111 files changed, 2201 insertions, 184 deletions
diff --git a/docs/release-notes-honolulu.rst b/docs/release-notes-honolulu.rst new file mode 100644 index 0000000000..0c8d81f164 --- /dev/null +++ b/docs/release-notes-honolulu.rst 
@@ -0,0 +1,162 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_honolulu: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Guilin <release_notes_guilin>` +- :ref:`Frankfurt <release_notes_frankfurt>` +- :ref:`El Alto <release_notes_elalto>` +- :ref:`Dublin <release_notes_dublin>` +- :ref:`Casablanca <release_notes_casablanca>` +- :ref:`Beijing <release_notes_beijing>` +- :ref:`Amsterdam <release_notes_amsterdam>` + +Abstract +======== + +This document provides the release notes for the Honolulu release. + +Summary +======= + +The focus of this release is to strengthen the foundation of OOM installer. + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Honolulu | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2021/04/29 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Kubernetes support for version up to 1.20 +* Helm support for version up to 3.5 +* Limits are set for most of the components +* Portal-Cassandra image updated to Bitnami, supporting IPv4/IPv6 Dual Stack +* CMPv2 external issuer implemented which extends Cert-Manager with ability to + enroll X.509 certificates from CMPv2 servers +* New version for mariadb galera using Bitnami image, supporting IPv4/IPv6 Dual + Stack +* Bump version of common PostgreSQL and 
ElasticSearch +* Move to automatic certificates retrieval for 80% of the components +* Consistent retrieval of docker images, with ability to configure proxy for + the 4 repositories used by ONAP + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/11073 + +major issues solved: + +* Better handling of persistence on PostgreSQL +* Better Ingress templating +* Better Service templating + +**Known Issues** + +- `OOM-2554 <https://jira.onap.org/browse/OOM-2554>`_ Common pods have java 8 +- `OOM-2435 <https://jira.onap.org/browse/OOM-2435>`_ SDNC karaf shell: + log:list: Error executing command: Unrecognized configuration +- `OOM-2629 <https://jira.onap.org/browse/OOM-2629>`_ NetBox demo entry setup + not complete +- `OOM-2706 <https://jira.onap.org/browse/OOM-2706>`_ CDS Blueprint Processor + does not work with local DB +- `OOM-2713 <https://jira.onap.org/browse/OOM-2713>`_ Problem on onboarding + custom cert to SDNC ONAP during deployment +- `OOM-2698 <https://jira.onap.org/browse/OOM-2698>`_ SO helm override fails in + for value with multi-level replacement +- `OOM-2697 <https://jira.onap.org/browse/OOM-2697>`_ SO with local MariaDB + deployment fails +- `OOM-2538 <https://jira.onap.org/browse/OOM-2538>`_ strange error with + CertInitializer template +- `OOM-2547 <https://jira.onap.org/browse/OOM-2547>`_ Health Check failures + seen after bringing down/up control plane & worker node VM instances on which + ONAP hosted +- `OOM-2699 <https://jira.onap.org/browse/OOM-2699>`_ SO so-mariadb + readinessCheck fails for local MariaDB instance +- `OOM-2705 <https://jira.onap.org/browse/OOM-2705>`_ SDNC DB installation fails + on local MariaDB instance +- `OOM-2603 <https://jira.onap.org/browse/OOM-2603>`_ [SDNC] allign password for + scaleoutUser/restconfUser/odlUser + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts <https://git.onap.org/oom/>`_ 
that needs to be +"compiled" into Helm package. see step 6 in +:doc:`quickstart guide <oom_quickstart_guide>`. + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :doc:`Project Description <oom_project_description>` +- :doc:`Cloud Setup Guide <oom_cloud_setup_guide>` +- :doc:`Quick Start Guide <oom_quickstart_guide>` +- :doc:`Setup Ingress Controller <oom_setup_ingress_controller>` +- :doc:`Developer Guide <oom_developer_guide>` +- :doc:`Hardcoded Certificates <oom_hardcoded_certificates>` + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + +- Hard coded password used for all OOM deployments + [`OJSI-188 <https://jira.onap.org/browse/OJSI-188>`_] +- :doc:`Hard coded certificates <oom_hardcoded_certificates>` in Helm packages + +Workarounds +----------- + +- `<https://github.com/bitnami/bitnami-docker-mariadb-galera/issues/35>`_ + Workaround is to generate a password with "short" strenght or pregenerate + passwords without single quote in it. Default deployment is using "short" + password generation for mariadb. + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Frankfurt release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/release-notes.rst b/docs/release-notes.rst index ae0ea457f5..730acd5eea 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst 
@@ -11,6 +11,7 @@ ONAP Operations Manager Release Notes Previous Release Notes ====================== +- :ref:`Honolulu <release_notes_honolulu>` - :ref:`Guilin <release_notes_guilin>` - :ref:`Frankfurt <release_notes_frankfurt>` - :ref:`El Alto <release_notes_elalto>` @@ -22,12 +23,12 @@ Previous Release Notes Abstract ======== -This document provides the release notes for the Honolulu release. +This document provides the release notes for the Istanbul release. Summary ======= -The focus of this release is to strengthen the foundation of OOM installer. + Release Data ============ 
@@ -39,66 +40,25 @@ Release Data | **Docker images** | N/A | | | | +--------------------------------------+--------------------------------------+ -| **Release designation** | Honolulu | +| **Release designation** | Istanbul | | | | +--------------------------------------+--------------------------------------+ -| **Release date** | 2021/04/29 | +| **Release date** | | | | | +--------------------------------------+--------------------------------------+ New features ------------ -* Kubernetes support for version up to 1.20 -* Helm support for version up to 3.5 -* Limits are set for most of the components -* Portal-Cassandra image updated to Bitnami, supporting IPv4/IPv6 Dual Stack -* CMPv2 external issuer implemented which extends Cert-Manager with ability to - enroll X.509 certificates from CMPv2 servers -* New version for mariadb galera using Bitnami image, supporting IPv4/IPv6 Dual - Stack -* Bump version of common PostgreSQL and ElasticSearch -* Move to automatic certificates retrieval for 80% of the components -* Consistent retrieval of docker images, with ability to configure proxy for - the 4 repositories used by ONAP **Bug fixes** A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/11073 - -major issues solved: +https://jira.onap.org/projects/OOM/versions/11074 -* Better handling of persistence on PostgreSQL -* Better Ingress templating -* Better Service templating **Known Issues** -- `OOM-2554 <https://jira.onap.org/browse/OOM-2554>`_ Common pods have java 8 -- `OOM-2435 <https://jira.onap.org/browse/OOM-2435>`_ SDNC karaf shell: - log:list: Error executing command: Unrecognized configuration -- `OOM-2629 <https://jira.onap.org/browse/OOM-2629>`_ NetBox demo entry setup - not complete -- `OOM-2706 <https://jira.onap.org/browse/OOM-2706>`_ CDS Blueprint Processor - does not work with local DB -- `OOM-2713 <https://jira.onap.org/browse/OOM-2713>`_ Problem on onboarding - custom cert to SDNC ONAP during 
deployment -- `OOM-2698 <https://jira.onap.org/browse/OOM-2698>`_ SO helm override fails in - for value with multi-level replacement -- `OOM-2697 <https://jira.onap.org/browse/OOM-2697>`_ SO with local MariaDB - deployment fails -- `OOM-2538 <https://jira.onap.org/browse/OOM-2538>`_ strange error with - CertInitializer template -- `OOM-2547 <https://jira.onap.org/browse/OOM-2547>`_ Health Check failures - seen after bringing down/up control plane & worker node VM instances on which - ONAP hosted -- `OOM-2699 <https://jira.onap.org/browse/OOM-2699>`_ SO so-mariadb - readinessCheck fails for local MariaDB instance -- `OOM-2705 <https://jira.onap.org/browse/OOM-2705>`_ SDNC DB installation fails - on local MariaDB instance -- `OOM-2603 <https://jira.onap.org/browse/OOM-2603>`_ [SDNC] allign password for - scaleoutUser/restconfUser/odlUser Deliverables ------------ 
@@ -126,17 +86,25 @@ Known Limitations, Issues and Workarounds Known Vulnerabilities --------------------- -- Hard coded password used for all OOM deployments - [`OJSI-188 <https://jira.onap.org/browse/OJSI-188>`_] -- :doc:`Hard coded certificates <oom_hardcoded_certificates>` in Helm packages Workarounds ----------- -- `<https://github.com/bitnami/bitnami-docker-mariadb-galera/issues/35>`_ - Workaround is to generate a password with "short" strenght or pregenerate - passwords without single quote in it. Default deployment is using "short" - password generation for mariadb. +- `OOM-2754 <https://jira.onap.org/browse/OOM-2754>`_ + Because of *updateEndpoint* property added to *cmpv2issuer* CRD + it is impossible to upgrade platform component from Honolulu to Istanbul + release without manual steps. Actions that should be performed: + + #. Update the CRD definition:: + + > kubectl -n onap apply -f cmpv2-cert-provider/crds/cmpv2issuer.yaml + #. Upgrade the component + #. Make sure that *cmpv2issuer* contains correct value for + *spec.updateEndpoint*. The value should be: *v1/certificate-update*. + If it's not, edit the resource:: + + > kubectl -n onap edit cmpv2issuer cmpv2-issuer-onap + Security Notes -------------- @@ -146,7 +114,7 @@ Security Notes References ========== -For more information on the ONAP Frankfurt release, please see: +For more information on the ONAP Istanbul release, please see: #. `ONAP Home Page`_ #. `ONAP Documentation`_ diff --git a/kubernetes/aai/components/aai-babel/resources/config/application.properties b/kubernetes/aai/components/aai-babel/resources/config/application.properties new file mode 100644 index 0000000000..21ed6cd9ee --- /dev/null +++ b/kubernetes/aai/components/aai-babel/resources/config/application.properties 
@@ -0,0 +1,14 @@ +server.port=9516 +{{ if ( include "common.needTLS" .) }} +server.ssl.key-store=${CONFIG_HOME}/auth/tomcat_keystore +server.ssl.client-auth=need +{{ else }} +security.require-ssl=false +server.ssl.enabled=false +{{ end }} + +server.servlet.context-path=/services/babel-service + +logging.config=${CONFIG_HOME}/logback.xml + +tosca.mappings.config=${CONFIG_HOME}/tosca-mappings.json diff --git a/kubernetes/aai/components/aai-babel/templates/service.yaml b/kubernetes/aai/components/aai-babel/templates/service.yaml index db54ce14f2..87a29db457 100644 --- a/kubernetes/aai/components/aai-babel/templates/service.yaml +++ b/kubernetes/aai/components/aai-babel/templates/service.yaml @@ -32,11 +32,11 @@ spec: {{- if eq .Values.service.type "NodePort" }} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} {{- else }} - port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} {{- end }} selector: diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml index 4a2246793e..74c79ec05e 100644 --- a/kubernetes/aai/components/aai-babel/values.yaml +++ b/kubernetes/aai/components/aai-babel/values.yaml @@ -55,7 +55,7 @@ readiness: service: type: NodePort - portName: babel + portName: http externalPort: 9516 internalPort: 9516 nodePort: 79 diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties index e62ba07bfd..512e906b00 100644 
--- a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties @@ -24,20 +24,28 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten +{{ if ( include "common.needTLS" .) }} aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ +{{ else }} +aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ +aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ +aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ +{{ end }} -{{ if .Values.global.config.basic.auth.enabled }} +{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} +{{ if ( include "common.needTLS" .) }} aai.truststore.filename={{ .Values.global.config.truststore.filename }} aai.truststore.passwd.x={{ .Values.global.config.truststore.passwd }} aai.keystore.filename={{ .Values.global.config.keystore.filename }} aai.keystore.passwd.x={{ .Values.global.config.keystore.passwd }} +{{ end }} aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties index 8cefebc825..367e9038cd 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties 
+++ b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties @@ -33,7 +33,7 @@ server.servlet.context-path=/ spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration -spring.profiles.active={{ .Values.config.profiles.active }} +spring.profiles.active={{ .Values.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 @@ -48,6 +48,7 @@ server.local.startpath=aai-graphadmin/src/main/resources/ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8449 +{{ if ( include "common.needTLS" .) }} server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 server.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }} server.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }}) @@ -55,11 +56,15 @@ server.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.conf server.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }}) server.ssl.client-auth=want server.ssl.key-store-type=JKS +{{ else }} +security.require-ssl=false +server.ssl.enabled=false +{{ end }} # JMS bind address host port jms.bind.address=tcp://localhost:61649 -dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:3905 -dmaap.ribbon.transportType=https +dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} +dmaap.ribbon.transportType={{ include "common.scheme" . }} # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema 
@@ -91,23 +96,28 @@ schema.version.edge.label.start={{ .Values.global.config.schema.version.edge.lab schema.version.api.default={{ .Values.global.config.schema.version.api.default }} schema.translator.list={{ .Values.global.config.schema.translator.list }} -schema.service.base.url=https://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ +schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions -schema.service.client={{ .Values.global.config.schema.service.client }} +schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +{{ if ( include "common.needTLS" .) }} schema.service.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }} schema.service.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.truststore.filename }} schema.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }}) schema.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }}) +{{ end }} aperture.rdbmsname=aai_relational -aperture.service.client={{ .Values.global.config.schema.service.client }} +aperture.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} + aperture.service.base.url=http://localhost:8457/aai/aperture +{{ if ( include "common.needTLS" .) 
}} aperture.service.ssl.key-store=${server.local.startpath}etc/auth/{{ .Values.global.config.keystore.filename }} aperture.service.ssl.trust-store=${server.local.startpath}etc/auth/{{ .Values.global.config.truststore.filename }} aperture.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }}) aperture.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }}) +{{ end }} aperture.service.timeout-in-milliseconds=300000 diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml index 45e4802ede..610290061f 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml @@ -210,4 +210,4 @@ spec: {{ end }} restartPolicy: {{ .Values.restartPolicy }} imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + - name: {{ include "common.namespace" . }}-docker-registry-key diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml index 154ad30c1a..0cdce11395 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml @@ -80,8 +80,10 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /bin/bash - - docker-entrypoint.sh - - dataSnapshot.sh + - -c + - | + bash docker-entrypoint.sh dataSnapshot.sh ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml index 79144680b4..7c078e9236 100644 
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml @@ -80,8 +80,10 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /bin/bash - - docker-entrypoint.sh - - createDBSchema.sh + - -c + - | + bash docker-entrypoint.sh createDBSchema.sh ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} @@ -149,5 +151,5 @@ spec: {{ end }} restartPolicy: Never imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + - name: {{ include "common.namespace" . }}-docker-registry-key {{ end }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml index 4b100dd97b..9b4be4e4c7 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml @@ -130,7 +130,9 @@ spec: command: - /bin/bash - -c - - bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges + - | + bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} @@ -248,8 +250,10 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /bin/bash - - docker-entrypoint.sh - - dataSnapshot.sh + - -c + - | + bash docker-entrypoint.sh dataSnapshot.sh ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} 
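Review bot: in the job-copy-db-backup, job-create-db and job-migration hunks the container command becomes `bash docker-entrypoint.sh dataSnapshot.sh ;` (or createDBSchema.sh / run_Migrations.sh) followed by whatever `common.serviceMesh.killSidecar` expands to, so the container's exit status is now that of the sidecar-kill command and a failure of the snapshot, schema creation or migration no longer fails the Job (the context shows `restartPolicy: Never`, so nothing retries it either). Capture the status before the kill, e.g. `bash docker-entrypoint.sh createDBSchema.sh; rc=$?`, run the sidecar kill, then `exit $rc`, so a failed DB step is still surfaced to Kubernetes and to whatever waits on the Job.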
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml index 2f7aaa960d..85165e2dc4 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml @@ -35,17 +35,16 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} {{- end}} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} - clusterIP: None diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml index c29004e837..89c4b024d6 100644 --- a/kubernetes/aai/components/aai-graphadmin/values.yaml +++ b/kubernetes/aai/components/aai-graphadmin/values.yaml @@ -61,6 +61,7 @@ global: # global defaults # Schema specific properties that include supported versions of api schema: # Specifies if the connection should be one way ssl, two way ssl or no auth + # will be set to no-auth if tls is disabled service: client: one-way-ssl # Specifies which translator to use if it has schema-service, then it will 
@@ -139,7 +140,9 @@ config: # Specify the profiles for the graphadmin microservice profiles: - active: "dmaap,one-way-ssl" + # one way ssl profile will be set unless tlsEnabled is set to false or serviceMesh is enabled and + # serviceMesh.tls is set to tru + active: dmaap #,one-way-ssl" # Specifies the timeout limit for the REST API requests timeout: @@ -208,9 +211,9 @@ readiness: service: type: ClusterIP # REST API port for the graphadmin microservice - portName: aai-graphadmin-8449 + portName: http internalPort: 8449 - portName2: aai-graphadmin-5005 + portName2: tcp-5005 internalPort2: 5005 terminationGracePeriodSeconds: 120 diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties index 772fa0da1b..41b855490a 100644 --- a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties +++ b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties 
@@ -16,13 +16,19 @@ # Model Loader Distribution Client Configuration */}} ml.distribution.ACTIVE_SERVER_TLS_AUTH=false +{{ if ( include "common.needTLS" .) }} ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8443 -ml.distribution.CONSUMER_GROUP=aai-ml-group -ml.distribution.CONSUMER_ID=aai-ml -ml.distribution.ENVIRONMENT_NAME=AUTO +ml.distribution.ASDC_USE_HTTPS=true ml.distribution.KEYSTORE_PASSWORD= ml.distribution.KEYSTORE_FILE=asdc-client.jks ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp +{{ else }} +ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8080 +ml.distribution.ASDC_USE_HTTPS=false +{{ end }} +ml.distribution.CONSUMER_GROUP=aai-ml-group +ml.distribution.CONSUMER_ID=aai-ml +ml.distribution.ENVIRONMENT_NAME=AUTO ml.distribution.POLLING_INTERVAL=30 ml.distribution.POLLING_TIMEOUT=20 ml.distribution.USER=aai 
@@ -30,19 +36,26 @@ ml.distribution.ARTIFACT_TYPES=MODEL_QUERY_SPEC,TOSCA_CSAR ml.distribution.MSG_BUS_ADDRESSES=message-router.{{.Release.Namespace}} # Model Loader AAI REST Client Configuration +{{ if ( include "common.needTLS" .) }} ml.aai.BASE_URL=https://aai.{{.Release.Namespace}}:8443 +ml.aai.KEYSTORE_FILE=aai-os-cert.p12 +ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o +{{ else }} +ml.aai.BASE_URL=http://aai.{{.Release.Namespace}}:8080 +{{ end }} ml.aai.MODEL_URL=/aai/v*/service-design-and-creation/models/model/ ml.aai.NAMED_QUERY_URL=/aai/v*/service-design-and-creation/named-queries/named-query/ ml.aai.VNF_IMAGE_URL=/aai/v*/service-design-and-creation/vnf-images -ml.aai.KEYSTORE_FILE=aai-os-cert.p12 -ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o + ml.aai.AUTH_USER=ModelLoader ml.aai.AUTH_PASSWORD=OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw # Model Loader Babel REST Client Configuration\r -ml.babel.BASE_URL=https://aai-babel.{{.Release.Namespace}}:9516 +ml.babel.BASE_URL={{ include "common.scheme" . }}://aai-babel.{{.Release.Namespace}}:9516 ml.babel.GENERATE_ARTIFACTS_URL=/services/babel-service/v1/app/generateArtifacts +{{ if ( include "common.needTLS" .) }} ml.babel.KEYSTORE_FILE=babel-client-cert.p12 ml.babel.KEYSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 ml.babel.TRUSTSTORE_FILE=tomcat_keystore ml.babel.TRUSTSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 +{{ end }} diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml index 5da0e5736f..c0806fea0d 100644 --- a/kubernetes/aai/components/aai-modelloader/values.yaml +++ b/kubernetes/aai/components/aai-modelloader/values.yaml 
@@ -50,11 +50,11 @@ readiness: service: type: NodePort - portName: aai-modelloader + portName: http externalPort: 8080 internalPort: 8080 nodePort: 10 - portName2: aai-modelloader-ssl + portName2: https externalPort2: 8443 internalPort2: 8443 nodePort2: 29 diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties index 0d51326f3b..2e6fd25c2b 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties @@ -38,9 +38,15 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten +{{ if ( include "common.needTLS" .) }} aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ +{{ else }} +aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ +aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ +aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ +{{ end }} {{ if .Values.global.config.basic.auth.enabled }} aai.tools.enableBasicAuth=true 
@@ -48,10 +54,12 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} +{{ if ( include "common.needTLS" .) }} aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 aai.keystore.passwd.x=${KEYSTORE_PASSWORD} +{{ end }} aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED diff --git a/kubernetes/aai/components/aai-resources/resources/config/application.properties b/kubernetes/aai/components/aai-resources/resources/config/application.properties index 70ebd3ac54..2891e0385f 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/application.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/application.properties @@ -28,8 +28,7 @@ spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/ spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration - -spring.profiles.active={{ .Values.global.config.profiles.active }} +spring.profiles.active={{ .Values.global.config.profiles.active }}{{ .Values.global.aafEnabled | ternary ",aaf-auth" "" }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 
@@ -44,6 +43,7 @@ server.local.startpath=aai-resources/src/main/resources/ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8447 +{{ if ( include "common.needTLS" .) }} server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 server.ssl.key-store-password=${KEYSTORE_PASSWORD} @@ -51,11 +51,15 @@ server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certIn server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} server.ssl.client-auth=want server.ssl.key-store-type=JKS +{{ else }} +security.require-ssl=false +server.ssl.enabled=false +{{ end }} # JMS bind address host port jms.bind.address=tcp://localhost:61647 -dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:3905 -dmaap.ribbon.transportType=https +dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} +dmaap.ribbon.transportType={{ include "common.scheme" . }} # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema 
@@ -87,13 +91,15 @@ schema.version.edge.label.start={{ .Values.global.config.schema.version.edge.lab schema.version.api.default={{ .Values.global.config.schema.version.api.default }} schema.translator.list={{ .Values.global.config.schema.translator.list }} -schema.service.base.url=https://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ +schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions -schema.service.client={{ .Values.global.config.schema.service.client }} +schema.service.client={{ (eq "true" ( include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +{{ if ( include "common.needTLS" .) }} schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD} schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} +{{ end }} diff --git a/kubernetes/aai/components/aai-resources/templates/service.yaml b/kubernetes/aai/components/aai-resources/templates/service.yaml index e4f84a963d..46118461d1 100644 --- a/kubernetes/aai/components/aai-resources/templates/service.yaml +++ b/kubernetes/aai/components/aai-resources/templates/service.yaml 
@@ -30,13 +30,13 @@ spec: {{ if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} {{- end }} diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml index 2ec78c57c4..e244e76753 100644 --- a/kubernetes/aai/components/aai-resources/values.yaml +++ b/kubernetes/aai/components/aai-resources/values.yaml @@ -33,6 +33,8 @@ global: # global defaults migration: enabled: false + aafEnabled: false + config: # Specifies that the cluster connected to a dynamic # cluster being spinned up by kubernetes deployment @@ -49,7 +51,8 @@ global: # global defaults # Active spring profiles for the resources microservice profiles: - active: production,dmaap,aaf-auth #,keycloak + # aaf-auth profile will be automatically set if aaf enabled is set to true + active: production,dmaap #,aaf-auth # Notification event specific properties notification: @@ -224,9 +227,9 @@ readiness: service: type: ClusterIP - portName: aai-resources-8447 + portName: http internalPort: 8447 - portName2: aai-resources-5005 + portName2: tcp-5005 internalPort2: 5005 terminationGracePeriodSeconds: 120 
diff --git a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties index b107cd4f3a..b0ed0e89a0 100644 --- a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties @@ -19,20 +19,28 @@ # ============LICENSE_END========================================================= */}} +{{ if ( include "common.needTLS" .) }} aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ +{{ else }} +aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ +aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ +aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ +{{ end }} -{{ if .Values.global.config.basic.auth.enabled }} +{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} +{{ if ( include "common.needTLS" .) }} aai.truststore.filename={{ .Values.global.config.truststore.filename }} aai.truststore.passwd.x={{ .Values.global.config.truststore.passwd }} aai.keystore.filename={{ .Values.global.config.keystore.filename }} aai.keystore.passwd.x={{ .Values.global.config.keystore.passwd }} +{{ end }} aai.default.api.version={{ .Values.global.config.schema.version.api.default }} 
diff --git a/kubernetes/aai/components/aai-schema-service/config/application.properties b/kubernetes/aai/components/aai-schema-service/config/application.properties index 499fa96cd5..ad700dce6e 100644 --- a/kubernetes/aai/components/aai-schema-service/config/application.properties +++ b/kubernetes/aai/components/aai-schema-service/config/application.properties @@ -37,6 +37,7 @@ server.local.startpath=aai-schema-service/src/main/resources/ server.basic.auth.location=${server.local.startpath}/etc/auth/realm.properties server.port=8452 +{{ if ( include "common.needTLS" .) }} server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 server.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }} server.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }}) @@ -44,6 +45,10 @@ server.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.conf server.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }}) server.ssl.client-auth=want server.ssl.key-store-type=JKS +{{ else }} +security.require-ssl=false +server.ssl.enabled=false +{{ end }} schema.configuration.location=N/A schema.source.name={{ .Values.global.config.schema.source.name }} diff --git a/kubernetes/aai/components/aai-schema-service/templates/service.yaml b/kubernetes/aai/components/aai-schema-service/templates/service.yaml index 66dfd493dd..b54b6be644 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/service.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/service.yaml 
@@ -30,17 +30,16 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} - {{- end}} + {{- end }} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} - clusterIP: None diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml index e7479b8818..8a7d17f8dc 100644 --- a/kubernetes/aai/components/aai-schema-service/values.yaml +++ b/kubernetes/aai/components/aai-schema-service/values.yaml @@ -99,9 +99,9 @@ readiness: service: type: ClusterIP - portName: aai-schema-service-8452 + portName: http internalPort: 8452 - portName2: aai-schema-service-5005 + portName2: tcp-5005 internalPort2: 5005 ingress: diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties index fe8bd16fa1..ee1341751f 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties 
@@ -18,12 +18,15 @@ oxm.schemaNodeDir=/opt/app/sparky/onap/oxm #schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config oxm.schemaServiceTranslatorList=config # The end point for onap is https://<hostname>:<port>/onap/schema-service/v1/ +{{ if ( include "common.needTLS" .) }} oxm.schemaServiceBaseUrl=https://<schema-service/config>/aai/schema-service/v1/ oxm.schemaServiceKeystore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 oxm.schemaServiceTruststore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks oxm.schemaServiceKeystorePassword=${KEYSTORE_PASSWORD} oxm.schemaServiceTruststorePassword=${TRUSTSTORE_PASSWORD} - +{{ else }} +oxm.schemaServiceBaseUrl=http://<schema-service/config>/aai/schema-service/v1/ +{{ end }} # Schema Service need this variable for the time being diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties index 3c6bd4e1ad..8bd4494a2b 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties @@ -15,6 +15,7 @@ */}} resources.hostname=aai +{{ if ( include "common.needTLS" .) }} resources.port=8443 resources.authType=SSL_BASIC resources.basicAuthUserName=aai@aai.onap.org 
@@ -23,3 +24,7 @@ resources.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certIni resources.trust-store-password=${TRUSTSTORE_PASSWORD} resources.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 resources.client-cert-password=${KEYSTORE_PASSWORD} +{{ else }} +resources.port=8080 +resources.authType=HTTP_NOAUTH +{{ end }} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties index 2e2351ad95..422e7ce150 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties @@ -13,8 +13,13 @@ # limitations under the License. server.port=8000 +{{ if ( include "common.needTLS" .) }} server.ssl.key-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 server.ssl.key-store-password=${KEYSTORE_PASSWORD} server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 server.ssl.trust-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} +{{ else }} +security.require-ssl=false +server.ssl.enabled=false +{{ end }} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties index 120f8ac114..90cb00069e 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties 
@@ -22,14 +22,16 @@ spring.mvc.favicon.enabled=false # and in the values.yaml change the internalPort to 9517 # -spring.profiles.active=camel,ssl,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy +spring.profiles.active=camel,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy,{{ ( eq "true" ( include "common.needTLS" .)) | ternary "ssl" "http" }} portal.cadiFileLocation={{.Values.config.cadiFileLocation}} searchservice.hostname={{.Values.global.searchData.serviceName}} searchservice.port=9509 +{{ if ( include "common.needTLS" .) }} searchservice.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 searchservice.client-cert-password=${KEYSTORE_PASSWORD} searchservice.truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks searchservice.truststore-password=${TRUSTSTORE_PASSWORD} +{{ end }} schema.ingest.file=${CONFIG_HOME}/schemaIngest.properties diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml index 7d0dfe39e2..7c09dcd228 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml @@ -39,6 +39,7 @@ spec: name: {{ include "common.name" . }} spec: initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + {{- if ( include "common.needTLS" .) }} - command: - sh args: @@ -66,6 +67,7 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config + {{- end }} - command: - /app/ready.py args: diff --git a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml index 4633472a3b..457b3576a0 100644 
--- a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml @@ -30,11 +30,11 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} + name: {{ .Values.service.portName }}{{ ternary "s" "" (eq "true" (include "common.needTLS" .)) }} + {{- end }} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml index 420517f8f0..342df7a5d5 100644 --- a/kubernetes/aai/components/aai-sparky-be/values.yaml +++ b/kubernetes/aai/components/aai-sparky-be/values.yaml @@ -113,7 +113,7 @@ readiness: service: type: NodePort - portName: aai-sparky-be + portName: http internalPort: 8000 nodePort: 20 diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties index 843a90bbcd..b8a2b5fe03 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties 
@@ -28,20 +28,28 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten +{{ if ( include "common.needTLS" .) }} aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ +{{else}} +aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ +aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ +aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ +{{ end }} -{{ if .Values.global.config.basic.auth.enabled }} +{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} +{{ if ( include "common.needTLS" .) }} aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 aai.keystore.passwd.x=${KEYSTORE_PASSWORD} +{{ end }} aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED diff --git a/kubernetes/aai/components/aai-traversal/resources/config/application.properties b/kubernetes/aai/components/aai-traversal/resources/config/application.properties index a5e92c5a61..54bb1c4afd 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/application.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/application.properties 
@@ -29,7 +29,7 @@ server.servlet.context-path=/ spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration -spring.profiles.active={{ .Values.global.config.profiles.active }} +spring.profiles.active={{ .Values.global.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 @@ -44,6 +44,7 @@ server.local.startpath=aai-traversal/src/main/resources/ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8446 +{{ if ( include "common.needTLS" .) }} server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 server.ssl.key-store-password=${KEYSTORE_PASSWORD} @@ -51,11 +52,15 @@ server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certIn server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} server.ssl.client-auth=want server.ssl.key-store-type=JKS +{{ else }} +security.require-ssl=false +server.ssl.enabled=false +{{ end }} # JMS bind address host port jms.bind.address=tcp://localhost:61647 -dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3905 -dmaap.ribbon.transportType=https +dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} +dmaap.ribbon.transportType={{ include "common.scheme" . }} # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema 
@@ -89,14 +94,16 @@ schema.version.edge.label.start={{ .Values.global.config.schema.version.edge.lab schema.version.api.default={{ .Values.global.config.schema.version.api.default }} schema.translator.list={{ .Values.global.config.schema.translator.list }} -schema.service.base.url=https://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ +schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions schema.service.custom.queries.endpoint=stored-queries -schema.service.client={{ .Values.global.config.schema.service.client }} +schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +{{ if ( include "common.needTLS" .) }} schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD} schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} +{{ end }} diff --git a/kubernetes/aai/components/aai-traversal/templates/job.yaml b/kubernetes/aai/components/aai-traversal/templates/job.yaml index 2eac7fe722..42f0f47bb0 100644 --- a/kubernetes/aai/components/aai-traversal/templates/job.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/job.yaml 
@@ -69,10 +69,16 @@ spec: - bash - "-c" - | - set -x - if [ ! -d /opt/aai/logroot/AAI-GQ/misc ]; then mkdir -p /opt/aai/logroot/AAI-GQ/misc; fi - until nc -w10 -z -v aai.{{.Release.Namespace}} 8443; do echo "Retrying to reach aai on port 8443"; done; - bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh + set -x + if [ ! -d /opt/aai/logroot/AAI-GQ/misc ]; then mkdir -p /opt/aai/logroot/AAI-GQ/misc; fi + {{- if (include "common.needTLS" .) }} + until nc -w10 -z -v aai.{{.Release.Namespace}} 8443; do echo "Retrying to reach aai on port 8443"; done; + bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh + {{- else }} + until nc -w10 -z -v aai.{{.Release.Namespace}} 80; do echo "Retrying to reach aai on port 80"; done; + bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} + {{- end }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} diff --git a/kubernetes/aai/components/aai-traversal/templates/service.yaml b/kubernetes/aai/components/aai-traversal/templates/service.yaml index fad857bb41..b54b6be644 100644 --- a/kubernetes/aai/components/aai-traversal/templates/service.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/service.yaml 
@@ -30,16 +30,16 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} - {{- end}} + {{- end }} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml index 7ad96005ad..fc4ff7a983 100644 --- a/kubernetes/aai/components/aai-traversal/values.yaml +++ b/kubernetes/aai/components/aai-traversal/values.yaml @@ -59,7 +59,7 @@ global: # global defaults # Active spring profiles for the resources microservice profiles: - active: production,dmaap,aaf-auth #,keycloak + active: production,dmaap #,aaf-auth ,keycloak # Notification event specific properties notification: @@ -249,9 +249,9 @@ readiness: service: type: ClusterIP - portName: aai-traversal-8446 + portName: http internalPort: 8446 - portName2: aai-traversal-5005 + portName2: tcp-5005 internalPort2: 5005 terminationGracePeriodSeconds: 120 diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg index e605e1886f..9fa6d2ee9b 100644 --- a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg 
+++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg @@ -106,7 +106,7 @@ frontend IST_8443 ####################### -#DEFAULT BACKEND 847### +#DEFAULT BACKEND 8447## ####################### backend IST_Default_8447 diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg index c8f3670349..1db4addb5a 100644 --- a/kubernetes/aai/resources/config/haproxy/haproxy.cfg +++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg @@ -35,7 +35,9 @@ defaults log global mode http option httplog +{{- if ( include "common.needTLS" .) }} option ssl-hello-chk +{{- end }} option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ== default-server init-addr none # option dontlognull 
@@ -58,6 +60,37 @@ defaults timeout http-keep-alive 30000 +frontend IST_8080 + mode http + bind 0.0.0.0:8080 + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" + option httplog + log global + option logasap + option forwardfor + capture request header Host len 100 + capture response header Host len 100 + option log-separate-errors + option forwardfor + http-request set-header X-Forwarded-Proto http + reqadd X-Forwarded-Proto:\ http + reqadd X-Forwarded-Port:\ 8080 + +####################### +#ACLS FOR PORT 8446#### +####################### + + acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$ + acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$ + acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$ + acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$ + acl is_named-query path_beg -i /aai/search/named-query + acl is_search-model path_beg -i /aai/search/model + use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl + + default_backend IST_Default_8447 + +{{- if ( include "common.needTLS" .) }} frontend IST_8443 mode http bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem @@ -88,6 +121,7 @@ frontend IST_8443 http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)] reqadd X-Forwarded-Proto:\ https reqadd X-Forwarded-Port:\ 8443 +{{- end }} ####################### #ACLS FOR PORT 8446#### 
@@ -103,17 +137,19 @@ frontend IST_8443 default_backend IST_Default_8447 - ####################### -#DEFAULT BACKEND 847### +#DEFAULT BACKEND 8447## ####################### backend IST_Default_8447 balance roundrobin http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; +{{- if ( include "common.needTLS" .) }} server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none - +{{- else }} + server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447 +{{- end }} ####################### # BACKEND 8446######### @@ -123,5 +159,8 @@ backend IST_AAI_8446 balance roundrobin http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; +{{- if ( include "common.needTLS" .) }} server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none - +{{- else }} + server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446 +{{- end }} diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml index 4b08d10e45..80fcebbef7 100644 --- a/kubernetes/aai/templates/deployment.yaml +++ b/kubernetes/aai/templates/deployment.yaml 
@@ -78,20 +78,22 @@ spec: {{- include "common.certInitializer.volumeMount" . | nindent 8 }} ports: - containerPort: {{ .Values.service.internalPort }} + - containerPort: {{ .Values.service.internalPlainPort }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ .Values.service.internalPort }} + port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: httpGet: path: /aai/util/echo - port: {{ .Values.service.internalPort }} - scheme: HTTPS + port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + #scheme: HTTPS + scheme: {{ (eq "true" (include "common.needTLS" .)) | ternary "HTTPS" "HTTP" }} httpHeaders: - name: X-FromAppId value: OOM_ReadinessCheck diff --git a/kubernetes/aai/templates/service.yaml b/kubernetes/aai/templates/service.yaml index a9b3af9301..d93bfc9fd3 100644 --- a/kubernetes/aai/templates/service.yaml +++ b/kubernetes/aai/templates/service.yaml 
@@ -26,16 +26,12 @@ metadata: heritage: {{ .Release.Service }} spec: ports: - {{if eq .Values.service.type "NodePort" -}} - - name: {{ .Values.service.portName }} - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} + - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} + port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort .Values.service.externalPlainPort }} + targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + {{- if eq .Values.service.type "NodePort" }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} + {{- end }} type: {{ .Values.service.type }} selector: app: {{ include "common.name" . }} diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml index 1cb297078e..684e592d30 100644 --- a/kubernetes/aai/values.yaml +++ b/kubernetes/aai/values.yaml @@ -202,8 +202,9 @@ global: # global defaults passwd: AAI # Active spring profiles for the resources microservice + # aaf-auth profile will be automatically set if aaf enabled is set to true profiles: - active: production,dmaap,aaf-auth + active: production,dmaap #,aaf-auth # Notification event specific properties notification: @@ -213,6 +214,7 @@ global: # global defaults # Schema specific properties that include supported versions of api schema: # Specifies if the connection should be one way ssl, two way ssl or no auth + # will be set to no-auth if tls is disabled service: client: one-way-ssl # Specifies which translator to use if it has schema-service, then it will make a rest request to schema service 
@@ -359,13 +361,16 @@ readiness: service: type: NodePort - portName: aai-ssl + portName: http externalPort: 8443 internalPort: 8443 nodePort: 33 # POLICY hotfix - Note this must be temporary # See https://jira.onap.org/browse/POLICY-510 aaiServiceClusterIp: + externalPlainPort: 80 + internalPlainPort: 8080 + nodeport: 33 ingress: enabled: false @@ -373,8 +378,8 @@ ingress: - baseaddr: "aai.api" name: "aai" port: 8443 - config: - ssl: "redirect" + config: + ssl: "redirect" resources: small: diff --git a/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml b/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml index 523339ca70..3ce24e2e84 100755 --- a/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml @@ -47,6 +47,12 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + {{- if .Values.metrics.serviceMonitor.enabled }} + - name: PROMETHEUS_METRICS_ENABLED + value: {{ .Values.metrics.serviceMonitor.enabled | quote }} + - name: PROMETHEUS_PORT + value: {{ .Values.service.metrics.internalPort | quote }} + {{ end }} image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness diff --git a/kubernetes/cds/components/cds-command-executor/templates/service.yaml b/kubernetes/cds/components/cds-command-executor/templates/service.yaml index 2301902f56..7540728ee9 100755 --- a/kubernetes/cds/components/cds-command-executor/templates/service.yaml +++ b/kubernetes/cds/components/cds-command-executor/templates/service.yaml 
@@ -34,6 +34,14 @@ spec: nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} {{- end}} name: {{ .Values.service.grpc.portName | default "grpc" }} + {{- if .Values.metrics.serviceMonitor.enabled }} + - port: {{ .Values.service.metrics.externalPort }} + targetPort: {{ .Values.service.metrics.internalPort }} + {{- if eq .Values.service.type "NodePort"}} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} + {{- end}} + name: {{ .Values.service.metrics.portName | default "metrics" }} + {{- end}} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }}
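Review bot: in the cds-command-executor `service.yaml` hunk, the new metrics port reuses `{{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}` for its `nodePort`, which is exactly the value the gRPC port above already claims. With `service.type: NodePort` and metrics enabled, both ports would request the same node port and the API server will reject the Service. Introduce a separate `service.metrics.nodePort` value (or omit `nodePort` for the metrics port, since a cluster-internal scrape does not need one).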
\ No newline at end of file diff --git a/kubernetes/cds/components/cds-command-executor/templates/servicemonitor.yaml b/kubernetes/cds/components/cds-command-executor/templates/servicemonitor.yaml new file mode 100644 index 0000000000..101b24a8a2 --- /dev/null +++ b/kubernetes/cds/components/cds-command-executor/templates/servicemonitor.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2021 Bitnami, Orange, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }}
\ No newline at end of file diff --git a/kubernetes/cds/components/cds-command-executor/values.yaml b/kubernetes/cds/components/cds-command-executor/values.yaml index cb3668656a..b10fa2754b 100755 --- a/kubernetes/cds/components/cds-command-executor/values.yaml +++ b/kubernetes/cds/components/cds-command-executor/values.yaml @@ -66,6 +66,10 @@ service: portName: command-executor-grpc internalPort: 50051 externalPort: 50051 + metrics: + portName: command-executor-metrics + internalPort: 10005 + externalPort: 10005 persistence: enabled: true @@ -97,3 +101,19 @@ serviceAccount: nameOverride: cds-command-executor roles: - read + +metrics: + serviceMonitor: + enabled: false + port: command-executor-metrics + path: /actuator/prometheus + basicAuth: + enabled: false + externalSecretName: mysecretname + externalSecretUserKey: login + externalSecretPasswordKey: password + selector: + app: '{{ include "common.name" . }}' + chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + release: '{{ .Release.Name }}' + heritage: '{{ .Release.Service }}' diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index eb07a74cd4..fa3de03ece 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -22,6 +22,7 @@ WORK_DIR=${WORK_DIR:-/updatedTruststore} ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks} JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts} TRUSTSTORE_OUTPUT_FILENAME=${TRUSTSTORE_OUTPUT_FILENAME:-truststore.jks} +SSL_WORKDIR=${SSL_WORKDIR:-/usr/local/share/ca-certificates} mkdir -p $WORK_DIR 
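Review bot: in the cds-command-executor `values.yaml` metrics hunk, `externalSecretName: mysecretname` is a placeholder that will be used verbatim if someone flips `basicAuth.enabled: true` without overriding it, producing a confusing "secret not found" failure at scrape time. Leave it empty (or clearly mark it as a required override in a comment). Worth stating in the same comment that, with `basicAuth.enabled: false` as shipped, `/actuator/prometheus` on port 10005 is reachable without authentication by anything that can reach the Service once `serviceMonitor.enabled` is true, so operators know what they are exposing.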
@@ -75,3 +76,15 @@ for f in $WORK_DIR/*; do fi fi done + +# Import certificates to Linux SSL Truststore +cp $CERTS_DIR/*.crt $SSL_WORKDIR/. +cp $MORE_CERTS_DIR/*.crt $SSL_WORKDIR/. +update-ca-certificates +if [ $? != 0 ] + then + echo "failed importing certificates" + exit 1 + else + cp /etc/ssl/certs/ca-certificates.crt $WORK_DIR/. +fi
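Review bot: in the `import-custom-certs.sh` hunk, the two `cp $CERTS_DIR/*.crt $SSL_WORKDIR/.` / `cp $MORE_CERTS_DIR/*.crt $SSL_WORKDIR/.` lines are not error-checked: if either directory holds no `.crt` file the glob stays literal and `cp` fails, yet only `update-ca-certificates` is checked, so a partially populated system trust store can be produced without any failure being reported. Guard each copy (test for matching files first, or check `cp`'s status the same way), and quote the variables. Two things to document: `update-ca-certificates` and the `/usr/local/share/ca-certificates` default for `SSL_WORKDIR` assume a Debian-style base image, and every certificate dropped there becomes trusted for all TLS connections made by the container, not just the Java truststore, which is a wider trust change than the Java-only import this script previously did.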
\ No newline at end of file diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index f3ba8a24e0..32bba457ee 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -174,6 +174,9 @@ - mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }} name: updated-truststore subPath: {{ $initRoot.truststoreOutputFileName }} +- mountPath: /etc/ssl/certs/ca-certificates.crt + name: updated-truststore + subPath: ca-certificates.crt {{- end -}} {{- end -}} diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index 02595b348d..4b8438ace2 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml @@ -35,5 +35,5 @@ global: truststorePasswordSecretName: oom-cert-service-truststore-password truststorePasswordSecretKey: password certPostProcessor: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index 49f1b940a6..a488e0d5fa 100644 --- a/kubernetes/common/common/templates/_service.tpl +++ b/kubernetes/common/common/templates/_service.tpl @@ -323,6 +323,16 @@ true {{- end }} {{- end -}} +{{/* + generate needed scheme: + - https if needTLS + - http if not +*/}} + +{{- define "common.scheme" -}} + {{- ternary "https" "http" (eq "true" (include "common.needTLS" .)) }} +{{- end -}} + {{- define "common.port.buildCache" -}} {{- $global := . }} {{- if not $global.Values._DmaapDrNodePortsCache }} diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index 4457762754..d4fc182b34 100644 
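Review bot: in the `_certInitializer.yaml` hunk, mounting `/etc/ssl/certs/ca-certificates.crt` with `subPath: ca-certificates.crt` from the `updated-truststore` volume only works when that file exists in the volume. The import script copies it in only after a successful `update-ca-certificates`; if that path is skipped or fails, kubelet creates the missing subPath as an empty directory, so the container ends up with a directory where OpenSSL expects its CA bundle and every TLS verification in that container breaks. Make the mount conditional on the same setting that runs the import, or have the init step always write the bundle (falling back to the image's own) so the file is guaranteed to be present.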
--- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl @@ -25,3 +25,15 @@ true {{- end -}} {{- end -}} {{- end -}} + +{{- define "common.serviceMesh.killSidecar" -}} +{{- if (include "common.onServiceMesh" .) }} +RCODE="$?"; +echo "*** script finished with exit code $RCODE" ; +echo "*** killing service mesh sidecar" ; +curl -sf -X POST http://127.0.0.1:15020/quitquitquit ; +echo "" ; +echo "*** exiting with script exit code" ; +exit "$RCODE" +{{- end }} +{{- end -}} diff --git a/kubernetes/common/timescaledb/.helmignore b/kubernetes/common/timescaledb/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/kubernetes/common/timescaledb/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml new file mode 100644 index 0000000000..7aeafa01f2 --- /dev/null +++ b/kubernetes/common/timescaledb/Chart.yaml 
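Review bot: in the `_serviceMesh.tpl` hunk, `common.serviceMesh.killSidecar` starts with `RCODE="$?"`, so it only preserves the workload's exit status if the include is rendered immediately after the main command with nothing (not even an `echo`) in between; a caller running under `set -e` will also never reach it on failure. State that contract in the template comment. The `curl -sf -X POST http://127.0.0.1:15020/quitquitquit` call hard-codes the Istio pilot-agent status port; a comment naming that assumption (and that a missing sidecar just makes `curl -f` fail quietly, which is the intended behaviour) would save the next reader a lookup.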
@@ -0,0 +1,23 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v1 +appVersion: "1.0" +description: ONAP timescaledb +name: timescaledb +version: 8.0.0 diff --git a/kubernetes/common/timescaledb/requirements.yaml b/kubernetes/common/timescaledb/requirements.yaml new file mode 100644 index 0000000000..de0c414c19 --- /dev/null +++ b/kubernetes/common/timescaledb/requirements.yaml 
@@ -0,0 +1,28 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +dependencies: + - name: common + version: ~8.x-0 + repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~8.x-0 + repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/timescaledb/resources/init/init-schema.sh b/kubernetes/common/timescaledb/resources/init/init-schema.sh new file mode 100644 index 0000000000..ab83cffae2 --- /dev/null +++ b/kubernetes/common/timescaledb/resources/init/init-schema.sh 
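Review bot: in the timescaledb `requirements.yaml` hunk, `repositoryGenerator` is pulled from `file://../repositoryGenerator` while `common` and `serviceAccount` use `'@local'`; the new cps-temporal chart in this same change uses `'@local'` for `repositoryGenerator` too. Use `'@local'` here for consistency so the chart builds the same way regardless of where it is packaged from.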
@@ -0,0 +1,28 @@ +#!/bin/bash + +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +set -e +set echo on; +psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL + CREATE USER $DB_USERNAME WITH PASSWORD '$DB_PASSWORD'; + CREATE SCHEMA $POSTGRES_DB; + GRANT ALL PRIVILEGES ON SCHEMA $POSTGRES_DB TO $DB_USERNAME; + CREATE EXTENSION IF NOT EXISTS timescaledb WITH SCHEMA $POSTGRES_DB; +EOSQL diff --git a/kubernetes/common/timescaledb/templates/configmap-init.yaml b/kubernetes/common/timescaledb/templates/configmap-init.yaml new file mode 100644 index 0000000000..82c1de6255 --- /dev/null +++ b/kubernetes/common/timescaledb/templates/configmap-init.yaml 
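Review bot: in the `init-schema.sh` hunk, `set echo on;` does not enable command echoing in bash; it sets the positional parameters to `echo` and `on`. If tracing was the intent, `set -x` would print `CREATE USER ... WITH PASSWORD '...'` including the secret into the pod log, so the safer fix is to delete the line. The heredoc also splices `$DB_USERNAME` and `$DB_PASSWORD` straight into SQL, so a password containing a single quote breaks the statement; pass them as psql variables instead (`psql -v user="$DB_USERNAME" -v pass="$DB_PASSWORD" ...` with `CREATE USER :"user" WITH PASSWORD :'pass';`), which quotes them correctly.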
@@ -0,0 +1,33 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-init + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: + init-schema.sh: |- +{{ .Files.Get "resources/init/init-schema.sh" | indent 4}} diff --git a/kubernetes/common/timescaledb/templates/pv.yaml b/kubernetes/common/timescaledb/templates/pv.yaml new file mode 100644 index 0000000000..f99b5f3562 --- /dev/null +++ b/kubernetes/common/timescaledb/templates/pv.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.PV" . }} diff --git a/kubernetes/common/timescaledb/templates/secrets.yaml b/kubernetes/common/timescaledb/templates/secrets.yaml new file mode 100644 index 0000000000..c888d48b6c --- /dev/null +++ b/kubernetes/common/timescaledb/templates/secrets.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/timescaledb/templates/service.yaml b/kubernetes/common/timescaledb/templates/service.yaml new file mode 100644 index 0000000000..c205ff4889 --- /dev/null +++ b/kubernetes/common/timescaledb/templates/service.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml new file mode 100644 index 0000000000..9b63de434d --- /dev/null +++ b/kubernetes/common/timescaledb/templates/statefulset.yaml 
@@ -0,0 +1,90 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: StatefulSet +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + serviceName: {{ include "common.servicename" . }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + imagePullPolicy: {{ .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . 
| nindent 12 }} + livenessProbe: + exec: + command: ["psql", "-w", "-U", "{{ .Values.config.pgRootUserName }}", "-c", "select 1"] + initialDelaySeconds: 5 + periodSeconds: 60 + readinessProbe: + exec: + command: ["psql", "-w", "-U", "{{ .Values.config.pgRootUserName }}", "-c", "select 1"] + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "login") | indent 14 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "password") | indent 14 }} + - name: POSTGRES_DB + value: {{ .Values.config.pgDatabase }} + - name: POSTGRES_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-creds" "key" "login") | indent 14 }} + - name: POSTGRES_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-creds" "key" "password") | indent 14 }} + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + resources: +{{ include "common.resources" . | indent 12 }} + volumeMounts: + - name: {{ include "common.fullname" . }}-init + mountPath: /docker-entrypoint-initdb.d + - name: {{ include "common.fullname" . }} + mountPath: /var/lib/postgresql/data + volumes: + - name: {{ include "common.fullname" . }}-init + configMap: + name: {{ include "common.fullname" . }}-init + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} + volumeClaimTemplates: + - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence) | indent 6 | trim }} +{{- end }} 
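Review bot: in the timescaledb `statefulset.yaml` hunk, the `volumes:` list only defines the init ConfigMap, and the data volume named `{{ include "common.fullname" . }}` only comes into existence through `volumeClaimTemplates`, which is guarded by `{{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}`. With `persistence.enabled: false`, or with `existingClaim` set (which `values.yaml` documents as supported), the `/var/lib/postgresql/data` mount references a volume that is never declared and the pod will not start. Add an `existingClaim` / `emptyDir` branch under `volumes:` for those cases. Also confirm that the claim name produced by `common.PVCTemplate` with `"suffix" "data"` matches the mount name used here, since the mount has no `-data` suffix.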
diff --git a/kubernetes/common/timescaledb/values.yaml b/kubernetes/common/timescaledb/values.yaml new file mode 100644 index 0000000000..b6d2face3a --- /dev/null +++ b/kubernetes/common/timescaledb/values.yaml 
@@ -0,0 +1,111 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +replicaCount: 1 +global: + persistence: {} + +################################################################# +# Secrets. +############################################################## +image: timescale/timescaledb:2.1.1-pg13 + +pullPolicy: Always +containerPorts: 5432 + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + nameOverride: timescaledb + roles: + - read + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ limits: + cpu: 0.5 + memory: 256Mi + requests: + cpu: 20m + memory: 256Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +service: + type: ClusterIP + name: timescaledb + ports: + - name: tcp-timescaledb + port: 5432 + +persistence: + enabled: true + + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + volumeReclaimPolicy: Retain + + ## database data Persistent Volume Storage Class + ## If defined, storageClassName: <storageClass> + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + accessMode: ReadWriteOnce + size: 1Gi + mountPath: /dockerdata-nfs + +config: + pgUserName: timescaledb + pgRootUserName: postgres + pgDatabase: timescaledb + +secrets: + - uid: root-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.pgRootPasswordExternalSecret) . }}' + login: '{{ .Values.config.pgRootUserName }}' + password: '{{ .Values.config.pgRootpassword }}' + - uid: user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.pgUserExternalSecret) . }}' + login: '{{ .Values.config.pgUserName }}' + password: '{{ .Values.config.pgUserPassword }}' + diff --git a/kubernetes/contrib/components/ejbca/requirements.yaml b/kubernetes/contrib/components/ejbca/requirements.yaml index 31db08aa3a..8762d969f9 100644 --- a/kubernetes/contrib/components/ejbca/requirements.yaml +++ b/kubernetes/contrib/components/ejbca/requirements.yaml @@ -26,3 +26,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: cmpv2Config + version: ~8.x-0 + repository: '@local' 
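Review bot: in the timescaledb `values.yaml` hunk, the secrets block references `.Values.config.pgRootpassword` (lowercase `p`) next to `.Values.config.pgUserPassword`, and neither key is defined under `config:`; confirm how `common.secretFast` treats an empty password when no external secret is given (random generation versus an empty string) and document it, and fix the casing so the two keys follow one convention. Two stale boilerplate bits: the "Secrets." banner sits above `image:` rather than above `secrets:`, and the resources comment still says to "remove the curly braces after 'resources:'" although limits and requests are already set. Since `podSecurityContext: {}` and `securityContext: {}` leave the database running with the image's default user, consider enabling the commented `runAsNonRoot` / `fsGroup` entries that the file already sketches.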
diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh index ad10240b94..2c672e2f07 100755 --- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh +++ b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh 
@@ -8,16 +8,31 @@ waitForEjbcaToStart() { } configureEjbca() { + ejbca.sh ca init \ + --caname ManagementCA \ + --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \ + --tokenType soft \ + --keyspec 3072 \ + --keytype RSA \ + -v 3652 \ + --policy null \ + -s SHA256WithRSA \ + -type "x509" ejbca.sh config cmp addalias --alias cmpRA ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK} - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate' + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA' + ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true #Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth) ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles #Profile name taken from certprofile filename (certprofile_<profile-name>-<id>.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER #ID taken from entityprofile filename (entityprofile_<profile-name>-<id>.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849 + caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p') + ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject" ejbca.sh config cmp dumpalias --alias cmpRA ejbca.sh config cmp addalias --alias cmp ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true 
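Review bot: in the `ejbca-config.sh` hunk, `caSubject=$(ejbca.sh ca getcacert ... | grep 'Subject' | sed ... | sed -n '1p')` feeds `defaultca` with whatever the pipeline returns, so a change in `getcacert` output would silently set an empty default CA; add a check such as `[ -n "$caSubject" ] || exit 1` before the `updatealias` call. The CA is now created here with a fixed DN (`O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345`) and a `-v 3652` (ten-year) validity, while `NO_CREATE_CA=true` in the deployment disables the image's own CA creation; a comment should note that this DN is a test/quickstart identity and that the switch from `responseprotection` `pbe` to `signature` plus `authenticationmodule 'HMAC;EndEntityCertificate'` means CMP clients can authenticate with any certificate issued by ManagementCA, not only with the `RA_IAK` shared secret.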
@@ -27,6 +42,13 @@ configureEjbca() { ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN ejbca.sh config cmp dumpalias --alias cmp ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem + #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation) + ejbca.sh roles addrole "Certificate Update Admin" + ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT + ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}" } diff --git a/kubernetes/contrib/components/ejbca/templates/deployment.yaml b/kubernetes/contrib/components/ejbca/templates/deployment.yaml index 46f7d3521c..fc163ee2e2 100644 --- a/kubernetes/contrib/components/ejbca/templates/deployment.yaml +++ b/kubernetes/contrib/components/ejbca/templates/deployment.yaml @@ -61,6 +61,8 @@ spec: env: - name: INITIAL_ADMIN value: ";PublicAccessAuthenticationToken:TRANSPORT_ANY;" + - name: NO_CREATE_CA + value: "true" - name: DATABASE_JDBC_URL value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ .Values.mysqlDatabase }} - name: DATABASE_USER diff --git a/kubernetes/cps/components/cps-temporal/.helmignore b/kubernetes/cps/components/cps-temporal/.helmignore new file mode 100644 index 0000000000..80b47d2723 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/.helmignore 
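Review bot: in the second `ejbca-config.sh` hunk, `roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}"` grants the role to every certificate ManagementCA issues whose `O=` equals the default organization, and that is the organization all ONAP component certificates are enrolled with. Combined with the `/ca_functionality/create_certificate/` and `/ra_functionality/edit_end_entity/` ACCEPT rules, any component holding such a certificate can renew or re-issue certificates for any end entity in the `Custom_EndEntity` profile, not just its own. That may be the intended KUR/CR design, but the comment above the block should spell out this trust boundary so operators can decide whether to narrow the membership (for example by a dedicated OU) in non-test deployments.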
@@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +components/
\ No newline at end of file diff --git a/kubernetes/cps/components/cps-temporal/Chart.yaml b/kubernetes/cps/components/cps-temporal/Chart.yaml new file mode 100644 index 0000000000..ab4bfe7e42 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/Chart.yaml @@ -0,0 +1,22 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v1 +description: ONAP Configuration Persistance Service (CPS) - Temporal +name: cps-temporal +version: 8.0.0 diff --git a/kubernetes/cps/components/cps-temporal/requirements.yaml b/kubernetes/cps/components/cps-temporal/requirements.yaml new file mode 100644 index 0000000000..b2293db9af --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/requirements.yaml 
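Review bot: in the cps-temporal `Chart.yaml` hunk, the description reads "ONAP Configuration Persistance Service (CPS) - Temporal"; the project name is "Configuration Persistence Service", so fix the spelling before the string propagates into `helm search` output and documentation.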
@@ -0,0 +1,34 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +dependencies: + - name: common + version: ~8.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~8.x-0 + repository: '@local' + - name: timescaledb + version: ~8.x-0 + repository: '@local' + - name: readinessCheck + version: ~8.x-0 + repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml b/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml new file mode 100644 index 0000000000..6654b26556 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml 
@@ -0,0 +1,47 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +spring: + datasource: + url: jdbc:postgresql://{{ .Values.timescaledb.service.name }}:5432/{{ .Values.timescaledb.config.pgDatabase }} + username: ${DB_USERNAME} + password: ${DB_PASSWORD} + kafka: + bootstrap-servers: [{{ .Values.config.kafka.service }}:{{ .Values.config.kafka.port }}] + security: + protocol: {{ .Values.config.kafka.protocol }} + consumer: + group-id: {{ .Values.config.kafka.consumerGroupId }} + +security: + auth: + username: ${APP_USERNAME} + password: ${APP_PASSWORD} + +app: + listener: + data-updated: + topic: {{ .Values.config.kafka.listenerTopic }} + +{{- if .Values.config.additional }} +{{ toYaml .Values.config.additional | nindent 2 }} +{{- end }} + +# Last empty line is required otherwise the last property will be missing from application.yml file in the pod. diff --git a/kubernetes/cps/components/cps-temporal/resources/config/logback.xml b/kubernetes/cps/components/cps-temporal/resources/config/logback.xml new file mode 100644 index 0000000000..a64a58664b --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/resources/config/logback.xml 
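Review bot: in the `application-helm.yml` hunk, the datasource URL hard-codes `:5432` while the timescaledb chart in this same change declares its port under `service.ports`, so the two can drift apart if the subchart's port is ever overridden; read the port from `.Values.timescaledb.service.ports` (or a dedicated config value) rather than from a literal. The kafka `security.protocol` is taken from `.Values.config.kafka.protocol` with no TLS or SASL properties alongside it; a comment stating which values are expected there (and that `PLAINTEXT` means credentials and events cross the network unencrypted) would make the default easier to review.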
@@ -0,0 +1,44 @@ +<!-- + ============LICENSE_START======================================================= + Copyright (C) 2020 Bell Canada. + ================================================================================ + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + SPDX-License-Identifier: Apache-2.0 + ============LICENSE_END========================================================= +--> + +<configuration> + + <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> + <encoder> + <pattern>%d - %highlight(%-5level) [%-20.20thread] %cyan(%logger{36}) - %msg%n</pattern> + </encoder> + </appender> + + <!-- Logger for cps classes --> + <logger name="org.onap.cps" level="info"/> + + <!-- Logger for sql statements. Set to info to disable, debug to enable --> + <logger name="org.hibernate.SQL" level="info"/> + + <!-- Logger for sql bindings. Set to info to disable, to trace to enable --> + <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="info"/> + + <!-- Logger for hibernate statistics. Set to warn to disable, to info to enable --> + <logger name="org.hibernate.engine.internal.StatisticalLoggingSessionEventListener" level="warn"/> + + <root level="info"> + <appender-ref ref="STDOUT" /> + </root> + +</configuration>
\ No newline at end of file diff --git a/kubernetes/cps/components/cps-temporal/templates/configmap.yaml b/kubernetes/cps/components/cps-temporal/templates/configmap.yaml new file mode 100644 index 0000000000..6d9e30fe16 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/configmap.yaml @@ -0,0 +1,24 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | nindent 2 }} diff --git a/kubernetes/cps/components/cps-temporal/templates/deployment.yaml b/kubernetes/cps/components/cps-temporal/templates/deployment.yaml new file mode 100644 index 0000000000..806e65a865 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/deployment.yaml 
@@ -0,0 +1,113 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + minReadySeconds: {{ index .Values.minReadySeconds }} + strategy: + type: {{ index .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ index .Values.updateStrategy.maxSurge }} + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim}} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + - name: {{ include "common.name" . }}-update-config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `find . 
-not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 12 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }} + - name: APP_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "login") | indent 12 }} + - name: APP_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "password") | indent 12 }} + volumeMounts: + - mountPath: /config-input + name: init-data-input + - mountPath: /config + name: init-data + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + port: {{ .Values.liveness.port }} + path: {{ .Values.liveness.path }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + httpGet: + port: {{ .Values.readiness.port }} + path: {{ .Values.readiness.path }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: SPRING_PROFILES_ACTIVE + value: {{ .Values.config.spring.profile }} + resources: {{ include "common.resources" . 
| nindent 10 }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /app/resources/application-helm.yml + subPath: application-helm.yml + name: init-data + - mountPath: /app/resources/logback.xml + subPath: logback.xml + name: init-data + - mountPath: /tmp + name: init-temp + volumes: + - name: init-data-input + configMap: + name: {{ include "common.fullname" . }} + - name: init-data + emptyDir: + medium: Memory + - name: init-temp + emptyDir: {} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" + diff --git a/kubernetes/cps/components/cps-temporal/templates/ingress.yaml b/kubernetes/cps/components/cps-temporal/templates/ingress.yaml new file mode 100644 index 0000000000..0dc4d1ae47 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/ingress.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.ingress" . }} 
diff --git a/kubernetes/cps/components/cps-temporal/templates/secrets.yaml b/kubernetes/cps/components/cps-temporal/templates/secrets.yaml new file mode 100644 index 0000000000..2a492061a3 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/secrets.yaml @@ -0,0 +1,22 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/cps/components/cps-temporal/templates/service.yaml b/kubernetes/cps/components/cps-temporal/templates/service.yaml new file mode 100644 index 0000000000..c205ff4889 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/service.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/cps/components/cps-temporal/templates/serviceMonitor.yaml b/kubernetes/cps/components/cps-temporal/templates/serviceMonitor.yaml new file mode 100644 index 0000000000..a49a662aed --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/serviceMonitor.yaml 
@@ -0,0 +1,23 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{- if .Values.prometheus.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }}
\ No newline at end of file diff --git a/kubernetes/cps/components/cps-temporal/values.yaml b/kubernetes/cps/components/cps-temporal/values.yaml new file mode 100644 index 0000000000..6874fa2ff0 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/values.yaml 
@@ -0,0 +1,185 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +passwordStrengthOverride: basic +global: + ingress: + virtualhost: + baseurl: "simpledemo.temporal.onap.org" + +secrets: + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-cps-temporal-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.timescaledb.config.pgUserExternalSecret) .) (hasSuffix "cps-temporal-pg-user-creds" .Values.timescaledb.config.pgUserExternalSecret) }}' + login: '{{ .Values.timescaledb.config.pgUserName }}' + password: '{{ .Values.timescaledb.config.pgUserPassword }}' + passwordPolicy: generate + - uid: app-user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.appUserExternalSecret) . 
}}' + login: '{{ .Values.config.appUserName }}' + password: '{{ .Values.config.appUserPassword }}' + passwordPolicy: generate + +image: onap/cps-temporal:1.0.0 +containerPort: &svc_port 8080 +managementPort: &mgt_port 8081 + +prometheus: + enabled: true + +service: + type: ClusterIP + name: cps-temporal + ports: + - name: http + port: *svc_port + targetPort: *svc_port + - name: management + port: *mgt_port + targetPort: *mgt_port + +metrics: + serviceMonitor: + enabled: true + port: management + ## specify target port if name is not given to the port in the service definition + ## + # targetPort: 8080 + path: /manage/prometheus + interval: 60s + basicAuth: + enabled: false + +pullPolicy: IfNotPresent +# flag to enable debugging - application support required +debugEnabled: false +nodeSelector: {} +affinity: {} +# Resource Limit flavor -By Default using small +flavor: small +# default number of instances +replicaCount: 1 +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: 2 + memory: 2Gi + requests: + cpu: 1 + memory: 1Gi + large: + limits: + cpu: 4 + memory: 4Gi + requests: + cpu: 2 + memory: 2Gi + unlimited: {} +# probe configuration parameters +liveness: + initialDelaySeconds: 20 + periodSeconds: 20 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + path: /manage/health + port: *mgt_port + +readiness: + initialDelaySeconds: 15 + periodSeconds: 15 + path: /manage/health + port: *mgt_port + +ingress: + enabled: true + service: + - baseaddr: "cps-temporal" + path: "/" + name: "cps-temporal" + port: *svc_port + +serviceAccount: + nameOverride: cps-temporal + roles: + - read + +securityContext: + user_id: 100 + group_id: 655533 + +################################################################# +# Application configuration defaults. 
+################################################################# + +config: + # REST API basic authentication credentials (passsword is generated if not provided) + appUserName: cpstemporal + spring: + profile: helm + #appUserPassword: + +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. +# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 + + kafka: + service: message-router-kafka + port: 9092 + listenerTopic: cps.cfg-state-events + consumerGroupId: cps-temporal-group + protocol: PLAINTEXT + +logging: + level: INFO + path: /tmp + +timescaledb: + nameOverride: cps-temporal-db + container: + name: cps-temporal-db + name: cpstemporaldb + service: + name: cps-temporal-db + persistence: + mountSubPath: cps-temporal/data + mountInitPath: cps-temporal + config: + pgUserName: cpstemporaldb + pgDatabase: cpstemporaldb + pgUserExternalSecret: *pgUserCredsSecretName + serviceAccount: + nameOverride: cps-temporal-db + +readinessCheck: + wait_for: + - cps-temporal-db + +minReadySeconds: 10 +updateStrategy: + type: RollingUpdate + maxUnavailable: 0 + maxSurge: 1
\ No newline at end of file diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/.helmignore b/kubernetes/cps/components/ncmp-dmi-plugin/.helmignore new file mode 100644 index 0000000000..80b47d2723 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +components/
\ No newline at end of file diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml new file mode 100644 index 0000000000..e99111d859 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml @@ -0,0 +1,22 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v1 +description: ONAP Configuration Persistance Service (CPS) - NCMP-DMI-Plugin +name: ncmp-dmi-plugin +version: 8.0.0 diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/requirements.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/requirements.yaml new file mode 100644 index 0000000000..d1fbdd3182 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/requirements.yaml 
@@ -0,0 +1,31 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +dependencies: + - name: common + version: ~8.x-0 + repository: '@local' + - name: readinessCheck + version: ~8.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~8.x-0 + repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml new file mode 100644 index 0000000000..d388823f9e --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml 
@@ -0,0 +1,57 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +server: + port: 8080 + +cps-core: + baseUrl: http://${CPS_CORE_HOST:cps}:${CPS_CORE_PORT:8080} + dmiRegistrationUrl : /cps-ncmp/api/ncmp-dmi/v1/ch + auth: + username: ${CPS_CORE_USERNAME} + password: ${CPS_CORE_PASSWORD} + +sdnc: + baseUrl: http://${SDNC_HOST:sdnc}:${SDNC_PORT:8181} + topologyId: ${SDNC_TOPOLOGY_ID:topology-netconf} + auth: + username: ${SDNC_USERNAME} + password: ${SDNC_PASSWORD} + +security: + # comma-separated uri patterns which do not require authorization + permit-uri: /manage/**,/swagger-ui/**,/swagger-resources/**,/v3/api-docs + auth: + username: ${DMI_PLUGIN_USERNAME} + password: ${DMI_PLUGIN_PASSWORD} + +logging: + level: + org: + springframework: {{ .Values.logging.level }} + onap: + cps: {{ .Values.logging.cps }} + + +{{- if .Values.config.additional }} +{{ toYaml .Values.config.additional | nindent 2 }} +{{- end }} + +# Last empty line is required otherwise the last property will be missing from application.yml file in the pod. 
diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/logback.xml b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/logback.xml new file mode 100644 index 0000000000..2a62c86e77 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/logback.xml @@ -0,0 +1,36 @@ +<!-- + ============LICENSE_START======================================================= + Copyright (C) 2021 Nordix Foundation + ================================================================================ + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + SPDX-License-Identifier: Apache-2.0 + ============LICENSE_END========================================================= +--> + +<configuration scan="true" scanPeriod="30 seconds" debug="false"> + + <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> + <encoder> + <pattern>%d - %highlight(%-5level) [%-20.20thread] %cyan(%logger{36}) - %msg%n</pattern> + </encoder> + </appender> + <appender name="AsyncSysOut" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="STDOUT" /> + </appender> + + <root level="INFO"> + <appender-ref ref="AsyncSysOut" /> + </root> + +</configuration> + diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/NOTES.txt b/kubernetes/cps/components/ncmp-dmi-plugin/templates/NOTES.txt new file mode 100644 index 0000000000..66f5302a11 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/NOTES.txt 
@@ -0,0 +1,39 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range .Values.ingress.hosts }} + http://{{ . }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + export SERVICE_PORT=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . 
}} -o jsonpath='{.spec.ports[0].port}') + echo http://$SERVICE_IP:$SERVICE_PORT +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export POD_PORT=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl port-forward $POD_NAME 8080:$POD_PORT +{{- end }} diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/configmap.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/configmap.yaml new file mode 100644 index 0000000000..7e8a0058ec --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/configmap.yaml 
@@ -0,0 +1,24 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | nindent 2 }} diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml new file mode 100644 index 0000000000..d2fd5c9c49 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml 
@@ -0,0 +1,119 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "common.name" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + {{- if .Values.prometheus.enabled }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: 'manage/prometheus' + prometheus.io/port: {{ .Values.managementPort | quote }} + {{- end }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim}} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + - name: {{ include "common.name" . }}-update-config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `find . 
-not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: DMI_PLUGIN_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "login") | indent 12 }} + - name: DMI_PLUGIN_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "password") | indent 12 }} + - name: SDNC_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-creds" "key" "login") | indent 12 }} + - name: SDNC_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-creds" "key" "password") | indent 12 }} + - name: CPS_CORE_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "core-creds" "key" "login") | indent 12 }} + - name: CPS_CORE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "core-creds" "key" "password") | indent 12 }} + volumeMounts: + - mountPath: /config-input + name: init-data-input + - mountPath: /config + name: init-data + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + {{ include "common.containerSecurityContext" . 
| indent 8 | trim }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + port: {{ .Values.liveness.port }} + path: {{ .Values.liveness.path }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + httpGet: + port: {{ .Values.readiness.port }} + path: {{ .Values.readiness.path }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: SPRING_PROFILES_ACTIVE + value: {{ .Values.config.spring.profile }} + resources: {{ include "common.resources" . | nindent 10 }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /app/resources/application-helm.yml + subPath: application-helm.yml + name: init-data + - mountPath: /app/resources/logback.xml + subPath: logback.xml + name: init-data + - mountPath: /tmp + name: init-temp + volumes: + - name: init-data-input + configMap: + name: {{ include "common.fullname" . }} + - name: init-data + emptyDir: + medium: Memory + - name: init-temp + emptyDir: {} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/ingress.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/ingress.yaml new file mode 100644 index 0000000000..b3d1cafe15 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/ingress.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/secrets.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/secrets.yaml new file mode 100644 index 0000000000..84e279d928 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/secrets.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/service.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/service.yaml new file mode 100644 index 0000000000..4825d55c12 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/service.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml new file mode 100644 index 0000000000..245a5d7048 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml 
@@ -0,0 +1,157 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Secrets. +################################################################# +secrets: + - uid: user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.appUserExternalSecret) . }}' + login: '{{ .Values.config.appUserName }}' + password: '{{ .Values.config.appUserPassword }}' + passwordPolicy: generate + - uid: sdnc-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.odlCredsExternalSecret) . }}' + login: '{{ .Values.config.sdncUser }}' + password: '{{ .Values.config.sdncPassword }}' + passwordPolicy: required + - uid: core-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.coreCredsExternalSecret) . }}' + login: '{{ .Values.config.coreUser }}' + password: '{{ .Values.config.corePassword }}' + passwordPolicy: generate + +################################################################# +# Global configuration defaults. 
+################################################################# +global: + ingress: + virtualhost: + baseurl: "simpledemo.onap.org" + +image: onap/ncmp-dmi-plugin:1.0.0 +containerPort: &svc_port 8080 +managementPort: &mgt_port 8081 + +prometheus: + enabled: true + interval: 60s + +service: + type: ClusterIP + name: ncmp-dmi-plugin + ports: + - name: &port http + port: *svc_port + - name: management + port: *mgt_port + targetPort: *mgt_port + +pullPolicy: IfNotPresent +# flag to enable debugging - application support required +debugEnabled: false +nodeSelector: {} +affinity: {} +# Resource Limit flavor -By Default using small +flavor: small +# default number of instances +replicaCount: 1 +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: 2 + memory: 2Gi + requests: + cpu: 1 + memory: 1Gi + large: + limits: + cpu: 4 + memory: 4Gi + requests: + cpu: 2 + memory: 2Gi + unlimited: {} +# probe configuration parameters +liveness: + initialDelaySeconds: 20 + periodSeconds: 20 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + path: /manage/health + port: *mgt_port + +readiness: + initialDelaySeconds: 15 + periodSeconds: 15 + path: /manage/health + port: *mgt_port + +ingress: + enabled: true + service: + - baseaddr: "ncmp-dmi-plugin" + path: "/" + name: "ncmp-dmi-plugin" + port: *svc_port + +serviceAccount: + nameOverride: ncmp-dmi-plugin + roles: + - read + +securityContext: + user_id: 100 + group_id: 655533 + +################################################################# +# Application configuration defaults. 
+################################################################# + +config: + + # REST API basic authentication credentials (passsword is generated if not provided) + appUserName: ncmpuser + spring: + profile: helm + #appUserPassword: + + sdncUser: admin + sdncPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + + coreUser: cpsuser + +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format insead of yaml. +# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 + +logging: + level: INFO + cps: DEBUG + path: /tmp + +readinessCheck: + wait_for: + - cps-postgres diff --git a/kubernetes/cps/requirements.yaml b/kubernetes/cps/requirements.yaml index 9d044dcd13..053723331a 100644 --- a/kubernetes/cps/requirements.yaml +++ b/kubernetes/cps/requirements.yaml @@ -19,4 +19,12 @@ dependencies: - name: cps-core version: ~8.x-0 repository: '@local' - condition: cps-core.enabled
\ No newline at end of file + condition: cps-core.enabled + - name: cps-temporal + version: ~8.x-0 + repository: '@local' + condition: cps-temporal.enabled + - name: ncmp-dmi-plugin + version: ~8.x-0 + repository: '@local' + condition: ncmp-dmi-plugin.enabled
\ No newline at end of file diff --git a/kubernetes/cps/templates/secrets.yaml b/kubernetes/cps/templates/secrets.yaml new file mode 100644 index 0000000000..84e279d928 --- /dev/null +++ b/kubernetes/cps/templates/secrets.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/cps/values.yaml b/kubernetes/cps/values.yaml index 87bba7f1da..cda726d0d3 100755 --- a/kubernetes/cps/values.yaml +++ b/kubernetes/cps/values.yaml 
@@ -15,14 +15,34 @@ ################################################################# # Global configuration defaults. ################################################################# +secrets: + - uid: core-app-user-creds + name: &core-creds-secret '{{ include "common.release" . }}-cps-core-app-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.coreUserExternalSecret) . }}' + login: '{{ .Values.config.coreUserName }}' + password: '{{ .Values.config.coreUserPassword }}' + passwordPolicy: generate + passwordStrengthOverride: basic global: ingress: virtualhost: baseurl: "simpledemo.onap.org" -config: {} +config: + coreUserName: cpsuser # Enable all CPS components by default cps-core: enabled: true + config: + appUserExternalSecret: *core-creds-secret + +cps-temporal: + enabled: true + +ncmp-dmi-plugin: + enabled: true + config: + coreCredsExternalSecret: *core-creds-secret diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml index 838e49e9cc..be7620733b 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml 
@@ -34,13 +34,13 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 -certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.6.0 +image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.6.1 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -106,6 +106,12 @@ service: plain_port: 8100 port_protocol: http +# Environment variables +applicationEnv: +# Empty path forces DFC to use Consul configuration, which allows app runtime reconfiguration. +# It's a workaround because DMAAP specific env variables are not available in main container. + CBS_CLIENT_CONFIG_PATH: '' + # Initial Application Configuration applicationConfig: dmaap.certificateConfig.keyCert: /opt/app/datafile/etc/cert/cert.p12 diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml index 9b943c4fcc..07b10614a8 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml 
@@ -35,13 +35,13 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 -certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.9.0 +image: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.9.1 pullPolicy: Always # log directory where logging sidecar should look for log files @@ -178,6 +178,7 @@ applicationConfig: applicationEnv: JAVA_OPTS: '-Dlogback.configurationFile=/etc/ONAP/dcae-hv-ves-collector/logback.xml' + CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml index d18e8d64eb..5e1a678bdf 100644 --- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml @@ -54,7 +54,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.pm-mapper:1.7.0 +image: onap/org.onap.dcaegen2.services.pm-mapper:1.7.1 pullPolicy: Always # Log directory where logging sidecar should look for log files 
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml index 3fa5faf8c5..c7d4c1d82f 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml @@ -101,8 +101,6 @@ customEnvVars: value: "Basic `echo -n ${AAI_USER}:${AAI_PASSWORD} | base64`" # initial application configuration -# Configuration used for in-app substitution must be defined as $${undefined}{<parameter>} under applicationConfig -# inorder to get ${<parameter>} post envsubst (done part of dcae helm service-common templates) applicationConfig: dmaap.dmaapConsumerConfiguration.dmaapContentType: "application/json" dmaap.dmaapConsumerConfiguration.consumerId: "c12" diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml index fa85c7de60..cceed6289c 100644 --- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml @@ -41,7 +41,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.0 +image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.1 pullPolicy: Always # log directory where logging sidecar should look for log files 
@@ -137,7 +137,7 @@ applicationConfig: tca.aai.generic_vnf_path: aai/v11/network/generic-vnfs/generic-vnf tca.aai.node_query_path: aai/v11/search/nodes-query tca.aai.password: ${AAI_PASSWORD} - tca.aai.url: http://aai + tca.aai.url: https://aai:8443 tca.aai.username: ${AAI_USERNAME} tca.policy: '{"domain":"measurementsForVfScaling","metricsPerEventName":[{"eventName":"vFirewallBroadcastPackets","controlLoopSchemaType":"VM","policyScope":"DCAE","policyName":"DCAE.Config_tca-hi-lo","policyVersion":"v0.0.1","thresholds":[{"closedLoopControlName":"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedTotalPacketsDelta","thresholdValue":300,"direction":"LESS_OR_EQUAL","severity":"MAJOR","closedLoopEventStatus":"ONSET"},{"closedLoopControlName":"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedTotalPacketsDelta","thresholdValue":700,"direction":"GREATER_OR_EQUAL","severity":"CRITICAL","closedLoopEventStatus":"ONSET"}]},{"eventName":"vLoadBalancer","controlLoopSchemaType":"VM","policyScope":"DCAE","policyName":"DCAE.Config_tca-hi-lo","policyVersion":"v0.0.1","thresholds":[{"closedLoopControlName":"ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedTotalPacketsDelta","thresholdValue":300,"direction":"GREATER_OR_EQUAL","severity":"CRITICAL","closedLoopEventStatus":"ONSET"}]},{"eventName":"Measurement_vGMUX","controlLoopSchemaType":"VNF","policyScope":"DCAE","policyName":"DCAE.Config_tca-hi-lo","policyVersion":"v0.0.1","thresholds":[{"closedLoopControlName":"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.additionalMeasurements[*].arrayOfFields[0].value","thresholdValue":0,"direc
tion":"EQUAL","severity":"MAJOR","closedLoopEventStatus":"ABATED"},{"closedLoopControlName":"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.additionalMeasurements[*].arrayOfFields[0].value","thresholdValue":0,"direction":"GREATER","severity":"CRITICAL","closedLoopEventStatus":"ONSET"}]}]}' tca.processing_batch_size: 10000 diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index 34adba7a3c..bfea92aeb9 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml @@ -35,7 +35,7 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 -certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 ################################################################# # Application configuration defaults. diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml index a077c0f319..7bde2e99fb 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml 
@@ -39,7 +39,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.2.0 +image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.3.0 pullPolicy: Always # Log directory where logging sidecar should look for log files diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml index 9ca5258d37..3bb09f0330 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml @@ -104,16 +104,16 @@ mongo: disableNfsProvisioner: true # application image -image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:3.3.3 +image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:3.3.4 default_k8s_location: central # DCAE component images to be deployed via Cloudify Manager # Use to override default setting in blueprints componentImages: - tcagen2: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.0 + tcagen2: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.1 ves: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.10.1 prh: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.7.1 - hv_ves: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.9.0 + hv_ves: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.9.1 # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml index 5517269574..e6567d9ac2 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml 
@@ -53,7 +53,7 @@ config: # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.deployments.cm-container:4.6.0 +image: onap/org.onap.dcaegen2.deployments.cm-container:4.6.1 pullPolicy: Always # name of shared ConfigMap with kubeconfig for multiple clusters diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml index 90bc0989d0..22c4cdb3b2 100644 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml +++ b/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml @@ -35,7 +35,7 @@ config: importCloudify: https://www.getcloudify.org/spec/cloudify/4.5.5/types.yaml importK8S: plugin:k8splugin?version=>=3.5.1,<4.0.0 importPostgres: plugin:pgaas?version=1.3.0 - importClamp: plugin:clamppolicyplugin?version=1.1.0 + importClamp: plugin:clamppolicyplugin?version=1.1.1 importDMaaP: plugin:dmaap?version=>=1.5.1,<2.0.0 useDmaapPlugin: false bpResourcesCpuLimit: 250m diff --git a/kubernetes/helm/plugins/deploy/deploy.sh b/kubernetes/helm/plugins/deploy/deploy.sh index 536be7b4a9..2182dde1d6 100755 --- a/kubernetes/helm/plugins/deploy/deploy.sh +++ b/kubernetes/helm/plugins/deploy/deploy.sh @@ -91,7 +91,7 @@ deploy() { # validate params if [ -z "$1" ] || [ -z "$2" ]; then usage - exit 0 + exit 1 fi RELEASE=$1 @@ -123,7 +123,7 @@ deploy() { fi # determine if set-last-applied flag is enabled SET_LAST_APPLIED="false" - if expr"$FLAGS" : ".*--set-last-applied.*" ; then + if expr "$FLAGS" : ".*--set-last-applied.*" ; then FLAGS="$(echo $FLAGS| sed -n 's/--set-last-applied//p')" SET_LAST_APPLIED="true" fi diff --git a/kubernetes/helm/plugins/undeploy/undeploy.sh b/kubernetes/helm/plugins/undeploy/undeploy.sh index 72c64244c0..a3b0e3c623 100755 --- a/kubernetes/helm/plugins/undeploy/undeploy.sh +++ b/kubernetes/helm/plugins/undeploy/undeploy.sh 
@@ -29,9 +29,9 @@ undeploy() { done } -if [ $# < 1 ]; then +if [ -z "$1" ]; then echo "Error: command 'undeploy' requires a release name" - exit 0 + exit 1 fi case "${1:-"help"}" in diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml index f44faa1059..bbdc3e09cd 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml @@ -25,7 +25,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/holmes/engine-management:1.3.3 +image: onap/holmes/engine-management:9.0.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 ################################################################# diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml index 9e2b656150..4f4849a5a4 100644 --- a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml +++ b/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml @@ -25,7 +25,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/holmes/rule-management:1.3.3 +image: onap/holmes/rule-management:9.0.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 ################################################################# diff --git a/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml index 0bc24afe86..e8418355d3 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml 
@@ -56,7 +56,10 @@ spec: description: Path of health check endpoint. type: string certEndpoint: - description: Path of cerfificate signing enpoint. + description: Path of cerfificate signing endpoint. + type: string + updateEndpoint: + description: Path of certificate update endpoint. type: string caName: description: Name of the external CA server configured on CertService API side. diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml index ae4ae81f02..52e35375d3 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml @@ -25,6 +25,7 @@ spec: url: {{ .Values.cmpv2issuer.url }} healthEndpoint: {{ .Values.cmpv2issuer.healthcheckEndpoint }} certEndpoint: {{ .Values.cmpv2issuer.certEndpoint }} + updateEndpoint: {{ .Values.cmpv2issuer.updateEndpoint }} caName: {{ .Values.cmpv2issuer.caName }} certSecretRef: name: {{ .Values.cmpv2issuer.certSecretRef.name }} diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index 38bddfbdc3..2237811465 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -28,7 +28,7 @@ namespace: onap # Deployment configuration deployment: name: oom-certservice-cmpv2issuer - image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.3.2 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.4.0 proxyImage: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 # fol local development use IfNotPresent pullPolicy: Always 
@@ -50,6 +50,7 @@ cmpv2issuer: url: https://oom-cert-service:8443 healthcheckEndpoint: actuator/health certEndpoint: v1/certificate + updateEndpoint: v1/certificate-update caName: RA certSecretRef: name: oom-cert-service-client-tls-secret diff --git a/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json b/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json index 06e1087f60..5a967f0405 100644 --- a/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json +++ b/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json @@ -3,7 +3,7 @@ { "caName": "CLIENT", "url": "http://ejbca:8080/ejbca/publicweb/cmp/cmp", - "issuerDN": "CN=ManagementCA", + "issuerDN": "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345", "caMode": "CLIENT", "authentication": { "iak": "${CLIENT_IAK}", @@ -13,7 +13,7 @@ { "caName": "RA", "url": "http://ejbca:8080/ejbca/publicweb/cmp/cmpRA", - "issuerDN": "CN=ManagementCA", + "issuerDN": "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345", "caMode": "RA", "authentication": { "iak": "${RA_IAK}", @@ -21,4 +21,4 @@ } } ] -}
\ No newline at end of file +} diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index 2e149683d7..fbd545c12e 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -34,7 +34,7 @@ service: # Deployment configuration repository: "nexus3.onap.org:10001" -image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3 +image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.4.0 pullPolicy: Always replicaCount: 1 diff --git a/kubernetes/robot/resources/config/eteshare/config/robot_properties.py b/kubernetes/robot/resources/config/eteshare/config/robot_properties.py index 39448a72c5..ac663da769 100644 --- a/kubernetes/robot/resources/config/eteshare/config/robot_properties.py +++ b/kubernetes/robot/resources/config/eteshare/config/robot_properties.py @@ -128,8 +128,8 @@ GLOBAL_AAF_USERNAME = '{{ .Values.aafUsername }}' GLOBAL_AAF_PASSWORD = '{{ .Values.aafPassword }}' GLOBAL_AAF_AUTHENTICATION = [GLOBAL_AAF_USERNAME, GLOBAL_AAF_PASSWORD] # aai info - everything is from the private oam network (also called onap private network) -GLOBAL_AAI_SERVER_PROTOCOL = "https" -GLOBAL_AAI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aai" "port" 8443) }}' +GLOBAL_AAI_SERVER_PROTOCOL = '{{ include "common.scheme" . }}' +GLOBAL_AAI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aai" "port" ( ternary 8443 80 (eq "true" (include "common.needTLS" . )))) }}' GLOBAL_AAI_USERNAME = '{{ .Values.aaiUsername }}' GLOBAL_AAI_PASSWORD = '{{ .Values.aaiPassword}}' GLOBAL_AAI_AUTHENTICATION = [GLOBAL_AAI_USERNAME, GLOBAL_AAI_PASSWORD] diff --git a/kubernetes/uui/components/uui-server/values.yaml b/kubernetes/uui/components/uui-server/values.yaml index 71ad437634..14f5f48f0b 100644 --- a/kubernetes/uui/components/uui-server/values.yaml 
+++ b/kubernetes/uui/components/uui-server/values.yaml @@ -25,7 +25,7 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/usecase-ui-server:4.0.1 +image: onap/usecase-ui-server:4.0.3 pullPolicy: Always # application configuration diff --git a/kubernetes/uui/values.yaml b/kubernetes/uui/values.yaml index 61a0b5097a..ddac84eca3 100644 --- a/kubernetes/uui/values.yaml +++ b/kubernetes/uui/values.yaml @@ -24,7 +24,7 @@ subChartsOnly: flavor: small # application image -image: onap/usecase-ui:4.0.2 +image: onap/usecase-ui:4.0.3 pullPolicy: Always # application configuration |
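Review bot: in kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml the Prometheus annotation `prometheus.io/path: 'manage/prometheus'` lacks the leading slash that the probe paths in values.yaml (`/manage/health`) carry; a scraper that concatenates address and metrics path will build a malformed URL, so make it `'/manage/prometheus'`. In the same file the liveness block closes with `{{ end -}}` while every other action in the template uses `{{- end }}`; pick one trim style so the rendered indentation of `readinessProbe:` does not depend on the indentation of the closing action line.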
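Review bot: in kubernetes/cps/components/ncmp-dmi-plugin/values.yaml the default `sdncPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U` commits a literal credential to the chart, and because the `sdnc-creds` secret is declared with `passwordPolicy: required` that literal always satisfies the check, so an operator who forgets to override it deploys with a published value. Leave `sdncPassword` unset, the way `appUserPassword` is left commented out, so that `required` actually fails the install, or point `odlCredsExternalSecret` at the SDNC chart's secret by default, as the parent chart already does for `coreCredsExternalSecret`. Also `securityContext.group_id: 655533` looks like it has an extra digit; please confirm the intended GID. The comments read "passsword" and "insead".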
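Review bot: in kubernetes/cps/requirements.yaml the hunk rewrites the last line but keeps the `\ No newline at end of file` condition on both sides; add the trailing newline while touching this line so the next dependency added here does not produce the same noisy one-line diff.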
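Review bot: in kubernetes/cps/values.yaml the new `core-app-user-creds` secret sets `passwordStrengthOverride: basic` on a generated credential that is then shared by both `cps-core` (via `appUserExternalSecret`) and `ncmp-dmi-plugin` (via `coreCredsExternalSecret`); weakening the generator for a credential reused across two components needs a stated reason. If cps-core's basic auth cannot handle the characters the default policy produces, say so in a comment next to the override; otherwise drop the override and keep the default strength.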
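Review bot: in kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml the new `CBS_CLIENT_CONFIG_PATH: ''` entry is described in its comment as a workaround for DMaaP environment variables not being available in the main container, but nothing records when it can be removed. Reference the tracking issue in the comment so the workaround is retired once the underlying limitation is fixed.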
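Review bot: in kubernetes/dcaegen2-services/components/dcae-prh/values.yaml the hunk deletes the only documentation of the `$${undefined}{<parameter>}` substitution convention for `applicationConfig` without replacing it. If the service-common templates still honour that convention, keep the comment; if the behaviour changed, state where the new rule is documented so chart authors know how to write values that must survive envsubst.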
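Review bot: in kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml the change to `tca.aai.url: https://aai:8443` hard-codes the scheme and port, while in the same change set kubernetes/robot/resources/config/eteshare/config/robot_properties.py derives the AAI scheme and port from `common.scheme` and `common.needTLS`; a deployment that turns TLS off at the platform level will keep TCA talking to a port that is not listening. Derive the URL the same way, and confirm that the TCA container trusts the AAI server certificate (the hunk shows the credential wiring via `${AAI_USERNAME}`/`${AAI_PASSWORD}` but not the truststore), otherwise the switch from http to https fails at the TLS handshake instead of at authentication.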
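Review bot: in kubernetes/helm/plugins/deploy/deploy.sh the corrected test `if expr "$FLAGS" : ".*--set-last-applied.*" ; then` still lets `expr` print the match length to stdout on every deploy; redirect it (`if expr "$FLAGS" : ".*--set-last-applied.*" >/dev/null; then`) so the plugin output stays clean. The following line `FLAGS="$(echo $FLAGS| sed -n 's/--set-last-applied//p')"` leaves `$FLAGS` unquoted, which word-splits and glob-expands any flag value containing spaces or `*`; quote it as `"$FLAGS"`. The `exit 0` to `exit 1` change on the usage path is correct and should stay.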
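Review bot: in kubernetes/helm/plugins/undeploy/undeploy.sh the new guard `if [ -z "$1" ]; then ... exit 1` makes the default in `case "${1:-"help"}" in` unreachable, since an empty first argument now exits before the `case` is evaluated. Either drop the `:-"help"` default or let the empty-argument case fall through to the help branch with `exit 0`, so the two constructs do not contradict each other. The replacement of `[ $# < 1 ]`, which would have been parsed as a redirection from a file named `1`, is a real bug fix and is welcome.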
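Review bot: in kubernetes/holmes/components/holmes-engine-mgmt/values.yaml and holmes-rule-mgmt/values.yaml the application images jump from 1.3.3 to 9.0.0 while the context line keeps `consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0`, whereas the dcaegen2-services charts in this same change set use that container at 1.1.1; confirm whether the Holmes charts are meant to stay on the older loader or should be aligned in this bump.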
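Review bot: in kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml the hunk fixes "enpoint" but leaves "cerfificate" in the same description line (`description: Path of cerfificate signing endpoint.`); fix both while the line is being edited. The new `updateEndpoint` spec field is added without stating whether it is required or has a default, so say explicitly how existing CMPv2Issuer objects that predate this field are treated, and note that templates/configuration.yaml now renders `updateEndpoint: {{ .Values.cmpv2issuer.updateEndpoint }}` unconditionally, which yields an empty value if an override omits it.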
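Review bot: in kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json the new `issuerDN` value `O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345` is a literal taken from a specific EJBCA container setup; since this file sits under resources/test that is acceptable, but if cert-service compares the configured issuerDN to the CA certificate as a string, RDN order and spacing must match the certificate exactly, so add a comment in the file (or the commit message) saying where the value came from and that it is matched verbatim. Fixing the missing trailing newline in the same hunk is fine.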