diff options
author | Andreas Seelinger <andreas.seelinger@accenture.com> | 2024-11-07 10:20:07 +0100 |
---|---|---|
committer | Andreas Seelinger <andreas.seelinger@accenture.com> | 2024-12-09 12:53:21 +0100 |
commit | 23428032527583798d5e42aa96555728cc71a06d (patch) | |
tree | 82bdc7d9ff753088772a839cfffb6d09592362dd /kubernetes/aai | |
parent | 64e996851eb741093e18b8c9948f23dd91b26d96 (diff) |
[AAI] Fix Kyverno Policy violations
- Refactored code for readiness check and use library readinessCheck
- Fixed securityContext settings
- Limit emptyVolume size and make it configurable
- Important: Need to use aai-haproxy docker image version >= 1.15.2
- Refactore meta labels and use common.labels instead
Issue-ID: AAI-4044
Change-Id: I346316e64cb67222836951cf12b3772bbf509c6a
Signed-off-by: Andreas Seelinger <andreas.seelinger@accenture.com>
Diffstat (limited to 'kubernetes/aai')
53 files changed, 413 insertions, 612 deletions
diff --git a/kubernetes/aai/Chart.yaml b/kubernetes/aai/Chart.yaml index 351f01a5e0..77078332c9 100644 --- a/kubernetes/aai/Chart.yaml +++ b/kubernetes/aai/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP Active and Available Inventory name: aai -version: 15.0.0 +version: 15.0.1 dependencies: - name: common @@ -34,6 +34,9 @@ dependencies: - name: repositoryGenerator version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' - name: aai-babel version: ~15.x-0 repository: 'file://components/aai-babel' diff --git a/kubernetes/aai/components/aai-babel/Chart.yaml b/kubernetes/aai/components/aai-babel/Chart.yaml index d5783066ad..2d0a78bde4 100644 --- a/kubernetes/aai/components/aai-babel/Chart.yaml +++ b/kubernetes/aai/components/aai-babel/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Babel microservice name: aai-babel -version: 15.0.0 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/aai/components/aai-babel/templates/configmap.yaml b/kubernetes/aai/components/aai-babel/templates/configmap.yaml index baee38c0e2..39d494acc2 100644 --- a/kubernetes/aai/components/aai-babel/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-babel/templates/configmap.yaml @@ -21,10 +21,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-babel/templates/deployment.yaml b/kubernetes/aai/components/aai-babel/templates/deployment.yaml index f3fc04c00c..782ed1226c 100644 --- a/kubernetes/aai/components/aai-babel/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml @@ -38,10 +38,12 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} ports: {{- if .Values.debug.enabled }} - containerPort: {{ .Values.debug.port }} @@ -99,6 +101,10 @@ spec: - mountPath: /opt/app/babel/config/logback.xml name: config subPath: logback.xml + - mountPath: /opt/app/babel/logs + name: babel-logs + - mountPath: /tmp + name: tmp resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -120,7 +126,14 @@ spec: secret: secretName: {{ include "common.fullname" . }}-babel-secrets - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.artifactDataSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} + - name: babel-logs + emptyDir: + sizeLimit: {{ .Values.volumes.babelLogsSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-babel/templates/secrets.yaml b/kubernetes/aai/components/aai-babel/templates/secrets.yaml index 9d7d2c5a80..3f2b97c210 100644 --- a/kubernetes/aai/components/aai-babel/templates/secrets.yaml +++ b/kubernetes/aai/components/aai-babel/templates/secrets.yaml @@ -21,11 +21,7 @@ kind: Secret metadata: name: {{ include "common.fullname" . }}-babel-secrets namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml index c07b1245d0..2a57bb23cc 100644 --- a/kubernetes/aai/components/aai-babel/values.yaml +++ b/kubernetes/aai/components/aai-babel/values.yaml @@ -144,3 +144,15 @@ log: level: root: INFO logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + artifactDataSizeLimit: 50Mi + babelLogsSizeLimit: 100Mi + tmpSizeLimit: 100Mi + +securityContext: + user_id: 1000 + group_id: 101 + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/aai/components/aai-graphadmin/Chart.yaml b/kubernetes/aai/components/aai-graphadmin/Chart.yaml index 1264d7398f..13315415f2 100644 --- a/kubernetes/aai/components/aai-graphadmin/Chart.yaml +++ b/kubernetes/aai/components/aai-graphadmin/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP AAI GraphAdmin name: aai-graphadmin -version: 15.0.0 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml b/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml index 4e9bf7f7ff..04692fefcc 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml +++ b/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml @@ -17,7 +17,7 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: name: {{ include "common.release" . }}-{{ .Values.global.aaiGraphKafkaUser }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml index ddf752b480..1a32d7b516 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml @@ -25,11 +25,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- if .Values.global.jobs.migration.enabled }} annotations: "helm.sh/hook": pre-upgrade,pre-install @@ -47,11 +43,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-properties namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- if .Values.global.jobs.migration.enabled }} annotations: "helm.sh/hook": pre-upgrade,pre-install @@ -68,11 +60,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-migration namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "0" diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml index 6ac078b756..991727d7c6 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml @@ -23,20 +23,7 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: {{- if .Values.config.debug.enabled }} replicas: 1 @@ -54,19 +41,7 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: hostname: aai-graphadmin terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} @@ -207,11 +182,14 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: tmp-volume - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} - name: script-logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.scriptlogSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: config configMap: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml index 3f0c4e11e5..1cc431c94f 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml @@ -41,11 +41,7 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-db-backup namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "2" @@ -54,38 +50,19 @@ spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: {{- if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} - - command: - - /bin/bash - - -c - - /app/ready.py --service-name {{ .Values.global.cassandra.serviceName }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-db-backup-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForCassandraService ) | indent 6 | trim}} {{- end }} containers: - name: {{ include "common.name" . }}-db-backup-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} command: - sh args: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml index 5d7e9b6cce..19e62ae7c4 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml @@ -40,18 +40,12 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-create-db-schema namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }} spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: initContainers: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml index 4ec2306eca..f6f2f8b1a7 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml @@ -41,11 +41,7 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-migration namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }} annotations: "helm.sh/hook": post-upgrade,post-rollback,post-install "helm.sh/hook-weight": "1" @@ -54,35 +50,12 @@ spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --service-name - - {{ .Values.global.cassandra.serviceName }} - - --service-name - - aai-schema-service - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForWithSchemaService) | indent 6 | trim }} - command: - sh args: @@ -125,6 +98,7 @@ spec: echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} sh docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ; {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config @@ -172,11 +146,7 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-db-backup-job namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-db-backup-job - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "db-backup-job") | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "2" @@ -185,9 +155,7 @@ spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-db-backup-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "db-backup-job") | nindent 8 }} name: {{ include "common.name" . }} spec: initContainers: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml b/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml index 563b920c04..cd72d7f219 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml @@ -16,16 +16,13 @@ {{- if .Values.global.jobs.migration.enabled -}} {{- if eq "True" (include "common.needPV" .) -}} +{{- if not .Values.persistence.storageClass -}} kind: PersistentVolume apiVersion: v1 metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" + labels: {{- include "common.labels" . | nindent 4 }} name: {{ include "common.fullname" . }} annotations: "helm.sh/hook": pre-upgrade,pre-install @@ -42,3 +39,4 @@ spec: path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath1 }} {{- end -}} {{- end -}} +{{- end -}} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml b/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml index bf8900686d..19c1016ca4 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml @@ -20,11 +20,7 @@ apiVersion: v1 metadata: name: {{ include "common.fullname" . }}-migration namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" + labels: {{- include "common.labels" . | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "-1" diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml index 16924e9d5c..b7c09cfd0e 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml @@ -25,12 +25,7 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -58,6 +53,4 @@ spec: name: {{ .Values.service.actuatorPortName }} targetPort: {{ .Values.service.appPort }} {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml index fab3423c42..a2727757cf 100644 --- a/kubernetes/aai/components/aai-graphadmin/values.yaml +++ b/kubernetes/aai/components/aai-graphadmin/values.yaml @@ -103,7 +103,7 @@ global: # global defaults clients: SDNC,-1|MSO,-1|SO,-1|robot-ete,-1 # application image -image: onap/aai-graphadmin:1.15.1 +image: onap/aai-graphadmin:1.15.2 pullPolicy: Always restartPolicy: Always flavor: small @@ -229,6 +229,23 @@ readinessCheck: services: - '{{ .Values.global.cassandra.serviceName }}' - aai-schema-service + waitForCassandra: + containers: + - aai-schema-service + apps: + - cassandra + waitForLocalCassandra: + containers: + - aai-schema-service + apps: + - aai-cassandra + waitForCassandraService: + services: + - '{{ .Values.global.cassandra.serviceName }}' + waitForWithSchemaService: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service service: type: ClusterIP @@ -291,8 +308,8 @@ resources: cpu: "1" memory: "4Gi" requests: - cpu: "0.5" - memory: "1.6Gi" + cpu: "500m" + memory: "1600Mi" large: limits: cpu: "2" @@ -319,9 +336,9 @@ metrics: selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' relabelings: [] @@ -369,3 +386,11 @@ kafkaUser: - name: AAI-EVENT type: topic operations: [Read, Write] + +volumes: + logSizeLimit: 64Mi + scriptlogSizeLimit: 300Mi + tmpSizeLimit: 500Mi + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/aai/components/aai-modelloader/Chart.yaml b/kubernetes/aai/components/aai-modelloader/Chart.yaml index 23ce50a6c2..2f561334f5 100644 --- a/kubernetes/aai/components/aai-modelloader/Chart.yaml +++ b/kubernetes/aai/components/aai-modelloader/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP AAI modelloader name: aai-modelloader -version: 15.0.0 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml index d3fd509dcd..c2984626b6 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml @@ -19,11 +19,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-prop namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/model-loader.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/application.properties").AsConfig . | indent 2 }} @@ -33,10 +29,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-log namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/log/logback.xml").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml index 486ffbaa49..f3753d0040 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml @@ -19,20 +19,7 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: {{- if .Values.debug.enabled }} replicas: 1 @@ -51,17 +38,7 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} @@ -69,10 +46,12 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: - name: CONFIG_HOME value: /opt/app/model-loader/config/ @@ -90,8 +69,8 @@ spec: value: {{ .Values.debug.args | quote }} {{- end }} ports: - - containerPort: 9500 - name: http + - containerPort: {{ .Values.service.appPort }} + name: {{ .Values.service.appPortName }} {{- if .Values.debug.enabled }} - containerPort: {{ .Values.debug.port }} name: {{ .Values.debug.portName }} @@ -109,6 +88,8 @@ spec: name: prop-config - mountPath: {{ .Values.log.path }} name: logs + - mountPath: /tmp + name: tmp - mountPath: /opt/app/model-loader/logback.xml name: log-config subPath: logback.xml @@ -121,7 +102,11 @@ spec: configMap: name: {{ include "common.fullname" . }}-prop - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: log-config configMap: diff --git a/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml b/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml index 1eb564ed72..961a850ee9 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml @@ -19,8 +19,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: name: {{ include "common.fullname" . }} - labels: - {{- include "common.labels" . | nindent 4 }} + labels: {{- include "common.labels" . | nindent 4 }} spec: selector: matchLabels: diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml index d76b1d33a3..6c8cdb7d31 100644 --- a/kubernetes/aai/components/aai-modelloader/values.yaml +++ b/kubernetes/aai/components/aai-modelloader/values.yaml @@ -74,17 +74,22 @@ nodeSelector: {} affinity: {} +service: + # REST API port for the graphadmin microservice + appPortName: http + appPort: 9500 + # probe configuration parameters liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container enabled: true + path: /healthz + periodSeconds: 10 + initialDelaySeconds: 10 readiness: - initialDelaySeconds: 10 + path: /healthz periodSeconds: 10 + initialDelaySeconds: 10 resources: small: @@ -92,7 +97,7 @@ resources: cpu: "1" memory: "4Gi" requests: - cpu: "0.5" + cpu: "500m" memory: "1Gi" large: limits: @@ -135,3 +140,7 @@ log: level: root: INFO logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 64Mi + tmpSizeLimit: 100Mi diff --git a/kubernetes/aai/components/aai-resources/Chart.yaml b/kubernetes/aai/components/aai-resources/Chart.yaml index 7d7075e3a5..c83a28671c 100644 --- a/kubernetes/aai/components/aai-resources/Chart.yaml +++ b/kubernetes/aai/components/aai-resources/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP AAI resources name: aai-resources -version: 15.0.0 +version: 15.0.1 dependencies: - name: common @@ -30,3 +30,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml b/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml index 6b703e7cdd..f6063a024d 100644 --- a/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml +++ b/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml @@ -17,7 +17,7 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: name: {{ include "common.release" . }}-{{ .Values.global.aaiKafkaUser }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: diff --git a/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml b/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml index ed1f8e3ea8..29b191b68d 100644 --- a/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml +++ b/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml @@ -4,11 +4,7 @@ kind: HorizontalPodAutoscaler metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: scaleTargetRef: apiVersion: apps/v1 diff --git a/kubernetes/aai/components/aai-resources/templates/configmap.yaml b/kubernetes/aai/components/aai-resources/templates/configmap.yaml index c3c2262ab9..8e13c8c90d 100644 --- a/kubernetes/aai/components/aai-resources/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-resources/templates/configmap.yaml @@ -20,11 +20,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-resources/templates/deployment.yaml b/kubernetes/aai/components/aai-resources/templates/deployment.yaml index 4c6c12b1f4..cb434ed2cd 100644 --- a/kubernetes/aai/components/aai-resources/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-resources/templates/deployment.yaml @@ -20,20 +20,7 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: {{- if or .Values.config.debug.enabled .Values.config.profiling.enabled }} replicas: 1 @@ -53,19 +40,7 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} {{- if .Values.global.msbEnabled }} {{ $values := .Values }} msb.onap.org/service-info: '[ @@ -99,44 +74,20 @@ spec: spec: hostname: aai-resources terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - {{- if .Values.global.jobs.migration.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-migration - {{- else }} - {{- if .Values.global.jobs.createSchema.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-create-db-schema - {{- else }} - - --service-name - - {{ .Values.global.cassandra.serviceName }} - - --service-name - - aai-schema-service - {{- end }} - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{- if .Values.global.jobs.migration.enabled }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_migration) | nindent 8 }} + {{- else if .Values.global.jobs.createSchema.enabled }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_createSchema) | nindent 8 }} + {{- else }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_cassandra) | nindent 8 }} + {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: {{- if .Values.config.env }} {{- range $key,$value := .Values.config.env }} @@ -189,6 +140,8 @@ spec: - mountPath: /opt/app/aai-resources/resources/application-keycloak.properties name: {{ include "common.fullname" . }}-config subPath: application-keycloak.properties + - mountPath: /tmp + name: tmp ports: - containerPort: {{ .Values.service.resourcesPort }} name: {{ .Values.service.resourcesPortName }} @@ -252,7 +205,11 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: diff --git a/kubernetes/aai/components/aai-resources/templates/service.yaml b/kubernetes/aai/components/aai-resources/templates/service.yaml index 308dc052c8..605679ee52 100644 --- a/kubernetes/aai/components/aai-resources/templates/service.yaml +++ b/kubernetes/aai/components/aai-resources/templates/service.yaml @@ -19,12 +19,7 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -54,8 +49,6 @@ spec: name: {{ .Values.service.metricsPortName }} targetPort: {{ .Values.service.metricsPortName }} {{- end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} clusterIP: None sessionAffinity: {{ .Values.service.sessionAffinity }} diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml index 890276239d..7cba7a425e 100644 --- a/kubernetes/aai/components/aai-resources/values.yaml +++ b/kubernetes/aai/components/aai-resources/values.yaml @@ -134,7 +134,7 @@ aai_enpoints: url: external-system # application image -image: onap/aai-resources:1.15.1 +image: onap/aai-resources:1.15.2 pullPolicy: Always restartPolicy: Always flavor: small @@ -354,9 +354,9 @@ metrics: ## selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' ## RelabelConfigs to apply to samples before scraping ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig @@ -421,3 +421,26 @@ kafkaUser: - name: AAI-EVENT type: topic operations: [Read, Write] + +volumes: + logSizeLimit: 50Mi + tmpSizeLimit: 100Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for_migration: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-migration' + wait_for_createSchema: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema' + wait_for_cassandra: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/aai/components/aai-schema-service/Chart.yaml b/kubernetes/aai/components/aai-schema-service/Chart.yaml index 512090d00a..b10eaa2e43 100644 --- a/kubernetes/aai/components/aai-schema-service/Chart.yaml +++ b/kubernetes/aai/components/aai-schema-service/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP AAI Schema Service name: aai-schema-service -version: 15.0.0 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml index 957387158a..0490f4325a 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml @@ -19,11 +19,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-log namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/logback.xml").AsConfig . | indent 2 }} --- @@ -32,11 +28,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-localhost-access-log namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/localhost-access-logback.xml").AsConfig . | indent 2 }} --- @@ -45,11 +37,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-aaiconfig namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/aaiconfig.properties").AsConfig . | indent 2 }} --- @@ -58,11 +46,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-springapp namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/application.properties").AsConfig . | indent 2 }} --- @@ -71,10 +55,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-realm namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/realm.properties").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml index 725467019f..9fadcd7077 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml @@ -19,20 +19,7 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "" "labels" .Values.labels "annotations" .Values.annotations ) | nindent 2 }} spec: {{- if .Values.debug.enabled }} replicas: 1 @@ -51,24 +38,30 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + - command: ["cp", "-R", "/opt/app/aai-schema-service/.", "/opt/app/aai-schema-service_rw/"] + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: copy-base-folder + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: + limits: + cpu: 100m + memory: 200Mi + requests: + cpu: 3m + memory: 20Mi + volumeMounts: + - mountPath: /opt/app/aai-schema-service_rw + name: aai-schema-service containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: {{- if .Values.profiling.enabled }} - name: PRE_JVM_ARGS @@ -79,6 +72,8 @@ spec: value: {{ .Values.debug.args | quote }} {{- end }} volumeMounts: + - mountPath: /opt/app/aai-schema-service + name: aai-schema-service - mountPath: /opt/app/aai-schema-service/resources/etc/appprops/aaiconfig.properties name: aaiconfig-conf subPath: aaiconfig.properties @@ -138,8 +133,12 @@ spec: - name: aai-common-aai-auth-mount secret: secretName: aai-common-aai-auth + - name: aai-schema-service + emptyDir: + sizeLimit: {{ .Values.volumes.aaiSizeLimit }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: log-conf configMap: diff --git a/kubernetes/aai/components/aai-schema-service/templates/service.yaml b/kubernetes/aai/components/aai-schema-service/templates/service.yaml index 412b62c6fe..de0270f592 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/service.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/service.yaml @@ -19,12 +19,7 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -45,6 +40,4 @@ spec: name: {{ .Values.service.debugPortName }} targetPort: {{ .Values.service.debugPortName }} {{- end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml index 0ffeb55dd5..3763db940e 100644 --- a/kubernetes/aai/components/aai-schema-service/values.yaml +++ b/kubernetes/aai/components/aai-schema-service/values.yaml @@ -178,3 +178,10 @@ log: level: root: INFO logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 50Mi + aaiSizeLimit: 150Mi + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/aai/components/aai-sparky-be/Chart.yaml b/kubernetes/aai/components/aai-sparky-be/Chart.yaml index 9c9185baf3..074e266228 100644 --- a/kubernetes/aai/components/aai-sparky-be/Chart.yaml +++ b/kubernetes/aai/components/aai-sparky-be/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP AAI sparky-be name: aai-sparky-be -version: 15.0.0 +version: 15.0.1 dependencies: - name: common @@ -29,3 +29,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml index 7c958fa410..407850eb7f 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml @@ -17,13 +17,6 @@ --- apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/application/*").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml index 28fe1d5c99..ede5b60676 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml @@ -38,32 +38,14 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --service-name - - aai - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" . | nindent 8 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} command: - sh args: @@ -158,9 +140,11 @@ spec: configMap: name: {{ include "common.fullname" . }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: modeldir - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.modeldirSizeLimit }} restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml index c4b90d30ca..9cbe9e5fd2 100644 --- a/kubernetes/aai/components/aai-sparky-be/values.yaml +++ b/kubernetes/aai/components/aai-sparky-be/values.yaml @@ -128,23 +128,24 @@ serviceMesh: podAnnotations: sidecar.istio.io/rewriteAppHTTPProbers: "false" + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' # Configure resource requests and limits # ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: small: limits: - cpu: "0.5" + cpu: "500m" memory: "4Gi" requests: - cpu: "0.25" + cpu: "250m" memory: "1Gi" large: limits: cpu: "1" memory: "8Gi" requests: - cpu: "0.5" + cpu: "500m" memory: "2Gi" unlimited: {} @@ -158,3 +159,16 @@ serviceAccount: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 64Mi + modeldirSizeLimit: 64Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for: + services: + - aai diff --git a/kubernetes/aai/components/aai-traversal/Chart.yaml b/kubernetes/aai/components/aai-traversal/Chart.yaml index e9545b703f..f4e458f0fb 100644 --- a/kubernetes/aai/components/aai-traversal/Chart.yaml +++ b/kubernetes/aai/components/aai-traversal/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP AAI traversal name: aai-traversal -version: 15.0.0 +version: 15.0.1 dependencies: - name: common @@ -29,3 +29,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml b/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml index 7c6a252315..966e5663f2 100644 --- a/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml +++ b/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml @@ -17,7 +17,7 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: name: {{ include "common.release" . }}-{{ .Values.global.aaiTravKafkaUser }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: diff --git a/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml b/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml index 76d2611f16..a14a9b5bda 100644 --- a/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml @@ -1,14 +1,7 @@ {{- if .Values.autoscaling.enabled }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: scaleTargetRef: apiVersion: apps/v1 diff --git a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml index 905c21f4b3..e9415df278 100644 --- a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml @@ -18,14 +18,7 @@ apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml index 6d97b0e7e8..d12fc6b702 100644 --- a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml @@ -20,20 +20,7 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: {{- if or .Values.config.debug.enabled .Values.config.profiling.enabled }} replicas: 1 @@ -53,19 +40,7 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} {{- if .Values.global.msbEnabled }} {{ $values := .Values }} msb.onap.org/service-info: '[ @@ -119,43 +94,19 @@ spec: hostname: aai-traversal terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} initContainers: - - command: - - /app/ready.py - args: {{- if .Values.global.jobs.migration.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-migration - {{- else }} - {{- if .Values.global.jobs.createSchema.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-create-db-schema - {{- else }} - - --service-name - - {{ .Values.global.cassandra.serviceName }} - - --service-name - - aai-schema-service - {{- end }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_migration) | nindent 8 }} + {{- else if .Values.global.jobs.createSchema.enabled }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_createSchema) | nindent 8 }} + {{- else }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_cassandra) | nindent 8 }} {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: {{- if .Values.config.env }} {{- range $key,$value := .Values.config.env }} @@ -219,6 +170,8 @@ spec: - mountPath: /opt/app/aai-traversal/resources/application-keycloak.properties name: {{ include "common.fullname" . }}-config subPath: application-keycloak.properties + - mountPath: /tmp + name: tmp ports: - containerPort: {{ .Values.service.traversalPort }} name: {{ .Values.service.traversalPortName }} @@ -277,9 +230,14 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} - name: {{ include "common.fullname" . }}-logs-misc - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logmiscSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: diff --git a/kubernetes/aai/components/aai-traversal/templates/job.yaml b/kubernetes/aai/components/aai-traversal/templates/job.yaml index db90f824ef..3ea973fb99 100644 --- a/kubernetes/aai/components/aai-traversal/templates/job.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/job.yaml @@ -24,11 +24,7 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-update-query-data namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{ if .Values.global.jobs.migration.enabled }} annotations: "helm.sh/hook": post-upgrade,post-rollback,post-install @@ -38,33 +34,12 @@ metadata: spec: template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --service-name - - aai - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_service) | nindent 6 }} - name: {{ include "common.name" . }}-wait-for-aai-haproxy image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -85,6 +60,16 @@ spec: requests: cpu: "3m" memory: "20Mi" + securityContext: + runAsUser: 100 + runAsGroup: 65533 + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -101,6 +86,7 @@ spec: sh -x /opt/app/aai-traversal/bin/install/updateQueryData.sh ; {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-realtime.properties @@ -127,9 +113,11 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} - name: {{ include "common.fullname" . }}-logs-misc - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logmiscSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: diff --git a/kubernetes/aai/components/aai-traversal/templates/service.yaml b/kubernetes/aai/components/aai-traversal/templates/service.yaml index 49ed56306a..60e8efc2ad 100644 --- a/kubernetes/aai/components/aai-traversal/templates/service.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/service.yaml @@ -19,12 +19,7 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -54,8 +49,6 @@ spec: name: {{ .Values.service.metricsPortName }} targetPort: {{ .Values.service.metricsPortName }} {{- end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} clusterIP: None sessionAffinity: {{ .Values.service.sessionAffinity }} diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml index e19ea65b9c..fd8206865e 100644 --- a/kubernetes/aai/components/aai-traversal/values.yaml +++ b/kubernetes/aai/components/aai-traversal/values.yaml @@ -111,7 +111,7 @@ global: # global defaults someConfig: random # application image -image: onap/aai-traversal:1.15.1 +image: onap/aai-traversal:1.15.2 pullPolicy: Always restartPolicy: Always flavor: small @@ -353,6 +353,9 @@ endpoints: info: enabled: true +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + metrics: serviceMonitor: enabled: true @@ -383,9 +386,9 @@ metrics: ## selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' ## RelabelConfigs to apply to samples before scraping ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig @@ -418,6 +421,30 @@ log: root: INFO base: INFO # base package (org.onap.aai) logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 50Mi + logmiscSizeLimit: 50Mi + tmpSizeLimit: 100Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for_migration: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-migration' + wait_for_createSchema: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema' + wait_for_cassandra: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service + wait_for_service: + services: + - aai ################################################################# # Secrets metaconfig ################################################################# diff --git a/kubernetes/aai/resources/config/haproxy/resolvers.conf b/kubernetes/aai/resources/config/haproxy/resolvers.conf new file mode 100644 index 0000000000..c456e3526a --- /dev/null +++ b/kubernetes/aai/resources/config/haproxy/resolvers.conf @@ -0,0 +1,3 @@ +resolvers kubernetes + nameserver dns1 {{.Values.config.NAME_SERVER}}:53 + hold valid 1s diff --git a/kubernetes/aai/templates/authorizationpolicy.yaml b/kubernetes/aai/templates/authorizationpolicy.yaml index fa59f52f35..f48e06eab4 100644 --- a/kubernetes/aai/templates/authorizationpolicy.yaml +++ b/kubernetes/aai/templates/authorizationpolicy.yaml @@ -27,6 +27,7 @@ kind: AuthorizationPolicy metadata: name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}} namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} spec: selector: matchLabels: diff --git a/kubernetes/aai/templates/configmap.yaml b/kubernetes/aai/templates/configmap.yaml index dac36d729d..c66af502ac 100644 --- a/kubernetes/aai/templates/configmap.yaml +++ b/kubernetes/aai/templates/configmap.yaml @@ -22,12 +22,9 @@ kind: ConfigMap metadata: name: aai-deployment-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: +{{ tpl (.Files.Glob "resources/config/haproxy/resolvers.conf").AsConfig . | indent 2 }} {{ if .Values.global.installSidecarSecurity }} {{ tpl (.Files.Glob "resources/config/haproxy/haproxy-pluggable-security.cfg").AsConfig . | indent 2 }} {{ else }} @@ -40,6 +37,7 @@ kind: Secret metadata: name: aai-fproxy-auth-certs namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/fproxy/auth/*").AsSecrets . | indent 2 }} @@ -49,6 +47,7 @@ kind: Secret metadata: name: aai-rproxy-auth-certs namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/rproxy/auth/*").AsSecrets . | indent 2 }} @@ -58,6 +57,7 @@ kind: Secret metadata: name: aai-rproxy-security-config namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/rproxy/security/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml index 58bbc8af78..a743592036 100644 --- a/kubernetes/aai/templates/deployment.yaml +++ b/kubernetes/aai/templates/deployment.yaml @@ -18,20 +18,7 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: matchLabels: @@ -46,59 +33,48 @@ spec: maxSurge: {{ .Values.updateStrategy.maxSurge }} {{- end }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.release" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --service-name - - aai-resources - - --service-name - - aai-traversal - - --service-name - - aai-graphadmin - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} + {{ include "common.readinessCheck.waitFor" . | indent 6 | trim}} + - command: ["/bin/sh","-c"] + args: ['cp -R /usr/local/etc/haproxy /usr/local/etc/haproxy_rw/'] + image: '{{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}' imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + name: copy-haproxy-config resources: - requests: - memory: {{ .Values.haproxy.initContainers.resources.memory }} - cpu: {{ .Values.haproxy.initContainers.resources.cpu }} limits: - memory: {{ .Values.haproxy.initContainers.resources.memory }} - cpu: {{ .Values.haproxy.initContainers.resources.cpu }} + cpu: 100m + memory: 200Mi + requests: + cpu: 2m + memory: 100Mi + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /usr/local/etc/haproxy_rw + name: haproxy-etc containers: - name: {{ include "common.name" . }} - image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}" + image: '{{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}' imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: + - mountPath: /usr/local/etc/haproxy + name: haproxy-etc + - mountPath: /usr/local/etc/haproxy/resolvers.conf + name: haproxy-config + subPath: resolvers.conf + readOnly: true - mountPath: /usr/local/etc/haproxy/haproxy.cfg {{ if .Values.global.installSidecarSecurity }} subPath: haproxy-pluggable-security.cfg {{ else }} subPath: haproxy.cfg {{ end }} - name: haproxy-cfg + name: haproxy-config ports: - containerPort: {{ .Values.service.internalPort }} name: {{ .Values.service.portName }} @@ -113,7 +89,11 @@ spec: initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: {{ include "common.resources" . | nindent 10 }} readinessProbe: + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} httpGet: path: /aai/util/echo port: {{ .Values.service.internalPort }} @@ -129,9 +109,6 @@ spec: value: OOM_ReadinessCheck_TID - name: Accept value: application/json - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} @@ -142,7 +119,10 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: haproxy-cfg - configMap: - name: aai-deployment-configmap + - name: haproxy-config + configMap: + name: aai-deployment-configmap + - name: haproxy-etc + emptyDir: + sizeLimit: {{ .Values.volumes.haProxySizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/templates/secret.yaml b/kubernetes/aai/templates/secret.yaml index d868b9582e..1a592a0801 100644 --- a/kubernetes/aai/templates/secret.yaml +++ b/kubernetes/aai/templates/secret.yaml @@ -19,11 +19,7 @@ kind: Secret metadata: name: aai-common-aai-auth namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }} @@ -33,6 +29,7 @@ kind: Secret metadata: name: aai-common-truststore namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/aai/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/templates/service.yaml b/kubernetes/aai/templates/service.yaml index b5a8cc1a0d..1509311a2b 100644 --- a/kubernetes/aai/templates/service.yaml +++ b/kubernetes/aai/templates/service.yaml @@ -19,12 +19,7 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: ports: - name: {{ .Values.service.portName }} @@ -36,8 +31,7 @@ spec: {{ end }} {{- end }} type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}{{ .Values.service.type }}{{ end }} - selector: - app: {{ include "common.name" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} sessionAffinity: {{ .Values.service.sessionAffinity }} --- apiVersion: v1 @@ -45,38 +39,26 @@ kind: Service metadata: name: {{ include "common.servicename" . }}-internal namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: ports: - name: {{ .Values.service.portName }} port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} type: ClusterIP - selector: - app: {{ include "common.name" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} --- apiVersion: v1 kind: Service metadata: name: {{ include "common.servicename" . }}-metrics namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-metrics - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: ports: - port: {{ .Values.metricsService.externalPort }} targetPort: {{ .Values.metricsService.internalPort }} name: {{ .Values.metricsService.portName }} type: {{ .Values.metricsService.type }} - selector: - app: {{ include "common.name" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} clusterIP: None diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml index e129220e23..a000d2f934 100644 --- a/kubernetes/aai/values.yaml +++ b/kubernetes/aai/values.yaml @@ -309,7 +309,7 @@ aai-traversal: # application image dockerhubRepository: registry.hub.docker.com -image: onap/aai-haproxy:1.11.0 +image: onap/aai-haproxy:1.15.2 pullPolicy: Always flavor: small @@ -321,6 +321,9 @@ debugEnabled: false config: logstashServiceName: log-ls logstashPort: 5044 + # IP address of name server is needed in nginx configuration. The secure endpoint for logging with Keycloak need the ip address in the config file. + # You can find this ip address in the /etc/resolv.conf This file is generated by k8s. The name server ip address is in all k8s cluster the same. + NAME_SERVER: coredns.kube-system # default number of instances replicaCount: 1 @@ -408,9 +411,9 @@ metrics: selector: app: '{{ include "common.name" . }}-metrics' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' relabelings: [] @@ -459,15 +462,15 @@ resources: cpu: "2" memory: "4Gi" requests: - cpu: "1" - memory: "1.2Gi" + cpu: "500m" + memory: "1200Mi" large: limits: cpu: "4" memory: "8Gi" requests: - cpu: "2" - memory: "2.4Gi" + cpu: "1" + memory: "2400Mi" unlimited: {} #Pods Service Account @@ -475,3 +478,20 @@ serviceAccount: nameOverride: aai roles: - read + +securityContext: + user_id: 99 + group_id: 99 + +readinessCheck: + wait_for: + services: + - aai-resources + - aai-traversal + - aai-graphadmin + +volumes: + haProxySizeLimit: 20Mi + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' |