From e74ed5cd24df70e1e9b137eadf8e32d5c89f236b Mon Sep 17 00:00:00 2001
From: Krzysztof Opasiak
Date: Thu, 23 Jan 2020 11:49:25 +0100
Subject: [APPC] Don't hardcode mariadb root password

You should never ever assume that secretpassword is a production ready password for your mariadb-galera instance. Instead let's just share a secret with our instance of mariadb-galera.

Issue-ID: OOM-2275
Change-Id: I25486ad81a2ec428dbbd379ab3529c84f55acc4b
Signed-off-by: Krzysztof Opasiak
---
.../config/appc/opt/onap/appc/bin/installAppcDb.sh | 3 +--
.../resources/config/appc/opt/onap/appc/bin/startODL.sh | 8 ++++----
.../config/appc/opt/onap/ccsdk/bin/installSdncDb.sh | 3 +--
kubernetes/appc/templates/secrets.yaml | 14 +-------------
kubernetes/appc/templates/statefulset.yaml | 5 +----
kubernetes/appc/values.yaml | 9 ++++++++-
6 files changed, 16 insertions(+), 26 deletions(-)

diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh
index b3cf868731..1b951d0406 100755
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh
+++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh
@@ -21,7 +21,7 @@

SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk}
APPC_HOME=${APPC_HOME:-/opt/onap/appc}
-MYSQL_PASSWD=${MYSQL_PASSWD:-{{.Values.config.mariadbRootPassword}}}
+MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD}
APPC_DB_USER=${APPC_DB_USER:-appcctl}
APPC_DB_PASSWD=${APPC_DB_PASSWD:-appcctl}

@@ -52,4 +52,3 @@ if [ -f ${APPC_HOME}/data/sqlData.dump ]
then
mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} sdnctl < ${APPC_HOME}/data/sqlData.dump
fi
-
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
index 22d38363c0..14689d5b11 100755
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
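Review bot: `MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD}` removes the fallback the old line had without putting a check in its place, so if the env var is missing from the pod the later `-u root -p${MYSQL_PASSWD}` collapses to a bare `-p`, which the mysql client treats as "prompt for the password" — the failure mode is a hang or a confusing auth error rather than a clear message. A fail-fast expansion, `MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD:?MYSQL_ROOT_PASSWORD is not set}`, turns that into an immediate, visible abort; the same line is introduced in installSdncDb.sh and startODL.sh and would benefit from the same guard. The neighbouring context lines still carry hard-coded defaults for the application accounts (`APPC_DB_PASSWD=${APPC_DB_PASSWD:-appcctl}` here, `SDNC_DB_PASSWD=${SDNC_DB_PASSWD:-gamma}` in installSdncDb.sh), which land in the rendered ConfigMap exactly as the root password used to, so the commit message's rationale appears to apply to them as well.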
+++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
@@ -54,7 +54,7 @@ ODL_HOME=${ODL_HOME:-/opt/opendaylight/current}
SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk}
APPC_HOME=${APPC_HOME:-/opt/onap/appc}
SLEEP_TIME=${SLEEP_TIME:-120}
-MYSQL_PASSWD=${MYSQL_PASSWD:-{{.Values.config.mariadbRootPassword}}}
+MYSQL_PASSWD=${MYSQL_ROOT_PASSWORDD}
ENABLE_ODL_CLUSTER=${ENABLE_ODL_CLUSTER:-false}
ENABLE_AAF=${ENABLE_AAF:-true}
DBINIT_DIR=${DBINIT_DIR:-/opt/opendaylight/current/daexim}
@@ -63,7 +63,7 @@ DBINIT_DIR=${DBINIT_DIR:-/opt/opendaylight/current/daexim}
# Wait for database to init properly
#
echo "Waiting for mariadbgalera"
-until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p{{.Values.config.mariadbRootPassword}} mysql &> /dev/null
+until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql &> /dev/null
do
printf "."
sleep 1
@@ -77,7 +77,7 @@ fi

if [ ! -f ${DBINIT_DIR}/.installed ]
then
- sdnc_db_exists=$(mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p{{.Values.config.mariadbRootPassword}} mysql <<-END
+ sdnc_db_exists=$(mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql <<-END
show databases like 'sdnctl';
END
)
@@ -86,7 +86,7 @@ END
echo "Installing SDNC database"
${SDNC_HOME}/bin/installSdncDb.sh

- appc_db_exists=$(mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p{{.Values.config.mariadbRootPassword}} mysql <<-END
+ appc_db_exists=$(mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql <<-END
show databases like 'appcctl';
END
)
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh
index da16d394af..c3e692158c 100755
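Review bot: `MYSQL_PASSWD=${MYSQL_ROOT_PASSWORDD}` in the first hunk has a doubled D, so it does not match the `MYSQL_ROOT_PASSWORD` variable that statefulset.yaml injects and MYSQL_PASSWD ends up empty; the four `-p${MYSQL_PASSWD}` invocations this commit rewrites further down then run with a bare `-p`, and the `until mysql …` readiness loop most likely never succeeds. The line should read `MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD}`, matching installAppcDb.sh and installSdncDb.sh. Separately, the root password is still handed to mysql as a command-line argument, where it is readable by anything that can list the container's processes; exporting it as `MYSQL_PWD` or passing a `--defaults-extra-file` would keep it out of argv, though that is pre-existing and could be a follow-up.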
--- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh
+++ b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh
@@ -23,7 +23,7 @@
###

SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk}
-MYSQL_PASSWD=${MYSQL_PASSWD:-{{.Values.config.mariadbRootPassword}}}
+MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD}
SDNC_DB_USER=${SDNC_DB_USER:-sdnctl}
SDNC_DB_PASSWD=${SDNC_DB_PASSWD:-gamma}

@@ -44,4 +44,3 @@ if [ -f ${SDNC_HOME}/data/odlsli.dump ]
then
mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} sdnctl < ${SDNC_HOME}/data/odlsli.dump
fi
-
diff --git a/kubernetes/appc/templates/secrets.yaml b/kubernetes/appc/templates/secrets.yaml
index 57311a0077..65a6b24eb7 100644
--- a/kubernetes/appc/templates/secrets.yaml
+++ b/kubernetes/appc/templates/secrets.yaml
@@ -12,16 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.

-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.fullname" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
- db-root-password: {{ .Values.config.mariadbRootPassword | b64enc | quote }}
+{{ include "common.secret" . }}
diff --git a/kubernetes/appc/templates/statefulset.yaml b/kubernetes/appc/templates/statefulset.yaml
index 9a62426adb..5ed2970c45 100644
--- a/kubernetes/appc/templates/statefulset.yaml
+++ b/kubernetes/appc/templates/statefulset.yaml
@@ -69,10 +69,7 @@ spec:
periodSeconds: {{ .Values.readiness.periodSeconds }}
env:
- name: MYSQL_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}
- key: db-root-password
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14}}
- name: SDNC_CONFIG_DIR
value: "{{ .Values.config.configDir }}"
- name: APPC_CONFIG_DIR
diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml
index 4dfb2263ad..a4cd0a644a 100644
--- a/kubernetes/appc/values.yaml
+++ b/kubernetes/appc/values.yaml
@@ -25,6 +25,14 @@ global:
persistence:
mountPath: /dockerdata-nfs

+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: "db-root-pass"
+ externalSecret: '{{- include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" (index .Values "mariadb-galera" "nameOverride")) }}'
+ type: password
+
#################################################################
# Application configuration defaults.
#################################################################
@@ -43,7 +51,6 @@ config:
odlGid: 101
ansibleServiceName: appc-ansible-server
ansiblePort: 8000
- mariadbRootPassword: secretpassword
userName: my-user
userPassword: my-password
mysqlDatabase: my-database
--
cgit 1.2.3-korg
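Review bot: In the values.yaml hunk, `userPassword: my-password` (with `userName: my-user`) stays as a plaintext default in the same `config:` block from which `mariadbRootPassword: secretpassword` is removed, so the chart still ships one hard-coded credential after this change. If that pair is used as a real database login, the new `secrets:` list is the natural home for it — a second entry with its own `uid` and a matching `common.secret.envFromSecret` include in statefulset.yaml, as done for `db-root-pass` here — but this diff does not show where `userPassword` is consumed, so it may be intentionally left for a later change.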