diff options
Diffstat (limited to 'kubernetes/common')
13 files changed, 28 insertions, 269 deletions
diff --git a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh index 5b652228a6..5f23a89867 100644 --- a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh +++ b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh @@ -1,4 +1,5 @@ #!/bin/bash + set -e # first arg is `-f` or `--some-option` @@ -11,7 +12,7 @@ fi if [ "$1" = 'cassandra' -a "$(id -u)" = '0' ]; then find /var/lib/cassandra /var/log/cassandra "$CASSANDRA_CONFIG" \ \! -user cassandra -exec chown cassandra '{}' + - exec gosu cassandra "$BASH_SOURCE" "$@" + exec gosu cassandra "$0" "$@" fi _ip_address() { @@ -71,7 +72,8 @@ if [ "$1" = 'cassandra' ]; then authenticator \ ; do var="CASSANDRA_${yaml^^}" - val="${!var}" + # eval presents no security issue here because of limited possible values of var + eval val=\$$var if [ "$val" ]; then _sed-in-place "$CASSANDRA_CONFIG/cassandra.yaml" \ -r 's/^(# )?('"$yaml"':).*/\2 '"$val"'/' @@ -80,7 +82,8 @@ if [ "$1" = 'cassandra' ]; then for rackdc in dc rack; do var="CASSANDRA_${rackdc^^}" - val="${!var}" + # eval presents no security issue here because of limited possible values of var + eval val=\$$var if [ "$val" ]; then _sed-in-place "$CASSANDRA_CONFIG/cassandra-rackdc.properties" \ -r 's/^('"$rackdc"'=).*/\1 '"$val"'/' diff --git a/kubernetes/common/cmpv2Certificate/Chart.yaml b/kubernetes/common/cmpv2Certificate/Chart.yaml deleted file mode 100644 index 6641ec6954..0000000000 --- a/kubernetes/common/cmpv2Certificate/Chart.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright © 2021 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -description: Template used to add cmpv2 certificates to components -name: cmpv2Certificate -version: 8.0.0 diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/cmpv2Certificate/requirements.yaml deleted file mode 100644 index b10896d2ce..0000000000 --- a/kubernetes/common/cmpv2Certificate/requirements.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright © 2021 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -dependencies: - - name: common - version: ~8.x-0 - repository: 'file://../common' - - name: repositoryGenerator - version: ~8.x-0 - repository: 'file://../repositoryGenerator' - - name: cmpv2Config - version: ~8.x-0 - repository: 'file://../cmpv2Config' diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl deleted file mode 100644 index f80b06b4d3..0000000000 --- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl +++ /dev/null @@ -1,189 +0,0 @@ -{{/* -# Copyright © 2021 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{/* -In order to use certServiceClient it is needed do define certificates array in target component values.yaml. Each -certificate will be requested from separate init container - -Minimum example of array in target component values.yaml: -certificates: - - mountPath: /var/custom-certs - commonName: common-name - -Full example (other fields are ignored): -certificates: - - mountPath: /var/custom-certs - caName: RA - keystore: - outputType: - - jks - commonName: common-name - dnsNames: - - dns-name-1 - - dns-name-2 - ipAddresses: - - 192.168.0.1 - - 192.168.0.2 - emailAddresses: - - email-1@onap.org - - email-2@onap.org - uris: - - http://uri-1.onap.org - - http://uri-2.onap.org - subject: - organization: Linux-Foundation - country: US - locality: San Francisco - province: California - organizationalUnit: ONAP - -There also need to be some includes used in a target component deployment (indent values may need to be adjusted): - 1. In initContainers section: - {{ include "common.certServiceClient.initContainer" . | indent 6 }} - 2. In volumeMounts section of container using certificates: - {{ include "common.certServiceClient.volumeMounts" . | indent 10 }} - 3. In volumes section: - {{ include "common.certServiceClient.volumes" . | indent 8 }} - -*/}} - -{{- define "common.certServiceClient.initContainer" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} -{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} -{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} -{{- range $index, $certificate := $dot.Values.certificates -}} -{{/*# General certifiacate attributes #*/}} -{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}} -{{/*# SAN's #*/}} -{{- $dnsNames := default (list) $certificate.dnsNames -}} -{{- $ipAddresses := default (list) $certificate.ipAddresses -}} -{{- $uris := default (list) $certificate.uris -}} -{{- $emailAddresses := default (list) $certificate.emailAddresses -}} -{{- $sansList := concat $dnsNames $ipAddresses $uris $emailAddresses -}} -{{- $sans := join "," $sansList }} -{{/*# Subject #*/}} -{{- $organization := $subchartGlobal.certificate.default.subject.organization -}} -{{- $country := $subchartGlobal.certificate.default.subject.country -}} -{{- $locality := $subchartGlobal.certificate.default.subject.locality -}} -{{- $province := $subchartGlobal.certificate.default.subject.province -}} -{{- $orgUnit := $subchartGlobal.certificate.default.subject.organizationalUnit -}} -{{- if $certificate.subject -}} -{{- $organization := $certificate.subject.organization -}} -{{- $country := $certificate.subject.country -}} -{{- $locality := $certificate.subject.locality -}} -{{- $province := $certificate.subject.province -}} -{{- $orgUnit := $certificate.subject.organizationalUnit -}} -{{- end -}} -{{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}} -{{- $outputType := $subchartGlobal.platform.certServiceClient.envVariables.outputType -}} -{{- if $certificate.keystore -}} -{{- $outputTypeList := (required "'outputType' in 'keystore' section is required." $certificate.keystore.outputType) -}} -{{- $outputType = mustFirst ($outputTypeList) | upper -}} -{{- end -}} -{{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}} -{{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}} -{{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}} -{{- $certificatesSecret:= $subchartGlobal.platform.certServiceClient.clientSecretName -}} -{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath -}} -{{- $keystorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.keystoreKeyRef ) -}} -{{- $keystorePasswordSecret := $subchartGlobal.platform.certificates.keystorePasswordSecretName -}} -{{- $keystorePasswordSecretKey := $subchartGlobal.platform.certificates.keystorePasswordSecretKey -}} -{{- $truststorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.truststoreKeyRef ) -}} -{{- $truststorePasswordSecret := $subchartGlobal.platform.certificates.truststorePasswordSecretName -}} -{{- $truststorePasswordSecretKey := $subchartGlobal.platform.certificates.truststorePasswordSecretKey -}} -- name: certs-init-{{ $index }} - image: {{ include "repositoryGenerator.image.certserviceclient" $dot }} - imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} - env: - - name: REQUEST_URL - value: {{ $requestUrl | quote }} - - name: REQUEST_TIMEOUT - value: {{ $requestTimeout | quote }} - - name: OUTPUT_PATH - value: {{ $certPath | quote }} - - name: OUTPUT_TYPE - value: {{ $outputType | quote }} - - name: CA_NAME - value: {{ $caName | quote }} - - name: COMMON_NAME - value: {{ $commonName | quote }} - - name: SANS - value: {{ $sans | quote }} - - name: ORGANIZATION - value: {{ $organization | quote }} - - name: ORGANIZATION_UNIT - value: {{ $orgUnit | quote }} - - name: LOCATION - value: {{ $locality | quote }} - - name: STATE - value: {{ $province | quote }} - - name: COUNTRY - value: {{ $country | quote }} - - name: KEYSTORE_PATH - value: {{ $keystorePath | quote }} - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ $keystorePasswordSecret | quote}} - key: {{ $keystorePasswordSecretKey | quote}} - - name: TRUSTSTORE_PATH - value: {{ $truststorePath | quote }} - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ $truststorePasswordSecret | quote}} - key: {{ $truststorePasswordSecretKey | quote}} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: {{ $certPath }} - name: cmpv2-certs-volume-{{ $index }} - - mountPath: {{ $certificatesSecretMountPath }} - name: certservice-tls-volume -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "common.certServiceClient.volumes" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} -{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} -{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} -{{- $certificatesSecretName := $subchartGlobal.platform.certificates.clientSecretName -}} -- name: certservice-tls-volume - secret: - secretName: {{ $certificatesSecretName }} -{{ range $index, $certificate := $dot.Values.certificates -}} -- name: cmpv2-certs-volume-{{ $index }} - emptyDir: - medium: Memory -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "common.certServiceClient.volumeMounts" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} -{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} -{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} -{{- range $index, $certificate := $dot.Values.certificates -}} -{{- $mountPath := $certificate.mountPath -}} -- mountPath: {{ $mountPath }} - name: cmpv2-certs-volume-{{ $index }} -{{ end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/cmpv2Certificate/values.yaml deleted file mode 100644 index 504947525d..0000000000 --- a/kubernetes/common/cmpv2Certificate/values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright © 2021 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index 695e40616c..02595b348d 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml @@ -15,7 +15,6 @@ global: # Enabling CMPv2 cmpv2Enabled: true - CMPv2CertManagerIntegration: false certificate: default: @@ -35,17 +34,6 @@ global: keystorePasswordSecretKey: password truststorePasswordSecretName: oom-cert-service-truststore-password truststorePasswordSecretKey: password - certServiceClient: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 - certificatesSecretMountPath: /etc/onap/oom/certservice/certs/ - envVariables: - certPath: "/var/custom-certs" - # Certificate related - caName: "RA" - # Client configuration related - requestURL: "https://oom-cert-service:8443/v1/certificate/" - requestTimeout: "30000" - outputType: "P12" certPostProcessor: image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 diff --git a/kubernetes/common/dgbuilder/requirements.yaml b/kubernetes/common/dgbuilder/requirements.yaml index 0157b7063e..1bbab11af4 100644 --- a/kubernetes/common/dgbuilder/requirements.yaml +++ b/kubernetes/common/dgbuilder/requirements.yaml @@ -22,3 +22,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~8.x-0 + repository: 'file://../serviceAccount' diff --git a/kubernetes/common/dgbuilder/templates/deployment.yaml b/kubernetes/common/dgbuilder/templates/deployment.yaml index ad3e4cf128..6538ad0836 100644 --- a/kubernetes/common/dgbuilder/templates/deployment.yaml +++ b/kubernetes/common/dgbuilder/templates/deployment.yaml @@ -128,6 +128,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: localtime diff --git a/kubernetes/common/dgbuilder/values.yaml b/kubernetes/common/dgbuilder/values.yaml index ae1d85795d..0f91bbd882 100644 --- a/kubernetes/common/dgbuilder/values.yaml +++ b/kubernetes/common/dgbuilder/values.yaml @@ -186,3 +186,8 @@ resources: memory: 4Gi unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: dgbuilder + roles: + - read diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index 4c77efc83f..ed9977acd9 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -86,9 +86,10 @@ service: ## type: ClusterIP headless: {} + internalPort: &dbPort 3306 ports: - name: mysql - port: 3306 + port: *dbPort headlessPorts: - name: galera port: 4567 diff --git a/kubernetes/common/mariadb-init/resources/config/db_init.sh b/kubernetes/common/mariadb-init/resources/config/db_init.sh index fa4b007a5a..f130bb5118 100755 --- a/kubernetes/common/mariadb-init/resources/config/db_init.sh +++ b/kubernetes/common/mariadb-init/resources/config/db_init.sh @@ -1,4 +1,5 @@ #!/bin/bash + {{/* # Copyright © 2019 Orange # Copyright © 2020 Samsung Electronics @@ -22,8 +23,15 @@ set -e while read DB ; do USER_VAR="MYSQL_USER_${DB^^}" PASS_VAR="MYSQL_PASSWORD_${DB^^}" - USER=${!USER_VAR} - PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"` +{{/* + # USER=${!USER_VAR} + # PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"` + # eval replacement of the bashism equivalents above might present a security issue here + # since it reads content from DB values filled by helm at the end of the script. + # These possible values has to be constrainted and/or limited by helm for a safe use of eval. +*/}} + eval USER=\$$USER_VAR + PASS=$(eval echo -n \$$PASS_VAR | sed -e "s/'/''/g") MYSQL_OPTS=( -h ${DB_HOST} -P ${DB_PORT} -uroot -p${MYSQL_ROOT_PASSWORD} ) echo "Creating database ${DB} and user ${USER}..." diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index 95cbd20a4b..211cf1c599 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl @@ -92,10 +92,6 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "curlImage") .) }} {{- end -}} -{{- define "repositoryGenerator.image.certserviceclient" -}} - {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }} -{{- end -}} - {{- define "repositoryGenerator.image.dcaepolicysync" -}} {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dcaePolicySyncImage") .) }} {{- end -}} @@ -152,7 +148,7 @@ {{/* Our version of helm doesn't support deepCopy so we need this nasty trick */}} {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} {{- $repoCreds := "" }} - {{- if $subchartDot.Values.global.dockerHubRepositoryCred }} + {{- if $subchartDot.Values.global.repositoryCred }} {{- $repo := $subchartDot.Values.global.repository }} {{- $cred := $subchartDot.Values.global.repositoryCred }} {{- $mail := default "@" $cred.mail }} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index 3fdf76d8af..2a01112ce6 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml @@ -24,7 +24,6 @@ global: # common global images busyboxImage: busybox:1.32 curlImage: curlimages/curl:7.69.1 - certServiceClientImage: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 envsubstImage: dibi/envsubst:1 # there's only latest image for htpasswd htpasswdImage: xmartlabs/htpasswd:latest @@ -57,7 +56,6 @@ global: imageRepoMapping: busyboxImage: dockerHubRepository curlImage: dockerHubRepository - certServiceClientImage: repository envsubstImage: dockerHubRepository htpasswdImage: dockerHubRepository jreImage: repository |