summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-03-16 15:25:24 +0000
committerGerrit Code Review <gerrit@onap.org>2020-03-16 15:25:24 +0000
commitf2cff9603964bdb9a25e6ba6dfdfbd8db918bf56 (patch)
tree1619b79a1cc54a327ba230b470900976a6582945
parentfff1538bebabc6230b1a5a5e070633dd0ad8bdc4 (diff)
parentde7a02b8315cd614e8fe277675423872d490fbb6 (diff)
Merge "Deploy dmaap-bc with downloaded certs"
-rw-r--r--kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env2
-rw-r--r--kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties137
-rw-r--r--kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml34
-rw-r--r--kubernetes/dmaap/components/dmaap-bc/values.yaml7
4 files changed, 127 insertions, 53 deletions
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env b/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env
index cde43f95b7..84a42d6436 100644
--- a/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env
+++ b/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env
@@ -14,4 +14,4 @@
# Environment settings for starting a container
DMAAPBC_WAIT_TO_EXIT=Y
-
+DMAAPBC_KSTOREFILE=/opt/app/osaaf/local/org.onap.dmaap-bc.jks
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties b/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties
index e43182daa3..59f64bd99c 100644
--- a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties
+++ b/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties
@@ -12,43 +12,47 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-#####################################################
-#
-# ONAP Casablanca oom configurable deployment params:
-#
-#####################################################
-
#####################################################
#
# Hooks for specific environment configurations
#
#####################################################
-# Indicator for whether to use AAF
+# Indicator for whether to use AAF for authentication
UseAAF: {{ .Values.global.aafEnabled }}
-# csit: stubs out some southbound APIs for csit
-csit: No
+# Stub out southbound calls for Unit Test cases to run. e.g. not timeout
+# Comment out in other environments to get default (No)
+#UnitTest: Yes
-# name of this DMaaP instance (deprecated)
-#DmaapName: demo
#####################################################
#
# Settings for Southbound API: Datarouter
#
#####################################################
-# FQDN of DR Prov Server (deprecated)
-#DR.provhost: dcae-drps.domain.not.set
# URI to retrieve dynamic DR configuration
ProvisioningURI: /internal/prov
# indicator for handling feed delete:
# DeleteOnDR - means use the DR API to DELETE a feed. (default for backwards compatibility)
-# SimulateDelete - means preserve the feed on DR (after cleaning it up), and mark as DELETED in DBCL. Better for cfy environments.
+# SimulateDelete - means preserve the feed on DR (after cleaning it up), and mark as DELETED in DBCL. Better for cloudify environments.
Feed.deleteHandling: SimulateDelete
+###########################################################
+# The following properties default to match ONAP DR instance.
+# However, there are some non-ONAP DR instances that require other values.
+# Sets the X-DR-ON-BEHALF-OF HTTP Header value
+#DR.onBehalfHeader:
+# Value for the Content-Type Header in DR Feed API
+#DR.feedContentType:
+# Value for the Content-Type Header in DR Subscription API
+#DR.subContentType:
+#
+# END OF properties helpful for non-ONAP DR instance.
+############################################################
+
#####################################################
#
# Settings for Soutbound API: Postgresql
@@ -86,6 +90,9 @@ MR.multisite: false
# In a multi-site, MR cluster deployment, use the CNAME DNS entry which resolves to the primary central MR
MR.CentralCname: {{ .Values.dmaapMessageRouterService }}
+# Indicator for whether we want hostname verification on SSL connection to MR
+MR.hostnameVerify: false
+
# MR Client Delete Level thoroughness:
# 0 = don't delete
# 1 = delete from persistent store
@@ -104,6 +111,12 @@ MR.projectID: mr
# Use Basic Authentication when provisioning topics
MR.authentication: basicAuth
+# MR topic name style (default is FQTN_LEGACY_FORMAT)
+#MR.topicStyle: FQTN_LEGACY_FORMAT
+#
+# end of MR Related Properties
+################################################################################
+
#####################################################
#
@@ -136,14 +149,20 @@ aaf.AdminPassword: {{ .Values.adminPwd }}
# Identity that is owner of any created namespaces for topics
aaf.NsOwnerIdentity: {{ .Values.adminUser }}
-# location of the codec keyfile used to decrypt passwords in this properties file before they are passed to AAF
-CredentialCodeKeyfile: etc/LocalKey
# this overrides the Class used for Decryption.
# This allows for a plugin encryption/decryption method if needed.
# Call this Class for decryption at runtime.
#AafDecryption.Class: com.company.proprietaryDecryptor
+# location of the codec keyfile used to decrypt passwords in this properties file before they are passed to AAF
+# Not used in ONAP, but possibly used with Decryption override class.
+#CredentialCodeKeyfile: etc/LocalKey
+
+#
+# endof AAF Properties
+####################################################
+
#####################################################
#
@@ -172,11 +191,53 @@ MM.ProvUserMechId: dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org
# pwd for Identity used to publish MM prov cmds
MM.ProvUserPwd: demo123456!
-# AAF Role of MirrorMaker agent subscribed to prov cmds
+# AAF Role of MirrorMaker agent subscribed to prov cmds.
MM.AgentRole: org.onal.dmaap-bc-mm-prov.agent
#####################################################
#
+# Certificate Management
+#
+#####################################################
+
+# Indicates how we are expecting certificates to be provided:
+# cadi - a set of artifacts will be downloaded from AAF at deployment time, and details will be in a cadi properties file
+# legacy (default) - artifacts will be installed manually or some other way and details will be in this file
+CertificateManagement: cadi
+
+# When CertificateManagement is cadi, then this is where all the cadi properties will be.
+# Note that the cadi properties include where the cert is, and the encrypted passwords to read.
+cadi.properties: /opt/app/osaaf/local/org.onap.dmaap-bc.props
+
+###########################################################################################
+# When CertificateManagement is legacy, we need to provide more details about cert handling:
+#CertificateManagement: legacy
+# the type of keystore for https (for legacy CertificateManagment only)
+#KeyStoreType: jks
+
+# path to the keystore file (for legacy CertificateManagment only)
+#KeyStoreFile: etc/keystore
+
+# password for the https keystore (for legacy CertificateManagment only)
+#KeyStorePassword: Y@Y5f&gm?PAz,CVQL,lk[VAF
+# password for the private key in the https keystore (for legacy CertificateManagment only)
+#KeyPassword: changeit
+
+# type of truststore for https (for legacy CertificateManagment only)
+#TrustStoreType: jks
+
+# path to the truststore for https (for legacy CertificateManagment only)
+#TrustStoreFile: etc/org.onap.dmaap-bc.trust.jks
+
+# password for the https truststore (for legacy CertificateManagment only)
+#TrustStorePassword: changeit
+#
+# END OF legacy CertificateManagement properties
+###########################################################################################
+
+
+#####################################################
+#
# HTTP Server Configuration
#
#####################################################
@@ -191,30 +252,24 @@ IntHttpPort: 8080
# set to 0 if no certificates are available.
IntHttpsPort: 8443
-# external port number for https taking port mapping into account
-ExtHttpsPort: 443
-
-# the type of keystore for https
-KeyStoreType: jks
-
-# path to the keystore file
-KeyStoreFile: etc/keystore
-
-# password for the https keystore
-KeyStorePassword: Y@Y5f&gm?PAz,CVQL,lk[VAF
-# password for the private key in the https keystore
-KeyPassword: Y@Y5f&gm?PAz,CVQL,lk[VAF
-# type of truststore for https
-TrustStoreType: jks
-
-# path to the truststore for https
-TrustStoreFile: etc/org.onap.dmaap-bc.trust.jks
-
-# password for the https truststore
-TrustStorePassword: 8b&R5%l$l:@jSWz@FCs;rhY*
-
-# path to the file used to trigger an orderly shutdown
-QuiesceFile: etc/SHUTDOWN
inHttpsPort: 0
+
+#####################################################
+#
+# Deprecated
+#
+#####################################################
+# csit: stubs out some southbound APIs for csit (deprecated)
+#csit: No
+# name of this DMaaP instance (deprecated)
+#DmaapName: demo
+# external port number for https taking port mapping into account (deprecated)
+#ExtHttpsPort: 443
+# path to the file used to trigger an orderly shutdown (deprecated)
+#QuiesceFile: etc/SHUTDOWN
+# FQDN of DR Prov Server (deprecated)
+#DR.provhost: dcae-drps.domain.not.set
+# root of topic namespace (decrecated)
+#topicNsRoot: org.onap.dcae.dmaap
diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml
index 3e08185a20..ea2720f9ce 100644
--- a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml
+++ b/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml
@@ -48,7 +48,7 @@ spec:
command: ["bash","-c","exec /opt/app/aaf_config/bin/agent.sh"]
volumeMounts:
- mountPath: {{ .Values.persistence.aafCredsPath }}
- name: {{ include "common.name" . }}-aaf-config
+ name: {{ include "common.name" . }}-aaf-config-vol
env:
- name: APP_FQI
value: "{{ .Values.aafConfig.fqi }}"
@@ -75,6 +75,26 @@ spec:
value: "{{ .Values.aafConfig.cadiLongitude }}"
- name: cadi_latitude
value: "{{ .Values.aafConfig.cadiLatitude }}"
+ - name: {{ include "common.name" . }}-permission-fixer
+ image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts:
+ - mountPath: {{ .Values.persistence.aafCredsPath }}
+ name: {{ include "common.name" . }}-aaf-config-vol
+ command: ["chown","-Rf","1000:1001", "/opt/app/"]
+# See AAF-425 for explanation of why this is needed.
+# This artifact is provisioned in AAF for both pks12 and jks format and apparently
+# the cadi library is not using the jks password on the jks keystore.
+# So, this attempts to "fix" the credential property file until this is fixed properly.
+ - name: {{ include "common.name" . }}-cred-fixer
+ image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts:
+ - mountPath: {{ .Values.persistence.aafCredsPath }}
+ name: {{ include "common.name" . }}-aaf-config-vol
+ command: ["/bin/sh"]
+ args: [ "-c", "sed -i -e '/cadi_keystore_password=/d' -e '/cadi_keystore_password_jks/p' -e 's/cadi_keystore_password_jks/cadi_keystore_password/' -e 's/dmaap-bc.p12/dmaap-bc.jks/' /opt/app/osaaf/local/org.onap.dmaap-bc.cred.props" ]
+
{{- end }}
{{- if .Values.PG.enabled }}
- name: {{ include "common.name" . }}-postgres-readiness
@@ -95,7 +115,7 @@ spec:
{{- end }}
containers:
- name: {{ include "common.name" . }}
- image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ image: "{{ .Values.repository }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
ports: {{ include "common.containerPorts" . | nindent 10 }}
{{ if eq .Values.liveness.enabled true -}}
@@ -118,13 +138,12 @@ spec:
- mountPath: /etc/localtime
name: localtime
readOnly: true
+ - mountPath: {{ .Values.persistence.aafCredsPath }}
+ name: {{ include "common.name" . }}-aaf-config-vol
# NOTE: on the following several configMaps, careful to include / at end
# since there may be more than one file in each mountPath
- name: {{ include "common.name" . }}-config
mountPath: /opt/app/config/conf/
- - name: {{ include "common.name" . }}-aaf-config
- mountPath: /opt/app/dmaapbc/etc/org.onap.dmaap-bc.props
- subPath: org.onap.dmaap-bc.props
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }}
@@ -139,8 +158,7 @@ spec:
- name: {{ include "common.name" . }}-config
configMap:
name: {{ include "common.fullname" . }}-config
- - name: {{ include "common.name" . }}-aaf-config
- configMap:
- name: {{ include "common.fullname" . }}-aaf-config
+ - name: {{ include "common.name" . }}-aaf-config-vol
+ emptyDir: {}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/dmaap/components/dmaap-bc/values.yaml b/kubernetes/dmaap/components/dmaap-bc/values.yaml
index 28c77eb54c..3a18787826 100644
--- a/kubernetes/dmaap/components/dmaap-bc/values.yaml
+++ b/kubernetes/dmaap/components/dmaap-bc/values.yaml
@@ -30,7 +30,8 @@ pullPolicy: Always
# application images
repository: nexus3.onap.org:10001
-image: onap/dmaap/dmaap-bc:2.0.3
+#repository: 10.12.7.57:5000
+image: onap/dmaap/dmaap-bc:2.0.4
# application configuration
@@ -49,7 +50,7 @@ adminPwd: demo123456!
#AAF local config
aafConfig:
- aafDeployFqi: dmaap-bc@dmaap-bc.onap.org
+ aafDeployFqi: deployer@people.osaaf.org
aafDeployPass: demo123456!
fqdn: dmaap-bc
fqi: dmaap-bc@dmaap-bc.onap.org
@@ -58,7 +59,7 @@ aafConfig:
cadiLongitude: 0.0
persistence:
- aafCredsPath: /opt/app/osaaf/local
+ aafCredsPath: /opt/app/osaaf/local/
# for Casablanca default deployment, leave this true to
# get a topic namespace that matches MR. When set to false,