summaryrefslogtreecommitdiffstats
path: root/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
diff options
context:
space:
mode:
authorSylvain Desbureaux <sylvain.desbureaux@orange.com>2021-02-23 18:07:34 +0100
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>2021-11-12 20:18:54 +0000
commitc57b58ddca8fa19fad93b3aea70e556ad6f045d8 (patch)
treebf43684a4c647fe941d1b492edb182b162d31cbf /kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
parentaf3d4158481aa457d21b894865536e8d5bda1826 (diff)
[AAI][SCHEMA] Remove Hardcoded certificates
Use Certinitializer in order to retrieve needed certificates. It'll also do the retrieval for graphadmin as both microservices are working together. Issue-ID: OOM-2691 Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com> Change-Id: Iad790cc14361cf15d5a6bf4fcad6fd9f4048a1a7
Diffstat (limited to 'kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml')
-rw-r--r--kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml238
1 files changed, 156 insertions, 82 deletions
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
index 5752e54926..1256e71e08 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
@@ -5,7 +5,7 @@
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -58,7 +58,49 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{- if .Values.global.aafEnabled }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: properties-input
+ - mountPath: /config
+ name: properties
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ {{- end }}
- command:
- /app/ready.py
args:
@@ -80,46 +122,42 @@ spec:
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-readiness
- command:
- - /bin/bash
+ - sh
+ args:
- -c
- - bash docker-entrypoint.sh dataRestoreFromSnapshot.sh `ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots|head -1|awk -F".P" '{ print $1 }'`
+ - |
+ bash docker-entrypoint.sh dataRestoreFromSnapshot.sh `ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots|head -1|awk -F".P" '{ print $1 }'`
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-realtime.properties
- mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots
- name: {{ include "common.fullname" . }}-snapshots
+ name: snapshots
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-GA
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- {{ $global := . }}
- {{ range $job := .Values.global.config.auth.files }}
- - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
- name: {{ include "common.fullname" $global }}-auth-truststore-sec
- subPath: {{ . }}
- {{ end }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-restore-backup
@@ -128,57 +166,49 @@ spec:
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-perform-migration
command:
- - /bin/bash
+ - sh
+ args:
- -c
- |
bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ;
{{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-realtime.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-GA
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- {{ $global := . }}
- {{ range $job := .Values.global.config.auth.files }}
- - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
- name: {{ include "common.fullname" $global }}-auth-truststore-sec
- subPath: {{ . }}
- {{ end }}
- resources:
-{{ include "common.resources" . }}
+ resources: {{ include "common.resources" . | nindent 10 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
- {{- end -}}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: localtime
hostPath:
path: /etc/localtime
@@ -191,14 +221,12 @@ spec:
- name: {{ include "common.fullname" . }}-snapshots
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-migration
- - name: {{ include "common.fullname" . }}-auth-truststore-sec
- secret:
- secretName: aai-common-truststore
- items:
- {{ range $job := .Values.global.config.auth.files }}
- - key: {{ . }}
- path: {{ . }}
- {{ end }}
+ - name: properties-input
+ configMap:
+ name: {{ include "common.fullname" . }}-properties
+ - name: properties
+ emptyDir:
+ medium: Memory
restartPolicy: Never
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
@@ -226,8 +254,50 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{- if .Values.global.aafEnabled }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: properties-input
+ - mountPath: /config
+ name: properties
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ {{- end }}
{{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }}
- initContainers:
- command:
- /bin/bash
- -c
@@ -247,65 +317,69 @@ spec:
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- - /bin/bash
+ - sh
+ args:
- -c
- |
- bash docker-entrypoint.sh dataSnapshot.sh ;
+ bash docker-entrypoint.sh dataSnapshot.sh
{{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots
- name: {{ include "common.fullname" . }}-snapshots
+ name: snapshots
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-migration
+ name: migration
subPath: janusgraph-migration-real.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-migration
+ name: migration
subPath: janusgraph-migration-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-RES/
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- resources:
-{{ include "common.resources" . | indent 10 }}
+ resources: {{ include "common.resources" . | nindent 10 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
- {{- end -}}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- volumes:
+ volumes: {{ include "common.resources" . | nindent 10 }}
- name: localtime
hostPath:
path: /etc/localtime
- - name: {{ include "common.fullname" . }}-logs
+ - name: logs
emptyDir: {}
- - name: {{ include "common.fullname" . }}-config
+ - name: config
configMap:
- name: {{ include "common.fullname" . }}-configmap
- - name: {{ include "common.fullname" . }}-migration
+ name: {{ include "common.fullname" . }}
+ - name: properties-input
configMap:
- name: {{ include "common.fullname" . }}-migration-configmap
- - name: {{ include "common.fullname" . }}-snapshots
+ name: {{ include "common.fullname" . }}-properties
+ - name: properties
+ emptyDir:
+ medium: Memory
+ - name: migration
+ configMap:
+ name: {{ include "common.fullname" . }}-migration
+ - name: snapshots
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-migration
restartPolicy: Never