summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--docs/oom_cloud_setup_guide.rst9
-rw-r--r--docs/oom_quickstart_guide.rst30
-rw-r--r--docs/oom_setup_paas.rst10
-rw-r--r--docs/oom_user_guide.rst9
-rw-r--r--kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat1
-rw-r--r--kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat2
-rw-r--r--kubernetes/appc/components/appc-cdt/values.yaml32
-rwxr-xr-xkubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh4
-rw-r--r--kubernetes/common/Makefile2
-rwxr-xr-xkubernetes/common/cert-wrapper/resources/import-custom-certs.sh3
-rw-r--r--kubernetes/common/certManagerCertificate/templates/_certificate.tpl63
-rw-r--r--kubernetes/common/common/templates/_mariadb.tpl2
-rw-r--r--kubernetes/common/roles-wrapper/Chart.yaml18
-rw-r--r--kubernetes/common/roles-wrapper/requirements.yaml18
-rw-r--r--kubernetes/common/roles-wrapper/templates/role.yaml110
-rw-r--r--kubernetes/common/roles-wrapper/values.yaml18
-rw-r--r--kubernetes/common/serviceAccount/templates/role-binding.yaml12
-rw-r--r--kubernetes/common/serviceAccount/templates/role.yaml90
-rw-r--r--kubernetes/common/serviceAccount/templates/service-account.yaml4
-rw-r--r--kubernetes/common/serviceAccount/values.yaml7
-rw-r--r--kubernetes/contrib/components/ejbca/values.yaml2
-rw-r--r--kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl56
-rw-r--r--kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml2
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml4
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml19
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml20
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml4
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml19
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml20
-rw-r--r--kubernetes/dcaegen2/components/dcae-dashboard/values.yaml8
-rwxr-xr-xkubernetes/helm/plugins/deploy/deploy.sh15
-rwxr-xr-xkubernetes/helm/plugins/undeploy/undeploy.sh2
-rwxr-xr-xkubernetes/onap/requirements.yaml4
-rwxr-xr-xkubernetes/onap/values.yaml2
-rw-r--r--kubernetes/platform/components/cmpv2-cert-provider/values.yaml2
-rw-r--r--kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml31
-rw-r--r--kubernetes/platform/components/oom-cert-service/values.yaml4
-rw-r--r--kubernetes/policy/components/policy-clamp-be/resources/config/application.properties12
-rw-r--r--kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json2
-rw-r--r--kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml4
-rw-r--r--kubernetes/policy/components/policy-clamp-be/values.yaml15
-rw-r--r--kubernetes/policy/components/policy-clamp-fe/values.yaml2
-rw-r--r--kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh10
-rw-r--r--kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml2
44 files changed, 496 insertions, 209 deletions
diff --git a/docs/oom_cloud_setup_guide.rst b/docs/oom_cloud_setup_guide.rst
index 8431cf794a..033ba43fe4 100644
--- a/docs/oom_cloud_setup_guide.rst
+++ b/docs/oom_cloud_setup_guide.rst
@@ -46,9 +46,9 @@ The versions of Kubernetes that are supported by OOM are as follows:
.. table:: OOM Software Requirements
- ============== =========== ======= ======== ========
- Release Kubernetes Helm kubectl Docker
- ============== =========== ======= ======== ========
+ ============== =========== ======= ======== ======== ============
+ Release Kubernetes Helm kubectl Docker Cert-Manager
+ ============== =========== ======= ======== ======== ============
amsterdam 1.7.x 2.3.x 1.7.x 1.12.x
beijing 1.8.10 2.8.2 1.8.10 17.03.x
casablanca 1.11.5 2.9.1 1.11.5 17.03.x
@@ -57,7 +57,8 @@ The versions of Kubernetes that are supported by OOM are as follows:
frankfurt 1.15.9 2.16.6 1.15.11 18.09.x
guilin 1.15.11 2.16.10 1.15.11 18.09.x
Honolulu 1.19.9 3.5.2 1.19.9 19.03.x
- ============== =========== ======= ======== ========
+ Istanbul 1.2.0
+ ============== =========== ======= ======== ======== ============
.. note::
Guilin version also supports Kubernetes up to version 1.19.x and should work
diff --git a/docs/oom_quickstart_guide.rst b/docs/oom_quickstart_guide.rst
index 2fedc091d8..d573c94bb0 100644
--- a/docs/oom_quickstart_guide.rst
+++ b/docs/oom_quickstart_guide.rst
@@ -33,13 +33,19 @@ where <BRANCH> can be an official release tag, such as
> cp -R ~/oom/kubernetes/helm/plugins/ ~/.local/share/helm/plugins
> helm plugin install https://github.com/chartmuseum/helm-push.git
-**Step 3** Install Chartmuseum::
+**Step 3.** Install Chartmuseum::
> curl -LO https://s3.amazonaws.com/chartmuseum/release/latest/bin/linux/amd64/chartmuseum
> chmod +x ./chartmuseum
> mv ./chartmuseum /usr/local/bin
-**Step 4.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or
+**Step 4.** Install Cert-Manager::
+
+ > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
+
+More details can be found :doc:`here <oom_setup_paas>`.
+
+**Step 5.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or
an override file like `onap-all.yaml`, `onap-vfw.yaml` or `openstack.yaml` file
to suit your deployment with items like the OpenStack tenant information.
@@ -67,12 +73,6 @@ to suit your deployment with items like the OpenStack tenant information.
-.. note::
- If you want to use CMPv2 certificate onboarding, Cert-Manager must be installed.
- :doc:`Click here <oom_setup_paas>` to see how to install Cert-Manager.
-
-
-
a. Enabling/Disabling Components:
Here is an example of the nominal entries that need to be provided.
We have different values file available for different contexts.
@@ -154,7 +154,7 @@ Example Keystone v3 (required for Rocky and later releases)
:language: yaml
-**Step 5.** To setup a local Helm server to server up the ONAP charts::
+**Step 6.** To setup a local Helm server to server up the ONAP charts::
> chartmuseum --storage local --storage-local-rootdir ~/helm3-storage -port 8879 &
@@ -163,13 +163,13 @@ follows::
> helm repo add local http://127.0.0.1:8879
-**Step 6.** Verify your Helm repository setup with::
+**Step 7.** Verify your Helm repository setup with::
> helm repo list
NAME URL
local http://127.0.0.1:8879
-**Step 7.** Build a local Helm repository (from the kubernetes directory)::
+**Step 8.** Build a local Helm repository (from the kubernetes directory)::
> make SKIP_LINT=TRUE [HELM_BIN=<HELM_PATH>] all ; make SKIP_LINT=TRUE [HELM_BIN=<HELM_PATH>] onap
@@ -177,7 +177,7 @@ follows::
Sets the helm binary to be used. The default value use helm from PATH
-**Step 8.** Display the onap charts that available to be deployed::
+**Step 9.** Display the onap charts that available to be deployed::
> helm repo update
> helm search repo onap
@@ -189,7 +189,7 @@ follows::
to your deployment charts or values be sure to use ``make`` to update your
local Helm repository.
-**Step 9.** Once the repo is setup, installation of ONAP can be done with a
+**Step 10.** Once the repo is setup, installation of ONAP can be done with a
single command
.. note::
@@ -237,7 +237,7 @@ needs.
you want to use to deploy VNFs from ONAP and/or additional parameters for the
embedded tests.
-**Step 10.** Verify ONAP installation
+**Step 11.** Verify ONAP installation
Use the following to monitor your deployment and determine when ONAP is ready
for use::
@@ -251,7 +251,7 @@ for use::
> ~/oom/kubernetes/robot/ete-k8s.sh onap health
-**Step 11.** Undeploy ONAP
+**Step 12.** Undeploy ONAP
::
> helm undeploy dev
diff --git a/docs/oom_setup_paas.rst b/docs/oom_setup_paas.rst
index 258a4eeadf..845fd473e0 100644
--- a/docs/oom_setup_paas.rst
+++ b/docs/oom_setup_paas.rst
@@ -9,11 +9,11 @@
.. _oom_setup_paas:
-ONAP PaaS set-up (optional)
-###########################
+ONAP PaaS set-up
+################
Starting from Honolulu release, Cert-Manager and Prometheus Stack are a part
-of k8s PaaS for ONAP operations and can be optionally installed to provide
+of k8s PaaS for ONAP operations and can be installed to provide
additional functionality for ONAP engineers.
The versions of PaaS compoents that are supported by OOM are as follows:
@@ -63,8 +63,8 @@ Installation can be as simple as::
> kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
-Prometheus Stack
-================
+Prometheus Stack (optional)
+===========================
Prometheus is an open-source systems monitoring and alerting toolkit with
an active ecosystem.
diff --git a/docs/oom_user_guide.rst b/docs/oom_user_guide.rst
index 02f5c483b5..3a707e25ea 100644
--- a/docs/oom_user_guide.rst
+++ b/docs/oom_user_guide.rst
@@ -55,8 +55,8 @@ ONAP with a few simple commands.
Pre-requisites
--------------
-Your environment must have both the Kubernetes `kubectl` and Helm setup as a
-one time activity.
+Your environment must have the Kubernetes `kubectl` with Cert-Manager
+and Helm setup as a one time activity.
Install Kubectl
~~~~~~~~~~~~~~~
@@ -78,6 +78,11 @@ Verify that the Kubernetes config is correct::
At this point you should see Kubernetes pods running.
+Install Cert-Manager
+~~~~~~~~~~~~~~~~~~~~
+Details on how to install Cert-Manager can be found
+:doc:`here <oom_setup_paas>`.
+
Install Helm
~~~~~~~~~~~~
Helm is used by OOM for package and configuration management. To install Helm,
diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat
index df2e128407..d29617a4d9 100644
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat
+++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat
@@ -49,6 +49,7 @@ org.onap.clamp|clds.template|dev|*||"{'org.onap.clamp|service'}"
org.onap.clamp|clds.template|dev|read|Onap Clamp Dev Read Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}"
org.onap.clamp|clds.template|dev|update|Onap Clamp Dev Update Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}"
org.onap.clamp|clds.tosca|dev|*||"{'org.onap.clamp|service'}"
+org.onap.clamp|clds.policies|dev|*||"{'org.onap.clamp|service'}"
org.onap.clampdemo|access|*|*|ClampDemo Write Access|{'org.onap.clampdemo.admin'}
org.onap.clampdemo|access|*|read|ClampDemo Read Access|{'org.onap.clampdemo.owner'}
org.onap.clamptest|access|*|*|Onap Write Access|{'org.onap.clamptest.admin'}
diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat
index ea15da4053..d73a09d4cd 100644
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat
+++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat
@@ -40,7 +40,7 @@ org.onap.clampdemo|admin|Onap Clamp Test Admins|"{'org.onap.clampdemo.access|*|
org.onap.clampdemo|owner|onap clamp Test Owners|"{'org.onap.clampdemo.access|*|read'}"
org.onap.clamp|owner|AAF Namespace Owners|
org.onap.clamp|seeCerts||"{'org.onap.clamp|certman|local|request,ignoreIPs,showpass'}"
-org.onap.clamp|service||"{'org.onap.clamp|access|*|*', 'org.onap.clamp|clds.cl.manage|dev|*', 'org.onap.clamp|clds.cl|dev|*', 'org.onap.clamp|clds.filter.vf|dev|*', 'org.onap.clamp|clds.template|dev|*', 'org.onap.clamp|clds.tosca|dev|*'}"
+org.onap.clamp|service||"{'org.onap.clamp|access|*|*', 'org.onap.clamp|clds.cl.manage|dev|*', 'org.onap.clamp|clds.cl|dev|*', 'org.onap.clamp|clds.filter.vf|dev|*', 'org.onap.clamp|clds.template|dev|*', 'org.onap.clamp|clds.tosca|dev|*', 'org.onap.clamp|clds.policies|dev|*'}"
org.onap.clamptest|admin|Onap Clamp Test Admins|"{'org.onap.clamptest.access|*|*'}"
org.onap.clamptest|owner|onap clamp Test Owners|"{'org.onap.clamptest.access|*|read'}"
org.onap.cli|admin|AAF Namespace Administrators|"{'org.onap.cli|access|*|*'}"
diff --git a/kubernetes/appc/components/appc-cdt/values.yaml b/kubernetes/appc/components/appc-cdt/values.yaml
index 3b1ff47116..5765d3482d 100644
--- a/kubernetes/appc/components/appc-cdt/values.yaml
+++ b/kubernetes/appc/components/appc-cdt/values.yaml
@@ -38,27 +38,17 @@ certInitializer:
cadi_longitude: "-72.0"
credsPath: /opt/app/osaaf/local
aaf_add_config: |
- echo "*** retrieving password for keystore"
- export $(/opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0)
- if [ -z "$cadi_keystore_password_p12" ]
- then
- echo " /!\ certificates retrieval failed"
- exit 1
- else
- cd {{ .Values.credsPath }};
- mkdir -p certs;
- echo "*** transform AAF certs into pem files"
- mkdir -p {{ .Values.credsPath }}/certs
- openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
- -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
- -passin pass:$cadi_keystore_password_p12 \
- -passout pass:$cadi_keystore_password_p12
- echo "*** copy key file"
- cp {{ .Values.fqi_namespace }}.key certs/key.pem;
- echo "*** change ownership of certificates to targeted user"
- chown -R 1000 {{ .Values.credsPath }}
- fi
+ echo "*** transform AAF certs into pem files"
+ mkdir -p {{ .Values.credsPath }}/certs
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** copy key file"
+ cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
+ {{ .Values.credsPath }}/certs/key.pem
+ echo "*** change ownership of certificates to targeted user"
+ chown -R 1000 {{ .Values.credsPath }}
#################################################################
# Application configuration defaults.
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
index 2fd6db1360..717ea6679c 100755
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
+++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh
@@ -44,7 +44,7 @@ enable_odl_cluster () {
node_index=($(echo ${hm} | awk -F"-" '{print $NF}'))
node_list="${node}-0.{{ .Values.service.name }}-cluster.{{.Release.Namespace}}";
- for ((i=1;i<${APPC_REPLICAS};i++));
+ for i in $(seq 1 $((${APPC_REPLICAS}-1)));
do
node_list="${node_list} ${node}-$i.{{ .Values.service.name }}-cluster.{{.Release.Namespace}}"
done
@@ -65,7 +65,7 @@ DBINIT_DIR=${DBINIT_DIR:-/opt/opendaylight/current/daexim}
# Wait for database to init properly
#
echo "Waiting for mariadbgalera"
-until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql &> /dev/null
+until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql >/dev/null 2>&1
do
printf "."
sleep 1
diff --git a/kubernetes/common/Makefile b/kubernetes/common/Makefile
index c7aba635c1..6442068b2f 100644
--- a/kubernetes/common/Makefile
+++ b/kubernetes/common/Makefile
@@ -21,7 +21,7 @@ COMMON_CHARTS_DIR := common
EXCLUDES :=
PROCESSED_LAST := cert-wrapper repository-wrapper
-PROCESSED_FIRST := repositoryGenerator readinessCheck certInitializer
+PROCESSED_FIRST := repositoryGenerator readinessCheck serviceAccount certInitializer
TO_FILTER := $(PROCESSED_FIRST) $(EXCLUDES) $(PROCESSED_LAST)
HELM_BIN := helm
diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh
index ec1ce944c9..cb4153e778 100755
--- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh
+++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh
@@ -58,7 +58,8 @@ done
# Prepare truststore output file
if [ "$AAF_ENABLED" = "true" ]
then
- mv $WORK_DIR/$ONAP_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME
+ echo "AAF is enabled, use 'AAF' truststore"
+ export TRUSTSTORE_OUTPUT_FILENAME=${ONAP_TRUSTSTORE}
else
echo "AAF is disabled, using JRE truststore"
cp $JRE_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME
diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
index 108873b31d..2b9461e50e 100644
--- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
+++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
@@ -189,6 +189,8 @@ spec:
{{ end }}
{{- end -}}
+{{/*Using templates below allows read and write access to volume mounted at $mountPath*/}}
+
{{- define "common.certManager.volumeMounts" -}}
{{- $dot := default . .dot -}}
{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
@@ -217,8 +219,14 @@ spec:
sources:
- secret:
name: {{ $certificatesSecretName }}
- {{- if $certificate.keystore }}
items:
+ - key: tls.key
+ path: key.pem
+ - key: tls.crt
+ path: cert.pem
+ - key: ca.crt
+ path: cacert.pem
+ {{- if $certificate.keystore }}
{{- range $outputType := $certificate.keystore.outputType }}
- key: keystore.{{ $outputType }}
path: keystore.{{ $outputType }}
@@ -248,4 +256,55 @@ spec:
{{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}}
{{- end -}}
{{ $certsLinkCommand }}
-{{- end -}} \ No newline at end of file
+{{- end -}}
+
+{{/*Using templates below allows only read access to volume mounted at $mountPath*/}}
+
+{{- define "common.certManager.volumeMountsReadOnly" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+ {{- range $i, $certificate := $dot.Values.certificates -}}
+ {{- $mountPath := $certificate.mountPath -}}
+- mountPath: {{ $mountPath }}
+ name: certmanager-certs-volume-{{ $i }}
+ {{- end -}}
+{{- end -}}
+
+{{- define "common.certManager.volumesReadOnly" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- $certificates := $dot.Values.certificates -}}
+ {{- range $i, $certificate := $certificates -}}
+ {{- $name := include "common.fullname" $dot -}}
+ {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
+- name: certmanager-certs-volume-{{ $i }}
+ projected:
+ sources:
+ - secret:
+ name: {{ $certificatesSecretName }}
+ items:
+ - key: tls.key
+ path: key.pem
+ - key: tls.crt
+ path: cert.pem
+ - key: ca.crt
+ path: cacert.pem
+ {{- if $certificate.keystore }}
+ {{- range $outputType := $certificate.keystore.outputType }}
+ - key: keystore.{{ $outputType }}
+ path: keystore.{{ $outputType }}
+ - key: truststore.{{ $outputType }}
+ path: truststore.{{ $outputType }}
+ {{- end }}
+ - secret:
+ name: {{ $certificate.keystore.passwordSecretRef.name }}
+ items:
+ - key: {{ $certificate.keystore.passwordSecretRef.key }}
+ path: keystore.pass
+ - key: {{ $certificate.keystore.passwordSecretRef.key }}
+ path: truststore.pass
+ {{- end }}
+ {{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl
index 1be3e3b790..5021c500b0 100644
--- a/kubernetes/common/common/templates/_mariadb.tpl
+++ b/kubernetes/common/common/templates/_mariadb.tpl
@@ -63,7 +63,7 @@
*/}}
{{- define "common.mariadbService" -}}
{{- if .Values.global.mariadbGalera.localCluster -}}
- {{- index .Values "mariadb-galera" "service" "name" -}}
+ {{- index .Values "mariadb-galera" "nameOverride" -}}
{{- else -}}
{{- .Values.global.mariadbGalera.service -}}
{{- end -}}
diff --git a/kubernetes/common/roles-wrapper/Chart.yaml b/kubernetes/common/roles-wrapper/Chart.yaml
new file mode 100644
index 0000000000..862773fc87
--- /dev/null
+++ b/kubernetes/common/roles-wrapper/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: Wrapper chart to allow default roles to be shared among onap instances
+name: roles-wrapper
+version: 8.0.0
diff --git a/kubernetes/common/roles-wrapper/requirements.yaml b/kubernetes/common/roles-wrapper/requirements.yaml
new file mode 100644
index 0000000000..b2d51ef925
--- /dev/null
+++ b/kubernetes/common/roles-wrapper/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: common
+ version: ~8.x-0
+ repository: 'file://../common'
diff --git a/kubernetes/common/roles-wrapper/templates/role.yaml b/kubernetes/common/roles-wrapper/templates/role.yaml
new file mode 100644
index 0000000000..e2a84b4151
--- /dev/null
+++ b/kubernetes/common/roles-wrapper/templates/role.yaml
@@ -0,0 +1,110 @@
+{{/*
+# Copyright © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- $dot := . -}}
+{{- range $role_type := $dot.Values.roles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ printf "%s-%s" (include "common.release" $dot) $role_type }}
+ namespace: {{ include "common.namespace" $dot }}
+rules:
+{{- if eq $role_type "read" }}
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batch
+ - extensions
+ resources:
+ - pods
+ - deployments
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - replicasets/status
+ - daemonsets
+ verbs:
+ - get
+ - watch
+ - list
+{{- else }}
+{{- if eq $role_type "create" }}
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batch
+ - extensions
+ resources:
+ - pods
+ - deployments
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - replicasets/status
+ - daemonsets
+ - secrets
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - patch
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - deployments
+ - secrets
+ verbs:
+ - create
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods
+ - persistentvolumeclaims
+ - secrets
+ - deployment
+ verbs:
+ - delete
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods/exec
+ verbs:
+ - create
+{{- else }}
+# if you don't match read or create, then you're not allowed to use API
+# except to see basic information about yourself
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - selfsubjectaccessreviews
+ - selfsubjectrulesreviews
+ verbs:
+ - create
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/common/roles-wrapper/values.yaml b/kubernetes/common/roles-wrapper/values.yaml
new file mode 100644
index 0000000000..8a53d7d733
--- /dev/null
+++ b/kubernetes/common/roles-wrapper/values.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+roles:
+ - nothing
+ - read
+ - create
diff --git a/kubernetes/common/serviceAccount/templates/role-binding.yaml b/kubernetes/common/serviceAccount/templates/role-binding.yaml
index 2082f8466b..7c272aecda 100644
--- a/kubernetes/common/serviceAccount/templates/role-binding.yaml
+++ b/kubernetes/common/serviceAccount/templates/role-binding.yaml
@@ -16,18 +16,24 @@
{{- $dot := . -}}
{{- range $role_type := $dot.Values.roles }}
+{{/* retrieve the names for generic roles */}}
+{{ $name := printf "%s-%s" (include "common.release" $dot) $role_type }}
+{{- if not (has $role_type $dot.Values.defaultRoles) }}
+{{ $name = include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
+{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: RoleBinding
metadata:
- name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
namespace: {{ include "common.namespace" $dot }}
subjects:
- kind: ServiceAccount
- name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
roleRef:
kind: Role
- name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+ name: {{ $name }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
+
diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml
index 6d12164938..2055885f2a 100644
--- a/kubernetes/common/serviceAccount/templates/role.yaml
+++ b/kubernetes/common/serviceAccount/templates/role.yaml
@@ -14,96 +14,28 @@
# limitations under the License.
*/}}
-{{- $dot := . -}}
+{{- $dot := . -}}
{{- range $role_type := $dot.Values.roles }}
+{{/* Default roles are already created, just creating specific ones */}}
+{{- if not (has $role_type $dot.Values.defaultRoles) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
- name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
namespace: {{ include "common.namespace" $dot }}
rules:
-{{- if eq $role_type "read" }}
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- - batch
- - extensions
- resources:
- - pods
- - deployments
- - jobs
- - jobs/status
- - statefulsets
- - replicasets
- - replicasets/status
- - daemonsets
- verbs:
- - get
- - watch
- - list
-{{- else }}
-{{- if eq $role_type "create" }}
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- - batch
- - extensions
- resources:
- - pods
- - deployments
- - jobs
- - jobs/status
- - statefulsets
- - replicasets
- - replicasets/status
- - daemonsets
- - secrets
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- resources:
- - statefulsets
- verbs:
- - patch
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- resources:
- - deployments
- - secrets
- verbs:
- - create
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- resources:
- - pods
- - persistentvolumeclaims
- - secrets
- - deployment
- verbs:
- - delete
+{{- if hasKey $dot.Values.new_roles_definitions $role_type }}
+{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }}
+{{- else}}
+# if no rules are provided, you're back to 'nothing' role
- apiGroups:
- - "" # "" indicates the core API group
- - apps
+ - authorization.k8s.io
resources:
- - pods/exec
+ - selfsubjectaccessreviews
+ - selfsubjectrulesreviews
verbs:
- create
-{{- else }}
-{{- if hasKey $dot.Values.new_roles_definitions $role_type }}
-{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }}
-{{- else}}
-# if you don't match read or create, then you're not allowed to use API
-- apiGroups: []
- resources: []
- verbs: []
{{- end }}
{{- end }}
{{- end }}
-{{- end }}
diff --git a/kubernetes/common/serviceAccount/templates/service-account.yaml b/kubernetes/common/serviceAccount/templates/service-account.yaml
index 449bea684c..20bd94f49a 100644
--- a/kubernetes/common/serviceAccount/templates/service-account.yaml
+++ b/kubernetes/common/serviceAccount/templates/service-account.yaml
@@ -20,5 +20,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
- name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
-{{- end }}
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml
index afa819421c..22faeb6904 100644
--- a/kubernetes/common/serviceAccount/values.yaml
+++ b/kubernetes/common/serviceAccount/values.yaml
@@ -12,11 +12,18 @@
# See the License for the specific language governing permissions and
# limitations under the License.
+# Default roles will be created by roles wrapper
+# It won't work if roles wrapper is disabled.
roles:
- nothing
# - read
# - create
+defaultRoles:
+ - nothing
+ - read
+ - create
+
new_roles_definitions: {}
# few-read:
# - apiGroups:
diff --git a/kubernetes/contrib/components/ejbca/values.yaml b/kubernetes/contrib/components/ejbca/values.yaml
index 69d993e9a4..57d1e7848e 100644
--- a/kubernetes/contrib/components/ejbca/values.yaml
+++ b/kubernetes/contrib/components/ejbca/values.yaml
@@ -54,7 +54,7 @@ mysqlDatabase: &dbName ejbca
replicaCount: 1
ejbca:
- image: primekey/ejbca-ce:6.15.2.5
+ image: primekey/ejbca-ce:7.4.3.2
pullPolicy: Always
mariadb-galera:
diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
index 91fefa47b7..5de526288e 100644
--- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
+++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
@@ -3,6 +3,7 @@
# ================================================================================
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -267,6 +268,7 @@ spec:
- mountPath: /opt/app/osaaf
name: tls-info
{{- end }}
+ {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }}
containers:
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
@@ -274,7 +276,7 @@ spec:
env:
{{- if $certDir }}
- name: DCAE_CA_CERTPATH
- value: {{ $certDir}}/cacert.pem
+ value: {{ $certDir }}/cacert.pem
{{- end }}
- name: CONSUL_HOST
value: consul-server.onap
@@ -322,6 +324,9 @@ spec:
{{- if $certDir }}
- mountPath: {{ $certDir }}
name: tls-info
+ {{- if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+ {{- include "common.certManager.volumeMountsReadOnly" . | nindent 8 -}}
+ {{- end -}}
{{- end }}
{{- if $policy }}
- name: policy-shared
@@ -417,6 +422,9 @@ spec:
{{- if $certDir }}
- emptyDir: {}
name: tls-info
+ {{ if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+ {{ include "common.certManager.volumesReadOnly" . | nindent 6 }}
+ {{- end }}
{{- end }}
{{- if $policy }}
- name: policy-shared
@@ -426,3 +434,49 @@ spec:
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
{{ end -}}
+
+{{/*
+ For internal use
+
+ Template to attach CertPostProcessor which merges CMPv2 truststore with AAF truststore
+ and swaps keystore files.
+*/}}
+{{- define "dcaegen2-services-common._certPostProcessor" -}}
+ {{- $certDir := default "" .Values.certDirectory . -}}
+ {{- if and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+ {{- $cmpv2Certificate := (index .Values.certificates 0) -}}
+ {{- $cmpv2CertificateDir := $cmpv2Certificate.mountPath -}}
+ {{- $certType := "pem" -}}
+ {{- if $cmpv2Certificate.keystore -}}
+ {{- $certType = (index $cmpv2Certificate.keystore.outputType 0) -}}
+ {{- end -}}
+ {{- $truststoresPaths := printf "%s/%s:%s/%s" $certDir "cacert.pem" $cmpv2CertificateDir "cacert.pem" -}}
+ {{- $truststoresPasswordPaths := ":" -}}
+ {{- $keystoreSourcePaths := printf "%s/%s:%s/%s" $cmpv2CertificateDir "cert.pem" $cmpv2CertificateDir "key.pem" -}}
+ {{- $keystoreDestinationPaths := printf "%s/%s:%s/%s" $certDir "cert.pem" $certDir "key.pem" -}}
+ {{- if not (eq $certType "pem") -}}
+ {{- $truststoresPaths = printf "%s/%s:%s/%s.%s" $certDir "trust.jks" $cmpv2CertificateDir "truststore" $certType -}}
+ {{- $truststoresPasswordPaths = printf "%s/%s:%s/%s" $certDir "trust.pass" $cmpv2CertificateDir "truststore.pass" -}}
+ {{- $keystoreSourcePaths = printf "%s/%s.%s:%s/%s" $cmpv2CertificateDir "keystore" $certType $cmpv2CertificateDir "keystore.pass" -}}
+ {{- $keystoreDestinationPaths = printf "%s/%s.%s:%s/%s.pass" $certDir "cert" $certType $certDir $certType -}}
+ {{- end }}
+ - name: cert-post-processor
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.certPostProcessorImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources:
+ {{- include "common.resources" . | nindent 4 }}
+ volumeMounts:
+ - mountPath: {{ $certDir }}
+ name: tls-info
+ {{- include "common.certManager.volumeMountsReadOnly" . | nindent 4 }}
+ env:
+ - name: TRUSTSTORES_PATHS
+ value: {{ $truststoresPaths | quote}}
+ - name: TRUSTSTORES_PASSWORDS_PATHS
+ value: {{ $truststoresPasswordPaths | quote }}
+ - name: KEYSTORE_SOURCE_PATHS
+ value: {{ $keystoreSourcePaths | quote }}
+ - name: KEYSTORE_DESTINATION_PATHS
+ value: {{ $keystoreDestinationPaths | quote }}
+ {{- end }}
+{{- end -}}
diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml
index cd69da8346..cbd07dc486 100644
--- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml
+++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml
@@ -15,4 +15,4 @@
# limitations under the License.
# ============LICENSE_END=========================================================
# dcaegen2-services-common templates get any values from the scope
-# they are passed. There are no locally-defined values. \ No newline at end of file
+# they are passed. There are no locally-defined values.
diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml
index 639fc2c740..929cdbbc5f 100644
--- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml
@@ -1,4 +1,5 @@
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -25,3 +26,6 @@ dependencies:
- name: dcaegen2-services-common
version: ~8.x-0
repository: 'file://../../common/dcaegen2-services-common'
+ - name: certManagerCertificate
+ version: ~8.x-0
+ repository: '@local'
diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml
new file mode 100644
index 0000000000..0db2138a4f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml
@@ -0,0 +1,19 @@
+{{/*
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }}
+{{ include "certManagerCertificate.certificate" . }}
+{{ end }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
index cec332218d..bb65f37f73 100644
--- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
@@ -1,6 +1,7 @@
#============LICENSE_START========================================================
# ================================================================================
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -34,6 +35,7 @@ filebeatConfig:
#################################################################
tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0
+certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
#################################################################
# Application configuration defaults.
@@ -62,6 +64,24 @@ secrets:
password: '{{ .Values.aafCreds.password }}'
passwordPolicy: required
+# CMPv2 certificate
+# It is used only when global parameter cmpv2Enabled is true
+# Disabled by default
+certificates:
+ - mountPath: /etc/ves-hv/ssl/external
+ commonName: dcae-hv-ves-collector
+ dnsNames:
+ - dcae-hv-ves-collector
+ - hv-ves-collector
+ - hv-ves
+ keystore:
+ outputType:
+ - jks
+ passwordSecretRef:
+ name: hv-ves-cmpv2-keystore-password
+ key: password
+ create: true
+
# dependencies
readinessCheck:
wait_for:
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml
index 639fc2c740..929cdbbc5f 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml
@@ -1,4 +1,5 @@
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -25,3 +26,6 @@ dependencies:
- name: dcaegen2-services-common
version: ~8.x-0
repository: 'file://../../common/dcaegen2-services-common'
+ - name: certManagerCertificate
+ version: ~8.x-0
+ repository: '@local'
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml
new file mode 100644
index 0000000000..0db2138a4f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml
@@ -0,0 +1,19 @@
+{{/*
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }}
+{{ include "certManagerCertificate.certificate" . }}
+{{ end }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
index 62c640453b..081bcdcc1a 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
@@ -1,6 +1,7 @@
#============LICENSE_START========================================================
# ================================================================================
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -34,6 +35,7 @@ filebeatConfig:
#################################################################
tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0
+certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
#################################################################
# Application configuration defaults.
@@ -55,6 +57,24 @@ certDirectory: /opt/app/dcae-certificate
# and key from AAF and mount them in certDirectory.
tlsServer: true
+# CMPv2 certificate
+# It is used only when global parameter cmpv2Enabled is true
+# Disabled by default
+certificates:
+ - mountPath: /opt/app/dcae-certificate/external
+ commonName: dcae-ves-collector
+ dnsNames:
+ - dcae-ves-collector
+ - ves-collector
+ - ves
+ keystore:
+ outputType:
+ - jks
+ passwordSecretRef:
+ name: ves-cmpv2-keystore-password
+ key: password
+ create: true
+
# dependencies
readinessCheck:
wait_for:
diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml
index 51fcd08c4a..4c1c22f766 100644
--- a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml
+++ b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml
@@ -103,11 +103,11 @@ flavor: small
resources:
small:
limits:
- cpu: 0.6
- memory: 1Gi
+ cpu: 2
+ memory: 2Gi
requests:
- cpu: 0.4
- memory: 600Mib
+ cpu: 1
+ memory: 1Gi
large:
limits:
cpu: 4
diff --git a/kubernetes/helm/plugins/deploy/deploy.sh b/kubernetes/helm/plugins/deploy/deploy.sh
index a7e394d4ae..0d434ad877 100755
--- a/kubernetes/helm/plugins/deploy/deploy.sh
+++ b/kubernetes/helm/plugins/deploy/deploy.sh
@@ -54,7 +54,7 @@ generate_overrides() {
cat $COMPUTED_OVERRIDES | sed '/common:/,/consul:/d' \
| sed -n '/^'"$START"'/,/'log:'/p' | sed '1d;$d' >> $GLOBAL_OVERRIDES
else
- SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(cut -d':' -f1 <<<"$START")"
+ SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(echo "$START" |cut -d':' -f1)"
if [[ -d "$SUBCHART_DIR" ]]; then
if [[ -z "$END" ]]; then
cat $COMPUTED_OVERRIDES | sed -n '/^'"$START"'/,/'"$END"'/p' \
@@ -70,7 +70,7 @@ generate_overrides() {
resolve_deploy_flags() {
flags=($1)
n=${#flags[*]}
- for (( i = 0; i < n; i++ )); do
+ i=0 ; while [ "$i" -lt "$n" ]; do
PARAM=${flags[i]}
if [[ $PARAM = "-f" || \
$PARAM = "--values" || \
@@ -82,6 +82,7 @@ resolve_deploy_flags() {
else
DEPLOY_FLAGS="$DEPLOY_FLAGS $PARAM"
fi
+ i=$((i+1))
done
echo "$DEPLOY_FLAGS"
}
@@ -96,8 +97,8 @@ deploy() {
RELEASE=$1
CHART_URL=$2
FLAGS=${@:3}
- CHART_REPO="$(cut -d'/' -f1 <<<"$CHART_URL")"
- CHART_NAME="$(cut -d'/' -f2 <<<"$CHART_URL")"
+ CHART_REPO="$(echo "$CHART_URL" |cut -d'/' -f1)"
+ CHART_NAME="$(echo "$CHART_URL" |cut -d'/' -f2)"
if [[ $HELM_VER = "v3."* ]]; then
CACHE_DIR=~/.local/share/helm/plugins/deploy/cache
else
@@ -146,9 +147,9 @@ deploy() {
DEPLOY_FLAGS=$(resolve_deploy_flags "$FLAGS")
# determine if upgrading individual subchart or entire parent + subcharts
- SUBCHART_RELEASE="$(cut -d'-' -f2 <<<"$RELEASE")"
+ SUBCHART_RELEASE="$(echo "$RELEASE" |cut -d'-' -f2)"
# update specified subchart without parent
- RELEASE="$(cut -d'-' -f1 <<<"$RELEASE")"
+ RELEASE="$(echo "$RELEASE" |cut -d'-' -f1)"
if [[ $SUBCHART_RELEASE = $RELEASE ]]; then
SUBCHART_RELEASE=
fi
@@ -255,7 +256,7 @@ deploy() {
else
array=($(echo "$ALL_HELM_RELEASES" | grep "${RELEASE}-${subchart}"))
n=${#array[*]}
- for (( i = n-1; i >= 0; i-- )); do
+ for i in $(seq $(($n-1)) -1 0); do
if [[ $HELM_VER = "v3."* ]]; then
helm del "${array[i]}"
else
diff --git a/kubernetes/helm/plugins/undeploy/undeploy.sh b/kubernetes/helm/plugins/undeploy/undeploy.sh
index e5c0c12711..1689bf1b48 100755
--- a/kubernetes/helm/plugins/undeploy/undeploy.sh
+++ b/kubernetes/helm/plugins/undeploy/undeploy.sh
@@ -23,7 +23,7 @@ undeploy() {
array=($(helm ls -q --all | grep $RELEASE))
n=${#array[*]}
- for (( i = n-1; i >= 0; i-- ))
+ for i in $(seq $(($n-1)) -1 0)
do
helm del "${array[i]}" $FLAGS
done
diff --git a/kubernetes/onap/requirements.yaml b/kubernetes/onap/requirements.yaml
index 6034063a0e..fa3efd3b40 100755
--- a/kubernetes/onap/requirements.yaml
+++ b/kubernetes/onap/requirements.yaml
@@ -169,3 +169,7 @@ dependencies:
version: ~8.x-0
repository: '@local'
condition: cert-wrapper.enabled
+ - name: roles-wrapper
+ version: ~8.x-0
+ repository: '@local'
+ condition: roles-wrapper.enabled
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index ca9ccd48f4..d91284a6c3 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -398,3 +398,5 @@ cert-wrapper:
enabled: true
repository-wrapper:
enabled: true
+roles-wrapper:
+ enabled: true
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml
index c34ebad982..fd34b1ef28 100644
--- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml
+++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml
@@ -73,7 +73,7 @@ cmpv2issuer:
certEndpoint: v1/certificate
caName: RA
certSecretRef:
- name: oom-cert-service-server-tls-secret
+ name: oom-cert-service-client-tls-secret
certRef: tls.crt
keyRef: tls.key
cacertRef: ca.crt
diff --git a/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml
deleted file mode 100644
index ba12874eb6..0000000000
--- a/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{/*
- # Copyright © 2020, Nokia
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-*/}}
-
-{{- if .Values.global.offlineDeploymentBuild }}
-apiVersion: apps/v1
-kind: Deployment
-metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
-spec:
- replicas: {{ .Values.replicaCount }}
- selector: {{- include "common.selectors" . | nindent 4 }}
- template:
- metadata: {{- include "common.templateMetadata" . | nindent 6 }}
- spec:
- containers:
- - name: {{ include "common.name" . }}
- image: {{ include "common.repository" . }}/{{ .Values.certificateGenerationImage }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-{{ end -}}
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index 829d3a01d1..2e149683d7 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -22,7 +22,6 @@ global:
# Standard OOM
pullPolicy: "Always"
repository: "nexus3.onap.org:10001"
- offlineDeploymentBuild: false
# Service configuration
@@ -33,9 +32,6 @@ service:
port: 8443
port_protocol: http
-# Certificates generation configuration
-certificateGenerationImage: onap/integration-java11:7.2.0
-
# Deployment configuration
repository: "nexus3.onap.org:10001"
image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3
diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties b/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties
index 17185cc4bb..a6334668b1 100644
--- a/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties
+++ b/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties
@@ -48,22 +48,22 @@ spring.datasource.url=jdbc:mariadb:sequential://{{ .Values.db.service.name }}:{{
spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller,clamp-ssl-config,clamp-policy-controller,default-dictionary-elements
#The log folder that will be used in logback.xml file
-clamp.config.files.sdcController=file:/opt/policy/clamp/sdc-controllers-config.json
+clamp.config.files.sdcController=file:/opt/policy/clamp/sdc-controllers-config-pass.json
#
# Configuration Settings for Policy Engine Components
-clamp.config.policy.api.url=https4://policy-api.{{ include "common.namespace" . }}:6969
+clamp.config.policy.api.url=https://policy-api.{{ include "common.namespace" . }}:6969
clamp.config.policy.api.userName=healthcheck
clamp.config.policy.api.password=zb!XztG34
-clamp.config.policy.pap.url=https4://policy-pap.{{ include "common.namespace" . }}:6969
+clamp.config.policy.pap.url=https://policy-pap.{{ include "common.namespace" . }}:6969
clamp.config.policy.pap.userName=healthcheck
clamp.config.policy.pap.password=zb!XztG34
#DCAE Inventory Url Properties
-clamp.config.dcae.inventory.url=https4://inventory.{{ include "common.namespace" . }}:8080
-clamp.config.dcae.dispatcher.url=https4://deployment-handler.{{ include "common.namespace" . }}:8443
+clamp.config.dcae.inventory.url=https://inventory.{{ include "common.namespace" . }}:8080
+clamp.config.dcae.dispatcher.url=https://deployment-handler.{{ include "common.namespace" . }}:8443
#DCAE Deployment Url Properties
-clamp.config.dcae.deployment.url=https4://deployment-handler.{{ include "common.namespace" . }}:8443
+clamp.config.dcae.deployment.url=https://deployment-handler.{{ include "common.namespace" . }}:8443
clamp.config.dcae.deployment.userName=none
clamp.config.dcae.deployment.password=none
diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json b/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json
index 3adda95c11..6021b21d21 100644
--- a/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json
+++ b/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json
@@ -6,7 +6,7 @@
"consumerId": "clamp",
"environmentName": "AUTO",
"sdcAddress": "sdc-be.{{ include "common.namespace" . }}:8443",
- "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981",
+ "password": "${SDC_CLIENT_PASSWORD_ENC}",
"pollingInterval":30,
"pollingTimeout":30,
"activateServerTLSAuth":"false",
diff --git a/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml
index 1120f9b2b6..c243e30540 100644
--- a/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml
@@ -67,6 +67,8 @@ spec:
- |
{{- if .Values.global.aafEnabled }}
export $(grep '^cadi_' {{ .Values.certInitializer.credsPath }}/org.onap.clamp.cred.props | xargs -0)
+ export SDC_CLIENT_PASSWORD_ENC=`java -jar {{ .Values.certInitializer.credsPath }}/aaf-cadi-aaf-2.1.20-full.jar cadi digest ${SDC_CLIENT_PASSWORD} {{ .Values.certInitializer.credsPath }}/org.onap.clamp.keyfile`;
+ envsubst < "/opt/policy/clamp/sdc-controllers-config.json" > "/opt/policy/clamp/sdc-controllers-config-pass.json"
{{- end }}
java -Djava.security.egd=file:/dev/./urandom ${JAVA_RAM_CONFIGURATION} -jar ./policy-clamp-backend.jar
ports:
@@ -99,6 +101,8 @@ spec:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12 }}
- name: MYSQL_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12 }}
+ - name: SDC_CLIENT_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdc-creds" "key" "password") | indent 12 }}
{{- if ne "unlimited" (include "common.flavor" .) }}
- name: JAVA_RAM_CONFIGURATION
value: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=75
diff --git a/kubernetes/policy/components/policy-clamp-be/values.yaml b/kubernetes/policy/components/policy-clamp-be/values.yaml
index ef0ea7ae4e..71d2517be1 100644
--- a/kubernetes/policy/components/policy-clamp-be/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-be/values.yaml
@@ -44,10 +44,7 @@ certInitializer:
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
aaf_add_config: >
- echo "$cadi_truststore_password" > {{ .Values.credsPath }}/cadi_truststore_password.pwd;
- echo "$cadi_key_password" > {{ .Values.credsPath }}/cadi_key_password.pwd;
- echo "$cadi_keystore_password" > {{ .Values.credsPath }}/cadi_keystore_password.pwd;
- echo "$cadi_keystore_password_p12" > {{ .Values.credsPath }}/cadi_keystore_password_p12.pwd;
+ /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop;
cd {{ .Values.credsPath }};
chmod a+rx *;
@@ -58,11 +55,16 @@ secrets:
login: '{{ .Values.db.user }}'
password: '{{ .Values.db.password }}'
passwordPolicy: required
+ - uid: sdc-creds
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.sdc.sdcClientExternalSecret) . }}'
+ password: '{{ .Values.sdc.clientPassword }}'
+ passwordPolicy: required
flavor: small
# application image
-image: onap/policy-clamp-backend:6.0.2
+image: onap/policy-clamp-backend:6.1.1
pullPolicy: Always
# flag to enable debugging - application support required
@@ -78,6 +80,9 @@ log:
#####dummy values for db user and password to pass lint!!!#######
+sdc:
+ clientPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
+
db:
user: policy_user
password: policy_user
diff --git a/kubernetes/policy/components/policy-clamp-fe/values.yaml b/kubernetes/policy/components/policy-clamp-fe/values.yaml
index c824965955..9712a38e10 100644
--- a/kubernetes/policy/components/policy-clamp-fe/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-fe/values.yaml
@@ -60,7 +60,7 @@ subChartsOnly:
flavor: small
# application image
-image: onap/policy-clamp-frontend:6.0.2
+image: onap/policy-clamp-frontend:6.1.1
pullPolicy: Always
# flag to enable debugging - application support required
diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
index 390241fa1d..c4a21b927f 100644
--- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
+++ b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
@@ -107,7 +107,7 @@ docker_temp_server_start() {
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
extraArgs+=( '--dont-use-mysql-root-password' )
fi
- if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then
+ if echo 'SELECT 1' |docker_process_sql "${extraArgs[@]}" --database=mysql >/dev/null 2>&1; then
break
fi
sleep 1
@@ -263,19 +263,19 @@ docker_setup_db() {
# Creates a custom database and user if specified
if [ -n "$MYSQL_DATABASE" ]; then
mysql_note "Creating database ${MYSQL_DATABASE}"
- docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;"
+ echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" |docker_process_sql --database=mysql
fi
if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then
mysql_note "Creating user ${MYSQL_USER}"
- docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;"
+ echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" |docker_process_sql --database=mysql
if [ -n "$MYSQL_DATABASE" ]; then
mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}"
- docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;"
+ echo "GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;" |docker_process_sql --database=mysql
fi
- docker_process_sql --database=mysql <<<"FLUSH PRIVILEGES ;"
+ echo "FLUSH PRIVILEGES ;" |docker_process_sql --database=mysql
fi
}
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml
index 5c530fea72..af53fd6708 100644
--- a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml
+++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml
@@ -93,7 +93,7 @@ spec:
memory: 20Mi
{{- end }}
- name: volume-permissions
- image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }}
+ image: {{ include "repositoryGenerator.image.busybox" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- sh