diff options
30 files changed, 267 insertions, 43 deletions
diff --git a/docs/oom_hardcoded_certificates.rst b/docs/oom_hardcoded_certificates.rst index d5f8672dc3..5aeee2e07f 100644 --- a/docs/oom_hardcoded_certificates.rst +++ b/docs/oom_hardcoded_certificates.rst @@ -48,6 +48,8 @@ Here's the list of these certificates: +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ | SO/VNFM | Yes | No? | Yes | kubernetes/so/resources/config/certificates | +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ + | SO/VNFM | No | Yes? | Yes | kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks | + +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ | VID | No | Yes | No | kubernetes/vid/resources/cert | +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ | OOF/OOF-CMSO | Yes | No | No | kubernetes/oof/charts/oof-cmso/resources/certs | diff --git a/kubernetes/aai b/kubernetes/aai -Subproject ab137ca81f5d4f9eb3d442f37f8e7ea52d7757f +Subproject eb70b3f12b30d4d7ea010723707db8c3e2ef235 diff --git a/kubernetes/appc/charts/appc-cdt/values.yaml b/kubernetes/appc/charts/appc-cdt/values.yaml index 377041a615..118d19c1b3 100644 --- a/kubernetes/appc/charts/appc-cdt/values.yaml +++ b/kubernetes/appc/charts/appc-cdt/values.yaml @@ -26,7 +26,7 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/appc-cdt-image:1.7.0 +image: onap/appc-cdt-image:1.7.1 pullPolicy: Always # application configuration diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml index 8e8c4219ac..fb8230b128 100644 --- a/kubernetes/appc/values.yaml +++ b/kubernetes/appc/values.yaml @@ -56,7 +56,7 @@ secrets: flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/appc-image:1.7.0 +image: onap/appc-image:1.7.1 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties b/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties index d36f0bce85..eee61e7e90 100755 --- a/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties +++ b/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties @@ -72,7 +72,7 @@ error.catalog.errorDefinitionFileDirectory=/opt/app/onap/config # SDN-C's ODL Restconf Connection Details blueprintsprocessor.restconfEnabled=true blueprintsprocessor.restclient.sdncodl.type=basic-auth -blueprintsprocessor.restclient.sdncodl.url=http://sdnc:8282/ +blueprintsprocessor.restclient.sdncodl.url=http://{{ .Values.global.sdncOamService }}:{{ .Values.global.sdncOamPort }}/ blueprintsprocessor.restclient.sdncodl.username=admin blueprintsprocessor.restclient.sdncodl.password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U @@ -92,7 +92,7 @@ blueprintsprocessor.grpcclient.py-executor.trustCertCollection=/opt/app/onap/con blueprintsprocessor.grpcclient.py-executor.type=tls-auth # Config Data REST client settings blueprintsprocessor.restclient.sdnc.type=basic-auth -blueprintsprocessor.restclient.sdnc.url=http://sdnc:8282 +blueprintsprocessor.restclient.sdnc.url=http://{{ .Values.global.sdncOamService }}:{{ .Values.global.sdncOamPort }} blueprintsprocessor.restclient.sdnc.username=admin blueprintsprocessor.restclient.sdnc.password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U diff --git a/kubernetes/cds/charts/cds-blueprints-processor/values.yaml b/kubernetes/cds/charts/cds-blueprints-processor/values.yaml index 29047a7404..6cd3c2b554 100755 --- a/kubernetes/cds/charts/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/charts/cds-blueprints-processor/values.yaml @@ -37,6 +37,10 @@ global: # envsusbt envsubstImage: dibi/envsubst + #This configuration specifies Service and port for SDNC OAM interface + sdncOamService: sdnc-oam + sdncOamPort: 8282 + ################################################################# # Secrets metaconfig ################################################################# diff --git a/kubernetes/clamp/charts/clamp-backend/values.yaml b/kubernetes/clamp/charts/clamp-backend/values.yaml index ce86ec2104..18888547c3 100644 --- a/kubernetes/clamp/charts/clamp-backend/values.yaml +++ b/kubernetes/clamp/charts/clamp-backend/values.yaml @@ -27,7 +27,7 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/clamp-backend:5.0.2 +image: onap/clamp-backend:5.0.3 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/clamp/values.yaml b/kubernetes/clamp/values.yaml index cf6c572cc9..47eca67f91 100644 --- a/kubernetes/clamp/values.yaml +++ b/kubernetes/clamp/values.yaml @@ -30,7 +30,7 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/clamp-frontend:5.0.2 +image: onap/clamp-frontend:5.0.3 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/config/dmaap-plugin.json b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/config/dmaap-plugin.json index 41404b0199..c52a0a8606 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/config/dmaap-plugin.json +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/config/dmaap-plugin.json @@ -2,7 +2,6 @@ "dmaap": { "username": "notused", "password": "doesnotmatter", - "owner": "dcaecm", - "protocol": "http" - } + "owner": "dcaecm" + } }
\ No newline at end of file diff --git a/kubernetes/dcaegen2/components/dcae-policy-handler/resources/config/config.json b/kubernetes/dcaegen2/components/dcae-policy-handler/resources/config/config.json index b459a989d7..2e47c9e118 100644 --- a/kubernetes/dcaegen2/components/dcae-policy-handler/resources/config/config.json +++ b/kubernetes/dcaegen2/components/dcae-policy-handler/resources/config/config.json @@ -24,7 +24,7 @@ "timeout_in_secs": 60 }, "dmaap_mr" : { - "url" : "https://message-router:3904/events/unauthenticated.POLICY-NOTIFICATION/policy-handler/ph1", + "url" : "https://message-router:3905/events/POLICY-NOTIFICATION/policy-handler/ph1", "query": { "timeout": 15000 }, diff --git a/kubernetes/nbi/templates/configmap-aaf-add-config.yaml b/kubernetes/nbi/templates/configmap-aaf-add-config.yaml new file mode 100644 index 0000000000..fe099b140d --- /dev/null +++ b/kubernetes/nbi/templates/configmap-aaf-add-config.yaml @@ -0,0 +1,28 @@ +{{ if .Values.global.aafEnabled }} +{{/* +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies, Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.aafConfig.addconfig -}} +apiVersion: v1 +kind: ConfigMap +{{- $suffix := "aaf-add-config" }} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} +data: + aaf-add-config.sh: |- + /opt/app/aaf_config/bin/agent.sh;/opt/app/aaf_config/bin/agent.sh local showpass \ + {{.Values.aafConfig.fqi}} {{ .Values.aafConfig.fqdn }} > {{ .Values.aafConfig.credsPath }}/mycreds.prop +{{- end -}} +{{- end -}} diff --git a/kubernetes/nbi/templates/deployment.yaml b/kubernetes/nbi/templates/deployment.yaml index 528a3f7e76..3283239100 100644 --- a/kubernetes/nbi/templates/deployment.yaml +++ b/kubernetes/nbi/templates/deployment.yaml @@ -32,6 +32,9 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.fullname" . }} spec: +{{- if .Values.global.aafEnabled }} + initContainers: {{ include "common.aaf-config" . | nindent 6 }} +{{- end }} containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -40,16 +43,39 @@ spec: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container + {{- if .Values.global.aafEnabled }} + command: + - bash + args: + - -c + - | + export $(grep '^c' {{ .Values.aafConfig.credsPath }}/mycreds.prop | xargs -0) + export JAVA_OPTS="-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ + -Dserver.ssl.key-store={{ .Values.aafConfig.credsPath }}/org.onap.nbi.p12 \ + -Dserver.ssl.key-store-type=PKCS12 \ + -Djavax.net.ssl.trustStore={{ .Values.aafConfig.credsPath }}/org.onap.nbi.trust.jks \ + -Dserver.ssl.key-store-password=$cadi_keystore_password_p12 \ + -Djavax.net.ssl.trustStoreType=jks\ + -Djava.security.egd=file:/dev/./urandom -Dserver.port=8443" + {{- if eq "DEBUG" .Values.config.loglevel }} + export JAVA_DEBUG="-Djavax.net.debug=all" + {{- end }} + exec java -XX:+UseContainerSupport $JAVA_DEBUG $JAVA_OPTS -jar /opt/onap/app.jar + {{- end }} {{ if .Values.liveness.enabled }} livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} + httpGet: + port: {{ .Values.liveness.port }} + path: {{ .Values.liveness.path }} + scheme: HTTPS initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end }} readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} + httpGet: + port: {{ .Values.readiness.port }} + path: {{ .Values.readiness.path }} + scheme: HTTPS initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: @@ -72,7 +98,7 @@ spec: - name: ONAP_CLOUDOWNER value: {{ .Values.config.cloudOwner }} - name: NBI_URL - value: "http://nbi.{{ include "common.namespace" . }}:8080/nbi/api/v4" + value: "https://nbi.{{ include "common.namespace" . }}:8443/nbi/api/v4" - name: SDC_HOST value: "https://sdc-be.{{ include "common.namespace" . }}:8443" - name: SDC_HEADER_ECOMPINSTANCEID @@ -90,7 +116,7 @@ spec: value: {{ .Values.so_authorization }} {{- end }} - name: DMAAP_HOST - value: "https://message-router.{{ include "common.namespace" . }}:3905" + value: "http://message-router.{{ include "common.namespace" . }}:3904" - name: LOGGING_LEVEL_ORG_ONAP_NBI value: {{ .Values.config.loglevel }} - name: MSB_ENABLED @@ -99,7 +125,7 @@ spec: value: "msb-discovery.{{ include "common.namespace" . }}" - name: MSB_DISCOVERY_PORT value: "10081" - volumeMounts: + volumeMounts: {{ include "common.aaf-config-volume-mountpath" . | nindent 12 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -125,7 +151,7 @@ spec: # name: esr-server-logs # - mountPath: /usr/share/filebeat/data # name: esr-server-filebeat - volumes: + volumes: {{ include "common.aaf-config-volumes" . | nindent 8 }} - name: localtime hostPath: path: /etc/localtime diff --git a/kubernetes/nbi/values.yaml b/kubernetes/nbi/values.yaml index 4e22af6494..ceab7fad2a 100644 --- a/kubernetes/nbi/values.yaml +++ b/kubernetes/nbi/values.yaml @@ -28,6 +28,30 @@ global: service: mariadb-galera internalPort: 3306 nameOverride: mariadb-galera + aafAgentImage: onap/aaf/aaf_agent:2.1.15 + aafEnabled: true + busyBoxImage: busybox:1.30 + busyBoxRepository: docker.io + +################################################################# +# AAF part +################################################################# +aafConfig: + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: nbi + fqi: nbi@nbi.onap.org + public_fqdn: nbi.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + credsPath: /opt/app/osaaf/local + app_ns: org.osaaf.aaf + permission_user: 1000 + permission_group: 999 + addconfig: true + secret_uid: &aaf_secret_uid nbi-aaf-deploy-creds + ################################################################# # Secrets metaconfig @@ -39,13 +63,19 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' login: '{{ .Values.config.db.userName }}' password: '{{ .Values.config.db.userPassword }}' + - uid: *aaf_secret_uid + type: basicAuth + externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDisabled" .Values.global.aafEnabled }}' + login: '{{ .Values.aafConfig.aafDeployFqi }}' + password: '{{ .Values.aafConfig.aafDeployPass }}' + passwordPolicy: required subChartsOnly: enabled: true # application image repository: nexus3.onap.org:10001 -image: onap/externalapi/nbi:6.0.0 +image: onap/externalapi/nbi:6.0.1 pullPolicy: IfNotPresent sdc_authorization: Basic YWFpOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU= aai_authorization: Basic QUFJOkFBSQ== @@ -109,9 +139,8 @@ affinity: {} # probe configuration parameters liveness: - httpGet: - path: /nbi/api/v4/status - port: 8080 + path: /nbi/api/v4/status + port: 8443 initialDelaySeconds: 180 periodSeconds: 30 # necessary to disable liveness probe when setting breakpoints @@ -119,9 +148,8 @@ liveness: enabled: true readiness: - httpGet: - path: /nbi/api/v4/status - port: 8080 + path: /nbi/api/v4/status + port: 8443 initialDelaySeconds: 185 periodSeconds: 30 @@ -130,7 +158,7 @@ service: portName: api name: nbi nodePort: 74 - internalPort: 8080 + internalPort: 8443 ingress: enabled: false diff --git a/kubernetes/policy/charts/pap/resources/config/config.json b/kubernetes/policy/charts/pap/resources/config/config.json index e4517c7a5d..544ecdfc32 100644 --- a/kubernetes/policy/charts/pap/resources/config/config.json +++ b/kubernetes/policy/charts/pap/resources/config/config.json @@ -41,8 +41,8 @@ "implementation": "org.onap.policy.models.provider.impl.DatabasePolicyModelsProviderImpl", "databaseDriver": "org.mariadb.jdbc.Driver", "databaseUrl": "jdbc:mariadb://{{ .Values.global.mariadb.service.name }}:{{ .Values.global.mariadb.service.internalPort }}/{{ .Values.global.mariadb.config.mysqlDatabase }}", - "databaseUser": "{{ .Values.global.mariadb.config.userName }}", - "databasePassword": "{{ .Values.global.mariadb.config.userPassword | b64enc }}", + "databaseUser": "${SQL_USER}", + "databasePassword": "${SQL_PASSWORD_BASE64}", "persistenceUnit": "PolicyMariaDb" }, "topicParameterGroup": { diff --git a/kubernetes/policy/charts/pap/templates/deployment.yaml b/kubernetes/policy/charts/pap/templates/deployment.yaml index caef5218ef..85ca9c1486 100644 --- a/kubernetes/policy/charts/pap/templates/deployment.yaml +++ b/kubernetes/policy/charts/pap/templates/deployment.yaml @@ -31,6 +31,25 @@ spec: image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + + - command: + - sh + args: + - -c + - "export SQL_PASSWORD_BASE64=`echo -n ${SQL_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: papconfig + - mountPath: /config + name: papconfig-processed + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -58,7 +77,7 @@ spec: name: localtime readOnly: true - mountPath: /opt/app/policy/pap/etc/mounted - name: papconfig + name: papconfig-processed resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -77,5 +96,8 @@ spec: configMap: name: {{ include "common.fullname" . }}-configmap defaultMode: 0755 + - name: papconfig-processed + emptyDir: + medium: Memory imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/charts/pap/templates/secrets.yaml b/kubernetes/policy/charts/pap/templates/secrets.yaml new file mode 100644 index 0000000000..bd7eb8ea40 --- /dev/null +++ b/kubernetes/policy/charts/pap/templates/secrets.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/charts/pap/values.yaml b/kubernetes/policy/charts/pap/values.yaml index 05f43d66e0..7edb3ab871 100644 --- a/kubernetes/policy/charts/pap/values.yaml +++ b/kubernetes/policy/charts/pap/values.yaml @@ -22,6 +22,18 @@ ################################################################# global: persistence: {} + envsubstImage: dibi/envsubst + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . }}' + login: '{{ .Values.db.user }}' + password: '{{ .Values.db.password }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -36,6 +48,10 @@ debugEnabled: false # application configuration +db: + user: policy_user + password: policy_user + # default number of instances replicaCount: 1 diff --git a/kubernetes/policy/charts/policy-api/resources/config/config.json b/kubernetes/policy/charts/policy-api/resources/config/config.json index ccfc07ae67..2e46ccae96 100644 --- a/kubernetes/policy/charts/policy-api/resources/config/config.json +++ b/kubernetes/policy/charts/policy-api/resources/config/config.json @@ -30,8 +30,8 @@ "implementation": "org.onap.policy.models.provider.impl.DatabasePolicyModelsProviderImpl", "databaseDriver": "org.mariadb.jdbc.Driver", "databaseUrl": "jdbc:mariadb://{{ .Values.global.mariadb.service.name }}:{{ .Values.global.mariadb.service.internalPort }}/policyadmin", - "databaseUser": "{{ .Values.global.mariadb.config.userName }}", - "databasePassword": "{{ .Values.global.mariadb.config.userPassword | b64enc }}", + "databaseUser": "${SQL_USER}", + "databasePassword": "${SQL_PASSWORD_BASE64}", "persistenceUnit": "PolicyMariaDb" }, "preloadPolicyTypes": [ diff --git a/kubernetes/policy/charts/policy-api/templates/deployment.yaml b/kubernetes/policy/charts/policy-api/templates/deployment.yaml index 25e80d0ac3..777cc4954d 100644 --- a/kubernetes/policy/charts/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/charts/policy-api/templates/deployment.yaml @@ -31,6 +31,26 @@ spec: image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + + - command: + - sh + args: + - -c + - "export SQL_PASSWORD_BASE64=`echo -n ${SQL_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + volumeMounts: + - mountPath: /config-input + name: apiconfig + - mountPath: /config + name: apiconfig-processed + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -58,7 +78,7 @@ spec: name: localtime readOnly: true - mountPath: /opt/app/policy/api/etc/mounted - name: apiconfig + name: apiconfig-processed resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -77,5 +97,8 @@ spec: configMap: name: {{ include "common.fullname" . }}-configmap defaultMode: 0755 + - name: apiconfig-processed + emptyDir: + medium: Memory imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/charts/policy-api/templates/secrets.yaml b/kubernetes/policy/charts/policy-api/templates/secrets.yaml new file mode 100644 index 0000000000..bd7eb8ea40 --- /dev/null +++ b/kubernetes/policy/charts/policy-api/templates/secrets.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/charts/policy-api/values.yaml b/kubernetes/policy/charts/policy-api/values.yaml index b5e10493dc..fd66b69e4e 100644 --- a/kubernetes/policy/charts/policy-api/values.yaml +++ b/kubernetes/policy/charts/policy-api/values.yaml @@ -22,6 +22,18 @@ global: nodePortPrefix: 304 persistence: {} + envsubstImage: dibi/envsubst + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . }}' + login: '{{ .Values.db.user }}' + password: '{{ .Values.db.password }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -35,6 +47,9 @@ pullPolicy: Always debugEnabled: false # application configuration +db: + user: policy_user + password: policy_user # default number of instances replicaCount: 1 diff --git a/kubernetes/sdnc/resources/config/bin/startODL.sh b/kubernetes/sdnc/resources/config/bin/startODL.sh index af5c36207c..6aa796a163 100755 --- a/kubernetes/sdnc/resources/config/bin/startODL.sh +++ b/kubernetes/sdnc/resources/config/bin/startODL.sh @@ -4,6 +4,7 @@ # ============LICENSE_START======================================================= # SDNC # ================================================================================ +# Copyright © 2020 Samsung Electronics # Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -133,17 +134,17 @@ echo " AAF_ENABLED=$SDNC_AAF_ENABLED" if $SDNC_AAF_ENABLED; then - export SDNC_STORE_DIR=/opt/app/osaaf/local - export SDNC_CONFIG_DIR=/opt/app/osaaf/local + export SDNC_AAF_STORE_DIR=/opt/app/osaaf/local + export SDNC_AAF_CONFIG_DIR=/opt/app/osaaf/local export SDNC_KEYPASS=`cat /opt/app/osaaf/local/.pass` export SDNC_KEYSTORE=org.onap.sdnc.p12 sed -i '/cadi_prop_files/d' $ODL_HOME/etc/system.properties - echo "cadi_prop_files=$SDNC_CONFIG_DIR/org.onap.sdnc.props" >> $ODL_HOME/etc/system.properties + echo "cadi_prop_files=$SDNC_AAF_CONFIG_DIR/org.onap.sdnc.props" >> $ODL_HOME/etc/system.properties sed -i '/org.ops4j.pax.web.ssl.keystore/d' $ODL_HOME/etc/custom.properties sed -i '/org.ops4j.pax.web.ssl.password/d' $ODL_HOME/etc/custom.properties sed -i '/org.ops4j.pax.web.ssl.keypassword/d' $ODL_HOME/etc/custom.properties - echo org.ops4j.pax.web.ssl.keystore=$SDNC_STORE_DIR/$SDNC_KEYSTORE >> $ODL_HOME/etc/custom.properties + echo org.ops4j.pax.web.ssl.keystore=$SDNC_AAF_STORE_DIR/$SDNC_KEYSTORE >> $ODL_HOME/etc/custom.properties echo org.ops4j.pax.web.ssl.password=$SDNC_KEYPASS >> $ODL_HOME/etc/custom.properties echo org.ops4j.pax.web.ssl.keypassword=$SDNC_KEYPASS >> $ODL_HOME/etc/custom.properties fi diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index da5d8f30d4..4511ca9125 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml +++ b/kubernetes/sdnc/templates/statefulset.yaml @@ -1,4 +1,5 @@ {{/* +# Copyright © 2020 Samsung Electronics # Copyright © 2017 Amdocs, Bell Canada # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -208,6 +209,9 @@ spec: - mountPath: {{ .Values.config.binDir }}/installSdncDb.sh name: bin subPath: installSdncDb.sh + - mountPath: {{ .Values.config.ccsdkConfigDir }}/aaiclient.properties + name: properties + subPath: aaiclient.properties - mountPath: {{ .Values.config.configDir }}/aaiclient.properties name: properties subPath: aaiclient.properties diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index 8cb7c339c7..99ff4b7760 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -1,3 +1,4 @@ +# Copyright © 2020 Samsung Electronics # Copyright © 2017 Amdocs, Bell Canada # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -159,6 +160,7 @@ config: peerODLCluster: 127.0.0.1 isPrimaryCluster: true configDir: /opt/onap/sdnc/data/properties + ccsdkConfigDir: /opt/onap/ccsdk/data/properties dmaapTopic: SUCCESS dmaapPort: 3904 logstashServiceName: log-ls diff --git a/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks b/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks Binary files differnew file mode 100644 index 0000000000..96931ce168 --- /dev/null +++ b/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks diff --git a/kubernetes/so/charts/so-secrets/templates/secrets.yaml b/kubernetes/so/charts/so-secrets/templates/secrets.yaml index 9a749638f0..5be2cc7c41 100644 --- a/kubernetes/so/charts/so-secrets/templates/secrets.yaml +++ b/kubernetes/so/charts/so-secrets/templates/secrets.yaml @@ -25,3 +25,16 @@ data: trustStorePassword: {{ .Values.global.client.certs.trustStorePassword }} keyStorePassword: {{ .Values.global.client.certs.keyStorePassword}} type: Opaque +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.release" . }}-so-truststore-secret + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml b/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml index 00b36a838e..a720753f47 100755 --- a/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml +++ b/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml @@ -40,17 +40,17 @@ spec: image: {{ include "common.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | indent 12 }} - {{- if eq .Values.global.security.aaf.enabled true }} env: - name: TRUSTSTORE - value: /app/org.onap.so.trust.jks + value: {{ .Values.global.client.certs.truststore }} - name: TRUSTSTORE_PASSWORD valueFrom: secretKeyRef: name: {{ .Release.Name}}-so-client-certs-secret key: trustStorePassword + {{ if eq .Values.global.security.aaf.enabled true }} - name: KEYSTORE - value: /app/org.onap.so.jks + value: {{ .Values.global.client.certs.keystore }} - name: KEYSTORE_PASSWORD valueFrom: secretKeyRef: @@ -67,6 +67,9 @@ spec: - name: config mountPath: /app/config readOnly: true + - name: {{ include "common.fullname" . }}-truststore + mountPath: /app/client + readonly: true livenessProbe: tcpSocket: port: {{ index .Values.livenessProbe.port }} @@ -84,5 +87,8 @@ spec: - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap + - name: {{ include "common.fullname" . }}-truststore + secret: + secretName: {{ include "common.release" . }}-so-truststore-secret imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/so/resources/config/overrides/override.yaml b/kubernetes/so/resources/config/overrides/override.yaml index c57ed023ef..6bd930d7b1 100755 --- a/kubernetes/so/resources/config/overrides/override.yaml +++ b/kubernetes/so/resources/config/overrides/override.yaml @@ -1,3 +1,6 @@ +aai: + endpoint: https://aai.{{ include "common.namespace" . }}:8443 + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.aai.auth )}} server: port: {{ index .Values.containerPort }} tomcat: diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index 4cf991ea60..e9c5637eef 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -60,8 +60,8 @@ global: defaultCloudOwner: onap cadi: cadiLoglevel: DEBUG - cadiKeyFile: /app/org.onap.so.keyfile - cadiTrustStore: /app/org.onap.so.trust.jks + cadiKeyFile: /app/client/org.onap.so.keyfile + cadiTrustStore: /app/client/org.onap.so.trust.jks cadiTruststorePassword: enc:MFpuxKeYK6Eo6QXjDUjtOBbp0FthY7SB4mKSIJm_RWC cadiLatitude: 38.4329 cadiLongitude: -90.43248 @@ -73,7 +73,9 @@ global: msoKey: 07a7159d3bf51a0e53be7a8f89699be7 client: certs: - trustStorePassword: b25hcDRzbw== + truststore: /app/client/org.onap.so.trust.jks + keystore: /app/client/org.onap.so.jks + trustStorePassword: LHN4Iy5DKlcpXXdWZ0pDNmNjRkhJIzpI keyStorePassword: c280b25hcA== certificates: path: /etc/ssl/certs diff --git a/kubernetes/vnfsdk/values.yaml b/kubernetes/vnfsdk/values.yaml index 9529e558a2..96cacfbf82 100644 --- a/kubernetes/vnfsdk/values.yaml +++ b/kubernetes/vnfsdk/values.yaml @@ -28,7 +28,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/vnfsdk/refrepo:1.3.2 +image: onap/vnfsdk/refrepo:1.5.1 postgresRepository: crunchydata postgresImage: crunchy-postgres:centos7-10.3-1.8.2 pullPolicy: Always |