Merge "Store sensitive configs in secret"
This commit is contained in:
commit
a6858883d7
|
@ -75,6 +75,7 @@ class Action(object):
|
|||
CONF.configs._update(action_parameters=self._get_custom_parameters())
|
||||
data = {
|
||||
"config": CONF.configs._json(sort_keys=True),
|
||||
"secret-config": CONF.secret_configs._json(sort_keys=True),
|
||||
"nodes-config": utils.get_nodes_config(CONF.nodes),
|
||||
"workflow": self._get_workflow()
|
||||
}
|
||||
|
@ -156,6 +157,10 @@ class Action(object):
|
|||
"key": "config",
|
||||
"path": "globals/globals.json"
|
||||
},
|
||||
{
|
||||
"key": "secret-config",
|
||||
"path": "global-secrets/global-secrets.json"
|
||||
},
|
||||
{
|
||||
"key": "nodes-config",
|
||||
"path": "nodes-config/nodes-config.json"
|
||||
|
@ -356,8 +361,8 @@ def list_actions():
|
|||
for filename in os.listdir(action_path):
|
||||
if filename.endswith(".yaml"):
|
||||
action_file = os.path.join(action_path, filename)
|
||||
data = jinja_utils.jinja_render(action_file,
|
||||
CONF.configs._dict)
|
||||
conf = utils.get_rendering_config()
|
||||
data = jinja_utils.jinja_render(action_file, conf._dict)
|
||||
for action_dict in yaml.load(data).get("actions", ()):
|
||||
actions.append(Action(component=component_name,
|
||||
component_dir=repo,
|
||||
|
|
|
@ -206,5 +206,6 @@ def _cleanup_kubernetes_objects():
|
|||
|
||||
def cleanup(auth_url=None, skip_os_cleanup=False, verify=True):
|
||||
if not skip_os_cleanup:
|
||||
_cleanup_openstack_environment(CONF.configs, auth_url, verify)
|
||||
conf = utils.get_rendering_config()
|
||||
_cleanup_openstack_environment(conf, auth_url, verify)
|
||||
_cleanup_kubernetes_objects()
|
||||
|
|
|
@ -192,7 +192,7 @@ def extend_with_service_configs(service_name, config):
|
|||
|
||||
|
||||
def get_deploy_components_info():
|
||||
rendering_context = CONF.configs
|
||||
rendering_context = get_rendering_config()
|
||||
service_definitions_map = get_service_definitions_map()
|
||||
services_map = {}
|
||||
custom_services_map = {}
|
||||
|
@ -295,3 +295,9 @@ def get_nodes_config(nodes):
|
|||
if 'configs' in nodes[node]:
|
||||
nodes_config[node] = nodes[node]['configs']
|
||||
return nodes_config._json(sort_keys=True)
|
||||
|
||||
|
||||
def get_rendering_config():
|
||||
conf = copy.deepcopy(CONF.configs)
|
||||
conf._merge(CONF.secret_configs)
|
||||
return conf
|
||||
|
|
|
@ -76,7 +76,7 @@ def get_config_defaults():
|
|||
'urllib3=WARN'
|
||||
]
|
||||
})
|
||||
for name in ['configs', 'nodes', 'roles', 'versions']:
|
||||
for name in ['configs', 'secret_configs', 'nodes', 'roles', 'versions']:
|
||||
defaults[name] = _yaml.AttrDict()
|
||||
for module in CONFIG_MODULES:
|
||||
defaults._merge(module.DEFAULTS)
|
||||
|
@ -102,7 +102,7 @@ def get_config_schema():
|
|||
for name in ignore_opts:
|
||||
schema['properties'][name] = {}
|
||||
# Also for now don't validate sections that used to be in deploy config
|
||||
for name in ['configs', 'nodes', 'roles', 'versions']:
|
||||
for name in ['configs', 'secret_configs', 'nodes', 'roles', 'versions']:
|
||||
schema['properties'][name] = {'type': 'object'}
|
||||
return schema
|
||||
|
||||
|
@ -118,7 +118,7 @@ def load_component_defaults():
|
|||
from fuel_ccp.common import utils
|
||||
|
||||
sections = ['versions', 'sources', 'configs', 'nodes', 'roles', 'replicas',
|
||||
'url', 'files', 'services']
|
||||
'url', 'files', 'services', 'secret_configs']
|
||||
new_config = _yaml.AttrDict((k, _yaml.AttrDict()) for k in sections)
|
||||
for path in utils.get_config_paths():
|
||||
if not os.path.exists(path):
|
||||
|
|
|
@ -121,8 +121,9 @@ def parse_role(component, topology, configmaps):
|
|||
if CONF.action.dry_run:
|
||||
cm_version = 'dry-run'
|
||||
else:
|
||||
rendering_context = utils.get_rendering_config()
|
||||
cm_version = _get_configmaps_version(
|
||||
configmaps, service_dir, files, CONF.configs._dict)
|
||||
configmaps, service_dir, files, rendering_context._dict)
|
||||
|
||||
for cont in service["containers"]:
|
||||
daemon_cmd = cont["daemon"]
|
||||
|
@ -348,6 +349,13 @@ def _create_globals_configmap(config):
|
|||
return kubernetes.process_object(cm)
|
||||
|
||||
|
||||
def _create_globals_secret(conf):
|
||||
data = {templates.GLOBAL_SECRET_CONFIG: conf._json(sort_keys=True)}
|
||||
secret = templates.serialize_secret(
|
||||
templates.GLOBAL_SECRET_CONFIG, data=data)
|
||||
return kubernetes.process_object(secret)
|
||||
|
||||
|
||||
def _create_nodes_configmap(nodes):
|
||||
nodes_config = utils.get_nodes_config(nodes)
|
||||
data = {templates.NODES_CONFIG: nodes_config}
|
||||
|
@ -647,6 +655,7 @@ def deploy_components(components_map, components):
|
|||
_create_namespace(CONF.configs)
|
||||
_create_registry_secret()
|
||||
_create_globals_configmap(CONF.configs)
|
||||
_create_globals_secret(CONF.secret_configs)
|
||||
_create_nodes_configmap(CONF.nodes)
|
||||
start_script_cm = create_start_script_configmap()
|
||||
|
||||
|
@ -697,4 +706,5 @@ def deploy_components(components_map, components):
|
|||
topology, exports_ctx)
|
||||
|
||||
if 'keystone' in components:
|
||||
_create_openrc(CONF.configs)
|
||||
conf = utils.get_rendering_config()
|
||||
_create_openrc(conf)
|
||||
|
|
|
@ -16,6 +16,7 @@ UPDATABLE_OBJECTS = (
|
|||
'Service',
|
||||
'Ingress',
|
||||
'StatefulSet',
|
||||
'Secret',
|
||||
)
|
||||
|
||||
|
||||
|
|
|
@ -8,6 +8,7 @@ configs:
|
|||
domain: external
|
||||
port: 8443
|
||||
|
||||
secret_configs:
|
||||
security:
|
||||
tls:
|
||||
create_certificates: true
|
||||
|
|
|
@ -9,6 +9,7 @@ from fuel_ccp.config import images
|
|||
CONF = config.CONF
|
||||
|
||||
GLOBAL_CONFIG = "globals"
|
||||
GLOBAL_SECRET_CONFIG = "global-secrets"
|
||||
NODES_CONFIG = "nodes-config"
|
||||
SERVICE_CONFIG = "service-config"
|
||||
SCRIPT_CONFIG = "start-script"
|
||||
|
@ -61,6 +62,10 @@ def serialize_volume_mounts(container, for_job=None):
|
|||
"name": GLOBAL_CONFIG,
|
||||
"mountPath": "/etc/ccp/%s" % GLOBAL_CONFIG
|
||||
},
|
||||
{
|
||||
"name": GLOBAL_SECRET_CONFIG,
|
||||
"mountPath": "/etc/ccp/%s" % GLOBAL_SECRET_CONFIG
|
||||
},
|
||||
{
|
||||
"name": ROLE_CONFIG,
|
||||
"mountPath": "/etc/ccp/%s" % ROLE_CONFIG
|
||||
|
@ -280,6 +285,14 @@ def serialize_volumes(service, for_job=None):
|
|||
"path": "globals.json"}]
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": GLOBAL_SECRET_CONFIG,
|
||||
"secret": {
|
||||
"secretName": GLOBAL_SECRET_CONFIG,
|
||||
"items": [{"key": GLOBAL_SECRET_CONFIG,
|
||||
"path": "%s.json" % GLOBAL_SECRET_CONFIG}]
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": SCRIPT_CONFIG,
|
||||
"configMap": {
|
||||
|
|
|
@ -45,6 +45,8 @@ class TestDeploy(base.TestCase):
|
|||
],
|
||||
"volumeMounts": [
|
||||
{'mountPath': '/etc/ccp/globals', 'name': 'globals'},
|
||||
{'mountPath': '/etc/ccp/global-secrets',
|
||||
'name': 'global-secrets'},
|
||||
{'mountPath': '/etc/ccp/role', 'name': 'role'},
|
||||
{'mountPath': '/etc/ccp/meta', 'name': 'meta'},
|
||||
{'mountPath': '/opt/ccp_start_script/bin',
|
||||
|
|
Loading…
Reference in New Issue