summaryrefslogtreecommitdiffstats
path: root/kubernetes
diff options
context:
space:
mode:
authorVijay Venkatesh Kumar <vv770d@att.com>2020-02-20 21:50:14 +0000
committerVijay Venkatesh Kumar <vv770d@att.com>2020-02-27 21:54:11 +0000
commit694394bbd53bbeca17b7f99dc3a635e422817d25 (patch)
tree4b09fc3d237badc3b6394d9316acde6cbeda2c0e /kubernetes
parent86de3eeeda61299847aa24f3e61f13c8e0b94322 (diff)
dcae sec updates for dashboard and inventory
- Dashboard switched to https + non-root + portal sdk 2.6.0 - InventoryAPI keystore pwd read from file and filebeat support Change-Id: I40d2f6a8414f0a8fc8ed7b60ed0118e69cdbb2fd Signed-off-by: Vijay Venkatesh Kumar <vv770d@att.com> Issue-ID: DCAEGEN2-1592 Issue-ID: OJSI-159 Signed-off-by: Vijay Venkatesh Kumar <vv770d@att.com>
Diffstat (limited to 'kubernetes')
-rw-r--r--kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml2
-rw-r--r--kubernetes/dcaegen2/components/dcae-dashboard/values.yaml8
-rw-r--r--kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json2
-rw-r--r--kubernetes/dcaegen2/components/dcae-inventory-api/resources/log/filebeat.yml72
-rw-r--r--kubernetes/dcaegen2/components/dcae-inventory-api/templates/configmap.yaml8
-rw-r--r--kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml29
-rw-r--r--kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml2
7 files changed, 117 insertions, 6 deletions
diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml
index 116a77fd8b..a926fb396b 100644
--- a/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml
+++ b/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml
@@ -104,6 +104,8 @@ spec:
volumeMounts:
- mountPath: /usr/local/share/ca-certificates/
name: tls-info
+ - mountPath: /opt/logs/dcae/dashboard
+ name: component-log
env:
- name: CONSUL_HOST
value: consul-server.{{ include "common.namespace" . }}
diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml
index 03cb99ad14..22076e5c6a 100644
--- a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml
+++ b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml
@@ -44,7 +44,7 @@ config:
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.ccsdk.dashboard.ccsdk-app-os:1.1.0
+image: onap/org.onap.ccsdk.dashboard.ccsdk-app-os:1.3.0
pullPolicy: Always
# probe configuration parameters
@@ -60,13 +60,13 @@ readiness:
initialDelaySeconds: 30
periodSeconds: 30
path: /ccsdk-app/health
- scheme: HTTP
+ scheme: HTTPS
service:
type: NodePort
name: dashboard
- externalPort: 8080
- internalPort: 8080
+ externalPort: 8443
+ internalPort: 8443
nodePort: 18
# application configuration override for postgres
postgres:
diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json
index c8c7dd79f1..d9927314e1 100644
--- a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json
+++ b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json
@@ -36,7 +36,7 @@
"type": "https",
"port": 8080,
"keyStorePath": "/opt/cert/cert.jks",
- "keyStorePassword": "hD:!w:CxF]lGvM6Mz9l^j[7U",
+ "keyStorePassword": "/opt/cert/jks.pass",
"keyStoreType": "JKS"
}]
}
diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/log/filebeat.yml b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/log/filebeat.yml
new file mode 100644
index 0000000000..0e5ee9bffa
--- /dev/null
+++ b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/log/filebeat.yml
@@ -0,0 +1,72 @@
+#============LICENSE_START========================================================
+# ================================================================================
+# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2018 Amdocs, Bell Canada
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+filebeat.prospectors:
+#it is mandatory, in our case it's log
+- input_type: log
+ #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory.
+ paths:
+ - /var/log/onap/*/*/*/*.log
+ - /var/log/onap/*/*/*.log
+ - /var/log/onap/*/*.log
+ #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive
+ ignore_older: 48h
+ # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit
+ clean_inactive: 96h
+
+
+# Name of the registry file. If a relative path is used, it is considered relative to the
+# data path. Else full qualified file name.
+#filebeat.registry_file: ${path.data}/registry
+
+
+output.logstash:
+ #List of logstash server ip addresses with port number.
+ #But, in our case, this will be the loadbalancer IP address.
+ #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately.
+ hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"]
+ #If enable will do load balancing among availabe Logstash, automatically.
+ loadbalance: true
+
+ #The list of root certificates for server verifications.
+ #If certificate_authorities is empty or not set, the trusted
+ #certificate authorities of the host system are used.
+ #ssl.certificate_authorities: $ssl.certificate_authorities
+
+ #The path to the certificate for SSL client authentication. If the certificate is not specified,
+ #client authentication is not available.
+ #ssl.certificate: $ssl.certificate
+
+ #The client certificate key used for client authentication.
+ #ssl.key: $ssl.key
+
+ #The passphrase used to decrypt an encrypted key stored in the configured key file
+ #ssl.key_passphrase: $ssl.key_passphrase
+
+logging:
+ level: debug
+
+ # enable file rotation with default configuration
+ to_files: true
+
+ # do not log to syslog
+ to_syslog: false
+
+ files:
+ path: /usr/share/filebeat/logs
+ name: mybeat.log
+ keepfiles: 7
diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/configmap.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/configmap.yaml
index 96ba64f945..5b7a244835 100644
--- a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/configmap.yaml
+++ b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/configmap.yaml
@@ -24,3 +24,11 @@ metadata:
heritage: {{ .Release.Service }}
data:
{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{include "common.fullname" . }}-filebeat-configmap
+ namespace: {{include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/log/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml
index 2bfb01d970..f056079fe4 100644
--- a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml
+++ b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml
@@ -101,10 +101,38 @@ spec:
subPath: config.json
- mountPath: /opt/cert/
name: tls-info
+ - mountPath: /opt/logs/
+ name: component-log
env:
- name: CONSUL_HOST
value: consul.{{ include "common.namespace" . }}
+ - name: {{ include "common.name" . }}-filebeat
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ image: {{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}
+ imagePullPolicy: IfNotPresent
+ resources: {}
+ volumeMounts:
+ - mountPath: /var/log/onap/inventory
+ name: component-log
+ - mountPath: /usr/share/filebeat/data
+ name: filebeat-data
+ - mountPath: /usr/share/filebeat/filebeat.yml
+ name: filebeat-conf
+ subPath: filebeat.yml
volumes:
+ - emptyDir: {}
+ name: component-log
+ - emptyDir: {}
+ name: filebeat-data
+ - configMap:
+ defaultMode: 420
+ name: {{ include "common.fullname" . }}-filebeat-configmap
+ name: filebeat-conf
- name: {{ include "common.fullname" . }}-inv-config
configMap:
name: {{ include "common.fullname" . }}-configmap
@@ -112,3 +140,4 @@ spec:
name: tls-info
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
+
diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml
index 8e4430c37e..a6e51256b9 100644
--- a/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml
+++ b/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml
@@ -44,7 +44,7 @@ config:
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.inventory-api:3.4.0
+image: onap/org.onap.dcaegen2.platform.inventory-api:3.4.1
pullPolicy: Always