44 files changed, 496 insertions, 209 deletions
diff --git a/docs/oom_cloud_setup_guide.rst b/docs/oom_cloud_setup_guide.rst index 8431cf794a..033ba43fe4 100644 --- a/docs/oom_cloud_setup_guide.rst +++ b/docs/oom_cloud_setup_guide.rst @@ -46,9 +46,9 @@ The versions of Kubernetes that are supported by OOM are as follows: .. table:: OOM Software Requirements - ============== =========== ======= ======== ======== - Release Kubernetes Helm kubectl Docker - ============== =========== ======= ======== ======== + ============== =========== ======= ======== ======== ============ + Release Kubernetes Helm kubectl Docker Cert-Manager + ============== =========== ======= ======== ======== ============ amsterdam 1.7.x 2.3.x 1.7.x 1.12.x beijing 1.8.10 2.8.2 1.8.10 17.03.x casablanca 1.11.5 2.9.1 1.11.5 17.03.x @@ -57,7 +57,8 @@ The versions of Kubernetes that are supported by OOM are as follows: frankfurt 1.15.9 2.16.6 1.15.11 18.09.x guilin 1.15.11 2.16.10 1.15.11 18.09.x Honolulu 1.19.9 3.5.2 1.19.9 19.03.x - ============== =========== ======= ======== ======== + Istanbul 1.2.0 + ============== =========== ======= ======== ======== ============ .. note:: Guilin version also supports Kubernetes up to version 1.19.x and should work diff --git a/docs/oom_quickstart_guide.rst b/docs/oom_quickstart_guide.rst index 2fedc091d8..d573c94bb0 100644 --- a/docs/oom_quickstart_guide.rst +++ b/docs/oom_quickstart_guide.rst 
@@ -33,13 +33,19 @@ where <BRANCH> can be an official release tag, such as > cp -R ~/oom/kubernetes/helm/plugins/ ~/.local/share/helm/plugins > helm plugin install https://github.com/chartmuseum/helm-push.git -**Step 3** Install Chartmuseum:: +**Step 3.** Install Chartmuseum:: > curl -LO https://s3.amazonaws.com/chartmuseum/release/latest/bin/linux/amd64/chartmuseum > chmod +x ./chartmuseum > mv ./chartmuseum /usr/local/bin -**Step 4.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or +**Step 4.** Install Cert-Manager:: + + > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml + +More details can be found :doc:`here <oom_setup_paas>`. + +**Step 5.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or an override file like `onap-all.yaml`, `onap-vfw.yaml` or `openstack.yaml` file to suit your deployment with items like the OpenStack tenant information. @@ -67,12 +73,6 @@ to suit your deployment with items like the OpenStack tenant information. -.. note:: - If you want to use CMPv2 certificate onboarding, Cert-Manager must be installed. - :doc:`Click here <oom_setup_paas>` to see how to install Cert-Manager. - - - a. Enabling/Disabling Components: Here is an example of the nominal entries that need to be provided. We have different values file available for different contexts. @@ -154,7 +154,7 @@ Example Keystone v3 (required for Rocky and later releases) :language: yaml -**Step 5.** To setup a local Helm server to server up the ONAP charts:: +**Step 6.** To setup a local Helm server to server up the ONAP charts:: > chartmuseum --storage local --storage-local-rootdir ~/helm3-storage -port 8879 & 
@@ -163,13 +163,13 @@ follows:: > helm repo add local http://127.0.0.1:8879 -**Step 6.** Verify your Helm repository setup with:: +**Step 7.** Verify your Helm repository setup with:: > helm repo list NAME URL local http://127.0.0.1:8879 -**Step 7.** Build a local Helm repository (from the kubernetes directory):: +**Step 8.** Build a local Helm repository (from the kubernetes directory):: > make SKIP_LINT=TRUE [HELM_BIN=<HELM_PATH>] all ; make SKIP_LINT=TRUE [HELM_BIN=<HELM_PATH>] onap @@ -177,7 +177,7 @@ follows:: Sets the helm binary to be used. The default value use helm from PATH -**Step 8.** Display the onap charts that available to be deployed:: +**Step 9.** Display the onap charts that available to be deployed:: > helm repo update > helm search repo onap @@ -189,7 +189,7 @@ follows:: to your deployment charts or values be sure to use ``make`` to update your local Helm repository. -**Step 9.** Once the repo is setup, installation of ONAP can be done with a +**Step 10.** Once the repo is setup, installation of ONAP can be done with a single command .. note:: @@ -237,7 +237,7 @@ needs. you want to use to deploy VNFs from ONAP and/or additional parameters for the embedded tests. -**Step 10.** Verify ONAP installation +**Step 11.** Verify ONAP installation Use the following to monitor your deployment and determine when ONAP is ready for use:: @@ -251,7 +251,7 @@ for use:: > ~/oom/kubernetes/robot/ete-k8s.sh onap health -**Step 11.** Undeploy ONAP +**Step 12.** Undeploy ONAP :: > helm undeploy dev diff --git a/docs/oom_setup_paas.rst b/docs/oom_setup_paas.rst index 258a4eeadf..845fd473e0 100644 --- a/docs/oom_setup_paas.rst +++ b/docs/oom_setup_paas.rst 
@@ -9,11 +9,11 @@ .. _oom_setup_paas: -ONAP PaaS set-up (optional) -########################### +ONAP PaaS set-up +################ Starting from Honolulu release, Cert-Manager and Prometheus Stack are a part -of k8s PaaS for ONAP operations and can be optionally installed to provide +of k8s PaaS for ONAP operations and can be installed to provide additional functionality for ONAP engineers. The versions of PaaS compoents that are supported by OOM are as follows: @@ -63,8 +63,8 @@ Installation can be as simple as:: > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml -Prometheus Stack -================ +Prometheus Stack (optional) +=========================== Prometheus is an open-source systems monitoring and alerting toolkit with an active ecosystem. diff --git a/docs/oom_user_guide.rst b/docs/oom_user_guide.rst index 02f5c483b5..3a707e25ea 100644 --- a/docs/oom_user_guide.rst +++ b/docs/oom_user_guide.rst @@ -55,8 +55,8 @@ ONAP with a few simple commands. Pre-requisites -------------- -Your environment must have both the Kubernetes `kubectl` and Helm setup as a -one time activity. +Your environment must have the Kubernetes `kubectl` with Cert-Manager +and Helm setup as a one time activity. Install Kubectl ~~~~~~~~~~~~~~~ @@ -78,6 +78,11 @@ Verify that the Kubernetes config is correct:: At this point you should see Kubernetes pods running. +Install Cert-Manager +~~~~~~~~~~~~~~~~~~~~ +Details on how to install Cert-Manager can be found +:doc:`here <oom_setup_paas>`. + Install Helm ~~~~~~~~~~~~ Helm is used by OOM for package and configuration management. To install Helm, diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat index df2e128407..d29617a4d9 100644 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat +++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat 
@@ -49,6 +49,7 @@ org.onap.clamp|clds.template|dev|*||"{'org.onap.clamp|service'}" org.onap.clamp|clds.template|dev|read|Onap Clamp Dev Read Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" org.onap.clamp|clds.template|dev|update|Onap Clamp Dev Update Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" org.onap.clamp|clds.tosca|dev|*||"{'org.onap.clamp|service'}" +org.onap.clamp|clds.policies|dev|*||"{'org.onap.clamp|service'}" org.onap.clampdemo|access|*|*|ClampDemo Write Access|{'org.onap.clampdemo.admin'} org.onap.clampdemo|access|*|read|ClampDemo Read Access|{'org.onap.clampdemo.owner'} org.onap.clamptest|access|*|*|Onap Write Access|{'org.onap.clamptest.admin'} diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat index ea15da4053..d73a09d4cd 100644 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat +++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat 
@@ -40,7 +40,7 @@ org.onap.clampdemo|admin|Onap Clamp Test Admins|"{'org.onap.clampdemo.access|*| org.onap.clampdemo|owner|onap clamp Test Owners|"{'org.onap.clampdemo.access|*|read'}" org.onap.clamp|owner|AAF Namespace Owners| org.onap.clamp|seeCerts||"{'org.onap.clamp|certman|local|request,ignoreIPs,showpass'}" -org.onap.clamp|service||"{'org.onap.clamp|access|*|*', 'org.onap.clamp|clds.cl.manage|dev|*', 'org.onap.clamp|clds.cl|dev|*', 'org.onap.clamp|clds.filter.vf|dev|*', 'org.onap.clamp|clds.template|dev|*', 'org.onap.clamp|clds.tosca|dev|*'}" +org.onap.clamp|service||"{'org.onap.clamp|access|*|*', 'org.onap.clamp|clds.cl.manage|dev|*', 'org.onap.clamp|clds.cl|dev|*', 'org.onap.clamp|clds.filter.vf|dev|*', 'org.onap.clamp|clds.template|dev|*', 'org.onap.clamp|clds.tosca|dev|*', 'org.onap.clamp|clds.policies|dev|*'}" org.onap.clamptest|admin|Onap Clamp Test Admins|"{'org.onap.clamptest.access|*|*'}" org.onap.clamptest|owner|onap clamp Test Owners|"{'org.onap.clamptest.access|*|read'}" org.onap.cli|admin|AAF Namespace Administrators|"{'org.onap.cli|access|*|*'}" diff --git a/kubernetes/appc/components/appc-cdt/values.yaml b/kubernetes/appc/components/appc-cdt/values.yaml index 3b1ff47116..5765d3482d 100644 --- a/kubernetes/appc/components/appc-cdt/values.yaml +++ b/kubernetes/appc/components/appc-cdt/values.yaml 
@@ -38,27 +38,17 @@ certInitializer: cadi_longitude: "-72.0" credsPath: /opt/app/osaaf/local aaf_add_config: | - echo "*** retrieving password for keystore" - export $(/opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) - if [ -z "$cadi_keystore_password_p12" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - else - cd {{ .Values.credsPath }}; - mkdir -p certs; - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key file" - cp {{ .Values.fqi_namespace }}.key certs/key.pem; - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} - fi + echo "*** transform AAF certs into pem files" + mkdir -p {{ .Values.credsPath }}/certs + openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 + echo "*** copy key file" + cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ + {{ .Values.credsPath }}/certs/key.pem + echo "*** change ownership of certificates to targeted user" + chown -R 1000 {{ .Values.credsPath }} ################################################################# # Application configuration defaults. diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh index 2fd6db1360..717ea6679c 100755 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh +++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh 
@@ -44,7 +44,7 @@ enable_odl_cluster () { node_index=($(echo ${hm} | awk -F"-" '{print $NF}')) node_list="${node}-0.{{ .Values.service.name }}-cluster.{{.Release.Namespace}}"; - for ((i=1;i<${APPC_REPLICAS};i++)); + for i in $(seq 1 $((${APPC_REPLICAS}-1))); do node_list="${node_list} ${node}-$i.{{ .Values.service.name }}-cluster.{{.Release.Namespace}}" done @@ -65,7 +65,7 @@ DBINIT_DIR=${DBINIT_DIR:-/opt/opendaylight/current/daexim} # Wait for database to init properly # echo "Waiting for mariadbgalera" -until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql &> /dev/null +until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql >/dev/null 2>&1 do printf "." sleep 1 diff --git a/kubernetes/common/Makefile b/kubernetes/common/Makefile index c7aba635c1..6442068b2f 100644 --- a/kubernetes/common/Makefile +++ b/kubernetes/common/Makefile @@ -21,7 +21,7 @@ COMMON_CHARTS_DIR := common EXCLUDES := PROCESSED_LAST := cert-wrapper repository-wrapper -PROCESSED_FIRST := repositoryGenerator readinessCheck certInitializer +PROCESSED_FIRST := repositoryGenerator readinessCheck serviceAccount certInitializer TO_FILTER := $(PROCESSED_FIRST) $(EXCLUDES) $(PROCESSED_LAST) HELM_BIN := helm diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index ec1ce944c9..cb4153e778 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -58,7 +58,8 @@ done # Prepare truststore output file if [ "$AAF_ENABLED" = "true" ] then - mv $WORK_DIR/$ONAP_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME + echo "AAF is enabled, use 'AAF' truststore" + export TRUSTSTORE_OUTPUT_FILENAME=${ONAP_TRUSTSTORE} else echo "AAF is disabled, using JRE truststore" cp $JRE_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME 
diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl index 108873b31d..2b9461e50e 100644 --- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl +++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl @@ -189,6 +189,8 @@ spec: {{ end }} {{- end -}} +{{/*Using templates below allows read and write access to volume mounted at $mountPath*/}} + {{- define "common.certManager.volumeMounts" -}} {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} @@ -217,8 +219,14 @@ spec: sources: - secret: name: {{ $certificatesSecretName }} - {{- if $certificate.keystore }} items: + - key: tls.key + path: key.pem + - key: tls.crt + path: cert.pem + - key: ca.crt + path: cacert.pem + {{- if $certificate.keystore }} {{- range $outputType := $certificate.keystore.outputType }} - key: keystore.{{ $outputType }} path: keystore.{{ $outputType }} @@ -248,4 +256,55 @@ spec: {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}} {{- end -}} {{ $certsLinkCommand }} -{{- end -}}
\ No newline at end of file +{{- end -}} + +{{/*Using templates below allows only read access to volume mounted at $mountPath*/}} + +{{- define "common.certManager.volumeMountsReadOnly" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} + {{- range $i, $certificate := $dot.Values.certificates -}} + {{- $mountPath := $certificate.mountPath -}} +- mountPath: {{ $mountPath }} + name: certmanager-certs-volume-{{ $i }} + {{- end -}} +{{- end -}} + +{{- define "common.certManager.volumesReadOnly" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} +{{- $certificates := $dot.Values.certificates -}} + {{- range $i, $certificate := $certificates -}} + {{- $name := include "common.fullname" $dot -}} + {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +- name: certmanager-certs-volume-{{ $i }} + projected: + sources: + - secret: + name: {{ $certificatesSecretName }} + items: + - key: tls.key + path: key.pem + - key: tls.crt + path: cert.pem + - key: ca.crt + path: cacert.pem + {{- if $certificate.keystore }} + {{- range $outputType := $certificate.keystore.outputType }} + - key: keystore.{{ $outputType }} + path: keystore.{{ $outputType }} + - key: truststore.{{ $outputType }} + path: truststore.{{ $outputType }} + {{- end }} + - secret: + name: {{ $certificate.keystore.passwordSecretRef.name }} + items: + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: keystore.pass + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: truststore.pass + {{- end }} + {{- end -}} +{{- end -}} 
diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl index 1be3e3b790..5021c500b0 100644 --- a/kubernetes/common/common/templates/_mariadb.tpl +++ b/kubernetes/common/common/templates/_mariadb.tpl @@ -63,7 +63,7 @@ */}} {{- define "common.mariadbService" -}} {{- if .Values.global.mariadbGalera.localCluster -}} - {{- index .Values "mariadb-galera" "service" "name" -}} + {{- index .Values "mariadb-galera" "nameOverride" -}} {{- else -}} {{- .Values.global.mariadbGalera.service -}} {{- end -}} diff --git a/kubernetes/common/roles-wrapper/Chart.yaml b/kubernetes/common/roles-wrapper/Chart.yaml new file mode 100644 index 0000000000..862773fc87 --- /dev/null +++ b/kubernetes/common/roles-wrapper/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: Wrapper chart to allow default roles to be shared among onap instances +name: roles-wrapper +version: 8.0.0 diff --git a/kubernetes/common/roles-wrapper/requirements.yaml b/kubernetes/common/roles-wrapper/requirements.yaml new file mode 100644 index 0000000000..b2d51ef925 --- /dev/null +++ b/kubernetes/common/roles-wrapper/requirements.yaml 
@@ -0,0 +1,18 @@ +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: common + version: ~8.x-0 + repository: 'file://../common' diff --git a/kubernetes/common/roles-wrapper/templates/role.yaml b/kubernetes/common/roles-wrapper/templates/role.yaml new file mode 100644 index 0000000000..e2a84b4151 --- /dev/null +++ b/kubernetes/common/roles-wrapper/templates/role.yaml 
@@ -0,0 +1,110 @@ +{{/* +# Copyright © 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- $dot := . -}} +{{- range $role_type := $dot.Values.roles }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ printf "%s-%s" (include "common.release" $dot) $role_type }} + namespace: {{ include "common.namespace" $dot }} +rules: +{{- if eq $role_type "read" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + - extensions + resources: + - pods + - deployments + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + verbs: + - get + - watch + - list +{{- else }} +{{- if eq $role_type "create" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + - extensions + resources: + - pods + - deployments + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + - secrets + verbs: + - get + - watch + - list +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - statefulsets + verbs: + - patch +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - deployments + - secrets + verbs: + - create +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods + - persistentvolumeclaims + - secrets + - deployment + verbs: + - delete +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods/exec + verbs: + - create 
+{{- else }} +# if you don't match read or create, then you're not allowed to use API +# except to see basic information about yourself +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + - selfsubjectrulesreviews + verbs: + - create +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/roles-wrapper/values.yaml b/kubernetes/common/roles-wrapper/values.yaml new file mode 100644 index 0000000000..8a53d7d733 --- /dev/null +++ b/kubernetes/common/roles-wrapper/values.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +roles: + - nothing + - read + - create diff --git a/kubernetes/common/serviceAccount/templates/role-binding.yaml b/kubernetes/common/serviceAccount/templates/role-binding.yaml index 2082f8466b..7c272aecda 100644 --- a/kubernetes/common/serviceAccount/templates/role-binding.yaml +++ b/kubernetes/common/serviceAccount/templates/role-binding.yaml 
@@ -16,18 +16,24 @@ {{- $dot := . -}} {{- range $role_type := $dot.Values.roles }} +{{/* retrieve the names for generic roles */}} +{{ $name := printf "%s-%s" (include "common.release" $dot) $role_type }} +{{- if not (has $role_type $dot.Values.defaultRoles) }} +{{ $name = include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 # This cluster role binding allows anyone in the "manager" group to read secrets in any namespace. kind: RoleBinding metadata: - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} namespace: {{ include "common.namespace" $dot }} subjects: - kind: ServiceAccount - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} roleRef: kind: Role - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ $name }} apiGroup: rbac.authorization.k8s.io {{- end }} + diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml index 6d12164938..2055885f2a 100644 --- a/kubernetes/common/serviceAccount/templates/role.yaml +++ b/kubernetes/common/serviceAccount/templates/role.yaml 
@@ -14,96 +14,28 @@ # limitations under the License. */}} -{{- $dot := . -}} +{{- $dot := . -}} {{- range $role_type := $dot.Values.roles }} +{{/* Default roles are already created, just creating specific ones */}} +{{- if not (has $role_type $dot.Values.defaultRoles) }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} namespace: {{ include "common.namespace" $dot }} rules: -{{- if eq $role_type "read" }} -- apiGroups: - - "" # "" indicates the core API group - - apps - - batch - - extensions - resources: - - pods - - deployments - - jobs - - jobs/status - - statefulsets - - replicasets - - replicasets/status - - daemonsets - verbs: - - get - - watch - - list -{{- else }} -{{- if eq $role_type "create" }} -- apiGroups: - - "" # "" indicates the core API group - - apps - - batch - - extensions - resources: - - pods - - deployments - - jobs - - jobs/status - - statefulsets - - replicasets - - replicasets/status - - daemonsets - - secrets - verbs: - - get - - watch - - list -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - statefulsets - verbs: - - patch -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - deployments - - secrets - verbs: - - create -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - pods - - persistentvolumeclaims - - secrets - - deployment - verbs: - - delete +{{- if hasKey $dot.Values.new_roles_definitions $role_type }} +{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }} +{{- else}} +# if no rules are provided, you're back to 'nothing' role - apiGroups: - - "" # "" indicates the core API group - - apps + - authorization.k8s.io resources: - - pods/exec + - selfsubjectaccessreviews + - selfsubjectrulesreviews verbs: - create 
-{{- else }} -{{- if hasKey $dot.Values.new_roles_definitions $role_type }} -{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }} -{{- else}} -# if you don't match read or create, then you're not allowed to use API -- apiGroups: [] - resources: [] - verbs: [] {{- end }} {{- end }} {{- end }} -{{- end }} diff --git a/kubernetes/common/serviceAccount/templates/service-account.yaml b/kubernetes/common/serviceAccount/templates/service-account.yaml index 449bea684c..20bd94f49a 100644 --- a/kubernetes/common/serviceAccount/templates/service-account.yaml +++ b/kubernetes/common/serviceAccount/templates/service-account.yaml @@ -20,5 +20,5 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} -{{- end }} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} +{{- end }}
\ No newline at end of file diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml index afa819421c..22faeb6904 100644 --- a/kubernetes/common/serviceAccount/values.yaml +++ b/kubernetes/common/serviceAccount/values.yaml @@ -12,11 +12,18 @@ # See the License for the specific language governing permissions and # limitations under the License. +# Default roles will be created by roles wrapper +# It won't work if roles wrapper is disabled. roles: - nothing # - read # - create +defaultRoles: + - nothing + - read + - create + new_roles_definitions: {} # few-read: # - apiGroups: diff --git a/kubernetes/contrib/components/ejbca/values.yaml b/kubernetes/contrib/components/ejbca/values.yaml index 69d993e9a4..57d1e7848e 100644 --- a/kubernetes/contrib/components/ejbca/values.yaml +++ b/kubernetes/contrib/components/ejbca/values.yaml @@ -54,7 +54,7 @@ mysqlDatabase: &dbName ejbca replicaCount: 1 ejbca: - image: primekey/ejbca-ce:6.15.2.5 + image: primekey/ejbca-ce:7.4.3.2 pullPolicy: Always mariadb-galera: diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index 91fefa47b7..5de526288e 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -3,6 +3,7 @@ # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -267,6 +268,7 @@ spec: - mountPath: /opt/app/osaaf name: tls-info {{- end }} + {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }} containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -274,7 +276,7 @@ spec: env: {{- if $certDir }} - name: DCAE_CA_CERTPATH - value: {{ $certDir}}/cacert.pem + value: {{ $certDir }}/cacert.pem {{- end }} - name: CONSUL_HOST value: consul-server.onap @@ -322,6 +324,9 @@ spec: {{- if $certDir }} - mountPath: {{ $certDir }} name: tls-info + {{- if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{- include "common.certManager.volumeMountsReadOnly" . | nindent 8 -}} + {{- end -}} {{- end }} {{- if $policy }} - name: policy-shared @@ -417,6 +422,9 @@ spec: {{- if $certDir }} - emptyDir: {} name: tls-info + {{ if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{ include "common.certManager.volumesReadOnly" . | nindent 6 }} + {{- end }} {{- end }} {{- if $policy }} - name: policy-shared 
@@ -426,3 +434,49 @@ spec: imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" {{ end -}} + +{{/* + For internal use + + Template to attach CertPostProcessor which merges CMPv2 truststore with AAF truststore + and swaps keystore files. +*/}} +{{- define "dcaegen2-services-common._certPostProcessor" -}} + {{- $certDir := default "" .Values.certDirectory . -}} + {{- if and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{- $cmpv2Certificate := (index .Values.certificates 0) -}} + {{- $cmpv2CertificateDir := $cmpv2Certificate.mountPath -}} + {{- $certType := "pem" -}} + {{- if $cmpv2Certificate.keystore -}} + {{- $certType = (index $cmpv2Certificate.keystore.outputType 0) -}} + {{- end -}} + {{- $truststoresPaths := printf "%s/%s:%s/%s" $certDir "cacert.pem" $cmpv2CertificateDir "cacert.pem" -}} + {{- $truststoresPasswordPaths := ":" -}} + {{- $keystoreSourcePaths := printf "%s/%s:%s/%s" $cmpv2CertificateDir "cert.pem" $cmpv2CertificateDir "key.pem" -}} + {{- $keystoreDestinationPaths := printf "%s/%s:%s/%s" $certDir "cert.pem" $certDir "key.pem" -}} + {{- if not (eq $certType "pem") -}} + {{- $truststoresPaths = printf "%s/%s:%s/%s.%s" $certDir "trust.jks" $cmpv2CertificateDir "truststore" $certType -}} + {{- $truststoresPasswordPaths = printf "%s/%s:%s/%s" $certDir "trust.pass" $cmpv2CertificateDir "truststore.pass" -}} + {{- $keystoreSourcePaths = printf "%s/%s.%s:%s/%s" $cmpv2CertificateDir "keystore" $certType $cmpv2CertificateDir "keystore.pass" -}} + {{- $keystoreDestinationPaths = printf "%s/%s.%s:%s/%s.pass" $certDir "cert" $certType $certDir $certType -}} + {{- end }} + - name: cert-post-processor + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.certPostProcessorImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + {{- include "common.resources" . 
| nindent 4 }} + volumeMounts: + - mountPath: {{ $certDir }} + name: tls-info + {{- include "common.certManager.volumeMountsReadOnly" . | nindent 4 }} + env: + - name: TRUSTSTORES_PATHS + value: {{ $truststoresPaths | quote}} + - name: TRUSTSTORES_PASSWORDS_PATHS + value: {{ $truststoresPasswordPaths | quote }} + - name: KEYSTORE_SOURCE_PATHS + value: {{ $keystoreSourcePaths | quote }} + - name: KEYSTORE_DESTINATION_PATHS + value: {{ $keystoreDestinationPaths | quote }} + {{- end }} +{{- end -}} diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml index cd69da8346..cbd07dc486 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml @@ -15,4 +15,4 @@ # limitations under the License. # ============LICENSE_END========================================================= # dcaegen2-services-common templates get any values from the scope -# they are passed. There are no locally-defined values.
\ No newline at end of file +# they are passed. There are no locally-defined values. diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml index 639fc2c740..929cdbbc5f 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml @@ -1,4 +1,5 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,3 +26,6 @@ dependencies: - name: dcaegen2-services-common version: ~8.x-0 repository: 'file://../../common/dcaegen2-services-common' + - name: certManagerCertificate + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml new file mode 100644 index 0000000000..0db2138a4f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml 
@@ -0,0 +1,19 @@ +{{/* +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} +{{ include "certManagerCertificate.certificate" . }} +{{ end }} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml index cec332218d..bb65f37f73 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml @@ -1,6 +1,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -34,6 +35,7 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 ################################################################# # Application configuration defaults. @@ -62,6 +64,24 @@ secrets: password: '{{ .Values.aafCreds.password }}' passwordPolicy: required +# CMPv2 certificate +# It is used only when global parameter cmpv2Enabled is true +# Disabled by default +certificates: + - mountPath: /etc/ves-hv/ssl/external + commonName: dcae-hv-ves-collector + dnsNames: + - dcae-hv-ves-collector + - hv-ves-collector + - hv-ves + keystore: + outputType: + - jks + passwordSecretRef: + name: hv-ves-cmpv2-keystore-password + key: password + create: true + # dependencies readinessCheck: wait_for: diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml index 639fc2c740..929cdbbc5f 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml @@ -1,4 +1,5 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,3 +26,6 @@ dependencies: - name: dcaegen2-services-common version: ~8.x-0 repository: 'file://../../common/dcaegen2-services-common' + - name: certManagerCertificate + version: ~8.x-0 + repository: '@local' 
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml new file mode 100644 index 0000000000..0db2138a4f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} +{{ include "certManagerCertificate.certificate" . }} +{{ end }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index 62c640453b..081bcdcc1a 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml @@ -1,6 +1,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -34,6 +35,7 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 ################################################################# # Application configuration defaults. @@ -55,6 +57,24 @@ certDirectory: /opt/app/dcae-certificate # and key from AAF and mount them in certDirectory. tlsServer: true +# CMPv2 certificate +# It is used only when global parameter cmpv2Enabled is true +# Disabled by default +certificates: + - mountPath: /opt/app/dcae-certificate/external + commonName: dcae-ves-collector + dnsNames: + - dcae-ves-collector + - ves-collector + - ves + keystore: + outputType: + - jks + passwordSecretRef: + name: ves-cmpv2-keystore-password + key: password + create: true + # dependencies readinessCheck: wait_for: diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml index 51fcd08c4a..4c1c22f766 100644 --- a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml @@ -103,11 +103,11 @@ flavor: small resources: small: limits: - cpu: 0.6 - memory: 1Gi + cpu: 2 + memory: 2Gi requests: - cpu: 0.4 - memory: 600Mib + cpu: 1 + memory: 1Gi large: limits: cpu: 4 diff --git a/kubernetes/helm/plugins/deploy/deploy.sh b/kubernetes/helm/plugins/deploy/deploy.sh index a7e394d4ae..0d434ad877 100755 --- a/kubernetes/helm/plugins/deploy/deploy.sh +++ b/kubernetes/helm/plugins/deploy/deploy.sh 
@@ -54,7 +54,7 @@ generate_overrides() { cat $COMPUTED_OVERRIDES | sed '/common:/,/consul:/d' \ | sed -n '/^'"$START"'/,/'log:'/p' | sed '1d;$d' >> $GLOBAL_OVERRIDES else - SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(cut -d':' -f1 <<<"$START")" + SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(echo "$START" |cut -d':' -f1)" if [[ -d "$SUBCHART_DIR" ]]; then if [[ -z "$END" ]]; then cat $COMPUTED_OVERRIDES | sed -n '/^'"$START"'/,/'"$END"'/p' \ @@ -70,7 +70,7 @@ generate_overrides() { resolve_deploy_flags() { flags=($1) n=${#flags[*]} - for (( i = 0; i < n; i++ )); do + i=0 ; while [ "$i" -lt "$n" ]; do PARAM=${flags[i]} if [[ $PARAM = "-f" || \ $PARAM = "--values" || \ @@ -82,6 +82,7 @@ resolve_deploy_flags() { else DEPLOY_FLAGS="$DEPLOY_FLAGS $PARAM" fi + i=$((i+1)) done echo "$DEPLOY_FLAGS" } @@ -96,8 +97,8 @@ deploy() { RELEASE=$1 CHART_URL=$2 FLAGS=${@:3} - CHART_REPO="$(cut -d'/' -f1 <<<"$CHART_URL")" - CHART_NAME="$(cut -d'/' -f2 <<<"$CHART_URL")" + CHART_REPO="$(echo "$CHART_URL" |cut -d'/' -f1)" + CHART_NAME="$(echo "$CHART_URL" |cut -d'/' -f2)" if [[ $HELM_VER = "v3."* ]]; then CACHE_DIR=~/.local/share/helm/plugins/deploy/cache else @@ -146,9 +147,9 @@ deploy() { DEPLOY_FLAGS=$(resolve_deploy_flags "$FLAGS") # determine if upgrading individual subchart or entire parent + subcharts - SUBCHART_RELEASE="$(cut -d'-' -f2 <<<"$RELEASE")" + SUBCHART_RELEASE="$(echo "$RELEASE" |cut -d'-' -f2)" # update specified subchart without parent - RELEASE="$(cut -d'-' -f1 <<<"$RELEASE")" + RELEASE="$(echo "$RELEASE" |cut -d'-' -f1)" if [[ $SUBCHART_RELEASE = $RELEASE ]]; then SUBCHART_RELEASE= fi @@ -255,7 +256,7 @@ deploy() { else array=($(echo "$ALL_HELM_RELEASES" | grep "${RELEASE}-${subchart}")) n=${#array[*]} - for (( i = n-1; i >= 0; i-- )); do + for i in $(seq $(($n-1)) -1 0); do if [[ $HELM_VER = "v3."* ]]; then helm del "${array[i]}" else diff --git a/kubernetes/helm/plugins/undeploy/undeploy.sh b/kubernetes/helm/plugins/undeploy/undeploy.sh index e5c0c12711..1689bf1b48 100755 
--- a/kubernetes/helm/plugins/undeploy/undeploy.sh +++ b/kubernetes/helm/plugins/undeploy/undeploy.sh @@ -23,7 +23,7 @@ undeploy() { array=($(helm ls -q --all | grep $RELEASE)) n=${#array[*]} - for (( i = n-1; i >= 0; i-- )) + for i in $(seq $(($n-1)) -1 0) do helm del "${array[i]}" $FLAGS done diff --git a/kubernetes/onap/requirements.yaml b/kubernetes/onap/requirements.yaml index 6034063a0e..fa3efd3b40 100755 --- a/kubernetes/onap/requirements.yaml +++ b/kubernetes/onap/requirements.yaml @@ -169,3 +169,7 @@ dependencies: version: ~8.x-0 repository: '@local' condition: cert-wrapper.enabled + - name: roles-wrapper + version: ~8.x-0 + repository: '@local' + condition: roles-wrapper.enabled diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index ca9ccd48f4..d91284a6c3 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -398,3 +398,5 @@ cert-wrapper: enabled: true repository-wrapper: enabled: true +roles-wrapper: + enabled: true diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index c34ebad982..fd34b1ef28 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -73,7 +73,7 @@ cmpv2issuer: certEndpoint: v1/certificate caName: RA certSecretRef: - name: oom-cert-service-server-tls-secret + name: oom-cert-service-client-tls-secret certRef: tls.crt keyRef: tls.key cacertRef: ca.crt diff --git a/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml deleted file mode 100644 index ba12874eb6..0000000000 --- a/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/* - # Copyright © 2020, Nokia - # - # Licensed under the Apache License, Version 2.0 (the "License"); - # you may not use this file except in compliance with the License. - # You may obtain a copy of the License at - # - # http://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, - # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - # See the License for the specific language governing permissions and - # limitations under the License. -*/}} - -{{- if .Values.global.offlineDeploymentBuild }} -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "common.repository" . }}/{{ .Values.certificateGenerationImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{ end -}} diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index 829d3a01d1..2e149683d7 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -22,7 +22,6 @@ global: # Standard OOM pullPolicy: "Always" repository: "nexus3.onap.org:10001" - offlineDeploymentBuild: false # Service configuration @@ -33,9 +32,6 @@ service: port: 8443 port_protocol: http -# Certificates generation configuration -certificateGenerationImage: onap/integration-java11:7.2.0 - # Deployment configuration repository: "nexus3.onap.org:10001" image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3 
diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties b/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties index 17185cc4bb..a6334668b1 100644 --- a/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties +++ b/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties 
@@ -48,22 +48,22 @@ spring.datasource.url=jdbc:mariadb:sequential://{{ .Values.db.service.name }}:{{ spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller,clamp-ssl-config,clamp-policy-controller,default-dictionary-elements #The log folder that will be used in logback.xml file -clamp.config.files.sdcController=file:/opt/policy/clamp/sdc-controllers-config.json +clamp.config.files.sdcController=file:/opt/policy/clamp/sdc-controllers-config-pass.json # # Configuration Settings for Policy Engine Components -clamp.config.policy.api.url=https4://policy-api.{{ include "common.namespace" . }}:6969 +clamp.config.policy.api.url=https://policy-api.{{ include "common.namespace" . }}:6969 clamp.config.policy.api.userName=healthcheck clamp.config.policy.api.password=zb!XztG34 -clamp.config.policy.pap.url=https4://policy-pap.{{ include "common.namespace" . }}:6969 +clamp.config.policy.pap.url=https://policy-pap.{{ include "common.namespace" . }}:6969 clamp.config.policy.pap.userName=healthcheck clamp.config.policy.pap.password=zb!XztG34 #DCAE Inventory Url Properties -clamp.config.dcae.inventory.url=https4://inventory.{{ include "common.namespace" . }}:8080 -clamp.config.dcae.dispatcher.url=https4://deployment-handler.{{ include "common.namespace" . }}:8443 +clamp.config.dcae.inventory.url=https://inventory.{{ include "common.namespace" . }}:8080 +clamp.config.dcae.dispatcher.url=https://deployment-handler.{{ include "common.namespace" . }}:8443 #DCAE Deployment Url Properties -clamp.config.dcae.deployment.url=https4://deployment-handler.{{ include "common.namespace" . }}:8443 +clamp.config.dcae.deployment.url=https://deployment-handler.{{ include "common.namespace" . }}:8443 clamp.config.dcae.deployment.userName=none clamp.config.dcae.deployment.password=none 
diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json b/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json index 3adda95c11..6021b21d21 100644 --- a/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json +++ b/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json @@ -6,7 +6,7 @@ "consumerId": "clamp", "environmentName": "AUTO", "sdcAddress": "sdc-be.{{ include "common.namespace" . }}:8443", - "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981", + "password": "${SDC_CLIENT_PASSWORD_ENC}", "pollingInterval":30, "pollingTimeout":30, "activateServerTLSAuth":"false", diff --git a/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml index 1120f9b2b6..c243e30540 100644 --- a/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml @@ -67,6 +67,8 @@ spec: - | {{- if .Values.global.aafEnabled }} export $(grep '^cadi_' {{ .Values.certInitializer.credsPath }}/org.onap.clamp.cred.props | xargs -0) + export SDC_CLIENT_PASSWORD_ENC=`java -jar {{ .Values.certInitializer.credsPath }}/aaf-cadi-aaf-2.1.20-full.jar cadi digest ${SDC_CLIENT_PASSWORD} {{ .Values.certInitializer.credsPath }}/org.onap.clamp.keyfile`; + envsubst < "/opt/policy/clamp/sdc-controllers-config.json" > "/opt/policy/clamp/sdc-controllers-config-pass.json" {{- end }} java -Djava.security.egd=file:/dev/./urandom ${JAVA_RAM_CONFIGURATION} -jar ./policy-clamp-backend.jar ports: 
@@ -99,6 +101,8 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12 }} - name: MYSQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12 }} + - name: SDC_CLIENT_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdc-creds" "key" "password") | indent 12 }} {{- if ne "unlimited" (include "common.flavor" .) }} - name: JAVA_RAM_CONFIGURATION value: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=75 diff --git a/kubernetes/policy/components/policy-clamp-be/values.yaml b/kubernetes/policy/components/policy-clamp-be/values.yaml index ef0ea7ae4e..71d2517be1 100644 --- a/kubernetes/policy/components/policy-clamp-be/values.yaml +++ b/kubernetes/policy/components/policy-clamp-be/values.yaml @@ -44,10 +44,7 @@ certInitializer: app_ns: org.osaaf.aaf credsPath: /opt/app/osaaf/local aaf_add_config: > - echo "$cadi_truststore_password" > {{ .Values.credsPath }}/cadi_truststore_password.pwd; - echo "$cadi_key_password" > {{ .Values.credsPath }}/cadi_key_password.pwd; - echo "$cadi_keystore_password" > {{ .Values.credsPath }}/cadi_keystore_password.pwd; - echo "$cadi_keystore_password_p12" > {{ .Values.credsPath }}/cadi_keystore_password_p12.pwd; + /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop; cd {{ .Values.credsPath }}; chmod a+rx *; @@ -58,11 +55,16 @@ secrets: login: '{{ .Values.db.user }}' password: '{{ .Values.db.password }}' passwordPolicy: required + - uid: sdc-creds + type: password + externalSecret: '{{ tpl (default "" .Values.sdc.sdcClientExternalSecret) . }}' + password: '{{ .Values.sdc.clientPassword }}' + passwordPolicy: required flavor: small # application image -image: onap/policy-clamp-backend:6.0.2 +image: onap/policy-clamp-backend:6.1.1 pullPolicy: Always # flag to enable debugging - application support required 
@@ -78,6 +80,9 @@ log: #####dummy values for db user and password to pass lint!!!####### +sdc: + clientPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + db: user: policy_user password: policy_user diff --git a/kubernetes/policy/components/policy-clamp-fe/values.yaml b/kubernetes/policy/components/policy-clamp-fe/values.yaml index c824965955..9712a38e10 100644 --- a/kubernetes/policy/components/policy-clamp-fe/values.yaml +++ b/kubernetes/policy/components/policy-clamp-fe/values.yaml @@ -60,7 +60,7 @@ subChartsOnly: flavor: small # application image -image: onap/policy-clamp-frontend:6.0.2 +image: onap/policy-clamp-frontend:6.1.1 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh index 390241fa1d..c4a21b927f 100644 --- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh +++ b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh @@ -107,7 +107,7 @@ docker_temp_server_start() { if [ -z "$DATABASE_ALREADY_EXISTS" ]; then extraArgs+=( '--dont-use-mysql-root-password' ) fi - if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then + if echo 'SELECT 1' |docker_process_sql "${extraArgs[@]}" --database=mysql >/dev/null 2>&1; then break fi sleep 1 
@@ -263,19 +263,19 @@ docker_setup_db() { # Creates a custom database and user if specified if [ -n "$MYSQL_DATABASE" ]; then mysql_note "Creating database ${MYSQL_DATABASE}" - docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" + echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" |docker_process_sql --database=mysql fi if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then mysql_note "Creating user ${MYSQL_USER}" - docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" + echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" |docker_process_sql --database=mysql if [ -n "$MYSQL_DATABASE" ]; then mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}" - docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;" + echo "GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;" |docker_process_sql --database=mysql fi - docker_process_sql --database=mysql <<<"FLUSH PRIVILEGES ;" + echo "FLUSH PRIVILEGES ;" |docker_process_sql --database=mysql fi } diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml index 5c530fea72..af53fd6708 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml @@ -93,7 +93,7 @@ spec: memory: 20Mi {{- end }} - name: volume-permissions - image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} + image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - sh |
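Review bot: in the new `dcaegen2-services-common._certPostProcessor` define, `resources:` is written at four spaces and the following `{{- include "common.resources" . | nindent 4 }}` also indents at four, so whatever `common.resources` emits lands at the same depth as the `resources:` key instead of under it; unless that include is expected to render nothing for the flavor in use, `resources:` becomes a null mapping and its children turn into sibling keys of the container. Rendering the chart with `helm template` for a non-unlimited flavor would confirm this; `nindent 6` looks like the intended offset. Two smaller points in the same hunk: `{{- $certDir := default "" .Values.certDirectory . -}}` passes a trailing `.` that Sprig's `default` ignores, so it should be dropped rather than suggest it does something; and only `(index .Values.certificates 0)` is ever processed, so the header comment should state that the post-processor handles a single CMPv2 certificate.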
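Review bot: the gate in both new `templates/certificates.yaml` files (`dcae-hv-ves-collector` and `dcae-ves-collector`), `{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }}`, differs from the one in `_certPostProcessor`, which additionally requires `.Values.certificates` to be non-empty; with the three flags set but an empty `certificates` list the Certificate template is included while no post-processor container is attached. Aligning the two conditions, or moving them into one shared helper, avoids that partial enablement. Minor: the untrimmed `{{ if }}`/`{{ end }}` emit blank lines when disabled, so `{{-`/`-}}` would keep the rendered output clean.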
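Review bot: the comment above the new `certificates:` block in both `dcae-hv-ves-collector/values.yaml` and `dcae-ves-collector/values.yaml` says `Disabled by default`, but nothing in the block itself is off; the certificate is gated only by `global.cmpv2Enabled` and `global.CMPv2CertManagerIntegration`, so the comment should name those two flags instead. It is also worth documenting there that `passwordSecretRef.create: true` makes the chart generate the keystore password secret (`hv-ves-cmpv2-keystore-password` / `ves-cmpv2-keystore-password`), and that index 0 of `outputType` is what `_certPostProcessor` reads to choose the `jks` file naming.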
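Review bot: the resource change in `dcae-dashboard/values.yaml` also replaces `memory: 600Mib`, which is not a valid Kubernetes quantity suffix (`Mi` is), so the old small-flavor request could not have been applied as written; that silent bug fix should be called out in the commit message alongside the increase, and raising the small-flavor CPU limit from 0.6 to 2 deserves a one-line justification.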
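Review bot: in `deploy.sh` and `undeploy.sh` the here-strings and C-style `for (( ))` loops are replaced with `echo ... | cut` and `seq`, presumably for POSIX sh, but the same functions still depend on bash-only constructs visible in the context lines (`[[ ... ]]`, `${flags[i]}`, `${@:3}`, `array=( ... )`), so the scripts remain bash scripts and the partial conversion only adds inconsistency; either keep the bash forms or convert the whole file. If portability is the goal, prefer `printf '%s\n' "$START" | cut -d':' -f1` over `echo`, whose handling of a leading `-n` and of backslashes differs between shells, and note that `seq` is not in POSIX either (a `while [ "$i" -ge 0 ]` countdown is). In `resolve_deploy_flags`, the new `i=$((i+1))` at the end of the loop body must stay ahead of any future `continue`, or the loop never terminates.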
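Review bot: `roles-wrapper` is added to `onap/requirements.yaml` and switched on for every deployment via `roles-wrapper.enabled: true` in `onap/values.yaml`, but the change carries no description of which RBAC roles or bindings the wrapper creates or which namespaces they cover; a short note in the chart documentation (and the commit message) listing those roles would let operators check them against least-privilege expectations before they are applied by default.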
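Review bot: changing `certSecretRef.name` from `oom-cert-service-server-tls-secret` to `oom-cert-service-client-tls-secret` in `cmpv2-cert-provider/values.yaml` is the right direction, since the CMPv2 issuer acts as a TLS client towards `oom-cert-service` and should present a client certificate rather than the server's own keypair; please confirm the client secret is created with the same `tls.crt`, `tls.key` and `ca.crt` keys that `certRef`, `keyRef` and `cacertRef` reference in the context lines, and record the rename in the release notes, because any override file still naming the server secret will stop working.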
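Review bot: deleting `fake_deployment.yaml` together with `global.offlineDeploymentBuild` and `certificateGenerationImage` in `oom-cert-service/values.yaml` removes the offline-build path entirely; please check that no other template or override file still references `.Values.global.offlineDeploymentBuild` or `.Values.certificateGenerationImage` (a stale reference renders as empty rather than failing), and that the offline-deployment documentation is updated to match.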
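Review bot: `clamp.config.files.sdcController` in `application.properties` now points unconditionally at `/opt/policy/clamp/sdc-controllers-config-pass.json`, but in the `policy-clamp-be` deployment hunk the `envsubst` step that produces that file runs only inside `{{- if .Values.global.aafEnabled }}`; with AAF disabled the backend starts against a file that does not exist. Either generate the file outside the AAF block (with a non-digested fallback) or keep the original path when `aafEnabled` is false. Separately, the `https4://` to `https://` correction is right for these URLs, but the surrounding context still carries literal credentials (`clamp.config.policy.api.password=zb!XztG34`, and the same for `pap`); since this change introduces a secret-backed mechanism for the SDC password, giving the policy-api/pap credentials the same treatment is a natural follow-up.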
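Review bot: the new export line in `policy-clamp-be/templates/deployment.yaml` that runs `cadi digest ${SDC_CLIENT_PASSWORD}` passes the clear-text password as a command-line argument, so it is visible in the process list and `/proc/<pid>/cmdline` for the lifetime of the `java` process; check whether the CADI `digest` command can read it from stdin or a file instead. The variable is also unquoted, so a password containing spaces or glob characters splits into several arguments; quote it as `"${SDC_CLIENT_PASSWORD}"` at minimum. The `envsubst` call should likewise be restricted to the one variable, `envsubst '${SDC_CLIENT_PASSWORD_ENC}'`, so that any other `$`-sequence in `sdc-controllers-config.json` (now a template rather than plain JSON, which the chart docs should mention) is left untouched.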
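Review bot: in `policy-clamp-be/values.yaml`, `aaf_add_config` now writes the output of `agent.sh local showpass` to `{{ .Values.credsPath }}/mycreds.prop`, and the retained `chmod a+rx *` on the next line makes that file world-readable; the previous version applied the same chmod to the individual `.pwd` files, so the exposure is not new, but with every credential now in a single properties file a `chmod 640` (or limiting the chmod to the files the application actually needs) would be the better default. The new `sdc-creds` entry under `secrets` is consistent with the `db-creds` entry above it.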
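Review bot: `sdc.clientPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U` is a committed default credential; the `#####dummy values ... to pass lint` banner above suggests a placeholder, but because the `sdc-creds` secret falls back to `.Values.sdc.clientPassword` whenever `sdc.sdcClientExternalSecret` is unset, this value is what real deployments use unless an operator overrides it. Either leave `clientPassword` empty so that a missing override fails at secret creation (as I read `passwordPolicy: required`, that is what it enforces), or state in the comment that the value must match the consumer password configured on the SDC side and be replaced for production.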
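Review bot: the herestring-to-`echo` rewrites in the `portal-mariadb` `docker-entrypoint.sh` hunks do not make the script POSIX, because the same hunks still use `extraArgs+=( ... )`, `"${extraArgs[@]}"` and the bash-only `${MYSQL_DATABASE//_/\\_}` substitution; if bash stays the interpreter the change is cosmetic. If a non-bash shell is the goal, use `printf '%s\n' "..." | docker_process_sql` rather than `echo`, since `echo` in some shells interprets backslash escapes and the GRANT statement deliberately contains `\_` escapes that must reach the server verbatim. As before, `$MYSQL_PASSWORD` is still interpolated into the SQL text, so a password containing a single quote breaks the `CREATE USER` statement either way.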