summaryrefslogtreecommitdiffstats
path: root/kubernetes/common
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/common')
-rw-r--r--kubernetes/common/cassandra/resources/config/docker-entrypoint.sh9
-rw-r--r--kubernetes/common/cmpv2Certificate/Chart.yaml18
-rw-r--r--kubernetes/common/cmpv2Certificate/requirements.yaml24
-rw-r--r--kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl189
-rw-r--r--kubernetes/common/cmpv2Certificate/values.yaml13
-rw-r--r--kubernetes/common/cmpv2Config/values.yaml12
-rw-r--r--kubernetes/common/dgbuilder/requirements.yaml3
-rw-r--r--kubernetes/common/dgbuilder/templates/deployment.yaml1
-rw-r--r--kubernetes/common/dgbuilder/values.yaml5
-rwxr-xr-xkubernetes/common/mariadb-init/resources/config/db_init.sh12
-rw-r--r--kubernetes/common/repositoryGenerator/templates/_repository.tpl6
-rw-r--r--kubernetes/common/repositoryGenerator/values.yaml2
12 files changed, 26 insertions, 268 deletions
diff --git a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh
index 5b652228a6..5f23a89867 100644
--- a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh
+++ b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+
set -e
# first arg is `-f` or `--some-option`
@@ -11,7 +12,7 @@ fi
if [ "$1" = 'cassandra' -a "$(id -u)" = '0' ]; then
find /var/lib/cassandra /var/log/cassandra "$CASSANDRA_CONFIG" \
\! -user cassandra -exec chown cassandra '{}' +
- exec gosu cassandra "$BASH_SOURCE" "$@"
+ exec gosu cassandra "$0" "$@"
fi
_ip_address() {
@@ -71,7 +72,8 @@ if [ "$1" = 'cassandra' ]; then
authenticator \
; do
var="CASSANDRA_${yaml^^}"
- val="${!var}"
+ # eval presents no security issue here because of limited possible values of var
+ eval val=\$$var
if [ "$val" ]; then
_sed-in-place "$CASSANDRA_CONFIG/cassandra.yaml" \
-r 's/^(# )?('"$yaml"':).*/\2 '"$val"'/'
@@ -80,7 +82,8 @@ if [ "$1" = 'cassandra' ]; then
for rackdc in dc rack; do
var="CASSANDRA_${rackdc^^}"
- val="${!var}"
+ # eval presents no security issue here because of limited possible values of var
+ eval val=\$$var
if [ "$val" ]; then
_sed-in-place "$CASSANDRA_CONFIG/cassandra-rackdc.properties" \
-r 's/^('"$rackdc"'=).*/\1 '"$val"'/'
diff --git a/kubernetes/common/cmpv2Certificate/Chart.yaml b/kubernetes/common/cmpv2Certificate/Chart.yaml
deleted file mode 100644
index 6641ec6954..0000000000
--- a/kubernetes/common/cmpv2Certificate/Chart.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright © 2021 Nokia
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-description: Template used to add cmpv2 certificates to components
-name: cmpv2Certificate
-version: 8.0.0
diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/cmpv2Certificate/requirements.yaml
deleted file mode 100644
index b10896d2ce..0000000000
--- a/kubernetes/common/cmpv2Certificate/requirements.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright © 2021 Nokia
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-dependencies:
- - name: common
- version: ~8.x-0
- repository: 'file://../common'
- - name: repositoryGenerator
- version: ~8.x-0
- repository: 'file://../repositoryGenerator'
- - name: cmpv2Config
- version: ~8.x-0
- repository: 'file://../cmpv2Config'
diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
deleted file mode 100644
index f80b06b4d3..0000000000
--- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
+++ /dev/null
@@ -1,189 +0,0 @@
-{{/*
-# Copyright © 2021 Nokia
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{/*
-In order to use certServiceClient it is needed do define certificates array in target component values.yaml. Each
-certificate will be requested from separate init container
-
-Minimum example of array in target component values.yaml:
-certificates:
- - mountPath: /var/custom-certs
- commonName: common-name
-
-Full example (other fields are ignored):
-certificates:
- - mountPath: /var/custom-certs
- caName: RA
- keystore:
- outputType:
- - jks
- commonName: common-name
- dnsNames:
- - dns-name-1
- - dns-name-2
- ipAddresses:
- - 192.168.0.1
- - 192.168.0.2
- emailAddresses:
- - email-1@onap.org
- - email-2@onap.org
- uris:
- - http://uri-1.onap.org
- - http://uri-2.onap.org
- subject:
- organization: Linux-Foundation
- country: US
- locality: San Francisco
- province: California
- organizationalUnit: ONAP
-
-There also need to be some includes used in a target component deployment (indent values may need to be adjusted):
- 1. In initContainers section:
- {{ include "common.certServiceClient.initContainer" . | indent 6 }}
- 2. In volumeMounts section of container using certificates:
- {{ include "common.certServiceClient.volumeMounts" . | indent 10 }}
- 3. In volumes section:
- {{ include "common.certServiceClient.volumes" . | indent 8 }}
-
-*/}}
-
-{{- define "common.certServiceClient.initContainer" -}}
-{{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
-{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
-{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
-{{- range $index, $certificate := $dot.Values.certificates -}}
-{{/*# General certifiacate attributes #*/}}
-{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}}
-{{/*# SAN's #*/}}
-{{- $dnsNames := default (list) $certificate.dnsNames -}}
-{{- $ipAddresses := default (list) $certificate.ipAddresses -}}
-{{- $uris := default (list) $certificate.uris -}}
-{{- $emailAddresses := default (list) $certificate.emailAddresses -}}
-{{- $sansList := concat $dnsNames $ipAddresses $uris $emailAddresses -}}
-{{- $sans := join "," $sansList }}
-{{/*# Subject #*/}}
-{{- $organization := $subchartGlobal.certificate.default.subject.organization -}}
-{{- $country := $subchartGlobal.certificate.default.subject.country -}}
-{{- $locality := $subchartGlobal.certificate.default.subject.locality -}}
-{{- $province := $subchartGlobal.certificate.default.subject.province -}}
-{{- $orgUnit := $subchartGlobal.certificate.default.subject.organizationalUnit -}}
-{{- if $certificate.subject -}}
-{{- $organization := $certificate.subject.organization -}}
-{{- $country := $certificate.subject.country -}}
-{{- $locality := $certificate.subject.locality -}}
-{{- $province := $certificate.subject.province -}}
-{{- $orgUnit := $certificate.subject.organizationalUnit -}}
-{{- end -}}
-{{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}}
-{{- $outputType := $subchartGlobal.platform.certServiceClient.envVariables.outputType -}}
-{{- if $certificate.keystore -}}
-{{- $outputTypeList := (required "'outputType' in 'keystore' section is required." $certificate.keystore.outputType) -}}
-{{- $outputType = mustFirst ($outputTypeList) | upper -}}
-{{- end -}}
-{{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}}
-{{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}}
-{{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}}
-{{- $certificatesSecret:= $subchartGlobal.platform.certServiceClient.clientSecretName -}}
-{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath -}}
-{{- $keystorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.keystoreKeyRef ) -}}
-{{- $keystorePasswordSecret := $subchartGlobal.platform.certificates.keystorePasswordSecretName -}}
-{{- $keystorePasswordSecretKey := $subchartGlobal.platform.certificates.keystorePasswordSecretKey -}}
-{{- $truststorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.truststoreKeyRef ) -}}
-{{- $truststorePasswordSecret := $subchartGlobal.platform.certificates.truststorePasswordSecretName -}}
-{{- $truststorePasswordSecretKey := $subchartGlobal.platform.certificates.truststorePasswordSecretKey -}}
-- name: certs-init-{{ $index }}
- image: {{ include "repositoryGenerator.image.certserviceclient" $dot }}
- imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
- env:
- - name: REQUEST_URL
- value: {{ $requestUrl | quote }}
- - name: REQUEST_TIMEOUT
- value: {{ $requestTimeout | quote }}
- - name: OUTPUT_PATH
- value: {{ $certPath | quote }}
- - name: OUTPUT_TYPE
- value: {{ $outputType | quote }}
- - name: CA_NAME
- value: {{ $caName | quote }}
- - name: COMMON_NAME
- value: {{ $commonName | quote }}
- - name: SANS
- value: {{ $sans | quote }}
- - name: ORGANIZATION
- value: {{ $organization | quote }}
- - name: ORGANIZATION_UNIT
- value: {{ $orgUnit | quote }}
- - name: LOCATION
- value: {{ $locality | quote }}
- - name: STATE
- value: {{ $province | quote }}
- - name: COUNTRY
- value: {{ $country | quote }}
- - name: KEYSTORE_PATH
- value: {{ $keystorePath | quote }}
- - name: KEYSTORE_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ $keystorePasswordSecret | quote}}
- key: {{ $keystorePasswordSecretKey | quote}}
- - name: TRUSTSTORE_PATH
- value: {{ $truststorePath | quote }}
- - name: TRUSTSTORE_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ $truststorePasswordSecret | quote}}
- key: {{ $truststorePasswordSecretKey | quote}}
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: {{ $certPath }}
- name: cmpv2-certs-volume-{{ $index }}
- - mountPath: {{ $certificatesSecretMountPath }}
- name: certservice-tls-volume
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "common.certServiceClient.volumes" -}}
-{{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
-{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
-{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
-{{- $certificatesSecretName := $subchartGlobal.platform.certificates.clientSecretName -}}
-- name: certservice-tls-volume
- secret:
- secretName: {{ $certificatesSecretName }}
-{{ range $index, $certificate := $dot.Values.certificates -}}
-- name: cmpv2-certs-volume-{{ $index }}
- emptyDir:
- medium: Memory
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "common.certServiceClient.volumeMounts" -}}
-{{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
-{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
-{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
-{{- range $index, $certificate := $dot.Values.certificates -}}
-{{- $mountPath := $certificate.mountPath -}}
-- mountPath: {{ $mountPath }}
- name: cmpv2-certs-volume-{{ $index }}
-{{ end -}}
-{{- end -}}
-{{- end -}}
diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/cmpv2Certificate/values.yaml
deleted file mode 100644
index 504947525d..0000000000
--- a/kubernetes/common/cmpv2Certificate/values.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright © 2021 Nokia
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml
index 695e40616c..02595b348d 100644
--- a/kubernetes/common/cmpv2Config/values.yaml
+++ b/kubernetes/common/cmpv2Config/values.yaml
@@ -15,7 +15,6 @@ global:
# Enabling CMPv2
cmpv2Enabled: true
- CMPv2CertManagerIntegration: false
certificate:
default:
@@ -35,17 +34,6 @@ global:
keystorePasswordSecretKey: password
truststorePasswordSecretName: oom-cert-service-truststore-password
truststorePasswordSecretKey: password
- certServiceClient:
- image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
- certificatesSecretMountPath: /etc/onap/oom/certservice/certs/
- envVariables:
- certPath: "/var/custom-certs"
- # Certificate related
- caName: "RA"
- # Client configuration related
- requestURL: "https://oom-cert-service:8443/v1/certificate/"
- requestTimeout: "30000"
- outputType: "P12"
certPostProcessor:
image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
diff --git a/kubernetes/common/dgbuilder/requirements.yaml b/kubernetes/common/dgbuilder/requirements.yaml
index 0157b7063e..1bbab11af4 100644
--- a/kubernetes/common/dgbuilder/requirements.yaml
+++ b/kubernetes/common/dgbuilder/requirements.yaml
@@ -22,3 +22,6 @@ dependencies:
- name: repositoryGenerator
version: ~8.x-0
repository: 'file://../repositoryGenerator'
+ - name: serviceAccount
+ version: ~8.x-0
+ repository: 'file://../serviceAccount'
diff --git a/kubernetes/common/dgbuilder/templates/deployment.yaml b/kubernetes/common/dgbuilder/templates/deployment.yaml
index ad3e4cf128..6538ad0836 100644
--- a/kubernetes/common/dgbuilder/templates/deployment.yaml
+++ b/kubernetes/common/dgbuilder/templates/deployment.yaml
@@ -128,6 +128,7 @@ spec:
affinity:
{{ toYaml .Values.affinity | indent 10 }}
{{- end }}
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
{{ include "common.certInitializer.volumes" . | nindent 8 }}
- name: localtime
diff --git a/kubernetes/common/dgbuilder/values.yaml b/kubernetes/common/dgbuilder/values.yaml
index ae1d85795d..0f91bbd882 100644
--- a/kubernetes/common/dgbuilder/values.yaml
+++ b/kubernetes/common/dgbuilder/values.yaml
@@ -186,3 +186,8 @@ resources:
memory: 4Gi
unlimited: {}
+#Pods Service Account
+serviceAccount:
+ nameOverride: dgbuilder
+ roles:
+ - read
diff --git a/kubernetes/common/mariadb-init/resources/config/db_init.sh b/kubernetes/common/mariadb-init/resources/config/db_init.sh
index fa4b007a5a..f130bb5118 100755
--- a/kubernetes/common/mariadb-init/resources/config/db_init.sh
+++ b/kubernetes/common/mariadb-init/resources/config/db_init.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+
{{/*
# Copyright © 2019 Orange
# Copyright © 2020 Samsung Electronics
@@ -22,8 +23,15 @@ set -e
while read DB ; do
USER_VAR="MYSQL_USER_${DB^^}"
PASS_VAR="MYSQL_PASSWORD_${DB^^}"
- USER=${!USER_VAR}
- PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"`
+{{/*
+ # USER=${!USER_VAR}
+ # PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"`
+ # eval replacement of the bashism equivalents above might present a security issue here
+ # since it reads content from DB values filled by helm at the end of the script.
+ # These possible values has to be constrainted and/or limited by helm for a safe use of eval.
+*/}}
+ eval USER=\$$USER_VAR
+ PASS=$(eval echo -n \$$PASS_VAR | sed -e "s/'/''/g")
MYSQL_OPTS=( -h ${DB_HOST} -P ${DB_PORT} -uroot -p${MYSQL_ROOT_PASSWORD} )
echo "Creating database ${DB} and user ${USER}..."
diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
index 91f21ab0c9..488db054a0 100644
--- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl
+++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
@@ -83,10 +83,6 @@
{{- include "repositoryGenerator.image._helper" (merge (dict "image" "curlImage") .) }}
{{- end -}}
-{{- define "repositoryGenerator.image.certserviceclient" -}}
- {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }}
-{{- end -}}
-
{{- define "repositoryGenerator.image.dcaepolicysync" -}}
{{- include "repositoryGenerator.image._helper" (merge (dict "image" "dcaePolicySyncImage") .) }}
{{- end -}}
@@ -143,7 +139,7 @@
{{/* Our version of helm doesn't support deepCopy so we need this nasty trick */}}
{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
{{- $repoCreds := "" }}
- {{- if $subchartDot.Values.global.dockerHubRepositoryCred }}
+ {{- if $subchartDot.Values.global.repositoryCred }}
{{- $repo := $subchartDot.Values.global.repository }}
{{- $cred := $subchartDot.Values.global.repositoryCred }}
{{- $mail := default "@" $cred.mail }}
diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml
index 8a68f6dd9c..bf21e2da08 100644
--- a/kubernetes/common/repositoryGenerator/values.yaml
+++ b/kubernetes/common/repositoryGenerator/values.yaml
@@ -23,7 +23,6 @@ global:
# common global images
busyboxImage: busybox:1.32
curlImage: curlimages/curl:7.69.1
- certServiceClientImage: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
envsubstImage: dibi/envsubst:1
# there's only latest image for htpasswd
htpasswdImage: xmartlabs/htpasswd:latest
@@ -56,7 +55,6 @@ global:
imageRepoMapping:
busyboxImage: dockerHubRepository
curlImage: dockerHubRepository
- certServiceClientImage: repository
envsubstImage: dockerHubRepository
htpasswdImage: dockerHubRepository
jreImage: repository