[OOM] Fixing k8s ServiceAccounts

Adding service account for the jobs Cleanup MSB, ES and other common charts from AAF dependencies Issue-ID: OOM-3199 Issue-ID: OOM-3114 Issue-ID: OOM-3116 Change-Id: I55bf80876c9fb3b110e538ed1a5504e0dc1d4e1a Signed-off-by: vladimir turok <vladimir.turok@t-systems.com>
author: vladimir turok <vladimir.turok@t-systems.com> 2023-07-27 16:28:36 +0200
committer: Andreas Geissler <andreas-geissler@telekom.de> 2023-08-07 18:34:04 +0200
commit: d804418c890dde93bff26125b8cf1a9fd7fc82d1 (patch)
tree: 5c8d93188819e6a913f8e0566d061607b5be9095 /kubernetes/msb
parent: 7a34dfca27abc3a13f89ed8d6b87e4aa7be9613f (diff)
10 files changed, 11 insertions, 182 deletions
diff --git a/kubernetes/msb/components/msb-eag/Chart.yaml b/kubernetes/msb/components/msb-eag/Chart.yaml
index 53c66f7bfa..d42c99388d 100644
--- a/kubernetes/msb/components/msb-eag/Chart.yaml
+++ b/kubernetes/msb/components/msb-eag/Chart.yaml
@@ -25,9 +25,6 @@ dependencies:
   - name: repositoryGenerator
     version: ~13.x-0
     repository: '@local'
-  - name: certInitializer
-    version: ~13.x-0
-    repository: '@local'
   - name: serviceAccount
     version: ~13.x-0
     repository: '@local'
diff --git a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf
deleted file mode 100644
index 70125753ed..0000000000
--- a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-{{/*
-#
-# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE)
-# Copyright © 2021 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-*/}}
-server {
-  listen 443 ssl;
-  ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt;
-  ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key;
-  ssl_protocols TLSv1.1 TLSv1.2;
-  ssl_dhparam ../ssl/dh-pubkey/dhparams.pem;
-  include ../msb-enabled/location-default/msblocations.conf;
-  # Add below settings for making SDC to work
-  underscores_in_headers on;
-}
-\ No newline at end of file
diff --git a/kubernetes/msb/components/msb-eag/templates/configmap.yaml b/kubernetes/msb/components/msb-eag/templates/configmap.yaml
index 30c0a80209..62bbf4272a 100644
--- a/kubernetes/msb/components/msb-eag/templates/configmap.yaml
+++ b/kubernetes/msb/components/msb-eag/templates/configmap.yaml
@@ -21,11 +21,4 @@ metadata:
   namespace: {{ include "common.namespace" . }}
 data:
 {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "common.fullname" . }}-nginx
-  namespace: {{ include "common.namespace" . }}
-data:
-{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }}
+
diff --git a/kubernetes/msb/components/msb-eag/templates/deployment.yaml b/kubernetes/msb/components/msb-eag/templates/deployment.yaml
index cbab98b9fa..ee6db2dc30 100644
--- a/kubernetes/msb/components/msb-eag/templates/deployment.yaml
+++ b/kubernetes/msb/components/msb-eag/templates/deployment.yaml
@@ -24,7 +24,6 @@ spec:
     metadata: {{- include "common.templateMetadata" . | nindent 6 }}
     spec:
       initContainers:
-      {{ include "common.certInitializer.initContainer" . | indent 6 | trim }}
       - command:
         - /app/ready.py
         args:
@@ -49,13 +48,13 @@ spec:
           {{- if eq .Values.liveness.enabled true }}
           livenessProbe:
             tcpSocket:
-              port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+              port: {{ .Values.service.internalPort }}
             initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
             periodSeconds: {{ .Values.liveness.periodSeconds }}
           {{ end -}}
           readinessProbe:
             tcpSocket:
-              port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+              port: {{ .Values.service.internalPort }}
             initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
             periodSeconds: {{ .Values.readiness.periodSeconds }}
           env:
@@ -66,17 +65,11 @@ spec:
           - name: ROUTE_LABELS
             value: {{ .Values.config.routeLabels }}
           volumeMounts:
-          {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }}
           - mountPath: /etc/localtime
             name: localtime
             readOnly: true
           - mountPath: /usr/local/apiroute-works/logs
             name: {{ include "common.fullname" . }}-logs
-          {{- if (include "common.needTLS" .) }}
-          - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf
-            name: {{ include "common.fullname" . }}-nginx-conf
-            subPath: msbhttps.conf
-          {{- end }}
           resources: {{ include "common.resources" . | nindent 12 }}
         {{- if .Values.nodeSelector }}
         nodeSelector:
@@ -90,15 +83,9 @@ spec:
         {{ include "common.log.sidecar" . | nindent 8 }}
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes:
-        {{ include "common.certInitializer.volumes" . | indent 8 | trim }}
         - name: {{ include "common.fullname" . }}-log-conf
           configMap:
             name: {{ include "common.fullname" . }}-log
-        {{- if (include "common.needTLS" .) }}
-        - name: {{ include "common.fullname" . }}-nginx-conf
-          configMap:
-            name: {{ include "common.fullname" . }}-nginx
-        {{- end }}
         {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }}
         - name:  {{ include "common.fullname" . }}-logs
           emptyDir: {}
diff --git a/kubernetes/msb/components/msb-eag/values.yaml b/kubernetes/msb/components/msb-eag/values.yaml
index 836673ffb1..d66c4a8e13 100644
--- a/kubernetes/msb/components/msb-eag/values.yaml
+++ b/kubernetes/msb/components/msb-eag/values.yaml
@@ -19,36 +19,6 @@ global:
   nodePortPrefix: 302
 
 #################################################################
-# AAF part
-#################################################################
-certInitializer:
-  nameOverride: msb-eag-cert-initializer
-  aafDeployFqi: deployer@people.osaaf.org
-  aafDeployPass: demo123456!
-  # aafDeployCredsExternalSecret: some secret
-  fqdn: msb-eag
-  fqi: msb-eag@msb-eag.onap.org
-  fqi_namespace: org.onap.msb-eag
-  public_fqdn: msb-eag.onap.org
-  cadi_longitude: "0.0"
-  cadi_latitude: "0.0"
-  app_ns: org.osaaf.aaf
-  credsPath: /opt/app/osaaf/local
-  aaf_add_config: |
-    mkdir -p {{ .Values.credsPath }}/certs
-    echo "*** retrieve certificate from pkcs12"
-    openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
-      -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
-      -passin pass:$cadi_keystore_password_p12 \
-      -passout pass:$cadi_keystore_password_p12
-    echo "*** copy key to relevant place"
-    cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
-    echo "*** change ownership and read/write attributes"
-    chown -R 1000 {{ .Values.credsPath }}/certs
-    chmod 600 {{ .Values.credsPath }}/certs/cert.crt
-    chmod 600 {{ .Values.credsPath }}/certs/cert.key
-
-#################################################################
 # Application configuration defaults.
 #################################################################
 # application image
@@ -82,15 +52,12 @@ readiness:
 service:
   type: NodePort
   name: msb-eag
-  both_tls_and_plain: true
   # for liveness and readiness probe only
   # internalPort:
-  internalPort: 443
-  internalPlainPort: 80
+  internalPort: 80
   ports:
     - name: msb-eag
-      port: 443
-      plain_port: 80
+      port: 80
       port_protocol: http
       nodePort: '84'
 
@@ -99,8 +66,7 @@ ingress:
   service:
     - baseaddr: "msb-eag-ui"
       name: "msb-eag"
-      port: 443
-      plain_port: 80
+      port: 80
   config:
     ssl: "redirect"
 
diff --git a/kubernetes/msb/components/msb-iag/Chart.yaml b/kubernetes/msb/components/msb-iag/Chart.yaml
index f7cb95b81e..50fa020c8b 100644
--- a/kubernetes/msb/components/msb-iag/Chart.yaml
+++ b/kubernetes/msb/components/msb-iag/Chart.yaml
@@ -25,9 +25,6 @@ dependencies:
   - name: repositoryGenerator
     version: ~13.x-0
     repository: '@local'
-  - name: certInitializer
-    version: ~13.x-0
-    repository: '@local'
   - name: serviceAccount
     version: ~13.x-0
     repository: '@local'
diff --git a/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf
deleted file mode 100644
index 70125753ed..0000000000
--- a/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-{{/*
-#
-# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE)
-# Copyright © 2021 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-*/}}
-server {
-  listen 443 ssl;
-  ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt;
-  ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key;
-  ssl_protocols TLSv1.1 TLSv1.2;
-  ssl_dhparam ../ssl/dh-pubkey/dhparams.pem;
-  include ../msb-enabled/location-default/msblocations.conf;
-  # Add below settings for making SDC to work
-  underscores_in_headers on;
-}
-\ No newline at end of file
diff --git a/kubernetes/msb/components/msb-iag/templates/configmap.yaml b/kubernetes/msb/components/msb-iag/templates/configmap.yaml
index 30c0a80209..7214c8a95f 100644
--- a/kubernetes/msb/components/msb-iag/templates/configmap.yaml
+++ b/kubernetes/msb/components/msb-iag/templates/configmap.yaml
@@ -21,11 +21,3 @@ metadata:
   namespace: {{ include "common.namespace" . }}
 data:
 {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "common.fullname" . }}-nginx
-  namespace: {{ include "common.namespace" . }}
-data:
-{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/msb/components/msb-iag/templates/deployment.yaml b/kubernetes/msb/components/msb-iag/templates/deployment.yaml
index cbab98b9fa..ee6db2dc30 100644
--- a/kubernetes/msb/components/msb-iag/templates/deployment.yaml
+++ b/kubernetes/msb/components/msb-iag/templates/deployment.yaml
@@ -24,7 +24,6 @@ spec:
     metadata: {{- include "common.templateMetadata" . | nindent 6 }}
     spec:
       initContainers:
-      {{ include "common.certInitializer.initContainer" . | indent 6 | trim }}
       - command:
         - /app/ready.py
         args:
@@ -49,13 +48,13 @@ spec:
           {{- if eq .Values.liveness.enabled true }}
           livenessProbe:
             tcpSocket:
-              port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+              port: {{ .Values.service.internalPort }}
             initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
             periodSeconds: {{ .Values.liveness.periodSeconds }}
           {{ end -}}
           readinessProbe:
             tcpSocket:
-              port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+              port: {{ .Values.service.internalPort }}
             initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
             periodSeconds: {{ .Values.readiness.periodSeconds }}
           env:
@@ -66,17 +65,11 @@ spec:
           - name: ROUTE_LABELS
             value: {{ .Values.config.routeLabels }}
           volumeMounts:
-          {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }}
           - mountPath: /etc/localtime
             name: localtime
             readOnly: true
           - mountPath: /usr/local/apiroute-works/logs
             name: {{ include "common.fullname" . }}-logs
-          {{- if (include "common.needTLS" .) }}
-          - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf
-            name: {{ include "common.fullname" . }}-nginx-conf
-            subPath: msbhttps.conf
-          {{- end }}
           resources: {{ include "common.resources" . | nindent 12 }}
         {{- if .Values.nodeSelector }}
         nodeSelector:
@@ -90,15 +83,9 @@ spec:
         {{ include "common.log.sidecar" . | nindent 8 }}
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes:
-        {{ include "common.certInitializer.volumes" . | indent 8 | trim }}
         - name: {{ include "common.fullname" . }}-log-conf
           configMap:
             name: {{ include "common.fullname" . }}-log
-        {{- if (include "common.needTLS" .) }}
-        - name: {{ include "common.fullname" . }}-nginx-conf
-          configMap:
-            name: {{ include "common.fullname" . }}-nginx
-        {{- end }}
         {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }}
         - name:  {{ include "common.fullname" . }}-logs
           emptyDir: {}
diff --git a/kubernetes/msb/components/msb-iag/values.yaml b/kubernetes/msb/components/msb-iag/values.yaml
index 004a1a7840..5c455d8984 100644
--- a/kubernetes/msb/components/msb-iag/values.yaml
+++ b/kubernetes/msb/components/msb-iag/values.yaml
@@ -19,36 +19,6 @@ global:
   nodePortPrefix: 302
 
 #################################################################
-# AAF part
-#################################################################
-certInitializer:
-  nameOverride: msb-iag-cert-initializer
-  aafDeployFqi: deployer@people.osaaf.org
-  aafDeployPass: demo123456!
-  # aafDeployCredsExternalSecret: some secret
-  fqdn: msb-iag
-  fqi: msb-iag@msb-iag.onap.org
-  fqi_namespace: org.onap.msb-iag
-  public_fqdn: msb-iag.onap.org
-  cadi_longitude: "0.0"
-  cadi_latitude: "0.0"
-  app_ns: org.osaaf.aaf
-  credsPath: /opt/app/osaaf/local
-  aaf_add_config: |
-    mkdir -p {{ .Values.credsPath }}/certs
-    echo "*** retrieve certificate from pkcs12"
-    openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
-      -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
-      -passin pass:$cadi_keystore_password_p12 \
-      -passout pass:$cadi_keystore_password_p12
-    echo "*** copy key to relevant place"
-    cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
-    echo "*** change ownership and read/write attributes"
-    chown -R 1000 {{ .Values.credsPath }}/certs
-    chmod 600 {{ .Values.credsPath }}/certs/cert.crt
-    chmod 600 {{ .Values.credsPath }}/certs/cert.key
-
-#################################################################
 # Application configuration defaults.
 #################################################################
 # application image
@@ -82,15 +52,12 @@ readiness:
 service:
   type: NodePort
   name: msb-iag
-  both_tls_and_plain: true
   # for liveness and readiness probe only
   # internalPort:
-  internalPort: 443
-  internalPlainPort: 80
+  internalPort: 80
   ports:
     - name: msb-iag
-      port: 443
-      plain_port: 80
+      port: 80
       port_protocol: http
       nodePort: '83'
 
@@ -99,8 +66,7 @@ ingress:
   service:
     - baseaddr: "msb-iag-ui"
       name: "msb-iag"
-      port: 443
-      plain_port: 80
+      port: 80
   config:
     ssl: "redirect"
author	vladimir turok <vladimir.turok@t-systems.com>	2023-07-27 16:28:36 +0200
committer	Andreas Geissler <andreas-geissler@telekom.de>	2023-08-07 18:34:04 +0200
commit	d804418c890dde93bff26125b8cf1a9fd7fc82d1 (patch)
tree	5c8d93188819e6a913f8e0566d061607b5be9095 /kubernetes/msb
parent	7a34dfca27abc3a13f89ed8d6b87e4aa7be9613f (diff)