From 4a4703b68172a3d24b47d1510b0c7707805cc6a4 Mon Sep 17 00:00:00 2001
From: Krzysztof Opasiak
Date: Sat, 8 Feb 2020 01:04:48 +0100
Subject: [VID] Don't hardcode mariadb-galera password

Let's use common secret template to generate user credentials for VID DB and depend on mariadb-galera to generate secure enough root password.

Issue-ID: OOM-2293
Signed-off-by: Krzysztof Opasiak
Change-Id: Ib474e202e9e35e6b2959d29648f542a89c87a4e5
---
 kubernetes/vid/templates/deployment.yaml | 10 +++-------
 kubernetes/vid/templates/job.yaml | 8 +++-----
 kubernetes/vid/templates/secrets.yaml | 30 ++----------------------------
 3 files changed, 8 insertions(+), 40 deletions(-)
(limited to 'kubernetes/vid/templates')

diff --git a/kubernetes/vid/templates/deployment.yaml b/kubernetes/vid/templates/deployment.yaml
index 0a5c0c5ba4..d449da1140 100644
--- a/kubernetes/vid/templates/deployment.yaml
+++ b/kubernetes/vid/templates/deployment.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2017 Amdocs, Bell Canada
+# Copyright © 2020 Samsung Electronics
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -105,14 +106,9 @@ spec:
 - name: VID_MYSQL_DBNAME
 value: {{ index .Values "mariadb-galera" "config" "mysqlDatabase" }}
 - name: VID_MYSQL_USER
- value: {{ index .Values "mariadb-galera" "config" "userName" }}
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "vid-db-user-secret" "key" "login") | indent 14 }}
 - name: VID_MYSQL_PASS
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}-db
- key: db-user-password
- #valueFrom:
- # secretKeyRef: {name: {{ include "common.fullname" . }}, key: vid-password}
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "vid-db-user-secret" "key" "password") | indent 14 }}
 - name: VID_MYSQL_MAXCONNECTIONS
 value: "{{ .Values.config.vidmysqlmaxconnections }}"
 volumeMounts:
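Review bot: The two `{{- include "common.secret.envFromSecret" (...) | indent 14 }}` lines under `VID_MYSQL_USER` and `VID_MYSQL_PASS` only render valid YAML if the helper's output begins with a newline, because `{{-` trims the line break after `- name: ...` and `indent` does not put one back. The helper is defined outside this diff, so that contract is presumably met but cannot be checked from here; a comment above the first use, such as `# relies on envFromSecret emitting a leading newline; indent must match the env entry depth`, would keep a later edit from silently gluing `valueFrom:` onto the `name` line. The same pattern, with `indent 10`, appears in the `@@ -60,14 +61,11 @@` hunk of job.yaml. Rendering the chart with `helm template` and confirming each of these env entries carries a `valueFrom.secretKeyRef` is a cheap check. The container spec this hunk belongs to starts and ends outside the hunk.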
diff --git a/kubernetes/vid/templates/job.yaml b/kubernetes/vid/templates/job.yaml
index 625fb0c6a1..75e40a1201 100644
--- a/kubernetes/vid/templates/job.yaml
+++ b/kubernetes/vid/templates/job.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2018 Amdocs, Bell Canada
+# Copyright © 2020 Samsung Electronics
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -60,14 +61,11 @@ spec:
 - /dbcmd-config/db_cmd.sh
 env:
 - name: MYSQL_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}-db
- key: db-user-password
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "vid-db-user-secret" "key" "password") | indent 10 }}
 - name: MYSQL_HOST
 value: {{ index .Values "mariadb-galera" "service" "name" }}
 - name: MYSQL_USER
- value: {{ index .Values "mariadb-galera" "config" "userName" }}
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "vid-db-user-secret" "key" "login") | indent 10 }}
 - name: MYSQL_PORT
 value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}"
 restartPolicy: Never
diff --git a/kubernetes/vid/templates/secrets.yaml b/kubernetes/vid/templates/secrets.yaml
index 2a66c4fbec..44a9b3e9e0 100644
--- a/kubernetes/vid/templates/secrets.yaml
+++ b/kubernetes/vid/templates/secrets.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2017 Amdocs, Bell Canada
+# Copyright © 2020 Samsung Electronics
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
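Review bot: In job.yaml's `@@ -60,14 +61,11 @@` hunk, `MYSQL_USER` and `MYSQL_PASSWORD` no longer come from the `mariadb-galera` values that the subchart itself reads, so nothing in this file guarantees the init job logs in with the account the database actually creates. The link between the `vid-db-user-secret` uid and the subchart is presumably made in values.yaml, which this view (limited to `kubernetes/vid/templates`) does not show; if the two drift, the job fails authentication at install time. I would add a comment above the env block, for example `# must be the same Secret mariadb-galera is configured to use (uid vid-db-user-secret)`. The Job spec continues outside the hunk.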
@@ -12,19 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
- vid-password: {{ .Values.config.vidmysqlpassword | b64enc | quote }}
+{{ include "common.secret" . }}
 ---
 apiVersion: v1
 kind: Secret
@@ -39,18 +28,3 @@ metadata:
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-db
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ include "common.release" . }}"
- heritage: "{{ .Release.Service }}"
-type: Opaque
-data:
- db-user-password: {{ index .Values "mariadb-galera" "config" "userPassword" | b64enc | quote }}
- db-root-password: {{ index .Values "mariadb-galera" "config" "mariadbRootPassword" | b64enc | quote }}
-- cgit 1.2.3-korg
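Review bot: With `{{ include "common.secret" . }}` replacing the literal manifest in the `@@ -12,19 +13,7 @@` hunk, secrets.yaml no longer shows which Secrets the chart creates or whether each password is supplied or generated. The commit message says the credentials are generated, so it is worth confirming that the common template yields the same value on every `helm upgrade`; a password regenerated on each render would stop matching the one already stored in the database volume. A comment above the include, such as `# Secrets are declared in values.yaml (uid vid-db-user-secret)`, would tell a reader where to look. This hunk also drops the `vid-password` key and the following one drops `db-root-password`, so any consumer of those keys outside the templates shown here would fail to start.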