[Portal] Remove hardcoded cassandra password

Make cassandra password generate automatically and distribute it to
components that use DB.

Remove also hardcoded encryption key.

Issue-ID: PORTAL-944
Signed-off-by: SandeepLinux <Sandeep.Shah@att.com>
Change-Id: I6e579a76efacc7a0921fea7c74a7a9e49347ebd8
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties
new file mode 100644
index 0000000..368cbe7
--- /dev/null
+++ b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties
@@ -0,0 +1,2 @@
+# Encrypted Properties
+cipher.enc.key = ${CIPHER_ENC_KEY}
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties
index 37544d1..4efbac7 100644
--- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties
+++ b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties
@@ -29,5 +29,5 @@
 music.atomic.get = false
 music.atomic.put = true
 cassandra.host={{.Values.cassandra.service.name}}
-cassandra.user={{.Values.cassandra.config.cassandraUsername}}
-cassandra.password={{.Values.cassandra.config.cassandraPassword}}
+cassandra.user=${CASSA_USER}
+cassandra.password=${CASSA_PASSWORD}
diff --git a/kubernetes/portal/components/portal-app/templates/deployment.yaml b/kubernetes/portal/components/portal-app/templates/deployment.yaml
index 6964715..0be1fdc 100644
--- a/kubernetes/portal/components/portal-app/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-app/templates/deployment.yaml
@@ -49,6 +49,23 @@
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.namespace
+      - name: {{ include "common.name" . }}-portal-config
+        image: "{{ .Values.global.envsubstImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        command: ["/bin/sh"]
+        args: [ "-c", "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"]
+        env:
+          - name: CASSA_USER
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }}
+          - name: CASSA_PASSWORD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }}
+          - name: CIPHER_ENC_KEY
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }}
+        volumeMounts:
+        - mountPath: /config-input
+          name: properties-onapportal-scrubbed
+        - mountPath: /config
+          name: properties-onapportal
 {{ include "common.certInitializer.initContainer" . | indent 6 }}
       containers:
       - name: {{ include "common.name" . }}
@@ -103,6 +120,9 @@
           mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/portal.properties"
           subPath: portal.properties
         - name: properties-onapportal
+          mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/key.properties"
+          subPath: key.properties
+        - name: properties-onapportal
           mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/music.properties"
           subPath: music.properties
         - name: properties-onapportal
@@ -114,6 +134,8 @@
         - name: properties-onapportal
           mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/web.xml"
           subPath: web.xml
+        - name: properties-onapportal
+          mountPath: "{{ .Values.global.env.tomcatDir }}/temp"
         - name: var-log-onap
           mountPath: /var/log/onap
         resources:
@@ -122,7 +144,7 @@
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 10 }}
       {{- end -}}
-      {{- if .Values.affinity }}
+{{- if .Values.affinity }}
       affinity:
 {{ toYaml .Values.affinity | indent 10 }}
       {{- end }}
@@ -143,6 +165,9 @@
           hostPath:
             path: /etc/localtime
         - name: properties-onapportal
+          emptyDir:
+            medium: Memory
+        - name: properties-onapportal-scrubbed
           configMap:
             name: {{ include "common.fullname" . }}-onapportal
             defaultMode: 0755
diff --git a/kubernetes/portal/components/portal-app/values.yaml b/kubernetes/portal/components/portal-app/values.yaml
index 73306ba..55a7ccc 100644
--- a/kubernetes/portal/components/portal-app/values.yaml
+++ b/kubernetes/portal/components/portal-app/values.yaml
@@ -23,9 +23,27 @@
   readinessImage: onap/oom/readiness:3.0.1
   loggingRepository: docker.elastic.co
   loggingImage: beats/filebeat:5.5.0
+  envsubstImage: dibi/envsubst
   #AAF service
   aafEnabled: true
 
+################################################################
+# Secrets metaconfig
+#################################################################
+
+secrets:
+  - uid: portal-cass
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.cassandra.config.cassandraExternalSecret) . }}'
+    login: '{{ .Values.cassandra.config.cassandraUsername }}'
+    password: '{{ .Values.cassandra.config.cassandraPassword }}'
+    passwordPolicy: required
+  - uid: cipher-enc-key
+    type: password
+    externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}'
+    password: '{{ .Values.config.cipherEncKey }}'
+    passwordPolicy: required
+
 #################################################################
 # Application configuration defaults.
 #################################################################
@@ -35,6 +53,11 @@
 image: onap/portal-app:3.2.3
 pullPolicy: Always
 
+# application configuration
+config:
+  # cipherEncKeyExternalSecret: some secret
+  cipherEncKey: AGLDdG4D04BKm2IxIWEr8o==!
+
 #AAF local config
 
 aafURL: https://aaf-service:8100/authz/
@@ -104,6 +127,7 @@
   service:
     name: portal-cassandra
   config:
+    # cassandraExternalSecret: some secret
     cassandraUsername: root
     cassandraPassword: Aa123456
 messageRouter:
diff --git a/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml b/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml
index 5b4bf0c..16b8971 100644
--- a/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml
@@ -64,9 +64,9 @@
           periodSeconds: {{ .Values.readiness.periodSeconds }}
         env:
           - name: CASSUSER
-            value: "{{ .Values.config.cassandraUsername }}"
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12}}
           - name: CASSPASS
-            value: "{{ .Values.config.cassandraPassword }}"
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12}}
           - name: JVM_OPTS
             value: "{{ .Values.config.cassandraJvmOpts }}"
           - name: POD_IP
diff --git a/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml b/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml
new file mode 100644
index 0000000..34932b7
--- /dev/null
+++ b/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/portal/components/portal-cassandra/values.yaml b/kubernetes/portal/components/portal-cassandra/values.yaml
index 65fcdbe..eb6fc12 100644
--- a/kubernetes/portal/components/portal-cassandra/values.yaml
+++ b/kubernetes/portal/components/portal-cassandra/values.yaml
@@ -26,10 +26,21 @@
 image: onap/music/cassandra_music:3.0.0
 pullPolicy: Always
 
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+  - uid: 'db-creds'
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.config.cassandraExternalSecret) . }}'
+    login: '{{ .Values.config.cassandraUsername }}'
+    password: '{{ .Values.config.cassandraPassword }}'
+
 # application configuration
 config:
   cassandraUsername: root
   cassandraPassword: Aa123456
+#  cassandraCredsExternalSecret: some secret
   cassandraJvmOpts: -Xmx2536m -Xms2536m
 
 # default number of instances
diff --git a/kubernetes/portal/components/portal-mariadb/templates/job.yaml b/kubernetes/portal/components/portal-mariadb/templates/job.yaml
index e8a6e0f..b05b920 100644
--- a/kubernetes/portal/components/portal-mariadb/templates/job.yaml
+++ b/kubernetes/portal/components/portal-mariadb/templates/job.yaml
@@ -72,7 +72,9 @@
           value: "{{ .Values.service.internalPort }}"
         - name: DB_PASS
           valueFrom:
-            secretKeyRef: {name: {{ include "common.fullname" . }}, key: db-root-password}
+            secretKeyRef:
+              name: {{ include "common.fullname" . }}
+              key: db-root-password
         command:
         - /bin/sh
         - -x
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties
new file mode 100644
index 0000000..0025a58
--- /dev/null
+++ b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties
@@ -0,0 +1,40 @@
+###
+# ============LICENSE_START==========================================
+# ONAP Portal SDK
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+#
+###
+
+# Properties read by the ECOMP Framework library (epsdk-fw)
+cipher.enc.key = ${CIPHER_ENC_KEY}
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties
index 83ce9ca..f97b90c 100644
--- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties
+++ b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties
@@ -30,5 +30,5 @@
 music.atomic.put = true
 
 cassandra.host={{.Values.cassandra.service.name}}
-cassandra.user={{.Values.cassandra.config.cassandraUsername}}
-cassandra.password={{.Values.cassandra.config.cassandraPassword}}
+cassandra.user=${CASSA_USER}
+cassandra.password=${CASSA_PASSWORD}
diff --git a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml b/kubernetes/portal/components/portal-sdk/templates/deployment.yaml
index 104c2df..f79098f 100644
--- a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml
+++ b/kubernetes/portal/components/portal-sdk/templates/deployment.yaml
@@ -49,6 +49,23 @@
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.namespace
+      - name: {{ include "common.name" . }}-portalsdk-config
+        image: "{{ .Values.global.envsubstImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        command: ["/bin/sh"]
+        args: [ "-c", "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"]
+        env:
+          - name: CASSA_USER
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }}
+          - name: CASSA_PASSWORD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }}
+          - name: CIPHER_ENC_KEY
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }}
+        volumeMounts:
+        - mountPath: /config-input
+          name: properties-onapportalsdk-scrubbed
+        - mountPath: /config
+          name: properties-onapportalsdk
 {{ include "common.certInitializer.initContainer" . | indent 6 }}
       containers:
       - name: {{ include "common.name" . }}
@@ -100,6 +117,9 @@
           mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/classes/portal.properties"
           subPath: portal.properties
         - name: properties-onapportalsdk
+          mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/key.properties"
+          subPath: key.properties
+        - name: properties-onapportalsdk
           mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/classes/music.properties"
           subPath: music.properties
         - name: properties-onapportalsdk
@@ -135,6 +155,9 @@
           hostPath:
             path: /etc/localtime
         - name: properties-onapportalsdk
+          emptyDir:
+            medium: Memory
+        - name: properties-onapportalsdk-scrubbed
           configMap:
             name: {{ include "common.fullname" . }}-onapportalsdk
             defaultMode: 0755
diff --git a/kubernetes/portal/components/portal-sdk/values.yaml b/kubernetes/portal/components/portal-sdk/values.yaml
index ebe49e0..c0f1b58 100644
--- a/kubernetes/portal/components/portal-sdk/values.yaml
+++ b/kubernetes/portal/components/portal-sdk/values.yaml
@@ -24,9 +24,27 @@
   loggingRepository: docker.elastic.co
   loggingImage: beats/filebeat:5.5.0
   persistence: {}
+  envsubstImage: dibi/envsubst
   #AAF service
   aafEnabled: true
 
+################################################################
+# Secrets metaconfig
+#################################################################
+
+secrets:
+  - uid: portal-cass
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.cassandra.config.cassandraExternalSecret) . }}'
+    login: '{{ .Values.cassandra.config.cassandraUsername }}'
+    password: '{{ .Values.cassandra.config.cassandraPassword }}'
+    passwordPolicy: required
+  - uid: cipher-enc-key
+    type: password
+    externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}'
+    password: '{{ .Values.config.cipherEncKey }}'
+    passwordPolicy: required
+
 #################################################################
 # Application configuration defaults.
 #################################################################
@@ -36,6 +54,12 @@
 image: onap/portal-sdk:3.2.0
 pullPolicy: Always
 
+# application configuration
+config:
+  # cipherEncKeyExternalSecret: some secret
+  cipherEncKey: AGLDdG4D04BKm2IxIWEr8o==
+
+
 #AAF local config
 aafURL: https://aaf-service:8100/authz/
 certInitializer:
@@ -98,6 +122,7 @@
   service:
     name: portal-cassandra
   config:
+    # cassandraExternalSecret: some secret
     cassandraUsername: root
     cassandraPassword: Aa123456
 messageRouter: