[AAI] Fix Kyverno Policy violations

- Refactored code for readiness check and use library readinessCheck
- Fixed securityContext settings
- Limit emptyVolume size and make it configurable
- Important: Need to use aai-haproxy docker image version >= 1.15.2
- Refactore meta labels and use common.labels instead

Issue-ID: AAI-4044
Change-Id: I346316e64cb67222836951cf12b3772bbf509c6a
Signed-off-by: Andreas Seelinger <andreas.seelinger@accenture.com>

7 files changed, 54 insertions, 86 deletions

diff --git a/kubernetes/aai/components/aai-resources/Chart.yaml b/kubernetes/aai/components/aai-resources/Chart.yaml
index 7d7075e3a5..c83a28671c 100644
--- a/kubernetes/aai/components/aai-resources/Chart.yaml
+++ b/kubernetes/aai/components/aai-resources/Chart.yaml
@@ -18,7 +18,7 @@
 apiVersion: v2
 description: ONAP AAI resources
 name: aai-resources
-version: 15.0.0
+version: 15.0.1
 
 dependencies:
   - name: common
@@ -30,3 +30,6 @@ dependencies:
   - name: serviceAccount
     version: ~13.x-0
     repository: '@local'
+  - name: readinessCheck
+    version: ~13.x-0
+    repository: '@local'
\ No newline at end of file
diff --git a/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml b/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml
index 6b703e7cdd..f6063a024d 100644
--- a/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml
+++ b/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml
@@ -17,7 +17,7 @@ apiVersion: kafka.strimzi.io/v1beta2
 kind: KafkaUser
 metadata:
   name: {{ include "common.release" . }}-{{ .Values.global.aaiKafkaUser }}
-  labels:
+  labels: {{- include "common.labels" . | nindent 4 }}
     strimzi.io/cluster: {{ include "common.release" . }}-strimzi
 spec:
   authentication:
diff --git a/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml b/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml
index ed1f8e3ea8..29b191b68d 100644
--- a/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml
@@ -4,11 +4,7 @@ kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "common.fullname" . }}
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
diff --git a/kubernetes/aai/components/aai-resources/templates/configmap.yaml b/kubernetes/aai/components/aai-resources/templates/configmap.yaml
index c3c2262ab9..8e13c8c90d 100644
--- a/kubernetes/aai/components/aai-resources/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/configmap.yaml
@@ -20,11 +20,7 @@ kind: ConfigMap
 metadata:
   name: {{ include "common.fullname" . }}
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 data:
 {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }}
 {{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }}
diff --git a/kubernetes/aai/components/aai-resources/templates/deployment.yaml b/kubernetes/aai/components/aai-resources/templates/deployment.yaml
index 4c6c12b1f4..cb434ed2cd 100644
--- a/kubernetes/aai/components/aai-resources/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/deployment.yaml
@@ -20,20 +20,7 @@
 
 apiVersion: apps/v1
 kind: Deployment
-metadata:
-  name: {{ include "common.fullname" . }}
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    {{- if .Chart.AppVersion }}
-    version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-    {{- else }}
-    version: "{{ .Chart.Version | replace "+" "_" }}"
-    {{- end }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
 spec:
   {{- if or .Values.config.debug.enabled .Values.config.profiling.enabled }}
   replicas: 1
@@ -53,19 +40,7 @@ spec:
     matchLabels:
       app: {{ include "common.name" . }}
   template:
-    metadata:
-      labels:
-        app: {{ include "common.name" . }}
-        release: {{ include "common.release" . }}
-        app.kubernetes.io/name: {{ include "common.name" . }}
-        {{- if .Chart.AppVersion }}
-        version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-        {{- else }}
-        version: "{{ .Chart.Version | replace "+" "_" }}"
-        {{- end }}
-      name: {{ include "common.name" . }}
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+    metadata: {{- include "common.templateMetadata" . | nindent 6 }}
       {{- if .Values.global.msbEnabled }}
         {{ $values := .Values }}
         msb.onap.org/service-info: '[
@@ -99,44 +74,20 @@ spec:
     spec:
       hostname: aai-resources
       terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
       initContainers:
-      - name: {{ include "common.name" . }}-readiness
-        command:
-        - /app/ready.py
-        args:
-        {{- if .Values.global.jobs.migration.enabled }}
-        - --job-name
-        - {{ include "common.release" . }}-aai-graphadmin-migration
-        {{- else }}
-          {{- if .Values.global.jobs.createSchema.enabled  }}
-        - --job-name
-        - {{ include "common.release" . }}-aai-graphadmin-create-db-schema
-          {{- else }}
-        - --service-name
-        - {{ .Values.global.cassandra.serviceName }}
-        - --service-name
-        - aai-schema-service
-          {{- end }}
-        {{- end }}
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        image: {{ include "repositoryGenerator.image.readiness" . }}
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        resources:
-          limits:
-            cpu: "100m"
-            memory: "500Mi"
-          requests:
-            cpu: "3m"
-            memory: "20Mi"
+      {{- if .Values.global.jobs.migration.enabled }}
+      {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_migration) | nindent 8 }}
+      {{- else if .Values.global.jobs.createSchema.enabled  }}
+      {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_createSchema) | nindent 8 }}
+      {{- else }}
+      {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_cassandra) | nindent 8 }}
+      {{- end }}
       containers:
       - name: {{ include "common.name" . }}
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
         env:
         {{- if .Values.config.env }}
         {{- range $key,$value := .Values.config.env }}
@@ -189,6 +140,8 @@ spec:
         - mountPath: /opt/app/aai-resources/resources/application-keycloak.properties
           name: {{ include "common.fullname" . }}-config
           subPath: application-keycloak.properties
+        - mountPath: /tmp
+          name: tmp
         ports:
         - containerPort: {{ .Values.service.resourcesPort }}
           name: {{ .Values.service.resourcesPortName }}
@@ -252,7 +205,11 @@ spec:
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes:
       - name: logs
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.logSizeLimit }}
+      - name: tmp
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.tmpSizeLimit }}
       {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
       - name: {{ include "common.fullname" . }}-config
         configMap:
diff --git a/kubernetes/aai/components/aai-resources/templates/service.yaml b/kubernetes/aai/components/aai-resources/templates/service.yaml
index 308dc052c8..605679ee52 100644
--- a/kubernetes/aai/components/aai-resources/templates/service.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/service.yaml
@@ -19,12 +19,7 @@ kind: Service
 metadata:
   name: {{ include "common.servicename" . }}
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:
@@ -54,8 +49,6 @@ spec:
     name: {{ .Values.service.metricsPortName }}
     targetPort: {{ .Values.service.metricsPortName }}
   {{- end }}
-  selector:
-    app: {{ include "common.name" . }}
-    release: {{ include "common.release" . }}
+  selector: {{- include "common.matchLabels" . | nindent 4 }}
   clusterIP: None
   sessionAffinity: {{ .Values.service.sessionAffinity }}
diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml
index 890276239d..7cba7a425e 100644
--- a/kubernetes/aai/components/aai-resources/values.yaml
+++ b/kubernetes/aai/components/aai-resources/values.yaml
@@ -134,7 +134,7 @@ aai_enpoints:
     url: external-system
 
 # application image
-image: onap/aai-resources:1.15.1
+image: onap/aai-resources:1.15.2
 pullPolicy: Always
 restartPolicy: Always
 flavor: small
@@ -354,9 +354,9 @@ metrics:
     ##
     selector:
       app: '{{ include "common.name" . }}'
-      chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
-      release: '{{ include "common.release" . }}'
-      heritage: '{{ .Release.Service }}'
+      helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+      app.kubernetes.io/instance: '{{ include "common.release" . }}'
+      app.kubernetes.io/managed-by: '{{ .Release.Service }}'
 
     ## RelabelConfigs to apply to samples before scraping
     ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
@@ -421,3 +421,26 @@ kafkaUser:
     - name: AAI-EVENT
       type: topic
       operations: [Read, Write]
+
+volumes:
+  logSizeLimit: 50Mi
+  tmpSizeLimit: 100Mi
+
+securityContext:
+  user_id: 1000
+  group_id: 1000
+
+readinessCheck:
+  wait_for_migration:
+    jobs:
+      - '{{ include "common.release" . }}-aai-graphadmin-migration'
+  wait_for_createSchema:
+    jobs:
+      - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema'
+  wait_for_cassandra:
+    services:
+      - '{{ .Values.global.cassandra.serviceName }}'
+      - aai-schema-service
+
+podAnnotations:
+  checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'