diff options
37 files changed, 585 insertions, 143 deletions
diff --git a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties index ea799e2119..0beaf4a42a 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties +++ b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties @@ -1,6 +1,6 @@ {{/* # -# Copyright (c) 2017-2019 AT&T, IBM, Bell Canada, Nordix Foundation. +# Copyright (c) 2017-2022 AT&T, IBM, Bell Canada, Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -109,19 +109,70 @@ blueprintsprocessor.restclient.aai-data.additionalHeaders.X-FromAppId=cds-app-id blueprintsprocessor.restclient.aai-data.additionalHeaders.Accept=application/json # Self Service Request Kafka Message Consumer -blueprintsprocessor.messageconsumer.self-service-api.kafkaEnable=false -blueprintsprocessor.messageconsumer.self-service-api.type=kafka-basic-auth -blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers=message-router-kafka:9092 -blueprintsprocessor.messageconsumer.self-service-api.groupId=cds-consumer-group -blueprintsprocessor.messageconsumer.self-service-api.topic=cds-consumer -blueprintsprocessor.messageconsumer.self-service-api.clientId=cds-client -blueprintsprocessor.messageconsumer.self-service-api.pollMillSec=1000 +blueprintsprocessor.messageconsumer.self-service-api.kafkaEnable={{ .Values.kafkaRequestConsumer.enabled }} +blueprintsprocessor.messageconsumer.self-service-api.type={{ .Values.kafkaRequestConsumer.type }} +{{- if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +{{- else -}} +blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers={{ .Values.kafkaRequestConsumer.bootstrapServers }} +{{- end }} +blueprintsprocessor.messageconsumer.self-service-api.groupId={{ .Values.kafkaRequestConsumer.groupId }} +blueprintsprocessor.messageconsumer.self-service-api.topic={{ .Values.kafkaRequestConsumer.topic }} +blueprintsprocessor.messageconsumer.self-service-api.clientId={{ .Values.kafkaRequestConsumer.clientId }} +blueprintsprocessor.messageconsumer.self-service-api.pollMillSec={{ .Values.kafkaRequestConsumer.pollMillSec }} +{{- if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} +# SCRAM +blueprintsprocessor.messageconsumer.self-service-api.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} +blueprintsprocessor.messageconsumer.self-service-api.scramPassword=${JAAS_PASS} +{{ end }} # Self Service Response Kafka Message Producer -blueprintsprocessor.messageproducer.self-service-api.bootstrapServers=message-router-kafka:9092 - -# Kafka Audit Service Configurations -blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable=false +blueprintsprocessor.messageproducer.self-service-api.type={{ .Values.kafkaRequestProducer.type }} +{{- if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +{{- else -}} +blueprintsprocessor.messageproducer.self-service-api.bootstrapServers={{ .Values.kafkaRequestProducer.bootstrapServers }} +{{- end }} +blueprintsprocessor.messageproducer.self-service-api.clientId={{ .Values.kafkaRequestProducer.clientId }} +blueprintsprocessor.messageproducer.self-service-api.topic={{ .Values.kafkaRequestProducer.topic }} +{{- if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} +# SCRAM +blueprintsprocessor.messageproducer.self-service-api.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} +blueprintsprocessor.messageproducer.self-service-api.scramPassword=${JAAS_PASS} +{{ end }} + +# AUDIT KAFKA FEATURE CONFIGURATION +# Audit feature dumps CDS request to a topic as well as a truncated response message to another topic. +## Audit request +blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable={{ .Values.kafkaAuditRequest.enabled }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.type={{ .Values.kafkaAuditRequest.type }} +{{- if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +{{- else -}} +blueprintsprocessor.messageproducer.self-service-api.audit.request.bootstrapServers={{ .Values.kafkaAuditRequest.bootstrapServers }} +{{- end }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.clientId={{ .Values.kafkaAuditRequest.clientId }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.topic={{ .Values.kafkaAuditRequest.topic }} +{{- if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} +# SCRAM +blueprintsprocessor.messageproducer.self-service-api.audit.request.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.scramPassword=${JAAS_PASS} +{{ end }} + +## Audit response +blueprintsprocessor.messageproducer.self-service-api.audit.response.type={{ .Values.kafkaAuditResponse.type }} +{{- if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +{{- else -}} +blueprintsprocessor.messageproducer.self-service-api.audit.response.bootstrapServers={{ .Values.kafkaAuditRequest.bootstrapServers }} +{{- end }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.clientId={{ .Values.kafkaAuditResponse.clientId }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.topic={{ .Values.kafkaAuditResponse.topic }} +{{- if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} +# SCRAM +blueprintsprocessor.messageproducer.self-service-api.audit.response.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.scramPassword=${JAAS_PASS} +{{ end }} # Executor Options blueprintsprocessor.resourceResolution.enabled=true @@ -132,10 +183,10 @@ blueprintsprocessor.remoteScriptCommand.enabled=true ## Enable py-executor blueprintsprocessor.streamingRemoteExecution.enabled=true -# Used in Health Check -blueprintsprocessor.messageproducer.self-service-api.type=kafka-basic-auth -blueprintsprocessor.messageproducer.self-service-api.clientId=cds-client -blueprintsprocessor.messageproducer.self-service-api.topic=cds-producer +## Used in Health Check +#blueprintsprocessor.messageproducer.self-service-api.type=kafka-basic-auth +#blueprintsprocessor.messageproducer.self-service-api.clientId=cds-client +#blueprintsprocessor.messageproducer.self-service-api.topic=cds-producer #Encrypted username and password for health check service diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml new file mode 100644 index 0000000000..555f4d4e60 --- /dev/null +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml @@ -0,0 +1,68 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if eq .Values.useStrimziKafka true }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.kafkaRequestConsumer.topic }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + partitions: 10 + replicas: 2 + config: + retention.ms: 7200000 + segment.bytes: 1073741824 +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.kafkaRequestProducer.topic }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + partitions: 10 + replicas: 2 + config: + retention.ms: 7200000 + segment.bytes: 1073741824 +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.kafkaAuditRequest.topic }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + partitions: 10 + replicas: 2 + config: + retention.ms: 7200000 + segment.bytes: 1073741824 +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.kafkaAuditResponse.topic }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + partitions: 10 + replicas: 2 + config: + retention.ms: 7200000 + segment.bytes: 1073741824 +{{ end }}
\ No newline at end of file diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml new file mode 100644 index 0000000000..65ee1d2a96 --- /dev/null +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml @@ -0,0 +1,49 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if eq .Values.useStrimziKafka true }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + authentication: + type: scram-sha-512 + authorization: + type: simple + acls: + - resource: + type: group + name: {{ .Values.kafkaRequestConsumer.groupId }} + operation: All + - resource: + type: topic + name: {{ .Values.kafkaRequestConsumer.topic }} + operation: All + - resource: + type: topic + name: {{ .Values.kafkaRequestProducer.topic }} + operation: All + - resource: + type: topic + name: {{ .Values.kafkaAuditRequest.topic }} + operation: All + - resource: + type: topic + name: {{ .Values.kafkaAuditResponse.topic }} + operation: All +{{ end }}
\ No newline at end of file diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml index d92f09a4c8..d68e900222 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright (c) 2019 IBM, Bell Canada # Copyright (c) 2020 Samsung Electronics +# Modification Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -78,10 +79,6 @@ spec: args: - --container-name - cds-db - {{- if .Values.dmaapEnabled }} - - --container-name - - message-router - {{ end }} env: - name: NAMESPACE valueFrom: @@ -121,6 +118,10 @@ spec: fieldPath: metadata.name - name: CLUSTER_CONFIG_FILE value: {{ .Values.config.appConfigDir }}/hazelcast.yaml + {{ if .Values.useStrimziKafka }} + - name: JAAS_PASS + value: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cds-kafka-secret" "key" "password") | indent 12 }} + {{ end }} ports: - containerPort: {{ .Values.service.http.internalPort }} - containerPort: {{ .Values.service.grpc.internalPort }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/values.yaml b/kubernetes/cds/components/cds-blueprints-processor/values.yaml index a5180c53c6..af9482b663 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/values.yaml @@ -1,5 +1,6 @@ # Copyright (c) 2019 IBM, Bell Canada # Copyright (c) 2020 Samsung Electronics +# Modification Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -57,6 +58,13 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.sdncDB.dbRootPassExternalSecret) . }}' password: '{{ .Values.config.sdncDB.dbRootPass }}' passwordPolicy: required + - uid: cds-kafka-secret + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: password + value: '{{ .Values.config.someConfig }}' + policy: generate ################################################################# # AAF part @@ -111,6 +119,7 @@ config: # dbCredsExternalSecret: <some secret name> # dbRootPassword: password # dbRootPassExternalSecret + someConfig: blah # default number of instances replicaCount: 1 @@ -119,10 +128,40 @@ nodeSelector: {} affinity: {} -# flag for kafka-listener dependency. Set to true if you are using message-router otherwise set to false if you are using -# custom kafka cluster. -dmaapEnabled: true +# If useStrimziKafka is true, the following also applies: +# strimzi will create an associated kafka user and the topics defined for Request and Audit elements below. +# The connection type must be kafka-scram-plain-text-auth +# The bootstrapServers will target the strimzi kafka cluster by default +useStrimziKafka: false +cdsKafkaUser: cds-kafka-user +kafkaRequestConsumer: + enabled: false + type: kafka-scram-plain-text-auth + bootstrapServers: host:port + groupId: cds-consumer + topic: cds.blueprint-processor.self-service-api.request + clientId: request-receiver-client-id + pollMillSec: 1000 +kafkaRequestProducer: + type: kafka-scram-plain-text-auth + bootstrapServers: host:port + clientId: request-producer-client-id + topic: cds.blueprint-processor.self-service-api.response + enableIdempotence: false +kafkaAuditRequest: + enabled: false + type: kafka-scram-plain-text-auth + bootstrapServers: host:port + clientId: audit-request-producer-client-id + topic: cds.blueprint-processor.self-service-api.audit.request + enableIdempotence: false +kafkaAuditResponse: + type: kafka-scram-plain-text-auth + bootstrapServers: host:port + clientId: audit-response-producer-client-id + topic: cds.blueprint-processor.self-service-api.audit.response + enableIdempotence: false # probe configuration parameters startup: diff --git a/kubernetes/cds/values.yaml b/kubernetes/cds/values.yaml index edac066f6f..58e6b65c6f 100644 --- a/kubernetes/cds/values.yaml +++ b/kubernetes/cds/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2020 Samsung Electronics # Copyright © 2019 Orange, Bell Canada # Copyright © 2017 Amdocs, Bell Canada +# Modification Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,6 +23,7 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs + cdsKafkaUser: cds-kafka-user ################################################################# # Secrets metaconfig @@ -212,6 +214,7 @@ cds-blueprints-processor: dbPort: 3306 dbName: *mysqlDbName dbCredsExternalSecret: *dbUserSecretName + jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.kafkaUser }}' cds-command-executor: enabled: true diff --git a/kubernetes/contrib/components/awx/templates/service.yaml b/kubernetes/contrib/components/awx/templates/service.yaml index 10f031da82..85ec8c8428 100755 --- a/kubernetes/contrib/components/awx/templates/service.yaml +++ b/kubernetes/contrib/components/awx/templates/service.yaml @@ -49,7 +49,6 @@ spec: ports: - port: {{ .Values.service.web.externalPort }} targetPort: {{ .Values.service.web.internalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.web.nodePort }} name: {{ .Values.service.web.portName }} selector: app: {{ include "common.fullname" . }} diff --git a/kubernetes/contrib/components/awx/values.yaml b/kubernetes/contrib/components/awx/values.yaml index 0a247c5743..44c57414a4 100755 --- a/kubernetes/contrib/components/awx/values.yaml +++ b/kubernetes/contrib/components/awx/values.yaml @@ -92,11 +92,10 @@ service: internalPort: 15672 externalPort: 15672 web: - type: NodePort + type: ClusterIP portName: web internalPort: 8052 externalPort: 8052 - nodePort: 78 rabbitmq: type: ClusterIP http: diff --git a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml index e9958f1114..e295a37b45 100644 --- a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml +++ b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml @@ -1,7 +1,7 @@ {{/* # Copyright (C) 2021 Pantheon.tech # Modifications Copyright (C) 2020 Bell Canada. -# Modifications Copyright (C) 2021 Nordix Foundation. +# Modifications Copyright (C) 2021-2022 Nordix Foundation. # Modifications Copyright (C) 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -28,17 +28,21 @@ spring: password: ${DB_PASSWORD} driverClassName: org.postgresql.Driver initialization-mode: always - liquibase: change-log: classpath:changelog/changelog-master.yaml labels: {{ .Values.config.liquibaseLabels }} + kafka: + producer: + client-id: cps-core + security: - # comma-separated uri patterns which do not require authorization - permit-uri: /manage/**,/swagger-ui/**,/swagger-resources/**,/api-docs - auth: - username: ${CPS_USERNAME} - password: ${CPS_PASSWORD} + # comma-separated uri patterns which do not require authorization + permit-uri: /manage/**,/swagger-ui/**,/swagger-resources/**,/api-docs + auth: + username: ${CPS_USERNAME} + password: ${CPS_PASSWORD} + logging: level: org: @@ -49,12 +53,18 @@ dmi: username: ${DMI_USERNAME} password: ${DMI_PASSWORD} -{{- if .Values.config.eventPublisher }} +{{- if .Values.config.useStrimziKafka }} +spring.kafka.bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 +spring.kafka.security.protocol: SASL_PLAINTEXT +spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512 +spring.kafka.properties.sasl.jaas.config: ${JAASLOGIN} +{{ else }} {{ toYaml .Values.config.eventPublisher | nindent 2 }} {{- end }} {{- if .Values.config.additional }} {{ toYaml .Values.config.additional | nindent 2 }} {{- end }} + # Last empty line is required otherwise the last property will be missing from application.yml file in the pod. diff --git a/kubernetes/cps/components/cps-core/templates/deployment.yaml b/kubernetes/cps/components/cps-core/templates/deployment.yaml index e6ee161feb..54e2cc6cdf 100644 --- a/kubernetes/cps/components/cps-core/templates/deployment.yaml +++ b/kubernetes/cps/components/cps-core/templates/deployment.yaml @@ -1,7 +1,7 @@ {{/* # Copyright (C) 2021 Pantheon.tech, Orange # Modifications Copyright (C) 2021 Bell Canada. -# Modifications Copyright (C) 2021 Nordix Foundation. +# Modifications Copyright (C) 2021-2022 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -57,7 +57,10 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "login") | indent 12 }} - name: DMI_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "password") | indent 12 }} - + {{- if .Values.config.useStrimziKafka }} + - name: JAASLOGIN + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-kafka-user" "key" "sasl.jaas.config") | indent 12 }} + {{- end }} volumeMounts: - mountPath: /config-input name: init-data-input diff --git a/kubernetes/cps/components/cps-core/values.yaml b/kubernetes/cps/components/cps-core/values.yaml index d65924e90f..2afc1fd6f4 100644 --- a/kubernetes/cps/components/cps-core/values.yaml +++ b/kubernetes/cps/components/cps-core/values.yaml @@ -1,5 +1,6 @@ # Copyright (C) 2021 Pantheon.tech, Orange, Bell Canada. # Modifications Copyright (C) 2022 Bell Canada +# Modifications Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -42,6 +43,13 @@ secrets: login: '{{ .Values.config.dmiPluginUserName }}' password: '{{ .Values.config.dmiPluginUserPassword }}' passwordPolicy: generate + - uid: cps-kafka-user + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate ################################################################# # Global configuration defaults. @@ -170,17 +178,23 @@ config: #appUserPassword: dmiPluginUserName: dmiuser # Any new property can be added in the env by setting in overrides in the format mentioned below -# All the added properties must be in "key: value" format insead of yaml. +# All the added properties must be in "key: value" format instead of yaml. # additional: # spring.config.max-size: 200 # spring.config.min-size: 10 - eventPublisher: - spring.kafka.bootstrap-servers: message-router-kafka:9092 - spring.kafka.security.protocol: SASL_PLAINTEXT - spring.kafka.properties.sasl.mechanism: PLAIN - spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username=admin password=admin_secret; - spring.kafka.producer.client-id: cps-core +# kafka config + useStrimziKafka: true + kafkaBootstrap: strimzi-kafka-bootstrap +# If targeting a custom kafka cluster, ie useStrimziKakfa: false +# uncomment below config and target your kafka bootstrap servers, +# along with any other security config. + +# eventPublisher: +# spring.kafka.bootstrap-servers: <kafka-bootstrap>:9092 +# spring.kafka.security.protocol: SASL_PLAINTEXT +# spring.kafka.properties.sasl.mechanism: PLAIN +# spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username=admin password=admin_secret; additional: notification.data-updated.enabled: true diff --git a/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml b/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml index 32ae51b51a..6e80843949 100644 --- a/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml +++ b/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (c) 2021 Bell Canada. +# Modifications Copyright © 2022 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -24,19 +25,31 @@ spring: username: ${DB_USERNAME} password: ${DB_PASSWORD} -security: - auth: - username: ${APP_USERNAME} - password: ${APP_PASSWORD} + kafka: + consumer: + group-id: {{ .Values.config.kafka.consumer.groupId }} + +app: + listener: + data-updated: + topic: {{ .Values.config.app.listener.dataUpdatedTopic }} -# Event consumption properties (kafka) -{{- if .Values.config.eventConsumption }} -{{ toYaml .Values.config.eventConsumption | nindent 2 }} +{{- if .Values.config.useStrimziKafka }} +spring.kafka.bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 +spring.kafka.security.protocol: SASL_PLAINTEXT +spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512 +spring.kafka.properties.sasl.jaas.config: ${JAASLOGIN} +{{ else }} +{{ toYaml .Values.config.eventPublisher | nindent 2 }} {{- end }} -# Additional properties {{- if .Values.config.additional }} {{ toYaml .Values.config.additional | nindent 2 }} {{- end }} +security: + auth: + username: ${APP_USERNAME} + password: ${APP_PASSWORD} + # Last empty line is required otherwise the last property will be missing from application.yml file in the pod. diff --git a/kubernetes/cps/components/cps-temporal/templates/deployment.yaml b/kubernetes/cps/components/cps-temporal/templates/deployment.yaml index 806e65a865..71ff37193b 100644 --- a/kubernetes/cps/components/cps-temporal/templates/deployment.yaml +++ b/kubernetes/cps/components/cps-temporal/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (c) 2021 Bell Canada. +# Modifications Copyright © 2022 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -53,6 +54,10 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "login") | indent 12 }} - name: APP_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "password") | indent 12 }} + {{- if .Values.config.useStrimziKafka }} + - name: JAASLOGIN + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-kafka-user" "key" "sasl.jaas.config") | indent 12 }} + {{- end }} volumeMounts: - mountPath: /config-input name: init-data-input diff --git a/kubernetes/cps/components/cps-temporal/values.yaml b/kubernetes/cps/components/cps-temporal/values.yaml index 68bc2a7e8a..a92791e019 100644 --- a/kubernetes/cps/components/cps-temporal/values.yaml +++ b/kubernetes/cps/components/cps-temporal/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (c) 2021 Bell Canada. +# Modifications Copyright © 2022 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -39,6 +40,13 @@ secrets: login: '{{ .Values.config.appUserName }}' password: '{{ .Values.config.appUserPassword }}' passwordPolicy: generate + - uid: cps-kafka-user + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate image: onap/cps-temporal:1.1.0 containerPort: &svc_port 8080 @@ -139,13 +147,23 @@ config: profile: helm #appUserPassword: - # Event consumption (kafka) properties - # All Kafka properties must be in "key: value" format instead of yaml. - eventConsumption: - spring.kafka.bootstrap-servers: message-router-kafka:9092 - spring.kafka.security.protocol: PLAINTEXT - spring.kafka.consumer.group-id: cps-temporal-group - app.listener.data-updated.topic: cps.data-updated-events +# Event consumption (kafka) properties + useStrimziKafka: true + kafkaBootstrap: strimzi-kafka-bootstrap + kafka: + consumer: + groupId: cps-temporal-group + app: + listener: + dataUpdatedTopic: cps.data-updated-events +# If targeting a custom kafka cluster, ie useStrimziKakfa: false +# uncomment below config and target your kafka bootstrap servers, +# along with any other security config. + +# eventConsumption: +# spring.kafka.bootstrap-servers: <kafka-bootstrap>:9092 +# spring.kafka.security.protocol: PLAINTEXT +# spring.kafka.consumer.group-id: cps-temporal-group # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. diff --git a/kubernetes/cps/templates/cps-kafka-topic.yaml b/kubernetes/cps/templates/cps-kafka-topic.yaml new file mode 100644 index 0000000000..1a23ddfc9b --- /dev/null +++ b/kubernetes/cps/templates/cps-kafka-topic.yaml @@ -0,0 +1,28 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.config.useStrimziKafka }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.config.dataUpdatedTopic.name }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + partitions: {{ .Values.config.dataUpdatedTopic.partitions }} + config: + retention.ms: {{ .Values.config.dataUpdatedTopic.retentionMs }} + segment.bytes: {{ .Values.config.dataUpdatedTopic.segmentBytes }} +{{- end }}
\ No newline at end of file diff --git a/kubernetes/cps/templates/cps-kafka-user.yaml b/kubernetes/cps/templates/cps-kafka-user.yaml new file mode 100644 index 0000000000..b3136d7f04 --- /dev/null +++ b/kubernetes/cps/templates/cps-kafka-user.yaml @@ -0,0 +1,41 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.config.useStrimziKafka }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ include "common.release" . }}-{{ .Values.global.cpsKafkaUser }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + authentication: + type: scram-sha-512 + authorization: + type: simple + acls: + - resource: + type: group + name: {{ .Values.config.dataUpdatedTopic.consumer.groupId }} + operation: Read + - resource: + type: topic + name: {{ .Values.config.dataUpdatedTopic.name }} + operation: Read + - resource: + type: topic + name: {{ .Values.config.dataUpdatedTopic.name }} + operation: Write +{{- end }}
\ No newline at end of file diff --git a/kubernetes/cps/values.yaml b/kubernetes/cps/values.yaml index 754b016fe8..700ad38844 100755 --- a/kubernetes/cps/values.yaml +++ b/kubernetes/cps/values.yaml @@ -1,4 +1,5 @@ # Copyright (C) 2021 Bell Canada +# Modifications Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -40,9 +41,20 @@ global: virtualhost: baseurl: "simpledemo.onap.org" + kafkaBootstrap: strimzi-kafka-bootstrap + cpsKafkaUser: cps-kafka-user + config: coreUserName: cpsuser dmiPluginUserName: dmiuser + useStrimziKafka: true + dataUpdatedTopic: + name: cps.data-updated-events + partitions: 10 + retentionMs: 7200000 + segmentBytes: 1073741824 + consumer: + groupId: cps-temporal-group # Enable all CPS components by default cps-core: @@ -50,9 +62,12 @@ cps-core: config: appUserExternalSecret: *core-creds-secret dmiPluginUserExternalSecret: *dmi-plugin-creds-secret + jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.cpsKafkaUser }}' cps-temporal: enabled: true + config: + jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.cpsKafkaUser }}' ncmp-dmi-plugin: enabled: true diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml index 869472e2d8..ef272eef23 100644 --- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml @@ -2,6 +2,7 @@ # ============================================================================ # Copyright (C) 2021-2022 Wipro Limited. # Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (C) 2022 Huawei Canada Limited. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -57,7 +58,7 @@ tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.0.7 +image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.1.1 # Log directory where logging sidecar should look for log files # if path is set to null sidecar won't be deployed in spite of @@ -144,6 +145,17 @@ applicationConfig: sliceanalysisms.rannfnssiDetailsTemplateId: get-rannfnssiid-details sliceanalysisms.desUrl: http://dl-des:1681/datalake/v1/exposure/pm_data sliceanalysisms.pmDataDurationInWeeks: 4 + sliceanalysisms.vesNotifPollingInterval: 15 + sliceanalysisms.vesNotifChangeIdentifier: PM_BW_UPDATE + sliceanalysisms.vesNotifChangeType: BandwidthChanged + sliceanalysisms.aaiNotif.targetAction: UPDATE + sliceanalysisms.aaiNotif.targetSource: UUI + sliceanalysisms.aaiNotif.targetEntity: service-instance + sliceanalysisms.ccvpnEvalInterval: 15 + sliceanalysisms.ccvpnEvalThreshold: 0.8 + sliceanalysisms.ccvpnEvalPrecision: 100.0 + sliceanalysisms.ccvpnEvalPeriodicCheckOn: true + sliceanalysisms.ccvpnEvalOnDemandCheckOn: true streams_publishes: CL_topic: type: message-router @@ -162,6 +174,19 @@ applicationConfig: type: message-router dmaap_info: topic_url: http://message-router:3904/events/DCAE_CL_RSP + ves_ccvpn_notification_topic: + type: message-router + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT + aai_subscriber: + type: message-router + servers : ["message-router:3904"] + consumer_group: dcae_ccvpn_cl + consumer_instance: dcae_ccvpn_cl_aaievent + fetch_timeout: 15000 + fetch_limit: 100 + dmaap_info: + topic_url: http://message-router:3904/events/AAI-EVENT applicationEnv: STANDALONE: 'false' diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml b/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml index 7475a4d2bf..9e62ccf2f7 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml @@ -31,7 +31,7 @@ server: logging: # The default level of all loggers. Can be OFF, ERROR, WARN, INFO, DEBUG, TRACE, or ALL. - level: ALL + level: INFO # Logger-specific levels. loggers: @@ -41,7 +41,7 @@ logging: appenders: - type: console - threshold: ALL + threshold: INFO timeZone: UTC logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" - type: file @@ -51,7 +51,7 @@ logging: archivedLogFilenamePattern: /var/log/ONAP/holmes/zip/engine-d-error-%d{yyyy-MM-dd}.log.gz archivedFileCount: 7 - type: file - threshold: DEBUG + threshold: INFO logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" currentLogFilename: /var/log/ONAP/holmes/engine-d-debug.log archivedLogFilenamePattern: /var/log/ONAP/holmes/zip/engine-d-debug-%d{yyyy-MM-dd}.log.gz diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml index c8ec225545..5781dabb85 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml @@ -28,7 +28,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/holmes/engine-management:10.0.2 +image: onap/holmes/engine-management:10.0.3 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 ################################################################# diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml b/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml index 43a83d09b0..89269dede8 100644 --- a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml +++ b/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml @@ -24,7 +24,7 @@ server: logging: # The default level of all loggers. Can be OFF, ERROR, WARN, INFO, DEBUG, TRACE, or ALL. - level: ALL + level: INFO # Logger-specific levels. loggers: @@ -34,7 +34,7 @@ logging: appenders: - type: console - threshold: ALL + threshold: INFO timeZone: UTC logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" - type: file @@ -45,7 +45,7 @@ logging: archivedLogFilenamePattern: /var/log/ONAP/holmes/zip/rulemgt-relation-error-%d{yyyy-MM-dd}.log.gz archivedFileCount: 7 - type: file - threshold: DEBUG + threshold: INFO logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" currentLogFilename: /var/log/ONAP/holmes/rulemgt-relation-debug.log archivedLogFilenamePattern: /var/log/ONAP/holmes/zip/rulemgt-relation-debug-%d{yyyy-MM-dd}.log.gz diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml index 94076194e0..fbe873b184 100644 --- a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml +++ b/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml @@ -28,7 +28,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/holmes/rule-management:10.0.2 +image: onap/holmes/rule-management:10.0.3 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 ################################################################# diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml index 72c5ddc9c2..228302fed4 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml @@ -16,7 +16,7 @@ global: # global defaults nodePortPrefix: 302 image: - optf_has: onap/optf-has:2.2.1 + optf_has: onap/optf-has:2.3.0 ################################################################# # secrets metaconfig diff --git a/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml index 0157c569a0..a8c5dd216a 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml @@ -14,7 +14,7 @@ global: image: - optf_has: onap/optf-has:2.2.1 + optf_has: onap/optf-has:2.3.0 ################################################################# # Secrets metaconfig diff --git a/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml index 5623cde904..0aaf4286cd 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml @@ -14,7 +14,7 @@ global: image: - optf_has: onap/optf-has:2.2.1 + optf_has: onap/optf-has:2.3.0 ################################################################# # secrets metaconfig diff --git a/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml index fa8bdd97ed..fd88273dce 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml @@ -14,7 +14,7 @@ global: image: - optf_has: onap/optf-has:2.2.1 + optf_has: onap/optf-has:2.3.0 ################################################################# # secrets metaconfig diff --git a/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml index e7ceddd9a4..36c1945835 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml @@ -14,7 +14,7 @@ global: image: - optf_has: onap/optf-has:2.2.1 + optf_has: onap/optf-has:2.3.0 ################################################################# # secrets metaconfig diff --git a/kubernetes/oof/components/oof-has/resources/config/conductor.conf b/kubernetes/oof/components/oof-has/resources/config/conductor.conf index 7d724a593d..22a20fe64e 100755 --- a/kubernetes/oof/components/oof-has/resources/config/conductor.conf +++ b/kubernetes/oof/components/oof-has/resources/config/conductor.conf @@ -753,3 +753,47 @@ certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer #password = get_ta_list_url = "/api/v1/execute/ran-coverage-area/get_ta_list" + +[dcae] + +# +# From conductor +# +# +# Data Store table prefix. (string value) +#table_prefix = dcae + +# Base URL for DCAE, up to and not including the version, and without a +# trailing slash. (string value) +server_url = https://{{.Values.config.dcae.service}}.{{ include "common.namespace" . }}:{{.Values.config.dcae.port}} + +# Timeout for DCAE Rest Call (string value) +#dcae_rest_timeout = 30 + +# Number of retry for DCAE Rest Call (string value) +#dcae_retries = 3 + +# The version of A&AI in v# format. (string value) +server_url_version = v1 + +# SSL/TLS certificate file in pem format. This certificate must be registered +# with the SDC endpoint. (string value) +#certificate_file = certificate.pem +certificate_file = + +# Private Certificate Key file in pem format. (string value) +#certificate_key_file = certificate_key.pem +certificate_key_file = + +# Certificate Authority Bundle file in pem format. Must contain the appropriate +# trust chain for the Certificate file. (string value) +#certificate_authority_bundle_file = certificate_authority_bundle.pem +certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer + +# Username for DCAE. (string value) +#username = + +# Password for DCAE. (string value) +#password = + +get_slice_config_url = "/api/v1/slices-config"
\ No newline at end of file diff --git a/kubernetes/oof/components/oof-has/values.yaml b/kubernetes/oof/components/oof-has/values.yaml index bc129beb3e..8a146a90b8 100755 --- a/kubernetes/oof/components/oof-has/values.yaml +++ b/kubernetes/oof/components/oof-has/values.yaml @@ -19,7 +19,7 @@ global: commonConfigPrefix: onap-oof-has image: - optf_has: onap/optf-has:2.2.1 + optf_has: onap/optf-has:2.3.0 persistence: enabled: true @@ -71,6 +71,9 @@ config: cps: service: cps-tbdmt port: 8080 + dcae: + service: dcae-slice-analysis-ms + port: 8080 etcd: serviceName: &etcd-service oof-has-etcd port: 2379 diff --git a/kubernetes/policy/components/policy-gui/resources/config/default.conf b/kubernetes/policy/components/policy-gui/resources/config/default.conf deleted file mode 100644 index 98417cd822..0000000000 --- a/kubernetes/policy/components/policy-gui/resources/config/default.conf +++ /dev/null @@ -1,32 +0,0 @@ -server { - - listen 2443 default ssl; - ssl_protocols TLSv1.2; - {{ if .Values.global.aafEnabled }} - ssl_certificate {{.Values.certInitializer.credsPath}}/{{.Values.certInitializer.clamp_pem}}; - ssl_certificate_key {{.Values.certInitializer.credsPath}}/{{.Values.certInitializer.clamp_key}}; - {{ else }} - ssl_certificate /etc/ssl/clamp.pem; - ssl_certificate_key /etc/ssl/clamp.key; - {{ end }} - - ssl_verify_client optional_no_ca; - absolute_redirect off; - - location / { - root /usr/share/nginx/html; - index index.html index.htm; - try_files $uri $uri/ =404; - } - - location /clamp/restservices/clds/ { - proxy_pass https://policy-clamp-be:8443/restservices/clds/; - proxy_set_header X-SSL-Cert $ssl_client_escaped_cert; - } - - location = /50x.html { - root /var/lib/nginx/html; - } - error_page 500 502 503 504 /50x.html; - error_log /var/log/nginx/error.log warn; -} diff --git a/kubernetes/policy/components/policy-gui/templates/deployment.yaml b/kubernetes/policy/components/policy-gui/templates/deployment.yaml index b67fa273de..a155715580 100644 --- a/kubernetes/policy/components/policy-gui/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-gui/templates/deployment.yaml @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. +# Copyright (C) 2021-2022 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -62,6 +62,20 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} +{{- if .Values.global.aafEnabled }} + command: ["sh","-c"] + args: ["source {{ .Values.certInitializer.credsPath }}/.ci;/opt/app/policy/gui/bin/policy-gui.sh"] + env: +{{- else }} + command: ["/opt/app/policy/gui/bin/policy-gui.sh"] + env: + - name: KEYSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} + - name: TRUSTSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} +{{- end }} + - name: CLAMP_URL + value: https://policy-clamp-be:8443 ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger @@ -81,9 +95,6 @@ spec: volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - name: logs mountPath: {{ .Values.log.path }} - - mountPath: /etc/nginx/conf.d/default.conf - name: {{ include "common.fullname" . }}-config - subPath: default.conf resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -99,9 +110,6 @@ spec: - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }} - items: - - key: default.conf - path: default.conf - name: logs emptyDir: {} {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} diff --git a/kubernetes/policy/components/policy-gui/values.yaml b/kubernetes/policy/components/policy-gui/values.yaml index 6ee7715678..aa2b9d3122 100644 --- a/kubernetes/policy/components/policy-gui/values.yaml +++ b/kubernetes/policy/components/policy-gui/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. +# Copyright (C) 2021-2022 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,36 +26,46 @@ global: # global defaults aafEnabled: true ################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: keystore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.keyStorePassword }}' + passwordPolicy: required + - uid: truststore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.trustStorePassword }}' + passwordPolicy: required + +certStores: + keyStorePassword: Pol1cy_0nap + trustStorePassword: Pol1cy_0nap + +################################################################# # AAF part ################################################################# certInitializer: - permission_user: 1000 - permission_group: 999 - addconfig: true - keystoreFile: "org.onap.clamp.p12" - truststoreFile: "org.onap.clamp.trust.jks" - keyFile: "org.onap.clamp.keyfile" - truststoreFileONAP: "truststoreONAPall.jks" - clamp_key: "clamp.key" - clamp_pem: "clamp.pem" - clamp_ca_certs_pem: "clamp-ca-certs.pem" nameOverride: policy-gui-cert-initializer aafDeployFqi: deployer@people.osaaf.org aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: clamp - fqi: clamp@clamp.onap.org - public_fqdn: clamp.onap.org - cadi_longitude: "0.0" + fqdn: policy + fqi: policy@policy.onap.org + public_fqdn: policy.onap.org cadi_latitude: "0.0" - app_ns: org.osaaf.aaf + cadi_longitude: "0.0" credsPath: /opt/app/osaaf/local + app_ns: org.osaaf.aaf + uid: 100 + gid: 101 aaf_add_config: > - cd {{ .Values.credsPath }}; - openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }}; - openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }}; - openssl pkcs12 -in {{ .Values.keystoreFile }} -cacerts -nokeys -chain -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_ca_certs_pem }}; - chmod a+rx *; + echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; + echo "export TRUSTSTORE='{{ .Values.credsPath }}/org.onap.policy.trust.jks'" >> {{ .Values.credsPath }}/.ci; + echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; + echo "export TRUSTSTORE_PASSWD='${cadi_truststore_password}'" >> {{ .Values.credsPath }}/.ci; + chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); subChartsOnly: enabled: true @@ -63,7 +73,7 @@ subChartsOnly: flavor: small # application image -image: onap/policy-gui:2.2.0 +image: onap/policy-gui:2.2.2 pullPolicy: Always # flag to enable debugging - application support required @@ -71,7 +81,7 @@ debugEnabled: false # log configuration log: - path: /var/log/nginx/ + path: /var/log/onap/policy/gui ################################################################# # Application configuration defaults. diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh index d76e002170..63d266b75c 100644 --- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh +++ b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh @@ -1,7 +1,6 @@ #!/bin/bash set -eo pipefail -shopt -s nullglob # logging functions mysql_log() { diff --git a/kubernetes/sdc/components/sdc-fe/templates/service.yaml b/kubernetes/sdc/components/sdc-fe/templates/service.yaml index f899d58971..968a09c77e 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/service.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/service.yaml @@ -42,9 +42,6 @@ spec: - port: {{ .Values.service.internalPort }} name: {{ .Values.service.portName }} targetPort: {{ .Values.service.internalPort }} - {{ if eq .Values.service.type "NodePort" -}} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{ end }} {{ if (include "common.needTLS" .) }} - port: {{ .Values.service.internalPort2 }} targetPort: {{ .Values.service.internalPort2 }} diff --git a/kubernetes/sdc/components/sdc-fe/values.yaml b/kubernetes/sdc/components/sdc-fe/values.yaml index a2502a9fca..6267da90f3 100644 --- a/kubernetes/sdc/components/sdc-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-fe/values.yaml @@ -112,7 +112,6 @@ service: type: NodePort name: sdc-fe portName: http - nodePort: "06" internalPort: 8181 externalPort: 8181 nodePort2: "07" diff --git a/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml b/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml new file mode 100644 index 0000000000..2653c6799c --- /dev/null +++ b/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml @@ -0,0 +1,31 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ .Values.kafkaStrimziAdminUser }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + authentication: + type: {{ .Values.saslMechanism }} + authorization: + type: simple + acls: + - resource: + type: group + name: onap-group + operation: Read
\ No newline at end of file diff --git a/kubernetes/strimzi/templates/strimzi-kafka.yaml b/kubernetes/strimzi/templates/strimzi-kafka.yaml index a94879b8a0..5f1e7303d9 100644 --- a/kubernetes/strimzi/templates/strimzi-kafka.yaml +++ b/kubernetes/strimzi/templates/strimzi-kafka.yaml @@ -57,16 +57,18 @@ spec: authorization: type: simple superUsers: - - {{ include "common.release" . }}-{{ .Values.kafkaStrimziAdminUser }} + - {{ .Values.kafkaStrimziAdminUser }} template: pod: securityContext: runAsUser: 0 fsGroup: 0 config: + default.replication.factor: {{ .Values.replicaCount }} + min.insync.replicas: {{ .Values.replicaCount }} offsets.topic.replication.factor: {{ .Values.replicaCount }} transaction.state.log.replication.factor: {{ .Values.replicaCount }} - transaction.state.log.min.isr: 2 + transaction.state.log.min.isr: {{ .Values.replicaCount }} log.message.format.version: "3.0" inter.broker.protocol.version: "3.0" storage: |