[COMMON] Update various common charts

- add kyverno policy fixes for cassandra Operator template
- add new mongodb-init chart
- new parameter in global values to support "NativeSidecar"
  which disables the deployment of the sidecar killer in jobs
- update of "killSideCar" function to use the new option

Issue-ID: OOM-3288
Issue-ID: OOM-3296

Change-Id: If7cafd10a14e9bc6b7843c0c2a62691c4e94ca71
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>

8 files changed, 372 insertions, 0 deletions

diff --git a/kubernetes/common/mongodb-init/.helmignore b/kubernetes/common/mongodb-init/.helmignore
new file mode 100644
index 0000000000..0bab41b6b1
--- /dev/null
+++ b/kubernetes/common/mongodb-init/.helmignore
@@ -0,0 +1,32 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
+components/
diff --git a/kubernetes/common/mongodb-init/Chart.yaml b/kubernetes/common/mongodb-init/Chart.yaml
new file mode 100644
index 0000000000..0cdeecf84b
--- /dev/null
+++ b/kubernetes/common/mongodb-init/Chart.yaml
@@ -0,0 +1,32 @@
+# Copyright © 2024 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v2
+description: Chart for MongoDB init job
+name: mongodb-init
+version: 13.0.2
+
+dependencies:
+  - name: common
+    version: ~13.x-0
+    repository: '@local'
+  - name: repositoryGenerator
+    version: ~13.x-0
+    repository: '@local'
+  - name: readinessCheck
+    version: ~13.x-0
+    repository: '@local'
+  - name: serviceAccount
+    version: ~13.x-0
+    repository: '@local'
diff --git a/kubernetes/common/mongodb-init/README.md b/kubernetes/common/mongodb-init/README.md
new file mode 100644
index 0000000000..aa6c735744
--- /dev/null
+++ b/kubernetes/common/mongodb-init/README.md
@@ -0,0 +1,16 @@
+# mongodb-init
+
+## Introduction
+
+Initialization scripts for mongo database.
+
+- not part of ONAP OOM yet
+
+## Requirements
+
+mongodb-init needs the following ONAP projects to work:
+
+- common/common
+- common/repositoryGenerator
+- common/serviceAccount
+- common/readinessCheck
diff --git a/kubernetes/common/mongodb-init/resources/config/setup.sql b/kubernetes/common/mongodb-init/resources/config/setup.sql
new file mode 100644
index 0000000000..452ee187df
--- /dev/null
+++ b/kubernetes/common/mongodb-init/resources/config/setup.sql
@@ -0,0 +1,11 @@
+// Database Setup
+use ${MONGO_DATABASE}
+
+// UserCreation Setup
+db.createUser(
+  {
+    user: "${MONGODB_USER}",
+    pwd: "${MONGODB_PASSWORD}",
+    roles: [ { role: "readWrite", db: "${MONGO_DATABASE}" } ]
+  }
+)
diff --git a/kubernetes/common/mongodb-init/templates/configmap.yaml b/kubernetes/common/mongodb-init/templates/configmap.yaml
new file mode 100644
index 0000000000..bde790f205
--- /dev/null
+++ b/kubernetes/common/mongodb-init/templates/configmap.yaml
@@ -0,0 +1,29 @@
+{{/*
+# Copyright © 2024 Deutsche Telekom
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.fullname" . }}
+  namespace: {{ include "common.namespace" . }}
+  labels:
+    app: {{ include "common.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ include "common.release" . }}
+    heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/common/mongodb-init/templates/job.yaml b/kubernetes/common/mongodb-init/templates/job.yaml
new file mode 100644
index 0000000000..5e232e26d3
--- /dev/null
+++ b/kubernetes/common/mongodb-init/templates/job.yaml
@@ -0,0 +1,129 @@
+{{/*
+# Copyright © 2024 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "common.fullname" . }}-config-job
+  namespace: {{ include "common.namespace" . }}
+  labels:
+    app: {{ include "common.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ include "common.release" . }}
+    heritage: {{ .Release.Service }}
+spec:
+  backoffLimit: 20
+  template:
+    metadata:
+      labels:
+        app: {{ include "common.name" . }}
+        release: {{ include "common.release" . }}
+      name: {{ include "common.name" . }}
+    spec:
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
+      initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }}
+      - name: {{ include "common.name" . }}-update-config
+        image: {{ include "repositoryGenerator.image.envsubst" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+        command:
+        - sh
+        args:
+        - -c
+        - |
+          function prepare_password {
+            echo -n $1 | sed -e "s/'/''/g"
+          }
+          export MONGODB_PASSWORD=`prepare_password $MONGODB_PASSWORD_INPUT`;
+          export MONGODB_ROOT_PASSWORD=`prepare_password $MONGODB_ROOT_PASSWORD_INPUT`;
+          export MONGODB_USER=`prepare_password $MONGODB_USER_INPUT`;
+          export MONGODB_ROOT_USER=`prepare_password $MONGODB_ROOT_USER_INPUT`;
+          {{- if include "common.onServiceMesh" . }}
+          echo "waiting 15s for istio side cars to be up"; sleep 15s;
+          {{- end }}
+          cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done;
+        env:
+        - name: MONGODB_HOST
+          value: "{{ .Values.global.mongodb.service.name }}"
+        - name: MONGODB_USER_INPUT
+          #value: "{{ .Values.config.mgUserName }}"
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" .Values.config.mgDatabase "key" "login") | indent 10 }}
+        - name: MONGODB_PASSWORD_INPUT
+          #value: "{{ .Values.config.mgUserPassword }}"
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" .Values.config.mgDatabase "key" "password") | indent 10 }}
+        - name: MONGO_DATABASE
+          value: "{{ .Values.config.mgDatabase }}"
+        - name: MONGODB_ROOT_USER_INPUT
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" .Values.config.mgRootUserKey) | indent 10 }}
+        - name: MONGODB_ROOT_PASSWORD_INPUT
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" .Values.config.mgRootPasswordKey) | indent 10 }}
+        volumeMounts:
+        - mountPath: /config-input/setup.sql
+          name: config
+          subPath: setup.sql
+        - mountPath: /config
+          name: mgconf
+      containers:
+      - name: {{ include "common.name" . }}-setup-db
+        image: {{ include "repositoryGenerator.image.mongodbImage" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+        command:
+        - sh
+        args:
+        - -c
+        - |
+          function prepare_password {
+            echo -n $1 | sed -e "s/'/''/g"
+          }
+          export MONGODB_ROOT_USER=`prepare_password $MONGODB_ROOT_USER_INPUT`;
+          export MONGODB_ROOT_PASSWORD=`prepare_password $MONGODB_ROOT_PASSWORD_INPUT`;
+          mongosh "mongodb://${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$MONGODB_HOST" < /config/setup.sql
+        env:
+        - name: MONGODB_HOST
+          value: "{{ .Values.global.mongodb.service.name }}"
+        - name: MONGODB_ROOT_USER_INPUT
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" "MONGODB_DATABASE_ADMIN_USER") | indent 10 }}
+        - name: MONGODB_ROOT_PASSWORD_INPUT
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" "MONGODB_DATABASE_ADMIN_PASSWORD") | indent 10 }}
+        volumeMounts:
+        - mountPath: /config-input/setup.sql
+          name: config
+          subPath: setup.sql
+        - mountPath: /config
+          name: mgconf
+        resources: {{ include "common.resources" . | nindent 10 }}
+      {{ include "common.waitForJobContainer" . | indent 6 | trim }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 10 }}
+      {{- end -}}
+      {{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | indent 10 }}
+      {{- end }}
+      serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
+      volumes:
+      - name: config
+        configMap:
+          name: {{ include "common.fullname" . }}
+      - name: mgconf
+        emptyDir:
+          medium: Memory
+          sizeLimit: 64Mi
+      restartPolicy: Never
+      imagePullSecrets:
+      - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/common/mongodb-init/templates/secrets.yaml b/kubernetes/common/mongodb-init/templates/secrets.yaml
new file mode 100644
index 0000000000..577d9d581e
--- /dev/null
+++ b/kubernetes/common/mongodb-init/templates/secrets.yaml
@@ -0,0 +1,15 @@
+{{/*
+# ## Copyright © 2024 Deutsche Telekom
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# #       http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+*/}}
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/common/mongodb-init/values.yaml b/kubernetes/common/mongodb-init/values.yaml
new file mode 100644
index 0000000000..478fab5cdd
--- /dev/null
+++ b/kubernetes/common/mongodb-init/values.yaml
@@ -0,0 +1,108 @@
+# Copyright © 2024 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+global:
+  mongodb:
+    service:
+      name: mgset
+    container:
+      name: mongodb
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+  - uid: '{{ include "common.mongodb.secret.rootPassUID" . }}'
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.config.mgExternalSecret) . }}'
+    password: '{{ .Values.config.mgRootPasswordKey }}'
+  - uid: '{{ .Values.config.mgDatabase }}'
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.config.mgUserExternalSecret) . }}'
+    login: '{{ .Values.config.mgUserName }}'
+    password: '{{ .Values.config.mgUserPassword }}'
+
+#################################################################
+# Application configuration defaults.
+#################################################################
+
+pullPolicy: Always
+
+# application configuration
+config:
+  mgUserName: testuser
+  mgUserPassword: testuser123
+  mgDatabase: testdb
+  mgDataPath: data
+  #mgRootPasswordExternalSecret: '{{ include "common.namespace" . }}-mongodb-db-root-password'
+  mgExternalSecret: '{{ include "common.name" . }}-mongo-secrets'
+  mgRootUserKey: MONGODB_DATABASE_ADMIN_USER
+  mgRootPasswordKey: MONGODB_DATABASE_ADMIN_PASSWORD
+  mgUserExternalSecret: '{{ include "common.release" . }}-{{ include "common.name" . }}-mg-secret'
+
+nodeSelector: {}
+
+affinity: {}
+
+flavor: small
+
+#resources: {}
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+#
+# Example:
+# Configure resource requests and limits
+# ref: http://kubernetes.io/docs/user-guide/compute-resources/
+# Minimum memory for development is 2 CPU cores and 4GB memory
+# Minimum memory for production is 4 CPU cores and 8GB memory
+resources:
+  small:
+    limits:
+      cpu: "100m"
+      memory: "0.3Gi"
+    requests:
+      cpu: "10m"
+      memory: "0.09Gi"
+  large:
+    limits:
+      cpu: "2"
+      memory: "4Gi"
+    requests:
+      cpu: "1"
+      memory: "2Gi"
+  unlimited: {}
+
+#Pods Service Account
+serviceAccount:
+  nameOverride: mongodb-init
+  roles:
+    - read
+
+securityContext:
+  user_id: 100
+  group_id: 65533
+
+readinessCheck:
+  wait_for:
+    services:
+      - '{{ .Values.global.mongodb.service.name }}'
+
+wait_for_job_container:
+  containers:
+    - '{{ include "common.name" . }}-setup-db'