From 01c975b4582a2eeb3ad3d72bb4ae61bc18daaae6 Mon Sep 17 00:00:00 2001
From: Krzysztof Opasiak <k.opasiak@samsung.com>
Date: Mon, 16 Dec 2019 17:42:38 +0100
Subject: Use common secret template in mariadb-galera

Instead of defining the secret in a custom way, let's use the common
template (common.secret). To avoid issues in ONAP components that
depend on this chart, let's not remove the default username and
password for now. We will do this once all services properly utilize
secrets to store mariadb credentials.

Issue-ID: OOM-2053
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I78e224299cccd9632192ee03a45cd077e6f0906f
---
 kubernetes/common/common/templates/_mariadb.tpl        |  4 ++--
 .../mariadb-galera/templates/backup/cronjob.yaml       | 12 +++---------
 .../common/mariadb-galera/templates/secrets.yaml       | 17 ++---------------
 .../common/mariadb-galera/templates/statefulset.yaml   | 14 ++++----------
 kubernetes/common/mariadb-galera/values.yaml           | 18 ++++++++++++++++++
 kubernetes/common/mariadb-init/templates/_mariadb.tpl  |  2 +-
 kubernetes/common/mariadb-init/values.yaml             |  2 +-
 7 files changed, 31 insertions(+), 38 deletions(-)

(limited to 'kubernetes/common')

diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl
index cd7142fd73..15fb5a4225 100644
--- a/kubernetes/common/common/templates/_mariadb.tpl
+++ b/kubernetes/common/common/templates/_mariadb.tpl
@@ -41,7 +41,7 @@
 */}}
 {{- define "common.mariadbSecret" -}}
   {{- if .Values.global.mariadbGalera.localCluster -}}
-    {{ printf "%s-%s" (include "common.fullname" .) (index .Values "mariadb-galera" "nameOverride") -}}
+    {{ printf "%s-%s-db-user-credentials" (include "common.fullname" .) (index .Values "mariadb-galera" "nameOverride") -}}
   {{- else -}}
     {{ printf "%s-%s" (.Release.Name) (index .Values "mariadb-init" "nameOverride") -}}
   {{- end -}}
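Review bot: `common.mariadbSecret` now hard-codes the `-db-user-credentials` suffix, while the same commit lets the galera chart take its credentials from `config.userCredentialsExternalSecret`. If the common secret template does not create its own Secret when an external one is named (its definition is outside this patch, so this is inferred), the name computed here refers to a Secret that does not exist and dependent pods would fail to start. The `default` branch of `mariadbInit.mariadbClusterSecret`, which now appends `-db-root-password`, has the same exposure. At minimum, state the assumption in the doc comment above the define, e.g. `Assumes mariadb-galera generates its own secrets; not valid when an externalSecret is configured`. Deriving the name from the same lookup that `common.secret` uses would remove the duplicated naming rule.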
@@ -52,7 +52,7 @@
 */}}
 {{- define "common.mariadbSecretParam" -}}
   {{- if .Values.global.mariadbGalera.localCluster -}}
-    {{ printf "user-password" -}}
+    {{ printf "password" -}}
   {{- else -}}
     {{ printf "db-user-password" -}}
   {{- end -}}
diff --git a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml
index a5f1578159..408bd1814c 100644
--- a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml
+++ b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml
@@ -1,5 +1,5 @@
 {{/*
-# Copyright © 2019 Amdocs, Bell Canada
+# Copyright © 2019 Amdocs, Bell Canada, Samsung Electronics
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -86,10 +86,7 @@ spec:
               echo "Backup Successful!!!"
             env:
             - name: DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "common.fullname" . }}
-                  key: db-root-password
+              {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | indent 14}}
             volumeMounts:
             - name: backup-dir
               mountPath: /backup
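Review bot: The `{{- include "common.secret.envFromSecret" ... | indent 14}}` line under `- name: DB_PASS` renders a valid `valueFrom:` block only if the helper's output begins with a newline, because `{{-` strips the line break and indentation that follow the `name:` entry. The helper is defined outside this patch, so that is an assumption; if it is ever trimmed, the env entry breaks and the container gets no password. `nindent` makes the line break explicit: `{{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | nindent 14 }}`. The same pattern appears on `MYSQL_ROOT_PASSWORD` in the next hunk and on the three secret-backed env entries in statefulset.yaml. The container spec continues outside the hunk.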
@@ -99,10 +96,7 @@ spec:
             imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
             env:
             - name: MYSQL_ROOT_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "common.fullname" . }}
-                  key: db-root-password
+              {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | indent 14}}
             command:
             - /bin/bash
             - -c
diff --git a/kubernetes/common/mariadb-galera/templates/secrets.yaml b/kubernetes/common/mariadb-galera/templates/secrets.yaml
index 233158f791..3f8eb0b6de 100644
--- a/kubernetes/common/mariadb-galera/templates/secrets.yaml
+++ b/kubernetes/common/mariadb-galera/templates/secrets.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2018 Amdocs, Bell Canada
+# Copyright © 2019 Samsung Electronics
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -11,18 +12,4 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "common.fullname" . }}
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-type: Opaque
-data:
-  db-root-password: {{ .Values.config.mariadbRootPassword | b64enc | quote }}
-  user-password: {{ default "" .Values.config.userPassword | b64enc | quote }}
\ No newline at end of file
+{{ include "common.secret" . }}
diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
index c3cb4aaaf4..a9f1fb37b7 100644
--- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml
+++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
@@ -1,4 +1,4 @@
-# Copyright © 2019 Amdocs, Bell Canada, Orange
+# Copyright © 2019 Amdocs, Bell Canada, Orange, Samsung Electronics
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -61,19 +61,13 @@ spec:
                   apiVersion: v1
                   fieldPath: metadata.namespace
             - name: MYSQL_USER
-              value: {{ default "" .Values.config.userName | quote }}
+              {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-credentials" "key" "login") | indent 14}}
             - name: MYSQL_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "common.fullname" . }}
-                  key: user-password
+              {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-credentials" "key" "password") | indent 14}}
             - name: MYSQL_DATABASE
               value: {{ default "" .Values.config.mysqlDatabase | quote }}
             - name: MYSQL_ROOT_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "common.fullname" . }}
-                  key: db-root-password
+              {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | indent 14}}
           ports:
           - containerPort: {{ .Values.service.internalPort }}
             name: {{ .Values.service.portName }}
diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml
index 14215e46de..a6dd1ca359 100644
--- a/kubernetes/common/mariadb-galera/values.yaml
+++ b/kubernetes/common/mariadb-galera/values.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2018 Amdocs, Bell Canada
+# Copyright © 2019 Samsung Electronics
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,6 +13,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+  - uid: "db-root-password"
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.config.mariadbRootPasswordExternalSecret) . }}'
+    password: '{{ .Values.config.mariadbRootPassword }}'
+  - uid: "db-user-credentials"
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.config.userCredentialsExternalSecret) . }}'
+    login: '{{ .Values.config.userName }}'
+    password: '{{ .Values.config.userPassword }}'
+
+
 #################################################################
 # Global configuration defaults.
 #################################################################
@@ -41,7 +57,9 @@ pullPolicy: IfNotPresent
 
 # application configuration
 config:
+  # .mariadbRootPasswordExternalSecret: 'some-external-secret'
   mariadbRootPassword: secretpassword
+  # .userCredentialsExternalSecret: 'some-external-secret'
   userName: my-user
   userPassword: my-password
   mysqlDatabase: my-database
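Review bot: The commented hints `# .mariadbRootPasswordExternalSecret:` and `# .userCredentialsExternalSecret:` carry a leading dot, but the `secrets:` entries added above read `.Values.config.mariadbRootPasswordExternalSecret` and `.Values.config.userCredentialsExternalSecret`. An operator who uncomments them as written sets a key the templates never read. The external secret would then presumably be ignored, and the chart would keep using the default `secretpassword` / `my-password` values that this commit deliberately leaves in place. Drop the dot and say what the value is, e.g. `# mariadbRootPasswordExternalSecret: 'some-external-secret'  # name of an existing Secret to use instead of mariadbRootPassword`. The `config:` mapping continues outside the hunk.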
diff --git a/kubernetes/common/mariadb-init/templates/_mariadb.tpl b/kubernetes/common/mariadb-init/templates/_mariadb.tpl
index 4f111a5f40..fb3f7974b9 100644
--- a/kubernetes/common/mariadb-init/templates/_mariadb.tpl
+++ b/kubernetes/common/mariadb-init/templates/_mariadb.tpl
@@ -19,7 +19,7 @@
 */}}
 {{- define "mariadbInit.mariadbClusterSecret" -}}
   {{- if (eq "default" .Values.global.mariadbGalera.userRootSecret) -}}
-    {{- printf "%s-mariadb-galera-%s" (include "common.release" .) .Values.global.mariadbGalera.nameOverride -}}
+    {{- printf "%s-mariadb-galera-%s-db-root-password" (include "common.release" .) .Values.global.mariadbGalera.nameOverride -}}
   {{- else -}}
     {{- .Values.global.mariadbGalera.userRootSecret -}}
   {{- end -}}
diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml
index 095ff62ddf..d148ba6888 100644
--- a/kubernetes/common/mariadb-init/values.yaml
+++ b/kubernetes/common/mariadb-init/values.yaml
@@ -24,7 +24,7 @@ global:
     servicePort: 3306
     # set these two values if you want to access an 'out of ONAP' mariadb
     userRootSecret: default
-    userRootSecretKey: db-root-password
+    userRootSecretKey: password
 
 #################################################################
 # Application configuration defaults.
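Review bot: Changing the default of `userRootSecretKey` from `db-root-password` to `password` also affects deployments that point `userRootSecret` at an out-of-ONAP Secret and relied on the old default key. They would now look up a `password` key that their Secret may not contain. The comment above still says only to "set these two values", so the change is easy to miss on upgrade. Suggest extending it, e.g. `# userRootSecretKey: key inside userRootSecret holding the root password (default changed from 'db-root-password' to 'password')`.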
-- 
cgit