From f739bd6b7e48edad36966a00894dc08de0c4de21 Mon Sep 17 00:00:00 2001
From: Grzegorz-Lis
Date: Wed, 4 Aug 2021 06:59:03 +0000
Subject: Improve VES Client helm charts in order to use certificates from AAF or CMPv2

Issue-ID: INT-1954
Signed-off-by: Grzegorz Lis
Change-Id: I449350101e8af43aabefccded31d6c6c5e717c2c
---
 helm/ves-client/Chart.yaml | 11 ++-
 helm/ves-client/templates/NOTES.txt | 17 +++++
 helm/ves-client/templates/_helpers.tpl | 11 ++-
 helm/ves-client/templates/certificate.yaml | 41 ++++++++++
 helm/ves-client/templates/configmap.yaml | 11 +--
 helm/ves-client/templates/deployment.yaml | 78 ++++++++++++++++---
 helm/ves-client/templates/secret.yaml | 8 ++
 helm/ves-client/templates/service.yaml | 2 +-
 helm/ves-client/values.yaml | 116 +++++++++++++++++++++++++----
 helm/ves-client/values_aaf.yaml | 33 ++++++++
 helm/ves-client/values_basic.yaml | 15 ++++
 helm/ves-client/values_cmpv2.yaml | 33 ++++++++
 12 files changed, 335 insertions(+), 41 deletions(-)
 create mode 100644 helm/ves-client/templates/NOTES.txt
 create mode 100644 helm/ves-client/templates/certificate.yaml
 create mode 100644 helm/ves-client/templates/secret.yaml
 create mode 100644 helm/ves-client/values_aaf.yaml
 create mode 100644 helm/ves-client/values_basic.yaml
 create mode 100644 helm/ves-client/values_cmpv2.yaml

diff --git a/helm/ves-client/Chart.yaml b/helm/ves-client/Chart.yaml
index 1629944..613c988 100644
--- a/helm/ves-client/Chart.yaml
+++ b/helm/ves-client/Chart.yaml
@@ -26,9 +26,12 @@ dependencies:
 version: 10.x
 repository: https://charts.bitnami.com/bitnami
 condition: mongodb.enabled
- - name: mongo-express
- version: 2.x
- repository: https://cowboysysop.github.io/charts/
- - name: repositoryGenerator
+ - name: certInitializer
 version: ~8.x-0
 repository: '@local'
+ - name: common
+ version: ~8.x-0
+ # local reference to common chart, as it is
+ # a part of this chart's package and will not
+ # be published independently to a repo (at this point)
+ repository: '@local'
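Review bot: The new `certInitializer` dependency carries no `condition:`, unlike the `mongodb` entry a few lines above it, so the AAF cert-initializer subchart is pulled into every install even when the chart's `certMethod` switch (which lives in the deployment template, not here) selects the basic or CMPv2 path. A `condition: certInitializer.enabled` line beside `version: ~8.x-0` would let those profiles leave it out; whether the `common.certInitializer.*` helpers tolerate the subchart being disabled cannot be told from this hunk, so that would need checking against the common chart.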
diff --git a/helm/ves-client/templates/NOTES.txt b/helm/ves-client/templates/NOTES.txt
new file mode 100644
index 0000000..d6e6f53
--- /dev/null
+++ b/helm/ves-client/templates/NOTES.txt
@@ -0,0 +1,17 @@
+Application Configuration
+
+Basic authentication:
+config:
+ useCerts: false
+
+Certificate authentication with AAF:
+config:
+ useCerts: true
+
+certMethod: "aaf"
+
+Certificate authentication with CMPv2:
+config:
+ useCerts: true
+
+certMethod: "cmpv2"
diff --git a/helm/ves-client/templates/_helpers.tpl b/helm/ves-client/templates/_helpers.tpl
index 1d8fd9f..e64ffcf 100644
--- a/helm/ves-client/templates/_helpers.tpl
+++ b/helm/ves-client/templates/_helpers.tpl
@@ -1,4 +1,3 @@
-{{/* vim: set filetype=mustache: */}}
 {{/*
 Expand the name of the chart.
 */}}
@@ -51,3 +50,13 @@ app.kubernetes.io/name: {{ include "ves-client.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ves-client.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ves-client.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/helm/ves-client/templates/certificate.yaml b/helm/ves-client/templates/certificate.yaml
new file mode 100644
index 0000000..4dc0110
--- /dev/null
+++ b/helm/ves-client/templates/certificate.yaml
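Review bot: `ves-client.serviceAccountName` dereferences `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but the values.yaml hunk in this commit defines no `serviceAccount` block and none of the templates in the diff include the helper, so it is dead code today and would fail with a nil-pointer error on `.create` the first time it is invoked. Either add `serviceAccount: {create: false, name: ""}` to values.yaml and reference the helper from the deployment's pod spec, or leave the definition out until a template needs it.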
@@ -0,0 +1,41 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+{{- with .Values.certificates }}
+metadata:
+ name: {{ .name }}
+ namespace: {{ .namespace }}
+spec:
+ secretName: {{ .secretName }}
+ commonName: {{ .commonName }}
+ renewBefore: {{ .renewBefore }}
+ {{- if .duration }}
+ duration: {{ .duration }}
+ {{- end }}
+ subject:
+ organizations:
+ - {{ .subject.organization }}
+ countries:
+ - {{ .subject.country }}
+ localities:
+ - {{ .subject.locality }}
+ provinces:
+ - {{ .subject.province }}
+ organizationalUnits:
+ - {{ .subject.organizationalUnit }}
+ issuerRef:
+ group: {{ .issuerRef.group }}
+ kind: {{ .issuerRef.kind }}
+ name: {{ .issuerRef.name }}
+ {{- if .dnsNames }}
+ dnsNames:
+ {{- range $.Values.certificates.dnsNames }}
+ - {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if .ipAddresses }}
+ ipAddresses:
+ - {{ .ipAddresses }}
+ {{- end }}
+ keystores:
+ {{- toYaml .keystores | nindent 4 }}
+{{- end }}
diff --git a/helm/ves-client/templates/configmap.yaml b/helm/ves-client/templates/configmap.yaml
index 4717c38..59c91c9 100644
--- a/helm/ves-client/templates/configmap.yaml
+++ b/helm/ves-client/templates/configmap.yaml
@@ -1,11 +1,6 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: {{ .Chart.Name }}-configmap
-binaryData:
- {{- $files := .Files }}
- {{- range $key, $value := .Files }}
- {{- if hasPrefix "resources/" $key }}
- {{ $key | trimPrefix "resources/" }}: {{ $files.Get $key | b64enc | quote }}
- {{- end }}
- {{- end }}
+ name: {{ .Values.configMapName }}
+data:
+{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}
diff --git a/helm/ves-client/templates/deployment.yaml b/helm/ves-client/templates/deployment.yaml
index 6220ced..090cee6 100644
--- a/helm/ves-client/templates/deployment.yaml
+++ b/helm/ves-client/templates/deployment.yaml
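Review bot: certificate.yaml is rendered for every install, while deployment.yaml only mounts the resulting `certstore` secret when `certMethod` is `"cmpv2"`; with the default `"aaf"` and with the basic profile this still creates a cert-manager `Certificate` against the CMPv2 issuer, and on a cluster without the cert-manager CRD the install fails outright. Wrapping the file in `{{- if eq .Values.certMethod "cmpv2" }}` … `{{- end }}` keeps it in step with the deployment. Two smaller points in the same hunk: `namespace: {{ .namespace }}` has no matching key in the `certificates` values block, so it renders empty (`{{ $.Release.Namespace }}` or dropping the line would be explicit), and `ipAddresses` emits one scalar under `- {{ .ipAddresses }}` whereas `dnsNames` is ranged as a list, so a user who follows the dnsNames shape gets a broken manifest.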
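Review bot: Moving from `binaryData` to `data` and piping every file under `resources/` through `tpl` means any resource file containing Go-template delimiters is now evaluated at render time, and a file that is not valid UTF-8 may be rejected by the API server as ConfigMap `data`; that is a behaviour change the commit message does not mention and is fine only if the resource files are plain-text templates that never contain `{{`. If template evaluation of the resources is not intended, `{{ (.Files.Glob "resources/*").AsConfig | indent 2 }}` keeps the simpler `data:` form while preserving the previous verbatim semantics.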
@@ -5,7 +5,9 @@ metadata:
 labels:
 {{- include "ves-client.labels" . | nindent 4 }}
 spec:
+{{- if not .Values.autoscaling.enabled }}
 replicas: {{ .Values.replicaCount }}
+{{- end }}
 selector:
 matchLabels:
 {{- include "ves-client.selectorLabels" . | nindent 6 }}
@@ -24,30 +26,85 @@ spec:
 {{- end }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{ if eq .Values.certMethod "aaf" }}
+ - name: {{ include "common.name" . }}-readiness
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ image: {{ .Values.certInitializer.image }}
+ imagePullPolicy: {{ .Values.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts:
+ - name: {{ .Values.aafVolumeName }}
+ mountPath: /opt/app/osaaf
+ {{- end }}
 containers:
- - env:
+ - env:
 - name: MONGO_HOSTNAME
- value: {{ .Values.config.mongoDbServer | quote }}
+ value: {{ .Values.config.mongoDbName | quote }}
 - name: USE_CERTIFICATE_FOR_AUTHORIZATION
- value: {{ .Values.config.useCertForAuth | quote }}
- name: {{ .Chart.Name }}
+ value: {{ .Values.config.useCerts | quote }}
+ - name: STRICT_HOSTNAME_VERIFICATION
+ value: {{ .Values.config.strictHost | quote }}
+ name: {{ .Values.configMapName }}
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
- image: {{ include "repositoryGenerator.repository" .
}}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 ports:
- - containerPort: {{ .Values.config.containerPort }}
+ - containerPort: {{ .Values.service.port }}
 protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /simulator/config
+ port: 5000
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /simulator/config
+ port: 5000
+ initialDelaySeconds: 60
+ periodSeconds: 15
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 volumeMounts:
- - name: store-map
- mountPath: {{ .Values.storeMap.directory }}
+ - name: templates
+ mountPath: {{ .Values.templatesDir }}
+ {{ if eq .Values.certMethod "cmpv2" }}
+ - name: certstore
+ mountPath: {{ .Values.certsDir }}
+ {{- end }}
+ {{ if eq .Values.certMethod "aaf" }}
+ - name: {{ .Values.aafVolumeName }}
+ mountPath: /app/store
+ {{- end }}
+
 volumes:
- - name: store-map
+ - name: templates
 configMap:
- name: {{ .Chart.Name }}-configmap
+ name: {{ .Values.configMapName }}
 defaultMode: 0755
+ {{ if eq .Values.certMethod "cmpv2" }}
+ - name: certstore
+ secret:
+ secretName: {{.Values.certificates.secretName}}
+ defaultMode: 0400
+ {{- end }}
+ {{ if eq .Values.certMethod "aaf" }}
+ {{ include "common.certInitializer.volumes" . | nindent 8 }}
+ - name: {{ .Values.aafVolumeName }}
+ emptyDir: {}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -60,4 +117,3 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
-
diff --git a/helm/ves-client/templates/secret.yaml b/helm/ves-client/templates/secret.yaml
new file mode 100644
index 0000000..dd3cf87
--- /dev/null
+++ b/helm/ves-client/templates/secret.yaml
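Review bot: `initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}` is emitted for every `certMethod`, yet the matching `{{ include "common.certInitializer.volumes" . | nindent 8 }}` is rendered only inside the `{{ if eq .Values.certMethod "aaf" }}` branch of `volumes`; unless the common helper guards itself on a global AAF flag (not visible in this diff), basic and CMPv2 pods reference volumes that do not exist and never schedule. Moving the initContainer include under the same `aaf` guard as the `-readiness` container keeps the two halves symmetric. In the same hunk, `imagePullPolicy: {{ .Values.pullPolicy | default .Values.pullPolicy }}` defaults a value to itself and `.Values.pullPolicy` is not defined in values.yaml (only `image.pullPolicy` is), so it renders empty — `imagePullPolicy: {{ .Values.image.pullPolicy }}` — and both probes hard-code `port: 5000` while `containerPort` now comes from `.Values.service.port`, so `port: {{ .Values.service.port }}` keeps them in step. The `certstore` secret is mounted with `defaultMode: 0400` while `podSecurityContext` and `securityContext` stay `{}` in values.yaml; if the container is later run as non-root (the commented `runAsUser: 1000`), the key material becomes unreadable, so `0440` paired with an `fsGroup` is the usual combination. The enclosing pod spec starts and ends outside this hunk.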
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.secretName }}
+data:
+ p12.pass: MjNlOTE3NzVjOTE4ZTRmNjY4ZTFhYzgyZDY5ZjExYWU0ZWU0ZGM2MTM3YzUwMzZkZjE3MmEyODJhYTA5
+type: Opaque
+
diff --git a/helm/ves-client/templates/service.yaml b/helm/ves-client/templates/service.yaml
index ad67f9b..3e23296 100644
--- a/helm/ves-client/templates/service.yaml
+++ b/helm/ves-client/templates/service.yaml
@@ -10,6 +10,6 @@ spec:
 - port: {{ .Values.service.port }}
 targetPort: {{ .Values.service.port }}
 protocol: TCP
- name: {{ .Values.service.port | quote }}
+ name: {{ .Values.service.name }}
 selector:
 {{- include "ves-client.selectorLabels" . | nindent 4 }}
diff --git a/helm/ves-client/values.yaml b/helm/ves-client/values.yaml
index 7ad63d3..0a475ae 100644
--- a/helm/ves-client/values.yaml
+++ b/helm/ves-client/values.yaml
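Review bot: `p12.pass` is a fixed base64 literal baked into the template, so every release of this chart in every environment shares one keystore password, and that password is now versioned in the repository; the profile values files then point cert-manager's `passwordSecretRef` at exactly this key. Take it from values instead, e.g. `p12.pass: {{ .Values.keystorePassword | b64enc }}` with a new values key such as `keystorePassword` left unset by default, or derive a per-release value with `randAlphaNum` guarded by `lookup` so that upgrades keep the existing one. The template is also rendered for every `certMethod` even though only the CMPv2 keystores consume the key, and unlike the other resources it carries no labels from `ves-client.labels`.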
@@ -1,36 +1,88 @@
-# Default values for ves-client.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
+global:
+ importCustomCertsEnabled: false
+
+certMethod: "aaf"
+aafVolumeName: aaf-vol-store
 replicaCount: 1
 image:
 repository: onap/org.onap.integration.nfsimulator.vesclient
 pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
 tag: ""
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: "ves-client"
+secretName: ves-client-secret
+configMapName: ves-client-configmap
+certificateName: ves-client-certificate
+
 config:
- mongoDbServer: nf-simulator-mongodb
- useCertForAuth: true
- containerPort: 5000
+ strictHost: false
+ useCerts: false
+ mongoDbName: ves-client-db
+
+templatesDir: "/app/template"
+certsDir: "/app/certs"
-storeMap:
- directory: "/app/store"
+ingress:
+ enabled: false
+
+certInitializer:
+ nameOverride: vesclient-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: ves-client
+ fqi: ves-client@vesclient.onap.org
+ public_fqdn: ves-client.onap.org
+ fqi_namespace: "org.onap.vesclient"
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ image: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
+ mountPath: "/opt/app/osaaf"
+ appMountPath: "/opt/app/osaaf"
 podAnnotations: {}
 podSecurityContext: {}
+ # fsGroup: 2000
 securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
 service:
 type: NodePort
 port: 5000
+ name: ves-client-port-name
 resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube.
If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
 nodeSelector: {}
@@ -38,17 +90,49 @@ tolerations: []
 affinity: {}
-mongo-express:
- fullnameOverride: "nf-simulator-mongo-express"
- mongodbServer: nf-simulator-mongodb
- nameOverride: mongo-express
- mongodbAdminPassword: zXcVbN123!
-
 mongodb:
- fullnameOverride: "nf-simulator-mongodb"
+ fullnameOverride: "ves-client-db"
 persistence:
 enabled: false
 auth:
 rootPassword: zXcVbN123!
- database: pnf_simulator
+ database: simulator
 username: root
+
+certificates:
+ name: ves-client-cert
+ secretName: ves-client-secret
+ commonName: ves-client
+ dnsNames:
+ - ves-client
+ renewBefore: 720h #30 days
+ duration: 8760h #365 days
+ subject:
+ organization: "Linux-Foundation"
+ country: "US"
+ locality: "San-Francisco"
+ province: "California"
+ organizationalUnit: "ONAP"
+# issuer:
+# group: certmanager.onap.org
+# kind: CMPv2Issuer
+# name: cmpv2-issuer-onap
+ issuerRef:
+ group: certmanager.onap.org
+ kind: CMPv2Issuer
+ name: cmpv2-issuer-onap
+
+# ipAddresses: "127.0.0.1"
+
+ keystores:
+ jks:
+ create: true
+ passwordSecretRef:
+ name: ves-client-secret
+ key: p12.pass
+ pkcs12:
+ create: true
+ passwordSecretRef:
+ name: ves-client-secret
+ key: p12.pass
+
diff --git a/helm/ves-client/values_aaf.yaml b/helm/ves-client/values_aaf.yaml
new file mode 100644
index 0000000..cae94a9
--- /dev/null
+++ b/helm/ves-client/values_aaf.yaml
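Review bot: `aafDeployPass: demo123456!` ships a plaintext AAF deployer credential as the chart default while the external-secret alternative (`# aafDeployCredsExternalSecret: some secret`) is left commented out, so a forgotten override silently installs with the demo password in every environment. Leaving `aafDeployPass` unset and documenting `aafDeployCredsExternalSecret` as the supported input makes a missing credential fail the AAF init step instead of succeeding with a shared default. Separately, the new defaults combine `certMethod: "aaf"` with `config.useCerts: false`, and because deployment.yaml keys every AAF init container and volume on `certMethod` alone, a default install still runs the AAF certificate bootstrap while telling the application not to use certificates; a non-AAF default such as `certMethod: ""` (anything other than `"aaf"`/`"cmpv2"` takes the basic path in the deployment) would make the two consistent.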
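Review bot: `certificates.secretName: ves-client-secret` is the same object name as the top-level `secretName: ves-client-secret`, so the Secret rendered by secret.yaml (holding `p12.pass`) is also the Secret cert-manager is asked to write the issued key pair and the JKS/PKCS12 keystores into, and `keystores.*.passwordSecretRef.name` points back at that same object. Two writers for one Secret is fragile across `helm upgrade` and reconciliation, and I am not certain cert-manager accepts its own output Secret as the password source; giving the password Secret and the certificate output Secret distinct names removes the overlap, and values_aaf.yaml and values_cmpv2.yaml repeat the same pairing. The commented `# issuer:` block above `issuerRef:` reads as a leftover of the rename, and the inline comments on `renewBefore`/`duration` want two spaces before `#` for yamllint.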
@@ -0,0 +1,33 @@
+certMethod: "aaf"
+
+fullnameOverride: "ves-client-aaf"
+secretName: ves-client-secret-aaf
+configMapName: ves-client-configmap-aaf
+certificateName: ves-client-certificate-aaf
+
+config:
+ useCerts: true
+ mongoDbName: ves-client-db-aaf
+
+mongodb:
+ fullnameOverride: "ves-client-db-aaf"
+
+certInitializer:
+ nameOverride: vesclient-cert-initializer-aaf
+
+
+certificates:
+ name: ves-client-cert-aaf
+ secretName: ves-client-secret-aaf
+ keystores:
+ jks:
+ create: true
+ passwordSecretRef:
+ name: ves-client-secret-aaf
+ key: p12.pass
+ pkcs12:
+ create: true
+ passwordSecretRef:
+ name: ves-client-secret-aaf
+ key: p12.pass
+
diff --git a/helm/ves-client/values_basic.yaml b/helm/ves-client/values_basic.yaml
new file mode 100644
index 0000000..bfde366
--- /dev/null
+++ b/helm/ves-client/values_basic.yaml
@@ -0,0 +1,15 @@
+fullnameOverride: "ves-client-basic"
+secretName: "ves-client-secret-basic"
+configMapName: "ves-client-configmap-basic"
+certificateName: "ves-client-certificate-basic"
+
+config:
+ useCerts: false
+ mongoDbName: ves-client-db-basic
+
+mongodb:
+ fullnameOverride: "ves-client-db-basic"
+
+certInitializer:
+ nameOverride: vesclient-cert-initializer-basic
+
diff --git a/helm/ves-client/values_cmpv2.yaml b/helm/ves-client/values_cmpv2.yaml
new file mode 100644
index 0000000..5a8a60d
--- /dev/null
+++ b/helm/ves-client/values_cmpv2.yaml
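Review bot: values_basic.yaml overrides `config.useCerts`, the resource names and `certInitializer.nameOverride` but not `certMethod`, which therefore inherits `"aaf"` from values.yaml; since deployment.yaml selects the AAF init container, the `-readiness` container and the `aaf-vol-store` volume on `certMethod` alone, the "basic" profile still runs the whole AAF certificate bootstrap and needs the AAF deployer credentials to come up. An explicit first line such as `certMethod: ""` (any value other than `"aaf"`/`"cmpv2"`), mirroring the first line of values_aaf.yaml and values_cmpv2.yaml, makes the profile self-describing and skips that path.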
@@ -0,0 +1,33 @@
+certMethod: "cmpv2"
+
+fullnameOverride: "ves-client-cmpv2"
+secretName: ves-client-secret-cmpv2
+configMapName: ves-client-configmap-cmpv2
+certificateName: ves-client-certificate-cmpv2
+
+config:
+ useCerts: true
+ mongoDbName: ves-client-db-cmpv2
+
+mongodb:
+ fullnameOverride: "ves-client-db-cmpv2"
+
+certInitializer:
+ nameOverride: vesclient-cert-initializer-cmpv2
+
+
+certificates:
+ name: ves-client-cert-cmpv2
+ secretName: ves-client-secret-cmpv2
+ keystores:
+ jks:
+ create: true
+ passwordSecretRef:
+ name: ves-client-secret-cmpv2
+ key: p12.pass
+ pkcs12:
+ create: true
+ passwordSecretRef:
+ name: ves-client-secret-cmpv2
+ key: p12.pass
+
-- cgit 1.2.3-korg