From 2849ae544fdaa67cd782b2f79d0de7fd9b82c193 Mon Sep 17 00:00:00 2001 From: krishnaa96 Date: Tue, 28 Jul 2020 19:22:50 +0530 Subject: [PATCH] [OOF] use non-root user to access cmso database Move mariadb galera config from global to root Add service name to mariadb-init config Fix mariadb-init secret to use Additional databases Create separate users for cmso service and optimizer Issue-ID: OPTFRA-800 Signed-off-by: krishnaa96 Change-Id: I5b91d297d35125ca242f40fe1a6328da0f4daa62 --- .../oof-cmso-optimizer/templates/deployment.yaml | 23 +++++++-- .../oof-cmso/charts/oof-cmso-optimizer/values.yaml | 7 +-- .../oof-cmso-service/templates/deployment.yaml | 19 +++++++- .../oof-cmso/charts/oof-cmso-service/values.yaml | 7 +-- kubernetes/oof/charts/oof-cmso/requirements.yaml | 4 ++ kubernetes/oof/charts/oof-cmso/values.yaml | 57 +++++++++++++++------- 6 files changed, 82 insertions(+), 35 deletions(-) diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml index 15ce71b716..2f12eec5c0 100644 --- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml +++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 AT&T +# Copyright (C) 2020 Wipro Limited. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -48,6 +49,20 @@ spec: image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + - name: {{ include "common.name" . }}-db-config-readiness + command: + - /app/ready.py + args: + - -j + - "{{ include "common.release" . }}-cmso-db-config-config-job" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-chown command: ["/bin/sh", "-c", "chown -Rf 1000:1000 /share/"] image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}" @@ -64,11 +79,11 @@ spec: - name: DB_PORT value: {{ .Values.config.db.port | quote}} - name: DB_USERNAME - value: {{ .Values.config.db.root }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cmso-db-user-secret" "key" "login") | indent 10}} - name: DB_SCHEMA value: {{ .Values.config.db.mysqlDatabase }} - name: DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cmso-db-root-password" "key" "password") | indent 10}} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cmso-db-user-secret" "key" "password") | indent 10}} terminationMessagePolicy: File volumeMounts: - name: {{ include "common.fullname" . }}-config @@ -85,11 +100,11 @@ spec: - name: DB_PORT value: {{ .Values.config.db.port | quote}} - name: DB_USERNAME - value: {{ .Values.config.db.root }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cmso-db-user-secret" "key" "login") | indent 10}} - name: DB_SCHEMA value: {{ .Values.config.db.mysqlDatabase }} - name: DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cmso-db-root-password" "key" "password") | indent 10}} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cmso-db-user-secret" "key" "password") | indent 10}} - name: JAVA_TRUSTSTORE value: /share/etc/certs/{{ .Values.global.truststoreFile }} - name: SSL_KEYSTORE diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/values.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/values.yaml index 5de87f5be1..e511728261 100644 --- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/values.yaml +++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2019 AT&T +# Copyright (C) 2020 Wipro Limited. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -39,11 +40,6 @@ debugEnabled: false # Secrets metaconfig ################################################################# secrets: - - uid: cmso-db-root-password - type: password - password: '{{ .Values.config.db.rootPassword }}' - externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' - policy: required - uid: cmso-db-user-secret type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' @@ -88,7 +84,6 @@ service: config: db: port: 3306 - root: root # rootPassword: pass # rootPasswordExternalSecret: some secret # user: cmso-admin diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml index ff37e8f218..cb7a76f546 100644 --- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml +++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml @@ -1,4 +1,5 @@ # Copyright (c) 2018 AT&T +# Copyright (C) 2020 Wipro Limited. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -48,6 +49,20 @@ spec: image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + - name: {{ include "common.name" . }}-db-config-readiness + command: + - /app/ready.py + args: + - -j + - "{{ include "common.release" . }}-cmso-db-config-config-job" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-chown command: ["/bin/sh", "-c", "chown -Rf 1000:1000 /share/"] image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}" @@ -64,11 +79,11 @@ spec: - name: DB_PORT value: {{ .Values.config.db.port | quote}} - name: DB_USERNAME - value: {{ .Values.config.db.root }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cmso-db-user-secret" "key" "login") | indent 10}} - name: DB_SCHEMA value: {{ .Values.config.db.mysqlDatabase }} - name: DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cmso-db-root-password" "key" "password") | indent 10}} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cmso-db-user-secret" "key" "password") | indent 10}} terminationMessagePolicy: File volumeMounts: - name: {{ include "common.fullname" . }}-config diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/values.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/values.yaml index f8326272c6..d086411704 100644 --- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/values.yaml +++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2018-2019 AT&T +# Copyright (C) 2020 Wipro Limited. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -39,11 +40,6 @@ debugEnabled: false # Secrets metaconfig ################################################################# secrets: - - uid: cmso-db-root-password - type: password - password: '{{ .Values.config.db.rootPassword }}' - externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' - policy: required - uid: cmso-db-user-secret type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' @@ -88,7 +84,6 @@ service: config: db: port: 3306 - root: root # rootPassword: pass # rootPasswordExternalSecret: some secret # user: cmso-admin diff --git a/kubernetes/oof/charts/oof-cmso/requirements.yaml b/kubernetes/oof/charts/oof-cmso/requirements.yaml index d95b2e76ae..e631333861 100644 --- a/kubernetes/oof/charts/oof-cmso/requirements.yaml +++ b/kubernetes/oof/charts/oof-cmso/requirements.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 AT&T +# Copyright (C) 2020 Wipro Limited. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,3 +23,6 @@ dependencies: - name: mariadb-galera version: ~6.x-0 repository: '@local' + - name: mariadb-init + version: ~6.x-0 + repository: '@local' diff --git a/kubernetes/oof/charts/oof-cmso/values.yaml b/kubernetes/oof/charts/oof-cmso/values.yaml index b1c3561538..d712965d59 100644 --- a/kubernetes/oof/charts/oof-cmso/values.yaml +++ b/kubernetes/oof/charts/oof-cmso/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 AT&T +# Copyright (C) 2020 Wipro Limited. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,24 +18,31 @@ ################################################################# secrets: - uid: cmso-db-root-password - name: '{{ include "common.release" . }}-cmso-db-root-password' + name: &rootPassword '{{ include "common.release" . }}-cmso-db-root-password' type: password password: '' policy: generate + - uid: cmso-service-db-secret + name: &serviceDbCreds '{{ include "common.release" . }}-cmso-service-db-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.service.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.service.userName }}' + password: '{{ .Values.config.db.service.userPassword }}' + passwordPolicy: generate - uid: cmso-db-secret - name: '{{ include "common.release" . }}-cmso-db-secret' + name: &optimizerDbCreds '{{ include "common.release" . }}-cmso-optimizer-db-secret' type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' + externalSecret: '{{ tpl (default "" .Values.config.db.optimizer.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.optimizer.userName }}' + password: '{{ .Values.config.db.optimizer.userPassword }}' passwordPolicy: generate mariadb-galera: replicaCount: 1 - nameOverride: cmso-db + nameOverride: &containerName cmso-db service: type: ClusterIP - name: oof-cmso-dbhost + name: &serviceName oof-cmso-dbhost portName: cmso-dbhost nfsprovisionerPrefix: cmso sdnctlPrefix: cmso @@ -43,9 +51,9 @@ mariadb-galera: enabled: true disableNfsProvisioner: true config: - mariadbRootPasswordExternalSecret: '{{ include "common.release" . }}-cmso-db-root-password' - userCredentialsExternalSecret: '{{ include "common.release" . }}-cmso-db-secret' - mysqlDatabase: cmso + mariadbRootPasswordExternalSecret: *rootPassword + # userCredentialsExternalSecret: *dbCreds + # mysqlDatabase: cmso externalConfig: | [mysqld] lower_case_table_names = 1 @@ -62,6 +70,20 @@ global: busyBoxImage: busybox:1.30 busyBoxRepository: docker.io +mariadb-init: + mariadbGalera: + containerName: *containerName + serviceName: *serviceName + servicePort: 3306 + userRootSecret: *rootPassword + config: + userCredentialsExternalSecret: *serviceDbCreds + mysqlDatabase: cmso + mysqlAdditionalDatabases: + optimizer: + externalSecret: *optimizerDbCreds + nameOverride: cmso-db-config + flavor: small config: @@ -69,15 +91,17 @@ config: logstashServiceName: log-ls logstashPort: 5044 db: - # userCredentialsExternalsecret: some secret - userName: cmso-admin - # userPassword: password + service: + # userCredentialsExternalsecret: some secret + userName: cmso-admin + # userPassword: password + optimizer: + userName: cmso-optimizer oof-cmso-service: config: db: - userCredentialsExternalSecret: '{{ include "common.release" . }}-cmso-db-secret' - rootPasswordExternalSecret: '{{ include "common.release" . }}-cmso-db-root-password' + userCredentialsExternalSecret: *serviceDbCreds host: oof-cmso-dbhost container: cmso-db mysqlDatabase: cmso @@ -85,8 +109,7 @@ oof-cmso-service: oof-cmso-optimizer: config: db: - userCredentialsExternalSecret: '{{ include "common.release" . }}-cmso-db-secret' - rootPasswordExternalSecret: '{{ include "common.release" . }}-cmso-db-root-password' + userCredentialsExternalSecret: *optimizerDbCreds host: oof-cmso-dbhost container: cmso-db mysqlDatabase: optimizer -- 2.16.6