diff options
19 files changed, 218 insertions, 67 deletions
diff --git a/kubernetes/aai b/kubernetes/aai -Subproject 93f574789eee8a44d9e77b940e352a9c413d581 +Subproject 40aacd4952fc1d8a37f4ad44c89bef093762b81 diff --git a/kubernetes/so/charts/so-bpmn-infra/values.yaml b/kubernetes/so/charts/so-bpmn-infra/values.yaml index 357a8fd62c..4c64caf304 100755 --- a/kubernetes/so/charts/so-bpmn-infra/values.yaml +++ b/kubernetes/so/charts/so-bpmn-infra/values.yaml @@ -30,14 +30,14 @@ secrets: - uid: db-user-creds name: '{{ include "common.release" . }}-so-bpmn-infra-db-user-creds' type: basicAuth - externalSecret: '{{ .Values.db.userCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' login: '{{ .Values.db.userName }}' password: '{{ .Values.db.userPassword }}' passwordPolicy: required - uid: db-admin-creds name: '{{ include "common.release" . }}-so-bpmn-infra-db-admin-creds' type: basicAuth - externalSecret: '{{ .Values.db.adminCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required diff --git a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml b/kubernetes/so/charts/so-catalog-db-adapter/values.yaml index 889f2e83ec..c276649a02 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml +++ b/kubernetes/so/charts/so-catalog-db-adapter/values.yaml @@ -30,14 +30,14 @@ secrets: - uid: db-user-creds name: '{{ include "common.release" . }}-so-catalog-db-adapter-db-user-creds' type: basicAuth - externalSecret: '{{ .Values.db.userCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' login: '{{ .Values.db.userName }}' password: '{{ .Values.db.userPassword }}' passwordPolicy: required - uid: db-admin-creds name: '{{ include "common.release" . }}-so-catalog-db-adapter-db-admin-creds' type: basicAuth - externalSecret: '{{ .Values.db.adminCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required diff --git a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/01-create-camundabpmn.sh b/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/01-create-camundabpmn.sh index b6d30e405b..08adb4a407 100755 --- a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/01-create-camundabpmn.sh +++ b/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/01-create-camundabpmn.sh @@ -23,12 +23,12 @@ echo "Creating camundabpmn database . . ." 1>/tmp/mariadb-camundabpmn.log 2>&1 -mysql -uroot -p$MYSQL_ROOT_PASSWORD << 'EOF' || exit 1 -DROP DATABASE IF EXISTS `camundabpmn`; -CREATE DATABASE `camundabpmn`; -DROP USER IF EXISTS 'camundauser'; -CREATE USER 'camundauser'; -GRANT ALL on camundabpmn.* to 'camundauser' identified by 'camunda123' with GRANT OPTION; +mysql -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +DROP DATABASE IF EXISTS camundabpmn; +CREATE DATABASE camundabpmn; +DROP USER IF EXISTS '${CAMUNDA_DB_USER}'; +CREATE USER '${CAMUNDA_DB_USER}'; +GRANT ALL on camundabpmn.* to '${CAMUNDA_DB_USER}' identified by '${CAMUNDA_DB_PASSWORD}' with GRANT OPTION; FLUSH PRIVILEGES; EOF diff --git a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/02-create-requestdb.sh b/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/02-create-requestdb.sh index b27760552d..0f404466ca 100755 --- a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/02-create-requestdb.sh +++ b/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/02-create-requestdb.sh @@ -23,12 +23,12 @@ echo "Creating requestdb database . . ." 1>/tmp/mariadb-requestdb.log 2>&1 -mysql -uroot -p$MYSQL_ROOT_PASSWORD << 'EOF' || exit 1 -DROP DATABASE IF EXISTS `requestdb`; -CREATE DATABASE /*!32312 IF NOT EXISTS*/ `requestdb` /*!40100 DEFAULT CHARACTER SET latin1 */; -DROP USER IF EXISTS 'requestuser'; -CREATE USER 'requestuser'; -GRANT ALL on requestdb.* to 'requestuser' identified by 'request123' with GRANT OPTION; +mysql -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +DROP DATABASE IF EXISTS requestdb; +CREATE DATABASE /*!32312 IF NOT EXISTS*/ requestdb /*!40100 DEFAULT CHARACTER SET latin1 */; +DROP USER IF EXISTS '${REQUEST_DB_USER}'; +CREATE USER '${REQUEST_DB_USER}'; +GRANT ALL on requestdb.* to '${REQUEST_DB_USER}' identified by '${REQUEST_DB_PASSWORD}' with GRANT OPTION; FLUSH PRIVILEGES; EOF diff --git a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/03-create-catalogdb.sh b/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/03-create-catalogdb.sh index 10fb4b18db..3115ec6199 100755 --- a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/03-create-catalogdb.sh +++ b/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/03-create-catalogdb.sh @@ -23,12 +23,12 @@ echo "Creating catalogdb database . . ." 1>/tmp/mariadb-catalogdb.log 2>&1 -mysql -uroot -p$MYSQL_ROOT_PASSWORD << 'EOF' || exit 1 -DROP DATABASE IF EXISTS `catalogdb`; -CREATE DATABASE /*!32312 IF NOT EXISTS*/ `catalogdb` /*!40100 DEFAULT CHARACTER SET latin1 */; -DROP USER IF EXISTS 'cataloguser'; -CREATE USER 'cataloguser'; -GRANT ALL on catalogdb.* to 'cataloguser' identified by 'catalog123' with GRANT OPTION; +mysql -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +DROP DATABASE IF EXISTS catalogdb; +CREATE DATABASE /*!32312 IF NOT EXISTS*/ catalogdb /*!40100 DEFAULT CHARACTER SET latin1 */; +DROP USER IF EXISTS '${CATALOG_DB_USER}'; +CREATE USER '${CATALOG_DB_USER}'; +GRANT ALL on catalogdb.* to '${CATALOG_DB_USER}' identified by '${CATALOG_DB_PASSWORD}' with GRANT OPTION; FLUSH PRIVILEGES; EOF diff --git a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/04-create-so-user.sh b/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/04-create-so-user.sh index 9c96720775..c4048002cf 100755 --- a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/04-create-so-user.sh +++ b/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/04-create-so-user.sh @@ -23,13 +23,13 @@ echo "Creating so user . . ." 1>/tmp/mariadb-so-user.log 2>&1 -mysql -uroot -p$MYSQL_ROOT_PASSWORD << 'EOF' || exit 1 -DROP USER IF EXISTS 'so_user'; -CREATE USER 'so_user'; -GRANT USAGE ON *.* TO 'so_user'@'%' IDENTIFIED BY 'so_User123'; -GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON `requestdb`.* TO 'so_user'@'%'; -GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON `catalogdb`.* TO 'so_user'@'%'; -GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON `camundabpmn`.* TO 'so_user'@'%'; +mysql -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +DROP USER IF EXISTS '${DB_USER}'; +CREATE USER '${DB_USER}'; +GRANT USAGE ON *.* TO '${DB_USER}'@'%' IDENTIFIED BY '${DB_PASSWORD}'; +GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON requestdb.* TO '${DB_USER}'@'%'; +GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON catalogdb.* TO '${DB_USER}'@'%'; +GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON camundabpmn.* TO '${DB_USER}'@'%'; FLUSH PRIVILEGES; EOF diff --git a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/05-create-so-admin.sh b/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/05-create-so-admin.sh index 6eb3baaffa..e9d7c6fefa 100755 --- a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/05-create-so-admin.sh +++ b/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/05-create-so-admin.sh @@ -23,13 +23,13 @@ echo "Creating so admin user . . ." 1>/tmp/mariadb-so-admin.log 2>&1 -mysql -uroot -p$MYSQL_ROOT_PASSWORD << 'EOF' || exit 1 -DROP USER IF EXISTS 'so_admin'; -CREATE USER 'so_admin'; -GRANT USAGE ON *.* TO 'so_admin'@'%' IDENTIFIED BY 'so_Admin123'; -GRANT ALL PRIVILEGES ON `camundabpmn`.* TO 'so_admin'@'%' WITH GRANT OPTION; -GRANT ALL PRIVILEGES ON `requestdb`.* TO 'so_admin'@'%' WITH GRANT OPTION; -GRANT ALL PRIVILEGES ON `catalogdb`.* TO 'so_admin'@'%' WITH GRANT OPTION; +mysql -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +DROP USER IF EXISTS '${DB_ADMIN}'; +CREATE USER '${DB_ADMIN}'; +GRANT USAGE ON *.* TO '${DB_ADMIN}'@'%' IDENTIFIED BY '${DB_ADMIN_PASSWORD}'; +GRANT ALL PRIVILEGES ON camundabpmn.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; +GRANT ALL PRIVILEGES ON requestdb.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; +GRANT ALL PRIVILEGES ON catalogdb.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES; EOF diff --git a/kubernetes/so/charts/so-mariadb/templates/job.yaml b/kubernetes/so/charts/so-mariadb/templates/job.yaml index 31868bd8af..ec589ea33e 100644 --- a/kubernetes/so/charts/so-mariadb/templates/job.yaml +++ b/kubernetes/so/charts/so-mariadb/templates/job.yaml @@ -136,6 +136,26 @@ spec: key: mariadb.readwrite.port - name: MYSQL_ROOT_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 10 }} + - name: DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }} + - name: DB_ADMIN + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} + - name: DB_ADMIN_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} + - name: CAMUNDA_DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "camunda-db-creds" "key" "login") | indent 10 }} + - name: CAMUNDA_DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "camunda-db-creds" "key" "password") | indent 10 }} + - name: REQUEST_DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "request-db-creds" "key" "login") | indent 10 }} + - name: REQUEST_DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "request-db-creds" "key" "password") | indent 10 }} + - name: CATALOG_DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "catalog-db-creds" "key" "login") | indent 10 }} + - name: CATALOG_DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "catalog-db-creds" "key" "password") | indent 10 }} volumeMounts: - mountPath: /etc/localtime name: localtime diff --git a/kubernetes/so/charts/so-mariadb/values.yaml b/kubernetes/so/charts/so-mariadb/values.yaml index a5586c6665..5e7b2fef76 100755 --- a/kubernetes/so/charts/so-mariadb/values.yaml +++ b/kubernetes/so/charts/so-mariadb/values.yaml @@ -32,13 +32,13 @@ secrets: - uid: db-root-pass name: '{{ include "common.release" . }}-so-mariadb-root-pass' type: password - externalSecret: '{{ .Values.db.rootPasswordExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.rootPasswordExternalSecret) . }}' password: '{{ .Values.db.rootPassword }}' passwordPolicy: required - uid: db-backup-creds name: '{{ include "common.release" . }}-so-mariadb-backup-creds' type: basicAuth - externalSecret: '{{ .Values.db.backupCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.backupCredsExternalSecret) . }}' login: '{{ .Values.db.backupUser }}' password: '{{ .Values.db.backupPassword }}' passwordPolicy: required @@ -46,6 +46,33 @@ secrets: helm.sh/hook: pre-upgrade,pre-install helm.sh/hook-weight: "0" helm.sh/hook-delete-policy: before-hook-creation + - uid: db-user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' + login: '{{ .Values.db.userName }}' + password: '{{ .Values.db.userPassword }}' + - uid: db-admin-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' + login: '{{ .Values.db.adminName }}' + password: '{{ .Values.db.adminPassword }}' + - uid: camunda-db-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.camunda.dbCredsExternalSecret) . }}' + login: '{{ .Values.db.camunda.userName }}' + password: '{{ .Values.db.camunda.password }}' + - uid: request-db-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.request.dbCredsExternalSecret) . }}' + login: '{{ .Values.db.request.userName }}' + password: '{{ .Values.db.request.password }}' + - uid: catalog-db-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.catalog.dbCredsExternalSecret) . }}' + login: '{{ .Values.db.catalog.userName }}' + password: '{{ .Values.db.catalog.password }}' + + ################################################################# # Application configuration defaults. @@ -63,6 +90,25 @@ db: backupPassword: secretpassword backupUser: root # backupCredsExternalSecret: some secret + userName: so_user + userPassword: so_User123 + # userCredsExternalSecret: some secret + adminName: so_admin + adminPassword: so_Admin123 + # adminCredsExternalSecret: some secret + camunda: + userName: camundauser + password: camunda123 + # dbCredsExternalSecret: some secret + request: + userName: requestuser + password: request123 + # dbCredsExternalSecret: some secret + catalog: + userName: cataloguser + password: catalog123 + # dbCredsExternalSecret: some secret + # application configuration config: # gerrit branch where the latest heat code is checked in diff --git a/kubernetes/so/charts/so-monitoring/values.yaml b/kubernetes/so/charts/so-monitoring/values.yaml index d3904234e2..357c61cc45 100644 --- a/kubernetes/so/charts/so-monitoring/values.yaml +++ b/kubernetes/so/charts/so-monitoring/values.yaml @@ -34,13 +34,13 @@ global: secrets: - uid: db-user-creds type: basicAuth - externalSecret: '{{ .Values.db.userCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' login: '{{ .Values.db.userName }}' password: '{{ .Values.db.userPassword }}' passwordPolicy: required - uid: db-admin-creds type: basicAuth - externalSecret: '{{ .Values.db.adminCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required diff --git a/kubernetes/so/charts/so-openstack-adapter/values.yaml b/kubernetes/so/charts/so-openstack-adapter/values.yaml index 13556c6ee4..6a0b04b4d1 100755 --- a/kubernetes/so/charts/so-openstack-adapter/values.yaml +++ b/kubernetes/so/charts/so-openstack-adapter/values.yaml @@ -29,13 +29,13 @@ global: secrets: - uid: db-user-creds type: basicAuth - externalSecret: '{{ .Values.db.userCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' login: '{{ .Values.db.userName }}' password: '{{ .Values.db.userPassword }}' passwordPolicy: required - uid: db-admin-creds type: basicAuth - externalSecret: '{{ .Values.db.adminCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required diff --git a/kubernetes/so/charts/so-request-db-adapter/values.yaml b/kubernetes/so/charts/so-request-db-adapter/values.yaml index f15b7c27c6..6324cab35a 100755 --- a/kubernetes/so/charts/so-request-db-adapter/values.yaml +++ b/kubernetes/so/charts/so-request-db-adapter/values.yaml @@ -29,13 +29,13 @@ global: secrets: - uid: db-user-creds type: basicAuth - externalSecret: '{{ .Values.db.userCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' login: '{{ .Values.db.userName }}' password: '{{ .Values.db.userPassword }}' passwordPolicy: required - uid: db-admin-creds type: basicAuth - externalSecret: '{{ .Values.db.adminCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required diff --git a/kubernetes/so/charts/so-sdc-controller/values.yaml b/kubernetes/so/charts/so-sdc-controller/values.yaml index 0e3bdf4084..6d8adf7338 100755 --- a/kubernetes/so/charts/so-sdc-controller/values.yaml +++ b/kubernetes/so/charts/so-sdc-controller/values.yaml @@ -29,13 +29,13 @@ global: secrets: - uid: db-user-creds type: basicAuth - externalSecret: '{{ .Values.db.userCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' login: '{{ .Values.db.userName }}' password: '{{ .Values.db.userPassword }}' passwordPolicy: required - uid: db-admin-creds type: basicAuth - externalSecret: '{{ .Values.db.adminCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required diff --git a/kubernetes/so/charts/so-sdnc-adapter/values.yaml b/kubernetes/so/charts/so-sdnc-adapter/values.yaml index b6724aaa98..b736253f56 100755 --- a/kubernetes/so/charts/so-sdnc-adapter/values.yaml +++ b/kubernetes/so/charts/so-sdnc-adapter/values.yaml @@ -29,13 +29,13 @@ global: secrets: - uid: db-user-creds type: basicAuth - externalSecret: '{{ .Values.db.userCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' login: '{{ .Values.db.userName }}' password: '{{ .Values.db.userPassword }}' passwordPolicy: required - uid: db-admin-creds type: basicAuth - externalSecret: '{{ .Values.db.adminCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required diff --git a/kubernetes/so/charts/so-vfc-adapter/values.yaml b/kubernetes/so/charts/so-vfc-adapter/values.yaml index 028f2b51b5..f442860ab3 100755 --- a/kubernetes/so/charts/so-vfc-adapter/values.yaml +++ b/kubernetes/so/charts/so-vfc-adapter/values.yaml @@ -29,13 +29,13 @@ global: secrets: - uid: db-user-creds type: basicAuth - externalSecret: '{{ .Values.db.userCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' login: '{{ .Values.db.userName }}' password: '{{ .Values.db.userPassword }}' passwordPolicy: required - uid: db-admin-creds type: basicAuth - externalSecret: '{{ .Values.db.adminCredsExternalSecret }}' + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required diff --git a/kubernetes/so/templates/deployment.yaml b/kubernetes/so/templates/deployment.yaml index c0ac078039..ca6be72273 100755 --- a/kubernetes/so/templates/deployment.yaml +++ b/kubernetes/so/templates/deployment.yaml @@ -66,25 +66,13 @@ spec: name: {{ include "common.release" . }}-so-db-secrets key: mariadb.readwrite.port - name: DB_USERNAME - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-so-db-secrets - key: mariadb.readwrite.rolename + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }} - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-so-db-secrets - key: mariadb.readwrite.password + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }} - name: DB_ADMIN_USERNAME - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-so-db-secrets - key: mariadb.admin.rolename + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-so-db-secrets - key: mariadb.admin.password + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} {{- if eq .Values.global.security.aaf.enabled true }} - name: TRUSTSTORE value: /app/org.onap.so.trust.jks diff --git a/kubernetes/so/templates/secret.yaml b/kubernetes/so/templates/secret.yaml new file mode 100644 index 0000000000..bd7eb8ea40 --- /dev/null +++ b/kubernetes/so/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index 807d2a6c7e..b2a8b681b3 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -26,7 +26,8 @@ global: nameOverride: mariadb-galera serviceName: mariadb-galera servicePort: "3306" - mariadbRootPassword: secretpassword + # mariadbRootPassword: secretpassword + # rootPasswordExternalSecret: some secret #This flag allows SO to instantiate its own mariadb-galera cluster, #serviceName and nameOverride should be so-mariadb-galera if this flag is enabled localCluster: false @@ -40,6 +41,7 @@ global: dbPort: 3306 dbUser: root dbPassword: secretpassword + # dbCredsExternalSecret: some secret msbEnabled: true security: aaf: @@ -69,9 +71,55 @@ global: certs: trustStorePassword: b25hcDRzbw== keyStorePassword: c280b25hcA== + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-root-pass + name: &dbRootPassSecretName '{{ include "common.release" . }}-so-db-root-pass' + type: password + externalSecret: '{{ ternary .Values.global.mariadbGalera.rootPasswordExternalSecret (default (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) .Values.global.mariadbGalera.rootPasswordExternalSecret) .Values.global.mariadbGalera.localCluster }}' + password: '{{ .Values.global.mariadbGalera.mariadbRootpassword }}' + - uid: db-backup-creds + name: &dbBackupCredsSecretName '{{ include "common.release" . }}-so-db-backup-creds' + type: basicAuth + externalSecret: '{{ ternary .Values.global.migration.dbCredsExternalSecret "migrationDisabled" .Values.global.migration.enabled }}' + login: '{{ ternary .Values.global.migration.dbUser "migrationDisabled" .Values.global.migration.enabled }}' + password: '{{ ternary .Values.global.migration.dbPassword "migrationDisabled" .Values.global.migration.enabled }}' + passwordPolicy: required + annotations: + helm.sh/hook: pre-upgrade,pre-install + helm.sh/hook-weight: "0" + helm.sh/hook-delete-policy: before-hook-creation + - uid: db-user-creds + name: &dbUserCredsSecretName '{{ include "common.release" . }}-so-db-user-creds' + type: basicAuth + externalSecret: '{{ .Values.dbCreds.userCredsExternalSecret }}' + login: '{{ .Values.dbCreds.userName }}' + password: '{{ .Values.dbCreds.userPassword }}' + passwordPolicy: generate + - uid: db-admin-creds + name: &dbAdminCredsSecretName '{{ include "common.release" . }}-so-db-admin-creds' + type: basicAuth + externalSecret: '{{ .Values.dbCreds.adminCredsExternalSecret }}' + login: '{{ .Values.dbCreds.adminName }}' + password: '{{ .Values.dbCreds.adminPassword }}' + passwordPolicy: generate + ################################################################# # Application configuration defaults. ################################################################# + +dbSecrets: &dbSecrets + userCredsExternalSecret: *dbUserCredsSecretName + adminCredsExternalSecret: *dbAdminCredsSecretName + +# unused in this, just to pass to subcharts +dbCreds: + userName: so_user + adminName: so_admin + repository: nexus3.onap.org:10001 image: onap/so/api-handler-infra:1.5.3 pullPolicy: Always @@ -133,6 +181,8 @@ config: # --set so.global.mariadbGalera.nameOverride=so-mariadb-galera \ # --set so.global.mariadbGalera.serviceName=so-mariadb-galera mariadb-galera: + config: + mariadbRootPasswordExternalSecret: *dbRootPassSecretName nameOverride: so-mariadb-galera replicaCount: 1 service: @@ -172,7 +222,10 @@ mso: auth: 51EA5414022D7BE536E7516C4D1A6361416921849B72C0D6FC1C7F262FD9F2BBC2AD124190A332D9845A188AD80955567A4F975C84C221EEA8243BFD92FFE6896CDD1EA16ADD34E1E3D47D4A health: auth: basic bXNvX2FkbWlufHBhc3N3b3JkMSQ= + so-bpmn-infra: + db: + <<: *dbSecrets cds: auth: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== aai: @@ -204,7 +257,10 @@ so-bpmn-infra: vnfm: adapter: auth: Basic dm5mbTpwYXNzd29yZDEk + so-catalog-db-adapter: + db: + <<: *dbSecrets mso: config: cadi: @@ -215,7 +271,10 @@ so-catalog-db-adapter: adapters: db: auth: Basic YnBlbDpwYXNzd29yZDEk + so-openstack-adapter: + db: + <<: *dbSecrets aaf: auth: encrypted: 7F182B0C05D58A23A1C4966B9CDC9E0B8BC5CD53BC8C7B4083D869F8D53E9BDC3EFD55C94B1D3F @@ -240,7 +299,10 @@ so-openstack-adapter: noAuthn: /manage/health db: auth: Basic YnBlbDpwYXNzd29yZDEk + so-request-db-adapter: + db: + <<: *dbSecrets mso: config: cadi: @@ -251,7 +313,10 @@ so-request-db-adapter: adapters: requestDb: auth: Basic YnBlbDpwYXNzd29yZDEk + so-sdc-controller: + db: + <<: *dbSecrets aai: auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 mso: @@ -271,6 +336,8 @@ so-sdc-controller: asdc-controller1: password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F so-sdnc-adapter: + db: + <<: *dbSecrets org: onap: so: @@ -292,7 +359,10 @@ so-sdnc-adapter: auth: Basic YnBlbDpwYXNzd29yZDEk rest: aafEncrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 + so-vfc-adapter: + db: + <<: *dbSecrets mso: config: cadi: @@ -322,3 +392,15 @@ so-vnfm-adapter: aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 apiEnforcement: org.onap.so.vnfmAdapterPerm noAuthn: /manage/health + +so-monitoring: + db: + <<: *dbSecrets + +so-mariadb: + db: + rootPasswordExternalSecretLocalDb: *dbRootPassSecretName + rootPasswordExternalSecret: '{{ ternary .Values.db.rootPasswordExternalSecretLocalDb (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) .Values.global.mariadbGalera.localCluster }}' + backupCredsExternalSecret: *dbBackupCredsSecretName + userCredsExternalSecret: *dbUserCredsSecretName + adminCredsExternalSecret: *dbAdminCredsSecretName |