k8s vs vault secret option (#18)

* k8s vs vault secret option

* k8s vs vault secret option

* k8s vs vault secret option

Author: paulparkinson

grabdish/atp-secrets-setup/deleteAll.sh

@@ -3,13 +3,13 @@
 ## Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
 
-echo deleting all secrets in msdataworkshop namespace...
-kubectl delete --all secrets --namespace=msdataworkshop
+echo deleting secrets in msdataworkshop namespace...
+kubectl delete secret atp-demo-binding-inventory --namespace=msdataworkshop
+kubectl delete secret atp-demo-binding-order --namespace=msdataworkshop
+
 
 echo deleting generated-yaml dir...
 rm -rf generated-yaml
 
-echo deleting wallet dirs...
-rm -rf orderdbwallet
-rm -rf inventorydbwallet
-rm -rf tls
+echo deleting wallet dir...
+rm -rf wallet

grabdish/atpaqadmin/atpaqadmin-deployment.yaml

@@ -54,6 +54,12 @@ spec:
           value: "%OCI_REGION%"
         - name: VAULT_SECRET_OCID
           value: "%VAULT_SECRET_OCID%"
+        - name: dbpassword
+          valueFrom:
+            secretKeyRef:
+              name: dbuser
+              key: dbpassword
+              optional: true #not needed/used if using VAULT_SECRET_OCID exists
         - name: cwalletobjecturi
           value: "%cwalletobjecturi%"
         - name: orderhostname

grabdish/atpaqadmin/src/main/java/oracle/db/microservices/ATPAQAdminResource.java

@@ -15,7 +15,6 @@
 import javax.enterprise.event.Observes;
 import javax.inject.Inject;
 import javax.inject.Named;
-import javax.sql.DataSource;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -27,6 +26,7 @@ public class ATPAQAdminResource {
   PropagationSetup propagationSetup;
   static String regionId = System.getenv("OCI_REGION").trim();
   static String pwSecretOcid = System.getenv("VAULT_SECRET_OCID").trim();
+  static String pwSecretFromK8s = System.getenv("dbpassword");
   static String orderuser = "ORDERUSER";
   static String orderpw;
   static String inventoryuser = "INVENTORYUSER";
@@ -61,8 +61,14 @@ public class ATPAQAdminResource {
   private PoolDataSource inventorypdbDataSource;
 
   public void init(@Observes @Initialized(ApplicationScoped.class) Object init) throws SQLException {
-    System.out.println("ATPAQAdminResource.init " + init);
-    orderpw = inventorypw = OCISDKUtility.getSecreteFromVault(true, regionId, pwSecretOcid);
+    String pw;
+    if(!"".equals(pwSecretOcid.trim())) {
+      System.out.println("Using OCI Vault secret");
+      pw = OCISDKUtility.getSecreteFromVault(true, regionId, pwSecretOcid);
+    } else {
+      pw = pwSecretFromK8s;
+    }
+    orderpw = inventorypw = pw;
     orderpdbDataSource.setUser("ADMIN");
     orderpdbDataSource.setPassword(orderpw);
     inventorypdbDataSource.setUser("ADMIN");

grabdish/createATPPDBs.sh

@@ -28,9 +28,13 @@ then
   echo Usage example :  ./createATPPDBs.sh ocid1.vaultsecret.oc1.phx.DBADMINSECRETOCIDd3ejhlewv3wieyd5q ocid1.vaultsecret.oc1.phx.FRONTENDAUTHSECRETOCIDd3ejhlewv3wieyd5q
   exit
 fi
-echo $1 > $WORKINGDIR/msdataworkshopvaultsecretocid.txt
 
-PASSWORD=`oci secrets secret-bundle get --secret-id $1 --query "data.\"secret-bundle-content\".content" --raw-output | base64 --decode`
+
+echo "" > $WORKINGDIR/msdataworkshopvaultsecretocid.txt
+# todo if(!greenbutton) echo $1 > $WORKINGDIR/msdataworkshopvaultsecretocid.txt
+
+PASSWORDENCODED=`oci secrets secret-bundle get --secret-id $1 --query "data.\"secret-bundle-content\".content" --raw-output`
+PASSWORD=`echo -n Welcome12345 | base64`
 umask 177
 cat >pw <<!
 { "adminPassword": "$PASSWORD" }
@@ -39,11 +43,25 @@ echo create order PDB...
 oci db autonomous-database create --compartment-id $MSDATAWORKSHOP_COMPARTMENT_ID --cpu-core-count 1 --data-storage-size-in-tbs 1 --db-name ORDERDB --display-name ORDERDB --from-json file://pw | jq --raw-output '.data | .["id"] '> $WORKINGDIR/msdataworkshoporderdbid.txt
 echo create inventory PDB...
 oci db autonomous-database create --compartment-id $MSDATAWORKSHOP_COMPARTMENT_ID --cpu-core-count 1 --data-storage-size-in-tbs 1 --db-name INVENTORYDB --display-name INVENTORYDB --from-json file://pw | jq --raw-output '.data | .["id"] '> $WORKINGDIR/msdataworkshopinventorydbid.txt
-rm pw
 
 echo create msdataworkshop namespace
 kubectl create namespace msdataworkshop
 
+echo create db pw secret...
+kubectl create -n msdataworkshop -f - <<!
+{
+   "apiVersion": "v1",
+   "kind": "Secret",
+   "metadata": {
+      "name": "dbuser"
+   },
+   "data": {
+      "dbpassword": "${PASSWORDENCODED}"
+   }
+}
+!
+rm pw
+
 echo create frontendadmin auth secret...
 AUTHPASSWORD=`oci secrets secret-bundle get --secret-id $2 --query "data.\"secret-bundle-content\".content" --raw-output`
 kubectl create -n msdataworkshop -f - <<!
@@ -58,3 +76,4 @@ kubectl create -n msdataworkshop -f - <<!
    }
 }
 !
+

grabdish/frontend-helidon/frontend-helidon-deployment-2021-04-01_13:20:41.yaml

@@ -0,0 +1,31 @@
+
+##
+## Copyright (c) 2021 Oracle and/or its affiliates.
+## Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend-helidon
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: frontend
+  template:
+    metadata:
+      labels:
+        app: frontend
+        version: helidon-mp
+    spec:
+      containers:
+      - name: frontend
+        image: %DOCKER_REGISTRY%/frontend-helidon:0.1
+        imagePullPolicy: Always
+        env:
+          - name: SECRETS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: frontendadmin
+                key: password
+        ports:
+        - containerPort: 8080

grabdish/inventory-helidon-se/dependency-reduced-pom.xml

@@ -1,12 +1,3 @@
-<!--
-
-
-##
-## Copyright (c) 2021 Oracle and/or its affiliates.
-## Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
-
-
--->
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
@@ -113,7 +104,7 @@
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
-      <version>4.13</version>
+      <version>4.13.1</version>
       <scope>test</scope>
       <exclusions>
         <exclusion>
@@ -125,7 +116,7 @@
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
-      <version>2.10.2</version>
+      <version>2.10.5.1</version>
       <scope>provided</scope>
     </dependency>
     <dependency>
@@ -188,21 +179,39 @@
       <version>1.4.3</version>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>com.oracle.oci.sdk</groupId>
+      <artifactId>oci-java-sdk-vault</artifactId>
+      <version>1.32.2</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.oracle.oci.sdk</groupId>
+      <artifactId>oci-java-sdk-common</artifactId>
+      <version>1.32.2</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.oracle.oci.sdk</groupId>
+      <artifactId>oci-java-sdk-secrets</artifactId>
+      <version>1.32.2</version>
+      <scope>provided</scope>
+    </dependency>
   </dependencies>
   <properties>
     <project.build.targetEncoding>UTF-8</project.build.targetEncoding>
     <java.version>1.8</java.version>
     <docker.image.prefix>${env.DOCKER_REGISTRY}</docker.image.prefix>
     <docker.image.version>${env.IMAGE_VERSION}</docker.image.version>
-    <jackson.version>2.10.2</jackson.version>
+    <jackson.version>2.10.5.1</jackson.version>
     <compiler-plugin.version>3.8.1</compiler-plugin.version>
     <jar-plugin.version>3.2.0</jar-plugin.version>
     <lombok.version>1.18.2</lombok.version>
     <docker.image.name>${env.IMAGE_NAME}</docker.image.name>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <jar.main.class>com.helidon.se.Main</jar.main.class>
     <skipTests>true</skipTests>
-    <junit.version>4.13</junit.version>
+    <junit.version>4.13.1</junit.version>
     <ojdbc10.version>19.3.0.0</ojdbc10.version>
     <helidon.version>1.4.3</helidon.version>
     <shade-plugin.version>3.2.1</shade-plugin.version>

grabdish/inventory-helidon-se/inventory-helidon-se-deployment.yaml

@@ -76,6 +76,12 @@ spec:
               value: "%OCI_REGION%"
             - name: VAULT_SECRET_OCID
               value: "%VAULT_SECRET_OCID%"
+            - name: dbpassword
+              valueFrom:
+                secretKeyRef:
+                  name: dbuser
+                  key: dbpassword
+                  optional: true #not needed/used if using VAULT_SECRET_OCID exists
       restartPolicy: Always
       volumes:
         - name: creds-raw

grabdish/inventory-helidon/inventory-helidon-deployment.yaml

@@ -45,6 +45,12 @@ spec:
           value: "%OCI_REGION%"
         - name: VAULT_SECRET_OCID
           value: "%VAULT_SECRET_OCID%"
+        - name: dbpassword
+          valueFrom:
+            secretKeyRef:
+              name: dbuser
+              key: dbpassword
+              optional: true #not needed/used if using VAULT_SECRET_OCID exists
         volumeMounts:
         - name: creds
           mountPath: /msdataworkshop/creds

grabdish/inventory-helidon/src/main/java/io/helidon/data/examples/InventoryResource.java

@@ -29,6 +29,7 @@ public class InventoryResource {
     PoolDataSource atpInventoryPDB;
     static String regionId = System.getenv("OCI_REGION").trim();
     static String pwSecretOcid = System.getenv("VAULT_SECRET_OCID").trim();
+    static String pwSecretFromK8s = System.getenv("dbpassword").trim();
     static String inventoryuser = "INVENTORYUSER";
     static String inventorypw;
     static String inventoryQueueName = "inventoryqueue";
@@ -40,12 +41,16 @@ public class InventoryResource {
 
     public void init(@Observes @Initialized(ApplicationScoped.class) Object init) throws SQLException {
         System.out.println("InventoryResource.init " + init);
-        String secreteFromVault = OCISDKUtility.getSecreteFromVault(true, regionId, pwSecretOcid);
-        inventorypw = secreteFromVault;
+        String pw;
+        if(!pwSecretOcid.trim().equals("")) {
+            pw = OCISDKUtility.getSecreteFromVault(true, regionId, pwSecretOcid);
+        } else {
+            pw = pwSecretFromK8s;
+        }
+        inventorypw = pw;
         atpInventoryPDB.setUser(inventoryuser);
-        atpInventoryPDB.setPassword(secreteFromVault);
+        atpInventoryPDB.setPassword(pw);
         inventoryuser = atpInventoryPDB.getUser();
-        System.out.println("InventoryResource.init inventoryuser:" + inventoryuser + " inventorypw:" + inventorypw);
         try (Connection connection  = atpInventoryPDB.getConnection()) { //fail if connection is not successful rather than go into listening loop
             System.out.println("InventoryResource.init connection:" + connection);
         }

grabdish/inventory-nodejs/inventory-nodejs-deployment.yaml

@@ -59,6 +59,12 @@ spec:
             value: "%OCI_REGION%"
           - name: VAULT_SECRET_OCID
             value: "%VAULT_SECRET_OCID%"
+          - name: dbpassword
+            valueFrom:
+              secretKeyRef:
+                name: dbuser
+                key: dbpassword
+                optional: true #not needed/used if using VAULT_SECRET_OCID exists
         readinessProbe:
           exec:
             command: