-rw-r--r-- | kubernetes/common/cassandra/templates/statefulset.yaml | 8 | ||||
-rw-r--r-- | kubernetes/common/common/templates/_service.tpl | 2 | ||||
-rw-r--r-- | kubernetes/portal/components/portal-cassandra/templates/deployment.yaml | 10 | ||||
-rw-r--r-- | kubernetes/portal/components/portal-cassandra/values.yaml | 20 | ||||
-rw-r--r-- | kubernetes/sdnc/resources/config/conf/org.opendaylight.daexim.cfg | 4 | ||||
-rw-r--r-- | kubernetes/sdnc/templates/statefulset.yaml | 4 | ||||
-rw-r--r-- | kubernetes/sdnc/values.yaml | 2 | ||||
-rw-r--r-- | kubernetes/vid/requirements.yaml | 5 | ||||
-rw-r--r-- | kubernetes/vid/resources/certs/org.onap.vid.jks | bin | 3597 -> 0 bytes | |||
-rw-r--r-- | kubernetes/vid/resources/certs/org.onap.vid.trust.jks | bin | 1413 -> 0 bytes | |||
-rw-r--r-- | kubernetes/vid/templates/deployment.yaml | 29 | ||||
-rw-r--r-- | kubernetes/vid/templates/secrets.yaml | 15 | ||||
-rw-r--r-- | kubernetes/vid/values.yaml | 49 |
13 files changed, 108 insertions, 40 deletions
diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml index 471f88f735..953c89d24d 100644 --- a/kubernetes/common/cassandra/templates/statefulset.yaml +++ b/kubernetes/common/cassandra/templates/statefulset.yaml @@ -100,6 +100,14 @@ spec: value: {{ default "GossipingPropertyFileSnitch" .Values.config.endpoint_snitch | quote }} - name: CASSANDRA_AUTHENTICATOR value: {{ default "PasswordAuthenticator" .Values.config.authenticator | quote }} + {{- if include "common.onServiceMesh" . }} + - name: CASSANDRA_LISTEN_ADDRESS + value: "127.0.0.1" + - name: CASSANDRA_BROADCAST_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- end }} - name: POD_IP valueFrom: fieldRef: diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index dddd63491d..9c3010c209 100644 --- a/kubernetes/common/common/templates/_service.tpl +++ b/kubernetes/common/common/templates/_service.tpl @@ -128,7 +128,7 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent name: {{ $port.name }} {{- end }} {{- if (eq $serviceType "NodePort") }} - nodePort: {{ include "common.nodePortPrefix" (dict "dot" $dot "portNodePortExt" $port.useNodePortExt) }}{{ $port.nodePort }} + nodePort: {{ include "common.nodePortPrefix" (dict "dot" $dot "useNodePortExt" $port.useNodePortExt) }}{{ $port.nodePort }} {{- end }} {{- else }} - port: {{ default $port.port $port.plain_port }} diff --git a/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml b/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml index 39cd0294c8..20c396fa42 100644 --- a/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml +++ b/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml 
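Review bot: The new `common.onServiceMesh` branch in the cassandra statefulset binds `CASSANDRA_LISTEN_ADDRESS` to `127.0.0.1` without a comment saying why, so it is easy to misread as a mistake. With that binding the node accepts inter-node traffic only if something in the pod relays it to loopback, presumably the mesh sidecar. A pod where the helper renders true but no sidecar is injected would, as far as this hunk shows, be unreachable by its peers. I would add a template comment above the `if`, for example `{{/* on service mesh: listen on loopback behind the sidecar, keep advertising the pod IP to peers */}}`, and state the sidecar requirement in the chart documentation. The helper itself and the rest of the `env` list are outside the hunk.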
@@ -108,11 +108,15 @@ spec: value: rack1 - name: CASSANDRA_ENABLE_RPC value: "true" - {{- if eq "small" .Values.flavor }} + {{- $flavor := include "common.flavor" . }} + {{- $heap := pluck $flavor .Values.heap | first }} + {{- if (hasKey $heap "max") }} - name: MAX_HEAP_SIZE - value: {{ .Values.resources.small.heap.max }} + value: {{ $heap.max }} + {{- end }} + {{- if (hasKey $heap "new") }} - name: HEAP_NEWSIZE - value: {{ .Values.resources.small.heap.new }} + value: {{ $heap.new }} {{- end }} volumeMounts: - mountPath: /etc/localtime diff --git a/kubernetes/portal/components/portal-cassandra/values.yaml b/kubernetes/portal/components/portal-cassandra/values.yaml index c185155f09..b06761a870 100644 --- a/kubernetes/portal/components/portal-cassandra/values.yaml +++ b/kubernetes/portal/components/portal-cassandra/values.yaml @@ -112,14 +112,6 @@ flavor: small # Segregation for Different environment (Small and Large) resources: small: - # Heap size is tightly correlated to RAM limits. - # If limit > 8G, Cassandra should define itself the best value. - # If not, you must set up it in a coherent way with limits set - # Refer to https://docs.datastax.com/en/cassandra-oss/3.0/cassandra/operations/opsTuneJVM.html#Determiningtheheapsize - # for more informations. - heap: - max: 3G - new: 100M limits: cpu: 500m memory: 3.75Gi @@ -134,3 +126,15 @@ resources: cpu: 2 memory: 6Gi unlimited: {} + +heap: + # Heap size is tightly correlated to RAM limits. + # If limit > 8G, Cassandra should define itself the best value. + # If not, you must set up it in a coherent way with limits set + # Refer to https://docs.datastax.com/en/cassandra-oss/3.0/cassandra/operations/opsTuneJVM.html#Determiningtheheapsize + # for more informations. + small: + max: 3G + new: 100M + large: {} + unlimited: {}
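Review bot: In the portal-cassandra deployment hunk, `value: {{ $heap.max }}` and `value: {{ $heap.new }}` are rendered unquoted, so an override that is purely numeric becomes a YAML number and the API server rejects it as an env value. Use `value: {{ $heap.max | quote }}` and `value: {{ $heap.new | quote }}`. Separately, `pluck $flavor .Values.heap | first` yields nothing when the flavor has no entry under `heap`, and `hasKey` on that result would likely fail at render time. The values file in this commit covers `small`, `large` and `unlimited`, so only a custom flavor is affected. `{{- $heap := pluck $flavor .Values.heap | first | default (dict) }}` keeps that case rendering with no heap variables.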
\ No newline at end of file diff --git a/kubernetes/sdnc/resources/config/conf/org.opendaylight.daexim.cfg b/kubernetes/sdnc/resources/config/conf/org.opendaylight.daexim.cfg new file mode 100644 index 0000000000..20b794d21f --- /dev/null +++ b/kubernetes/sdnc/resources/config/conf/org.opendaylight.daexim.cfg @@ -0,0 +1,4 @@ +# Daexim directory location +# absolute path or path relative to Karaf home directory +# property substitution (interpolation) currently only supported for "${karaf.home}", no others (hard-coded) -- M. +daexim.dir={{ .Values.persistence.daeximPath }}
\ No newline at end of file diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index 51c50e4fec..7441dacd23 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml +++ b/kubernetes/sdnc/templates/statefulset.yaml @@ -114,7 +114,6 @@ spec: args: - -c - | - mkdir {{ .Values.persistence.mdsalPath }}/daexim mkdir {{ .Values.persistence.mdsalPath }}/journal mkdir {{ .Values.persistence.mdsalPath }}/snapshots chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.persistence.mdsalPath }} @@ -264,6 +263,9 @@ spec: - mountPath: {{ .Values.config.odl.etcDir }}/mountpoint-state-provider.properties name: properties subPath: mountpoint-state-provider.properties + - mountPath: {{ .Values.config.odl.etcDir }}/org.opendaylight.daexim.cfg + name: properties + subPath: org.opendaylight.daexim.cfg resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index efc13e92e6..5a4d204c58 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -460,7 +460,7 @@ persistence: mountPath: /dockerdata-nfs mountSubPath: sdnc/mdsal mdsalPath: /opt/opendaylight/mdsal - daeximPath: /opt/opendaylight/daexim + daeximPath: /opt/opendaylight/mdsal/daexim journalPath: /opt/opendaylight/journal snapshotsPath: /opt/opendaylight/snapshots diff --git a/kubernetes/vid/requirements.yaml b/kubernetes/vid/requirements.yaml index c6554cada2..34ad968757 100644 --- a/kubernetes/vid/requirements.yaml +++ b/kubernetes/vid/requirements.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,6 +20,9 @@ dependencies: # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' + - name: certInitializer + version: ~7.x-0 + repository: '@local' - name: mariadb-galera version: ~7.x-0 repository: '@local' @@ -30,4 +34,3 @@ dependencies: - name: repositoryGenerator version: ~7.x-0 repository: '@local' - diff --git a/kubernetes/vid/resources/certs/org.onap.vid.jks b/kubernetes/vid/resources/certs/org.onap.vid.jks Binary files differdeleted file mode 100644 index a05f12d857..0000000000 --- a/kubernetes/vid/resources/certs/org.onap.vid.jks +++ /dev/null diff --git a/kubernetes/vid/resources/certs/org.onap.vid.trust.jks b/kubernetes/vid/resources/certs/org.onap.vid.trust.jks Binary files differdeleted file mode 100644 index 4caf7be652..0000000000 --- a/kubernetes/vid/resources/certs/org.onap.vid.trust.jks +++ /dev/null diff --git a/kubernetes/vid/templates/deployment.yaml b/kubernetes/vid/templates/deployment.yaml index 2e74daa730..8872863e42 100644 --- a/kubernetes/vid/templates/deployment.yaml +++ b/kubernetes/vid/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Copyright © 2020 Samsung Electronics +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -36,7 +37,7 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: - initContainers: + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - command: - /app/ready.py args: 
@@ -55,6 +56,15 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) + /tmp/vid/localize.sh + {{- end }} ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger @@ -100,8 +110,6 @@ spec: value: "{{ .Values.config.roleaccesscentralized }}" - name: VID_CONTACT_US_LINK value: "{{ .Values.config.vidcontactuslink }}" - - name: VID_KEYSTORE_PASSWORD - value: {{ .Values.config.vidkeystorepassword | quote }} - name: VID_UEB_URL_LIST value: message-router.{{ include "common.namespace" . }} - name: VID_MYSQL_HOST @@ -116,9 +124,13 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "vid-db-user-secret" "key" "password") | indent 14 }} - name: VID_MYSQL_MAXCONNECTIONS value: "{{ .Values.config.vidmysqlmaxconnections }}" - volumeMounts: - - mountPath: /opt/app/vid/etc - name: vid-certs + {{- if .Values.global.aafEnabled }} + - name: VID_KEYSTORE_FILENAME + value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks" + - name: VID_TRUSTSTORE_FILENAME + value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks" + {{- end }} + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -149,10 +161,7 @@ spec: name: vid-logs - mountPath: /usr/share/filebeat/data name: vid-data-filebeat - volumes: - - name: vid-certs - secret: - secretName: {{ include "common.fullname" . }}-certs + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: localtime hostPath: path: /etc/localtime 
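Review bot: In the `aafEnabled` command block of the vid deployment, `export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)` has no guard for a missing or empty file. In that case the substitution expands to nothing, and a bare `export` prints every exported variable in common shells, which would write the container environment, including the database password injected from `vid-db-user-secret` further down, to the pod log. I would put `[ -s {{ .Values.certInitializer.credsPath }}/mycreds.prop ] || { echo "mycreds.prop missing" >&2; exit 1; }` before the export. The script also starts the application as a child of `sh`, so termination signals may not reach it; `exec /tmp/vid/localize.sh` avoids that. The container spec continues outside the hunk.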
diff --git a/kubernetes/vid/templates/secrets.yaml b/kubernetes/vid/templates/secrets.yaml index 72934fffd8..670838c6cf 100644 --- a/kubernetes/vid/templates/secrets.yaml +++ b/kubernetes/vid/templates/secrets.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Copyright © 2020 Samsung Electronics +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,17 +17,3 @@ */}} {{ include "common.secretFast" . }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-certs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/vid/values.yaml b/kubernetes/vid/values.yaml index 8e8a17ae84..4510dc6908 100644 --- a/kubernetes/vid/values.yaml +++ b/kubernetes/vid/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Copyright © 2020 Samsung Electronics +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -36,6 +37,53 @@ secrets: login: '{{ .Values.config.db.userName }}' password: '{{ .Values.config.db.userPassword }}' +################################################################# +# AAF part +################################################################# +certInitializer: + nameOverride: vid-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: vid + fqi: vid@vid.onap.org + public_fqdn: vid.onap.org + fqi_namespace: "org.onap.vid" + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + aaf_add_config: | + echo "*** retrieving password for keystore and trustore" + export $(/opt/app/aaf_config/bin/agent.sh local showpass \ + {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) + if [ -z "$cadi_keystore_password" ] + then + echo " /!\ certificates retrieval failed" + exit 1 + else + echo "*** changing them into shell safe ones" + export KEYSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + export TRUSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + cd {{ .Values.credsPath }} + keytool -storepasswd -new "${KEYSTORE_PASSWD}" \ + -storepass "${cadi_keystore_password_jks}" \ + -keystore {{ .Values.fqi_namespace }}.jks + keytool -storepasswd -new "${TRUSTORE_PASSWD}" \ + -storepass "${cadi_truststore_password}" \ + -keystore {{ .Values.fqi_namespace }}.trust.jks + echo "*** set key password as same password as keystore password" + keytool -keypasswd -new "${KEYSTORE_PASSWD}" \ + -keystore {{ .Values.fqi_namespace }}.jks \ + -keypass "${cadi_keystore_password_jks}" \ + -storepass "${KEYSTORE_PASSWD}" -alias {{ .Values.fqi }} + echo "*** save the generated passwords" + echo "VID_KEYSTORE_PASSWORD=${KEYSTORE_PASSWD}" > mycreds.prop + echo "VID_TRUSTSTORE_PASSWORD=${TRUSTORE_PASSWD}" >> mycreds.prop + echo "*** change ownership of certificates to targeted user" + chown -R 1000 
. + fi + subChartsOnly: enabled: true @@ -49,7 +97,6 @@ config: userName: vidadmin # userCredentialsExternalSecret: some secret # userPassword: password - vidkeystorepassword: 'F:.\,csU\&ew8\;tdVitnfo\}O\!g' asdcclientrestauth: "Basic dmlkOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU=" asdcclientrestport: "8443" vidaaiport: "8443" |
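Review bot: In the `aaf_add_config` script added under `certInitializer`, the guard tests `$cadi_keystore_password`, but the `keytool` calls consume `cadi_keystore_password_jks` and `cadi_truststore_password`, and none of their exit codes is checked. If either variable is empty or a `keytool` step fails, `mycreds.prop` is still written with passwords that were never applied to the stores. The guard should test the variables actually used, `if [ -z "$cadi_keystore_password_jks" ] || [ -z "$cadi_truststore_password" ]`, and each `keytool` call should end in `|| exit 1`. `mycreds.prop` holds both store passwords in clear text and is created with the default mode before `chown -R 1000 .`; a `chmod 600 mycreds.prop` after the chown (or `umask 077` before the first `echo`) limits it to the application user. The committed default `aafDeployPass: demo123456!` should carry a comment marking it as demo-only and pointing to the commented `aafDeployCredsExternalSecret` for real deployments.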