diff options
15 files changed, 203 insertions, 12 deletions
diff --git a/kubernetes/Makefile b/kubernetes/Makefile index fc73dd40f9..08b028afe1 100644 --- a/kubernetes/Makefile +++ b/kubernetes/Makefile @@ -107,7 +107,7 @@ check-for-staging-images: helm-repo-update: ifeq "$(findstring v3,$(HELM_VER))" "v3" - @$(HELM_BIN) repo update $(HELM_REPO) + @$(HELM_BIN) repo update endif %: diff --git a/kubernetes/consul/charts/consul-server/templates/statefulset.yaml b/kubernetes/consul/charts/consul-server/templates/statefulset.yaml index d572ec2d54..430b6dd1bd 100644 --- a/kubernetes/consul/charts/consul-server/templates/statefulset.yaml +++ b/kubernetes/consul/charts/consul-server/templates/statefulset.yaml @@ -42,10 +42,8 @@ spec: containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" - command: - - sh + command: ["/usr/local/bin/docker-entrypoint.sh"] args: - - /usr/local/bin/docker-entrypoint.sh - "agent" - "-bootstrap-expect={{ .Values.replicaCount }}" - "-enable-script-checks" diff --git a/kubernetes/msb/charts/msb-consul/resources/docker-entrypoint.sh b/kubernetes/msb/charts/msb-consul/resources/docker-entrypoint.sh new file mode 100755 index 0000000000..0cd46167e4 --- /dev/null +++ b/kubernetes/msb/charts/msb-consul/resources/docker-entrypoint.sh @@ -0,0 +1,100 @@ +#!/usr/bin/dumb-init /bin/sh +set -e +set -x + +# Note above that we run dumb-init as PID 1 in order to reap zombie processes +# as well as forward signals to all processes in its session. Normally, sh +# wouldn't do either of these functions so we'd leak zombies as well as do +# unclean termination of all our sub-processes. +# As of docker 1.13, using docker run --init achieves the same outcome. + +# You can set CONSUL_BIND_INTERFACE to the name of the interface you'd like to +# bind to and this will look up the IP and pass the proper -bind= option along +# to Consul. +CONSUL_BIND= +if [ -n "$CONSUL_BIND_INTERFACE" ]; then + CONSUL_BIND_ADDRESS=$(ip -o -4 addr list $CONSUL_BIND_INTERFACE | head -n1 | awk '{print $4}' | cut -d/ -f1) + if [ -z "$CONSUL_BIND_ADDRESS" ]; then + echo "Could not find IP for interface '$CONSUL_BIND_INTERFACE', exiting" + exit 1 + fi + + CONSUL_BIND="-bind=$CONSUL_BIND_ADDRESS" + echo "==> Found address '$CONSUL_BIND_ADDRESS' for interface '$CONSUL_BIND_INTERFACE', setting bind option..." +fi + +# You can set CONSUL_CLIENT_INTERFACE to the name of the interface you'd like to +# bind client intefaces (HTTP, DNS, and RPC) to and this will look up the IP and +# pass the proper -client= option along to Consul. +CONSUL_CLIENT= +if [ -n "$CONSUL_CLIENT_INTERFACE" ]; then + CONSUL_CLIENT_ADDRESS=$(ip -o -4 addr list $CONSUL_CLIENT_INTERFACE | head -n1 | awk '{print $4}' | cut -d/ -f1) + if [ -z "$CONSUL_CLIENT_ADDRESS" ]; then + echo "Could not find IP for interface '$CONSUL_CLIENT_INTERFACE', exiting" + exit 1 + fi + + CONSUL_CLIENT="-client=$CONSUL_CLIENT_ADDRESS" + echo "==> Found address '$CONSUL_CLIENT_ADDRESS' for interface '$CONSUL_CLIENT_INTERFACE', setting client option..." +fi + +# CONSUL_DATA_DIR is exposed as a volume for possible persistent storage. The +# CONSUL_CONFIG_DIR isn't exposed as a volume but you can compose additional +# config files in there if you use this image as a base, or use CONSUL_LOCAL_CONFIG +# below. +CONSUL_DATA_DIR=/consul/data +CONSUL_CONFIG_DIR=/consul/config + +# You can also set the CONSUL_LOCAL_CONFIG environemnt variable to pass some +# Consul configuration JSON without having to bind any volumes. +if [ -n "$CONSUL_LOCAL_CONFIG" ]; then + echo "$CONSUL_LOCAL_CONFIG" > "$CONSUL_CONFIG_DIR/local.json" +fi + +# If the user is trying to run Consul directly with some arguments, then +# pass them to Consul. +if [ "${1:0:1}" = '-' ]; then + set -- consul "$@" +fi + +# Look for Consul subcommands. +if [ "$1" = 'agent' ]; then + shift + set -- consul agent \ + -data-dir="$CONSUL_DATA_DIR" \ + -config-dir="$CONSUL_CONFIG_DIR" \ + $CONSUL_BIND \ + $CONSUL_CLIENT \ + "$@" +elif [ "$1" = 'version' ]; then + # This needs a special case because there's no help output. + set -- consul "$@" +elif consul --help "$1" 2>&1 | grep -q "consul $1"; then + # We can't use the return code to check for the existence of a subcommand, so + # we have to use grep to look for a pattern in the help output. + set -- consul "$@" +fi + +# If we are running Consul, make sure it executes as the proper user. +if [ "$1" = 'consul' ]; then + # If the data or config dirs are bind mounted then chown them. + # Note: This checks for root ownership as that's the most common case. + if [ "$(stat -c %u /consul/data)" != "$(id -u consul)" ]; then + chown consul:consul /consul/data + fi + if [ "$(stat -c %u /consul/config)" != "$(id -u consul)" ]; then + chown consul:consul /consul/config + fi + + # If requested, set the capability to bind to privileged ports before + # we drop to the non-root user. Note that this doesn't work with all + # storage drivers (it won't work with AUFS). + if [ ! -z ${CONSUL_ALLOW_PRIVILEGED_PORTS+x} ]; then + setcap "cap_net_bind_service=+ep" /bin/consul + fi + +# Instead of using this we run our pod as a non-root user. +# set -- su-exec consul:consul "$@" +fi + +exec "$@" diff --git a/kubernetes/msb/charts/msb-consul/templates/configmap.yaml b/kubernetes/msb/charts/msb-consul/templates/configmap.yaml new file mode 100644 index 0000000000..32adcaec5f --- /dev/null +++ b/kubernetes/msb/charts/msb-consul/templates/configmap.yaml @@ -0,0 +1,27 @@ +{{/* +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-entrypoint + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} diff --git a/kubernetes/msb/charts/msb-consul/templates/deployment.yaml b/kubernetes/msb/charts/msb-consul/templates/deployment.yaml index 2639a8ed36..c7472cca72 100644 --- a/kubernetes/msb/charts/msb-consul/templates/deployment.yaml +++ b/kubernetes/msb/charts/msb-consul/templates/deployment.yaml @@ -41,6 +41,16 @@ spec: - name: {{ include "common.name" . }} image: "{{ .Values.global.dockerHubRepository | default .Values.dockerHubRepository }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + command: + - docker-entrypoint.sh + args: + - "agent" + - "-dev" + - "-client" + - "0.0.0.0" ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger @@ -62,6 +72,9 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true + - mountPath: /usr/local/bin/docker-entrypoint.sh + name: entrypoint + subPath: docker-entrypoint.sh resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -76,5 +89,9 @@ spec: - name: localtime hostPath: path: /etc/localtime + - name: entrypoint + configMap: + name: {{ include "common.fullname" . }}-entrypoint + defaultMode: 0777 imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/msb/charts/msb-consul/values.yaml b/kubernetes/msb/charts/msb-consul/values.yaml index d11649754f..49c51d1e39 100644 --- a/kubernetes/msb/charts/msb-consul/values.yaml +++ b/kubernetes/msb/charts/msb-consul/values.yaml @@ -83,3 +83,8 @@ resources: cpu: 20m memory: 100Mi unlimited: {} + +securityContext: + fsGroup: 1000 + runAsUser: 100 + runAsGroup: 1000 diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index 9473a6abcb..5baa804792 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -146,6 +146,11 @@ global: truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks" truststorePassword: "secret" + # Indicates offline deployment build + # Set to true if you are rendering helm charts for offline deployment + # Otherwise keep it disabled + offlineDeploymentBuild: false + # TLS # Set to false if you want to disable TLS for NodePorts. Be aware that this # will loosen your security. diff --git a/kubernetes/platform/components/oom-cert-service/Makefile b/kubernetes/platform/components/oom-cert-service/Makefile index c4723dfdd1..736a19fbd4 100644 --- a/kubernetes/platform/components/oom-cert-service/Makefile +++ b/kubernetes/platform/components/oom-cert-service/Makefile @@ -27,7 +27,12 @@ all: start_docker \ # Starts docker container for generating certificates - deletes first, if already running start_docker: @make stop_docker - docker run -d --rm --name ${DOCKER_CONTAINER} --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs docker.io/openjdk:11-jre-slim tail -f /dev/null + $(eval REPOSITORY := $(shell cat ./values.yaml | grep -i "^[ \t]*repository" -m1 | xargs | cut -d ' ' -f2)) + $(eval JAVA_IMAGE := $(shell cat ./values.yaml | grep -i "^[ \t]*certificateGenerationImage" -m1 | xargs | cut -d ' ' -f2)) + $(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE)) + $(eval USERNAME :=$(shell id -u)) + $(eval GROUP :=$(shell id -g)) + docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/app -w /app --entrypoint "sh" -td $(FULL_JAVA_IMAGE) # Stops docker container for generating certificates. 'true' is used to return 0 status code, if container is already deleted stop_docker: @@ -89,7 +94,7 @@ client_sign_certificate_by_root: #Import root certificate into client client_import_root_certificate: @echo "Import root certificate into intermediate" - ${DOCKER_EXEC} bash -c "cat root.crt >> certServiceClientByRoot.crt" + ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceClientByRoot.crt" @echo "####done####" #Import signed certificate into certService's client @@ -124,7 +129,7 @@ server_sign_certificate_by_root: #Import root certificate into server server_import_root_certificate: @echo "Import root certificate into intermediate(server)" - ${DOCKER_EXEC} bash -c "cat root.crt >> certServiceServerByRoot.crt" + ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceServerByRoot.crt" @echo "####done####" #Import signed certificate into certService diff --git a/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml new file mode 100644 index 0000000000..ba12874eb6 --- /dev/null +++ b/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml @@ -0,0 +1,31 @@ +{{/* + # Copyright © 2020, Nokia + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} + +{{- if .Values.global.offlineDeploymentBuild }} +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + containers: + - name: {{ include "common.name" . }} + image: {{ include "common.repository" . }}/{{ .Values.certificateGenerationImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} +{{ end -}} diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index 3ab9895037..bcb2544ce5 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -34,6 +34,7 @@ global: # Standard OOM pullPolicy: "Always" repository: "nexus3.onap.org:10001" + offlineDeploymentBuild: false # Service configuration @@ -44,6 +45,8 @@ service: port: 8443 port_protocol: http +# Certificates generation configuration +certificateGenerationImage: onap/integration-java11:7.1.0 # Deployment configuration repository: nexus3.onap.org:10001 diff --git a/kubernetes/sdnc/components/dmaap-listener/values.yaml b/kubernetes/sdnc/components/dmaap-listener/values.yaml index dfc1c53ebd..0f3f18b6b2 100644 --- a/kubernetes/sdnc/components/dmaap-listener/values.yaml +++ b/kubernetes/sdnc/components/dmaap-listener/values.yaml @@ -55,7 +55,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdnc-dmaap-listener-image:2.0.3 +image: onap/sdnc-dmaap-listener-image:2.0.4 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml index a674f78b4b..080ae9c15f 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml @@ -55,7 +55,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdnc-ansible-server-image:2.0.3 +image: onap/sdnc-ansible-server-image:2.0.4 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/components/sdnc-web/values.yaml b/kubernetes/sdnc/components/sdnc-web/values.yaml index 7319e2272f..136379a7a2 100644 --- a/kubernetes/sdnc/components/sdnc-web/values.yaml +++ b/kubernetes/sdnc/components/sdnc-web/values.yaml @@ -27,7 +27,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: "onap/sdnc-web-image:2.0.3" +image: "onap/sdnc-web-image:2.0.4" pullPolicy: Always config: diff --git a/kubernetes/sdnc/components/ueb-listener/values.yaml b/kubernetes/sdnc/components/ueb-listener/values.yaml index 33dbb792f9..2b0da14424 100644 --- a/kubernetes/sdnc/components/ueb-listener/values.yaml +++ b/kubernetes/sdnc/components/ueb-listener/values.yaml @@ -61,7 +61,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdnc-ueb-listener-image:2.0.3 +image: onap/sdnc-ueb-listener-image:2.0.4 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index 77b4a0e274..7f6312fd5d 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -136,7 +136,7 @@ secrets: repository: nexus3.onap.org:10001 pullPolicy: Always -image: onap/sdnc-image:2.0.3 +image: onap/sdnc-image:2.0.4 busyboxRepository: docker.io busyboxImage: busybox:1.30 |