Hi, sorry for my late response but I've been on a BT with a very limited time for my emails.
On 12.02.2020 19:49, [email protected] wrote:
> Hi Krzysztof,
>
> I'm currently looking with the CDS team to see if we can simply remove
> it from the configuration. The processor-db configuration is not needed
> for CDS to work properly. It's only to access data from a generic
> database which could be cds-db, mariadb-galera or even an external database
> not provided by ONAP. It's really dependent on the use case/operator needs.
>
> Based on our discussion at the last DDF I think you're working on
> removing all of the hardcoded passwords from OOM, correct?
>
> How should we proceed generally to do that? Should we use the helm template
> engine to put in the credentials in the configuration file like here
> https://gerrit.onap.org/r/gitweb?p=oom.git;a=blob;f=kubernetes/sdnc/resources/config/conf/dblib.properties;h=1849053411b94b9ce8b4f55ee26e46947d3f3299;hb=refs/heads/master

Nope. You shouldn't use helm templates to put your passwords directly in config files. The rationale behind that is that config files are delivered to the pod as ConfigMaps, which are stored in plain text by kubernetes and can also end up in some log files. The way to go is to use kubernetes secrets, as k8s provides the encryption-at-rest plugin for that. This means that if your cluster is properly configured, secrets will never be written to the disk in plain text.

> This would imply that the password is in the values file though, which
> kind of defeats the purpose since it's still in OOM but just in a different
> file. What do you think?

We already have a solution for this issue and it's called the common secret template :) If you use this template correctly the password may be either delivered by the user (as a string or as a reference to an already existing secret) or derived (generated) from the deployment masterPassword. You can find the example in the mariadb-galera helm chart. For now we still keep the hardcoded password in the values file to ensure backward compatibility (some services don't override it in their instance but depend on it having a specific value), but this will be removed shortly and all passwords for mariadb-galera will be generated at deployment time (unless the user provides the password in the override file).

I know that it may be challenging to use the common secret template, thus I offer help to any project that is willing to use it. If you would like to do something to help with the migration, I'd like to kindly ask you to make sure that all cds passwords can be retrieved from an environment variable. If you are using spring boot then this functionality is available out of the box, but if you use just plain properties you need a change in the code similar to this one: https://gerrit.onap.org/r/101091

Actually I already started the work on cds-db: https://gerrit.onap.org/r/#/c/101287/ but it turned out that this particular property does not support this...

Best regards,
-- 
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
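An added illustration of the pattern described in the reply above (it is not part of this thread and not taken from the OOM charts): the database password lives in a Kubernetes Secret and reaches the container as an environment variable, instead of being templated into a ConfigMap. All resource names, keys and values are assumed placeholders.

```yaml
# Added example, not OOM's own manifests. Names and values are placeholders.
#
# Anti-pattern (what the thread advises against): rendering the password
# with a helm template into a ConfigMap such as
#   data:
#     dblib.properties: |
#       org.onap.ccsdk.sli.jdbc.password={{ .Values.config.dbPassword }}
# leaves the credential in plain text in etcd and in anything that dumps
# the ConfigMap.
#
# Preferred: the workload only references a Secret by name. The Secret
# itself is provided by the operator, or generated at deploy time by a
# chart template, so no real value needs to sit in a values file.
apiVersion: v1
kind: Secret
metadata:
  name: cds-db-credentials            # assumed name
type: Opaque
stringData:
  db-password: "PLACEHOLDER-set-at-deploy-time"   # never a real value here
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cds-blueprints-processor      # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cds-blueprints-processor
  template:
    metadata:
      labels:
        app: cds-blueprints-processor
    spec:
      containers:
        - name: processor
          image: example/cds-processor:placeholder   # placeholder image
          env:
            # The application reads DB_PASSWORD from the environment.
            # Spring Boot's relaxed binding maps DB_PASSWORD to the
            # property db.password with no code change; a plain
            # java.util.Properties loader needs explicit support.
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: cds-db-credentials
                  key: db-password
```

With encryption at rest enabled on the API server, the Secret's value is encrypted in etcd while the ConfigMap variant would have been stored and logged in the clear.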
