From 01c975b4582a2eeb3ad3d72bb4ae61bc18daaae6 Mon Sep 17 00:00:00 2001 From: Krzysztof Opasiak Date: Mon, 16 Dec 2019 17:42:38 +0100 Subject: Use common secret template in mariadb-galera Instead of defining the secret in some custom way let's use the common template (common.secret). To avoid some issues in ONAP components that depend on this chart let's do not remove for now the default username and password. We will do this when all services properly utylize secrets to store mariadb credentials. Issue-ID: OOM-2053 Signed-off-by: Krzysztof Opasiak Change-Id: I78e224299cccd9632192ee03a45cd077e6f0906f --- kubernetes/common/common/templates/_mariadb.tpl | 4 ++-- .../mariadb-galera/templates/backup/cronjob.yaml | 12 +++--------- .../common/mariadb-galera/templates/secrets.yaml | 17 ++--------------- .../common/mariadb-galera/templates/statefulset.yaml | 14 ++++---------- kubernetes/common/mariadb-galera/values.yaml | 18 ++++++++++++++++++ kubernetes/common/mariadb-init/templates/_mariadb.tpl | 2 +- kubernetes/common/mariadb-init/values.yaml | 2 +- 7 files changed, 31 insertions(+), 38 deletions(-) (limited to 'kubernetes/common') diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl index cd7142fd73..15fb5a4225 100644 --- a/kubernetes/common/common/templates/_mariadb.tpl +++ b/kubernetes/common/common/templates/_mariadb.tpl @@ -41,7 +41,7 @@ */}} {{- define "common.mariadbSecret" -}} {{- if .Values.global.mariadbGalera.localCluster -}} - {{ printf "%s-%s" (include "common.fullname" .) (index .Values "mariadb-galera" "nameOverride") -}} + {{ printf "%s-%s-db-user-credentials" (include "common.fullname" .) (index .Values "mariadb-galera" "nameOverride") -}} {{- else -}} {{ printf "%s-%s" (.Release.Name) (index .Values "mariadb-init" "nameOverride") -}} {{- end -}} @@ -52,7 +52,7 @@ */}} {{- define "common.mariadbSecretParam" -}} {{- if .Values.global.mariadbGalera.localCluster -}} - {{ printf "user-password" -}} + {{ printf "password" -}} {{- else -}} {{ printf "db-user-password" -}} {{- end -}} diff --git a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml index a5f1578159..408bd1814c 100644 --- a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml +++ b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright © 2019 Amdocs, Bell Canada +# Copyright © 2019 Amdocs, Bell Canada, Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -86,10 +86,7 @@ spec: echo "Backup Successful!!!" env: - name: DB_PASS - valueFrom: - secretKeyRef: - name: {{ include "common.fullname" . }} - key: db-root-password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | indent 14}} volumeMounts: - name: backup-dir mountPath: /backup @@ -99,10 +96,7 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.fullname" . }} - key: db-root-password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | indent 14}} command: - /bin/bash - -c diff --git a/kubernetes/common/mariadb-galera/templates/secrets.yaml b/kubernetes/common/mariadb-galera/templates/secrets.yaml index 233158f791..3f8eb0b6de 100644 --- a/kubernetes/common/mariadb-galera/templates/secrets.yaml +++ b/kubernetes/common/mariadb-galera/templates/secrets.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2019 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -11,18 +12,4 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ .Release.Name }}" - heritage: "{{ .Release.Service }}" -type: Opaque -data: - db-root-password: {{ .Values.config.mariadbRootPassword | b64enc | quote }} - user-password: {{ default "" .Values.config.userPassword | b64enc | quote }} \ No newline at end of file +{{ include "common.secret" . }} diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index c3cb4aaaf4..a9f1fb37b7 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -1,4 +1,4 @@ -# Copyright © 2019 Amdocs, Bell Canada, Orange +# Copyright © 2019 Amdocs, Bell Canada, Orange, Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -61,19 +61,13 @@ spec: apiVersion: v1 fieldPath: metadata.namespace - name: MYSQL_USER - value: {{ default "" .Values.config.userName | quote }} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-credentials" "key" "login") | indent 14}} - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: user-password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-credentials" "key" "password") | indent 14}} - name: MYSQL_DATABASE value: {{ default "" .Values.config.mysqlDatabase | quote }} - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: db-root-password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | indent 14}} ports: - containerPort: {{ .Values.service.internalPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index 14215e46de..a6dd1ca359 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2019 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,6 +13,21 @@ # See the License for the specific language governing permissions and # limitations under the License. +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: "db-root-password" + type: password + externalSecret: '{{ tpl (default "" .Values.config.mariadbRootPasswordExternalSecret) . }}' + password: '{{ .Values.config.mariadbRootPassword }}' + - uid: "db-user-credentials" + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.userName }}' + password: '{{ .Values.config.userPassword }}' + + ################################################################# # Global configuration defaults. ################################################################# @@ -41,7 +57,9 @@ pullPolicy: IfNotPresent # application configuration config: + # .mariadbRootPasswordExternalSecret: 'some-external-secret' mariadbRootPassword: secretpassword + # .userCredentialsExternalSecret: 'some-external-secret' userName: my-user userPassword: my-password mysqlDatabase: my-database diff --git a/kubernetes/common/mariadb-init/templates/_mariadb.tpl b/kubernetes/common/mariadb-init/templates/_mariadb.tpl index 4f111a5f40..fb3f7974b9 100644 --- a/kubernetes/common/mariadb-init/templates/_mariadb.tpl +++ b/kubernetes/common/mariadb-init/templates/_mariadb.tpl @@ -19,7 +19,7 @@ */}} {{- define "mariadbInit.mariadbClusterSecret" -}} {{- if (eq "default" .Values.global.mariadbGalera.userRootSecret) -}} - {{- printf "%s-mariadb-galera-%s" (include "common.release" .) .Values.global.mariadbGalera.nameOverride -}} + {{- printf "%s-mariadb-galera-%s-db-root-password" (include "common.release" .) .Values.global.mariadbGalera.nameOverride -}} {{- else -}} {{- .Values.global.mariadbGalera.userRootSecret -}} {{- end -}} diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml index 095ff62ddf..d148ba6888 100644 --- a/kubernetes/common/mariadb-init/values.yaml +++ b/kubernetes/common/mariadb-init/values.yaml @@ -24,7 +24,7 @@ global: servicePort: 3306 # set these two values if you want to access an 'out of ONAP' mariadb userRootSecret: default - userRootSecretKey: db-root-password + userRootSecretKey: password ################################################################# # Application configuration defaults. -- cgit 1.2.3-korg