[DCAEGEN2][bootstrap] Use common secret template for postgres credentials 94/107094/1
authorKrzysztof Opasiak <k.opasiak@samsung.com>
Tue, 5 May 2020 10:04:31 +0000 (12:04 +0200)
committerKrzysztof Opasiak <k.opasiak@samsung.com>
Tue, 5 May 2020 10:05:34 +0000 (12:05 +0200)
Even though we use the common secret template, both passwords are still
hardcoded in the common postgres chart, but this will be removed as a final
step, just like we did for mariadb-galera.

Issue-ID: OOM-2250
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Icaa5334d6ebad4fbce23ed4f59b74448c02783cf

kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-pgaas-initdb-inputs.yaml
kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml
kubernetes/dcaegen2/components/dcae-bootstrap/templates/secret.yaml
kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml

index 23bb080..eb4cf25 100644 (file)
@@ -16,4 +16,4 @@
 # ============LICENSE_END=========================================================
 
 k8s_pgaas_instance_fqdn: {{ .Values.postgres.service.name2 }}.{{include "common.namespace" . }}
-k8s_initial_password: {{ .Values.postgres.config.pgRootPassword }}
+k8s_initial_password: $PG_ROOT_PASSWORD
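Review bot: `k8s_initial_password: $PG_ROOT_PASSWORD` stays a plain scalar, so after envsubst the substituted password is parsed by YAML, and a generated value that starts with an indicator such as `*`, `&`, `#` or `{`, or contains `: ` or ` #`, will be mis-typed or break the document. Quote the substitution, `k8s_initial_password: '$PG_ROOT_PASSWORD'`, which leaves only a literal `'` in the password as a problem (a double-quoted form would instead process backslashes). Whether the generator behind the `generate` policy can emit such characters is not visible here, so confirm it against the common secret template before relying on the plain form.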
index a36164d..9009f6b 100644 (file)
-#============LICENSE_START========================================================\r
-# ================================================================================\r
-# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved.\r
-# Modifications Copyright © 2018 Amdocs, Bell Canada\r
-# ================================================================================\r
-# Licensed under the Apache License, Version 2.0 (the "License");\r
-# you may not use this file except in compliance with the License.\r
-# You may obtain a copy of the License at\r
-#\r
-#     http://www.apache.org/licenses/LICENSE-2.0\r
-#\r
-# Unless required by applicable law or agreed to in writing, software\r
-# distributed under the License is distributed on an "AS IS" BASIS,\r
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
-# See the License for the specific language governing permissions and\r
-# limitations under the License.\r
-# ============LICENSE_END=========================================================\r
-\r
-apiVersion: extensions/v1beta1\r
-kind: Deployment\r
-metadata:\r
-  name: {{ include "common.fullname" . }}\r
-  namespace: {{ include "common.namespace" . }}\r
-  labels:\r
-    app: {{ include "common.name" . }}\r
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}\r
-    release: {{ include "common.release" . }}\r
-    heritage: {{ .Release.Service }}\r
-spec:\r
-  replicas: 1\r
-  template:\r
-    metadata:\r
-      labels:\r
-        app: {{ include "common.name" . }}\r
-        release: {{ include "common.release" . }}\r
-    spec:\r
-      initContainers:\r
-      - name: {{ include "common.name" . }}-readiness\r
-        image: {{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}\r
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}\r
-        command:\r
-          - /root/ready.py\r
-        args:\r
-          - --container-name\r
-          - dcae-cloudify-manager\r
-          - --container-name\r
-          - consul-server\r
-          - --container-name\r
-          - msb-discovery\r
-          - --container-name\r
-          - kube2msb\r
-          - --container-name\r
-          - dcae-config-binding-service\r
-          - --container-name\r
-          - dcae-db\r
-          - --container-name\r
-          - dcae-inventory-api\r
-          - "-t"\r
-          - "15"\r
-\r
-        env:\r
-        - name: NAMESPACE\r
-          valueFrom:\r
-            fieldRef:\r
-              apiVersion: v1\r
-              fieldPath: metadata.namespace\r
-      - name: init-tls\r
-        env:\r
-        - name: POD_IP\r
-          valueFrom:\r
-            fieldRef:\r
-              apiVersion: v1\r
-              fieldPath: status.podIP\r
-        - name: aaf_locator_fqdn\r
-          value: dcae\r
-        image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}\r
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}\r
-        resources: {}\r
-        volumeMounts:\r
-        - mountPath: /opt/app/osaaf\r
-          name: tls-info\r
-      containers:\r
-        - name: {{ include "common.name" . }}\r
-          image: "{{ include "common.repository" . }}/{{ .Values.image }}"\r
-          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}\r
-          resources:\r
-{{ include "common.resources" . | indent 12 }}\r
-          volumeMounts:\r
-            - mountPath: /inputs\r
-              name: {{ include "common.fullname" . }}-dcae-inputs\r
-            - mountPath: /dcae-configs\r
-              name: {{ include "common.fullname" . }}-dcae-config\r
-            - mountPath: /etc/localtime\r
-              name: localtime\r
-              readOnly: true\r
-            - mountPath: /certs\r
-              name: tls-info\r
-              readOnly: true\r
-          env:\r
-            - name: CMADDR\r
-              value: {{ .Values.config.address.cm.host }}\r
-            - name: CMPASS\r
-              valueFrom:\r
-                secretKeyRef:\r
-                  name: {{ include "common.name" . }}-cmpass\r
-                  key: password\r
-            - name: CMPROTO\r
-              value: {{ .Values.config.address.cm.proto }}\r
-            - name: CMPORT\r
-              value: !!string {{ .Values.config.address.cm.port }}\r
-            - name: CONSUL\r
-              value: {{ .Values.config.address.consul.host }}:{{ .Values.config.address.consul.port }}\r
-            - name: DCAE_NAMESPACE\r
-              value: {{ .Values.dcae_ns | default "" }}\r
-            - name: ONAP_NAMESPACE\r
-              value: {{ include "common.namespace" . }}\r
-      volumes:\r
-        - name: {{ include "common.fullname" . }}-dcae-inputs\r
-          configMap:\r
-            name: {{ include "common.fullname" . }}-dcae-inputs\r
-        - name: {{ include "common.fullname" . }}-dcae-config\r
-          configMap:\r
-            name: {{ include "common.fullname" . }}-dcae-config\r
-        - name: localtime\r
-          hostPath:\r
-            path: /etc/localtime\r
-        - name: tls-info\r
-          emptyDir: {}\r
-      imagePullSecrets:\r
-        - name: "{{ include "common.namespace" . }}-docker-registry-key"\r
+#============LICENSE_START========================================================
+# ================================================================================
+# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2018 Amdocs, Bell Canada
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: {{ include "common.fullname" . }}
+  namespace: {{ include "common.namespace" . }}
+  labels:
+    app: {{ include "common.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ include "common.release" . }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: {{ include "common.name" . }}
+        release: {{ include "common.release" . }}
+    spec:
+      initContainers:
+      - command:
+        - sh
+        args:
+        - -c
+        - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done"
+        env:
+        - name: PG_ROOT_PASSWORD
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-root-pass" "key" "password") | indent 10 }}
+        volumeMounts:
+        - mountPath: /config-input
+          name: {{ include "common.fullname" . }}-dcae-inputs-input
+        - mountPath: /config
+          name: {{ include "common.fullname" . }}-dcae-inputs
+        image: "{{ .Values.global.envsubstImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-update-config
+
+      - name: {{ include "common.name" . }}-readiness
+        image: {{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        command:
+          - /root/ready.py
+        args:
+          - --container-name
+          - dcae-cloudify-manager
+          - --container-name
+          - consul-server
+          - --container-name
+          - msb-discovery
+          - --container-name
+          - kube2msb
+          - --container-name
+          - dcae-config-binding-service
+          - --container-name
+          - dcae-db
+          - --container-name
+          - dcae-inventory-api
+          - "-t"
+          - "15"
+
+        env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+      - name: init-tls
+        env:
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: aaf_locator_fqdn
+          value: dcae
+        image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        resources: {}
+        volumeMounts:
+        - mountPath: /opt/app/osaaf
+          name: tls-info
+      containers:
+        - name: {{ include "common.name" . }}
+          image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          resources:
+{{ include "common.resources" . | indent 12 }}
+          volumeMounts:
+            - mountPath: /inputs
+              name: {{ include "common.fullname" . }}-dcae-inputs
+            - mountPath: /dcae-configs
+              name: {{ include "common.fullname" . }}-dcae-config
+            - mountPath: /etc/localtime
+              name: localtime
+              readOnly: true
+            - mountPath: /certs
+              name: tls-info
+              readOnly: true
+          env:
+            - name: CMADDR
+              value: {{ .Values.config.address.cm.host }}
+            - name: CMPASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "common.name" . }}-cmpass
+                  key: password
+            - name: CMPROTO
+              value: {{ .Values.config.address.cm.proto }}
+            - name: CMPORT
+              value: !!string {{ .Values.config.address.cm.port }}
+            - name: CONSUL
+              value: {{ .Values.config.address.consul.host }}:{{ .Values.config.address.consul.port }}
+            - name: DCAE_NAMESPACE
+              value: {{ .Values.dcae_ns | default "" }}
+            - name: ONAP_NAMESPACE
+              value: {{ include "common.namespace" . }}
+      volumes:
+        - name: {{ include "common.fullname" . }}-dcae-inputs-input
+          configMap:
+            name: {{ include "common.fullname" . }}-dcae-inputs
+        - name: {{ include "common.fullname" . }}-dcae-inputs
+          emptyDir:
+            medium: Memory
+        - name: {{ include "common.fullname" . }}-dcae-config
+          configMap:
+            name: {{ include "common.fullname" . }}-dcae-config
+        - name: localtime
+          hostPath:
+            path: /etc/localtime
+        - name: tls-info
+          emptyDir: {}
+      imagePullSecrets:
+        - name: "{{ include "common.namespace" . }}-docker-registry-key"
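Review bot: The `-update-config` init container invokes `envsubst` with no variable list (the shell string on its `args` line), so every `$NAME` / `${NAME}` token in any file of the `-dcae-inputs` ConfigMap is rewritten, and names not set in that container's env (only `PG_ROOT_PASSWORD` is) become empty strings. If the image ships GNU gettext's envsubst, restrict substitution to the intended variable: `envsubst '$PG_ROOT_PASSWORD' <${PFILE} >/config/${PFILE}`. Keeping the rendered files in a `medium: Memory` emptyDir is a good choice now that they carry the database password; `readOnly: true` on the main container's `/inputs` mount would match the other mounts. Most of this hunk is a CRLF-to-LF rewrite of unchanged lines, so the functional change is limited to the new init container and the `-dcae-inputs-input` / `-dcae-inputs` volume pair.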
index a5bd69a..5fcd916 100644 (file)
@@ -28,6 +28,15 @@ global:
   loggingImage: beats/filebeat:5.5.0
   tlsRepository: nexus3.onap.org:10001
   tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
+  envsubstImage: dibi/envsubst
+
+secrets:
+  - uid: pg-root-pass
+    name: &pgRootPassSecretName '{{ include "common.release" . }}-dcae-bootstrap-pg-root-pass'
+    type: password
+    externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "dcae-bootstrap-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}'
+    password: '{{ .Values.postgres.config.pgRootpassword }}'
+    policy: generate
 
 config:
   logstashServiceName: log-ls
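Review bot: `password: '{{ .Values.postgres.config.pgRootpassword }}'` uses a lowercase `p` that matches neither `pgRootPasswordExternalSecret` in the next hunk nor the removed `pgRootPassword`, so a user-supplied `postgres.config.pgRootPassword` would be silently ignored and the `generate` policy would always produce a random value; this looks like a typo, so correct it to `pgRootPassword` (or drop the line if random-only is the intent). `envsubstImage: dibi/envsubst` carries no tag or digest and is pulled from the default registry, whereas the neighbouring `tlsImage` and `loggingImage` pin a version and `tlsRepository` routes through nexus3; pin it (`dibi/envsubst:<tag>`, tag to be chosen) and route it through the same repository value so the file that receives the root password is never rendered by an image that can change underneath the chart. The `hasSuffix` expression on the `externalSecret` line treats any user-provided secret name ending in `dcae-bootstrap-pg-root-pass` as chart-managed, which deserves a short comment above the `secrets:` block explaining that convention.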
@@ -77,21 +86,10 @@ postgres:
       primary: dcae-pg-primary
       replica: dcae-pg-replica
   config:
-    pgPrimaryPassword: onapdemodb
-    pgRootPassword: onapdemodb
+    pgRootPasswordExternalSecret: *pgRootPassSecretName
   persistence:
     mountSubPath: dcae/data
     mountInitPath: dcae
-  pgpool:
-    nameOverride: dcae-pgpool
-    service:
-      name: dcae-pgpool
-    credentials:
-      pgpassword: onapdemodb
-    container:
-      name:
-        primary: dcae-pgpool-primary
-        replica: dcae-pgpool-replica
 
 mongo:
   nameOverride: dcae-mongo