From d73224418141fb7a2bae8d083de8f6e88e493c3d Mon Sep 17 00:00:00 2001 From: Krzysztof Opasiak Date: Thu, 30 Jan 2020 12:10:40 +0100 Subject: [COMMON] Use common secret template in mariadb-init Use common secret template for all passwords that are used inside this chart. Issue-ID: OOM-2248 Change-Id: Ia94b87a4d0316a3d334fd492521be5a255c14b4e Signed-off-by: Krzysztof Opasiak Signed-off-by: Sylvain Desbureaux --- kubernetes/common/common/templates/_mariadb.tpl | 8 ++--- .../common/mariadb-init/templates/_mariadb.tpl | 6 +--- kubernetes/common/mariadb-init/templates/job.yaml | 21 ++++-------- .../common/mariadb-init/templates/secret.yaml | 39 +++++++++++++--------- kubernetes/common/mariadb-init/values.yaml | 24 +++++++++++-- 5 files changed, 54 insertions(+), 44 deletions(-) (limited to 'kubernetes') diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl index de8dfe83ca..d4af1807fa 100644 --- a/kubernetes/common/common/templates/_mariadb.tpl +++ b/kubernetes/common/common/templates/_mariadb.tpl @@ -43,7 +43,7 @@ {{- if .Values.global.mariadbGalera.localCluster -}} {{ printf "%s-%s-db-user-credentials" (include "common.fullname" .) (index .Values "mariadb-galera" "nameOverride") -}} {{- else -}} - {{ printf "%s-%s" (include "common.release" .) (index .Values "mariadb-init" "nameOverride") -}} + {{ printf "%s-%s-%s" ( include "common.release" .) (index .Values "mariadb-init" "nameOverride") (index .Values "mariadb-init" "config" "mysqlDatabase" ) -}} {{- end -}} {{- end -}} @@ -51,9 +51,5 @@ Choose the value of secret param to retrieve user value. */}} {{- define "common.mariadbSecretParam" -}} - {{- if .Values.global.mariadbGalera.localCluster -}} - {{ printf "password" -}} - {{- else -}} - {{ printf "db-user-password" -}} - {{- end -}} + {{ printf "password" -}} {{- end -}} diff --git a/kubernetes/common/mariadb-init/templates/_mariadb.tpl b/kubernetes/common/mariadb-init/templates/_mariadb.tpl index 231fd875e2..64c15ed862 100644 --- a/kubernetes/common/mariadb-init/templates/_mariadb.tpl +++ b/kubernetes/common/mariadb-init/templates/_mariadb.tpl @@ -18,9 +18,5 @@ Choose the name of the mariadb secret to use. */}} {{- define "mariadbInit.mariadbClusterSecret" -}} - {{- if (eq "default" .Values.global.mariadbGalera.userRootSecret) -}} - {{- printf "%s-%s-db-root-password" (include "common.release" .) .Values.global.mariadbGalera.nameOverride -}} - {{- else -}} - {{- .Values.global.mariadbGalera.userRootSecret -}} - {{- end -}} + {{- printf "%s-%s-db-root-password" (include "common.release" .) (default "mariadb-galera" .Values.global.mariadbGalera.nameOverride) -}} {{- end -}} diff --git a/kubernetes/common/mariadb-init/templates/job.yaml b/kubernetes/common/mariadb-init/templates/job.yaml index 1cdd5024ff..5202d572a2 100644 --- a/kubernetes/common/mariadb-init/templates/job.yaml +++ b/kubernetes/common/mariadb-init/templates/job.yaml @@ -60,26 +60,17 @@ spec: - name: DB_PORT value: "{{ .Values.global.mariadbGalera.servicePort }}" - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "mariadbInit.mariadbClusterSecret" . }} - key: {{ .Values.global.mariadbGalera.userRootSecretKey }} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "root-password" "key" (default "password" .Values.global.mariadbGalera.userRootSecretKey)) | indent 10 }} - name: {{ printf "MYSQL_USER_%s" .Values.config.mysqlDatabase | upper }} - value: "{{ .Values.config.userName }}" + {{- include "common.secret.envFromSecret" (dict "global" . "uid" .Values.config.mysqlDatabase "key" "login") | indent 10 }} - name: {{ printf "MYSQL_PASSWORD_%s" .Values.config.mysqlDatabase | upper }} - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: db-user-password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" .Values.config.mysqlDatabase "key" "password") | indent 10 }} {{- $root := . }} -{{ range $db, $dbInfos := .Values.config.mysqlAdditionalDatabases }} +{{ range $db, $_values := .Values.config.mysqlAdditionalDatabases }} - name: {{ printf "MYSQL_USER_%s" $db | upper }} - value: {{ $dbInfos.user }} + {{- include "common.secret.envFromSecret" (dict "global" $root "uid" $db "key" "login") | indent 10 }} - name: {{ printf "MYSQL_PASSWORD_%s" $db | upper }} - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" $root }}-secret - key: {{ printf "db-%s-user-password" $db }} + {{- include "common.secret.envFromSecret" (dict "global" $root "uid" $db "key" "password") | indent 10 }} {{ end }} volumeMounts: - mountPath: /etc/localtime diff --git a/kubernetes/common/mariadb-init/templates/secret.yaml b/kubernetes/common/mariadb-init/templates/secret.yaml index f30d582110..71a89d019b 100644 --- a/kubernetes/common/mariadb-init/templates/secret.yaml +++ b/kubernetes/common/mariadb-init/templates/secret.yaml @@ -12,19 +12,26 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -type: Opaque -data: - db-user-password: {{ index .Values.config.userPassword | b64enc | quote }} -{{ range $db, $dbInfos := .Values.config.mysqlAdditionalDatabases }} - {{ printf "db-%s-user-password" $db}}: {{ $dbInfos.password | b64enc | quote }} -{{ end }} +{{- define "mariadb-init._update-secrets" -}} + {{ range $db, $dbInfos := .Values.config.mysqlAdditionalDatabases }} +{{ printf "- uid: %s" $db }} +{{ printf " type: basicAuth" }} + {{- if $dbInfos.externalSecret }} +{{ printf " externalSecret: %s" $dbInfos.externalSecret }} + {{- end }} +{{ printf " login: %s" $dbInfos.user }} +{{ printf " password: %s" $dbInfos.password }} +{{ printf " passwordPolicy: required" }} + {{- end -}} +{{- end -}} + +{{ $global := . }} +{{ $secretsString := .Values.secrets | toYaml | indent 2 }} +{{ $additionalSecretsString := (include "mariadb-init._update-secrets" .) | indent 2 }} +{{ $finalSecretsString := (cat "\nsecrets:\n" $secretsString $additionalSecretsString) | replace " -" " -" }} +{{ $finalSecrets := ($finalSecretsString | fromYaml).secrets }} + +{{ $newValues := set $global.Values "secrets" $finalSecrets }} +{{ $tmpGlobal := set $global "Values" $newValues }} + +{{ include "common.secret" $tmpGlobal }} diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml index d148ba6888..cac6f79f16 100644 --- a/kubernetes/common/mariadb-init/values.yaml +++ b/kubernetes/common/mariadb-init/values.yaml @@ -23,8 +23,24 @@ global: nameOverride: mariadb-galera servicePort: 3306 # set these two values if you want to access an 'out of ONAP' mariadb - userRootSecret: default - userRootSecretKey: password + # userRootPassword: some-password + # userRootSecret: some-secret-name + # userRootSecretKey: password + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: root-password + type: password + externalSecret: '{{ tpl (default (include "mariadbInit.mariadbClusterSecret" .) .Values.global.mariadbGalera.userRootSecret) . }}' + password: '{{ tpl (default "" .global.mariadbGalera.userRootPassword) . }}' + - uid: '{{ .Values.config.mysqlDatabase }}' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.mysqlExternalSecret) . }}' + login: '{{ .Values.config.userName }}' + password: '{{ .Values.config.userPassword }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -39,6 +55,8 @@ pullPolicy: IfNotPresent config: userPassword: Ci@shsOd3pky1Vji userName: u5WZ1GMSIS1wHZF + # set this value if you would like to use external secret instead of providing a password + # mysqlExternalsecret: some-secret-name mysqlDatabase: ynsaUCru6mUNwGal mysqlAdditionalDatabases: {} # add addtional dabases @@ -48,9 +66,11 @@ config: # dbOne: # user: one # password: pwd1 + # externalSecret: some-secret-name # dbTwo: # user: two # password: pwd2 + # externalSecret: some-secret-name config_map: default nodeSelector: {} -- cgit 1.2.3-korg