ADMIN_USERNAME
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "login") | indent 12 }}
- name: ODL_ADMIN_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}-odl
- key: odl-password
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "password") | indent 12 }}
+ - name: SDNC_DB_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }}
- name: SDNC_DB_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}-sdnctl
- key: db-sdnctl-password
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
- name: MYSQL_HOST
- value: "{{.Values.config.mariadbGalera.serviceName}}.{{.Release.Namespace}}"
+ value: {{ include "common.mariadbService" . }}
- name: SDNC_HOME
value: "{{.Values.config.sdncHome}}"
- name: ETC_DIR
value: "{{.Values.config.etcDir}}"
- name: BIN_DIR
value: "{{.Values.config.binDir}}"
- - name: SDNC_DB_USER
- value: "{{.Values.config.dbSdnctlUser}}"
- name: SDNC_DB_DATABASE
value: "{{.Values.config.dbSdnctlDatabase}}"
volumeMounts:
@@ -119,11 +153,13 @@ spec:
configMap:
name: {{ include "common.fullname" . }}-bin
defaultMode: 0755
- - name: properties
+ - name: config-input
configMap:
name: {{ include "common.fullname" . }}-properties
defaultMode: 0644
+ - name: properties
+ emptyDir:
+ medium: Memory
restartPolicy: Never
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
-
diff --git a/kubernetes/sdnc/templates/secret-aaf.yaml b/kubernetes/sdnc/templates/secret-aaf.yaml
deleted file mode 100644
index cd2e539b28..0000000000
--- a/kubernetes/sdnc/templates/secret-aaf.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{ if .Values.global.aafEnabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-aaf
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.fullname" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
- aaf-password: {{ .Values.aaf_init.deploy_pass | b64enc | quote }}
-{{ end }}
diff --git a/kubernetes/sdnc/templates/secrets.yaml b/kubernetes/sdnc/templates/secrets.yaml
index e8cb336883..dee311c336 100644
--- a/kubernetes/sdnc/templates/secrets.yaml
+++ b/kubernetes/sdnc/templates/secrets.yaml
@@ -1,41 +1,15 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.fullname" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
- db-root-password: {{ .Values.config.dbRootPassword | b64enc | quote }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-odl
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.fullname" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
- odl-password: {{ .Values.config.odlPassword | b64enc | quote }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-sdnctl
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.fullname" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
- db-sdnctl-password: {{ .Values.config.dbSdnctlPassword | b64enc | quote }}
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secret" . }}
diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml
index 1611449095..6054546d58 100644
--- a/kubernetes/sdnc/templates/statefulset.yaml
+++ b/kubernetes/sdnc/templates/statefulset.yaml
@@ -34,10 +34,51 @@ spec:
spec:
initContainers:
- command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: AAI_CLIENT_NAME
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aai-user-creds" "key" "login") | indent 10 }}
+ - name: AAI_CLIENT_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aai-user-creds" "key" "password") | indent 10 }}
+ - name: MODELSERVICE_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "modeling-user-creds" "key" "login") | indent 10 }}
+ - name: MODELSERVICE_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "modeling-user-creds" "key" "password") | indent 10 }}
+ - name: RESTCONF_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "restconf-creds" "key" "login") | indent 10 }}
+ - name: RESTCONF_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "restconf-creds" "key" "password") | indent 10 }}
+ - name: ANSIBLE_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "ansible-creds" "key" "login") | indent 10 }}
+ - name: ANSIBLE_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "ansible-creds" "key" "password") | indent 10 }}
+ - name: SCALEOUT_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "scaleout-creds" "key" "login") | indent 10 }}
+ - name: SCALEOUT_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "scaleout-creds" "key" "password") | indent 10 }}
+ - name: NETBOX_APIKEY
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "netbox-apikey" "key" "password") | indent 10 }}
+ - name: SDNC_DB_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
+ - name: SDNC_DB_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: config-input
+ - mountPath: /config
+ name: properties
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+
+ - command:
- /root/ready.py
args:
- --container-name
- - {{ .Values.config.mariadbGalera.chartName }}
+ - {{ include "common.mariadbService" . }}
env:
- name: NAMESPACE
valueFrom:
@@ -89,12 +130,9 @@ spec:
- name: aaf_locator_app_ns
value: "{{ .Values.aaf_init.app_ns }}"
- name: DEPLOY_FQI
- value: "{{ .Values.aaf_init.deploy_fqi }}"
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aaf-creds" "key" "login") | indent 12 }}
- name: DEPLOY_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" .}}-aaf
- key: aaf-password
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aaf-creds" "key" "password") | indent 12 }}
- name: cadi_longitude
value: "{{ .Values.aaf_init.cadi_longitude }}"
- name: cadi_latitude
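Review bot: `DEPLOY_FQI` and `DEPLOY_PASSWORD` now read the `aaf-creds` secret, whose `externalSecret` in the values.yaml hunk resolves to the sentinel `aafIsDiabled` (sic) when `global.aafEnabled` is false; a `secretKeyRef` to that non-existent secret would leave the pod in CreateContainerConfigError. That is harmless only if the enclosing aaf init container is itself wrapped in `{{ if .Values.global.aafEnabled }}`, which starts outside this hunk, so it is worth confirming; the sentinel's spelling should also be fixed to `aafIsDisabled` while at it.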
@@ -125,41 +163,36 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
env:
- - name: MYSQL_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}
- key: db-root-password
- - name: ODL_ADMIN_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}-odl
- key: odl-password
- - name: SDNC_DB_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}-sdnctl
- key: db-sdnctl-password
- - name: SDNC_CONFIG_DIR
- value: "{{ .Values.config.configDir }}"
- - name: ENABLE_ODL_CLUSTER
- value: "{{ .Values.config.enableClustering }}"
- - name: MY_ODL_CLUSTER
- value: "{{ .Values.config.myODLCluster }}"
- - name: PEER_ODL_CLUSTER
- value: "{{ .Values.config.peerODLCluster }}"
- - name: IS_PRIMARY_CLUSTER
- value: "{{ .Values.config.isPrimaryCluster }}"
- - name: GEO_ENABLED
- value: "{{ .Values.config.geoEnabled}}"
- - name: SDNC_AAF_ENABLED
- value: "{{ .Values.global.aafEnabled}}"
- - name: SDNC_REPLICAS
- value: "{{ .Values.replicaCount }}"
- - name: MYSQL_HOST
- value: "{{.Values.config.mariadbGalera.serviceName}}.{{.Release.Namespace}}"
- - name: JAVA_HOME
- value: "{{ .Values.config.javaHome}}"
+ - name: MYSQL_ROOT_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }}
+ - name: ODL_ADMIN_USERNAME
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "login") | indent 12 }}
+ - name: ODL_ADMIN_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "password") | indent 12 }}
+ - name: SDNC_DB_USER
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }}
+ - name: SDNC_DB_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
+ - name: SDNC_CONFIG_DIR
+ value: "{{ .Values.config.configDir }}"
+ - name: ENABLE_ODL_CLUSTER
+ value: "{{ .Values.config.enableClustering }}"
+ - name: MY_ODL_CLUSTER
+ value: "{{ .Values.config.myODLCluster }}"
+ - name: PEER_ODL_CLUSTER
+ value: "{{ .Values.config.peerODLCluster }}"
+ - name: IS_PRIMARY_CLUSTER
+ value: "{{ .Values.config.isPrimaryCluster }}"
+ - name: GEO_ENABLED
+ value: "{{ .Values.config.geoEnabled}}"
+ - name: SDNC_AAF_ENABLED
+ value: "{{ .Values.global.aafEnabled}}"
+ - name: SDNC_REPLICAS
+ value: "{{ .Values.replicaCount }}"
+ - name: MYSQL_HOST
+ value: {{ include "common.mariadbService" . }}
+ - name: JAVA_HOME
+ value: "{{ .Values.config.javaHome}}"
volumeMounts:
- mountPath: /etc/localtime
name: localtime
@@ -252,10 +285,13 @@ spec:
configMap:
name: {{ include "common.fullname" . }}-bin
defaultMode: 0755
- - name: properties
+ - name: config-input
configMap:
name: {{ include "common.fullname" . }}-properties
defaultMode: 0644
+ - name: properties
+ emptyDir:
+ medium: Memory
- name: {{ include "common.fullname" . }}-certs
{{ if .Values.certpersistence.enabled }}
persistentVolumeClaim:
diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml
index 4447a7dfaa..8fd7590863 100644
--- a/kubernetes/sdnc/values.yaml
+++ b/kubernetes/sdnc/values.yaml
@@ -26,6 +26,83 @@ global:
persistence:
mountPath: /dockerdata-nfs
aafEnabled: true
+ # envsusbt
+ envsubstImage: dibi/envsubst
+ mariadbGalera:
+ #This flag allows SO to instantiate its own mariadb-galera cluster
+ #If shared instance is used, this chart assumes that DB already exists
+ localCluster: false
+ service: mariadb-galera
+ internalPort: 3306
+ nameOverride: mariadb-galera
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: db-root-password
+ name: '{{ include "common.release" . }}-sdnc-db-root-password'
+ type: password
+ externalSecret: '{{ .Values.global.mariadbGalera.localCluster | ternary (default (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" (index .Values "mariadb-galera" "nameOverride"))) (index .Values "mariadb-galera" "config" "mariadbRootPasswordExternalSecret")) (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) }}'
+ password: '{{ (index .Values "mariadb-galera" "config" "mariadbRootPassword" }}'
+ - uid: db-secret
+ name: &dbSecretName '{{ include "common.release" . }}-sdnc-db-secret'
+ type: basicAuth
+ # This is a nasty trick that allows you override this secret using external one
+ # with the same field that is used to pass this to subchart
+ externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) (hasSuffix "sdnc-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}'
+ login: '{{ index .Values "mariadb-galera" "config" "userName" }}'
+ password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}'
+ - uid: odl-creds
+ name: &odlCredsSecretName '{{ include "common.release" . }}-sdnc-odl-creds'
+ type: basicAuth
+ externalSecret: '{{ .Values.config.odlCredsExternalSecret }}'
+ login: '{{ .Values.config.odlUser }}'
+ password: '{{ .Values.config.odlPassword }}'
+ # For now this is left hardcoded but should be revisited in a future
+ passwordPolicy: required
+ - uid: aaf-creds
+ type: basicAuth
+ externalSecret: '{{ ternary (tpl (default "" .Values.aaf_init.aafDeployCredsExternalSecret) .) "aafIsDiabled" .Values.global.aafEnabled }}'
+ login: '{{ .Values.aaf_init.deploy_fqi }}'
+ password: '{{ .Values.aaf_init.deploy_pass }}'
+ passwordPolicy: required
+ - uid: netbox-apikey
+ type: password
+ externalSecret: '{{ .Values.config.netboxApikeyExternalSecret }}'
+ password: '{{ .Values.config.netboxApikey }}'
+ passwordPolicy: required
+ - uid: aai-user-creds
+ type: basicAuth
+ externalSecret: '{{ .Values.config.aaiCredsExternalSecret}}'
+ login: '{{ .Values.config.aaiUser }}'
+ password: '{{ .Values.config.aaiPassword }}'
+ passwordPolicy: required
+ - uid: modeling-user-creds
+ type: basicAuth
+ externalSecret: '{{ .Values.config.modelingCredsExternalSecret}}'
+ login: '{{ .Values.config.modelingUser }}'
+ password: '{{ .Values.config.modelingPassword }}'
+ passwordPolicy: required
+ - uid: restconf-creds
+ type: basicAuth
+ externalSecret: '{{ .Values.config.restconfCredsExternalSecret}}'
+ login: '{{ .Values.config.restconfUser }}'
+ password: '{{ .Values.config.restconfPassword }}'
+ passwordPolicy: required
+ - uid: ansible-creds
+ name: &ansibleSecretName '{{ include "common.release" . }}-sdnc-ansible-creds'
+ type: basicAuth
+ externalSecret: '{{ .Values.config.ansibleCredsExternalSecret}}'
+ login: '{{ .Values.config.ansibleUser }}'
+ password: '{{ .Values.config.ansiblePassword }}'
+ passwordPolicy: required
+ - uid: scaleout-creds
+ type: basicAuth
+ externalSecret: '{{ .Values.config.scaleoutCredsExternalSecret}}'
+ login: '{{ .Values.config.scaleoutUser }}'
+ password: '{{ .Values.config.scaleoutPassword }}'
+ passwordPolicy: required
#################################################################
# Application configuration defaults.
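Review bot: The `db-root-password` entry's `password` template has an unbalanced parenthesis — `'{{ (index .Values "mariadb-galera" "config" "mariadbRootPassword" }}'` opens `(` and never closes it — so the first time `common.secret` has to render this value (local cluster with no external root secret) `tpl` will fail with a parse error; drop it: `password: '{{ index .Values "mariadb-galera" "config" "mariadbRootPassword" }}'`. The same entry looks up `mariadb-galera.config.mariadbRootPasswordExternalSecret`, while the `mariadb-galera:` block added further down in this file sets `config.rootPasswordExternalSecret`, so the value set there is never consulted by this lookup — verify which key the subchart actually expects and use one name. Separately, `envsubstImage: dibi/envsubst` has no tag or digest and is pulled from Docker Hub rather than through `common.repository`, so the image that handles every credential in the chart is a mutable `latest`; pin it, e.g. `envsubstImage: dibi/envsubst:<pinned-tag-placeholder>`.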
@@ -43,11 +120,27 @@ debugEnabled: false
config:
odlUid: 100
odlGid: 101
+ odlUser: admin
odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
- dbRootPassword: secretpassword
- dbSdnctlUser: sdnctl
- dbSdnctlDatabase: sdnctl
- dbSdnctlPassword: gamma
+ # odlCredsExternalSecret: some secret
+ netboxApikey: onceuponatimeiplayedwithnetbox20180814
+ # netboxApikeyExternalSecret: some secret
+ aaiUser: sdnc@sdnc.onap.org
+ aaiPassword: demo123456!
+ # aaiCredsExternalSecret: some secret
+ modelingUser: ccsdkapps
+ modelingPassword: ccsdkapps
+ # modelingCredsExternalSecret: some secret
+ restconfUser: admin
+ restconfPassword: admin
+ # restconfCredsExternalSecret: some secret
+ scaleoutUser: admin
+ scaleoutPassword: admin
+ # scaleoutExternalSecret: some secret
+ ansibleUser: sdnc
+ ansiblePassword: sdnc
+ # ansibleCredsExternalSecret: some secret
+ dbSdnctlDatabase: &sdncDbName sdnctl
enableClustering: true
sdncHome: /opt/onap/sdnc
binDir: /opt/onap/sdnc/bin
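Review bot: The override example `# scaleoutExternalSecret: some secret` names a key the secrets metaconfig never reads: the `scaleout-creds` entry above looks up `.Values.config.scaleoutCredsExternalSecret`, so an operator following the comment would set a value that is silently ignored and keep the default `admin`/`admin`. Change it to `# scaleoutCredsExternalSecret: some secret` to match the other entries. The `config:` mapping continues outside this hunk.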
@@ -91,17 +184,6 @@ config:
parallelGCThreads : 3
numberGGLogFiles: 10
-
-
- #local Mariadb-galera cluster
- localDBCluster: false
-
- #Shared mariadb-galera details
- mariadbGalera:
- chartName: mariadb-galera
- serviceName: mariadb-galera
- internalPort: 3306
-
# dependency / sub-chart configuration
aaf_init:
agentImage: onap/aaf/aaf_agent:2.1.15
@@ -114,63 +196,82 @@ aaf_init:
cadi_latitude: "38.0"
cadi_longitude: "-72.0"
+mariadb-galera: &mariadbGalera
+ nameOverride: sdnc-db
+ config:
+ rootPasswordExternalSecret: '{{ ternary (include "common.release" .)-sdnc-db-root-password "" .Values.global.mariadbGalera.localCluster }}'
+ userName: sdnctl
+ userCredentialsExternalSecret: *dbSecretName
+ service:
+ name: sdnc-dbhost
+ internalPort: 3306
+ sdnctlPrefix: sdnc
+ persistence:
+ mountSubPath: sdnc/mariadb-galera
+ enabled: true
+ replicaCount: 1
+
cds:
enabled: false
dmaap-listener:
nameOverride: sdnc-dmaap-listener
+ mariadb-galera:
+ << : *mariadbGalera
+ config:
+ mysqlDatabase: *sdncDbName
config:
sdncChartName: sdnc
- mysqlChartName: mariadb-galera
dmaapPort: 3904
sdncPort: 8282
configDir: /opt/onap/sdnc/data/properties
- odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
+ odlCredsExternalSecret: *odlCredsSecretName
ueb-listener:
+ mariadb-galera:
+ << : *mariadbGalera
+ config:
+ mysqlDatabase: *sdncDbName
nameOverride: sdnc-ueb-listener
config:
sdncPort: 8282
sdncChartName: sdnc
- mysqlChartName: mariadb-galera
configDir: /opt/onap/sdnc/data/properties
- odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
+ odlCredsExternalSecret: *odlCredsSecretName
sdnc-portal:
+ mariadb-galera:
+ << : *mariadbGalera
+ config:
+ mysqlDatabase: *sdncDbName
config:
sdncChartName: sdnc
- mysqlChartName: mariadb-galera
configDir: /opt/onap/sdnc/data/properties
- dbRootPassword: secretpassword
- dbSdnctlPassword: gamma
- odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
+ odlCredsExternalSecret: *odlCredsSecretName
sdnc-ansible-server:
+ config:
+ restCredsExternalSecret: *ansibleSecretName
+ mariadb-galera:
+ << : *mariadbGalera
+ config:
+ mysqlDatabase: ansible
service:
name: sdnc-ansible-server
internalPort: 8000
- config:
- mysqlServiceName: mariadb-galera
-
-mariadb-galera:
- nameOverride: sdnc-db
- service:
- name: sdnc-dbhost
- internalPort: 3306
- sdnctlPrefix: sdnc
- persistence:
- mountSubPath: sdnc/mariadb-galera
- enabled: true
- replicaCount: 1
dgbuilder:
nameOverride: sdnc-dgbuilder
config:
+ db:
+ dbName: *sdncDbName
+ rootPasswordExternalSecret: '{{ ternary (printf "%s-sdnc-db-root-password" (include "common.release" .)) (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" "mariadb-galera")) .Values.global.mariadbGalera.localCluster }}'
+ userCredentialsExternalSecret: *dbSecretName
dbPodName: mariadb-galera
dbServiceName: mariadb-galera
- dbRootPassword: secretpassword
- dbSdnctlPassword: gamma
+ # This should be revisited and changed to plain text
dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5
+ mariadb-galera:
service:
name: sdnc-dgbuilder
nodePort: "03"
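Review bot: `rootPasswordExternalSecret: '{{ ternary (include "common.release" .)-sdnc-db-root-password "" .Values.global.mariadbGalera.localCluster }}'` is not a valid template expression — `-sdnc-db-root-password` is juxtaposed to the parenthesised include rather than concatenated — so if the subchart passes it through `tpl` it fails to parse; the `dgbuilder` entry further down already has the working form, `(printf "%s-sdnc-db-root-password" (include "common.release" .))`, which should be used here as well. The YAML merge key is also a shallow merge: in `dmaap-listener`, `ueb-listener`, `sdnc-portal` and `sdnc-ansible-server` the explicit `config:` mapping replaces the whole `config` inherited from `*mariadbGalera`, so those subcharts see only `mysqlDatabase` and lose `userName`/`userCredentialsExternalSecret`; if they need the DB user credentials, repeat them under each `config:`. Finally, `<< : *mariadbGalera` has a space before the colon; the conventional spelling is `<<: *mariadbGalera`. The hunk ends inside the `dgbuilder` block.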