[SO] Use common secret template in so
Generate passwords for:
- so_user
- so_admin
and distribute them to all SO subcharts.
The mariadb-galera root password is taken as a reference to an existing
secret (shared mariadb instance), or is also generated if a local cluster is
used.
Three other DB users also have generated passwords but they are not
distributed outside of so-mariadb as they were never used.
Issue-ID: OOM-2328
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Ic4af5c9b12b00d2a52d2597e3fe1161d0d1a9f20
diff --git a/kubernetes/so/charts/so-bpmn-infra/values.yaml b/kubernetes/so/charts/so-bpmn-infra/values.yaml
index 357a8fd..4c64caf 100755
--- a/kubernetes/so/charts/so-bpmn-infra/values.yaml
+++ b/kubernetes/so/charts/so-bpmn-infra/values.yaml
@@ -30,14 +30,14 @@
- uid: db-user-creds
name: '{{ include "common.release" . }}-so-bpmn-infra-db-user-creds'
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
name: '{{ include "common.release" . }}-so-bpmn-infra-db-admin-creds'
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
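Review bot: The new `tpl` wrapping on the two externalSecret lines is not explained in the values file, and the reason is non-obvious: the parent chart passes names that are themselves templates (`'{{ include "common.release" . }}-so-db-user-creds'` in so/values.yaml), so without `tpl` the literal template text would be used as the Secret name. A one-line comment above each entry would spare the next reader a trip to the parent chart, e.g. `# value may itself be a template (parent passes a release-scoped name), hence tpl`. The `secrets:` list this hunk belongs to starts above the hunk. The same applies to the identical hunks in the so-catalog-db-adapter, so-mariadb, so-monitoring, so-openstack-adapter, so-request-db-adapter, so-sdc-controller, so-sdnc-adapter and so-vfc-adapter values.yaml files.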
diff --git a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml b/kubernetes/so/charts/so-catalog-db-adapter/values.yaml
index 889f2e8..c276649 100755
--- a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml
+++ b/kubernetes/so/charts/so-catalog-db-adapter/values.yaml
@@ -30,14 +30,14 @@
- uid: db-user-creds
name: '{{ include "common.release" . }}-so-catalog-db-adapter-db-user-creds'
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
name: '{{ include "common.release" . }}-so-catalog-db-adapter-db-admin-creds'
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/charts/so-mariadb/values.yaml b/kubernetes/so/charts/so-mariadb/values.yaml
index d1f3f80..5e7b2fe 100755
--- a/kubernetes/so/charts/so-mariadb/values.yaml
+++ b/kubernetes/so/charts/so-mariadb/values.yaml
@@ -32,13 +32,13 @@
- uid: db-root-pass
name: '{{ include "common.release" . }}-so-mariadb-root-pass'
type: password
- externalSecret: '{{ .Values.db.rootPasswordExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.rootPasswordExternalSecret) . }}'
password: '{{ .Values.db.rootPassword }}'
passwordPolicy: required
- uid: db-backup-creds
name: '{{ include "common.release" . }}-so-mariadb-backup-creds'
type: basicAuth
- externalSecret: '{{ .Values.db.backupCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.backupCredsExternalSecret) . }}'
login: '{{ .Values.db.backupUser }}'
password: '{{ .Values.db.backupPassword }}'
passwordPolicy: required
@@ -48,27 +48,27 @@
helm.sh/hook-delete-policy: before-hook-creation
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
- uid: camunda-db-creds
type: basicAuth
- externalSecret: '{{ .Values.db.camunda.dbCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.camunda.dbCredsExternalSecret) . }}'
login: '{{ .Values.db.camunda.userName }}'
password: '{{ .Values.db.camunda.password }}'
- uid: request-db-creds
type: basicAuth
- externalSecret: '{{ .Values.db.request.dbCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.request.dbCredsExternalSecret) . }}'
login: '{{ .Values.db.request.userName }}'
password: '{{ .Values.db.request.password }}'
- uid: catalog-db-creds
type: basicAuth
- externalSecret: '{{ .Values.db.catalog.dbCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.catalog.dbCredsExternalSecret) . }}'
login: '{{ .Values.db.catalog.userName }}'
password: '{{ .Values.db.catalog.password }}'
diff --git a/kubernetes/so/charts/so-monitoring/values.yaml b/kubernetes/so/charts/so-monitoring/values.yaml
index d390423..357c61c 100644
--- a/kubernetes/so/charts/so-monitoring/values.yaml
+++ b/kubernetes/so/charts/so-monitoring/values.yaml
@@ -34,13 +34,13 @@
secrets:
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/charts/so-openstack-adapter/values.yaml b/kubernetes/so/charts/so-openstack-adapter/values.yaml
index 13556c6..6a0b04b 100755
--- a/kubernetes/so/charts/so-openstack-adapter/values.yaml
+++ b/kubernetes/so/charts/so-openstack-adapter/values.yaml
@@ -29,13 +29,13 @@
secrets:
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/charts/so-request-db-adapter/values.yaml b/kubernetes/so/charts/so-request-db-adapter/values.yaml
index f15b7c2..6324cab 100755
--- a/kubernetes/so/charts/so-request-db-adapter/values.yaml
+++ b/kubernetes/so/charts/so-request-db-adapter/values.yaml
@@ -29,13 +29,13 @@
secrets:
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/charts/so-sdc-controller/values.yaml b/kubernetes/so/charts/so-sdc-controller/values.yaml
index 0e3bdf4..6d8adf7 100755
--- a/kubernetes/so/charts/so-sdc-controller/values.yaml
+++ b/kubernetes/so/charts/so-sdc-controller/values.yaml
@@ -29,13 +29,13 @@
secrets:
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/charts/so-sdnc-adapter/values.yaml b/kubernetes/so/charts/so-sdnc-adapter/values.yaml
index b6724aa..b736253 100755
--- a/kubernetes/so/charts/so-sdnc-adapter/values.yaml
+++ b/kubernetes/so/charts/so-sdnc-adapter/values.yaml
@@ -29,13 +29,13 @@
secrets:
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/charts/so-vfc-adapter/values.yaml b/kubernetes/so/charts/so-vfc-adapter/values.yaml
index 028f2b5..f442860 100755
--- a/kubernetes/so/charts/so-vfc-adapter/values.yaml
+++ b/kubernetes/so/charts/so-vfc-adapter/values.yaml
@@ -29,13 +29,13 @@
secrets:
- uid: db-user-creds
type: basicAuth
- externalSecret: '{{ .Values.db.userCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}'
login: '{{ .Values.db.userName }}'
password: '{{ .Values.db.userPassword }}'
passwordPolicy: required
- uid: db-admin-creds
type: basicAuth
- externalSecret: '{{ .Values.db.adminCredsExternalSecret }}'
+ externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}'
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
diff --git a/kubernetes/so/templates/deployment.yaml b/kubernetes/so/templates/deployment.yaml
index c0ac078..ca6be72 100755
--- a/kubernetes/so/templates/deployment.yaml
+++ b/kubernetes/so/templates/deployment.yaml
@@ -66,25 +66,13 @@
name: {{ include "common.release" . }}-so-db-secrets
key: mariadb.readwrite.port
- name: DB_USERNAME
- valueFrom:
- secretKeyRef:
- name: {{ include "common.release" . }}-so-db-secrets
- key: mariadb.readwrite.rolename
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }}
- name: DB_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ include "common.release" . }}-so-db-secrets
- key: mariadb.readwrite.password
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }}
- name: DB_ADMIN_USERNAME
- valueFrom:
- secretKeyRef:
- name: {{ include "common.release" . }}-so-db-secrets
- key: mariadb.admin.rolename
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }}
- name: DB_ADMIN_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ include "common.release" . }}-so-db-secrets
- key: mariadb.admin.password
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }}
{{- if eq .Values.global.security.aaf.enabled true }}
- name: TRUSTSTORE
value: /app/org.onap.so.trust.jks
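Review bot: Each new include uses `{{-`, which strips the newline after the preceding `key:` line, combined with `indent 10`, which unlike `nindent` does not add one; this renders valid YAML only if `common.secret.envFromSecretFast` itself begins with a newline, which cannot be confirmed from this hunk. If it does not, `{{- include … | nindent 10 }}` is the safer form. Note also that the `mariadb.readwrite.port` lookup on the context lines still reads the old `-so-db-secrets` Secret, so that Secret remains a dependency of this deployment even though the credentials moved out of it. The container spec extends beyond this hunk on both sides.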
diff --git a/kubernetes/so/templates/secret.yaml b/kubernetes/so/templates/secret.yaml
new file mode 100644
index 0000000..bd7eb8e
--- /dev/null
+++ b/kubernetes/so/templates/secret.yaml
@@ -0,0 +1,15 @@
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml
index 807d2a6..b2a8b68 100755
--- a/kubernetes/so/values.yaml
+++ b/kubernetes/so/values.yaml
@@ -26,7 +26,8 @@
nameOverride: mariadb-galera
serviceName: mariadb-galera
servicePort: "3306"
- mariadbRootPassword: secretpassword
+ # mariadbRootPassword: secretpassword
+ # rootPasswordExternalSecret: some secret
#This flag allows SO to instantiate its own mariadb-galera cluster,
#serviceName and nameOverride should be so-mariadb-galera if this flag is enabled
localCluster: false
@@ -40,6 +41,7 @@
dbPort: 3306
dbUser: root
dbPassword: secretpassword
+ # dbCredsExternalSecret: some secret
msbEnabled: true
security:
aaf:
@@ -69,9 +71,55 @@
certs:
trustStorePassword: b25hcDRzbw==
keyStorePassword: c280b25hcA==
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: db-root-pass
+ name: &dbRootPassSecretName '{{ include "common.release" . }}-so-db-root-pass'
+ type: password
+ externalSecret: '{{ ternary .Values.global.mariadbGalera.rootPasswordExternalSecret (default (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) .Values.global.mariadbGalera.rootPasswordExternalSecret) .Values.global.mariadbGalera.localCluster }}'
+ password: '{{ .Values.global.mariadbGalera.mariadbRootpassword }}'
+ - uid: db-backup-creds
+ name: &dbBackupCredsSecretName '{{ include "common.release" . }}-so-db-backup-creds'
+ type: basicAuth
+ externalSecret: '{{ ternary .Values.global.migration.dbCredsExternalSecret "migrationDisabled" .Values.global.migration.enabled }}'
+ login: '{{ ternary .Values.global.migration.dbUser "migrationDisabled" .Values.global.migration.enabled }}'
+ password: '{{ ternary .Values.global.migration.dbPassword "migrationDisabled" .Values.global.migration.enabled }}'
+ passwordPolicy: required
+ annotations:
+ helm.sh/hook: pre-upgrade,pre-install
+ helm.sh/hook-weight: "0"
+ helm.sh/hook-delete-policy: before-hook-creation
+ - uid: db-user-creds
+ name: &dbUserCredsSecretName '{{ include "common.release" . }}-so-db-user-creds'
+ type: basicAuth
+ externalSecret: '{{ .Values.dbCreds.userCredsExternalSecret }}'
+ login: '{{ .Values.dbCreds.userName }}'
+ password: '{{ .Values.dbCreds.userPassword }}'
+ passwordPolicy: generate
+ - uid: db-admin-creds
+ name: &dbAdminCredsSecretName '{{ include "common.release" . }}-so-db-admin-creds'
+ type: basicAuth
+ externalSecret: '{{ .Values.dbCreds.adminCredsExternalSecret }}'
+ login: '{{ .Values.dbCreds.adminName }}'
+ password: '{{ .Values.dbCreds.adminPassword }}'
+ passwordPolicy: generate
+
#################################################################
# Application configuration defaults.
#################################################################
+
+dbSecrets: &dbSecrets
+ userCredsExternalSecret: *dbUserCredsSecretName
+ adminCredsExternalSecret: *dbAdminCredsSecretName
+
+# unused in this, just to pass to subcharts
+dbCreds:
+ userName: so_user
+ adminName: so_admin
+
repository: nexus3.onap.org:10001
image: onap/so/api-handler-infra:1.5.3
pullPolicy: Always
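Review bot: The db-root-pass entry reads `.Values.global.mariadbGalera.mariadbRootpassword` (lowercase p), while the key commented out in this file's first hunk is spelled `mariadbRootPassword`, so a user who sets the documented key would never have it picked up; change the line to `password: '{{ .Values.global.mariadbGalera.mariadbRootPassword }}'`. That entry is also the only one in the list without a `passwordPolicy`; if `common.secretFast` does not default to generating, it presumably needs `passwordPolicy: generate` for the localCluster case described in the commit message. The comment `# unused in this, just to pass to subcharts` above `dbCreds` is stale, since the db-user-creds and db-admin-creds entries read `.Values.dbCreds.userName` and `.Values.dbCreds.adminName`; suggest `# login names (and optional external secret refs) for the so_user / so_admin creds; also passed to subcharts`.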
@@ -133,6 +181,8 @@
# --set so.global.mariadbGalera.nameOverride=so-mariadb-galera \
# --set so.global.mariadbGalera.serviceName=so-mariadb-galera
mariadb-galera:
+ config:
+ mariadbRootPasswordExternalSecret: *dbRootPassSecretName
nameOverride: so-mariadb-galera
replicaCount: 1
service:
@@ -172,7 +222,10 @@
auth: 51EA5414022D7BE536E7516C4D1A6361416921849B72C0D6FC1C7F262FD9F2BBC2AD124190A332D9845A188AD80955567A4F975C84C221EEA8243BFD92FFE6896CDD1EA16ADD34E1E3D47D4A
health:
auth: basic bXNvX2FkbWlufHBhc3N3b3JkMSQ=
+
so-bpmn-infra:
+ db:
+ <<: *dbSecrets
cds:
auth: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw==
aai:
@@ -204,7 +257,10 @@
vnfm:
adapter:
auth: Basic dm5mbTpwYXNzd29yZDEk
+
so-catalog-db-adapter:
+ db:
+ <<: *dbSecrets
mso:
config:
cadi:
@@ -215,7 +271,10 @@
adapters:
db:
auth: Basic YnBlbDpwYXNzd29yZDEk
+
so-openstack-adapter:
+ db:
+ <<: *dbSecrets
aaf:
auth:
encrypted: 7F182B0C05D58A23A1C4966B9CDC9E0B8BC5CD53BC8C7B4083D869F8D53E9BDC3EFD55C94B1D3F
@@ -240,7 +299,10 @@
noAuthn: /manage/health
db:
auth: Basic YnBlbDpwYXNzd29yZDEk
+
so-request-db-adapter:
+ db:
+ <<: *dbSecrets
mso:
config:
cadi:
@@ -251,7 +313,10 @@
adapters:
requestDb:
auth: Basic YnBlbDpwYXNzd29yZDEk
+
so-sdc-controller:
+ db:
+ <<: *dbSecrets
aai:
auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586
mso:
@@ -271,6 +336,8 @@
asdc-controller1:
password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F
so-sdnc-adapter:
+ db:
+ <<: *dbSecrets
org:
onap:
so:
@@ -292,7 +359,10 @@
auth: Basic YnBlbDpwYXNzd29yZDEk
rest:
aafEncrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456
+
so-vfc-adapter:
+ db:
+ <<: *dbSecrets
mso:
config:
cadi:
@@ -322,3 +392,15 @@
aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9
apiEnforcement: org.onap.so.vnfmAdapterPerm
noAuthn: /manage/health
+
+so-monitoring:
+ db:
+ <<: *dbSecrets
+
+so-mariadb:
+ db:
+ rootPasswordExternalSecretLocalDb: *dbRootPassSecretName
+ rootPasswordExternalSecret: '{{ ternary .Values.db.rootPasswordExternalSecretLocalDb (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) .Values.global.mariadbGalera.localCluster }}'
+ backupCredsExternalSecret: *dbBackupCredsSecretName
+ userCredsExternalSecret: *dbUserCredsSecretName
+ adminCredsExternalSecret: *dbAdminCredsSecretName
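Review bot: `backupCredsExternalSecret: *dbBackupCredsSecretName` points so-mariadb at `-so-db-backup-creds`, but the parent's db-backup-creds entry sets its externalSecret to the literal `migrationDisabled` whenever `global.migration.enabled` is false, which presumably makes the parent skip creating that Secret; the so-mariadb reference would then dangle unless so-mariadb only consumes backup creds with migration enabled, which this diff does not show. Worth confirming, or guarding the line with the same `ternary … .Values.global.migration.enabled` form the parent entry uses.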