[DMAAP] Don't hardcode mariadb-galera password
Let's use common secret template to generate user credentials for
DMAAP data router DB DB and depend on mariadb-galera to generate
secure enough root password.
Issue-ID: OOM-2287
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I82d22a2db2dc9fba655f99f837be689f4a32a871
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties
index 34662ae..b672311 100644
--- a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties
+++ b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties
@@ -7,9 +7,9 @@
# * Licensed under the Apache License, Version 2.0 (the "License");
# * you may not use this file except in compliance with the License.
# * You may obtain a copy of the License at
-# *
+# *
# * http://www.apache.org/licenses/LICENSE-2.0
-# *
+# *
# * Unless required by applicable law or agreed to in writing, software
# * distributed under the License is distributed on an "AS IS" BASIS,
# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -40,9 +40,9 @@
# Database access
org.onap.dmaap.datarouter.db.driver = org.mariadb.jdbc.Driver
-org.onap.dmaap.datarouter.db.url = jdbc:mariadb://{{.Values.config.dmaapDrDb.mariadbServiceName}}:{{.Values.config.dmaapDrDb.mariadbServicePort}}/datarouter
-org.onap.dmaap.datarouter.db.login = datarouter
-org.onap.dmaap.datarouter.db.password = datarouter
+org.onap.dmaap.datarouter.db.url = jdbc:mariadb://{{.Values.config.dmaapDrDb.mariadbServiceName}}:{{.Values.config.dmaapDrDb.mariadbServicePort}}/{{.Values.mariadb.config.mysqlDatabase}}
+org.onap.dmaap.datarouter.db.login = ${DB_USERNAME}
+org.onap.dmaap.datarouter.db.password = ${DB_PASSWORD}
# PROV - DEFAULT ENABLED TLS PROTOCOLS
org.onap.dmaap.datarouter.provserver.https.include.protocols = TLSv1.1|TLSv1.2
@@ -55,4 +55,3 @@
org.onap.dmaap.datarouter.provserver.aaf.instance = legacy
org.onap.dmaap.datarouter.provserver.aaf.action.publish = publish
org.onap.dmaap.datarouter.provserver.aaf.action.subscribe = subscribe
-
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml
index d6257bb..104fcdc 100644
--- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml
+++ b/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml
@@ -120,6 +120,11 @@
port: {{ .Values.config.dmaapDrProv.internalPort }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
+ env:
+ - name: DB_USERNAME
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "dmaap-dr-db-user-secret" "key" "login") | indent 12 }}
+ - name: DB_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "dmaap-dr-db-user-secret" "key" "password") | indent 12 }}
volumeMounts:
{{- if .Values.global.aafEnabled }}
- mountPath: {{ .Values.persistence.aafCredsPath }}
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/secret.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/secret.yaml
new file mode 100644
index 0000000..dee311c
--- /dev/null
+++ b/kubernetes/dmaap/components/dmaap-dr-prov/templates/secret.yaml
@@ -0,0 +1,15 @@
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secret" . }}
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml
index 4dcd7c3..6165568 100644
--- a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml
+++ b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml
@@ -20,6 +20,17 @@
loggingDirectory: /opt/app/datartr/logs
#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: dmaap-dr-db-user-secret
+ name: '{{ include "common.release" . }}-dmaap-dr-db-user-secret'
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.config.dmaapDrDb.userCredentialsExternalSecret) . }}'
+ login: '{{ .Values.config.dmaapDrDb.userName }}'
+ password: '{{ .Values.config.dmaapDrDb.userPassword }}'
+
+#################################################################
# Application configuration defaults.
#################################################################
# application image
@@ -88,6 +99,9 @@
mariadbServiceName: dmaap-dr-db-svc
mariadbServicePort: 3306
mariadbContName: dmaap-dr-db
+ userName: datarouter
+# userPassword: password
+# userCredentialsExternalSecret: some secret
# mariadb-galera configuration
mariadb:
@@ -95,9 +109,7 @@
nameOverride: dmaap-dr-db
replicaCount: 2
config:
- mariadbRootPassword: datarouter
- userName: datarouter
- userPassword: datarouter
+ userCredentialsExternalSecret: '{{ include "common.release" . }}-dmaap-dr-db-user-secret'
mysqlDatabase: datarouter
service:
name: dmaap-dr-db-svc
@@ -136,4 +148,4 @@
requests:
cpu: 1000m
memory: 2Gi
- unlimited: {}
\ No newline at end of file
+ unlimited: {}