From a1542335303b3cd9a2b2df533b45bb5e34c06326 Mon Sep 17 00:00:00 2001
From: Steffen Vogel <post@steffenvogel.de>
Date: Mon, 11 Nov 2019 22:12:52 +0100
Subject: [PATCH] kubernetes: store passwords in secrets

---
 kubernetes/Makefile                      | 21 ++++++++++++++++-----
 kubernetes/backend-deployment.yaml       | 24 ++++++++++++++++++++++--
 kubernetes/broker-deployment.yaml        | 10 ++++++++--
 kubernetes/controller-deployment.yaml    | 15 +++++++++++++--
 kubernetes/database-deployment.yaml      | 11 +++++++++++
 kubernetes/mongo-express-deployment.yaml | 20 ++++++++++++++++++--
 6 files changed, 88 insertions(+), 13 deletions(-)

diff --git a/kubernetes/Makefile b/kubernetes/Makefile
index 3622670..558465c 100644
--- a/kubernetes/Makefile
+++ b/kubernetes/Makefile
@@ -2,19 +2,30 @@ NAMESPACE=villas-demo
 
 KUBECTL=kubectl -n $(NAMESPACE)
 
-APPLY=--dry-run -o yaml | $(KUBECTL) apply -f -
+APPLY_CHANGES=--dry-run -o yaml | $(KUBECTL) apply -f -
+IGNORE_EXISTING= || true
+
+USERNAME=admin
 
 deploy: config-maps secrets
 	$(KUBECTL) apply -f .
 
 namespace:
-	$(KUBECTL) create namespace $(NAMESPACE) $(APPLY)
+	$(KUBECTL) create namespace $(NAMESPACE) $(APPLY_CHANGES)
 
 config-maps:
-	$(KUBECTL) create configmap nginx-config --from-file=../etc/nginx/ $(APPLY)
-	$(KUBECTL) create configmap node-config --from-file=../etc/villas/node/ $(APPLY)
-	$(KUBECTL) create configmap controller-config --from-file=../etc/villas/controller/ $(APPLY)
+	$(KUBECTL) create configmap nginx-config --from-file=../etc/nginx/ $(APPLY_CHANGES)
+	$(KUBECTL) create configmap node-config --from-file=../etc/villas/node/ $(APPLY_CHANGES)
+	$(KUBECTL) create configmap controller-config --from-file=../etc/villas/controller/ $(APPLY_CHANGES)
 
 secrets:
+	$(KUBECTL) create secret generic mongodb-credentials  --from-literal=username=$(USERNAME) --from-literal=password=$(shell pwgen -c1 16) $(IGNORE_EXISTING)
+	$(KUBECTL) create secret generic rabbitmq-credentials --from-literal=username=$(USERNAME) --from-literal=password=$(shell pwgen -c1 16) $(IGNORE_EXISTING)
+	$(KUBECTL) create secret generic postgres-credentials --from-literal=username=$(USERNAME) --from-literal=password=$(shell pwgen -c1 16) $(IGNORE_EXISTING)
+
+get-secrets:
+	@$(KUBECTL) get secret mongodb-credentials  -o json | jq -r .data.password | base64 -d | xargs printf "MongoDB:    $(USERNAME) / %s\n"
+	@$(KUBECTL) get secret rabbitmq-credentials -o json | jq -r .data.password | base64 -d | xargs printf "RabbitMQ:   $(USERNAME) / %s\n"
+	@$(KUBECTL) get secret postgres-credentials -o json | jq -r .data.password | base64 -d | xargs printf "PostgreSQL: $(USERNAME) / %s\n"
 
 .PHONY: deploy config-maps secrets
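Review bot: The three `create secret` lines in `secrets` print each freshly generated password to the terminal and to any CI log, because make echoes a recipe line after expanding `$(shell pwgen -c1 16)` into it; prefix them with `@` as the `get-secrets` lines already are. If `pwgen` is not installed, `$(shell …)` expands to nothing and the secret is created with an empty `--from-literal=password=` without any error, so guard it at parse time with `ifeq ($(shell command -v pwgen),)` / `$(error pwgen is required by the secrets target)` / `endif`. `IGNORE_EXISTING= || true` also masks every failure of `kubectl create secret` (not authenticated, RBAC denied, wrong namespace), not only the already-exists case it is meant for; a comment stating that intent, `# tolerate AlreadyExists so re-running deploy keeps the current passwords`, would at least make the trade-off visible. The `.PHONY` list on the last line still omits `namespace` and `get-secrets`.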
diff --git a/kubernetes/backend-deployment.yaml b/kubernetes/backend-deployment.yaml
index 4738c04..10cbf9f 100644
--- a/kubernetes/backend-deployment.yaml
+++ b/kubernetes/backend-deployment.yaml
@@ -18,10 +18,30 @@ spec:
     spec:
       containers:
       - env:
+        - name: RABBITMQ_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: rabbitmq-credentials
+              key: username
+        - name: RABBITMQ_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: rabbitmq-credentials
+              key: password
+        - name: MONGODB_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: username
+        - name: MONGODB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: password
         - name: AMQP_ENDPOINT
-          value: amqp://villas:s3c0sim4!@broker/%2F
+          value: amqp://$(RABBITMQ_USERNAME):$(RABBITMQ_PASSWORD)@broker/%2F
         - name: DATABASE_URL
-          value: mongodb://database:27017/
+          value: mongodb://$(MONGODB_USERNAME):$(MONGODB_PASSWORD)@database:27017/
         - name: DEFAULT_ADMIN
           value: "true"
         - name: LOG_FILE
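Review bot: The secret values are interpolated unescaped into the `AMQP_ENDPOINT` and `DATABASE_URL` URLs via `$(RABBITMQ_PASSWORD)` and `$(MONGODB_PASSWORD)`, which only works because `pwgen -c1 16` without `-y` emits letters and digits; anyone switching the generator to one that emits `@`, `/`, `:` or `%` would break both URLs with no obvious error, so pin that assumption with a comment such as `# password is spliced into a URL unescaped; it must stay URL-safe (no symbols)` above the two `value:` lines. The same interpolation appears in the controller `args` in controller-deployment.yaml. The backend also now authenticates to MongoDB with the root account created by `MONGO_INITDB_ROOT_*` in database-deployment.yaml; an application-scoped user would be the least-privilege shape, though that is a larger change than this commit.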
diff --git a/kubernetes/broker-deployment.yaml b/kubernetes/broker-deployment.yaml
index 47cff24..0f9090a 100644
--- a/kubernetes/broker-deployment.yaml
+++ b/kubernetes/broker-deployment.yaml
@@ -23,9 +23,15 @@ spec:
         - name: RABBITMQ_NODE_PORT
           value: "5672"
         - name: RABBITMQ_DEFAULT_PASS
-          value: "s3c0sim4!"
+          valueFrom:
+            secretKeyRef:
+              name: rabbitmq-credentials
+              key: password
         - name: RABBITMQ_DEFAULT_USER
-          value: villas
+          valueFrom:
+            secretKeyRef:
+              name: rabbitmq-credentials
+              key: username
         - name: RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS
           value: -rabbitmq_management path_prefix "/rabbitmq"
         ports:
diff --git a/kubernetes/controller-deployment.yaml b/kubernetes/controller-deployment.yaml
index c146ca1..dbb7490 100644
--- a/kubernetes/controller-deployment.yaml
+++ b/kubernetes/controller-deployment.yaml
@@ -17,15 +17,26 @@ spec:
       - args:
         - villas-ctl
         - -b
-        - amqp://villas:s3c0sim4!@broker/%2F
+        - amqp://$(RABBITMQ_USERNAME):$(RABBITMQ_PASSWORD)@broker/%2F
         - -c
         - /etc/villas/controller/config.json
         - daemon
-        image: registry.git.rwth-aachen.de/acs/public/villas/controller
+        image: registry.git.rwth-aachen.de/acs/public/villas/controller:demo-v0.1
         name: controller
         volumeMounts:
         - mountPath: /etc/villas/controller/
           name: config
+        env:
+        - name: RABBITMQ_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: rabbitmq-credentials
+              key: username
+        - name: RABBITMQ_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: rabbitmq-credentials
+              key: password
       volumes:
       - name: config
         configMap:
diff --git a/kubernetes/database-deployment.yaml b/kubernetes/database-deployment.yaml
index ffd90b5..b5bcf7e 100644
--- a/kubernetes/database-deployment.yaml
+++ b/kubernetes/database-deployment.yaml
@@ -22,6 +22,17 @@ spec:
         ports:
         - containerPort: 27017
           name: mongodb
+        env:
+        - name: MONGO_INITDB_ROOT_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: username
+        - name: MONGO_INITDB_ROOT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: password
       volumes:
       - name: database
         persistentVolumeClaim:
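Review bot: The new `MONGO_INITDB_ROOT_USERNAME`/`MONGO_INITDB_ROOT_PASSWORD` variables presumably take effect only when the data volume is initialised for the first time, and this container mounts a `persistentVolumeClaim`, so a cluster that already ran the previous unauthenticated deployment may keep a data directory without that user and every consumer referencing `mongodb-credentials` would then fail to authenticate. The same applies if `mongodb-credentials` is ever deleted and regenerated by the Makefile while the PVC survives. A comment on the `env:` block, `# root user is created only on an empty volume; an existing PVC keeps its previous users and password`, would save the next operator that debugging session.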
diff --git a/kubernetes/mongo-express-deployment.yaml b/kubernetes/mongo-express-deployment.yaml
index c4f3ee2..c9cf64e 100644
--- a/kubernetes/mongo-express-deployment.yaml
+++ b/kubernetes/mongo-express-deployment.yaml
@@ -20,10 +20,26 @@ spec:
       - image: mongo-express:0.49.0
         name: mongo-express
         env:
+        - name: ME_CONFIG_MONGODB_ADMINUSERNAME
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: username
+        - name: ME_CONFIG_MONGODB_ADMINPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: password
         - name: ME_CONFIG_BASICAUTH_PASSWORD
-          value: mongo-admin
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: password
         - name: ME_CONFIG_BASICAUTH_USERNAME
-          value: admin
+          valueFrom:
+            secretKeyRef:
+              name: mongodb-credentials
+              key: username
         - name: ME_CONFIG_MONGODB_SERVER
           value: database
         - name: ME_CONFIG_SITE_BASEURL
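Review bot: `ME_CONFIG_BASICAUTH_PASSWORD` and `ME_CONFIG_BASICAUTH_USERNAME` now read the same `mongodb-credentials` keys as the admin connection, so the web UI's HTTP basic-auth password is the MongoDB root password; anyone who can read the login page's traffic or an exposed ingress log obtains database-root access. A separate secret for the UI login (for example a fourth `create secret generic` line in the Makefile, name to be chosen) would keep the two trust boundaries apart at no extra cost. If reuse is intentional for this demo, a comment such as `# intentionally reuses the DB root password for the UI login (demo only)` should say so.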
-- 
GitLab