kubernetes: store passwords in secrets

kubernetes/Makefile

@@ -2,19 +2,30 @@ NAMESPACE=villas-demo
 
 KUBECTL=kubectl -n $(NAMESPACE)
 
-APPLY=--dry-run -o yaml | $(KUBECTL) apply -f -
+APPLY_CHANGES=--dry-run -o yaml | $(KUBECTL) apply -f -
+IGNORE_EXISTING= || true
+
+USERNAME=admin
 
 deploy: config-maps secrets
 	$(KUBECTL) apply -f .
 
 namespace:
-	$(KUBECTL) create namespace $(NAMESPACE) $(APPLY)
+	$(KUBECTL) create namespace $(NAMESPACE) $(APPLY_CHANGES)
 
 config-maps:
-	$(KUBECTL) create configmap nginx-config --from-file=../etc/nginx/ $(APPLY)
-	$(KUBECTL) create configmap node-config --from-file=../etc/villas/node/ $(APPLY)
-	$(KUBECTL) create configmap controller-config --from-file=../etc/villas/controller/ $(APPLY)
+	$(KUBECTL) create configmap nginx-config --from-file=../etc/nginx/ $(APPLY_CHANGES)
+	$(KUBECTL) create configmap node-config --from-file=../etc/villas/node/ $(APPLY_CHANGES)
+	$(KUBECTL) create configmap controller-config --from-file=../etc/villas/controller/ $(APPLY_CHANGES)
 
 secrets:
+	$(KUBECTL) create secret generic mongodb-credentials  --from-literal=username=$(USERNAME) --from-literal=password=$(shell pwgen -c1 16) $(IGNORE_EXISTING)
+	$(KUBECTL) create secret generic rabbitmq-credentials --from-literal=username=$(USERNAME) --from-literal=password=$(shell pwgen -c1 16) $(IGNORE_EXISTING)
+	$(KUBECTL) create secret generic postgres-credentials --from-literal=username=$(USERNAME) --from-literal=password=$(shell pwgen -c1 16) $(IGNORE_EXISTING)
+
+get-secrets:
+	@$(KUBECTL) get secret mongodb-credentials  -o json | jq -r .data.password | base64 -d | xargs printf "MongoDB:    $(USERNAME) / %s\n"
+	@$(KUBECTL) get secret rabbitmq-credentials -o json | jq -r .data.password | base64 -d | xargs printf "RabbitMQ:   $(USERNAME) / %s\n"
+	@$(KUBECTL) get secret postgres-credentials -o json | jq -r .data.password | base64 -d | xargs printf "PostgreSQL: $(USERNAME) / %s\n"
 
 .PHONY: deploy config-maps secrets

kubernetes/backend-deployment.yaml

@@ -18,10 +18,30 @@ spec:
     spec:
       containers:
       - env:
+        - name: RABBITMQ_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: rabbitmq-credentials
+              key: username
+        - name: RABBITMQ_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: rabbitmq-credentials
+              key: password
+        - name: MONGODB_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: username
+        - name: MONGODB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: password
         - name: AMQP_ENDPOINT
-          value: amqp://villas:s3c0sim4!@broker/%2F
+          value: amqp://$(RABBITMQ_USERNAME):$(RABBITMQ_PASSWORD)@broker/%2F
         - name: DATABASE_URL
-          value: mongodb://database:27017/
+          value: mongodb://$(MONGODB_USERNAME):$(MONGODB_PASSWORD)@database:27017/
         - name: DEFAULT_ADMIN
           value: "true"
         - name: LOG_FILE

kubernetes/broker-deployment.yaml

@@ -23,9 +23,15 @@ spec:
         - name: RABBITMQ_NODE_PORT
           value: "5672"
         - name: RABBITMQ_DEFAULT_PASS
-          value: "s3c0sim4!"
+          valueFrom:
+            secretKeyRef:
+              name: rabbitmq-credentials
+              key: password
         - name: RABBITMQ_DEFAULT_USER
-          value: villas
+          valueFrom:
+            secretKeyRef:
+              name: rabbitmq-credentials
+              key: username
         - name: RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS
           value: -rabbitmq_management path_prefix "/rabbitmq"
         ports:

kubernetes/controller-deployment.yaml

@@ -17,15 +17,26 @@ spec:
       - args:
         - villas-ctl
         - -b
-        - amqp://villas:s3c0sim4!@broker/%2F
+        - amqp://$(RABBITMQ_USERNAME):$(RABBITMQ_PASSWORD)@broker/%2F
         - -c
         - /etc/villas/controller/config.json
         - daemon
-        image: registry.git.rwth-aachen.de/acs/public/villas/controller
+        image: registry.git.rwth-aachen.de/acs/public/villas/controller:demo-v0.1
         name: controller
         volumeMounts:
         - mountPath: /etc/villas/controller/
           name: config
+        env:
+        - name: RABBITMQ_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: rabbitmq-credentials
+              key: username
+        - name: RABBITMQ_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: rabbitmq-credentials
+              key: password
       volumes:
       - name: config
         configMap:

kubernetes/database-deployment.yaml

@@ -22,6 +22,17 @@ spec:
         ports:
         - containerPort: 27017
           name: mongodb
+        env:
+        - name: MONGO_INITDB_ROOT_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: username
+        - name: MONGO_INITDB_ROOT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: password
       volumes:
       - name: database
         persistentVolumeClaim:

kubernetes/mongo-express-deployment.yaml

@@ -20,10 +20,26 @@ spec:
       - image: mongo-express:0.49.0
         name: mongo-express
         env:
+        - name: ME_CONFIG_MONGODB_ADMINUSERNAME
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: username
+        - name: ME_CONFIG_MONGODB_ADMINPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: password
         - name: ME_CONFIG_BASICAUTH_PASSWORD
-          value: mongo-admin
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: password
         - name: ME_CONFIG_BASICAUTH_USERNAME
-          value: admin
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: username
         - name: ME_CONFIG_MONGODB_SERVER
           value: database
         - name: ME_CONFIG_SITE_BASEURL