Verified Commit d3f7afce authored by João Capucho's avatar João Capucho

chore: Use secrets for authentication data

Stores authentication data (MySQL & Artemis) in secrets instead of
directly templating it on the manifests.

The MySQL deployment was also refactored to properly create all needed
databases and update user passwords without templating the passwords in
a SQL file that was then stored in a configmap. Deployments were also
updated to use the correct MySQL user instead of the root user.
parent 212bb2e4
+0 −11
# create databases
CREATE DATABASE IF NOT EXISTS `{{ .Values.oscreds.mysql.openslicedb | default "osdb" }}`;
CREATE DATABASE IF NOT EXISTS `{{ .Values.oscreds.mysql.keycloak.database | default "keycloak" }}`;

# create portal user and grant rights
CREATE USER '{{ .Values.oscreds.mysql.portal.username | default "portaluser" }}'@'localhost' IDENTIFIED BY '{{ .Values.oscreds.mysql.portal.password | default "12345" }}';
GRANT ALL PRIVILEGES ON *.* TO '{{ .Values.oscreds.mysql.portal.username | default "portaluser" }}'@'%' IDENTIFIED BY '{{ .Values.oscreds.mysql.portal.password | default "12345" }}';

# create keycloak user and grant rights
CREATE USER '{{ .Values.oscreds.mysql.keycloak.username | default "keycloak" }}'@'localhost' IDENTIFIED BY '{{ .Values.oscreds.mysql.keycloak.password | default "password" }}';
GRANT ALL PRIVILEGES ON *.* TO '{{ .Values.oscreds.mysql.keycloak.username | default "keycloak" }}'@'%' IDENTIFIED BY '{{ .Values.oscreds.mysql.keycloak.password | default "password" }}';
+53 −0
#!/usr/bin/env sh
set -eu

run_mysql() {
    mysql -u root -p"$MYSQL_ROOT_PASSWORD" "$@"
}

echo "Waiting for database to be ready"

until run_mysql -e 'SELECT 1'; do
    sleep 1
done

echo "Creating databases and users"

create_user() {
    if ! run_mysql --execute "CREATE USER '$1'@'%' IDENTIFIED BY '$2';" 2>/dev/null; then
        run_mysql --execute "ALTER USER '$1'@'%' IDENTIFIED BY '$2';"
    fi
}

PORTAL_USER="$(< /var/run/secrets/portal/username)"
PORTAL_DATABASE="$(< /var/run/secrets/portal/database)"

KEYCLOAK_USER="$(< /var/run/secrets/keycloak/username)"
KEYCLOAK_DATABASE="$(< /var/run/secrets/keycloak/database)"

METRICO_USER="$(< /var/run/secrets/metrico/username)"
METRICO_DATABASE="$(< /var/run/secrets/metrico/database)"

run_mysql --execute \
"
# create databases
CREATE DATABASE IF NOT EXISTS $PORTAL_DATABASE;
CREATE DATABASE IF NOT EXISTS $KEYCLOAK_DATABASE;
CREATE DATABASE IF NOT EXISTS $METRICO_DATABASE;
"

create_user "$PORTAL_USER" "$(< /var/run/secrets/portal/password)"
create_user "$KEYCLOAK_USER" "$(< /var/run/secrets/keycloak/password)"
create_user "$METRICO_USER" "$(< /var/run/secrets/metrico/password)"

run_mysql --execute \
"
# Grant portal user rights to the portal database
GRANT ALL PRIVILEGES ON $PORTAL_DATABASE.* TO '$PORTAL_USER'@'%';
# Grant keycloak user rights to the portal database
GRANT ALL PRIVILEGES ON $KEYCLOAK_DATABASE.* TO '$KEYCLOAK_USER'@'%';
# Grant metrico user rights to the portal database
GRANT ALL PRIVILEGES ON $METRICO_DATABASE.* TO '$METRICO_USER'@'%';
"

echo "Finished creating databases and users"
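Review bot: The assignments from `PORTAL_USER="$(< /var/run/secrets/portal/username)"` down to the three `create_user` calls rely on `$(< file)`, which is a bash extension; under the `#!/usr/bin/env sh` shebang with dash or busybox ash that substitution expands to an empty string, so every name and password would be blank and the script would abort at the first `CREATE DATABASE` unless `sh` in the image happens to be bash. Replace each read with `$(cat /var/run/secrets/portal/username)` or a small helper as sketched below. `run_mysql` also passes the root password on the command line via `-p"$MYSQL_ROOT_PASSWORD"`, which is visible in the process list until the client masks its argv; handing it over through `MYSQL_PWD` for that call avoids argv entirely. In `create_user`, `2>/dev/null` hides every failure of the `CREATE USER`, not only the user-already-exists case, so an unrelated error is silently retried as `ALTER USER`; on MySQL 5.7.6 or later `CREATE USER IF NOT EXISTS` followed by `ALTER USER` states the intent without discarding stderr. The comments above the second and third `GRANT` lines still say "portal database" although they apply to keycloak and metrico.
```sh
#!/usr/bin/env sh
set -eu

# POSIX sh has no "$(< file)"; read each mounted secret file with cat.
read_secret() {
    cat "/var/run/secrets/$1/$2"
}

# Hand the root password to the client through MYSQL_PWD instead of argv.
run_mysql() {
    MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysql -u root "$@"
}

# … unchanged: readiness loop …

create_user() {
    run_mysql --execute "CREATE USER IF NOT EXISTS '$1'@'%' IDENTIFIED BY '$2';"
    run_mysql --execute "ALTER USER '$1'@'%' IDENTIFIED BY '$2';"
}

PORTAL_USER="$(read_secret portal username)"
PORTAL_DATABASE="$(read_secret portal database)"
# … unchanged: keycloak and metrico variables, CREATE DATABASE and GRANT statements; the password arguments use read_secret as well …
```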
+13 −0
apiVersion: v1
kind: Secret
metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ include "openslice.fullname" . }}
    org.etsi.osl.service: mysql
    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
    {{- include "openslice.labels" . | nindent 4 }}
  name: {{ include "openslice.fullname" . }}-artemis-secret
data:
  username: {{ .Values.oscreds.activemq.user | b64enc }}
  password: {{ .Values.oscreds.activemq.password | b64enc }}
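Review bot: The `username:` and `password:` entries pipe `.Values.oscreds.activemq.user` and `.password` straight into `b64enc`, so an unset value renders as an empty key instead of failing the release, and the Artemis deployment that reads this secret would start with blank credentials. Nothing on this page shows a default or validation for these two values, so guard them at the template: `username: {{ required "oscreds.activemq.user is required" .Values.oscreds.activemq.user | b64enc }}` and likewise `password: {{ required "oscreds.activemq.password is required" .Values.oscreds.activemq.password | b64enc }}`. An explicit `type: Opaque` under `kind: Secret` would also document the intended secret type, although that is the default.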
+11 −0
@@ -28,6 +28,17 @@ spec:
        - image: "{{ .Values.image.artemis.repository }}:{{ .Values.image.artemis.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.artemis.pullPolicy | default "Always" }}
          name: {{ include "openslice.fullname" . }}-artemis
          env:
            - name: ARTEMIS_USER
              valueFrom:
                secretKeyRef:
                  name: {{ include "openslice.fullname" . }}-artemis-secret
                  key: username
            - name: ARTEMIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "openslice.fullname" . }}-artemis-secret
                  key: password
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          ports:
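Review bot: The new `env:` block injects `ARTEMIS_USER` and `ARTEMIS_PASSWORD` as environment variables, while the portal deployment in the same commit consumes the identical secret as files mounted under `/etc/config/`; the two deployments therefore expose the same credential differently. Environment variables are inherited by every child process and are readable from the process's environment by anything else in the container, whereas a file mount is scoped to the path, so if the Artemis image also accepts credentials from a file the mounted form used in the portal deployment would be the more consistent choice. If the image only honours these two variables, a short comment above `env:` saying so would save the next reader from asking why the two deployments differ. The container spec continues outside the hunk.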
+16 −4
@@ -32,9 +32,8 @@ spec:
            - name: SPRING_APPLICATION_JSON
              value: >-
                {
                  "spring.config.import": "configtree:/etc/config/",
                  "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false", 
                  "spring.activemq.user": "{{ .Values.oscreds.activemq.user }}", 
                  "spring.activemq.password": "{{ .Values.oscreds.activemq.password }}", 
                  "bugzillaurl":"{{ .Values.bugzillaurl }}",
                  "bugzillakey":"{{ .Values.bugzillakey }}", 
                  "main_operations_product":"{{ .Values.main_operations_product }}" 
@@ -43,7 +42,20 @@ spec:
            {{- toYaml .Values.resources | nindent 12 }}
          ports:
            - containerPort: 13010
          volumeMounts:
            - mountPath: "/etc/config/spring.activemq.user"
              name: artemis-secrets
              subPath: username
              readOnly: true
            - mountPath: "/etc/config/spring.activemq.password"
              name: artemis-secrets
              subPath: password
              readOnly: true
      restartPolicy: Always
      volumes:
        - name: artemis-secrets
          secret:
            secretName: {{ include "openslice.fullname" . }}-artemis-secret
---
apiVersion: v1
kind: Service