[Portal] Remove hardcoded cassandra password
Make cassandra password generate automatically and distribute it to
components that use DB.
Remove also hardcoded encryption key.
Issue-ID: PORTAL-944
Signed-off-by: SandeepLinux <Sandeep.Shah@att.com>
Change-Id: I6e579a76efacc7a0921fea7c74a7a9e49347ebd8
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties
new file mode 100644
index 0000000..368cbe7
--- /dev/null
+++ b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties
@@ -0,0 +1,2 @@
+# Encrypted Properties
+cipher.enc.key = ${CIPHER_ENC_KEY}
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties
index 37544d1..4efbac7 100644
--- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties
+++ b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties
@@ -29,5 +29,5 @@
music.atomic.get = false
music.atomic.put = true
cassandra.host={{.Values.cassandra.service.name}}
-cassandra.user={{.Values.cassandra.config.cassandraUsername}}
-cassandra.password={{.Values.cassandra.config.cassandraPassword}}
+cassandra.user=${CASSA_USER}
+cassandra.password=${CASSA_PASSWORD}
diff --git a/kubernetes/portal/components/portal-app/templates/deployment.yaml b/kubernetes/portal/components/portal-app/templates/deployment.yaml
index 6964715..0be1fdc 100644
--- a/kubernetes/portal/components/portal-app/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-app/templates/deployment.yaml
@@ -49,6 +49,23 @@
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ - name: {{ include "common.name" . }}-portal-config
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command: ["/bin/sh"]
+ args: [ "-c", "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"]
+ env:
+ - name: CASSA_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }}
+ - name: CASSA_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }}
+ - name: CIPHER_ENC_KEY
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: properties-onapportal-scrubbed
+ - mountPath: /config
+ name: properties-onapportal
{{ include "common.certInitializer.initContainer" . | indent 6 }}
containers:
- name: {{ include "common.name" . }}
@@ -103,6 +120,9 @@
mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/portal.properties"
subPath: portal.properties
- name: properties-onapportal
+ mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/key.properties"
+ subPath: key.properties
+ - name: properties-onapportal
mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/music.properties"
subPath: music.properties
- name: properties-onapportal
@@ -114,6 +134,8 @@
- name: properties-onapportal
mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/web.xml"
subPath: web.xml
+ - name: properties-onapportal
+ mountPath: "{{ .Values.global.env.tomcatDir }}/temp"
- name: var-log-onap
mountPath: /var/log/onap
resources:
@@ -122,7 +144,7 @@
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 10 }}
{{- end -}}
- {{- if .Values.affinity }}
+{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 10 }}
{{- end }}
@@ -143,6 +165,9 @@
hostPath:
path: /etc/localtime
- name: properties-onapportal
+ emptyDir:
+ medium: Memory
+ - name: properties-onapportal-scrubbed
configMap:
name: {{ include "common.fullname" . }}-onapportal
defaultMode: 0755
diff --git a/kubernetes/portal/components/portal-app/values.yaml b/kubernetes/portal/components/portal-app/values.yaml
index 73306ba..55a7ccc 100644
--- a/kubernetes/portal/components/portal-app/values.yaml
+++ b/kubernetes/portal/components/portal-app/values.yaml
@@ -23,9 +23,27 @@
readinessImage: onap/oom/readiness:3.0.1
loggingRepository: docker.elastic.co
loggingImage: beats/filebeat:5.5.0
+ envsubstImage: dibi/envsubst
#AAF service
aafEnabled: true
+################################################################
+# Secrets metaconfig
+#################################################################
+
+secrets:
+ - uid: portal-cass
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.cassandra.config.cassandraExternalSecret) . }}'
+ login: '{{ .Values.cassandra.config.cassandraUsername }}'
+ password: '{{ .Values.cassandra.config.cassandraPassword }}'
+ passwordPolicy: required
+ - uid: cipher-enc-key
+ type: password
+ externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}'
+ password: '{{ .Values.config.cipherEncKey }}'
+ passwordPolicy: required
+
#################################################################
# Application configuration defaults.
#################################################################
@@ -35,6 +53,11 @@
image: onap/portal-app:3.2.3
pullPolicy: Always
+# application configuration
+config:
+ # cipherEncKeyExternalSecret: some secret
+ cipherEncKey: AGLDdG4D04BKm2IxIWEr8o==!
+
#AAF local config
aafURL: https://aaf-service:8100/authz/
@@ -104,6 +127,7 @@
service:
name: portal-cassandra
config:
+ # cassandraExternalSecret: some secret
cassandraUsername: root
cassandraPassword: Aa123456
messageRouter:
diff --git a/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml b/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml
index 5b4bf0c..16b8971 100644
--- a/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml
@@ -64,9 +64,9 @@
periodSeconds: {{ .Values.readiness.periodSeconds }}
env:
- name: CASSUSER
- value: "{{ .Values.config.cassandraUsername }}"
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12}}
- name: CASSPASS
- value: "{{ .Values.config.cassandraPassword }}"
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12}}
- name: JVM_OPTS
value: "{{ .Values.config.cassandraJvmOpts }}"
- name: POD_IP
diff --git a/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml b/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml
new file mode 100644
index 0000000..34932b7
--- /dev/null
+++ b/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/portal/components/portal-cassandra/values.yaml b/kubernetes/portal/components/portal-cassandra/values.yaml
index 65fcdbe..eb6fc12 100644
--- a/kubernetes/portal/components/portal-cassandra/values.yaml
+++ b/kubernetes/portal/components/portal-cassandra/values.yaml
@@ -26,10 +26,21 @@
image: onap/music/cassandra_music:3.0.0
pullPolicy: Always
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: 'db-creds'
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.config.cassandraExternalSecret) . }}'
+ login: '{{ .Values.config.cassandraUsername }}'
+ password: '{{ .Values.config.cassandraPassword }}'
+
# application configuration
config:
cassandraUsername: root
cassandraPassword: Aa123456
+# cassandraCredsExternalSecret: some secret
cassandraJvmOpts: -Xmx2536m -Xms2536m
# default number of instances
diff --git a/kubernetes/portal/components/portal-mariadb/templates/job.yaml b/kubernetes/portal/components/portal-mariadb/templates/job.yaml
index e8a6e0f..b05b920 100644
--- a/kubernetes/portal/components/portal-mariadb/templates/job.yaml
+++ b/kubernetes/portal/components/portal-mariadb/templates/job.yaml
@@ -72,7 +72,9 @@
value: "{{ .Values.service.internalPort }}"
- name: DB_PASS
valueFrom:
- secretKeyRef: {name: {{ include "common.fullname" . }}, key: db-root-password}
+ secretKeyRef:
+ name: {{ include "common.fullname" . }}
+ key: db-root-password
command:
- /bin/sh
- -x
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties
new file mode 100644
index 0000000..0025a58
--- /dev/null
+++ b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties
@@ -0,0 +1,40 @@
+###
+# ============LICENSE_START==========================================
+# ONAP Portal SDK
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+#
+###
+
+# Properties read by the ECOMP Framework library (epsdk-fw)
+cipher.enc.key = ${CIPHER_ENC_KEY}
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties
index 83ce9ca..f97b90c 100644
--- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties
+++ b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties
@@ -30,5 +30,5 @@
music.atomic.put = true
cassandra.host={{.Values.cassandra.service.name}}
-cassandra.user={{.Values.cassandra.config.cassandraUsername}}
-cassandra.password={{.Values.cassandra.config.cassandraPassword}}
+cassandra.user=${CASSA_USER}
+cassandra.password=${CASSA_PASSWORD}
diff --git a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml b/kubernetes/portal/components/portal-sdk/templates/deployment.yaml
index 104c2df..f79098f 100644
--- a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-sdk/templates/deployment.yaml
@@ -49,6 +49,23 @@
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ - name: {{ include "common.name" . }}-portalsdk-config
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command: ["/bin/sh"]
+ args: [ "-c", "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"]
+ env:
+ - name: CASSA_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }}
+ - name: CASSA_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }}
+ - name: CIPHER_ENC_KEY
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: properties-onapportalsdk-scrubbed
+ - mountPath: /config
+ name: properties-onapportalsdk
{{ include "common.certInitializer.initContainer" . | indent 6 }}
containers:
- name: {{ include "common.name" . }}
@@ -100,6 +117,9 @@
mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/classes/portal.properties"
subPath: portal.properties
- name: properties-onapportalsdk
+ mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/key.properties"
+ subPath: key.properties
+ - name: properties-onapportalsdk
mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/classes/music.properties"
subPath: music.properties
- name: properties-onapportalsdk
@@ -135,6 +155,9 @@
hostPath:
path: /etc/localtime
- name: properties-onapportalsdk
+ emptyDir:
+ medium: Memory
+ - name: properties-onapportalsdk-scrubbed
configMap:
name: {{ include "common.fullname" . }}-onapportalsdk
defaultMode: 0755
diff --git a/kubernetes/portal/components/portal-sdk/values.yaml b/kubernetes/portal/components/portal-sdk/values.yaml
index ebe49e0..c0f1b58 100644
--- a/kubernetes/portal/components/portal-sdk/values.yaml
+++ b/kubernetes/portal/components/portal-sdk/values.yaml
@@ -24,9 +24,27 @@
loggingRepository: docker.elastic.co
loggingImage: beats/filebeat:5.5.0
persistence: {}
+ envsubstImage: dibi/envsubst
#AAF service
aafEnabled: true
+################################################################
+# Secrets metaconfig
+#################################################################
+
+secrets:
+ - uid: portal-cass
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.cassandra.config.cassandraExternalSecret) . }}'
+ login: '{{ .Values.cassandra.config.cassandraUsername }}'
+ password: '{{ .Values.cassandra.config.cassandraPassword }}'
+ passwordPolicy: required
+ - uid: cipher-enc-key
+ type: password
+ externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}'
+ password: '{{ .Values.config.cipherEncKey }}'
+ passwordPolicy: required
+
#################################################################
# Application configuration defaults.
#################################################################
@@ -36,6 +54,12 @@
image: onap/portal-sdk:3.2.0
pullPolicy: Always
+# application configuration
+config:
+ # cipherEncKeyExternalSecret: some secret
+ cipherEncKey: AGLDdG4D04BKm2IxIWEr8o==
+
+
#AAF local config
aafURL: https://aaf-service:8100/authz/
certInitializer:
@@ -98,6 +122,7 @@
service:
name: portal-cassandra
config:
+ # cassandraExternalSecret: some secret
cassandraUsername: root
cassandraPassword: Aa123456
messageRouter: