[SDNC] Use common secret template in dmaap-listener

Whole SDNC strongly depends on the assumption that it is using a
common mariadb-galera instance and that root password is secret
password. Also user and password to sdnc DB is hardcoded.

Let's start working on removing this assumption and component by
component add support for local and shared mariadb instance without
hardcoding any passwords to the database.

In this patch all passwords are still hardcoded in the helm chart to
not break other parts of SDNC. Those values will be removed in a final patch.

Issue-ID: OOM-2309
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I3280f9d7ff4933d4e50b94ca248676ed9aa6688d

diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/aai.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/aai.properties
index 66e6267..f9640a9 100644 (file)
--- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/aai.properties
+++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/aai.properties
@@ -30,6 +30,6 @@ AFT_DME2_ROUNDTRIP_TIMEOUT_MS=240000
 AFT_DME2_EP_READ_TIMEOUT_MS=50000
 sessionstickinessrequired=NO
 DME2preferredRouterFilePath=/opt/onap/sdnc/data/properties/dmaap-listener.preferredRoute.txt
-sdnc.odl.user=admin
-sdnc.odl.password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
+sdnc.odl.user=${ODL_USER}
+sdnc.odl.password=${ODL_PASSWORD}
 sdnc.odl.url-base=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations
\ No newline at end of file

diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dblib.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dblib.properties
index 8a0a102..beb514e 100644 (file)
--- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dblib.properties
+++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dblib.properties
@@ -1,7 +1,6 @@
 ###
 # ============LICENSE_START=======================================================
-# Copyright (C) 2018 ONAP Intellectual Property. All rights
-#                                              reserved.
+# Copyright (C) 2018 ONAP Intellectual Property. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,11 +17,11 @@
 ###
 org.onap.ccsdk.sli.dbtype=jdbc
 org.onap.ccsdk.sli.jdbc.hosts=sdnctldb01
-org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGalera.serviceName}}.{{.Release.Namespace}}:{{.Values.config.mariadbGalera.internalPort}}/sdnctl
+org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{include "common.mariadbService" $}}:{{include "common.mariadbPort" $}}/{{index $.Values "mariadb-galera" "config" "mysqlDatabase"}}
 org.onap.ccsdk.sli.jdbc.driver=org.mariadb.jdbc.Driver
-org.onap.ccsdk.sli.jdbc.database=sdnctl
-org.onap.ccsdk.sli.jdbc.user=sdnctl
-org.onap.ccsdk.sli.jdbc.password=gamma
+org.onap.ccsdk.sli.jdbc.database={{index $.Values "mariadb-galera" "config" "mysqlDatabase"}}
+org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER}
+org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWORD}
 org.onap.ccsdk.sli.jdbc.connection.name=sdnctldb01
 org.onap.ccsdk.sli.jdbc.connection.timeout=50
 org.onap.ccsdk.sli.jdbc.request.timeout=100

diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dhcpalert.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dhcpalert.properties
index 422696a..96f4079 100644 (file)
--- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dhcpalert.properties
+++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dhcpalert.properties
@@ -30,6 +30,6 @@ AFT_DME2_ROUNDTRIP_TIMEOUT_MS=240000
 AFT_DME2_EP_READ_TIMEOUT_MS=50000
 sessionstickinessrequired=NO
 DME2preferredRouterFilePath=/opt/onap/sdnc/data/properties/dmaap-listener.preferredRoute.txt
-sdnc.odl.user=admin
-sdnc.odl.password={{.Values.config.odlPassword}}
+sdnc.odl.user=${ODL_USER}
+sdnc.odl.password=${ODL_PASSWORD}
 sdnc.odl.url-base=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations

diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/lcm.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/lcm.properties
index f38f701..0b52b3f 100644 (file)
--- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/lcm.properties
+++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/lcm.properties
@@ -30,6 +30,6 @@ AFT_DME2_ROUNDTRIP_TIMEOUT_MS=240000
 AFT_DME2_EP_READ_TIMEOUT_MS=50000
 sessionstickinessrequired=NO
 DME2preferredRouterFilePath=/opt/onap/sdnc/data/properties/dmaap-listener.preferredRoute.txt
-sdnc.odl.user=admin
-sdnc.odl.password={{.Values.config.odlPassword}}
+sdnc.odl.user=${ODL_USER}
+sdnc.odl.password=${ODL_PASSWORD}
 sdnc.odl.url-base=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations
\ No newline at end of file

diff --git a/kubernetes/sdnc/charts/dmaap-listener/templates/deployment.yaml b/kubernetes/sdnc/charts/dmaap-listener/templates/deployment.yaml
index 7d8178b..7ef5ca4 100644 (file)
--- a/kubernetes/sdnc/charts/dmaap-listener/templates/deployment.yaml
+++ b/kubernetes/sdnc/charts/dmaap-listener/templates/deployment.yaml
@@ -31,11 +31,34 @@ spec:
         release: {{ include "common.release" . }}
     spec:
       initContainers:
+      - command:
+        - sh
+        args:
+        - -c
+        - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+        env:
+        - name: SDNC_DB_USER
+          {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
+        - name: SDNC_DB_PASSWORD
+          {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+        - name: ODL_USER
+          {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "login") | indent 10 }}
+        - name: ODL_PASSWORD
+          {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }}
+        volumeMounts:
+        - mountPath: /config-input
+          name: config-input
+        - mountPath: /config
+          name: properties
+        image: "{{ .Values.global.envsubstImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-update-config
+
       - command:
         - /root/ready.py
         args:
         - --container-name
-        - {{ .Values.config.mariadbGalera.chartName }}
+        - {{ include "common.mariadbService" . }}
         - --container-name
         - {{ .Values.config.sdncChartName }}
         - --container-name
@@ -91,9 +114,12 @@ spec:
         - name: localtime
           hostPath:
             path: /etc/localtime
-        - name: properties
+        - name: config-input
           configMap:
             name: {{ include "common.fullname" . }}
             defaultMode: 0644
+        - name: properties
+          emptyDir:
+            medium: Memory
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"

diff --git a/kubernetes/sdnc/charts/dmaap-listener/values.yaml b/kubernetes/sdnc/charts/dmaap-listener/values.yaml
index 4965d96..d90da63 100644 (file)
--- a/kubernetes/sdnc/charts/dmaap-listener/values.yaml
+++ b/kubernetes/sdnc/charts/dmaap-listener/values.yaml
@@ -21,6 +21,35 @@ global:
   readinessImage: readiness-check:2.0.2
   loggingRepository: docker.elastic.co
   loggingImage: beats/filebeat:5.5.0
+  # envsusbt
+  envsubstImage: dibi/envsubst
+  mariadbGalera:
+    #This flag allows SO to instantiate its own mariadb-galera cluster
+    #If shared instance is used, this chart assumes that DB already exists
+    localCluster: false
+    service: mariadb-galera
+    internalPort: 3306
+    nameOverride: mariadb-galera
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+  - uid: db-secret
+    name: &dbSecretName '{{ include "common.release" . }}-sdnc-dmaap-listener-db-secret'
+    type: basicAuth
+    # This is a nasty trick that allows you override this secret using external one
+    # with the same field that is used to pass this to subchart
+    externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) (hasSuffix "sdnc-dmaap-listener-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}'
+    login: '{{ index .Values "mariadb-galera" "config" "userName" }}'
+    password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}'
+    passwordPolicy: required
+  - uid: odl-creds
+    type: basicAuth
+    externalSecret: '{{ .Values.config.odlCredsExternalSecret }}'
+    login: '{{ .Values.config.odlUser }}'
+    password: '{{ .Values.config.odlPassword }}'
+    passwordPolicy: required
 
 #################################################################
 # Application configuration defaults.
@@ -40,11 +69,25 @@ config:
   sdncPort: 8282
   msgRouterContainerName: message-router
   configDir: /opt/onap/sdnc/data/properties
+  odlUser: admin
   odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
-  mariadbGalera:
-    chartName: mariadb-galera
-    serviceName: mariadb-galera
+  # odlCredsExternalSecret: some secret
+
+mariadb-galera:
+  config:
+    userCredentialsExternalSecret: *dbSecretName
+    userName: sdnctl
+    userPassword: gamma
+    mysqlDatabase: sdnctl
+  nameOverride: dmaap-listener-galera
+  service:
+    name: dmaap-listener-galera
+    portName: dmaap-listener-galera
     internalPort: 3306
+  replicaCount: 1
+  persistence:
+    enabled: true
+    mountSubPath: dmaap-listener/maria/data
 
 # default number of instances
 replicaCount: 1