From d3f7afce8dbe4094dc96c201bf2df9ea27af1649 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jo=C3=A3o=20Capucho?= Date: Mon, 28 Jul 2025 21:43:30 +0100 Subject: [PATCH] chore: Use secrets for authentication data Stores authentication data (MySQL & Artemis) in secrets instead of directly templating it on the manifests. The MySQL deployment was also refactored to properly create all needed databases and update user passwords without templating the passwords in a SQL file that was then stored in a configmap. Deployments were also updated to use the correct MySQL user instead of the root user. --- .../files/mysql-init/01-databases.sql | 11 ---- .../openslice/files/mysql-init/entrypoint.sh | 53 ++++++++++++++++++ .../openslice/templates/artemis-secret.yaml | 13 +++++ .../helm/openslice/templates/artemis.yaml | 11 ++++ .../helm/openslice/templates/bugzilla.yaml | 20 +++++-- .../helm/openslice/templates/centrallog.yaml | 18 +++++- .../helm/openslice/templates/cridge.yaml | 13 ++++- .../openslice/templates/keycloak-secret.yaml | 12 ++++ .../helm/openslice/templates/keycloak.yaml | 20 +++++-- .../helm/openslice/templates/manoclient.yaml | 16 +++++- .../helm/openslice/templates/mcp-server.yaml | 31 ++++++++-- .../helm/openslice/templates/metrico.yaml | 33 +++++++++-- .../openslice/templates/mysql-config.yaml | 6 +- .../templates/mysql-keycloak-secret.yaml | 14 +++++ .../templates/mysql-metrico-secret.yaml | 14 +++++ .../templates/mysql-portal-secret.yaml | 14 +++++ .../openslice/templates/mysql-secret.yaml | 12 ++++ .../helm/openslice/templates/mysql.yaml | 56 +++++++++++++++---- .../helm/openslice/templates/oasapi.yaml | 37 +++++++++--- kubernetes/helm/openslice/templates/osom.yaml | 18 +++++- .../helm/openslice/templates/osportalapi.yaml | 29 ++++++++-- .../helm/openslice/templates/osscapi.yaml | 29 ++++++++-- kubernetes/helm/openslice/values.yaml | 6 +- 23 files changed, 412 insertions(+), 74 deletions(-) delete mode 100644 kubernetes/helm/openslice/files/mysql-init/01-databases.sql create mode 100644 
kubernetes/helm/openslice/files/mysql-init/entrypoint.sh
create mode 100644 kubernetes/helm/openslice/templates/artemis-secret.yaml
create mode 100644 kubernetes/helm/openslice/templates/keycloak-secret.yaml
create mode 100644 kubernetes/helm/openslice/templates/mysql-keycloak-secret.yaml
create mode 100644 kubernetes/helm/openslice/templates/mysql-metrico-secret.yaml
create mode 100644 kubernetes/helm/openslice/templates/mysql-portal-secret.yaml
create mode 100644 kubernetes/helm/openslice/templates/mysql-secret.yaml
diff --git a/kubernetes/helm/openslice/files/mysql-init/01-databases.sql b/kubernetes/helm/openslice/files/mysql-init/01-databases.sql
deleted file mode 100644
index aa16eec..0000000
--- a/kubernetes/helm/openslice/files/mysql-init/01-databases.sql
+++ /dev/null
@@ -1,11 +0,0 @@
-# create databases
-CREATE DATABASE IF NOT EXISTS `{{ .Values.oscreds.mysql.openslicedb | default "osdb" }}`;
-CREATE DATABASE IF NOT EXISTS `{{ .Values.oscreds.mysql.keycloak.database | default "keycloak" }}`;
-
-# create portal user and grant rights
-CREATE USER '{{ .Values.oscreds.mysql.portal.username | default "portaluser" }}'@'localhost' IDENTIFIED BY '{{ .Values.oscreds.mysql.portal.password | default "12345" }}';
-GRANT ALL PRIVILEGES ON *.* TO '{{ .Values.oscreds.mysql.portal.username | default "portaluser" }}'@'%' IDENTIFIED BY '{{ .Values.oscreds.mysql.portal.password | default "12345" }}';
-
-# create keycloak user and grant rights
-CREATE USER '{{ .Values.oscreds.mysql.keycloak.username | default "keycloak" }}'@'localhost' IDENTIFIED BY '{{ .Values.oscreds.mysql.keycloak.password | default "password" }}';
-GRANT ALL PRIVILEGES ON *.* TO '{{ .Values.oscreds.mysql.keycloak.username | default "keycloak" }}'@'%' IDENTIFIED BY '{{ .Values.oscreds.mysql.keycloak.password | default "password" }}';
diff --git a/kubernetes/helm/openslice/files/mysql-init/entrypoint.sh b/kubernetes/helm/openslice/files/mysql-init/entrypoint.sh
new file mode 100644
index 0000000..fe7dc19
--- /dev/null
+++ b/kubernetes/helm/openslice/files/mysql-init/entrypoint.sh
@@ -0,0 +1,53 @@
+#!/usr/bin/env sh
+set -eu
+
+run_mysql() {
+ mysql -u root -p"$MYSQL_ROOT_PASSWORD" "$@"
+}
+
+echo "Waiting for database to be ready"
+
+until run_mysql -e 'SELECT 1'; do
+ sleep 1
+done
+
+echo "Creating databases and users"
+
+create_user() {
+ if ! run_mysql --execute "CREATE USER '$1'@'%' IDENTIFIED BY '$2';" 2>/dev/null; then
+ run_mysql --execute "ALTER USER '$1'@'%' IDENTIFIED BY '$2';"
+ fi
+}
+
+PORTAL_USER="$(< /var/run/secrets/portal/username)"
+PORTAL_DATABASE="$(< /var/run/secrets/portal/database)"
+
+KEYCLOAK_USER="$(< /var/run/secrets/keycloak/username)"
+KEYCLOAK_DATABASE="$(< /var/run/secrets/keycloak/database)"
+
+METRICO_USER="$(< /var/run/secrets/metrico/username)"
+METRICO_DATABASE="$(< /var/run/secrets/metrico/database)"
+
+run_mysql --execute \
+"
+# create databases
+CREATE DATABASE IF NOT EXISTS $PORTAL_DATABASE;
+CREATE DATABASE IF NOT EXISTS $KEYCLOAK_DATABASE;
+CREATE DATABASE IF NOT EXISTS $METRICO_DATABASE;
+"
+
+create_user "$PORTAL_USER" "$(< /var/run/secrets/portal/password)"
+create_user "$KEYCLOAK_USER" "$(< /var/run/secrets/keycloak/password)"
+create_user "$METRICO_USER" "$(< /var/run/secrets/metrico/password)"
+
+run_mysql --execute \
+"
+# Grant portal user rights to the portal database
+GRANT ALL PRIVILEGES ON $PORTAL_DATABASE.* TO '$PORTAL_USER'@'%';
+# Grant keycloak user rights to the portal database
+GRANT ALL PRIVILEGES ON $KEYCLOAK_DATABASE.* TO '$KEYCLOAK_USER'@'%';
+# Grant metrico user rights to the portal database
+GRANT ALL PRIVILEGES ON $METRICO_DATABASE.* TO '$METRICO_USER'@'%';
+"
+
+echo "Finished creating databases and users"
diff --git a/kubernetes/helm/openslice/templates/artemis-secret.yaml b/kubernetes/helm/openslice/templates/artemis-secret.yaml
new file mode 100644
index 0000000..21c97d0
--- /dev/null
+++ b/kubernetes/helm/openslice/templates/artemis-secret.yaml
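Review bot: The secret reads such as `PORTAL_USER="$(< /var/run/secrets/portal/username)"` rely on a bash-only redirection form; under the `#!/usr/bin/env sh` shebang, if `sh` resolves to dash (as on Debian-based images), `$(< file)` expands to an empty string and every CREATE/GRANT statement runs with empty names and passwords, so use `$(cat /var/run/secrets/portal/username)` or a small helper for all nine reads. `run_mysql` also passes the root password as `-p"$MYSQL_ROOT_PASSWORD"`, which exposes it in the process argument list inside the container for the duration of each query; exporting `MYSQL_PWD` once keeps it out of argv. The values are interpolated into SQL without quoting, so a database name that collides with a reserved word, or a password containing a single quote, breaks the statement — backtick-quote the identifiers and note the constraint on password characters in a comment. Finally, the comments on the keycloak and metrico GRANT lines both say "the portal database" and should name their own database.
```shell
#!/usr/bin/env sh
set -eu

# Keep the root password out of the process argument list (the client reads MYSQL_PWD).
MYSQL_PWD="$MYSQL_ROOT_PASSWORD"
export MYSQL_PWD

run_mysql() {
    mysql -u root "$@"
}

# $(< file) is a bash extension and yields "" under dash; read with cat instead.
read_secret() {
    cat "/var/run/secrets/$1"
}

# … unchanged: wait loop, create_user …

PORTAL_USER="$(read_secret portal/username)"
PORTAL_DATABASE="$(read_secret portal/database)"
# … unchanged: keycloak and metrico reads, via the same helper …

run_mysql --execute \
"
CREATE DATABASE IF NOT EXISTS \`$PORTAL_DATABASE\`;
CREATE DATABASE IF NOT EXISTS \`$KEYCLOAK_DATABASE\`;
CREATE DATABASE IF NOT EXISTS \`$METRICO_DATABASE\`;
"
# … unchanged: create_user calls and GRANT statements (identifiers backtick-quoted the same way) …
```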
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + namespace: {{ .Release.Namespace }} + labels: + app: {{ include "openslice.fullname" . }} + org.etsi.osl.service: mysql + chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + {{- include "openslice.labels" . | nindent 4 }} + name: {{ include "openslice.fullname" . }}-artemis-secret +data: + username: {{ .Values.oscreds.activemq.user | b64enc }} + password: {{ .Values.oscreds.activemq.password | b64enc }} diff --git a/kubernetes/helm/openslice/templates/artemis.yaml b/kubernetes/helm/openslice/templates/artemis.yaml index 87c75ea..2f4cc1f 100644 --- a/kubernetes/helm/openslice/templates/artemis.yaml +++ b/kubernetes/helm/openslice/templates/artemis.yaml @@ -28,6 +28,17 @@ spec: - image: "{{ .Values.image.artemis.repository }}:{{ .Values.image.artemis.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.artemis.pullPolicy | default "Always" }} name: {{ include "openslice.fullname" . }}-artemis + env: + - name: ARTEMIS_USER + valueFrom: + secretKeyRef: + name: {{ include "openslice.fullname" . }}-artemis-secret + key: username + - name: ARTEMIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "openslice.fullname" . }}-artemis-secret + key: password resources: {{- toYaml .Values.resources | nindent 12 }} ports: diff --git a/kubernetes/helm/openslice/templates/bugzilla.yaml b/kubernetes/helm/openslice/templates/bugzilla.yaml index d759a25..1e63a6d 100644 --- a/kubernetes/helm/openslice/templates/bugzilla.yaml +++ b/kubernetes/helm/openslice/templates/bugzilla.yaml 
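Review bot: `username: {{ .Values.oscreds.activemq.user | b64enc }}` and the password line have no fallback, unlike the `| default` in the mysql-*-secret templates; if either value is missing the render either fails on a nil piped into `b64enc` or, for an empty string, silently produces an empty key — I have not checked which for this Helm version. Since the broker credential should never be empty, `password: {{ required "oscreds.activemq.password is required" .Values.oscreds.activemq.password | b64enc }}` makes the failure explicit at install time. The label `org.etsi.osl.service: mysql` on this Secret (and on keycloak-secret.yaml) looks copied from the MySQL templates and should name artemis/keycloak. The new Secrets are named `-artemis-secret` and `-keycloak-secret` but `-mysql-*-secrets`; one suffix would make them easier to grep.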
@@ -31,11 +31,10 @@ spec: env: - name: SPRING_APPLICATION_JSON value: >- - { + { + "spring.config.import": "configtree:/etc/config/", "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false", - "spring.activemq.user": "{{ .Values.oscreds.activemq.user }}", - "spring.activemq.password": "{{ .Values.oscreds.activemq.password }}", - "bugzillaurl":"{{ .Values.bugzillaurl }}", + "bugzillaurl":"{{ .Values.bugzillaurl }}", "bugzillakey":"{{ .Values.bugzillakey }}", "main_operations_product":"{{ .Values.main_operations_product }}" } @@ -43,7 +42,20 @@ spec: {{- toYaml .Values.resources | nindent 12 }} ports: - containerPort: 13010 + volumeMounts: + - mountPath: "/etc/config/spring.activemq.user" + name: artemis-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.activemq.password" + name: artemis-secrets + subPath: password + readOnly: true restartPolicy: Always + volumes: + - name: artemis-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-artemis-secret --- apiVersion: v1 kind: Service diff --git a/kubernetes/helm/openslice/templates/centrallog.yaml b/kubernetes/helm/openslice/templates/centrallog.yaml index b8143fc..e3c4b0e 100644 --- a/kubernetes/helm/openslice/templates/centrallog.yaml +++ b/kubernetes/helm/openslice/templates/centrallog.yaml 
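Review bot: `"bugzillakey":"{{ .Values.bugzillakey }}"` stays inline in `SPRING_APPLICATION_JSON` after this change, so the Bugzilla API key is still rendered into the Deployment and readable by anyone who can fetch the pod spec, which is exactly the exposure the commit removes for the broker credentials; the same `subPath` mount from a Secret to `/etc/config/bugzillakey` would cover it. The two artemis mounts plus the `artemis-secrets` volume are repeated verbatim in centrallog, cridge, manoclient, mcp-server, metrico, oasapi, osom, osportalapi and osscapi; a named template next to `openslice.fullname`, included with `nindent`, would keep the ten copies in step. A one-line comment above `volumeMounts:` would also help readers unfamiliar with the mechanism: `# Spring configtree: each mounted file name is a property, its content the value.`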
@@ -31,17 +31,29 @@ spec: env: - name: SPRING_APPLICATION_JSON value: >- - { + { + "spring.config.import": "configtree:/etc/config/", "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false", - "spring.activemq.user": "{{ .Values.oscreds.activemq.user }}", - "spring.activemq.password": "{{ .Values.oscreds.activemq.password }}", "centrallogurl": "{{ .Values.centrallogurl }}" } resources: {{- toYaml .Values.resources | nindent 12 }} ports: - containerPort: 13013 + volumeMounts: + - mountPath: "/etc/config/spring.activemq.user" + name: artemis-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.activemq.password" + name: artemis-secrets + subPath: password + readOnly: true restartPolicy: Always + volumes: + - name: artemis-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-artemis-secret --- apiVersion: v1 kind: Service diff --git a/kubernetes/helm/openslice/templates/cridge.yaml b/kubernetes/helm/openslice/templates/cridge.yaml index 1065639..45dc6f3 100644 --- a/kubernetes/helm/openslice/templates/cridge.yaml +++ b/kubernetes/helm/openslice/templates/cridge.yaml @@ -32,8 +32,6 @@ spec: value: >- { "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false", - "spring.activemq.user": "{{ .Values.oscreds.activemq.user }}", - "spring.activemq.password": "{{ .Values.oscreds.activemq.password }}", "logging.level.org.springframework" : "{{ .Values.cridge.spring.logLevel | default "INFO" }}", "logging.level.org.etsi.osl.cridge" : "{{ .Values.cridge.logLevel | default "INFO" }}" } 
@@ -43,9 +41,20 @@ spec: - name: kubeconfig readOnly: true mountPath: /root/.kube + - mountPath: "/etc/config/spring.activemq.user" + name: artemis-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.activemq.password" + name: artemis-secrets + subPath: password + readOnly: true restartPolicy: Always volumes: - name: kubeconfig secret: secretName: {{ include "openslice.fullname" . }}-kubeconfig + - name: artemis-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-artemis-secret {{- end }} diff --git a/kubernetes/helm/openslice/templates/keycloak-secret.yaml b/kubernetes/helm/openslice/templates/keycloak-secret.yaml new file mode 100644 index 0000000..1795c04 --- /dev/null +++ b/kubernetes/helm/openslice/templates/keycloak-secret.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + namespace: {{ .Release.Namespace }} + labels: + app: {{ include "openslice.fullname" . }} + org.etsi.osl.service: mysql + chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + {{- include "openslice.labels" . | nindent 4 }} + name: {{ include "openslice.fullname" . }}-keycloak-secret +data: + admin-password: {{ .Values.oscreds.mysql.keycloak.adminpassword | b64enc }} diff --git a/kubernetes/helm/openslice/templates/keycloak.yaml b/kubernetes/helm/openslice/templates/keycloak.yaml index fca2bdb..d0f469c 100644 --- a/kubernetes/helm/openslice/templates/keycloak.yaml +++ b/kubernetes/helm/openslice/templates/keycloak.yaml 
@@ -39,15 +39,27 @@ spec: - name: DB_ADDR value: {{ include "openslice.fullname" . }}-mysql - name: DB_DATABASE - value: {{ .Values.oscreds.mysql.keycloak.database }} + valueFrom: + secretKeyRef: + name: {{ include "openslice.fullname" . }}-mysql-keycloak-secrets + key: database - name: DB_PASSWORD - value: {{ .Values.oscreds.mysql.keycloak.password }} + valueFrom: + secretKeyRef: + name: {{ include "openslice.fullname" . }}-mysql-keycloak-secrets + key: password - name: DB_USER - value: {{ .Values.oscreds.mysql.keycloak.username }} + valueFrom: + secretKeyRef: + name: {{ include "openslice.fullname" . }}-mysql-keycloak-secrets + key: username - name: KEYCLOAK_USER value: admin - name: KEYCLOAK_PASSWORD - value: {{ .Values.oscreds.mysql.keycloak.adminpassword }} + valueFrom: + secretKeyRef: + name: {{ include "openslice.fullname" . }}-keycloak-secret + key: admin-password - name: JDBC_PARAMS value: useSSL=false - name: JAVA_OPTS diff --git a/kubernetes/helm/openslice/templates/manoclient.yaml b/kubernetes/helm/openslice/templates/manoclient.yaml index 064c0c1..46d75ae 100644 --- a/kubernetes/helm/openslice/templates/manoclient.yaml +++ b/kubernetes/helm/openslice/templates/manoclient.yaml 
@@ -32,16 +32,28 @@ spec: - name: SPRING_APPLICATION_JSON value: >- { + "spring.config.import": "configtree:/etc/config/", "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false", - "spring.activemq.user": "{{ .Values.oscreds.activemq.user }}", - "spring.activemq.password": "{{ .Values.oscreds.activemq.password }}", "logging.level.org.springframework" : "{{ .Values.manoclient.spring.logLevel | default "INFO" }}" } resources: {{- toYaml .Values.resources | nindent 12 }} ports: - containerPort: 13011 + volumeMounts: + - mountPath: "/etc/config/spring.activemq.user" + name: artemis-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.activemq.password" + name: artemis-secrets + subPath: password + readOnly: true restartPolicy: Always + volumes: + - name: artemis-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-artemis-secret --- apiVersion: v1 kind: Service diff --git a/kubernetes/helm/openslice/templates/mcp-server.yaml b/kubernetes/helm/openslice/templates/mcp-server.yaml index 942f9a9..b5bb331 100644 --- a/kubernetes/helm/openslice/templates/mcp-server.yaml +++ b/kubernetes/helm/openslice/templates/mcp-server.yaml @@ -31,9 +31,8 @@ spec: - name: SPRING_APPLICATION_JSON value: >- { - "spring.datasource.url": "jdbc:mysql://{{ include "openslice.fullname" . }}-mysql/osdb?createDatabaseIfNotExist=true", - "spring.datasource.username": "{{ .Values.oscreds.mysql.username }}", - "spring.datasource.password": "{{ .Values.oscreds.mysql.password }}", + "spring.config.import": "configtree:/etc/config/", + "spring.datasource.url": "jdbc:mysql://{{ include "openslice.fullname" . }}-mysql/{{ .Values.oscreds.mysql.portal.database }}", "spring-addons.issuers[0].uri": "{{ .Values.rooturl }}/auth/realms/openslice", "spring-addons.issuers[0].username-json-path":"$.preferred_username", "spring-addons.issuers[0].claims[0].jsonPath":"$.realm_access.roles", 
@@ -44,15 +43,37 @@ spec: "springdoc.oauth.client-id": "osapiWebClientId", "springdoc.oauth.clientsecret": "{{ .Values.mcpserver.springdoc.clientSecret }}", "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false", - "spring.activemq.user": "{{ .Values.oscreds.activemq.user }}", - "spring.activemq.password": "{{ .Values.oscreds.activemq.password }}", "logging.level.org.springframework": "{{ .Values.mcpserver.spring.logLevel | default "INFO" }}" } ports: - containerPort: 13015 resources: {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - mountPath: "/etc/config/spring.datasource.username" + name: mysql-portal-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.datasource.password" + name: mysql-portal-secrets + subPath: password + readOnly: true + - mountPath: "/etc/config/spring.activemq.user" + name: artemis-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.activemq.password" + name: artemis-secrets + subPath: password + readOnly: true restartPolicy: Always + volumes: + - name: artemis-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-artemis-secret + - name: mysql-portal-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-mysql-portal-secrets --- apiVersion: v1 kind: Service diff --git a/kubernetes/helm/openslice/templates/metrico.yaml b/kubernetes/helm/openslice/templates/metrico.yaml index 620ca0a..b5d1aa4 100644 --- a/kubernetes/helm/openslice/templates/metrico.yaml +++ b/kubernetes/helm/openslice/templates/metrico.yaml 
@@ -33,14 +33,35 @@ spec: - name: SPRING_APPLICATION_JSON value: >- { - "spring.datasource.url": "jdbc:mysql://{{ include "openslice.fullname" . }}-mysql/metricodb?createDatabaseIfNotExist=true", - "spring.datasource.username": "{{ .Values.oscreds.mysql.username }}", - "spring.datasource.password": "{{ .Values.oscreds.mysql.password }}", - "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false", - "spring.activemq.user": "{{ .Values.oscreds.activemq.user }}", - "spring.activemq.password": "{{ .Values.oscreds.activemq.password }}", + "spring.config.import": "configtree:/etc/config/", + "spring.datasource.url": "jdbc:mysql://{{ include "openslice.fullname" . }}-mysql/{{ .Values.oscreds.mysql.metrico.database }}", + "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false", "logging.level.org.springframework" : "{{ .Values.metrico.spring.logLevel | default "INFO" }}", "logging.level.org.etsi.osl.cridge" : "{{ .Values.metrico.logLevel | default "INFO" }}" } + volumeMounts: + - mountPath: "/etc/config/spring.datasource.username" + name: mysql-metrico-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.datasource.password" + name: mysql-metrico-secrets + subPath: password + readOnly: true + - mountPath: "/etc/config/spring.activemq.user" + name: artemis-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.activemq.password" + name: artemis-secrets + subPath: password + readOnly: true restartPolicy: Always + volumes: + - name: artemis-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-artemis-secret + - name: mysql-metrico-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-mysql-metrico-secrets {{- end }} diff --git a/kubernetes/helm/openslice/templates/mysql-config.yaml b/kubernetes/helm/openslice/templates/mysql-config.yaml index 0de0e52..5a29569 100644 
--- a/kubernetes/helm/openslice/templates/mysql-config.yaml +++ b/kubernetes/helm/openslice/templates/mysql-config.yaml @@ -7,7 +7,7 @@ metadata: org.etsi.osl.service: mysql chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" {{- include "openslice.labels" . | nindent 4 }} - name: {{ include "openslice.fullname" . }}-mysql-initdb-config + name: {{ include "openslice.fullname" . }}-mysql-init-config data: - 01-databases.sql: | - {{- tpl (.Files.Get "files/mysql-init/01-databases.sql") . | nindent 4 }} + entrypoint.sh: | + {{- .Files.Get "files/mysql-init/entrypoint.sh" | nindent 4 }} diff --git a/kubernetes/helm/openslice/templates/mysql-keycloak-secret.yaml b/kubernetes/helm/openslice/templates/mysql-keycloak-secret.yaml new file mode 100644 index 0000000..eae26f4 --- /dev/null +++ b/kubernetes/helm/openslice/templates/mysql-keycloak-secret.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Secret +metadata: + namespace: {{ .Release.Namespace }} + labels: + app: {{ include "openslice.fullname" . }} + org.etsi.osl.service: mysql + chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + {{- include "openslice.labels" . | nindent 4 }} + name: {{ include "openslice.fullname" . }}-mysql-keycloak-secrets +data: + username: {{ .Values.oscreds.mysql.keycloak.username | default "keycloak" | b64enc }} + password: {{ .Values.oscreds.mysql.keycloak.password | default "password" | b64enc }} + database: {{ .Values.oscreds.mysql.keycloak.database | default "keycloak" | b64enc }} diff --git a/kubernetes/helm/openslice/templates/mysql-metrico-secret.yaml b/kubernetes/helm/openslice/templates/mysql-metrico-secret.yaml new file mode 100644 index 0000000..3aa8df0 --- /dev/null +++ b/kubernetes/helm/openslice/templates/mysql-metrico-secret.yaml 
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ include "openslice.fullname" . }}
+ org.etsi.osl.service: mysql
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+ {{- include "openslice.labels" . | nindent 4 }}
+ name: {{ include "openslice.fullname" . }}-mysql-metrico-secrets
+data:
+ username: {{ .Values.oscreds.mysql.metrico.username | default "metricouser" | b64enc }}
+ password: {{ .Values.oscreds.mysql.metrico.password | default "12345" | b64enc }}
+ database: {{ .Values.oscreds.mysql.metrico.database | default "metricodb" | b64enc }}
diff --git a/kubernetes/helm/openslice/templates/mysql-portal-secret.yaml b/kubernetes/helm/openslice/templates/mysql-portal-secret.yaml
new file mode 100644
index 0000000..58bff02
--- /dev/null
+++ b/kubernetes/helm/openslice/templates/mysql-portal-secret.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ include "openslice.fullname" . }}
+ org.etsi.osl.service: mysql
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+ {{- include "openslice.labels" . | nindent 4 }}
+ name: {{ include "openslice.fullname" . }}-mysql-portal-secrets
+data:
+ username: {{ .Values.oscreds.mysql.portal.username | default "portaluser" | b64enc }}
+ password: {{ .Values.oscreds.mysql.portal.password | default "12345" | b64enc }}
+ database: {{ .Values.oscreds.mysql.openslicedb | default "osdb" | b64enc }}
diff --git a/kubernetes/helm/openslice/templates/mysql-secret.yaml b/kubernetes/helm/openslice/templates/mysql-secret.yaml
new file mode 100644
index 0000000..a17dc36
--- /dev/null
+++ b/kubernetes/helm/openslice/templates/mysql-secret.yaml
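Review bot: `database: {{ .Values.oscreds.mysql.openslicedb | default "osdb" | b64enc }}` takes the portal database name from `oscreds.mysql.openslicedb`, but the JDBC URLs in mcp-server, oasapi, osportalapi and osscapi now read `.Values.oscreds.mysql.portal.database`; the init script creates and grants on the name in this secret, so a chart user who overrides only one of the two keys ends up with the applications pointed at a database that was never created and that the portal user has no rights on (and `createDatabaseIfNotExist=true` was removed from the URLs, so nothing else creates it). Read the same key in both places, e.g. `database: {{ .Values.oscreds.mysql.portal.database | default "osdb" | b64enc }}`, and drop or alias `openslicedb`.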
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ include "openslice.fullname" . }}
+ org.etsi.osl.service: mysql
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+ {{- include "openslice.labels" . | nindent 4 }}
+ name: {{ include "openslice.fullname" . }}-mysql-secrets
+data:
+ root-password: {{ .Values.oscreds.mysql.password | default "letmein" | b64enc }}
diff --git a/kubernetes/helm/openslice/templates/mysql.yaml b/kubernetes/helm/openslice/templates/mysql.yaml
index b69a3f1..7f9585f 100644
--- a/kubernetes/helm/openslice/templates/mysql.yaml
+++ b/kubernetes/helm/openslice/templates/mysql.yaml
@@ -35,26 +35,45 @@ spec: - name: MYSQL_ROOT_HOST value: "%" - name: MYSQL_ROOT_PASSWORD - value: {{ .Values.oscreds.mysql.password | default "letmein" }} - - name: MYSQL_DATABASE - value: {{ .Values.oscreds.mysql.openslicedb | default "osdb" }} - - name: MYSQL_USER - value: {{ .Values.oscreds.mysql.portal.username | default "portaluser" }} - - name: MYSQL_PASSWORD - value: "{{ .Values.oscreds.mysql.portal.password | default 12345 }}" + valueFrom: + secretKeyRef: + name: {{ include "openslice.fullname" . }}-mysql-secrets + key: root-password resources: {{- toYaml .Values.resources | nindent 12 }} ports: - containerPort: 3306 + lifecycle: + postStart: + exec: + command: ["/init/entrypoint.sh"] volumeMounts: - mountPath: /var/lib/mysql name: mysql-portal-claim0 - - mountPath: /docker-entrypoint-initdb.d - name: mysql-initdb + - mountPath: /init + name: mysql-init + - mountPath: "/var/run/secrets/mysql" + readOnly: true + name: mysql-secrets + - mountPath: "/var/run/secrets/portal" + readOnly: true + name: mysql-portal-secrets + - mountPath: "/var/run/secrets/keycloak" + readOnly: true + name: mysql-keycloak-secrets + - mountPath: "/var/run/secrets/metrico" + readOnly: true + name: mysql-metrico-secrets + livenessProbe: + exec: + command: ["sh", "-c", "mysqladmin ping -p\"$MYSQL_ROOT_PASSWORD\""] + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 readinessProbe: exec: # Check we can execute queries over TCP (skip-networking is off). - command: ["mysql", "-h", "127.0.0.1", "-u", "{{ .Values.oscreds.mysql.username | default "root" }}", "-p{{ .Values.oscreds.mysql.password | default "letmein" }}", "-e", "SELECT 1"] + command: ["sh", "-c", "mysql -p\"$MYSQL_ROOT_PASSWORD\" -h 127.0.0.1 -e 'SELECT 1'"] initialDelaySeconds: 5 periodSeconds: 2 timeoutSeconds: 1 
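Review bot: `command: ["sh", "-c", "mysqladmin ping -p\"$MYSQL_ROOT_PASSWORD\""]` and the readiness command below place the root password on the argv of a new process every few seconds, where any process in the container can read it from `/proc/*/cmdline`; passing it as `MYSQL_PWD=\"$MYSQL_ROOT_PASSWORD\" mysql -h 127.0.0.1 -e 'SELECT 1'` keeps it off the command line, and the liveness probe needs no password at all because `mysqladmin ping` exits 0 whenever the server answers, even with access denied. The `mysql-secrets` volume mounted at `/var/run/secrets/mysql` is not read by entrypoint.sh, which takes the root password from the `MYSQL_ROOT_PASSWORD` env var, so that mount and its volume in the next hunk look unused. Because `postStart` runs on every container start and a non-zero exit kills the container, a comment above `lifecycle:` would save the next reader a surprise: `# Runs on every start so user passwords track the Secrets; a failure restarts the container.`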
@@ -63,9 +82,22 @@ spec: - name: mysql-portal-claim0 persistentVolumeClaim: claimName: {{ include "openslice.fullname" . }}-mysql-portal-claim0 - - name: mysql-initdb + - name: mysql-init configMap: - name: {{ include "openslice.fullname" . }}-mysql-initdb-config + name: {{ include "openslice.fullname" . }}-mysql-init-config + defaultMode: 0755 + - name: mysql-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-mysql-secrets + - name: mysql-portal-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-mysql-portal-secrets + - name: mysql-keycloak-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-mysql-keycloak-secrets + - name: mysql-metrico-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-mysql-metrico-secrets --- apiVersion: v1 kind: Service diff --git a/kubernetes/helm/openslice/templates/oasapi.yaml b/kubernetes/helm/openslice/templates/oasapi.yaml index bf78b5d..3cb458c 100644 --- a/kubernetes/helm/openslice/templates/oasapi.yaml +++ b/kubernetes/helm/openslice/templates/oasapi.yaml 
@@ -36,15 +36,14 @@ spec: - image: "{{ .Values.image.oasapi.repository }}:{{ .Values.image.oasapi.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.oasapi.pullPolicy | default "Always" }} name: {{ .Release.Name }}-oasapi - env: + env: - name: SPRING_APPLICATION_JSON value: >- { - "origins":"{{ .Values.rooturl }}", - "spring.datasource.url": "jdbc:mysql://{{ include "openslice.fullname" . }}-mysql/ostmfdb?createDatabaseIfNotExist=true&useUnicode=true&nullCatalogMeansCurrent=true&characterEncoding=utf8&useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=UTC", - "spring.datasource.username": "{{ .Values.oscreds.mysql.username }}", - "spring.datasource.password": "{{ .Values.oscreds.mysql.password }}", - "spring-addons.issuers[0].uri": "{{ .Values.rooturl }}/auth/realms/openslice", + "origins":"{{ .Values.rooturl }}", + "spring.config.import": "configtree:/etc/config/", + "spring.datasource.url": "jdbc:mysql://{{ include "openslice.fullname" . }}-mysql/{{ .Values.oscreds.mysql.portal.database }}", + "spring-addons.issuers[0].uri": "{{ .Values.rooturl }}/auth/realms/openslice", "spring-addons.issuers[0].username-json-path":"$.preferred_username", "spring-addons.issuers[0].claims[0].jsonPath":"$.realm_access.roles", "spring-addons.issuers[0].claims[1].jsonPath":"$.resource_access.*.roles", @@ -54,8 +53,6 @@ spec: "springdoc.oauth.client-id" : "osapiWebClientId", "springdoc.oauth.clientsecret" : "{{ .Values.spring.oauthClientSecret }}", "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false", - "spring.activemq.user": "{{ .Values.oscreds.activemq.user }}", - "spring.activemq.password": "{{ .Values.oscreds.activemq.password }}", "logging.level.org.springframework" : "{{ .Values.oasapi.spring.logLevel | default "INFO" }}", "server.forward-headers-strategy":"FRAMEWORK" } 
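Review bot: The new `"spring.datasource.url"` points oasapi at `{{ .Values.oscreds.mysql.portal.database }}` (osdb by default), whereas the removed line used its own `ostmfdb` schema, and the `useUnicode=true&characterEncoding=utf8&...&serverTimezone=UTC` driver parameters were dropped with it; neither is mentioned in the commit message, and an upgraded deployment would start against a different schema with driver-default timezone and charset handling. If sharing the portal database is intended, keep the parameters on the new URL, e.g. `"spring.datasource.url": "jdbc:mysql://{{ include "openslice.fullname" . }}-mysql/{{ .Values.oscreds.mysql.portal.database }}?useUnicode=true&characterEncoding=utf8&serverTimezone=UTC",`, and state the schema change in the commit message; otherwise add an `ostmfdb` database plus grant to the init script and its own secret. The container spec enclosing these hunks continues outside them.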
@@ -67,7 +64,31 @@ spec: httpGet: path: /oas-api/swagger-ui/index.html port: 13101 + volumeMounts: + - mountPath: "/etc/config/spring.datasource.username" + name: mysql-portal-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.datasource.password" + name: mysql-portal-secrets + subPath: password + readOnly: true + - mountPath: "/etc/config/spring.activemq.user" + name: artemis-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.activemq.password" + name: artemis-secrets + subPath: password + readOnly: true restartPolicy: Always + volumes: + - name: artemis-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-artemis-secret + - name: mysql-portal-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-mysql-portal-secrets --- apiVersion: v1 kind: Service diff --git a/kubernetes/helm/openslice/templates/osom.yaml b/kubernetes/helm/openslice/templates/osom.yaml index 14c8d2d..f5a1617 100644 --- a/kubernetes/helm/openslice/templates/osom.yaml +++ b/kubernetes/helm/openslice/templates/osom.yaml 
@@ -31,18 +31,30 @@ spec: env: - name: SPRING_APPLICATION_JSON value: >- - { + { + "spring.config.import": "configtree:/etc/config/", "spring.datasource.url" : "{{ .Values.osom.spring.datasource.url | default "jdbc:h2:/tmp/tempdb;DB_CLOSE_DELAY=-1" }}", "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false", - "spring.activemq.user": "{{ .Values.oscreds.activemq.user }}", - "spring.activemq.password": "{{ .Values.oscreds.activemq.password }}", "logging.level.org.springframework" : "{{ .Values.osom.spring.logLevel | default "INFO" }}" } resources: {{- toYaml .Values.resources | nindent 12 }} ports: - containerPort: 13100 + volumeMounts: + - mountPath: "/etc/config/spring.activemq.user" + name: artemis-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.activemq.password" + name: artemis-secrets + subPath: password + readOnly: true restartPolicy: Always + volumes: + - name: artemis-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-artemis-secret --- apiVersion: v1 kind: Service diff --git a/kubernetes/helm/openslice/templates/osportalapi.yaml b/kubernetes/helm/openslice/templates/osportalapi.yaml index 6df11d4..afe161a 100644 --- a/kubernetes/helm/openslice/templates/osportalapi.yaml +++ b/kubernetes/helm/openslice/templates/osportalapi.yaml 
@@ -42,9 +42,8 @@ spec: value: >- { "origins":"{{ .Values.rooturl }}", - "spring.datasource.url": "jdbc:mysql://{{ include "openslice.fullname" . }}-mysql/osdb?createDatabaseIfNotExist=true", - "spring.datasource.username": "{{ .Values.oscreds.mysql.username }}", - "spring.datasource.password": "{{ .Values.oscreds.mysql.password }}", + "spring.config.import": "configtree:/etc/config/", + "spring.datasource.url": "jdbc:mysql://{{ include "openslice.fullname" . }}-mysql/{{ .Values.oscreds.mysql.portal.database }}", "spring-addons.issuers[0].uri": "{{ .Values.rooturl }}/auth/realms/openslice", "spring-addons.issuers[0].username-json-path":"$.preferred_username", "spring-addons.issuers[0].claims[0].jsonPath":"$.realm_access.roles", @@ -55,8 +54,6 @@ spec: "springdoc.oauth.client-id" : "osapiWebClientId", "springdoc.oauth.clientsecret" : "{{ .Values.spring.oauthClientSecret }}", "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false", - "spring.activemq.user": "{{ .Values.oscreds.activemq.user }}", - "spring.activemq.password": "{{ .Values.oscreds.activemq.password }}", "logging.level.org.springframework" : "{{ .Values.portalapi.spring.logLevel | default "INFO" }}", "logging.level.org.etsi.osl.portal.api": "{{ .Values.portalapi.logLevel | default "INFO" }}", "server.forward-headers-strategy":"FRAMEWORK" 
@@ -68,11 +65,33 @@ spec: volumeMounts: - name: osportalapi-claim0 mountPath: /root + - mountPath: "/etc/config/spring.datasource.username" + name: mysql-portal-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.datasource.password" + name: mysql-portal-secrets + subPath: password + readOnly: true + - mountPath: "/etc/config/spring.activemq.user" + name: artemis-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.activemq.password" + name: artemis-secrets + subPath: password + readOnly: true restartPolicy: Always volumes: - name: osportalapi-claim0 persistentVolumeClaim: claimName: {{ include "openslice.fullname" . }}-osportalapi-claim0 + - name: artemis-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-artemis-secret + - name: mysql-portal-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-mysql-portal-secrets --- apiVersion: v1 kind: Service diff --git a/kubernetes/helm/openslice/templates/osscapi.yaml b/kubernetes/helm/openslice/templates/osscapi.yaml index 758d519..2b3be8e 100644 --- a/kubernetes/helm/openslice/templates/osscapi.yaml +++ b/kubernetes/helm/openslice/templates/osscapi.yaml @@ -41,9 +41,8 @@ spec: value: >- { "origins":"{{ .Values.rooturl }}", - "spring.datasource.url": "jdbc:mysql://{{ include "openslice.fullname" . }}-mysql/osdb?createDatabaseIfNotExist=true", - "spring.datasource.username": "{{ .Values.oscreds.mysql.username }}", - "spring.datasource.password": "{{ .Values.oscreds.mysql.password }}", + "spring.config.import": "configtree:/etc/config/", + "spring.datasource.url": "jdbc:mysql://{{ include "openslice.fullname" . }}-mysql/{{ .Values.oscreds.mysql.portal.database }}", "spring-addons.issuers[0].uri":"{{ .Values.rooturl }}/auth/realms/openslice", "spring-addons.issuers[0].username-json-path":"$.preferred_username", "spring-addons.issuers[0].claims[0].jsonPath":"$.realm_access.roles", 
@@ -55,8 +54,6 @@ spec: "springdoc.oauth.client-id":"osapiWebClientId", "springdoc.oauth.clientsecret" : "{{ .Values.spring.oauthClientSecret }}", "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false", - "spring.activemq.user": "{{ .Values.oscreds.activemq.user }}", - "spring.activemq.password": "{{ .Values.oscreds.activemq.password }}", "logging.level.org.springframework": "{{ .Values.osscapi.spring.logLevel | default "INFO" }}", "kroki.serverurl":"{{ .Values.rooturl }}/kroki", "server.forward-headers-strategy":"FRAMEWORK" @@ -68,6 +65,22 @@ spec: volumeMounts: - mountPath: /root name: osscapi-claim0 + - mountPath: "/etc/config/spring.datasource.username" + name: mysql-portal-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.datasource.password" + name: mysql-portal-secrets + subPath: password + readOnly: true + - mountPath: "/etc/config/spring.activemq.user" + name: artemis-secrets + subPath: username + readOnly: true + - mountPath: "/etc/config/spring.activemq.password" + name: artemis-secrets + subPath: password + readOnly: true readinessProbe: httpGet: path: /tmf-api/serviceCatalogManagement/v4/serviceCatalog @@ -77,6 +90,12 @@ spec: - name: osscapi-claim0 persistentVolumeClaim: claimName: {{ include "openslice.fullname" . }}-osscapi-claim0 + - name: artemis-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-artemis-secret + - name: mysql-portal-secrets + secret: + secretName: {{ include "openslice.fullname" . }}-mysql-portal-secrets --- apiVersion: v1 kind: Service diff --git a/kubernetes/helm/openslice/values.yaml b/kubernetes/helm/openslice/values.yaml index cc86020..405de62 100644 --- a/kubernetes/helm/openslice/values.yaml +++ b/kubernetes/helm/openslice/values.yaml 
@@ -113,7 +113,11 @@ oscreds: portal: database: osdb username: portaluser - password: 12345 + password: "12345" + metrico: + database: metricodb + username: metricouser + password: "12345" spring: oauthClientSecret: secret -- GitLab
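Review bot: `password: "12345"` under the new `metrico` block (and the existing portal one) ships a known default credential, and the Secret templates add their own fallbacks (`"12345"`, `"password"`, `"letmein"`), so a release installed without overrides gets working, well-known database passwords for every user the init script creates. Prefer empty values here with `required` in the templates, or at least a comment above the block: `# Development defaults only; override every password in production.` The quoting change to `"12345"` is right — unquoted it was parsed as an integer.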