diff options
90 files changed, 1011 insertions, 375 deletions
diff --git a/docs/oom_cloud_setup_guide.rst b/docs/oom_cloud_setup_guide.rst index 8431cf794a..033ba43fe4 100644 --- a/docs/oom_cloud_setup_guide.rst +++ b/docs/oom_cloud_setup_guide.rst @@ -46,9 +46,9 @@ The versions of Kubernetes that are supported by OOM are as follows: .. table:: OOM Software Requirements - ============== =========== ======= ======== ======== - Release Kubernetes Helm kubectl Docker - ============== =========== ======= ======== ======== + ============== =========== ======= ======== ======== ============ + Release Kubernetes Helm kubectl Docker Cert-Manager + ============== =========== ======= ======== ======== ============ amsterdam 1.7.x 2.3.x 1.7.x 1.12.x beijing 1.8.10 2.8.2 1.8.10 17.03.x casablanca 1.11.5 2.9.1 1.11.5 17.03.x @@ -57,7 +57,8 @@ The versions of Kubernetes that are supported by OOM are as follows: frankfurt 1.15.9 2.16.6 1.15.11 18.09.x guilin 1.15.11 2.16.10 1.15.11 18.09.x Honolulu 1.19.9 3.5.2 1.19.9 19.03.x - ============== =========== ======= ======== ======== + Istanbul 1.2.0 + ============== =========== ======= ======== ======== ============ .. note:: Guilin version also supports Kubernetes up to version 1.19.x and should work diff --git a/docs/oom_quickstart_guide.rst b/docs/oom_quickstart_guide.rst index 2fedc091d8..d573c94bb0 100644 --- a/docs/oom_quickstart_guide.rst +++ b/docs/oom_quickstart_guide.rst @@ -33,13 +33,19 @@ where <BRANCH> can be an official release tag, such as > cp -R ~/oom/kubernetes/helm/plugins/ ~/.local/share/helm/plugins > helm plugin install https://github.com/chartmuseum/helm-push.git -**Step 3** Install Chartmuseum:: +**Step 3.** Install Chartmuseum:: > curl -LO https://s3.amazonaws.com/chartmuseum/release/latest/bin/linux/amd64/chartmuseum > chmod +x ./chartmuseum > mv ./chartmuseum /usr/local/bin -**Step 4.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or +**Step 4.** Install Cert-Manager:: + + > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml + +More details can be found :doc:`here <oom_setup_paas>`. + +**Step 5.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or an override file like `onap-all.yaml`, `onap-vfw.yaml` or `openstack.yaml` file to suit your deployment with items like the OpenStack tenant information. @@ -67,12 +73,6 @@ to suit your deployment with items like the OpenStack tenant information. -.. note:: - If you want to use CMPv2 certificate onboarding, Cert-Manager must be installed. - :doc:`Click here <oom_setup_paas>` to see how to install Cert-Manager. - - - a. Enabling/Disabling Components: Here is an example of the nominal entries that need to be provided. We have different values file available for different contexts. @@ -154,7 +154,7 @@ Example Keystone v3 (required for Rocky and later releases) :language: yaml -**Step 5.** To setup a local Helm server to server up the ONAP charts:: +**Step 6.** To setup a local Helm server to server up the ONAP charts:: > chartmuseum --storage local --storage-local-rootdir ~/helm3-storage -port 8879 & @@ -163,13 +163,13 @@ follows:: > helm repo add local http://127.0.0.1:8879 -**Step 6.** Verify your Helm repository setup with:: +**Step 7.** Verify your Helm repository setup with:: > helm repo list NAME URL local http://127.0.0.1:8879 -**Step 7.** Build a local Helm repository (from the kubernetes directory):: +**Step 8.** Build a local Helm repository (from the kubernetes directory):: > make SKIP_LINT=TRUE [HELM_BIN=<HELM_PATH>] all ; make SKIP_LINT=TRUE [HELM_BIN=<HELM_PATH>] onap @@ -177,7 +177,7 @@ follows:: Sets the helm binary to be used. The default value use helm from PATH -**Step 8.** Display the onap charts that available to be deployed:: +**Step 9.** Display the onap charts that available to be deployed:: > helm repo update > helm search repo onap @@ -189,7 +189,7 @@ follows:: to your deployment charts or values be sure to use ``make`` to update your local Helm repository. -**Step 9.** Once the repo is setup, installation of ONAP can be done with a +**Step 10.** Once the repo is setup, installation of ONAP can be done with a single command .. note:: @@ -237,7 +237,7 @@ needs. you want to use to deploy VNFs from ONAP and/or additional parameters for the embedded tests. -**Step 10.** Verify ONAP installation +**Step 11.** Verify ONAP installation Use the following to monitor your deployment and determine when ONAP is ready for use:: @@ -251,7 +251,7 @@ for use:: > ~/oom/kubernetes/robot/ete-k8s.sh onap health -**Step 11.** Undeploy ONAP +**Step 12.** Undeploy ONAP :: > helm undeploy dev diff --git a/docs/oom_setup_paas.rst b/docs/oom_setup_paas.rst index 258a4eeadf..845fd473e0 100644 --- a/docs/oom_setup_paas.rst +++ b/docs/oom_setup_paas.rst @@ -9,11 +9,11 @@ .. _oom_setup_paas: -ONAP PaaS set-up (optional) -########################### +ONAP PaaS set-up +################ Starting from Honolulu release, Cert-Manager and Prometheus Stack are a part -of k8s PaaS for ONAP operations and can be optionally installed to provide +of k8s PaaS for ONAP operations and can be installed to provide additional functionality for ONAP engineers. The versions of PaaS compoents that are supported by OOM are as follows: @@ -63,8 +63,8 @@ Installation can be as simple as:: > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml -Prometheus Stack -================ +Prometheus Stack (optional) +=========================== Prometheus is an open-source systems monitoring and alerting toolkit with an active ecosystem. diff --git a/docs/oom_user_guide.rst b/docs/oom_user_guide.rst index 02f5c483b5..3a707e25ea 100644 --- a/docs/oom_user_guide.rst +++ b/docs/oom_user_guide.rst @@ -55,8 +55,8 @@ ONAP with a few simple commands. Pre-requisites -------------- -Your environment must have both the Kubernetes `kubectl` and Helm setup as a -one time activity. +Your environment must have the Kubernetes `kubectl` with Cert-Manager +and Helm setup as a one time activity. Install Kubectl ~~~~~~~~~~~~~~~ @@ -78,6 +78,11 @@ Verify that the Kubernetes config is correct:: At this point you should see Kubernetes pods running. +Install Cert-Manager +~~~~~~~~~~~~~~~~~~~~ +Details on how to install Cert-Manager can be found +:doc:`here <oom_setup_paas>`. + Install Helm ~~~~~~~~~~~~ Helm is used by OOM for package and configuration management. To install Helm, diff --git a/docs/release-notes.rst b/docs/release-notes.rst index d8e529a347..ae0ea457f5 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -42,7 +42,7 @@ Release Data | **Release designation** | Honolulu | | | | +--------------------------------------+--------------------------------------+ -| **Release date** | 2020/12/03 | +| **Release date** | 2021/04/29 | | | | +--------------------------------------+--------------------------------------+ @@ -52,18 +52,53 @@ New features * Kubernetes support for version up to 1.20 * Helm support for version up to 3.5 * Limits are set for most of the components +* Portal-Cassandra image updated to Bitnami, supporting IPv4/IPv6 Dual Stack +* CMPv2 external issuer implemented which extends Cert-Manager with ability to + enroll X.509 certificates from CMPv2 servers +* New version for mariadb galera using Bitnami image, supporting IPv4/IPv6 Dual + Stack +* Bump version of common PostgreSQL and ElasticSearch +* Move to automatic certificates retrieval for 80% of the components +* Consistent retrieval of docker images, with ability to configure proxy for + the 4 repositories used by ONAP **Bug fixes** A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/10826 +https://jira.onap.org/projects/OOM/versions/11073 -**Known Issues** +major issues solved: -- `<https://github.com/bitnami/bitnami-docker-mariadb-galera/issues/35>`_ - bitnami mariadb galera image doesn't support single quote in password. +* Better handling of persistence on PostgreSQL +* Better Ingress templating +* Better Service templating +**Known Issues** +- `OOM-2554 <https://jira.onap.org/browse/OOM-2554>`_ Common pods have java 8 +- `OOM-2435 <https://jira.onap.org/browse/OOM-2435>`_ SDNC karaf shell: + log:list: Error executing command: Unrecognized configuration +- `OOM-2629 <https://jira.onap.org/browse/OOM-2629>`_ NetBox demo entry setup + not complete +- `OOM-2706 <https://jira.onap.org/browse/OOM-2706>`_ CDS Blueprint Processor + does not work with local DB +- `OOM-2713 <https://jira.onap.org/browse/OOM-2713>`_ Problem on onboarding + custom cert to SDNC ONAP during deployment +- `OOM-2698 <https://jira.onap.org/browse/OOM-2698>`_ SO helm override fails in + for value with multi-level replacement +- `OOM-2697 <https://jira.onap.org/browse/OOM-2697>`_ SO with local MariaDB + deployment fails +- `OOM-2538 <https://jira.onap.org/browse/OOM-2538>`_ strange error with + CertInitializer template +- `OOM-2547 <https://jira.onap.org/browse/OOM-2547>`_ Health Check failures + seen after bringing down/up control plane & worker node VM instances on which + ONAP hosted +- `OOM-2699 <https://jira.onap.org/browse/OOM-2699>`_ SO so-mariadb + readinessCheck fails for local MariaDB instance +- `OOM-2705 <https://jira.onap.org/browse/OOM-2705>`_ SDNC DB installation fails + on local MariaDB instance +- `OOM-2603 <https://jira.onap.org/browse/OOM-2603>`_ [SDNC] allign password for + scaleoutUser/restconfUser/odlUser Deliverables ------------ diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat index df2e128407..d29617a4d9 100644 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat +++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat @@ -49,6 +49,7 @@ org.onap.clamp|clds.template|dev|*||"{'org.onap.clamp|service'}" org.onap.clamp|clds.template|dev|read|Onap Clamp Dev Read Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" org.onap.clamp|clds.template|dev|update|Onap Clamp Dev Update Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" org.onap.clamp|clds.tosca|dev|*||"{'org.onap.clamp|service'}" +org.onap.clamp|clds.policies|dev|*||"{'org.onap.clamp|service'}" org.onap.clampdemo|access|*|*|ClampDemo Write Access|{'org.onap.clampdemo.admin'} org.onap.clampdemo|access|*|read|ClampDemo Read Access|{'org.onap.clampdemo.owner'} org.onap.clamptest|access|*|*|Onap Write Access|{'org.onap.clamptest.admin'} diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat index ea15da4053..d73a09d4cd 100644 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat +++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat @@ -40,7 +40,7 @@ org.onap.clampdemo|admin|Onap Clamp Test Admins|"{'org.onap.clampdemo.access|*| org.onap.clampdemo|owner|onap clamp Test Owners|"{'org.onap.clampdemo.access|*|read'}" org.onap.clamp|owner|AAF Namespace Owners| org.onap.clamp|seeCerts||"{'org.onap.clamp|certman|local|request,ignoreIPs,showpass'}" -org.onap.clamp|service||"{'org.onap.clamp|access|*|*', 'org.onap.clamp|clds.cl.manage|dev|*', 'org.onap.clamp|clds.cl|dev|*', 'org.onap.clamp|clds.filter.vf|dev|*', 'org.onap.clamp|clds.template|dev|*', 'org.onap.clamp|clds.tosca|dev|*'}" +org.onap.clamp|service||"{'org.onap.clamp|access|*|*', 'org.onap.clamp|clds.cl.manage|dev|*', 'org.onap.clamp|clds.cl|dev|*', 'org.onap.clamp|clds.filter.vf|dev|*', 'org.onap.clamp|clds.template|dev|*', 'org.onap.clamp|clds.tosca|dev|*', 'org.onap.clamp|clds.policies|dev|*'}" org.onap.clamptest|admin|Onap Clamp Test Admins|"{'org.onap.clamptest.access|*|*'}" org.onap.clamptest|owner|onap clamp Test Owners|"{'org.onap.clamptest.access|*|read'}" org.onap.cli|admin|AAF Namespace Administrators|"{'org.onap.cli|access|*|*'}" diff --git a/kubernetes/aaf/components/aaf-cass/values.yaml b/kubernetes/aaf/components/aaf-cass/values.yaml index 525674434e..a1a1abe55a 100644 --- a/kubernetes/aaf/components/aaf-cass/values.yaml +++ b/kubernetes/aaf/components/aaf-cass/values.yaml @@ -93,4 +93,4 @@ persistence: mountSubPath: "cass" volumeReclaimPolicy: Retain accessMode: ReadWriteOnce - size: 20Gi + size: 5Gi diff --git a/kubernetes/aai/components/aai-traversal/resources/config/application-keycloak.properties b/kubernetes/aai/components/aai-traversal/resources/config/application-keycloak.properties new file mode 100644 index 0000000000..dd1956b63f --- /dev/null +++ b/kubernetes/aai/components/aai-traversal/resources/config/application-keycloak.properties @@ -0,0 +1,13 @@ +spring.autoconfigure.exclude=\ + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration + +multi.tenancy.enabled={{ .Values.config.keycloak.multiTenancy.enabled }} +keycloak.auth-server-url=http://{{ .Values.config.keycloak.host }}:{{ .Values.config.keycloak.port }}/auth +keycloak.realm={{ .Values.config.keycloak.realm }} +keycloak.resource={{ .Values.config.keycloak.resource }} +keycloak.public-client=false +keycloak.principal-attribute=preferred_username + +keycloak.ssl-required=external +keycloak.bearer-only=true diff --git a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml index c0bcb3b491..8f1bd2ddc8 100644 --- a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml @@ -32,6 +32,7 @@ data: {{ tpl (.Files.Glob "resources/config/janusgraph-cached.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/aaiconfig.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }} --- apiVersion: v1 diff --git a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml index 7e54f1d432..dc1c010261 100644 --- a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml @@ -188,6 +188,9 @@ spec: - mountPath: /opt/app/aai-traversal/resources/application.properties name: {{ include "common.fullname" . }}-config subPath: application.properties + - mountPath: /opt/app/aai-traversal/resources/application-keycloak.properties + name: {{ include "common.fullname" . }}-config + subPath: application-keycloak.properties ports: - containerPort: {{ .Values.service.internalPort }} - containerPort: {{ .Values.service.internalPort2 }} diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml index 38011a0c98..ad4279a543 100644 --- a/kubernetes/aai/components/aai-traversal/values.yaml +++ b/kubernetes/aai/components/aai-traversal/values.yaml @@ -59,7 +59,7 @@ global: # global defaults # Active spring profiles for the resources microservice profiles: - active: production,dmaap,aaf-auth + active: production,dmaap,aaf-auth #,keycloak # Notification event specific properties notification: @@ -168,6 +168,20 @@ aai_enpoints: # application configuration config: + # configure keycloak according to your environment. + # don't forget to add keycloak in active profiles above (global.config.profiles) + keycloak: + host: keycloak.your.domain + port: 8180 + # Specifies a set of users, credentials, roles, and groups + realm: aai-traversal + # Used by any client application for enabling fine-grained authorization for their protected resources + resource: aai-traversal-app + # If set to true, additional criteria will be added into traversal query to returns all the vertices that match + # the data-owner property with the given role to the user in keycloak + multiTenancy: + enabled: true + # Specifies timeout information such as application specific and limits timeout: # If set to true application will timeout for queries taking longer than limit diff --git a/kubernetes/appc/components/appc-cdt/values.yaml b/kubernetes/appc/components/appc-cdt/values.yaml index 3b1ff47116..5765d3482d 100644 --- a/kubernetes/appc/components/appc-cdt/values.yaml +++ b/kubernetes/appc/components/appc-cdt/values.yaml @@ -38,27 +38,17 @@ certInitializer: cadi_longitude: "-72.0" credsPath: /opt/app/osaaf/local aaf_add_config: | - echo "*** retrieving password for keystore" - export $(/opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) - if [ -z "$cadi_keystore_password_p12" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - else - cd {{ .Values.credsPath }}; - mkdir -p certs; - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key file" - cp {{ .Values.fqi_namespace }}.key certs/key.pem; - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} - fi + echo "*** transform AAF certs into pem files" + mkdir -p {{ .Values.credsPath }}/certs + openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 + echo "*** copy key file" + cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ + {{ .Values.credsPath }}/certs/key.pem + echo "*** change ownership of certificates to targeted user" + chown -R 1000 {{ .Values.credsPath }} ################################################################# # Application configuration defaults. diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh index 2fd6db1360..717ea6679c 100755 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh +++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh @@ -44,7 +44,7 @@ enable_odl_cluster () { node_index=($(echo ${hm} | awk -F"-" '{print $NF}')) node_list="${node}-0.{{ .Values.service.name }}-cluster.{{.Release.Namespace}}"; - for ((i=1;i<${APPC_REPLICAS};i++)); + for i in $(seq 1 $((${APPC_REPLICAS}-1))); do node_list="${node_list} ${node}-$i.{{ .Values.service.name }}-cluster.{{.Release.Namespace}}" done @@ -65,7 +65,7 @@ DBINIT_DIR=${DBINIT_DIR:-/opt/opendaylight/current/daexim} # Wait for database to init properly # echo "Waiting for mariadbgalera" -until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql &> /dev/null +until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql >/dev/null 2>&1 do printf "." sleep 1 diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml index cc56bb4859..83d00a7545 100644 --- a/kubernetes/appc/values.yaml +++ b/kubernetes/appc/values.yaml @@ -129,6 +129,7 @@ mariadb-galera: disableNfsProvisioner: true serviceAccount: nameOverride: *appc-db + replicaCount: 1 dgbuilder: nameOverride: appc-dgbuilder diff --git a/kubernetes/cli/values.yaml b/kubernetes/cli/values.yaml index c521fb8c84..4dcee4568c 100644 --- a/kubernetes/cli/values.yaml +++ b/kubernetes/cli/values.yaml @@ -35,33 +35,24 @@ certInitializer: cadi_latitude: "0.0" credsPath: /opt/app/osaaf/local aaf_add_config: | - echo "*** retrieving password for keystore and trustore" - export $(/opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) - if [ -z "$cadi_keystore_password_p12" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - else - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \ - -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \ - -alias ca_local_0 \ - -storepass $cadi_truststore_password - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** generating needed file" - cat {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ - {{ .Values.credsPath }}/certs/cert.pem \ - {{ .Values.credsPath }}/certs/cacert.pem \ - > {{ .Values.credsPath }}/certs/fullchain.pem; - cat {{ .Values.credsPath }}/certs/fullchain.pem - echo "*** change ownership of certificates to targeted user" - chown -R 33 {{ .Values.credsPath }} - fi + echo "*** transform AAF certs into pem files" + mkdir -p {{ .Values.credsPath }}/certs + keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \ + -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \ + -alias ca_local_0 \ + -storepass $cadi_truststore_password + openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 + echo "*** generating needed file" + cat {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ + {{ .Values.credsPath }}/certs/cert.pem \ + {{ .Values.credsPath }}/certs/cacert.pem \ + > {{ .Values.credsPath }}/certs/fullchain.pem; + cat {{ .Values.credsPath }}/certs/fullchain.pem + echo "*** change ownership of certificates to targeted user" + chown -R 33 {{ .Values.credsPath }} ################################################################# diff --git a/kubernetes/common/Makefile b/kubernetes/common/Makefile index c7aba635c1..6442068b2f 100644 --- a/kubernetes/common/Makefile +++ b/kubernetes/common/Makefile @@ -21,7 +21,7 @@ COMMON_CHARTS_DIR := common EXCLUDES := PROCESSED_LAST := cert-wrapper repository-wrapper -PROCESSED_FIRST := repositoryGenerator readinessCheck certInitializer +PROCESSED_FIRST := repositoryGenerator readinessCheck serviceAccount certInitializer TO_FILTER := $(PROCESSED_FIRST) $(EXCLUDES) $(PROCESSED_LAST) HELM_BIN := helm diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml index 953c89d24d..3553cd4069 100644 --- a/kubernetes/common/cassandra/templates/statefulset.yaml +++ b/kubernetes/common/cassandra/templates/statefulset.yaml @@ -71,6 +71,17 @@ spec: timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} + startupProbe: + exec: + command: + - /bin/bash + - -c + - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' + initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} + periodSeconds: {{ .Values.startup.periodSeconds }} + timeoutSeconds: {{ .Values.startup.timeoutSeconds }} + successThreshold: {{ .Values.startup.successThreshold }} + failureThreshold: {{ .Values.startup.failureThreshold }} env: {{- $seed_size := default 1 .Values.replicaCount | int -}} {{- $global := . }} diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml index c3d22cedc0..9f19bf5c14 100644 --- a/kubernetes/common/cassandra/values.yaml +++ b/kubernetes/common/cassandra/values.yaml @@ -54,8 +54,8 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 @@ -64,12 +64,19 @@ liveness: enabled: true readiness: - initialDelaySeconds: 120 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 +startup: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 90 + service: name: cassandra headless: @@ -119,7 +126,7 @@ persistence: ## storageClass: "-" ## Not set as it depends of the backup enabledment or not. accessMode: ReadWriteOnce - size: 2Gi + size: 10Gi mountPath: /dockerdata-nfs mountSubPath: cassandra storageType: local diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index d955ecdf3c..cb4153e778 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -17,6 +17,7 @@ */}} CERTS_DIR=${CERTS_DIR:-/certs} +MORE_CERTS_DIR=${MORE_CERTS_DIR:-/more_certs} WORK_DIR=${WORK_DIR:-/updatedTruststore} ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks} JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts} @@ -47,10 +48,18 @@ for f in $CERTS_DIR/*; do fi done +for f in $MORE_CERTS_DIR/*; do + if [ ${f: -4} == ".pem" ] + then + cp $f $WORK_DIR/. + fi +done + # Prepare truststore output file if [ "$AAF_ENABLED" = "true" ] then - mv $WORK_DIR/$ONAP_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME + echo "AAF is enabled, use 'AAF' truststore" + export TRUSTSTORE_OUTPUT_FILENAME=${ONAP_TRUSTSTORE} else echo "AAF is disabled, using JRE truststore" cp $JRE_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME diff --git a/kubernetes/common/certInitializer/resources/ingress/onboard.sh b/kubernetes/common/certInitializer/resources/ingress/onboard.sh new file mode 100644 index 0000000000..9cc5ec580e --- /dev/null +++ b/kubernetes/common/certInitializer/resources/ingress/onboard.sh @@ -0,0 +1,35 @@ +#!/bin/sh + +{{/* +# Copyright © 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/ -}} + +echo "*** retrieving certificates and keys" +export CRT=$(cat {{ .Values.credsPath }}/certs/tls.crt | base64 -w 0) +export KEY=$(cat {{ .Values.credsPath }}/certs/tls.key | base64 -w 0) +export CACERT=$(cat {{ .Values.credsPath }}/certs/cacert.pem | base64 -w 0) +echo "*** creating tls secret" +cat <<EOF | kubectl apply -f - +apiVersion: v1 +kind: Secret +metadata: + name: {{ tpl .Values.ingressTlsSecret . }} + namespace: {{ include "common.namespace" . }} +data: + ca.crt: "${CACERT}" + tls.crt: "${CRT}" + tls.key: '${KEY}' +type: kubernetes.io/tls +EOF diff --git a/kubernetes/common/certInitializer/resources/retrieval_check.sh b/kubernetes/common/certInitializer/resources/retrieval/retrieval_check.sh index 25e47693de..76f384502f 100644 --- a/kubernetes/common/certInitializer/resources/retrieval_check.sh +++ b/kubernetes/common/certInitializer/resources/retrieval/retrieval_check.sh @@ -14,7 +14,8 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} +*/ -}} + echo "*** retrieving passwords for certificates" export $(/opt/app/aaf_config/bin/agent.sh local showpass \ {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) diff --git a/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh b/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh new file mode 100644 index 0000000000..f201eadd0a --- /dev/null +++ b/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh @@ -0,0 +1,32 @@ +#!/bin/sh + +{{/* +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/ -}} + +echo "--- Cert transformation for use with Ingress" +echo "*** transform AAF certs into pem files" +mkdir -p {{ .Values.credsPath }}/certs +keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \ + -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \ + -alias ca_local_0 \ + -storepass $cadi_truststore_password +openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -out {{ .Values.credsPath }}/certs/tls.crt -nokeys \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 +cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ + {{ .Values.credsPath }}/certs/tls.key +echo "--- Done" diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index 414192e2bc..f3ba8a24e0 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Bell Canada, Samsung Electronics +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -58,6 +59,11 @@ - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} mountPath: /opt/app/aaf_config/bin/retrieval_check.sh subPath: retrieval_check.sh +{{- if hasKey $initRoot "ingressTlsSecret" }} + - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} + mountPath: /opt/app/aaf_config/bin/tls_certs_configure.sh + subPath: tls_certs_configure.sh +{{- end }} {{- if $initRoot.aaf_add_config }} - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh @@ -69,6 +75,9 @@ - | /opt/app/aaf_config/bin/agent.sh . /opt/app/aaf_config/bin/retrieval_check.sh +{{- if hasKey $initRoot "ingressTlsSecret" }} + /opt/app/aaf_config/bin/tls_certs_configure.sh +{{- end -}} {{- if $initRoot.aaf_add_config }} /opt/app/aaf_config/bin/aaf-add-config.sh {{- end }} @@ -137,6 +146,8 @@ volumeMounts: - mountPath: /certs name: aaf-agent-certs + - mountPath: /more_certs + name: provided-custom-certs - mountPath: /root/import-custom-certs.sh name: aaf-agent-certs subPath: import-custom-certs.sh @@ -177,6 +188,21 @@ configMap: name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }} defaultMode: 0700 +{{- if $dot.Values.global.importCustomCertsEnabled }} +- name: provided-custom-certs +{{- if $dot.Values.global.customCertsSecret }} + secret: + secretName: {{ $dot.Values.global.customCertsSecret }} +{{- else }} +{{- if $dot.Values.global.customCertsConfigMap }} + configMap: + name: {{ $dot.Values.global.customCertsConfigMap }} +{{- else }} + emptyDir: + medium: Memory +{{- end }} +{{- end }} +{{- end }} - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} configMap: name: {{ include "common.fullname" $subchartDot }}-add-config diff --git a/kubernetes/common/certInitializer/templates/configmap.yaml b/kubernetes/common/certInitializer/templates/configmap.yaml index 1e9254abef..abd1575774 100644 --- a/kubernetes/common/certInitializer/templates/configmap.yaml +++ b/kubernetes/common/certInitializer/templates/configmap.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Samsung Electronics +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,8 +20,20 @@ kind: ConfigMap {{- $suffix := "add-config" }} metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} data: -{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/retrieval/retrieval_check.sh").AsConfig . | indent 2 }} +{{- if hasKey .Values "ingressTlsSecret" }} +{{ tpl (.Files.Glob "resources/retrieval/tls_certs_configure.sh").AsConfig . | indent 2 }} +{{- end }} {{ if .Values.aaf_add_config }} aaf-add-config.sh: | {{ tpl .Values.aaf_add_config . | indent 4 | trim }} {{- end }} +{{- if hasKey .Values "ingressTlsSecret" }} +--- +apiVersion: v1 +kind: ConfigMap +{{- $suffix := "ingress" }} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} +data: +{{ tpl (.Files.Glob "resources/ingress/onboard.sh").AsConfig . | indent 2 }} +{{- end }} diff --git a/kubernetes/common/certInitializer/templates/job.yaml b/kubernetes/common/certInitializer/templates/job.yaml new file mode 100644 index 0000000000..331a58c310 --- /dev/null +++ b/kubernetes/common/certInitializer/templates/job.yaml @@ -0,0 +1,44 @@ +{{/* +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if hasKey .Values "ingressTlsSecret" }} +apiVersion: batch/v1 +kind: Job +{{- $suffix := "set-tls-secret" }} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} +spec: + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: {{ include "common.certInitializer.initContainer" (dict "dot" . "initRoot" .Values) | nindent 6 }} + containers: + - name: create tls secret + command: + - /ingress/onboard.sh + image: {{ include "repositoryGenerator.image.kubectl" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: {{ include "common.certInitializer.volumeMount" (dict "dot" . "initRoot" .Values) | nindent 8 }} + - name: ingress-scripts + mountPath: /ingress + volumes: {{ include "common.certInitializer.volumes" (dict "dot" . "initRoot" .Values) | nindent 6 }} + - name: localtime + hostPath: + path: /etc/localtime + - name: ingress-scripts + configMap: + name: {{ include "common.fullname" . }}-ingress + defaultMode: 0777 +{{- end}} diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml index 52b2765329..747c94f4d1 100644 --- a/kubernetes/common/certInitializer/values.yaml +++ b/kubernetes/common/certInitializer/values.yaml @@ -15,6 +15,15 @@ global: aafAgentImage: onap/aaf/aaf_agent:2.1.20 aafEnabled: true + # Give the name of a config map where certInitializer will onboard all certs + # given (certs must be in pem format) + customCertsConfigMap: + # Give the name of a secret where certInitializer will onboard all certs given + # (certs must be in pem format) + # this one superseedes previous one (so if both are given, only certs from + # secret will be onboarded). + customCertsSecret: + pullPolicy: Always @@ -37,7 +46,6 @@ readinessCheck: - aaf-cm - aaf-service -aafDeployFqi: "changeme" fqdn: "" app_ns: "org.osaaf.aaf" fqi: "" @@ -55,6 +63,7 @@ truststoreMountpath: "" truststoreOutputFileName: truststore.jks truststorePassword: changeit envVarToCheck: cadi_keystore_password_p12 +# ingressTlsSecret: # This introduces implicit dependency on cert-wrapper # if you are using cert initializer cert-wrapper has to be also deployed. diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl index 108873b31d..2b9461e50e 100644 --- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl +++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl @@ -189,6 +189,8 @@ spec: {{ end }} {{- end -}} +{{/*Using templates below allows read and write access to volume mounted at $mountPath*/}} + {{- define "common.certManager.volumeMounts" -}} {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} @@ -217,8 +219,14 @@ spec: sources: - secret: name: {{ $certificatesSecretName }} - {{- if $certificate.keystore }} items: + - key: tls.key + path: key.pem + - key: tls.crt + path: cert.pem + - key: ca.crt + path: cacert.pem + {{- if $certificate.keystore }} {{- range $outputType := $certificate.keystore.outputType }} - key: keystore.{{ $outputType }} path: keystore.{{ $outputType }} @@ -248,4 +256,55 @@ spec: {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}} {{- end -}} {{ $certsLinkCommand }} -{{- end -}}
\ No newline at end of file +{{- end -}} + +{{/*Using templates below allows only read access to volume mounted at $mountPath*/}} + +{{- define "common.certManager.volumeMountsReadOnly" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} + {{- range $i, $certificate := $dot.Values.certificates -}} + {{- $mountPath := $certificate.mountPath -}} +- mountPath: {{ $mountPath }} + name: certmanager-certs-volume-{{ $i }} + {{- end -}} +{{- end -}} + +{{- define "common.certManager.volumesReadOnly" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} +{{- $certificates := $dot.Values.certificates -}} + {{- range $i, $certificate := $certificates -}} + {{- $name := include "common.fullname" $dot -}} + {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +- name: certmanager-certs-volume-{{ $i }} + projected: + sources: + - secret: + name: {{ $certificatesSecretName }} + items: + - key: tls.key + path: key.pem + - key: tls.crt + path: cert.pem + - key: ca.crt + path: cacert.pem + {{- if $certificate.keystore }} + {{- range $outputType := $certificate.keystore.outputType }} + - key: keystore.{{ $outputType }} + path: keystore.{{ $outputType }} + - key: truststore.{{ $outputType }} + path: truststore.{{ $outputType }} + {{- end }} + - secret: + name: {{ $certificate.keystore.passwordSecretRef.name }} + items: + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: keystore.pass + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: truststore.pass + {{- end }} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl index 1be3e3b790..5021c500b0 100644 --- a/kubernetes/common/common/templates/_mariadb.tpl +++ b/kubernetes/common/common/templates/_mariadb.tpl @@ -63,7 +63,7 @@ */}} {{- define "common.mariadbService" -}} {{- if .Values.global.mariadbGalera.localCluster -}} - {{- index .Values "mariadb-galera" "service" "name" -}} + {{- index .Values "mariadb-galera" "nameOverride" -}} {{- else -}} {{- .Values.global.mariadbGalera.service -}} {{- end -}} diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index bde971ffe7..7b0d90a9aa 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -129,7 +129,7 @@ spec: livenessProbe: exec: command: - - bash + - sh - -ec - | exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD @@ -143,7 +143,7 @@ spec: readinessProbe: exec: command: - - bash + - sh - -ec - | exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD @@ -153,6 +153,20 @@ spec: successThreshold: {{ .Values.readinessProbe.successThreshold }} failureThreshold: {{ .Values.readinessProbe.failureThreshold }} {{- end }} + {{- if .Values.startupProbe.enabled }} + startupProbe: + exec: + command: + - sh + - -ec + - | + exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.startupProbe.successThreshold }} + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + {{- end }} resources: {{ include "common.resources" . | nindent 12 }} volumeMounts: - name: previous-boot diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index 79b1cb2933..4c77efc83f 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -478,18 +478,18 @@ flavor: small resources: small: limits: - cpu: 500m - memory: 2.5Gi + cpu: 1 + memory: 4Gi requests: - cpu: 100m - memory: 750Mi + cpu: 500m + memory: 2Gi large: limits: cpu: 2 - memory: 4Gi + memory: 6Gi requests: cpu: 1 - memory: 2Gi + memory: 3Gi unlimited: {} ## MariaDB Galera containers' liveness and readiness probes @@ -497,20 +497,29 @@ resources: ## livenessProbe: enabled: true - ## Initializing the database could take some time - ## - initialDelaySeconds: 150 + initialDelaySeconds: 1 periodSeconds: 10 timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 readinessProbe: enabled: true - initialDelaySeconds: 60 + initialDelaySeconds: 1 periodSeconds: 10 timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 +startupProbe: + ## Initializing the database could take some time + ## + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + # will wait up for initialDelaySeconds + failureThreshold*periodSeconds before + # stating startup wasn't good (910s per default) + failureThreshold: 90 ## Pod disruption budget configuration ## diff --git a/kubernetes/common/music/components/music-cassandra/templates/job.yaml b/kubernetes/common/music/components/music-cassandra/templates/job.yaml index 3cf1ae34fd..d3c89d4a59 100644 --- a/kubernetes/common/music/components/music-cassandra/templates/job.yaml +++ b/kubernetes/common/music/components/music-cassandra/templates/job.yaml @@ -39,8 +39,6 @@ spec: command: - /app/ready.py args: - - --timeout - - "{{ .Values.readinessTimeout }}" - --container-name - music-cassandra env: @@ -87,4 +85,3 @@ spec: restartPolicy: Never imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - diff --git a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml index 2a1fb4f59e..1aabfb6bcc 100644 --- a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml +++ b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml @@ -73,6 +73,17 @@ spec: timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} + startupProbe: + exec: + command: + - /bin/bash + - -c + - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' + initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} + periodSeconds: {{ .Values.startup.periodSeconds }} + timeoutSeconds: {{ .Values.startup.timeoutSeconds }} + successThreshold: {{ .Values.startup.successThreshold }} + failureThreshold: {{ .Values.startup.failureThreshold }} lifecycle: preStop: exec: diff --git a/kubernetes/common/music/components/music-cassandra/values.yaml b/kubernetes/common/music/components/music-cassandra/values.yaml index 8530172269..92ed723989 100644 --- a/kubernetes/common/music/components/music-cassandra/values.yaml +++ b/kubernetes/common/music/components/music-cassandra/values.yaml @@ -18,7 +18,7 @@ global: nodePortPrefix: 302 persistence: {} -replicaCount: 3 +replicaCount: 1 # Cassandra Image - This image is modified from the original on # Docker Hub where the Security has been turned on. @@ -72,8 +72,8 @@ cql: # probe configuration parameters liveness: - initialDelaySeconds: 120 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 @@ -81,15 +81,20 @@ liveness: # in debugger so K8s doesn't restart unresponsive container enabled: true -readinessTimeout: 240 - readiness: - initialDelaySeconds: 10 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 +startup: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 90 + podManagementPolicy: OrderedReady updateStrategy: type: OnDelete diff --git a/kubernetes/common/music/values.yaml b/kubernetes/common/music/values.yaml index 25cab910a9..f578949196 100644 --- a/kubernetes/common/music/values.yaml +++ b/kubernetes/common/music/values.yaml @@ -164,5 +164,4 @@ certInitializer: credsPath: /opt/app/osaaf/local appMountPath: /opt/app/aafcertman aaf_add_config: > - cd {{ .Values.credsPath }}; - /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password_jks= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1; + echo "$cadi_keystore_password_jks" > {{ .Values.credsPath }}/.pass; diff --git a/kubernetes/common/roles-wrapper/Chart.yaml b/kubernetes/common/roles-wrapper/Chart.yaml new file mode 100644 index 0000000000..862773fc87 --- /dev/null +++ b/kubernetes/common/roles-wrapper/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: Wrapper chart to allow default roles to be shared among onap instances +name: roles-wrapper +version: 8.0.0 diff --git a/kubernetes/common/roles-wrapper/requirements.yaml b/kubernetes/common/roles-wrapper/requirements.yaml new file mode 100644 index 0000000000..b2d51ef925 --- /dev/null +++ b/kubernetes/common/roles-wrapper/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: common + version: ~8.x-0 + repository: 'file://../common' diff --git a/kubernetes/common/roles-wrapper/templates/role.yaml b/kubernetes/common/roles-wrapper/templates/role.yaml new file mode 100644 index 0000000000..e2a84b4151 --- /dev/null +++ b/kubernetes/common/roles-wrapper/templates/role.yaml @@ -0,0 +1,110 @@ +{{/* +# Copyright © 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- $dot := . -}} +{{- range $role_type := $dot.Values.roles }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ printf "%s-%s" (include "common.release" $dot) $role_type }} + namespace: {{ include "common.namespace" $dot }} +rules: +{{- if eq $role_type "read" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + - extensions + resources: + - pods + - deployments + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + verbs: + - get + - watch + - list +{{- else }} +{{- if eq $role_type "create" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + - extensions + resources: + - pods + - deployments + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + - secrets + verbs: + - get + - watch + - list +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - statefulsets + verbs: + - patch +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - deployments + - secrets + verbs: + - create +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods + - persistentvolumeclaims + - secrets + - deployment + verbs: + - delete +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods/exec + verbs: + - create +{{- else }} +# if you don't match read or create, then you're not allowed to use API +# except to see basic information about yourself +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + - selfsubjectrulesreviews + verbs: + - create +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/roles-wrapper/values.yaml b/kubernetes/common/roles-wrapper/values.yaml new file mode 100644 index 0000000000..8a53d7d733 --- /dev/null +++ b/kubernetes/common/roles-wrapper/values.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +roles: + - nothing + - read + - create diff --git a/kubernetes/common/serviceAccount/templates/role-binding.yaml b/kubernetes/common/serviceAccount/templates/role-binding.yaml index 2082f8466b..7c272aecda 100644 --- a/kubernetes/common/serviceAccount/templates/role-binding.yaml +++ b/kubernetes/common/serviceAccount/templates/role-binding.yaml @@ -16,18 +16,24 @@ {{- $dot := . -}} {{- range $role_type := $dot.Values.roles }} +{{/* retrieve the names for generic roles */}} +{{ $name := printf "%s-%s" (include "common.release" $dot) $role_type }} +{{- if not (has $role_type $dot.Values.defaultRoles) }} +{{ $name = include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 # This cluster role binding allows anyone in the "manager" group to read secrets in any namespace. kind: RoleBinding metadata: - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} namespace: {{ include "common.namespace" $dot }} subjects: - kind: ServiceAccount - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} roleRef: kind: Role - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ $name }} apiGroup: rbac.authorization.k8s.io {{- end }} + diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml index 6d12164938..2055885f2a 100644 --- a/kubernetes/common/serviceAccount/templates/role.yaml +++ b/kubernetes/common/serviceAccount/templates/role.yaml @@ -14,96 +14,28 @@ # limitations under the License. */}} -{{- $dot := . -}} +{{- $dot := . -}} {{- range $role_type := $dot.Values.roles }} +{{/* Default roles are already created, just creating specific ones */}} +{{- if not (has $role_type $dot.Values.defaultRoles) }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} namespace: {{ include "common.namespace" $dot }} rules: -{{- if eq $role_type "read" }} -- apiGroups: - - "" # "" indicates the core API group - - apps - - batch - - extensions - resources: - - pods - - deployments - - jobs - - jobs/status - - statefulsets - - replicasets - - replicasets/status - - daemonsets - verbs: - - get - - watch - - list -{{- else }} -{{- if eq $role_type "create" }} -- apiGroups: - - "" # "" indicates the core API group - - apps - - batch - - extensions - resources: - - pods - - deployments - - jobs - - jobs/status - - statefulsets - - replicasets - - replicasets/status - - daemonsets - - secrets - verbs: - - get - - watch - - list -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - statefulsets - verbs: - - patch -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - deployments - - secrets - verbs: - - create -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - pods - - persistentvolumeclaims - - secrets - - deployment - verbs: - - delete +{{- if hasKey $dot.Values.new_roles_definitions $role_type }} +{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }} +{{- else}} +# if no rules are provided, you're back to 'nothing' role - apiGroups: - - "" # "" indicates the core API group - - apps + - authorization.k8s.io resources: - - pods/exec + - selfsubjectaccessreviews + - selfsubjectrulesreviews verbs: - create -{{- else }} -{{- if hasKey $dot.Values.new_roles_definitions $role_type }} -{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }} -{{- else}} -# if you don't match read or create, then you're not allowed to use API -- apiGroups: [] - resources: [] - verbs: [] {{- end }} {{- end }} {{- end }} -{{- end }} diff --git a/kubernetes/common/serviceAccount/templates/service-account.yaml b/kubernetes/common/serviceAccount/templates/service-account.yaml index 449bea684c..20bd94f49a 100644 --- a/kubernetes/common/serviceAccount/templates/service-account.yaml +++ b/kubernetes/common/serviceAccount/templates/service-account.yaml @@ -20,5 +20,5 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} -{{- end }} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} +{{- end }}
\ No newline at end of file diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml index afa819421c..22faeb6904 100644 --- a/kubernetes/common/serviceAccount/values.yaml +++ b/kubernetes/common/serviceAccount/values.yaml @@ -12,11 +12,18 @@ # See the License for the specific language governing permissions and # limitations under the License. +# Default roles will be created by roles wrapper +# It won't work if roles wrapper is disabled. roles: - nothing # - read # - create +defaultRoles: + - nothing + - read + - create + new_roles_definitions: {} # few-read: # - apiGroups: diff --git a/kubernetes/contrib/components/ejbca/values.yaml b/kubernetes/contrib/components/ejbca/values.yaml index 69d993e9a4..57d1e7848e 100644 --- a/kubernetes/contrib/components/ejbca/values.yaml +++ b/kubernetes/contrib/components/ejbca/values.yaml @@ -54,7 +54,7 @@ mysqlDatabase: &dbName ejbca replicaCount: 1 ejbca: - image: primekey/ejbca-ce:6.15.2.5 + image: primekey/ejbca-ce:7.4.3.2 pullPolicy: Always mariadb-galera: diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index 9c9cc7074d..5de526288e 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -3,6 +3,7 @@ # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -68,6 +69,83 @@ the the literal string "An example value". {{- end }} {{- end -}} {{/* +For internal use only! + +dcaegen2-services-common._externalVolumes: +This template generates a list of volumes associated with the pod, +based on information provided in .Values.externalVolumes. This +template works in conjunction with dcaegen2-services-common._externalVolumeMounts +to give the microservice access to data in volumes created else. +This initial implementation supports ConfigMaps only, as this is the only +external volume mounting required by current microservices. + +.Values.externalValues is a list of objects. Each object has 3 required fields and 1 optional field: + - name: the name of the resource (in the current implementation, it must be a ConfigMap) + that is to be set up as a volume. The value is a case sensitive string. Because the + names of resources are sometimes set at deployment time (for instance, to prefix the Helm + release to the name), the string can be a Helm template fragment that will be expanded at + deployment time. + - type: the type of the resource (in the current implementation, only "ConfigMap" is supported). + The value is a case-INsensitive string. + - mountPoint: the path to the mount point for the volume in the container file system. The + value is a case-sensitive string. + - readOnly: (Optional) Boolean flag. Set to true to mount the volume as read-only. + Defaults to false. + +Here is an example fragment from a values.yaml file for a microservice: + +externalVolumes: + - name: my-example-configmap + type: configmap + mountPath: /opt/app/config + - name: '{{ include "common.release" . }}-another-example' + type: configmap + mountPath: /opt/app/otherconfig +*/}} +{{- define "dcaegen2-services-common._externalVolumes" -}} + {{- $global := . -}} + {{- if .Values.externalVolumes }} + {{- range $vol := .Values.externalVolumes }} + {{- if eq (lower $vol.type) "configmap" }} + {{- $vname := (tpl $vol.name $global) }} +- configMap: + defaultMode: 420 + name: {{ $vname }} + name: {{ $vname }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} +{{/* +For internal use only! + +dcaegen2-services-common._externalVolumeMounts: +This template generates a list of volume mounts for the microservice container, +based on information provided in .Values.externalVolumes. This +template works in conjunction with dcaegen2-services-common._externalVolumes +to give the microservice access to data in volumes created else. +This initial implementation supports ConfigMaps only, as this is the only +external volume mounting required by current microservices. + +See the documentation for dcaegen2-services-common._externalVolumes for +details on how external volumes are specified in the values.yaml file for +the microservice. +*/}} +{{- define "dcaegen2-services-common._externalVolumeMounts" -}} + {{- $global := . -}} + {{- if .Values.externalVolumes }} + {{- range $vol := .Values.externalVolumes }} + {{- if eq (lower $vol.type) "configmap" }} + {{- $vname := (tpl $vol.name $global) -}} + {{- $readOnly := $vol.readOnly | default false }} +- mountPath: {{ $vol.mountPath }} + name: {{ $vname }} + readOnly: {{ $readOnly }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} +{{/* dcaegen2-services-common.microserviceDeployment: This template produces a Kubernetes Deployment for a DCAE microservice. @@ -190,6 +268,7 @@ spec: - mountPath: /opt/app/osaaf name: tls-info {{- end }} + {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }} containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -197,7 +276,7 @@ spec: env: {{- if $certDir }} - name: DCAE_CA_CERTPATH - value: {{ $certDir}}/cacert.pem + value: {{ $certDir }}/cacert.pem {{- end }} - name: CONSUL_HOST value: consul-server.onap @@ -245,11 +324,15 @@ spec: {{- if $certDir }} - mountPath: {{ $certDir }} name: tls-info + {{- if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{- include "common.certManager.volumeMountsReadOnly" . | nindent 8 -}} + {{- end -}} {{- end }} {{- if $policy }} - name: policy-shared mountPath: /etc/policies {{- end }} + {{- include "dcaegen2-services-common._externalVolumeMounts" . | nindent 8 }} {{- if $logDir }} - image: {{ include "repositoryGenerator.image.logging" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -291,7 +374,7 @@ spec: name: onap-policy-xacml-pdp-api-creds key: password - name: POLICY_SYNC_PDP_URL - value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969 + value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969 - name: POLICY_SYNC_OUTFILE value : "/etc/policies/policies.json" - name: POLICY_SYNC_V1_DECISION_ENDPOINT @@ -339,11 +422,61 @@ spec: {{- if $certDir }} - emptyDir: {} name: tls-info + {{ if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{ include "common.certManager.volumesReadOnly" . | nindent 6 }} + {{- end }} {{- end }} {{- if $policy }} - name: policy-shared emptyDir: {} {{- end }} + {{- include "dcaegen2-services-common._externalVolumes" . | nindent 6 }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" {{ end -}} + +{{/* + For internal use + + Template to attach CertPostProcessor which merges CMPv2 truststore with AAF truststore + and swaps keystore files. +*/}} +{{- define "dcaegen2-services-common._certPostProcessor" -}} + {{- $certDir := default "" .Values.certDirectory . -}} + {{- if and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{- $cmpv2Certificate := (index .Values.certificates 0) -}} + {{- $cmpv2CertificateDir := $cmpv2Certificate.mountPath -}} + {{- $certType := "pem" -}} + {{- if $cmpv2Certificate.keystore -}} + {{- $certType = (index $cmpv2Certificate.keystore.outputType 0) -}} + {{- end -}} + {{- $truststoresPaths := printf "%s/%s:%s/%s" $certDir "cacert.pem" $cmpv2CertificateDir "cacert.pem" -}} + {{- $truststoresPasswordPaths := ":" -}} + {{- $keystoreSourcePaths := printf "%s/%s:%s/%s" $cmpv2CertificateDir "cert.pem" $cmpv2CertificateDir "key.pem" -}} + {{- $keystoreDestinationPaths := printf "%s/%s:%s/%s" $certDir "cert.pem" $certDir "key.pem" -}} + {{- if not (eq $certType "pem") -}} + {{- $truststoresPaths = printf "%s/%s:%s/%s.%s" $certDir "trust.jks" $cmpv2CertificateDir "truststore" $certType -}} + {{- $truststoresPasswordPaths = printf "%s/%s:%s/%s" $certDir "trust.pass" $cmpv2CertificateDir "truststore.pass" -}} + {{- $keystoreSourcePaths = printf "%s/%s.%s:%s/%s" $cmpv2CertificateDir "keystore" $certType $cmpv2CertificateDir "keystore.pass" -}} + {{- $keystoreDestinationPaths = printf "%s/%s.%s:%s/%s.pass" $certDir "cert" $certType $certDir $certType -}} + {{- end }} + - name: cert-post-processor + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.certPostProcessorImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + {{- include "common.resources" . | nindent 4 }} + volumeMounts: + - mountPath: {{ $certDir }} + name: tls-info + {{- include "common.certManager.volumeMountsReadOnly" . | nindent 4 }} + env: + - name: TRUSTSTORES_PATHS + value: {{ $truststoresPaths | quote}} + - name: TRUSTSTORES_PASSWORDS_PATHS + value: {{ $truststoresPasswordPaths | quote }} + - name: KEYSTORE_SOURCE_PATHS + value: {{ $keystoreSourcePaths | quote }} + - name: KEYSTORE_DESTINATION_PATHS + value: {{ $keystoreDestinationPaths | quote }} + {{- end }} +{{- end -}} diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml index cd69da8346..cbd07dc486 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml @@ -15,4 +15,4 @@ # limitations under the License. # ============LICENSE_END========================================================= # dcaegen2-services-common templates get any values from the scope -# they are passed. There are no locally-defined values.
\ No newline at end of file +# they are passed. There are no locally-defined values. diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml index 639fc2c740..929cdbbc5f 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml @@ -1,4 +1,5 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,3 +26,6 @@ dependencies: - name: dcaegen2-services-common version: ~8.x-0 repository: 'file://../../common/dcaegen2-services-common' + - name: certManagerCertificate + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml new file mode 100644 index 0000000000..0db2138a4f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} +{{ include "certManagerCertificate.certificate" . }} +{{ end }} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml index cec332218d..bb65f37f73 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml @@ -1,6 +1,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,6 +35,7 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 ################################################################# # Application configuration defaults. @@ -62,6 +64,24 @@ secrets: password: '{{ .Values.aafCreds.password }}' passwordPolicy: required +# CMPv2 certificate +# It is used only when global parameter cmpv2Enabled is true +# Disabled by default +certificates: + - mountPath: /etc/ves-hv/ssl/external + commonName: dcae-hv-ves-collector + dnsNames: + - dcae-hv-ves-collector + - hv-ves-collector + - hv-ves + keystore: + outputType: + - jks + passwordSecretRef: + name: hv-ves-cmpv2-keystore-password + key: password + create: true + # dependencies readinessCheck: wait_for: diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml index 639fc2c740..929cdbbc5f 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml @@ -1,4 +1,5 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,3 +26,6 @@ dependencies: - name: dcaegen2-services-common version: ~8.x-0 repository: 'file://../../common/dcaegen2-services-common' + - name: certManagerCertificate + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml new file mode 100644 index 0000000000..0db2138a4f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} +{{ include "certManagerCertificate.certificate" . }} +{{ end }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index 62c640453b..081bcdcc1a 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml @@ -1,6 +1,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,6 +35,7 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 ################################################################# # Application configuration defaults. @@ -55,6 +57,24 @@ certDirectory: /opt/app/dcae-certificate # and key from AAF and mount them in certDirectory. tlsServer: true +# CMPv2 certificate +# It is used only when global parameter cmpv2Enabled is true +# Disabled by default +certificates: + - mountPath: /opt/app/dcae-certificate/external + commonName: dcae-ves-collector + dnsNames: + - dcae-ves-collector + - ves-collector + - ves + keystore: + outputType: + - jks + passwordSecretRef: + name: ves-cmpv2-keystore-password + key: password + create: true + # dependencies readinessCheck: wait_for: diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml index 51fcd08c4a..4c1c22f766 100644 --- a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml @@ -103,11 +103,11 @@ flavor: small resources: small: limits: - cpu: 0.6 - memory: 1Gi + cpu: 2 + memory: 2Gi requests: - cpu: 0.4 - memory: 600Mib + cpu: 1 + memory: 1Gi large: limits: cpu: 4 diff --git a/kubernetes/helm/plugins/deploy/deploy.sh b/kubernetes/helm/plugins/deploy/deploy.sh index 6267a35312..0d434ad877 100755 --- a/kubernetes/helm/plugins/deploy/deploy.sh +++ b/kubernetes/helm/plugins/deploy/deploy.sh @@ -2,7 +2,7 @@ usage() { cat << EOF -Install (or upgrade) an umbrella Helm Chart, and its subcharts, as separate Helm Releases +Install (or upgrade) an umbrella Helm Chart, and its subcharts, as separate Helm Releases The umbrella Helm Chart is broken apart into a parent release and subchart releases. Subcharts the are disabled (<chart>.enabled=false) will not be installed or upgraded. @@ -54,7 +54,7 @@ generate_overrides() { cat $COMPUTED_OVERRIDES | sed '/common:/,/consul:/d' \ | sed -n '/^'"$START"'/,/'log:'/p' | sed '1d;$d' >> $GLOBAL_OVERRIDES else - SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(cut -d':' -f1 <<<"$START")" + SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(echo "$START" |cut -d':' -f1)" if [[ -d "$SUBCHART_DIR" ]]; then if [[ -z "$END" ]]; then cat $COMPUTED_OVERRIDES | sed -n '/^'"$START"'/,/'"$END"'/p' \ @@ -70,7 +70,7 @@ generate_overrides() { resolve_deploy_flags() { flags=($1) n=${#flags[*]} - for (( i = 0; i < n; i++ )); do + i=0 ; while [ "$i" -lt "$n" ]; do PARAM=${flags[i]} if [[ $PARAM = "-f" || \ $PARAM = "--values" || \ @@ -82,6 +82,7 @@ resolve_deploy_flags() { else DEPLOY_FLAGS="$DEPLOY_FLAGS $PARAM" fi + i=$((i+1)) done echo "$DEPLOY_FLAGS" } @@ -96,8 +97,8 @@ deploy() { RELEASE=$1 CHART_URL=$2 FLAGS=${@:3} - CHART_REPO="$(cut -d'/' -f1 <<<"$CHART_URL")" - CHART_NAME="$(cut -d'/' -f2 <<<"$CHART_URL")" + CHART_REPO="$(echo "$CHART_URL" |cut -d'/' -f1)" + CHART_NAME="$(echo "$CHART_URL" |cut -d'/' -f2)" if [[ $HELM_VER = "v3."* ]]; then CACHE_DIR=~/.local/share/helm/plugins/deploy/cache else @@ -146,9 +147,9 @@ deploy() { DEPLOY_FLAGS=$(resolve_deploy_flags "$FLAGS") # determine if upgrading individual subchart or entire parent + subcharts - SUBCHART_RELEASE="$(cut -d'-' -f2 <<<"$RELEASE")" + SUBCHART_RELEASE="$(echo "$RELEASE" |cut -d'-' -f2)" # update specified subchart without parent - RELEASE="$(cut -d'-' -f1 <<<"$RELEASE")" + RELEASE="$(echo "$RELEASE" |cut -d'-' -f1)" if [[ $SUBCHART_RELEASE = $RELEASE ]]; then SUBCHART_RELEASE= fi @@ -255,9 +256,9 @@ deploy() { else array=($(echo "$ALL_HELM_RELEASES" | grep "${RELEASE}-${subchart}")) n=${#array[*]} - for (( i = n-1; i >= 0; i-- )); do + for i in $(seq $(($n-1)) -1 0); do if [[ $HELM_VER = "v3."* ]]; then - helm del "${array[i]}" + helm del "${array[i]}" else helm del "${array[i]}" --purge fi diff --git a/kubernetes/helm/plugins/undeploy/undeploy.sh b/kubernetes/helm/plugins/undeploy/undeploy.sh index 8191174314..1689bf1b48 100755 --- a/kubernetes/helm/plugins/undeploy/undeploy.sh +++ b/kubernetes/helm/plugins/undeploy/undeploy.sh @@ -2,7 +2,7 @@ usage() { cat << EOF -Delete an umbrella Helm Chart, and its subcharts, that was previously deployed using 'Helm deploy'. +Delete an umbrella Helm Chart, and its subcharts, that was previously deployed using 'Helm deploy'. Example of deleting all Releases that have the prefix 'demo'. $ helm undeploy demo @@ -23,7 +23,7 @@ undeploy() { array=($(helm ls -q --all | grep $RELEASE)) n=${#array[*]} - for (( i = n-1; i >= 0; i-- )) + for i in $(seq $(($n-1)) -1 0) do helm del "${array[i]}" $FLAGS done diff --git a/kubernetes/msb/components/msb-eag/values.yaml b/kubernetes/msb/components/msb-eag/values.yaml index ff158b592c..3629eb43ec 100644 --- a/kubernetes/msb/components/msb-eag/values.yaml +++ b/kubernetes/msb/components/msb-eag/values.yaml @@ -35,27 +35,18 @@ certInitializer: app_ns: org.osaaf.aaf credsPath: /opt/app/osaaf/local aaf_add_config: | - echo "*** retrieving passwords for certificates" - export $(/opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c') - if [ -z "$cadi_keystore_password_p12" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - else - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - fi + mkdir -p {{ .Values.credsPath }}/certs + echo "*** retrieve certificate from pkcs12" + openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 + echo "*** copy key to relevant place" + cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key + echo "*** change ownership and read/write attributes" + chown -R 1000 {{ .Values.credsPath }}/certs + chmod 600 {{ .Values.credsPath }}/certs/cert.crt + chmod 600 {{ .Values.credsPath }}/certs/cert.key ################################################################# # Application configuration defaults. diff --git a/kubernetes/msb/components/msb-iag/values.yaml b/kubernetes/msb/components/msb-iag/values.yaml index 51e78e1de3..b95a11914d 100644 --- a/kubernetes/msb/components/msb-iag/values.yaml +++ b/kubernetes/msb/components/msb-iag/values.yaml @@ -35,27 +35,18 @@ certInitializer: app_ns: org.osaaf.aaf credsPath: /opt/app/osaaf/local aaf_add_config: | - echo "*** retrieving passwords for certificates" - export $(/opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c') - if [ -z "$cadi_keystore_password_p12" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - else - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - fi + mkdir -p {{ .Values.credsPath }}/certs + echo "*** retrieve certificate from pkcs12" + openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 + echo "*** copy key to relevant place" + cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key + echo "*** change ownership and read/write attributes" + chown -R 1000 {{ .Values.credsPath }}/certs + chmod 600 {{ .Values.credsPath }}/certs/cert.crt + chmod 600 {{ .Values.credsPath }}/certs/cert.key ################################################################# # Application configuration defaults. diff --git a/kubernetes/onap/requirements.yaml b/kubernetes/onap/requirements.yaml index 6034063a0e..fa3efd3b40 100755 --- a/kubernetes/onap/requirements.yaml +++ b/kubernetes/onap/requirements.yaml @@ -169,3 +169,7 @@ dependencies: version: ~8.x-0 repository: '@local' condition: cert-wrapper.enabled + - name: roles-wrapper + version: ~8.x-0 + repository: '@local' + condition: roles-wrapper.enabled diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index ca9ccd48f4..d91284a6c3 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -398,3 +398,5 @@ cert-wrapper: enabled: true repository-wrapper: enabled: true +roles-wrapper: + enabled: true diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index c34ebad982..fd34b1ef28 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -73,7 +73,7 @@ cmpv2issuer: certEndpoint: v1/certificate caName: RA certSecretRef: - name: oom-cert-service-server-tls-secret + name: oom-cert-service-client-tls-secret certRef: tls.crt keyRef: tls.key cacertRef: ca.crt diff --git a/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml deleted file mode 100644 index ba12874eb6..0000000000 --- a/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{/* - # Copyright © 2020, Nokia - # - # Licensed under the Apache License, Version 2.0 (the "License"); - # you may not use this file except in compliance with the License. - # You may obtain a copy of the License at - # - # http://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, - # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - # See the License for the specific language governing permissions and - # limitations under the License. -*/}} - -{{- if .Values.global.offlineDeploymentBuild }} -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "common.repository" . }}/{{ .Values.certificateGenerationImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{ end -}} diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index 829d3a01d1..2e149683d7 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -22,7 +22,6 @@ global: # Standard OOM pullPolicy: "Always" repository: "nexus3.onap.org:10001" - offlineDeploymentBuild: false # Service configuration @@ -33,9 +32,6 @@ service: port: 8443 port_protocol: http -# Certificates generation configuration -certificateGenerationImage: onap/integration-java11:7.2.0 - # Deployment configuration repository: "nexus3.onap.org:10001" image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3 diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index 22edcff601..aa1daf703f 100755 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -80,9 +80,6 @@ certInitializer: uid: 101 gid: 102 aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - export $(/opt/app/aaf_config/bin/agent.sh local showpass - {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12"); echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; echo "export KEYSTORE_PASSWORD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index 0b2ea9f20c..da983e5b5b 100755 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml @@ -69,9 +69,6 @@ certInitializer: uid: 100 gid: 101 aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - export $(/opt/app/aaf_config/bin/agent.sh local showpass - {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12"); echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); @@ -146,4 +143,3 @@ resources: cpu: 200m memory: 2Gi unlimited: {} - diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties b/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties index 17185cc4bb..a6334668b1 100644 --- a/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties +++ b/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties @@ -48,22 +48,22 @@ spring.datasource.url=jdbc:mariadb:sequential://{{ .Values.db.service.name }}:{{ spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller,clamp-ssl-config,clamp-policy-controller,default-dictionary-elements #The log folder that will be used in logback.xml file -clamp.config.files.sdcController=file:/opt/policy/clamp/sdc-controllers-config.json +clamp.config.files.sdcController=file:/opt/policy/clamp/sdc-controllers-config-pass.json # # Configuration Settings for Policy Engine Components -clamp.config.policy.api.url=https4://policy-api.{{ include "common.namespace" . }}:6969 +clamp.config.policy.api.url=https://policy-api.{{ include "common.namespace" . }}:6969 clamp.config.policy.api.userName=healthcheck clamp.config.policy.api.password=zb!XztG34 -clamp.config.policy.pap.url=https4://policy-pap.{{ include "common.namespace" . }}:6969 +clamp.config.policy.pap.url=https://policy-pap.{{ include "common.namespace" . }}:6969 clamp.config.policy.pap.userName=healthcheck clamp.config.policy.pap.password=zb!XztG34 #DCAE Inventory Url Properties -clamp.config.dcae.inventory.url=https4://inventory.{{ include "common.namespace" . }}:8080 -clamp.config.dcae.dispatcher.url=https4://deployment-handler.{{ include "common.namespace" . }}:8443 +clamp.config.dcae.inventory.url=https://inventory.{{ include "common.namespace" . }}:8080 +clamp.config.dcae.dispatcher.url=https://deployment-handler.{{ include "common.namespace" . }}:8443 #DCAE Deployment Url Properties -clamp.config.dcae.deployment.url=https4://deployment-handler.{{ include "common.namespace" . }}:8443 +clamp.config.dcae.deployment.url=https://deployment-handler.{{ include "common.namespace" . }}:8443 clamp.config.dcae.deployment.userName=none clamp.config.dcae.deployment.password=none diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh b/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh index 329479fad2..ad9984c26c 100755 --- a/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh +++ b/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh @@ -16,4 +16,4 @@ # limitations under the License. */}} -mysql -h"${MYSQL_HOST}" -P"${MYSQL_PORT}" -u"${MYSQL_USER}" -p"${MYSQL_PASSWORD}" policyclamp < /dbcmd-config/policy-clamp-create-tables.sql +mysql -h"${MYSQL_HOST}" -P"${MYSQL_PORT}" -u"${MYSQL_USER}" -p"${MYSQL_PASSWORD}" -f policyclamp < /dbcmd-config/policy-clamp-create-tables.sql diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json b/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json index 3adda95c11..6021b21d21 100644 --- a/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json +++ b/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json @@ -6,7 +6,7 @@ "consumerId": "clamp", "environmentName": "AUTO", "sdcAddress": "sdc-be.{{ include "common.namespace" . }}:8443", - "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981", + "password": "${SDC_CLIENT_PASSWORD_ENC}", "pollingInterval":30, "pollingTimeout":30, "activateServerTLSAuth":"false", diff --git a/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml index 1120f9b2b6..c243e30540 100644 --- a/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml @@ -67,6 +67,8 @@ spec: - | {{- if .Values.global.aafEnabled }} export $(grep '^cadi_' {{ .Values.certInitializer.credsPath }}/org.onap.clamp.cred.props | xargs -0) + export SDC_CLIENT_PASSWORD_ENC=`java -jar {{ .Values.certInitializer.credsPath }}/aaf-cadi-aaf-2.1.20-full.jar cadi digest ${SDC_CLIENT_PASSWORD} {{ .Values.certInitializer.credsPath }}/org.onap.clamp.keyfile`; + envsubst < "/opt/policy/clamp/sdc-controllers-config.json" > "/opt/policy/clamp/sdc-controllers-config-pass.json" {{- end }} java -Djava.security.egd=file:/dev/./urandom ${JAVA_RAM_CONFIGURATION} -jar ./policy-clamp-backend.jar ports: @@ -99,6 +101,8 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12 }} - name: MYSQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12 }} + - name: SDC_CLIENT_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdc-creds" "key" "password") | indent 12 }} {{- if ne "unlimited" (include "common.flavor" .) }} - name: JAVA_RAM_CONFIGURATION value: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=75 diff --git a/kubernetes/policy/components/policy-clamp-be/values.yaml b/kubernetes/policy/components/policy-clamp-be/values.yaml index 50ec8fafea..71d2517be1 100644 --- a/kubernetes/policy/components/policy-clamp-be/values.yaml +++ b/kubernetes/policy/components/policy-clamp-be/values.yaml @@ -45,10 +45,6 @@ certInitializer: credsPath: /opt/app/osaaf/local aaf_add_config: > /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop; - grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_truststore_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_truststore_password.pwd; - grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_key_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_key_password.pwd; - grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_keystore_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_keystore_password.pwd; - grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_keystore_password_p12=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_keystore_password_p12.pwd; cd {{ .Values.credsPath }}; chmod a+rx *; @@ -59,11 +55,16 @@ secrets: login: '{{ .Values.db.user }}' password: '{{ .Values.db.password }}' passwordPolicy: required + - uid: sdc-creds + type: password + externalSecret: '{{ tpl (default "" .Values.sdc.sdcClientExternalSecret) . }}' + password: '{{ .Values.sdc.clientPassword }}' + passwordPolicy: required flavor: small # application image -image: onap/policy-clamp-backend:6.0.2 +image: onap/policy-clamp-backend:6.1.1 pullPolicy: Always # flag to enable debugging - application support required @@ -79,6 +80,9 @@ log: #####dummy values for db user and password to pass lint!!!####### +sdc: + clientPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + db: user: policy_user password: policy_user diff --git a/kubernetes/policy/components/policy-clamp-fe/values.yaml b/kubernetes/policy/components/policy-clamp-fe/values.yaml index c2f4d157c8..9712a38e10 100644 --- a/kubernetes/policy/components/policy-clamp-fe/values.yaml +++ b/kubernetes/policy/components/policy-clamp-fe/values.yaml @@ -48,8 +48,6 @@ certInitializer: app_ns: org.osaaf.aaf credsPath: /opt/app/osaaf/local aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop; - export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0); cd {{ .Values.credsPath }}; openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }}; openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }}; @@ -62,7 +60,7 @@ subChartsOnly: flavor: small # application image -image: onap/policy-clamp-frontend:6.0.2 +image: onap/policy-clamp-frontend:6.1.1 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index 09805bd496..6788613ceb 100755 --- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -105,9 +105,6 @@ certInitializer: uid: 100 gid: 101 aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - export $(/opt/app/aaf_config/bin/agent.sh local showpass - {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12"); echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index 658fa65a31..4eb37c6106 100755 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -89,9 +89,6 @@ certInitializer: uid: 100 gid: 101 aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - export $(/opt/app/aaf_config/bin/agent.sh local showpass - {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12"); echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; echo "export CADI_KEYFILE='{{ .Values.credsPath }}/org.onap.policy.keyfile'" >> {{ .Values.credsPath }}/.ci; diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index ec177d82c1..18e0e3e171 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml @@ -83,9 +83,6 @@ certInitializer: uid: 100 gid: 101 aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - export $(/opt/app/aaf_config/bin/agent.sh local showpass - {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12"); echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); @@ -172,4 +169,3 @@ resources: cpu: 200m memory: 2Gi unlimited: {} - diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index 76b0f3a42a..64c00e9bed 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -74,9 +74,6 @@ certInitializer: uid: 100 gid: 101 aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - export $(/opt/app/aaf_config/bin/agent.sh local showpass - {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12"); echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); @@ -155,4 +152,3 @@ resources: cpu: 200m memory: 2Gi unlimited: {} - diff --git a/kubernetes/portal/components/portal-app/templates/deployment.yaml b/kubernetes/portal/components/portal-app/templates/deployment.yaml index 71b2aa3227..39393efb59 100644 --- a/kubernetes/portal/components/portal-app/templates/deployment.yaml +++ b/kubernetes/portal/components/portal-app/templates/deployment.yaml @@ -104,7 +104,7 @@ spec: -Djavax.net.ssl.keyStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }}" -Djavax.net.ssl.trustStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }}" {{- else }} - args: ["/start-apache-tomcat.sh -i "" -n "" -b {{ .Values.global.env.tomcatDir }}"] + args: ["/start-apache-tomcat.sh -i \"\" -n \"\" -b {{ .Values.global.env.tomcatDir }}"] {{- end }} ports: - containerPort: {{ .Values.service.internalPort }} diff --git a/kubernetes/portal/components/portal-app/values.yaml b/kubernetes/portal/components/portal-app/values.yaml index 0a818102c6..b46876ced9 100644 --- a/kubernetes/portal/components/portal-app/values.yaml +++ b/kubernetes/portal/components/portal-app/values.yaml @@ -77,10 +77,9 @@ certInitializer: permission_group: 999 keystoreFile: "org.onap.portal.p12" truststoreFile: "org.onap.portal.trust.jks" - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - /opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop # default number of instances replicaCount: 1 diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh index 390241fa1d..c4a21b927f 100644 --- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh +++ b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh @@ -107,7 +107,7 @@ docker_temp_server_start() { if [ -z "$DATABASE_ALREADY_EXISTS" ]; then extraArgs+=( '--dont-use-mysql-root-password' ) fi - if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then + if echo 'SELECT 1' |docker_process_sql "${extraArgs[@]}" --database=mysql >/dev/null 2>&1; then break fi sleep 1 @@ -263,19 +263,19 @@ docker_setup_db() { # Creates a custom database and user if specified if [ -n "$MYSQL_DATABASE" ]; then mysql_note "Creating database ${MYSQL_DATABASE}" - docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" + echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" |docker_process_sql --database=mysql fi if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then mysql_note "Creating user ${MYSQL_USER}" - docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" + echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" |docker_process_sql --database=mysql if [ -n "$MYSQL_DATABASE" ]; then mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}" - docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;" + echo "GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;" |docker_process_sql --database=mysql fi - docker_process_sql --database=mysql <<<"FLUSH PRIVILEGES ;" + echo "FLUSH PRIVILEGES ;" |docker_process_sql --database=mysql fi } diff --git a/kubernetes/portal/components/portal-sdk/values.yaml b/kubernetes/portal/components/portal-sdk/values.yaml index 11ce5a6e42..7631c3a482 100644 --- a/kubernetes/portal/components/portal-sdk/values.yaml +++ b/kubernetes/portal/components/portal-sdk/values.yaml @@ -78,10 +78,9 @@ certInitializer: permission_group: 999 keystoreFile: "org.onap.portal.p12" truststoreFile: "org.onap.portal.trust.jks" - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - /opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop # flag to enable debugging - application support required debugEnabled: false diff --git a/kubernetes/robot/instantiate-k8s.sh b/kubernetes/robot/instantiate-k8s.sh index f10ad7e493..f4f6b04e4c 100755 --- a/kubernetes/robot/instantiate-k8s.sh +++ b/kubernetes/robot/instantiate-k8s.sh @@ -111,9 +111,9 @@ kubectl --namespace $NAMESPACE cp $FOLDER ${POD}:/tmp/vnfdata.${BUILDNUM} echo "Executing instantiation..." if [ $POLL = 1 ]; then - kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM > /tmp/vnf_instantiation.$BUILDNUM.log 2>&1 &" + kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM > /tmp/vnf_instantiation.$BUILDNUM.log 2>&1 &" - pid=`kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "pgrep runTags.sh -n"` + pid=`kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "pgrep runTags.sh -n"` if [ -z "$pid" ]; then echo "robot testsuite unable to start" @@ -123,10 +123,10 @@ if [ $POLL = 1 ]; then kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "while ps -p \"$pid\" --no-headers | grep -v defunct; do echo \$'\n\n'; echo \"Testsuite still running \"\`date\`; echo \"LOG FILE: \"; tail -10 /tmp/vnf_instantiation.$BUILDNUM.log; sleep 30; done" else - kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM" + kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM" fi -set +x +set +x echo "testsuite has finished" diff --git a/kubernetes/robot/values.yaml b/kubernetes/robot/values.yaml index 6f54c6b340..9e5f222f48 100644 --- a/kubernetes/robot/values.yaml +++ b/kubernetes/robot/values.yaml @@ -22,7 +22,7 @@ global: # global defaults # application image repository: nexus3.onap.org:10001 -image: onap/testsuite:1.7.3 +image: onap/testsuite:1.8.0 pullPolicy: Always ubuntuInitImage: oomk8s/ubuntu-init:2.0.0 diff --git a/kubernetes/sdc/components/sdc-be/values.yaml b/kubernetes/sdc/components/sdc-be/values.yaml index 1277fc9176..fc3b53fc50 100644 --- a/kubernetes/sdc/components/sdc-be/values.yaml +++ b/kubernetes/sdc/components/sdc-be/values.yaml @@ -63,9 +63,9 @@ certInitializer: truststoreFile: "org.onap.sdc.trust.jks" permission_user: 352070 permission_group: 35953 - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # SDC Config part diff --git a/kubernetes/sdc/components/sdc-fe/values.yaml b/kubernetes/sdc/components/sdc-fe/values.yaml index dcebc475ad..dde22b5b55 100644 --- a/kubernetes/sdc/components/sdc-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-fe/values.yaml @@ -39,9 +39,9 @@ certInitializer: truststoreFile: "org.onap.sdc.trust.jks" permission_user: 352070 permission_group: 35953 - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml index eb85465855..7251006d38 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml @@ -93,7 +93,7 @@ spec: memory: 20Mi {{- end }} - name: volume-permissions - image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} + image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - sh diff --git a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml index ddff1d3f1a..f26a0208b9 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml @@ -51,9 +51,9 @@ certInitializer: truststoreFile: "org.onap.sdc.trust.jks" permission_user: 352070 permission_group: 35953 - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. diff --git a/kubernetes/sdc/components/sdc-wfd-be/values.yaml b/kubernetes/sdc/components/sdc-wfd-be/values.yaml index 0d75ae3c8b..d4414f1986 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/values.yaml @@ -50,9 +50,9 @@ certInitializer: truststoreFile: "org.onap.sdc.trust.jks" permission_user: 352070 permission_group: 35953 - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. diff --git a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml index 235931bd7d..3cc9b9542f 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml @@ -39,9 +39,9 @@ certInitializer: truststoreFile: "org.onap.sdc.trust.jks" permission_user: 352070 permission_group: 35953 - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. diff --git a/kubernetes/sdnc/templates/service.yaml b/kubernetes/sdnc/templates/service.yaml index e3be4bc46a..693ef41af6 100644 --- a/kubernetes/sdnc/templates/service.yaml +++ b/kubernetes/sdnc/templates/service.yaml @@ -174,3 +174,27 @@ spec: selector: statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-2 {{ end }} + +{{ if .Values.config.sdnr.netconfCallHome.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "common.servicename" . }}-callhome + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + type: NodePort + ports: + - name: "{{ .Values.service.portName }}-callhome" + port: {{ .Values.service.callHomePort }} + targetPort: {{ .Values.service.callHomePort }} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.callHomeNodePort }} + selector: + app.kubernetes.io/name: {{ include "common.name" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} +{{ end }} diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index 152337ee52..8a7259ba0d 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml +++ b/kubernetes/sdnc/templates/statefulset.yaml @@ -192,6 +192,9 @@ spec: - containerPort: {{ .Values.service.internalPort2 }} - containerPort: {{ .Values.service.internalPort3 }} - containerPort: {{ .Values.service.clusterPort }} + {{- if .Values.config.sdnr.netconfCallHome.enabled }} + - containerPort: {{ .Values.service.callHomePort }} + {{- end }} readinessProbe: tcpSocket: port: {{ .Values.service.internalPort }} @@ -305,6 +308,8 @@ spec: {{- end }} - name: ENABLE_OAUTH value: "{{ .Values.config.sdnr.oauth.enabled | default "false" }}" + - name: SDNR_NETCONF_CALLHOME_ENABLED + value: "{{ .Values.config.sdnr.netconfCallHome.enabled | default "false" }}" volumeMounts: {{ include "common.certInitializer.volumeMount" . | indent 10 }} {{ include "common.certServiceClient.volumeMounts" . | indent 10 }} diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index 43201fef4b..9f6118051b 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -323,6 +323,8 @@ config: sdnrdbTrustAllCerts: true mountpointRegistrarEnabled: false mountpointStateProviderEnabled: false + netconfCallHome: + enabled: true # # enable and set dmaap-proxy for mountpointRegistrar dmaapProxy: @@ -550,6 +552,9 @@ service: geoNodePort5: 65 geoNodePort6: 66 + callHomePort: 6666 + callHomeNodePort: 66 + ## Persist data to a persitent volume persistence: enabled: true diff --git a/kubernetes/vfc/values.yaml b/kubernetes/vfc/values.yaml index 19197c7f76..0560832a5f 100644 --- a/kubernetes/vfc/values.yaml +++ b/kubernetes/vfc/values.yaml @@ -55,6 +55,7 @@ mariadb-galera: disableNfsProvisioner: true serviceAccount: nameOverride: *vfc-mariadb + replicaCount: 1 db: &dbConfig mariadbService: vfc-mariadb @@ -100,4 +101,4 @@ vfc-workflow-engine: workflowPort: 10550 vfc-zte-vnfm-driver: - enabled: true
\ No newline at end of file + enabled: true |