From 9cb8203749334feff087412a6903b719514b5fb0 Mon Sep 17 00:00:00 2001
From: Krzysztof Opasiak <k.opasiak@samsung.com>
Date: Tue, 5 May 2020 12:04:31 +0200
Subject: [DCAEGEN2][bootstrap] Use common secret template for postgres
credentials
Even through we use common secret template both passwords are still
hardcoded in common postgres chart but this will be removed as a final
step just like we did for mariadb-galera.
Issue-ID: OOM-2250
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Icaa5334d6ebad4fbce23ed4f59b74448c02783cf
---
.../resources/inputs/k8s-pgaas-initdb-inputs.yaml | 2 +-
.../dcae-bootstrap/templates/deployment.yaml | 280 +++++++++++----------
.../dcae-bootstrap/templates/secret.yaml | 2 +
.../dcaegen2/components/dcae-bootstrap/values.yaml | 22 +-
4 files changed, 163 insertions(+), 143 deletions(-)
(limited to 'kubernetes')
diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-pgaas-initdb-inputs.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-pgaas-initdb-inputs.yaml
index 23bb080690..eb4cf252d4 100644
--- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-pgaas-initdb-inputs.yaml
+++ b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-pgaas-initdb-inputs.yaml
@@ -16,4 +16,4 @@
# ============LICENSE_END=========================================================
k8s_pgaas_instance_fqdn: {{ .Values.postgres.service.name2 }}.{{include "common.namespace" . }}
-k8s_initial_password: {{ .Values.postgres.config.pgRootPassword }}
+k8s_initial_password: $PG_ROOT_PASSWORD
diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml
index a36164d164..9009f6b114 100644
--- a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml
+++ b/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml
@@ -1,130 +1,150 @@
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2018 Amdocs, Bell Canada
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- replicas: 1
- template:
- metadata:
- labels:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- spec:
- initContainers:
- - name: {{ include "common.name" . }}-readiness
- image: {{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command:
- - /root/ready.py
- args:
- - --container-name
- - dcae-cloudify-manager
- - --container-name
- - consul-server
- - --container-name
- - msb-discovery
- - --container-name
- - kube2msb
- - --container-name
- - dcae-config-binding-service
- - --container-name
- - dcae-db
- - --container-name
- - dcae-inventory-api
- - "-t"
- - "15"
-
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: init-tls
- env:
- - name: POD_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.podIP
- - name: aaf_locator_fqdn
- value: dcae
- image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- resources: {}
- volumeMounts:
- - mountPath: /opt/app/osaaf
- name: tls-info
- containers:
- - name: {{ include "common.name" . }}
- image: "{{ include "common.repository" . }}/{{ .Values.image }}"
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- resources:
-{{ include "common.resources" . | indent 12 }}
- volumeMounts:
- - mountPath: /inputs
- name: {{ include "common.fullname" . }}-dcae-inputs
- - mountPath: /dcae-configs
- name: {{ include "common.fullname" . }}-dcae-config
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- - mountPath: /certs
- name: tls-info
- readOnly: true
- env:
- - name: CMADDR
- value: {{ .Values.config.address.cm.host }}
- - name: CMPASS
- valueFrom:
- secretKeyRef:
- name: {{ include "common.name" . }}-cmpass
- key: password
- - name: CMPROTO
- value: {{ .Values.config.address.cm.proto }}
- - name: CMPORT
- value: !!string {{ .Values.config.address.cm.port }}
- - name: CONSUL
- value: {{ .Values.config.address.consul.host }}:{{ .Values.config.address.consul.port }}
- - name: DCAE_NAMESPACE
- value: {{ .Values.dcae_ns | default "" }}
- - name: ONAP_NAMESPACE
- value: {{ include "common.namespace" . }}
- volumes:
- - name: {{ include "common.fullname" . }}-dcae-inputs
- configMap:
- name: {{ include "common.fullname" . }}-dcae-inputs
- - name: {{ include "common.fullname" . }}-dcae-config
- configMap:
- name: {{ include "common.fullname" . }}-dcae-config
- - name: localtime
- hostPath:
- path: /etc/localtime
- - name: tls-info
- emptyDir: {}
- imagePullSecrets:
- - name: "{{ include "common.namespace" . }}-docker-registry-key"
+#============LICENSE_START========================================================
+# ================================================================================
+# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2018 Amdocs, Bell Canada
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: {{ include "common.fullname" . }}
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: {{ include "common.name" . }}
+ release: {{ include "common.release" . }}
+ spec:
+ initContainers:
+ - command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: PG_ROOT_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-root-pass" "key" "password") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: {{ include "common.fullname" . }}-dcae-inputs-input
+ - mountPath: /config
+ name: {{ include "common.fullname" . }}-dcae-inputs
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+
+ - name: {{ include "common.name" . }}-readiness
+ image: {{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - /root/ready.py
+ args:
+ - --container-name
+ - dcae-cloudify-manager
+ - --container-name
+ - consul-server
+ - --container-name
+ - msb-discovery
+ - --container-name
+ - kube2msb
+ - --container-name
+ - dcae-config-binding-service
+ - --container-name
+ - dcae-db
+ - --container-name
+ - dcae-inventory-api
+ - "-t"
+ - "15"
+
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: init-tls
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: aaf_locator_fqdn
+ value: dcae
+ image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources: {}
+ volumeMounts:
+ - mountPath: /opt/app/osaaf
+ name: tls-info
+ containers:
+ - name: {{ include "common.name" . }}
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources:
+{{ include "common.resources" . | indent 12 }}
+ volumeMounts:
+ - mountPath: /inputs
+ name: {{ include "common.fullname" . }}-dcae-inputs
+ - mountPath: /dcae-configs
+ name: {{ include "common.fullname" . }}-dcae-config
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+ - mountPath: /certs
+ name: tls-info
+ readOnly: true
+ env:
+ - name: CMADDR
+ value: {{ .Values.config.address.cm.host }}
+ - name: CMPASS
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.name" . }}-cmpass
+ key: password
+ - name: CMPROTO
+ value: {{ .Values.config.address.cm.proto }}
+ - name: CMPORT
+ value: !!string {{ .Values.config.address.cm.port }}
+ - name: CONSUL
+ value: {{ .Values.config.address.consul.host }}:{{ .Values.config.address.consul.port }}
+ - name: DCAE_NAMESPACE
+ value: {{ .Values.dcae_ns | default "" }}
+ - name: ONAP_NAMESPACE
+ value: {{ include "common.namespace" . }}
+ volumes:
+ - name: {{ include "common.fullname" . }}-dcae-inputs-input
+ configMap:
+ name: {{ include "common.fullname" . }}-dcae-inputs
+ - name: {{ include "common.fullname" . }}-dcae-inputs
+ emptyDir:
+ medium: Memory
+ - name: {{ include "common.fullname" . }}-dcae-config
+ configMap:
+ name: {{ include "common.fullname" . }}-dcae-config
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+ - name: tls-info
+ emptyDir: {}
+ imagePullSecrets:
+ - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/secret.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/templates/secret.yaml
index d8b2ba2220..44395e48e8 100644
--- a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/secret.yaml
+++ b/kubernetes/dcaegen2/components/dcae-bootstrap/templates/secret.yaml
@@ -29,3 +29,5 @@ metadata:
type: Opaque
data:
password: YWRtaW4=
+---
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml
index a5bd69af02..5fcd916989 100644
--- a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml
+++ b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml
@@ -28,6 +28,15 @@ global:
loggingImage: beats/filebeat:5.5.0
tlsRepository: nexus3.onap.org:10001
tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
+ envsubstImage: dibi/envsubst
+
+secrets:
+ - uid: pg-root-pass
+ name: &pgRootPassSecretName '{{ include "common.release" . }}-dcae-bootstrap-pg-root-pass'
+ type: password
+ externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "dcae-bootstrap-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}'
+ password: '{{ .Values.postgres.config.pgRootpassword }}'
+ policy: generate
config:
logstashServiceName: log-ls
@@ -77,21 +86,10 @@ postgres:
primary: dcae-pg-primary
replica: dcae-pg-replica
config:
- pgPrimaryPassword: onapdemodb
- pgRootPassword: onapdemodb
+ pgRootPasswordExternalSecret: *pgRootPassSecretName
persistence:
mountSubPath: dcae/data
mountInitPath: dcae
- pgpool:
- nameOverride: dcae-pgpool
- service:
- name: dcae-pgpool
- credentials:
- pgpassword: onapdemodb
- container:
- name:
- primary: dcae-pgpool-primary
- replica: dcae-pgpool-replica
mongo:
nameOverride: dcae-mongo
--
cgit