From 4a4703b68172a3d24b47d1510b0c7707805cc6a4 Mon Sep 17 00:00:00 2001 From: Krzysztof Opasiak Date: Sat, 8 Feb 2020 01:04:48 +0100 Subject: [VID] Don't hardcode mariadb-galera password Let's use common secret template to generate user credentials for VID DB and depend on mariadb-galera to generate secure enough root password. Issue-ID: OOM-2293 Signed-off-by: Krzysztof Opasiak Change-Id: Ib474e202e9e35e6b2959d29648f542a89c87a4e5 --- kubernetes/vid/templates/deployment.yaml | 10 +++------- kubernetes/vid/templates/job.yaml | 8 +++----- kubernetes/vid/templates/secrets.yaml | 30 ++---------------------------- kubernetes/vid/values.yaml | 21 +++++++++++++++++---- 4 files changed, 25 insertions(+), 44 deletions(-) (limited to 'kubernetes') diff --git a/kubernetes/vid/templates/deployment.yaml b/kubernetes/vid/templates/deployment.yaml index 0a5c0c5ba4..d449da1140 100644 --- a/kubernetes/vid/templates/deployment.yaml +++ b/kubernetes/vid/templates/deployment.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -105,14 +106,9 @@ spec: - name: VID_MYSQL_DBNAME value: {{ index .Values "mariadb-galera" "config" "mysqlDatabase" }} - name: VID_MYSQL_USER - value: {{ index .Values "mariadb-galera" "config" "userName" }} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "vid-db-user-secret" "key" "login") | indent 14 }} - name: VID_MYSQL_PASS - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-db - key: db-user-password - #valueFrom: - # secretKeyRef: {name: {{ include "common.fullname" . }}, key: vid-password} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "vid-db-user-secret" "key" "password") | indent 14 }} - name: VID_MYSQL_MAXCONNECTIONS value: "{{ .Values.config.vidmysqlmaxconnections }}" volumeMounts: diff --git a/kubernetes/vid/templates/job.yaml b/kubernetes/vid/templates/job.yaml index 625fb0c6a1..75e40a1201 100644 --- a/kubernetes/vid/templates/job.yaml +++ b/kubernetes/vid/templates/job.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -60,14 +61,11 @@ spec: - /dbcmd-config/db_cmd.sh env: - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-db - key: db-user-password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "vid-db-user-secret" "key" "password") | indent 10 }} - name: MYSQL_HOST value: {{ index .Values "mariadb-galera" "service" "name" }} - name: MYSQL_USER - value: {{ index .Values "mariadb-galera" "config" "userName" }} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "vid-db-user-secret" "key" "login") | indent 10 }} - name: MYSQL_PORT value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}" restartPolicy: Never diff --git a/kubernetes/vid/templates/secrets.yaml b/kubernetes/vid/templates/secrets.yaml index 2a66c4fbec..44a9b3e9e0 100644 --- a/kubernetes/vid/templates/secrets.yaml +++ b/kubernetes/vid/templates/secrets.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,19 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - vid-password: {{ .Values.config.vidmysqlpassword | b64enc | quote }} +{{ include "common.secret" . }} --- apiVersion: v1 kind: Secret @@ -39,18 +28,3 @@ metadata: type: Opaque data: {{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-db - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -type: Opaque -data: - db-user-password: {{ index .Values "mariadb-galera" "config" "userPassword" | b64enc | quote }} - db-root-password: {{ index .Values "mariadb-galera" "config" "mariadbRootPassword" | b64enc | quote }} diff --git a/kubernetes/vid/values.yaml b/kubernetes/vid/values.yaml index 805e337f57..e8d0595284 100644 --- a/kubernetes/vid/values.yaml +++ b/kubernetes/vid/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,6 +23,17 @@ global: loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: vid-db-user-secret + name: '{{ include "common.release" . }}-vid-db-user-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' + subChartsOnly: enabled: true @@ -35,7 +47,10 @@ mariadb_image: library/mariadb:10 # application configuration config: - vidmysqlpassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + db: + userName: vidadmin +# userCredentialsExternalSecret: some secret +# userPassword: password vidkeystorepassword: '\^7w\!f+aR\{EJcTRsDuA7x\,+c\!' asdcclientrestauth: "Basic dmlkOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU=" asdcclientrestport: "8443" @@ -54,9 +69,7 @@ config: mariadb-galera: config: - userName: vidadmin - userPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - mariadbRootPassword: kjgsdhjqhawxvnbpoiawsfgjsqhsgjhjhdqihhjqdvcbxkjchizpw + userCredentialsExternalSecret: '{{ include "common.release" . }}-vid-db-user-secret' mysqlDatabase: vid_openecomp_epsdk nameOverride: vid-galera service: -- cgit 1.2.3-korg