authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-01-23 11:49:25 +0100
committerKrzysztof Opasiak <k.opasiak@samsung.com>2020-02-01 00:10:01 +0100
commite74ed5cd24df70e1e9b137eadf8e32d5c89f236b (patch)
tree09e2881a74abd0833dd7328364c6a666dbeba67c /kubernetes
parent3ed9c940d61526344303ad29d9ce1dc50eb4117a (diff)
[APPC] Don't hardcode mariadb root password
You should never ever assume that secretpassword is a production ready password for your mariadb-galera instance. Instead let's just share a secret with our instance of mariadb-galera. Issue-ID: OOM-2275 Change-Id: I25486ad81a2ec428dbbd379ab3529c84f55acc4b Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Diffstat (limited to 'kubernetes')
-rwxr-xr-xkubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh3
-rwxr-xr-xkubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh8
-rwxr-xr-xkubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh3
-rw-r--r--kubernetes/appc/templates/secrets.yaml14
-rw-r--r--kubernetes/appc/templates/statefulset.yaml5
-rw-r--r--kubernetes/appc/values.yaml9
6 files changed, 16 insertions, 26 deletions
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh
index b3cf868731..1b951d0406 100755
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh
+++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh
@@ -21,7 +21,7 @@
SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk}
APPC_HOME=${APPC_HOME:-/opt/onap/appc}
-MYSQL_PASSWD=${MYSQL_PASSWD:-{{.Values.config.mariadbRootPassword}}}
+MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD}
APPC_DB_USER=${APPC_DB_USER:-appcctl}
APPC_DB_PASSWD=${APPC_DB_PASSWD:-appcctl}
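Review bot: The new `MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD}` line has no guard, so if the variable is unset or empty the script continues and the later `-p${MYSQL_PASSWD}` collapses to a bare `-p`, which makes the client prompt for a password instead of failing with a clear message. Failing fast would be safer: `MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD:?MYSQL_ROOT_PASSWORD must be set}`. The identical assignment in installSdncDb.sh needs the same guard. The change also removes the ability to override `MYSQL_PASSWD` from the environment, which is worth stating in the commit message if any caller relied on it.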
@@ -52,4 +52,3 @@ if [ -f ${APPC_HOME}/data/sqlData.dump ]
then
mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} sdnctl < ${APPC_HOME}/data/sqlData.dump
fi
-
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
index 22d38363c0..14689d5b11 100755
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
+++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
@@ -54,7 +54,7 @@ ODL_HOME=${ODL_HOME:-/opt/opendaylight/current}
SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk}
APPC_HOME=${APPC_HOME:-/opt/onap/appc}
SLEEP_TIME=${SLEEP_TIME:-120}
-MYSQL_PASSWD=${MYSQL_PASSWD:-{{.Values.config.mariadbRootPassword}}}
+MYSQL_PASSWD=${MYSQL_ROOT_PASSWORDD}
ENABLE_ODL_CLUSTER=${ENABLE_ODL_CLUSTER:-false}
ENABLE_AAF=${ENABLE_AAF:-true}
DBINIT_DIR=${DBINIT_DIR:-/opt/opendaylight/current/daexim}
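Review bot: `${MYSQL_ROOT_PASSWORDD}` on the new `MYSQL_PASSWD` line has a doubled `D`; the StatefulSet in this commit exports `MYSQL_ROOT_PASSWORD`, and both install scripts read that spelling. With the old templated default removed, `MYSQL_PASSWD` expands to nothing unless something else happens to set the misspelled name, so the `until mysql ... -p${MYSQL_PASSWD}` wait loop further down cannot authenticate, and because its output is sent to `/dev/null` the container would only print dots. The line should read `MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD:?MYSQL_ROOT_PASSWORD must be set}`, which also turns a missing variable into an immediate, visible error.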
@@ -63,7 +63,7 @@ DBINIT_DIR=${DBINIT_DIR:-/opt/opendaylight/current/daexim}
# Wait for database to init properly
#
echo "Waiting for mariadbgalera"
-until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p{{.Values.config.mariadbRootPassword}} mysql &> /dev/null
+until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql &> /dev/null
do
printf "."
sleep 1
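Review bot: The root password is still passed as `-p${MYSQL_PASSWD}` on the mysql command line in the `until` loop, so it is readable by anything that can list processes in the container, and the unquoted expansion breaks on a password containing whitespace or shell metacharacters, which is more likely now that the value comes from a secret rather than a fixed string. Consider exporting it once with `export MYSQL_PWD="${MYSQL_PASSWD}"`, or pointing the client at an option file via `--defaults-extra-file`, and dropping `-p` from the calls. The same applies to the `sdnc_db_exists` and `appc_db_exists` calls in the next two hunks and to the dump imports in installAppcDb.sh and installSdncDb.sh. The loop also has no timeout and discards all output, so a wrong password looks the same as a database that is still starting.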
@@ -77,7 +77,7 @@ fi
if [ ! -f ${DBINIT_DIR}/.installed ]
then
- sdnc_db_exists=$(mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p{{.Values.config.mariadbRootPassword}} mysql <<-END
+ sdnc_db_exists=$(mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql <<-END
show databases like 'sdnctl';
END
)
@@ -86,7 +86,7 @@ END
echo "Installing SDNC database"
${SDNC_HOME}/bin/installSdncDb.sh
- appc_db_exists=$(mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p{{.Values.config.mariadbRootPassword}} mysql <<-END
+ appc_db_exists=$(mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql <<-END
show databases like 'appcctl';
END
)
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh
index da16d394af..c3e692158c 100755
--- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh
+++ b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh
@@ -23,7 +23,7 @@
###
SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk}
-MYSQL_PASSWD=${MYSQL_PASSWD:-{{.Values.config.mariadbRootPassword}}}
+MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD}
SDNC_DB_USER=${SDNC_DB_USER:-sdnctl}
SDNC_DB_PASSWD=${SDNC_DB_PASSWD:-gamma}
@@ -44,4 +44,3 @@ if [ -f ${SDNC_HOME}/data/odlsli.dump ]
then
mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} sdnctl < ${SDNC_HOME}/data/odlsli.dump
fi
-
diff --git a/kubernetes/appc/templates/secrets.yaml b/kubernetes/appc/templates/secrets.yaml
index 57311a0077..65a6b24eb7 100644
--- a/kubernetes/appc/templates/secrets.yaml
+++ b/kubernetes/appc/templates/secrets.yaml
@@ -12,16 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.fullname" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
- db-root-password: {{ .Values.config.mariadbRootPassword | b64enc | quote }}
+{{ include "common.secret" . }}
diff --git a/kubernetes/appc/templates/statefulset.yaml b/kubernetes/appc/templates/statefulset.yaml
index 9a62426adb..5ed2970c45 100644
--- a/kubernetes/appc/templates/statefulset.yaml
+++ b/kubernetes/appc/templates/statefulset.yaml
@@ -69,10 +69,7 @@ spec:
periodSeconds: {{ .Values.readiness.periodSeconds }}
env:
- name: MYSQL_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}
- key: db-root-password
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14}}
- name: SDNC_CONFIG_DIR
value: "{{ .Values.config.configDir }}"
- name: APPC_CONFIG_DIR
diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml
index 4dfb2263ad..a4cd0a644a 100644
--- a/kubernetes/appc/values.yaml
+++ b/kubernetes/appc/values.yaml
@@ -26,6 +26,14 @@ global:
mountPath: /dockerdata-nfs
#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: "db-root-pass"
+ externalSecret: '{{- include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" (index .Values "mariadb-galera" "nameOverride")) }}'
+ type: password
+
+#################################################################
# Application configuration defaults.
#################################################################
flavor: small
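Review bot: The new `secrets` entry sets only `externalSecret`, so this chart appears to depend entirely on a secret owned by the mariadb-galera subchart, and nothing in the file says so. A short comment above the entry would help the next operator, for example `# Root password is not defined here; it is read from the secret created by the mariadb-galera subchart.` It is also worth confirming that `mariadb-galera.nameOverride` is always set in this values file, since the `index .Values "mariadb-galera" "nameOverride"` lookup has no fallback visible in the hunk.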
@@ -43,7 +51,6 @@ config:
odlGid: 101
ansibleServiceName: appc-ansible-server
ansiblePort: 8000
- mariadbRootPassword: secretpassword
userName: my-user
userPassword: my-password
mysqlDatabase: my-database