From 9a311475baf4a20cb19f1854ecb81188bc1fdff1 Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Fri, 24 Aug 2018 09:18:53 -0500
Subject: [PATCH] Charts: Use secrets for configs in chart
This updates the osh-infra charts to use a secret for their configuration files instead of a configmap, allowing for the storage of sensitive information
Change-Id: Ia32587162288df0b297c45fd43b55cef381cb064
---
 elasticsearch/templates/configmap-etc.yaml | 18 ++++-----
 elasticsearch/templates/cron-job-curator.yaml | 4 +-
 .../templates/deployment-client.yaml | 4 +-
 .../templates/deployment-master.yaml | 4 +-
 .../templates/etc/_log4j2.properties.tpl | 37 -------------------
 elasticsearch/templates/statefulset-data.yaml | 4 +-
 elasticsearch/values.yaml | 24 ++++++++++--
 fluent-logging/templates/configmap-etc.yaml | 15 +++----
 .../templates/daemonset-fluent-bit.yaml | 4 +-
 .../templates/deployment-fluentd.yaml | 4 +-
 .../templates/job-elasticsearch-template.yaml | 6 +--
 grafana/templates/configmap-etc.yaml | 17 ++++-----
 grafana/templates/deployment.yaml | 4 +-
 kibana/templates/configmap-etc.yaml | 8 ++--
 kibana/templates/deployment.yaml | 4 +-
 nagios/templates/configmap-etc.yaml | 28 +++++++-------
 nagios/templates/deployment.yaml | 4 +-
 prometheus/templates/configmap-etc.yaml | 11 +++---
 prometheus/templates/statefulset.yaml | 5 ++-
 19 files changed, 88 insertions(+), 117 deletions(-)
 delete mode 100644 elasticsearch/templates/etc/_log4j2.properties.tpl
diff --git a/elasticsearch/templates/configmap-etc.yaml b/elasticsearch/templates/configmap-etc.yaml
index 17e1065c5..d81bf78a6 100644
--- a/elasticsearch/templates/configmap-etc.yaml
+++ b/elasticsearch/templates/configmap-etc.yaml
@@ -20,21 +20,17 @@ limitations under the License.
 {{- if and (.Values.conf.elasticsearch.repository.enabled) (empty .Values.conf.elasticsearch.config.path.repo) -}}
 {{- set .Values.conf.elasticsearch.config.path "repo" .Values.conf.elasticsearch.repository.location -}}
 {{- end -}}
-
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
 name: elasticsearch-etc
+type: Opaque
 data:
- elasticsearch.yml: |
-{{ toYaml .Values.conf.elasticsearch.config | indent 4 }}
- log4j2.properties: |
-{{- tuple .Values.conf.elasticsearch "etc/_log4j2.properties.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
- action_file.yml: |
-{{ toYaml .Values.conf.curator.action_file | indent 4 }}
- config.yml: |
-{{ toYaml .Values.conf.curator.config | indent 4 }}
+ elasticsearch.yml: {{ toYaml .Values.conf.elasticsearch.config | b64enc }}
+ action_file.yml: {{ toYaml .Values.conf.curator.action_file | b64enc }}
+ config.yml: {{ toYaml .Values.conf.curator.config | b64enc }}
 #NOTE(portdirect): this must be last, to work round helm ~2.7 bug.
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf") | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.log4j2 "key" "log4j2.properties" "format" "Secret") | indent 2 }}
 {{- end }}
diff --git a/elasticsearch/templates/cron-job-curator.yaml b/elasticsearch/templates/cron-job-curator.yaml
index 77dc6caa1..343ba78a0 100644
--- a/elasticsearch/templates/cron-job-curator.yaml
+++ b/elasticsearch/templates/cron-job-curator.yaml
@@ -74,7 +74,7 @@ spec:
 name: elasticsearch-bin
 defaultMode: 0555
 - name: elasticsearch-etc
- configMap:
- name: elasticsearch-etc
+ secret:
+ secretName: elasticsearch-etc
 defaultMode: 0444
 {{- end }}
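Review bot: The `#NOTE(portdirect): this must be last, to work round helm ~2.7 bug.` comment no longer matches the code, because the new `log4j2.properties` include is emitted after the `httpd.conf` include it was written for; either keep httpd last or reword it to `#NOTE(portdirect): the values_template_renderer includes must be last, to work round helm ~2.7 bug.`. The `"format" "Secret"` argument assumes the pinned helm-toolkit `values_template_renderer` understands it (presumably added in a companion helm-toolkit change); that change has to land or the dependency be bumped first, since the old helper would presumably still render a `key: |` block under a Secret's `data:` and the API server would reject the non-base64 value. It would also be worth saying in the commit message what this does and does not protect: with Helm 2 the rendered manifest, Secret included, is kept by Tiller in release-record ConfigMaps in kube-system unless the secrets storage driver is configured, and the previous plaintext `elasticsearch-etc` ConfigMap stays in release history for rollback, so RBAC on those ConfigMaps and encryption at rest for secrets still decide who can read these files.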
diff --git a/elasticsearch/templates/deployment-client.yaml b/elasticsearch/templates/deployment-client.yaml
index f0883b566..ee6beef60 100644
--- a/elasticsearch/templates/deployment-client.yaml
+++ b/elasticsearch/templates/deployment-client.yaml
@@ -234,8 +234,8 @@ spec:
 name: elasticsearch-bin
 defaultMode: 0555
 - name: elasticsearch-etc
- configMap:
- name: elasticsearch-etc
+ secret:
+ secretName: elasticsearch-etc
 defaultMode: 0444
 - name: storage
 emptyDir: {}
diff --git a/elasticsearch/templates/deployment-master.yaml b/elasticsearch/templates/deployment-master.yaml
index 2e90cbbc8..1abd509f2 100644
--- a/elasticsearch/templates/deployment-master.yaml
+++ b/elasticsearch/templates/deployment-master.yaml
@@ -190,8 +190,8 @@ spec:
 name: elasticsearch-bin
 defaultMode: 0555
 - name: elasticsearch-etc
- configMap:
- name: elasticsearch-etc
+ secret:
+ secretName: elasticsearch-etc
 defaultMode: 0444
 - name: storage
 emptyDir: {}
diff --git a/elasticsearch/templates/etc/_log4j2.properties.tpl b/elasticsearch/templates/etc/_log4j2.properties.tpl
deleted file mode 100644
index bf0ceb5cd..000000000
--- a/elasticsearch/templates/etc/_log4j2.properties.tpl
+++ /dev/null
@@ -1,37 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-appender.console.type = Console
-appender.console.name = console
-appender.console.layout.type = PatternLayout
-appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
-
-appender.rolling.type = RollingFile
-appender.rolling.name = rolling
-appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${hostName}.log
-appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${hostName}.log.%i
-appender.rolling.layout.type = PatternLayout
-appender.rolling.layout.pattern = [%d{DEFAULT}][%-5p][%-25c] %.10000m%n
-appender.rolling.policies.type = Policies
-appender.rolling.policies.size.type = SizeBasedTriggeringPolicy
-appender.rolling.policies.size.size=100MB
-appender.rolling.strategy.type = DefaultRolloverStrategy
-appender.rolling.strategy.max = 5
-appender.rolling.strategy.fileIndex = min
-
-rootLogger.level = info
-rootLogger.appenderRef.console.ref = console
-rootLogger.appenderRef.rolling.ref = rolling
diff --git a/elasticsearch/templates/statefulset-data.yaml b/elasticsearch/templates/statefulset-data.yaml
index 6250d906f..fb038a0bf 100644
--- a/elasticsearch/templates/statefulset-data.yaml
+++ b/elasticsearch/templates/statefulset-data.yaml
@@ -187,8 +187,8 @@ spec:
 name: elasticsearch-bin
 defaultMode: 0555
 - name: elasticsearch-etc
- configMap:
- name: elasticsearch-etc
+ secret:
+ secretName: elasticsearch-etc
 defaultMode: 0444
 {{ if .Values.storage.filesystem_repository.enabled }}
 - name: snapshots
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index ebd6adad8..f87a69e9b 100644
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -271,6 +271,26 @@ conf:
 Require valid-user
+ log4j2: |
+ appender.console.type=Console
+ appender.console.name=console
+ appender.console.layout.type=PatternLayout
+ appender.console.layout.pattern="[%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n"
+ appender.rolling.type=RollingFile
+ appender.rolling.name=rolling
+ appender.rolling.fileName="${sys:es.logs.base_path}${sys:file.separator}${hostName}.log"
+ appender.rolling.filePattern="${sys:es.logs.base_path}${sys:file.separator}${hostName}.log.%i"
+ appender.rolling.layout.type=PatternLayout
+ appender.rolling.layout.pattern="[%d{DEFAULT}][%-5p][%-25c] %.10000m%n"
+ appender.rolling.policies.type=Policies
+ appender.rolling.policies.size.type=SizeBasedTriggeringPolicy
+ appender.rolling.policies.size.size=100MB
+ appender.rolling.strategy.type=DefaultRolloverStrategy
+ appender.rolling.strategy.max=5
+ appender.rolling.strategy.fileIndex=min
+ rootLogger.level=info
+ rootLogger.appenderRef.console.ref=console
+ rootLogger.appenderRef.rolling.ref=rolling
 init:
 max_map_count: 262144
 curator:
@@ -408,10 +428,6 @@ conf:
 type: fs
 env:
 java_opts: "-Xms256m -Xmx256m"
- log4j2:
- override:
- prefix:
- append:
 prometheus_elasticsearch_exporter:
 es:
 all: true
diff --git a/fluent-logging/templates/configmap-etc.yaml b/fluent-logging/templates/configmap-etc.yaml
index f76de40e5..723526ecb 100644
--- a/fluent-logging/templates/configmap-etc.yaml
+++ b/fluent-logging/templates/configmap-etc.yaml
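Review bot: The four double-quoted values in the new `conf.log4j2` block (`appender.console.layout.pattern`, `appender.rolling.fileName`, `appender.rolling.filePattern`, `appender.rolling.layout.pattern`) were unquoted in the deleted `_log4j2.properties.tpl`, and a Java properties reader keeps quote characters as part of the value; unless Log4j2's properties loader strips them, which I do not believe it does, every log line will be wrapped in literal `"` and the rolling file will be created with quotes in its name. The block is a YAML `|` literal scalar, so nothing needs quoting there — drop the quotes as below. Separately, this text now goes through `values_template_renderer` (presumably `tpl`), so a future pattern containing `{{` would be interpreted as Go template; a one-line comment above `log4j2:` noting that would save someone a confusing failure.
```yaml
  log4j2: |
    # … unchanged: console appender type/name/layout.type …
    appender.console.layout.pattern=[%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
    # … unchanged: rolling appender type/name …
    appender.rolling.fileName=${sys:es.logs.base_path}${sys:file.separator}${hostName}.log
    appender.rolling.filePattern=${sys:es.logs.base_path}${sys:file.separator}${hostName}.log.%i
    # … unchanged: rolling layout.type …
    appender.rolling.layout.pattern=[%d{DEFAULT}][%-5p][%-25c] %.10000m%n
    # … unchanged: policies, rollover strategy, rootLogger …
```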
@@ -18,18 +18,15 @@ limitations under the License.
 {{- $envAll := . }}
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
 name: fluent-logging-etc
+type: Opaque
 data:
- fluent-bit.conf: |
-{{ include "fluent_logging.utils.to_fluentbit_conf" .Values.conf.fluentbit | indent 4 }}
- parsers.conf: |
-{{ include "fluent_logging.utils.to_fluentbit_conf" .Values.conf.parsers | indent 4 }}
- fluent.conf: |
-{{ include "fluent_logging.utils.to_fluentd_conf" .Values.conf.td_agent | indent 4 }}
+ fluent-bit.conf: {{ include "fluent_logging.utils.to_fluentbit_conf" .Values.conf.fluentbit | b64enc }}
+ parsers.conf: {{ include "fluent_logging.utils.to_fluentbit_conf" .Values.conf.parsers | b64enc }}
+ fluent.conf: {{ include "fluent_logging.utils.to_fluentd_conf" .Values.conf.td_agent | b64enc }}
 {{ range $template, $fields := .Values.conf.templates }}
- {{ $template }}.json: |
-{{ toJson $fields | indent 4 }}
+ {{ $template }}.json: {{ toJson $fields | b64enc }}
 {{ end }}
 {{- end }}
diff --git a/fluent-logging/templates/daemonset-fluent-bit.yaml b/fluent-logging/templates/daemonset-fluent-bit.yaml
index 01349b0ba..4c59d51b0 100644
--- a/fluent-logging/templates/daemonset-fluent-bit.yaml
+++ b/fluent-logging/templates/daemonset-fluent-bit.yaml
@@ -148,8 +148,8 @@ spec:
 name: fluent-logging-bin
 defaultMode: 0555
 - name: fluent-logging-etc
- configMap:
- name: fluent-logging-etc
+ secret:
+ secretName: fluent-logging-etc
 defaultMode: 0444
 {{ if $mounts_fluentbit.volumes }}{{ toYaml $mounts_fluentbit.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/fluent-logging/templates/deployment-fluentd.yaml b/fluent-logging/templates/deployment-fluentd.yaml
index dd7e80ab6..bfcc8bdcd 100644
--- a/fluent-logging/templates/deployment-fluentd.yaml
+++ b/fluent-logging/templates/deployment-fluentd.yaml
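Review bot: The single `fluent-logging-etc` Secret built in the first hunk holds `fluent-bit.conf`, `fluent.conf` and the ES templates together, and the second hunk mounts it from a DaemonSet; the Node authorizer only lets a kubelet read secrets for pods scheduled on that node, and a DaemonSet puts one on every node, so anything sensitive that ends up in `fluent.conf` (the stated reason for the change) becomes readable from any compromised node even though only the fluentd Deployment needs it. If the goal is to protect Elasticsearch output credentials, keep them in a separate secret mounted only by `deployment-fluentd.yaml`, and leave the node-wide fluent-bit configuration in this shared object. A short comment above `kind: Secret` saying which keys are expected to carry secrets would make that boundary explicit for the next person adding a key.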
@@ -150,8 +150,8 @@ spec:
 - name: pod-etc-fluentd
 emptyDir: {}
 - name: fluent-logging-etc
- configMap:
- name: fluent-logging-etc
+ secret:
+ secretName: fluent-logging-etc
 defaultMode: 0444
 - name: fluent-logging-bin
 configMap:
diff --git a/fluent-logging/templates/job-elasticsearch-template.yaml b/fluent-logging/templates/job-elasticsearch-template.yaml
index 958a992b8..f24cdd40a 100644
--- a/fluent-logging/templates/job-elasticsearch-template.yaml
+++ b/fluent-logging/templates/job-elasticsearch-template.yaml
@@ -78,8 +78,8 @@ spec:
 name: fluent-logging-bin
 defaultMode: 0555
 - name: fluent-logging-etc
- configMap:
- name: fluent-logging-etc
- defaultMode: 0666
+ secret:
+ secretName: fluent-logging-etc
+ defaultMode: 0444
 {{ if $mounts_elasticsearch_template.volumes }}{{ toYaml $mounts_elasticsearch_template.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/grafana/templates/configmap-etc.yaml b/grafana/templates/configmap-etc.yaml
index 1a7cb395e..d459e8d69 100644
--- a/grafana/templates/configmap-etc.yaml
+++ b/grafana/templates/configmap-etc.yaml
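Review bot: The `job-elasticsearch-template` hunk mounts the entire `fluent-logging-etc` secret although the job only needs the `*.json` index templates; now that the same object is where the fluentd/fluent-bit configuration (and whatever credentials motivate this change) lives, the job pod gets a copy of those too. Since the template keys are generated from `.Values.conf.templates`, the mount can be narrowed with an `items:` list built from the same range, as sketched below (assumes `.` is still the chart root at this point in the template, else use the `$envAll` convention). The `defaultMode: 0666` to `0444` tightening is welcome; a world-writable config volume had no reason to exist.
```yaml
      - name: fluent-logging-etc
        secret:
          secretName: fluent-logging-etc
          defaultMode: 0444
          items:
{{- range $template, $fields := .Values.conf.templates }}
            - key: {{ $template }}.json
              path: {{ $template }}.json
{{- end }}
```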
@@ -30,21 +30,18 @@ limitations under the License.
 {{- end -}}
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
 name: grafana-etc
+type: Opaque
 data:
- datasources.yaml: |
-{{- include "grafana.utils.generate_datasources" (dict "envAll" $envAll "datasources" .Values.conf.provisioning.datasources) | indent 4 }}
- dashboards.yaml: |
-{{ toYaml .Values.conf.provisioning.dashboards | indent 4 }}
- grafana.ini: |
-{{ include "helm-toolkit.utils.to_ini" .Values.conf.grafana | indent 4 }}
+ datasources.yaml: {{ include "grafana.utils.generate_datasources" (dict "envAll" $envAll "datasources" .Values.conf.provisioning.datasources) | b64enc }}
+ dashboards.yaml: {{ toYaml .Values.conf.provisioning.dashboards | b64enc }}
+ grafana.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.grafana | b64enc }}
 {{ if not (empty .Values.conf.ldap) }}
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ldap.template "key" "ldap.toml") | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ldap.template "key" "ldap.toml" "format" "Secret") | indent 2 }}
 {{ end }}
 {{ range $key, $value := .Values.conf.dashboards }}
- {{$key}}.json: |
-{{ toJson $value | indent 4 }}
+ {{$key}}.json: {{ toJson $value | b64enc }}
 {{ end }}
 {{- end }}
diff --git a/grafana/templates/deployment.yaml b/grafana/templates/deployment.yaml
index 2b83c696a..13f603c02 100644
--- a/grafana/templates/deployment.yaml
+++ b/grafana/templates/deployment.yaml
@@ -115,8 +115,8 @@ spec:
 name: grafana-bin
 defaultMode: 0555
 - name: grafana-etc
- configMap:
- name: grafana-etc
+ secret:
+ secretName: grafana-etc
 defaultMode: 0444
 - name: data
 emptyDir: {}
diff --git a/kibana/templates/configmap-etc.yaml b/kibana/templates/configmap-etc.yaml
index 93742d7c2..22d646158 100644
--- a/kibana/templates/configmap-etc.yaml
+++ b/kibana/templates/configmap-etc.yaml
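Review bot: The `{{$key}}.json` dashboards and `dashboards.yaml` are folded into the same Secret as `grafana.ini`, `datasources.yaml` and `ldap.toml`, but only the latter three plausibly carry credentials (admin password, datasource auth, LDAP bind password); dashboard JSON is bulk, non-sensitive data that now counts against the same 1 MiB object limit and can only be read by principals with `get secrets`. Keeping dashboards in a ConfigMap of their own (e.g. `grafana-dashboards`) and reserving `grafana-etc` for the credential-bearing files keeps secret RBAC narrow and removes the risk that a large dashboard set pushes the Secret over the size limit. If the split is deferred, a comment above `kind: Secret` noting that the dashboards are included only for packaging convenience would stop the next maintainer from treating them as sensitive.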
@@ -18,12 +18,12 @@ limitations under the License.
 {{- $envAll := . }}
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
 name: kibana-etc
+type: Opaque
 data:
- kibana.yml: |
-{{ toYaml .Values.conf.kibana | indent 4 }}
+ kibana.yml: {{ toYaml .Values.conf.kibana | b64enc }}
 #NOTE(portdirect): this must be last, to work round helm ~2.7 bug.
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf") | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
 {{- end }}
diff --git a/kibana/templates/deployment.yaml b/kibana/templates/deployment.yaml
index 74e885e1a..3ba32d749 100644
--- a/kibana/templates/deployment.yaml
+++ b/kibana/templates/deployment.yaml
@@ -127,7 +127,7 @@ spec:
 name: kibana-bin
 defaultMode: 0555
 - name: kibana-etc
- configMap:
- name: kibana-etc
+ secret:
+ secretName: kibana-etc
 defaultMode: 0444
 {{- end }}
diff --git a/nagios/templates/configmap-etc.yaml b/nagios/templates/configmap-etc.yaml
index 6503b84a3..75a54c6b4 100644
--- a/nagios/templates/configmap-etc.yaml
+++ b/nagios/templates/configmap-etc.yaml
@@ -14,25 +14,27 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
+{{ define "configmap_etc._nagios_objects" }}
+{{- tuple "contact" $.Values.conf.nagios.contacts | include "nagios.utils.object_definition" }}
+{{- tuple "contactgroup" $.Values.conf.nagios.contactgroups | include "nagios.utils.object_definition" }}
+{{- tuple "host" $.Values.conf.nagios.hosts | include "nagios.utils.object_definition" }}
+{{- tuple "hostgroup" $.Values.conf.nagios.host_groups | include "nagios.utils.object_definition" }}
+{{- tuple "command" $.Values.conf.nagios.commands | include "nagios.utils.object_definition" }}
+{{- tuple "service" $.Values.conf.nagios.services | include "nagios.utils.object_definition" }}
+{{- end }}
+
 {{- if .Values.manifests.configmap_etc }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
 name: nagios-etc
+type: Opaque
 data:
- cgi.cfg: |+
-{{ include "nagios.utils.to_nagios_conf" .Values.conf.nagios.cgi | indent 4 }}
- nagios.cfg: |+
-{{ include "nagios.utils.to_nagios_conf" .Values.conf.nagios.nagios | indent 4 }}
- nagios_objects.cfg: |+
-{{- tuple "contact" .Values.conf.nagios.contacts | include "nagios.utils.object_definition" | indent 4 }}
-{{- tuple "contactgroup" .Values.conf.nagios.contactgroups | include "nagios.utils.object_definition" | indent 4 }}
-{{- tuple "host" .Values.conf.nagios.hosts | include "nagios.utils.object_definition" | indent 4 }}
-{{- tuple "hostgroup" .Values.conf.nagios.host_groups | include "nagios.utils.object_definition" | indent 4 }}
-{{- tuple "command" .Values.conf.nagios.commands | include "nagios.utils.object_definition" | indent 4 }}
-{{- tuple "service" .Values.conf.nagios.services | include "nagios.utils.object_definition" | indent 4 }}
+ cgi.cfg: {{ include "nagios.utils.to_nagios_conf" .Values.conf.nagios.cgi | b64enc }}
+ nagios.cfg: {{ include "nagios.utils.to_nagios_conf" .Values.conf.nagios.nagios | b64enc }}
+ nagios_objects.cfg: {{ include "configmap_etc._nagios_objects" $ | b64enc }}
 #NOTE(portdirect): this must be last, to work round helm ~2.7 bug.
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf") | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
 {{- end }}
diff --git a/nagios/templates/deployment.yaml b/nagios/templates/deployment.yaml
index a82c35d73..d838802e0 100644
--- a/nagios/templates/deployment.yaml
+++ b/nagios/templates/deployment.yaml
@@ -162,8 +162,8 @@ spec:
 readOnly: true
 volumes:
 - name: nagios-etc
- configMap:
- name: nagios-etc
+ secret:
+ secretName: nagios-etc
 defaultMode: 0444
 - name: pod-etc-apache
 emptyDir: {}
diff --git a/prometheus/templates/configmap-etc.yaml b/prometheus/templates/configmap-etc.yaml
index 38c1b2294..38314a944 100644
--- a/prometheus/templates/configmap-etc.yaml
+++ b/prometheus/templates/configmap-etc.yaml
@@ -38,16 +38,15 @@ limitations under the License.
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
 name: prometheus-etc
+type: Opaque
 data:
- prometheus.yml: |+
-{{ toYaml .Values.conf.prometheus.scrape_configs | indent 4 }}
+ prometheus.yml: {{ toYaml .Values.conf.prometheus.scrape_configs | b64enc }}
 {{ range $key, $value := .Values.conf.prometheus.rules }}
- {{ $key }}.rules: |
-{{ toYaml $value | indent 4 }}
+ {{ $key }}.rules: {{ toYaml $value | b64enc }}
 {{ end }}
 #NOTE(srwilkers): this must be last, to work round helm ~2.7 bug.
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf") | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
 {{- end }}
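Review bot: The new named template `configmap_etc._nagios_objects` at the top of the nagios `configmap-etc.yaml` hunk is registered in Helm's single, chart-wide template namespace that is shared with helm-toolkit and every other dependency, and unlike `nagios.utils.object_definition` and `nagios.utils.to_nagios_conf` used on the same lines it carries no chart prefix, so a same-named define in any subchart would silently win or lose depending on load order. Rename it to follow the existing convention, e.g. `{{ define "nagios.utils.nagios_objects" }}` and `nagios_objects.cfg: {{ include "nagios.utils.nagios_objects" $ | b64enc }}`. A one-line comment above the define saying it exists only so the six object blocks can be concatenated and base64-encoded as one value would explain why it was split out of the `data:` map.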
diff --git a/prometheus/templates/statefulset.yaml b/prometheus/templates/statefulset.yaml
index c4feeaf5c..83dc5b5b2 100644
--- a/prometheus/templates/statefulset.yaml
+++ b/prometheus/templates/statefulset.yaml
@@ -189,8 +189,9 @@ spec:
 - name: rulesprometheus
 emptyDir: {}
 - name: prometheus-etc
- configMap:
- name: prometheus-etc
+ secret:
+ secretName: prometheus-etc
+ defaultMode: 0444
 - name: prometheus-bin
 configMap:
 name: prometheus-bin