Fix capi-pcidss configs (#61)

Add oops bodies
Use general value key names
Remove salt template parts from v1 configs
Andrey Fadeev 2020-10-07 18:39:47 +03:00 committed by GitHub
parent 0a92b19a56
commit 1cdb59ba5d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 88 additions and 32 deletions


@ -58,7 +58,7 @@
jwt => #{ jwt => #{
keyset => #{ keyset => #{
keycloak => {pem_file, "/var/lib/capi/keys/keycloak/keycloak.pubkey.pem"}, keycloak => {pem_file, "/var/lib/capi/keys/keycloak/keycloak.pubkey.pem"},
capi => {pem_file, "/var/lib/capi/keys/private.pem" } capi => {pem_file, "/var/lib/capi/keys/capi.privkey.pem"}
} }
}, },
access => #{ access => #{
@ -69,11 +69,11 @@
} }
}}, }},
{oops_bodies, #{ {oops_bodies, #{
500 => "{{ kitty_file1 }}", 500 => "/var/lib/capi/oops-bodies/oops-body1",
501 => "{{ kitty_file1 }}", 501 => "/var/lib/capi/oops-bodies/oops-body1",
502 => "{{ kitty_file1 }}", 502 => "/var/lib/capi/oops-bodies/oops-body1",
503 => "{{ kitty_file2 }}", 503 => "/var/lib/capi/oops-bodies/oops-body2",
504 => "{{ kitty_file2 }}" 504 => "/var/lib/capi/oops-bodies/oops-body2"
}}, }},
{health_checkers, [ {health_checkers, [
{erl_health, disk , ["/", 99]}, {erl_health, disk , ["/", 99]},
@ -81,8 +81,10 @@
{erl_health, service , [<<"capi-pcidss-v1">>]} {erl_health, service , [<<"capi-pcidss-v1">>]}
]}, ]},
{lechiffre_opts, #{ {lechiffre_opts, #{
encryption_key_path => <<"/var/lib/capi/keys/jwk.json">>, encryption_key_path => <<"/var/lib/capi/keys/token_encryption_key1.jwk">>,
decryption_key_paths => [<<"/var/lib/capi/keys/jwk.json">>] decryption_key_paths => [
<<"/var/lib/capi/keys/token_encryption_key1.jwk">>
]
}}, }},
{validation, #{ {validation, #{
%% By default now = current datetime. %% By default now = current datetime.
@ -103,7 +105,5 @@
{os_mon, [ {os_mon, [
{disksup_posix_only, true} {disksup_posix_only, true}
]}, ]}
{snowflake, [{machine_id, {{ salt['pillar.get']('snowflake:machine-id:' + grains['id']) }}}]}
]. ].
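Review bot: Dropping the `{snowflake, [{machine_id, ...}]}` entry in the last hunk (at -103) removes the only per-node machine_id setting without replacing it; if the snowflake application is still started by this release, every replica will presumably fall back to the same built-in default, which defeats the per-machine uniqueness an id generator of that kind relies on. The salt lookup had to go, but either a value sourced from the chart (a Values entry or a pod ordinal) or a comment stating that snowflake is no longer used by capi-pcidss-v1 should take its place, e.g. `%% snowflake machine_id is no longer set here: <state where it now comes from, or that the app is unused>`. The capi-pcidss-v2 sys.config hunks in this commit show no snowflake entry at all, so I cannot tell whether v1 diverged on purpose.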


@ -58,7 +58,7 @@
jwt => #{ jwt => #{
keyset => #{ keyset => #{
keycloak => {pem_file, "/var/lib/capi/keys/keycloak/keycloak.pubkey.pem"}, keycloak => {pem_file, "/var/lib/capi/keys/keycloak/keycloak.pubkey.pem"},
capi => {pem_file, "/var/lib/capi/keys/private.pem" } capi => {pem_file, "/var/lib/capi/keys/capi.privkey.pem"}
} }
}, },
access => #{ access => #{
@ -68,7 +68,13 @@
} }
} }
}}, }},
{oops_bodies, #{}}, {oops_bodies, #{
500 => "/var/lib/capi/oops-bodies/oops-body1",
501 => "/var/lib/capi/oops-bodies/oops-body1",
502 => "/var/lib/capi/oops-bodies/oops-body1",
503 => "/var/lib/capi/oops-bodies/oops-body2",
504 => "/var/lib/capi/oops-bodies/oops-body2"
}},
{health_checkers, [ {health_checkers, [
{erl_health, disk , ["/", 99]}, {erl_health, disk , ["/", 99]},
{erl_health, cg_memory, [70]}, {erl_health, cg_memory, [70]},
@ -76,8 +82,10 @@
]}, ]},
{max_request_deadline, 60000}, % milliseconds {max_request_deadline, 60000}, % milliseconds
{lechiffre_opts, #{ {lechiffre_opts, #{
encryption_key_path => <<"/var/lib/capi/keys/jwk.json">>, encryption_key_path => <<"/var/lib/capi/keys/token_encryption_key1.jwk">>,
decryption_key_paths => [<<"/var/lib/capi/keys/jwk.json">>] decryption_key_paths => [
<<"/var/lib/capi/keys/token_encryption_key1.jwk">>
]
}}, }},
{validation, #{ {validation, #{
%% By default now = current datetime. %% By default now = current datetime.
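Review bot: The new `oops_bodies` map in the second hunk hardcodes five absolute paths under /var/lib/capi/oops-bodies with nothing saying where those files come from or why 500–502 share one body and 503–504 another; a reader of sys.config alone cannot connect them to the `oops-bodies` ConfigMap volume that the deployment template in this commit mounts at that path. A short comment above the map would do, e.g. `%% Files are provided by the <release>-oops-bodies ConfigMap mounted at /var/lib/capi/oops-bodies (see templates/deployment.yaml)`. The identical map is added to the capi-pcidss-v1 sys.config in this commit and would take the same comment.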


@ -1,4 +1,4 @@
version: v0.130.0 version: 0.128.0
dependencies: dependencies:
- name: consul - name: consul
repository: https://kubernetes-charts.storage.googleapis.com repository: https://kubernetes-charts.storage.googleapis.com
@ -18,5 +18,5 @@ dependencies:
- name: zookeeper - name: zookeeper
repository: https://kubernetes-charts-incubator.storage.googleapis.com repository: https://kubernetes-charts-incubator.storage.googleapis.com
version: 2.1.3 version: 2.1.3
digest: sha256:7c0791eacdaee9bcbdf186ef6171aca3c06c79f360cfec3abc3f34f7e1fd50a9 digest: sha256:4b3dec413fd867399ba7099a0f940ee145435fce0e5f267a6c5244b09fc65567
generated: "2020-10-07T11:55:17.658461+03:00" generated: "2020-10-07T19:26:45.913498+05:00"


@ -170,10 +170,14 @@ releases:
file: config/capi-pcidss-v2/sys.config file: config/capi-pcidss-v2/sys.config
- name: vmConfig - name: vmConfig
file: config/vm/erl_inetrc file: config/vm/erl_inetrc
- name: privatePem - name: oopsBody1
file: config/api-common/keys/capi.privkey.pem file: config/api-common/oops-bodies/sad-kitty1
- name: oopsBody2
file: config/api-common/oops-bodies/sad-kitty2
- name: tokenEncryptionKey1 - name: tokenEncryptionKey1
file: config/api-common/keys/token-encryption-keys/1.jwk file: config/api-common/keys/token-encryption-keys/1.jwk
- name: capiPrivkey
file: config/api-common/keys/capi.privkey.pem
needs: needs:
- default/keycloak - default/keycloak
- name: capi-pcidss-v1 - name: capi-pcidss-v1
@ -185,10 +189,14 @@ releases:
file: config/capi-pcidss-v1/sys.config file: config/capi-pcidss-v1/sys.config
- name: vmConfig - name: vmConfig
file: config/vm/erl_inetrc file: config/vm/erl_inetrc
- name: privatePem - name: oopsBody1
file: config/api-common/keys/capi.privkey.pem file: config/api-common/oops-bodies/sad-kitty1
- name: oopsBody2
file: config/api-common/oops-bodies/sad-kitty2
- name: tokenEncryptionKey1 - name: tokenEncryptionKey1
file: config/api-common/keys/token-encryption-keys/1.jwk file: config/api-common/keys/token-encryption-keys/1.jwk
- name: capiPrivkey
file: config/api-common/keys/capi.privkey.pem
needs: needs:
- default/keycloak - default/keycloak
- name: url-shortener - name: url-shortener
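Review bot: The `values:` lists in both hunks now mix public content (oopsBody1/oopsBody2, which the new oops-bodies.yaml renders into a ConfigMap) with private key material (tokenEncryptionKey1, capiPrivkey, which secret.yaml renders into the release Secret) with nothing distinguishing them, so the next person adding an entry has no cue about which template a value lands in. Helmfile passes every entry here to Helm as an ordinary chart value, so a comment per group keeps that boundary visible, e.g. `# public: rendered into the oops-bodies ConfigMap` above oopsBody1 and `# sensitive: rendered into the release Secret; keep out of logs and diffs` above tokenEncryptionKey1. The same structure is repeated for capi-pcidss-v1 in the second hunk and would take the same comments.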


@ -52,12 +52,14 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }} {{- end }}
{{/* {{/*
Configs hash Create the configs hash
*/}} */}}
{{- define "capi-pcidss-v1.propertiesHash" -}} {{- define "capi-pcidss-v1.propertiesHash" -}}
{{- $config := include (print $.Template.BasePath "/configmap.yaml") . | sha256sum -}} {{- $configmap_path := print $.Template.BasePath "/configmap.yaml" -}}
{{- $oopsbodies_path := print $.Template.BasePath "/oops-bodies.yaml" -}}
{{- $config := cat (include $configmap_path .) (include $oopsbodies_path .) | sha256sum -}}
{{- $secret := include (print $.Template.BasePath "/secret.yaml") . | sha256sum -}} {{- $secret := include (print $.Template.BasePath "/secret.yaml") . | sha256sum -}}
{{ print $secret $config | sha256sum }} {{- print $secret $config | sha256sum -}}
{{- end -}} {{- end -}}
{{/* {{/*
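Review bot: The reworded comment `Create the configs hash` still does not say what the hash is for or that it now covers oops-bodies.yaml, which is the whole point of the two added `$oopsbodies_path` and `cat` lines; the intent (presumably a pod-template annotation that forces a rollout when any of the three rendered templates changes) should be stated where the helper is defined. Suggest `Hash of the rendered configmap, oops-bodies and secret templates; changes whenever any of them changes`. The capi-pcidss-v2 helper in this commit receives the identical change and the same comment applies there.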


@ -74,6 +74,9 @@ spec:
mountPath: /opt/capi_pcidss/erl_inetrc mountPath: /opt/capi_pcidss/erl_inetrc
subPath: erl_inetrc subPath: erl_inetrc
readOnly: true readOnly: true
- name: oops-bodies
mountPath: /var/lib/capi/oops-bodies
readOnly: true
- name: secret - name: secret
mountPath: /var/lib/capi/keys mountPath: /var/lib/capi/keys
readOnly: true readOnly: true
@ -96,6 +99,9 @@ spec:
path: vm.args path: vm.args
- key: erl_inetrc - key: erl_inetrc
path: erl_inetrc path: erl_inetrc
- name: oops-bodies
configMap:
name: {{ include "capi-pcidss-v1.fullname" . }}-oops-bodies
- name: secret - name: secret
secret: secret:
secretName: {{ include "capi-pcidss-v1.fullname" . }} secretName: {{ include "capi-pcidss-v1.fullname" . }}


@ -0,0 +1,12 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "capi-pcidss-v1.fullname" . }}-oops-bodies
labels:
{{- include "capi-pcidss-v1.labels" . | nindent 4 }}
data:
oops-body1: |
{{ .Values.oopsBody1 | nindent 4 }}
oops-body2: |
{{ .Values.oopsBody2 | nindent 4 }}
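Review bot: `oops-body1: |` followed by `{{ .Values.oopsBody1 | nindent 4 }}` on its own line renders a blank line before the first content line, because nindent emits a leading newline and the template's own newline after `|` is not trimmed; a leading empty line inside a literal block scalar is kept, so each served body starts with an extra newline. Trimming it is a one-character change per entry: `{{- .Values.oopsBody1 | nindent 4 }}` and `{{- .Values.oopsBody2 | nindent 4 }}`. A missing value is also unguarded here, and nindent on an unset value presumably fails the render with an unhelpful type error rather than a readable message, so `{{- required "oopsBody1 is required" .Values.oopsBody1 | nindent 4 }}` is worth considering. The capi-pcidss-v2 oops-bodies.yaml added in this commit has the same lines.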


@ -5,5 +5,5 @@ metadata:
name: {{ include "capi-pcidss-v1.fullname" . }} name: {{ include "capi-pcidss-v1.fullname" . }}
type: Opaque type: Opaque
data: data:
private.pem: {{ .Values.privatePem | b64enc | quote }} token_encryption_key1.jwk: {{ .Values.tokenEncryptionKey1 | b64enc | quote }}
jwk.json: {{ .Values.tokenEncryptionKey1 | b64enc | quote }} capi.privkey.pem: {{ .Values.capiPrivkey | b64enc | quote }}
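Review bot: Neither new `data:` entry guards against the value being unset, so a release rendered without `capiPrivkey` or `tokenEncryptionKey1` (for example a stale helmfile still supplying `privatePem`, which this commit renames) either fails at `b64enc` with an unhelpful type error or, depending on the loader, yields an empty entry whose absence only shows up when the service tries to read /var/lib/capi/keys/capi.privkey.pem. Helm's `required` makes the render fail with a clear message instead: `token_encryption_key1.jwk: {{ required "tokenEncryptionKey1 is required" .Values.tokenEncryptionKey1 | b64enc | quote }}` and `capi.privkey.pem: {{ required "capiPrivkey is required" .Values.capiPrivkey | b64enc | quote }}`. The capi-pcidss-v2 secret.yaml in this commit has the same two lines.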


@ -52,12 +52,14 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }} {{- end }}
{{/* {{/*
Configs hash Create the configs hash
*/}} */}}
{{- define "capi-pcidss-v2.propertiesHash" -}} {{- define "capi-pcidss-v2.propertiesHash" -}}
{{- $config := include (print $.Template.BasePath "/configmap.yaml") . | sha256sum -}} {{- $configmap_path := print $.Template.BasePath "/configmap.yaml" -}}
{{- $oopsbodies_path := print $.Template.BasePath "/oops-bodies.yaml" -}}
{{- $config := cat (include $configmap_path .) (include $oopsbodies_path .) | sha256sum -}}
{{- $secret := include (print $.Template.BasePath "/secret.yaml") . | sha256sum -}} {{- $secret := include (print $.Template.BasePath "/secret.yaml") . | sha256sum -}}
{{ print $secret $config | sha256sum }} {{- print $secret $config | sha256sum -}}
{{- end -}} {{- end -}}
{{/* {{/*


@ -74,6 +74,9 @@ spec:
mountPath: /opt/capi_pcidss/erl_inetrc mountPath: /opt/capi_pcidss/erl_inetrc
subPath: erl_inetrc subPath: erl_inetrc
readOnly: true readOnly: true
- name: oops-bodies
mountPath: /var/lib/capi/oops-bodies
readOnly: true
- name: secret - name: secret
mountPath: /var/lib/capi/keys mountPath: /var/lib/capi/keys
readOnly: true readOnly: true
@ -96,6 +99,9 @@ spec:
path: vm.args path: vm.args
- key: erl_inetrc - key: erl_inetrc
path: erl_inetrc path: erl_inetrc
- name: oops-bodies
configMap:
name: {{ include "capi-pcidss-v2.fullname" . }}-oops-bodies
- name: secret - name: secret
secret: secret:
secretName: {{ include "capi-pcidss-v2.fullname" . }} secretName: {{ include "capi-pcidss-v2.fullname" . }}


@ -0,0 +1,12 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "capi-pcidss-v2.fullname" . }}-oops-bodies
labels:
{{- include "capi-pcidss-v2.labels" . | nindent 4 }}
data:
oops-body1: |
{{ .Values.oopsBody1 | nindent 4 }}
oops-body2: |
{{ .Values.oopsBody2 | nindent 4 }}


@ -5,5 +5,5 @@ metadata:
name: {{ include "capi-pcidss-v2.fullname" . }} name: {{ include "capi-pcidss-v2.fullname" . }}
type: Opaque type: Opaque
data: data:
private.pem: {{ .Values.privatePem | b64enc | quote }} token_encryption_key1.jwk: {{ .Values.tokenEncryptionKey1 | b64enc | quote }}
jwk.json: {{ .Values.tokenEncryptionKey1 | b64enc | quote }} capi.privkey.pem: {{ .Values.capiPrivkey | b64enc | quote }}