[DMAAP] Use common secret template for postgres creds 77/107077/1
authorKrzysztof Opasiak <k.opasiak@samsung.com>
Tue, 5 May 2020 00:11:09 +0000 (02:11 +0200)
committerKrzysztof Opasiak <k.opasiak@samsung.com>
Tue, 5 May 2020 00:12:47 +0000 (02:12 +0200)
Passwords are still hardcoded in the common postgres chart but as soon as
we remove them they will be auto-generated.

Issue-ID: OOM-2250
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Idb34b36fe8124433f296523e6ac1a1414d8276fe

kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties
kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml
kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml
kubernetes/dmaap/components/dmaap-bc/values.yaml

index 59f64bd..3f5b1b4 100644 (file)
@@ -69,10 +69,10 @@ DB.host: {{ .Values.postgres.service.name2 }}
 #DB.schema: {{ .Values.postgres.config.pgDatabase }}
 
 # postgres user name
-#DB.user: {{ .Values.postgres.config.pgUserName }}
+DB.user: ${PG_USER}
 
 # postgres user password
-DB.cred:  {{ .Values.postgres.config.pgUserPassword }}
+DB.cred: ${PG_PASSWORD}
 
 
 #####################################################
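Review bot: The value substituted into `DB.cred: ${PG_PASSWORD}` is written verbatim into a properties file, so a password containing a backslash or other escape-significant character would presumably be read back differently by the properties loader than the value stored in PostgreSQL. The character set produced by the `generate` policy is not visible here, so this should be confirmed or stated in a comment next to the key, for example `# value must not contain '\' (rendered verbatim by envsubst)`. The envsubst call in deployment.yaml also replaces every `$NAME`/`${NAME}` in this file, not only these two, so any other literal dollar reference outside this hunk would be blanked. Passing the variable list, `envsubst '${PG_USER} ${PG_PASSWORD}'`, limits the substitution to the two credentials.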
index ea2720f..a957ace 100644 (file)
@@ -23,6 +23,25 @@ spec:
     spec:
 {{- if or .Values.global.aafEnabled .Values.PG.enabled }}
       initContainers:
+      - command:
+        - sh
+        args:
+        - -c
+        - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done"
+        env:
+        - name: PG_USER
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }}
+        - name: PG_PASSWORD
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }}
+        volumeMounts:
+        - mountPath: /config-input
+          name: {{ include "common.name" . }}-config-input
+        - mountPath: /config
+          name: {{ include "common.name" . }}-config
+        image: "{{ .Values.global.envsubstImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-update-config
+
 {{- if .Values.global.aafEnabled }}
       - name: {{ include "common.name" . }}-aaf-readiness
         command:
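Review bot: The new update-config init container sits inside the `if or .Values.global.aafEnabled .Values.PG.enabled` block, while the later hunk in this file turns the `-config` volume into an emptyDir that only this container fills. If both flags are false the pod would, as far as these hunks show, start with an empty /config; the matching `end` is outside the hunk, so this should be confirmed, and `initContainers:` plus this container moved out of the conditional. Separately, the `for` loop returns only the status of its last iteration, so a failed envsubst on an earlier file goes unnoticed. Starting the script with `set -e;` would make the init container fail instead of handing a truncated properties file to the application.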
@@ -155,10 +174,13 @@ spec:
         - name: localtime
           hostPath:
             path: /etc/localtime
-        - name: {{ include "common.name" . }}-config
+        - name: {{ include "common.name" . }}-config-input
           configMap:
             name: {{ include "common.fullname" . }}-config
         - name: {{ include "common.name" . }}-aaf-config-vol
           emptyDir: {}
+        - name: {{ include "common.name" . }}-config
+          emptyDir:
+            medium: Memory
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
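Review bot: The memory-backed `-config` emptyDir added at the end of this hunk has no `sizeLimit`, so the tmpfs holding the rendered properties file is bounded only by the pod's or node's memory. Adding `sizeLimit: <size>` next to `medium: Memory`, with a value sized to the rendered config, keeps it bounded. A one-line comment such as `# tmpfs: rendered config contains the DB password` would record why this volume is memory-backed. The main container's mount of this volume is outside the hunk; if the application only reads the config, that mount could be `readOnly: true`.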
index e15a152..25f5e7a 100644 (file)
@@ -28,3 +28,5 @@ type: Opaque
 data:
   aaf-deploy-password: {{ index .Values.aafConfig.aafDeployPass | b64enc | quote }}
 {{- end }}
+---
+{{ include "common.secretFast" . }}
index 3a18787..d975dba 100644 (file)
@@ -22,6 +22,22 @@ global:
   readinessImage: readiness-check:2.0.0
   loggingRepository: docker.elastic.co
   loggingImage: beats/filebeat:5.5.0
+  envsubstImage: dibi/envsubst
+
+secrets:
+  - uid: pg-root-pass
+    name: &pgRootPassSecretName '{{ include "common.release" . }}-dmaap-bc-pg-root-pass'
+    type: password
+    externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "dmaap-bc-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}'
+    password: '{{ .Values.postgres.config.pgRootpassword }}'
+    policy: generate
+  - uid: pg-user-creds
+    name: &pgUserCredsSecretName '{{ include "common.release" . }}-dmaap-bc-pg-user-creds'
+    type: basicAuth
+    externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "dmaap-bc-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}'
+    login: '{{ .Values.postgres.config.pgUserName }}'
+    password: '{{ .Values.postgres.config.pgUserPassword }}'
+    passwordPolicy: generate
 
 #################################################################
 # Application configuration defaults.
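Review bot: `envsubstImage: dibi/envsubst` has no tag or digest, so the init container that receives PG_USER and PG_PASSWORD runs whatever the default tag resolves to at pull time, whereas the neighbouring `readinessImage` and `loggingImage` entries carry a version tag. Pinning it, e.g. `envsubstImage: dibi/envsubst:<tag>@sha256:<digest>` (placeholders), makes the image that handles the credentials reproducible and reviewable. Separately, the pg-root-pass entry reads `.Values.postgres.config.pgRootpassword`, while the key removed in the next hunk is spelled `pgRootPassword`. Value keys are case-sensitive, so an override under the old spelling would be ignored silently and a generated password used instead; the spelling should match whatever the common postgres chart reads.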
@@ -114,9 +130,8 @@ postgres:
   config:
     pgUserName: dmaap_admin
     pgDatabase: dmaap
-    pgPrimaryPassword: onapdemodb
-    pgUserPassword: onapdemodb
-    pgRootPassword: onapdemodb
+    pgUserExternalSecret: *pgUserCredsSecretName
+    pgRootPasswordExternalSecret: *pgRootPassSecretName
   persistence:
     mountSubPath: dbc/data
     mountInitPath: dbc