summaryrefslogtreecommitdiffstats
path: root/kubernetes/portal
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/portal')
-rw-r--r--kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml2
-rwxr-xr-xkubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties6
-rw-r--r--kubernetes/portal/components/portal-app/templates/deployment.yaml23
-rw-r--r--kubernetes/portal/components/portal-app/values.yaml12
-rw-r--r--kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh446
-rw-r--r--kubernetes/portal/components/portal-mariadb/templates/deployment.yaml12
-rw-r--r--kubernetes/portal/components/portal-mariadb/templates/secrets.yaml3
-rw-r--r--kubernetes/portal/components/portal-mariadb/values.yaml7
-rw-r--r--kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml2
-rwxr-xr-xkubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties6
-rw-r--r--kubernetes/portal/components/portal-sdk/templates/deployment.yaml23
-rw-r--r--kubernetes/portal/components/portal-sdk/values.yaml12
-rw-r--r--kubernetes/portal/components/portal-widget/values.yaml2
-rw-r--r--kubernetes/portal/values.yaml20
14 files changed, 421 insertions, 155 deletions
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml
index ece708914e..e707e259ca 100644
--- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml
+++ b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml
@@ -69,7 +69,7 @@
value="%X{MetricsLogBeginTimestamp}|%X{MetricsLogEndTimestamp}|%X{RequestId}|%X{ServiceInstanceId}|%thread|%X{VirtualServerName}|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%.-5level|%X{AlertSeverity}|%X{ServerIPAddress}|%X{Timer}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ClassName}|%X{Unused}|%X{ProcessKey}|%X{TargetVisualEntity}|%X{CustomField1}|%X{CustomField2}|%X{CustomField3}|%X{CustomField4}| %msg%n" />
<property name="errorLoggerPattern"
- value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{AlertSeverity}|%X{ErrorCode}|%X{ErrorDescription}| %msg%n" />
+ value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{ErrorCategory}|%X{ErrorCode}|%X{ErrorDescription}| %msg%n" />
<property name="defaultLoggerPattern"
value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%X{ClassName}| %msg%n" />
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties
index b5b4e48b97..c8a292f60b 100755
--- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties
+++ b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties
@@ -16,8 +16,8 @@
#mysql
db.driver = org.mariadb.jdbc.Driver
db.connectionURL = jdbc:mariadb:failover://portal-db:3306/portal
-db.userName =root
-db.password =Aa123456
+db.userName =${PORTAL_DB_USER}
+db.password =${PORTAL_DB_PASSWORD}
db.hib.dialect = org.hibernate.dialect.MySQLDialect
db.min_pool_size = 5
db.max_pool_size = 10
@@ -122,4 +122,4 @@ remote_centralized_system_access = {{.Values.global.aafEnabled}}
ext_central_access_user_name = aaf_admin@people.osaaf.org
ext_central_access_password = demo123456!
ext_central_access_url = {{.Values.aafURL}}
-ext_central_access_user_domain = @people.osaaf.org \ No newline at end of file
+ext_central_access_user_domain = @people.osaaf.org
diff --git a/kubernetes/portal/components/portal-app/templates/deployment.yaml b/kubernetes/portal/components/portal-app/templates/deployment.yaml
index 0be1fdc91f..8c434c55ff 100644
--- a/kubernetes/portal/components/portal-app/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-app/templates/deployment.yaml
@@ -52,8 +52,23 @@ spec:
- name: {{ include "common.name" . }}-portal-config
image: "{{ .Values.global.envsubstImage }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command: ["/bin/sh"]
- args: [ "-c", "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"]
+ command:
+ - sh
+ args:
+ - "-c"
+ - |
+ cd /config-input && \
+ for PFILE in `ls -1 *.xml`
+ do
+ cp ${PFILE} /config
+ chmod 0755 /config/${PFILE}
+ done
+ cd /config-input && \
+ for PFILE in `ls -1 *.properties`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ chmod 0755 /config/${PFILE}
+ done
env:
- name: CASSA_USER
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }}
@@ -61,6 +76,10 @@ spec:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }}
- name: CIPHER_ENC_KEY
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }}
+ - name: PORTAL_DB_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }}
+ - name: PORTAL_DB_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }}
volumeMounts:
- mountPath: /config-input
name: properties-onapportal-scrubbed
diff --git a/kubernetes/portal/components/portal-app/values.yaml b/kubernetes/portal/components/portal-app/values.yaml
index 55a7ccca38..3f55f4a08e 100644
--- a/kubernetes/portal/components/portal-app/values.yaml
+++ b/kubernetes/portal/components/portal-app/values.yaml
@@ -43,6 +43,12 @@ secrets:
externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}'
password: '{{ .Values.config.cipherEncKey }}'
passwordPolicy: required
+ - uid: portal-backend-db
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}'
+ login: '{{ .Values.mariadb.config.backendUserName }}'
+ password: '{{ .Values.mariadb.config.backendPassword }}'
+ passwordPolicy: required
#################################################################
# Application configuration defaults.
@@ -50,7 +56,7 @@ secrets:
# application image
repository: nexus3.onap.org:10001
-image: onap/portal-app:3.2.3
+image: onap/portal-app:3.4.1
pullPolicy: Always
# application configuration
@@ -120,6 +126,10 @@ service:
mariadb:
service:
name: portal-db
+ config:
+ # backendDbExternalSecret: some secret
+ backendUserName: portal
+ backendPassword: portal
widget:
service:
name: portal-widget
diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
index 28fcee1551..390241fa1d 100644
--- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
+++ b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
@@ -2,21 +2,21 @@
set -eo pipefail
shopt -s nullglob
-# if command starts with an option, prepend mysqld
-if [ "${1:0:1}" = '-' ]; then
- set -- mysqld "$@"
-fi
-
-# skip setup if they want an option that stops mysqld
-wantHelp=
-for arg; do
- case "$arg" in
- -'?'|--help|--print-defaults|-V|--version)
- wantHelp=1
- break
- ;;
- esac
-done
+# logging functions
+mysql_log() {
+ local type="$1"; shift
+ printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*"
+}
+mysql_note() {
+ mysql_log Note "$@"
+}
+mysql_warn() {
+ mysql_log Warn "$@" >&2
+}
+mysql_error() {
+ mysql_log ERROR "$@" >&2
+ exit 1
+}
# usage: file_env VAR [DEFAULT]
# ie: file_env 'XYZ_DB_PASSWORD' 'example'
@@ -27,8 +27,7 @@ file_env() {
local fileVar="${var}_FILE"
local def="${2:-}"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
- exit 1
+ mysql_error "Both $var and $fileVar are set (but are exclusive)"
fi
local val="$def"
if [ "${!var:-}" ]; then
@@ -40,157 +39,328 @@ file_env() {
unset "$fileVar"
}
-_check_config() {
- toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" )
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions
+docker_process_init_files() {
+ # mysql here for backwards compatibility "${mysql[@]}"
+ mysql=( docker_process_sql )
+
+ echo
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ mysql_note "$0: running $f"
+ "$f"
+ else
+ mysql_note "$0: sourcing $f"
+ . "$f"
+ fi
+ ;;
+ *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;;
+ *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;;
+ *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;;
+ *) mysql_warn "$0: ignoring $f" ;;
+ esac
+ echo
+ done
+}
+
+mysql_check_config() {
+ local toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) errors
if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then
- cat >&2 <<-EOM
- ERROR: mysqld failed while attempting to check config
- command was: "${toRun[*]}"
- $errors
- EOM
- exit 1
+ mysql_error $'mysqld failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors"
fi
}
# Fetch value from server config
# We use mysqld --verbose --help instead of my_print_defaults because the
# latter only show values present in config files, and not server defaults
-_get_config() {
+mysql_get_config() {
local conf="$1"; shift
"$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \
- | awk '$1 == "'"$conf"'" && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
+ | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
# match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)"
}
-# allow the container to be started with `--user`
-if [ "$1" = 'mysqld' -a -z "$wantHelp" -a "$(id -u)" = '0' ]; then
- _check_config "$@"
- DATADIR="$(_get_config 'datadir' "$@")"
+# Do a temporary startup of the MySQL server, for init purposes
+docker_temp_server_start() {
+ "$@" --skip-networking --socket="${SOCKET}" &
+ mysql_note "Waiting for server startup"
+ local i
+ for i in {30..0}; do
+ # only use the root password if the database has already been initializaed
+ # so that it won't try to fill in a password file when it hasn't been set yet
+ extraArgs=()
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ extraArgs+=( '--dont-use-mysql-root-password' )
+ fi
+ if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then
+ break
+ fi
+ sleep 1
+ done
+ if [ "$i" = 0 ]; then
+ mysql_error "Unable to start server."
+ fi
+}
+
+# Stop the server. When using a local socket file mysqladmin will block until
+# the shutdown is complete.
+docker_temp_server_stop() {
+ if ! mysqladmin --defaults-extra-file=<( _mysql_passfile ) shutdown -uroot --socket="${SOCKET}"; then
+ mysql_error "Unable to shut down server."
+ fi
+}
+
+# Verify that the minimally required password settings are set for new databases.
+docker_verify_minimum_env() {
+ if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
+ mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD'
+ fi
+}
+
+# creates folders for the database
+# also ensures permission for user mysql of run as root
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ # TODO other directories that are used by default? like /var/lib/mysql-files
+ # see https://github.com/docker-library/mysql/issues/562
mkdir -p "$DATADIR"
- find "$DATADIR" \! -user mysql -exec chown mysql '{}' +
- exec gosu mysql "$BASH_SOURCE" "$@"
-fi
-if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then
- # still need to check config, container may have started with --user
- _check_config "$@"
+ if [ "$user" = "0" ]; then
+ # this will cause less disk access than `chown -R`
+ find "$DATADIR" \! -user mysql -exec chown mysql '{}' +
+ fi
+}
+
+# initializes the database directory
+docker_init_database_dir() {
+ mysql_note "Initializing database files"
+ installArgs=( --datadir="$DATADIR" --rpm )
+ if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then
+ # beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password
+ # see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3
+ # (this flag doesn't exist in 10.0 and below)
+ installArgs+=( --auth-root-authentication-method=normal )
+ fi
+ # "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here)
+ mysql_install_db "${installArgs[@]}" "${@:2}"
+ mysql_note "Database files initialized"
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called after mysql_check_config, but before any other functions
+docker_setup_env() {
# Get config
- DATADIR="$(_get_config 'datadir' "$@")"
-
- if [ ! -d "$DATADIR/mysql" ]; then
- file_env 'MYSQL_ROOT_PASSWORD'
- if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
- echo >&2 'error: database is uninitialized and password option is not specified '
- echo >&2 ' You need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD'
- exit 1
- fi
+ declare -g DATADIR SOCKET
+ DATADIR="$(mysql_get_config 'datadir' "$@")"
+ SOCKET="$(mysql_get_config 'socket' "$@")"
- mkdir -p "$DATADIR"
+ # Initialize values that might be stored in a file
+ file_env 'MYSQL_ROOT_HOST' '%'
+ file_env 'MYSQL_DATABASE'
+ file_env 'MYSQL_USER'
+ file_env 'MYSQL_PASSWORD'
+ file_env 'MYSQL_ROOT_PASSWORD'
+ file_env 'PORTAL_DB_TABLES'
- echo 'Initializing database'
- installArgs=( --datadir="$DATADIR" --rpm )
- if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then
- # beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password
- # see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3
- # (this flag doesn't exist in 10.0 and below)
- installArgs+=( --auth-root-authentication-method=normal )
- fi
- # "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here)
- mysql_install_db "${installArgs[@]}" "${@:2}"
- echo 'Database initialized'
-
- SOCKET="$(_get_config 'socket' "$@")"
- "$@" --skip-networking --socket="${SOCKET}" &
- pid="$!"
-
- mysql=( mysql --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" )
-
- for i in {60..0}; do
- if echo 'SELECT 1' | "${mysql[@]}" &> /dev/null; then
- break
- fi
- echo 'MySQL init process in progress...'
- sleep 1
- done
- if [ "$i" = 0 ]; then
- echo >&2 'MySQL init process failed.'
- exit 1
- fi
+ declare -g DATABASE_ALREADY_EXISTS
+ if [ -d "$DATADIR/mysql" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
- if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then
- # sed is for https://bugs.mysql.com/bug.php?id=20545
- mysql_tzinfo_to_sql /usr/share/zoneinfo | sed 's/Local time zone must be set--see zic manual page/FCTY/' | "${mysql[@]}" mysql
- fi
+# Execute sql script, passed via stdin
+# usage: docker_process_sql [--dont-use-mysql-root-password] [mysql-cli-args]
+# ie: docker_process_sql --database=mydb <<<'INSERT ...'
+# ie: docker_process_sql --dont-use-mysql-root-password --database=mydb <my-file.sql
+docker_process_sql() {
+ passfileArgs=()
+ if [ '--dont-use-mysql-root-password' = "$1" ]; then
+ passfileArgs+=( "$1" )
+ shift
+ fi
+ # args sent in can override this db, since they will be later in the command
+ if [ -n "$MYSQL_DATABASE" ]; then
+ set -- --database="$MYSQL_DATABASE" "$@"
+ fi
- if [ ! -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
- export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)"
- echo "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD"
- fi
+ mysql --defaults-extra-file=<( _mysql_passfile "${passfileArgs[@]}") --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@"
+}
- rootCreate=
- # default root to listen for connections from anywhere
- file_env 'MYSQL_ROOT_HOST' '%'
- if [ ! -z "$MYSQL_ROOT_HOST" -a "$MYSQL_ROOT_HOST" != 'localhost' ]; then
- # no, we don't care if read finds a terminating character in this heredoc
- # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151
- read -r -d '' rootCreate <<-EOSQL || true
- CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
- GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ;
- EOSQL
- fi
+# Initializes database with timezone info and root password, plus optional extra db/user
+docker_setup_db() {
+ # Load timezone info into database
+ if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then
+ {
+ # Aria in 10.4+ is slow due to "transactional" (crash safety)
+ # https://jira.mariadb.org/browse/MDEV-23326
+ # https://github.com/docker-library/mariadb/issues/262
+ local tztables=( time_zone time_zone_leap_second time_zone_name time_zone_transition time_zone_transition_type )
+ for table in "${tztables[@]}"; do
+ echo "/*!100400 ALTER TABLE $table TRANSACTIONAL=0 */;"
+ done
- "${mysql[@]}" <<-EOSQL
- -- What's done in this file shouldn't be replicated
- -- or products like mysql-fabric won't work
- SET @@SESSION.SQL_LOG_BIN=0;
- DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
- SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;
- GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
- ${rootCreate}
- DROP DATABASE IF EXISTS test ;
- FLUSH PRIVILEGES ;
+ # sed is for https://bugs.mysql.com/bug.php?id=20545
+ mysql_tzinfo_to_sql /usr/share/zoneinfo \
+ | sed 's/Local time zone must be set--see zic manual page/FCTY/'
+
+ for table in "${tztables[@]}"; do
+ echo "/*!100400 ALTER TABLE $table TRANSACTIONAL=1 */;"
+ done
+ } | docker_process_sql --dont-use-mysql-root-password --database=mysql
+ # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet
+ fi
+ # Generate random root password
+ if [ -n "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
+ export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)"
+ mysql_note "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD"
+ fi
+ # Sets root password and creates root users for non-localhost hosts
+ local rootCreate=
+ # default root to listen for connections from anywhere
+ if [ -n "$MYSQL_ROOT_HOST" ] && [ "$MYSQL_ROOT_HOST" != 'localhost' ]; then
+ # no, we don't care if read finds a terminating character in this heredoc
+ # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151
+ read -r -d '' rootCreate <<-EOSQL || true
+ CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
+ GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ;
EOSQL
+ fi
- if [ ! -z "$MYSQL_ROOT_PASSWORD" ]; then
- mysql+=( -p"${MYSQL_ROOT_PASSWORD}" )
- fi
+ # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is just now being set
+ docker_process_sql --dont-use-mysql-root-password --database=mysql <<-EOSQL
+ -- What's done in this file shouldn't be replicated
+ -- or products like mysql-fabric won't work
+ SET @@SESSION.SQL_LOG_BIN=0;
- file_env 'MYSQL_DATABASE'
- if [ "$MYSQL_DATABASE" ]; then
- echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" | "${mysql[@]}"
- mysql+=( "$MYSQL_DATABASE" )
- fi
+ DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mariadb.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
+ SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;
+ -- 10.1: https://github.com/MariaDB/server/blob/d925aec1c10cebf6c34825a7de50afe4e630aff4/scripts/mysql_secure_installation.sh#L347-L365
+ -- 10.5: https://github.com/MariaDB/server/blob/00c3a28820c67c37ebbca72691f4897b57f2eed5/scripts/mysql_secure_installation.sh#L351-L369
+ DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%' ;
- file_env 'MYSQL_USER'
- file_env 'MYSQL_PASSWORD'
- if [ "$MYSQL_USER" -a "$MYSQL_PASSWORD" ]; then
- echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" | "${mysql[@]}"
+ GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
+ FLUSH PRIVILEGES ;
+ ${rootCreate}
+ DROP DATABASE IF EXISTS test ;
+ EOSQL
- if [ "$MYSQL_DATABASE" ]; then
- echo "GRANT ALL ON \`$MYSQL_DATABASE\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"
- fi
+ # Creates a custom database and user if specified
+ if [ -n "$MYSQL_DATABASE" ]; then
+ mysql_note "Creating database ${MYSQL_DATABASE}"
+ docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;"
+ fi
+
+ if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then
+ mysql_note "Creating user ${MYSQL_USER}"
+ docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;"
+
+ if [ -n "$MYSQL_DATABASE" ]; then
+ mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}"
+ docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;"
fi
- echo
- for f in /docker-entrypoint-initdb.d/*; do
- case "$f" in
- *.sh) echo "$0: running $f"; . "$f" ;;
- *.sql) echo "$0: running $f"; "${mysql[@]}" < "$f"; echo ;;
- *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${mysql[@]}"; echo ;;
- *) echo "$0: ignoring $f" ;;
- esac
- echo
- done
+ docker_process_sql --database=mysql <<<"FLUSH PRIVILEGES ;"
+ fi
+}
- if ! kill -s TERM "$pid" || ! wait "$pid"; then
- echo >&2 'MySQL init process failed.'
- exit 1
+_mysql_passfile() {
+ # echo the password to the "file" the client uses
+ # the client command will use process substitution to create a file on the fly
+ # ie: --defaults-extra-file=<( _mysql_passfile )
+ if [ '--dont-use-mysql-root-password' != "$1" ] && [ -n "$MYSQL_ROOT_PASSWORD" ]; then
+ cat <<-EOF
+ [client]
+ password="${MYSQL_ROOT_PASSWORD}"
+ EOF
+ fi
+}
+
+# check arguments for an option that would cause mysqld to stop
+# return true if there is one
+_mysql_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ -'?'|--help|--print-defaults|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if command starts with an option, prepend mysqld
+ if [ "${1:0:1}" = '-' ]; then
+ set -- mysqld "$@"
+ fi
+
+ # skip setup if they aren't running mysqld or want an option that stops mysqld
+ if [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then
+ mysql_note "Entrypoint script for MySQL Server ${MARIADB_VERSION} started."
+
+ mysql_check_config "$@"
+ # Load various environment variables
+ docker_setup_env "$@"
+ docker_create_db_directories
+
+ # If container is started as root user, restart as dedicated mysql user
+ if [ "$(id -u)" = "0" ]; then
+ mysql_note "Switching to dedicated user 'mysql'"
+ exec gosu mysql "$BASH_SOURCE" "$@"
fi
- echo
- echo 'MySQL init process done. Ready for start up.'
- echo
+ # there's no database, so it needs to be initialized
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir "$@"
+
+ mysql_note "Starting temporary server"
+ docker_temp_server_start "$@"
+ mysql_note "Temporary server started."
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ for i in $(echo $PORTAL_DB_TABLES | sed "s/,/ /g")
+ do
+ echo "Granting portal user ALL PRIVILEGES for table $i"
+ echo "GRANT ALL ON \`$i\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"
+ done
+
+ mysql_note "Stopping temporary server"
+ docker_temp_server_stop
+ mysql_note "Temporary server stopped"
+
+ echo
+ mysql_note "MySQL init process done. Ready for start up."
+ echo
+ fi
fi
-fi
+ exec "$@"
+}
-exec "$@" \ No newline at end of file
+# If we are sourced from elsewhere, don't perform any further actions
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml b/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml
index ec6cc50634..196a2d1ad4 100644
--- a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml
@@ -69,6 +69,18 @@ spec:
secretKeyRef:
name: {{ template "common.fullname" . }}
key: db-root-password
+ - name: MYSQL_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "common.fullname" . }}
+ key: backend-db-user
+ - name: MYSQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "common.fullname" . }}
+ key: backend-db-password
+ - name: PORTAL_DB_TABLES
+ value: {{ .Values.config.backend_portal_tables }}
volumeMounts:
- mountPath: /var/lib/mysql
name: mariadb-data
diff --git a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml b/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml
index ad1db77298..4415c5ebd0 100644
--- a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml
+++ b/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml
@@ -26,3 +26,6 @@ metadata:
type: Opaque
data:
db-root-password: {{ .Values.config.mariadbRootPassword | b64enc | quote }}
+stringData:
+ backend-db-user: {{ .Values.config.backendDbUser }}
+ backend-db-password: {{ .Values.config.backendDbPassword }}
diff --git a/kubernetes/portal/components/portal-mariadb/values.yaml b/kubernetes/portal/components/portal-mariadb/values.yaml
index 3435feb43e..5061593739 100644
--- a/kubernetes/portal/components/portal-mariadb/values.yaml
+++ b/kubernetes/portal/components/portal-mariadb/values.yaml
@@ -25,7 +25,7 @@ global: # global defaults
# application image
repository: nexus3.onap.org:10001
-image: onap/portal-db:3.2.3
+image: onap/portal-db:3.4.1
pullPolicy: Always
@@ -35,6 +35,11 @@ mariadbInitImage: "oomk8s/mariadb-client-init:3.0.0"
config:
mariadbUser: root
mariadbRootPassword: Aa123456
+ backendDbUser: portal
+ backendDbPassword: portal
+ #backend_portal_tables is a comma delimited string listing back-end tables
+ #that backendDbUser needs access to, such as to portal and ecomp_sdk tables
+ backend_portal_tables: portal,ecomp_sdk
#The directory where sql files are found in the projects gerrit repo.
sqlSourceDirectory: portal/deliveries
# sdc frontend assignment for port 9443
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml
index e1fee17381..2c2cd00f1c 100644
--- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml
+++ b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml
@@ -62,7 +62,7 @@
<!-- 1610 Logging Fields Format Revisions -->
<property name="auditLoggerPattern" value="%X{AuditLogBeginTimestamp}|%X{AuditLogEndTimestamp}|%X{RequestId}|%X{ServiceInstanceId}|%thread|%X{VirtualServerName}|%X{ServiceName}|%X{PartnerName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%.-5level|%X{AlertSeverity}|%X{ServerIPAddress}|%X{Timer}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ClassName}|%X{Unused}|%X{ProcessKey}|%X{CustomField1}|%X{CustomField2}|%X{CustomField3}|%X{CustomField4}| %msg%n" />
<property name="metricsLoggerPattern" value="%X{MetricsLogBeginTimestamp}|%X{MetricsLogEndTimestamp}|%X{RequestId}|%X{ServiceInstanceId}|%thread|%X{VirtualServerName}|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%.-5level|%X{AlertSeverity}|%X{ServerIPAddress}|%X{Timer}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ClassName}|%X{Unused}|%X{ProcessKey}|%X{TargetVisualEntity}|%X{CustomField1}|%X{CustomField2}|%X{CustomField3}|%X{CustomField4}| %msg%n" />
- <property name="errorLoggerPattern" value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{AlertSeverity}|%X{ErrorCode}|%X{ErrorDescription}| %msg%n" />
+ <property name="errorLoggerPattern" value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{ErrorCategory}|%X{ErrorCode}|%X{ErrorDescription}| %msg%n" />
<property name="defaultLoggerPattern" value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%X{ClassName}| %msg%n" />
<!-- use %class so library logging calls yield their class name -->
<property name="applicationLoggerPattern" value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%class{36}| %msg%n" />
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties
index 2a2ec59d5c..1faed41b85 100755
--- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties
+++ b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties
@@ -40,8 +40,8 @@ decryption_key = AGLDdG4D04BKm2IxIWEr8o==
db.driver = org.mariadb.jdbc.Driver
db.connectionURL = jdbc:mariadb://portal-db:3306/ecomp_sdk
-db.userName = root
-db.password = Aa123456
+db.userName =${PORTAL_DB_USER}
+db.password =${PORTAL_DB_PASSWORD}
db.min_pool_size = 5
db.max_pool_size = 10
hb.dialect = org.hibernate.dialect.MySQLDialect
@@ -90,4 +90,4 @@ remote_centralized_system_access = {{.Values.global.aafEnabled}}
ext_central_access_user_name = aaf_admin@people.osaaf.org
ext_central_access_password = demo123456!
ext_central_access_url = {{.Values.aafURL}}
-ext_central_access_user_domain = @people.osaaf.org \ No newline at end of file
+ext_central_access_user_domain = @people.osaaf.org
diff --git a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml b/kubernetes/portal/components/portal-sdk/templates/deployment.yaml
index f79098fade..52bf49b972 100644
--- a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-sdk/templates/deployment.yaml
@@ -52,8 +52,23 @@ spec:
- name: {{ include "common.name" . }}-portalsdk-config
image: "{{ .Values.global.envsubstImage }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command: ["/bin/sh"]
- args: [ "-c", "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"]
+ command:
+ - sh
+ args:
+ - "-c"
+ - |
+ cd /config-input && \
+ for PFILE in `ls -1 *.xml`
+ do
+ cp ${PFILE} /config
+ chmod 0755 /config/${PFILE}
+ done
+ cd /config-input && \
+ for PFILE in `ls -1 *.properties`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ chmod 0755 /config/${PFILE}
+ done
env:
- name: CASSA_USER
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }}
@@ -61,6 +76,10 @@ spec:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }}
- name: CIPHER_ENC_KEY
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }}
+ - name: PORTAL_DB_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }}
+ - name: PORTAL_DB_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }}
volumeMounts:
- mountPath: /config-input
name: properties-onapportalsdk-scrubbed
diff --git a/kubernetes/portal/components/portal-sdk/values.yaml b/kubernetes/portal/components/portal-sdk/values.yaml
index c0f1b58c9a..ae373a2f54 100644
--- a/kubernetes/portal/components/portal-sdk/values.yaml
+++ b/kubernetes/portal/components/portal-sdk/values.yaml
@@ -39,6 +39,12 @@ secrets:
login: '{{ .Values.cassandra.config.cassandraUsername }}'
password: '{{ .Values.cassandra.config.cassandraPassword }}'
passwordPolicy: required
+ - uid: portal-backend-db
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}'
+ login: '{{ .Values.mariadb.config.backendUserName }}'
+ password: '{{ .Values.mariadb.config.backendPassword }}'
+ passwordPolicy: required
- uid: cipher-enc-key
type: password
externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}'
@@ -51,7 +57,7 @@ secrets:
# application image
repository: nexus3.onap.org:10001
-image: onap/portal-sdk:3.2.0
+image: onap/portal-sdk:3.4.1
pullPolicy: Always
# application configuration
@@ -115,6 +121,10 @@ service:
mariadb:
service:
name: portal-db
+ config:
+ # backendDbExternalSecret: some secret
+ backendUserName: portal
+ backendPassword: portal
widget:
service:
name: portal-widget
diff --git a/kubernetes/portal/components/portal-widget/values.yaml b/kubernetes/portal/components/portal-widget/values.yaml
index 3afb4c6f60..94da33019c 100644
--- a/kubernetes/portal/components/portal-widget/values.yaml
+++ b/kubernetes/portal/components/portal-widget/values.yaml
@@ -28,7 +28,7 @@ global:
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/portal-wms:3.2.3
+image: onap/portal-wms:3.4.1
pullPolicy: Always
# flag to enable debugging - application support required
diff --git a/kubernetes/portal/values.yaml b/kubernetes/portal/values.yaml
index 2a760cdd98..0d4b023b12 100644
--- a/kubernetes/portal/values.yaml
+++ b/kubernetes/portal/values.yaml
@@ -32,12 +32,19 @@ secrets:
externalSecret: '{{ tpl (default "" .Values.config.casandraCredsExternalSecret) . }}'
login: '{{ .Values.config.cassandraUsername }}'
password: '{{ .Values.config.cassandraPassword }}'
+ - uid: portal-backend-db
+ name: &backendDbSecretName '{{ include "common.release" . }}-portal-backend-creds'
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}'
+ login: '{{ .Values.mariadb.config.backendUserName }}'
+ password: '{{ .Values.mariadb.config.backendPassword }}'
+ passwordPolicy: required
config:
logstashServiceName: log-ls
logstashPort: 5044
cassandraUsername: root
-# cassandraPassword: Aa123456
+ cassandraPassword: Aa123456
# casandraCredsExternalSecret: some secret
portal-mariadb:
@@ -45,6 +52,11 @@ portal-mariadb:
mariadb:
service:
name: portal-db
+ config:
+# backendDbExternalSecret: some secret
+ backendUserName: portal
+ backendPassword: portal
+
widget:
service:
name: portal-widget
@@ -54,10 +66,16 @@ cassandra:
config:
cassandraExternalSecret: *dbSecretName
portal-app:
+ mariadb:
+ config:
+ backendDbExternalSecret: *backendDbSecretName
cassandra:
config:
cassandraExternalSecret: *dbSecretName
portal-sdk:
+ mariadb:
+ config:
+ backendDbExternalSecret: *backendDbSecretName
cassandra:
config:
cassandraExternalSecret: *dbSecretName