From bb48fc854a89ae8a9e4efc926df0930ae5a271d5 Mon Sep 17 00:00:00 2001
From: Krzysztof Opasiak <k.opasiak@samsung.com>
Date: Tue, 5 May 2020 11:36:30 +0200
Subject: [PATCH] [DCAEGEN2] Use common secret template for postgres
 credentials

Even through we use common secret template both passwords are still
hardcoded in common postgres chart but this will be removed as a final
step just like we did for mariadb-galera.

Issue-ID: OOM-2250
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I4b499e277bb084d7d1f2f2d9b72533a6532b751f
---
 .../resources/config/config.json                   |  4 ++--
 .../dcae-inventory-api/templates/deployment.yaml   | 25 ++++++++++++++++++++--
 .../dcae-inventory-api/templates/secret.yaml       | 16 ++++++++++++++
 .../components/dcae-inventory-api/values.yaml      | 25 ++++++++++------------
 4 files changed, 52 insertions(+), 18 deletions(-)
 create mode 100644 kubernetes/dcaegen2/components/dcae-inventory-api/templates/secret.yaml

diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json
index d9927314e1..4be8c195d2 100644
--- a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json
+++ b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json
@@ -1,8 +1,8 @@
 {
     "database": {
       "driverClass": "org.postgresql.Driver",
-      "user": "{{ .Values.postgres.config.pgUserName }}",
-      "password": "{{ .Values.postgres.config.pgUserPassword }}",
+      "user": "${PG_USER}",
+      "password": "${PG_PASSWORD}",
       "url": "jdbc:postgresql://{{ .Values.postgres.service.name2 }}:5432/{{ .Values.postgres.config.pgDatabase }}",
       "properties": {
         "charSet": "UTF-8"
diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml
index 6769c00a2d..bf49157762 100644
--- a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml
+++ b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml
@@ -34,6 +34,25 @@ spec:
         release: {{ include "common.release" . }}
     spec:
       initContainers:
+        - command:
+          - sh
+          args:
+          - -c
+          - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done"
+          env:
+          - name: PG_USER
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 12 }}
+          - name: PG_PASSWORD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }}
+          volumeMounts:
+          - mountPath: /config-input
+            name: {{ include "common.fullname" . }}-inv-config-input
+          - mountPath: /config
+            name: {{ include "common.fullname" . }}-inv-config
+          image: "{{ .Values.global.envsubstImage }}"
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          name: {{ include "common.name" . }}-update-config
+
         - name: {{ include "common.name" . }}-readiness
           image: {{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
@@ -135,11 +154,13 @@ spec:
             defaultMode: 420
             name: {{ include "common.fullname" . }}-filebeat-configmap
           name: filebeat-conf
-        - name: {{ include "common.fullname" . }}-inv-config
+        - name: {{ include "common.fullname" . }}-inv-config-input
           configMap:
             name: {{ include "common.fullname" . }}-configmap
+        - name: {{ include "common.fullname" . }}-inv-config
+          emptyDir:
+            medium: Memory
         - emptyDir: {}
           name: tls-info
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
-
diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/secret.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/secret.yaml
new file mode 100644
index 0000000000..b143034d8f
--- /dev/null
+++ b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/secret.yaml
@@ -0,0 +1,16 @@
+{{/*
+# Copyright © 2020 Samsung Electronics
+# #
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# #       http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+*/}}
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml
index 51af963343..a26ae5d196 100644
--- a/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml
+++ b/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml
@@ -26,10 +26,20 @@ global:
   loggingImage: beats/filebeat:5.5.0
   tlsRepository: nexus3.onap.org:10001
   tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
+  envsubstImage: dibi/envsubst
   repositoryCred:
     user: docker
     password: docker
 
+secrets:
+  - uid: pg-user-creds
+    name: &pgUserCredsSecretName '{{ include "common.release" . }}-dcae-inventory-api-pg-user-creds'
+    type: basicAuth
+    externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "dcae-inventory-api-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}'
+    login: '{{ .Values.postgres.config.pgUserName }}'
+    password: '{{ .Values.postgres.config.pgUserPassword }}'
+    passwordPolicy: generate
+
 config:
   logstashServiceName: log-ls
   logstashPort: 5044
@@ -82,24 +92,11 @@ postgres:
       replica: dcae-inv-pg-replica
   config:
     pgUserName: dcae_inv
+    pgUserExternalSecret: *pgUserCredsSecretName
     pgDatabase: dcae_inventory
-    pgPrimaryPassword: onapdemodb
-    pgUserPassword: onapdemodb
-    pgRootPassword: onapdemodb
   persistence:
     mountSubPath: dcae-inv/data
     mountInitPath: dcae-inv
-  pgpool:
-    nameOverride: dcae-inv-pgpool
-    service:
-      name: dcae-inv-pgpool
-    credentials:
-      pgusername: ddcae_inv
-      pgpassword: onapdemodb
-    container:
-      name:
-        primary: dcae-inv-pgpool-primary
-        replica: dcae-inv-pgpool-replica
 
 # Resource Limit flavor -By Default using small
 flavor: small
-- 
2.16.6