61 files changed, 1109 insertions, 326 deletions
diff --git a/docs/conf.py b/docs/conf.py index 39f5051de4..29c57e6da0 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -54,5 +54,6 @@ def setup(app): linkcheck_ignore = [ + "https://istio-release.storage.googleapis.com/charts", r'http://localhost:\d+/' ] diff --git a/docs/sections/guides/access_guides/oom_access_info.rst b/docs/sections/guides/access_guides/oom_access_info.rst index 2e779105f2..4e9866725e 100644 --- a/docs/sections/guides/access_guides/oom_access_info.rst +++ b/docs/sections/guides/access_guides/oom_access_info.rst 
@@ -3,19 +3,174 @@ .. http://creativecommons.org/licenses/by/4.0 .. Copyright (C) 2022 Nordix Foundation +.. Links +.. _Kubernetes LoadBalancer: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer +.. _Kubernetes NodePort: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + .. _oom_access_info_guide: OOM Access Info ---------------- +############### .. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png :align: right +Access via NodePort/Loadbalancer +******************************** + +The ONAP deployment created by OOM operates in a private IP network that isn't +publicly accessible (i.e. OpenStack VMs with private internal network) which +blocks access to the ONAP User Interfaces. +To enable direct access to a service from a user's own environment (a laptop etc.) +the application's internal port is exposed through a `Kubernetes NodePort`_ or +`Kubernetes LoadBalancer`_ object. + +Typically, to be able to access the Kubernetes nodes publicly a public address +is assigned. In OpenStack this is a floating IP address. + +Most ONAP applications use the `NodePort` as predefined `service:type`, +which opens allows access to the service through the the IP address of each +Kubernetes node. +When using the `Loadbalancer` as `service:type` `Kubernetes LoadBalancer`_ object +which gets a separate IP address. + +.. note:: + The following example uses the `ONAP Portal`, which is not actively maintained + in Kohn and will be replaced in the future + +When e.g. the `portal-app` chart is deployed a Kubernetes service is created that +instantiates a load balancer. The LB chooses the private interface of one of +the nodes as in the example below (10.0.0.4 is private to the K8s cluster only). 
+Then to be able to access the portal on port 8989 from outside the K8s & +OpenStack environment, the user needs to assign/get the floating IP address that +corresponds to the private IP as follows:: + + > kubectl -n onap get services|grep "portal-app" + portal-app LoadBalancer 10.43.142.201 10.0.0.4 8989:30215/TCP,8006:30213/TCP,8010:30214/TCP 1d app=portal-app,release=dev + + +In this example, use the 11.0.0.4 private address as a key find the +corresponding public address which in this example is 10.12.6.155. If you're +using OpenStack you'll do the lookup with the horizon GUI or the OpenStack CLI +for your tenant (openstack server list). That IP is then used in your +`/etc/hosts` to map the fixed DNS aliases required by the ONAP Portal as shown +below:: + + 10.12.6.155 portal.api.simpledemo.onap.org + 10.12.6.155 vid.api.simpledemo.onap.org + 10.12.6.155 sdc.api.fe.simpledemo.onap.org + 10.12.6.155 sdc.workflow.plugin.simpledemo.onap.org + 10.12.6.155 sdc.dcae.plugin.simpledemo.onap.org + 10.12.6.155 portal-sdk.simpledemo.onap.org + 10.12.6.155 policy.api.simpledemo.onap.org + 10.12.6.155 aai.api.sparky.simpledemo.onap.org + 10.12.6.155 cli.api.simpledemo.onap.org + 10.12.6.155 msb.api.discovery.simpledemo.onap.org + 10.12.6.155 msb.api.simpledemo.onap.org + 10.12.6.155 clamp.api.simpledemo.onap.org + 10.12.6.155 so.api.simpledemo.onap.org + 10.12.6.155 sdc.workflow.plugin.simpledemo.onap.org + +Ensure you've disabled any proxy settings the browser you are using to access +the portal and then simply access now the new ssl-encrypted URL: +``https://portal.api.simpledemo.onap.org:30225/ONAPPORTAL/login.htm`` + +.. note:: + Using the HTTPS based Portal URL the Browser needs to be configured to accept + unsecure credentials. + Additionally when opening an Application inside the Portal, the Browser + might block the content, which requires to disable the blocking and reloading + of the page + +.. 
note:: + Besides the ONAP Portal the Components can deliver additional user interfaces, + please check the Component specific documentation. + +.. note:: + + | Alternatives Considered: + + - Kubernetes port forwarding was considered but discarded as it would + require the end user to run a script that opens up port forwarding tunnels + to each of the pods that provides a portal application widget. + + - Reverting to a VNC server similar to what was deployed in the Amsterdam + release was also considered but there were many issues with resolution, + lack of volume mount, /etc/hosts dynamic update, file upload that were + a tall order to solve in time for the Beijing release. + + Observations: + + - If you are not using floating IPs in your Kubernetes deployment and + directly attaching a public IP address (i.e. by using your public provider + network) to your K8S Node VMs' network interface, then the output of + 'kubectl -n onap get services | grep "portal-app"' + will show your public IP instead of the private network's IP. Therefore, + you can grab this public IP directly (as compared to trying to find the + floating IP first) and map this IP in /etc/hosts. + Some relevant information regarding accessing OOM from outside the cluster etc +ONAP Nodeports +============== + +NodePorts are used to allow client applications, that run outside of +Kubernetes, access to ONAP components deployed by OOM. +A NodePort maps an externally reachable port to an internal port of an ONAP +microservice. +It should be noted that the use of NodePorts is temporary. +An alternative solution based on Ingress Controller, which initial support is +already in place. It is planned to become a default deployment option in the +London release. + +More information from official Kubernetes documentation about +`Kubernetes NodePort`_. + +The following table lists all the NodePorts used by ONAP. + +.. 
csv-table:: NodePorts table + :file: ../../resources/csv/nodeports.csv + :widths: 20,20,20,20,20 + :header-rows: 1 + + +This table retrieves information from the ONAP deployment using the following +Kubernetes command: + +.. code-block:: bash + + kubectl get svc -n onap -o go-template='{{range .items}}{{range.spec.ports}}{{if .nodePort}}{{.nodePort}}{{.}}{{"\n"}}{{end}}{{end}}{{end}}' + + +(Optional) Access via Ingress +***************************** + +Using Ingress as access method requires the installation of an Ingress +controller and the configuration of the ONAP deployment to use it. + +For "ONAP on ServiceMesh" you can find the instructions in: + +- :ref:`oom_base_optional_addons` +- :ref:`oom_customize_overrides` + +In the ServiceMesh deployment the Istio IngressGateway is the only access point +for ONAP component interfaces. +Usually the Ingress is accessed via a LoadBalancer IP (<ingress-IP>), +which is used as central address. +All APIs/UIs are provided via separate URLs which are routed to the component service. +To use these URLs they need to be resolvable via DNS or via /etc/hosts. + +The domain name is usually defined in the `global` section of the ONAP helm-charts, +`virtualhost.baseurl` (here "simpledemo.onap.org") whereas the hostname of +the service (e.g. "sdc-fe-ui") is defined in the component's chart. + +.. code-block:: none -.. toctree:: - :maxdepth: 1 + <ingress-IP> kiali.simpledemo.onap.org + <ingress-IP> cds-ui.simpledemo.onap.org + <ingress-IP> sdc-fe-ui.simpledemo.onap.org + ... - oom_ingress_access.rst +To access e.g. the SDC UI now the new ssl-encrypted URL: +``https://sdc-fe-ui.simpledemo.onap.org/sdc1`` diff --git a/docs/sections/guides/access_guides/oom_ingress_access.rst b/docs/sections/guides/access_guides/oom_ingress_access.rst deleted file mode 100644 index 0c64375098..0000000000 --- a/docs/sections/guides/access_guides/oom_ingress_access.rst +++ /dev/null 
@@ -1,18 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright (C) 2022 Nordix Foundation - -.. Links - - -.. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png - :align: right - -.. _oom_ingress_access: - - -Ingress access to OOM -##################### - -TBD diff --git a/docs/sections/guides/deployment_guides/oom_customize_overrides.rst b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst index 3acb8b6ee6..a49543cc0c 100644 --- a/docs/sections/guides/deployment_guides/oom_customize_overrides.rst +++ b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst @@ -32,7 +32,7 @@ Users can customize the override files to suit their required deployment. Enabling/Disabling Components ------------------------------ +***************************** Here is an example of the nominal entries that need to be provided. Different values files are available for different contexts. @@ -43,6 +43,68 @@ Different values files are available for different contexts. | -Some other heading ------------------- -adva
\ No newline at end of file +(Optional) "ONAP on Service Mesh" +********************************* + +To enable "ONAP on Service Mesh" both "ServiceMesh" and "Ingress" +configuration entries need to be configured before deployment. + +Global settings relevant for ServiceMesh: + +.. code-block:: yaml + + global: + ingress: + # generally enable ingress for ONAP components + enabled: false + # enable all component's Ingress interfaces + enable_all: false + # default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride + virtualhost: + baseurl: "simpledemo.onap.org" + # All http requests via ingress will be redirected on Ingress controller + # only valid for Istio Gateway (ServiceMesh enabled) + config: + ssl: "redirect" + # you can set an own Secret containing a certificate + # only valid for Istio Gateway (ServiceMesh enabled) + # tls: + # secret: 'my-ingress-cert' + # optional: Namespace of the Istio IngressGateway + # only valid for Istio Gateway (ServiceMesh enabled) + namespace: istio-ingress + ... 
+ serviceMesh: + enabled: true + tls: true + # be aware that linkerd is not well tested + engine: "istio" # valid value: istio or linkerd + aafEnabled: false + cmpv2Enabled: false + tlsEnabled: false + msbEnabled: false + +ServiceMesh settings: + +- enabled: true → enables ServiceMesh functionality in the ONAP Namespace (Istio: enables Sidecar deployment) +- tls: true → enables mTLS encryption in Sidecar communication +- engine: istio → sets the SM engine (currently only Istio is supported) +- aafEnabled: false → disables AAF usage for TLS interfaces +- tlsEnabled: false → disables creation of TLS in component services +- cmpv2Enabled: false → disable cmpv2 feature +- msbEnabled: false → MSB is not used in Istio setup (Open, if all components are MSB independend) + +Ingress settings: + +- enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled) +- enable_all: true → enables Ingress configuration in each component +- virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all Interfaces set by the components, + resulting in e.g. "aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.baseurlOverride +- config.ssl: redirect → sets in the Ingress globally the redirection of all Interfaces from http (port 80) to https (port 443) +- config.tls.secret: "..." → (optional) overrides the default selfsigned SSL certificate with a certificate stored in the specified secret +- namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate + +.. note:: + For "ONAP on Istio" an example override file (`onap-all-ingress-istio.yaml`) + can be found in the `oom/kubernetes/onap/resources/overrides/` directory. diff --git a/docs/sections/guides/infra_guides/oom_base_optional_addons.rst b/docs/sections/guides/infra_guides/oom_base_optional_addons.rst index 4b4fbf7883..5f81a363e9 100644 
--- a/docs/sections/guides/infra_guides/oom_base_optional_addons.rst +++ b/docs/sections/guides/infra_guides/oom_base_optional_addons.rst @@ -5,6 +5,10 @@ .. Links .. _Prometheus stack README: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#readme +.. _ONAP Next Generation Security & Logging Structure: https://wiki.onap.org/pages/viewpage.action?pageId=103417456 +.. _Istio best practices: https://docs.solo.io/gloo-mesh-enterprise/latest/setup/prod/namespaces/ +.. _Istio setup guide: https://istio.io/latest/docs/setup/install/helm/ +.. _Kiali setup guide: https://kiali.io/docs/installation/installation-guide/example-install/ .. _oom_base_optional_addons: 
@@ -39,3 +43,140 @@ To install the prometheus stack, execute the following: - To install prometheus, execute the following, replacing the <recommended-pm-version> with the version defined in the :ref:`versions_table` table:: > helm install prometheus prometheus-community/kube-prometheus-stack --namespace=prometheus --create-namespace --version=<recommended-pm-version> + +ONAP on Service Mesh +******************** + +.. warning:: + "ONAP on Service Mesh" is not fully supported in "Kohn". Full support is + planned for London release to support the + `ONAP Next Generation Security & Logging Structure`_ + +.. figure:: ../../resources/images/servicemesh/ServiceMesh.png + :align: center + +ONAP is currenty planned to support Istio as default ServiceMesh platform. +Therefor the following instructions describe the setup of Istio and required tools. +Used `Istio best practices`_ and `Istio setup guide`_ + +Istio Platform Installation +=========================== + +Install Istio Basic Platform +---------------------------- + +- Configure the Helm repository:: + + > helm repo add istio https://istio-release.storage.googleapis.com/charts + + > helm repo update + +- Create a namespace for "mesh-level" configurations:: + + > kubectl create namespace istio-config + +- Create a namespace istio-system for Istio components:: + + > kubectl create namespace istio-system + +- Install the Istio Base chart which contains cluster-wide resources used by the + Istio control plane, replacing the <recommended-istio-version> with the version + defined in the :ref:`versions_table` table:: + + > helm upgrade -i istio-base istio/base -n istio-system --version <recommended-istio-version> + +- Install the Istio Base Istio Discovery chart which deploys the istiod service, replacing the + <recommended-istio-version> with the version defined in the :ref:`versions_table` table + (enable the variable to enforce the (sidecar) proxy startup before the container start):: + + > helm upgrade -i istiod 
istio/istiod -n istio-system --version <recommended-istio-version> + --wait --set global.proxy.holdApplicationUntilProxyStarts=true --set meshConfig.rootNamespace=istio-config + +Add an EnvoyFilter for HTTP header case +--------------------------------------- + +When handling HTTP/1.1, Envoy will normalize the header keys to be all lowercase. +While this is compliant with the HTTP/1.1 spec, in practice this can result in issues +when migrating existing systems that might rely on specific header casing. +In our case a problem was detected in the SDC client implementation, which relies on +uppercase header values. To solve this problem in general we add a EnvoyFilter to keep +the uppercase header in the istio-config namespace to apply for all namespaces, but +set the context to SIDECAR_INBOUND to avoid problems in the connection between Istio-Gateway and Services + +- Create a EnvoyFilter file (e.g. envoyfilter-case.yaml) + + .. collapse:: envoyfilter-case.yaml + + .. include:: ../../resources/yaml/envoyfilter-case.yaml + :code: yaml + +- Apply the change to Istio:: + + > kubectl apply -f envoyfilter-case.yaml + +Install Istio Gateway +--------------------- + +- Create a namespace istio-ingress for the Istio Ingress gateway + and enable istio-injection:: + + > kubectl create namespace istio-ingress + + > kubectl label namespace istio-ingress istio-injection=enabled + +- Install the Istio Gateway chart,replacing the + <recommended-istio-version> with the version defined in + the :ref:`versions_table` table:: + + > helm upgrade -i istio-ingressgateway istio/gateway -n istio-ingress + --version <recommended-istio-version> --wait + +Kiali Installation +================== + +Kiali is used to visualize the Network traffic in a ServiceMesh enabled cluster +For setup the kiali operator is used, see `Kiali setup guide`_ + +- Install kiali-operator namespace:: + + > kubectl create namespace kiali-operator + + > kubectl label namespace kiali-operator istio-injection=enabled + 
+- Install the kiali-operator:: + + > helm repo add kiali https://kiali.org/helm-charts + + > helm repo update kiali + + > helm install --namespace kiali-operator kiali/kiali-operator + +- Create Kiali CR file (e.g. kiali.yaml) + + .. collapse:: kiali.yaml + + .. include:: ../../resources/yaml/kiali.yaml + :code: yaml + +- Install kiali:: + + > kubectl apply -f kiali.yaml + +- Create Ingress gateway entry for the kiali web interface + using the configured Ingress <base-url> (here "simpledemo.onap.org") + as described in :ref:`oom_customize_overrides` + + .. collapse:: kiali-ingress.yaml + + .. include:: ../../resources/yaml/kiali-ingress.yaml + :code: yaml + +- Add the Ingress entry for Kiali:: + + > kubectl -n istio-system apply -f kiali-ingress.yaml + + +Jaeger Installation +=================== + +To be done...
\ No newline at end of file diff --git a/docs/sections/guides/infra_guides/oom_infra_setup.rst b/docs/sections/guides/infra_guides/oom_infra_setup.rst index f9668de458..ed7b05a103 100644 --- a/docs/sections/guides/infra_guides/oom_infra_setup.rst +++ b/docs/sections/guides/infra_guides/oom_infra_setup.rst @@ -52,14 +52,23 @@ The versions of software that are supported by OOM are as follows: .. _versions_table: -.. table:: OOM Software Requirements - - ============== =========== ======= ======== ======== ============ ================= ======= - Release Kubernetes Helm kubectl Docker Cert-Manager Prometheus Stack Strimzi - ============== =========== ======= ======== ======== ============ ================= ======= - Jakarta 1.22.4 3.6.3 1.22.4 20.10.x 1.8.0 35.x 0.28.0 - Kohn 1.23.8 3.8.2 1.23.8 20.10.x 1.8.0 35.x 0.32.0 - ============== =========== ======= ======== ======== ============ ================= ======= +.. table:: OOM Software Requirements (base) + + ============== =========== ======= ======== ======== ============ ======= + Release Kubernetes Helm kubectl Docker Cert-Manager Strimzi + ============== =========== ======= ======== ======== ============ ======= + Jakarta 1.22.4 3.6.3 1.22.4 20.10.x 1.8.0 0.28.0 + Kohn 1.23.8 3.8.2 1.23.8 20.10.x 1.8.0 0.32.0 + ============== =========== ======= ======== ======== ============ ======= + +.. table:: OOM Software Requirements (optional) + + ============== ================= ====== + Release Prometheus Stack Istio + ============== ================= ====== + Jakarta 35.x --- + Kohn 35.x 1.15.1 + ============== ================= ====== .. toctree:: diff --git a/docs/sections/guides/user_guides/oom_user_guide.rst b/docs/sections/guides/user_guides/oom_user_guide.rst index c0f4f6ef73..449d5de3fa 100644 --- a/docs/sections/guides/user_guides/oom_user_guide.rst +++ b/docs/sections/guides/user_guides/oom_user_guide.rst 
@@ -234,88 +234,6 @@ can be modified, for example the `so`'s `liveness` probe could be disabled <...> -Accessing the ONAP Portal using OOM and a Kubernetes Cluster ------------------------------------------------------------- - -The ONAP deployment created by OOM operates in a private IP network that isn't -publicly accessible (i.e. OpenStack VMs with private internal network) which -blocks access to the ONAP Portal. To enable direct access to this Portal from a -user's own environment (a laptop etc.) the portal application's port 8989 is -exposed through a `Kubernetes LoadBalancer`_ object. - -Typically, to be able to access the Kubernetes nodes publicly a public address -is assigned. In OpenStack this is a floating IP address. - -When the `portal-app` chart is deployed a Kubernetes service is created that -instantiates a load balancer. The LB chooses the private interface of one of -the nodes as in the example below (10.0.0.4 is private to the K8s cluster only). -Then to be able to access the portal on port 8989 from outside the K8s & -OpenStack environment, the user needs to assign/get the floating IP address that -corresponds to the private IP as follows:: - - > kubectl -n onap get services|grep "portal-app" - portal-app LoadBalancer 10.43.142.201 10.0.0.4 8989:30215/TCP,8006:30213/TCP,8010:30214/TCP 1d app=portal-app,release=dev - - -In this example, use the 11.0.0.4 private address as a key find the -corresponding public address which in this example is 10.12.6.155. If you're -using OpenStack you'll do the lookup with the horizon GUI or the OpenStack CLI -for your tenant (openstack server list). 
That IP is then used in your -`/etc/hosts` to map the fixed DNS aliases required by the ONAP Portal as shown -below:: - - 10.12.6.155 portal.api.simpledemo.onap.org - 10.12.6.155 vid.api.simpledemo.onap.org - 10.12.6.155 sdc.api.fe.simpledemo.onap.org - 10.12.6.155 sdc.workflow.plugin.simpledemo.onap.org - 10.12.6.155 sdc.dcae.plugin.simpledemo.onap.org - 10.12.6.155 portal-sdk.simpledemo.onap.org - 10.12.6.155 policy.api.simpledemo.onap.org - 10.12.6.155 aai.api.sparky.simpledemo.onap.org - 10.12.6.155 cli.api.simpledemo.onap.org - 10.12.6.155 msb.api.discovery.simpledemo.onap.org - 10.12.6.155 msb.api.simpledemo.onap.org - 10.12.6.155 clamp.api.simpledemo.onap.org - 10.12.6.155 so.api.simpledemo.onap.org - 10.12.6.155 sdc.workflow.plugin.simpledemo.onap.org - -Ensure you've disabled any proxy settings the browser you are using to access -the portal and then simply access now the new ssl-encrypted URL: -``https://portal.api.simpledemo.onap.org:30225/ONAPPORTAL/login.htm`` - -.. note:: - Using the HTTPS based Portal URL the Browser needs to be configured to accept - unsecure credentials. - Additionally when opening an Application inside the Portal, the Browser - might block the content, which requires to disable the blocking and reloading - of the page - -.. note:: - Besides the ONAP Portal the Components can deliver additional user interfaces, - please check the Component specific documentation. - -.. note:: - - | Alternatives Considered: - - - Kubernetes port forwarding was considered but discarded as it would - require the end user to run a script that opens up port forwarding tunnels - to each of the pods that provides a portal application widget. - - - Reverting to a VNC server similar to what was deployed in the Amsterdam - release was also considered but there were many issues with resolution, - lack of volume mount, /etc/hosts dynamic update, file upload that were - a tall order to solve in time for the Beijing release. 
- - Observations: - - - If you are not using floating IPs in your Kubernetes deployment and - directly attaching a public IP address (i.e. by using your public provider - network) to your K8S Node VMs' network interface, then the output of - 'kubectl -n onap get services | grep "portal-app"' - will show your public IP instead of the private network's IP. Therefore, - you can grab this public IP directly (as compared to trying to find the - floating IP first) and map this IP in /etc/hosts. .. figure:: ../../resources/images/oom_logo/oomLogoV2-Monitor.png :align: right diff --git a/docs/sections/resources/csv/nodeports.csv b/docs/sections/resources/csv/nodeports.csv new file mode 100644 index 0000000000..b1c6fb5333 --- /dev/null +++ b/docs/sections/resources/csv/nodeports.csv 
@@ -0,0 +1,62 @@ +NodePort,Component,Service name,targetPort,Port +30200,VID,vid,8443,8443 +30201,SDNC,sdnc-portal,8443,8443 +30203,SDNC,sdnc-dgbuilder,3100,3000 +30204,SDC,sdc-be-external,8443,8443 +30207,SDC,sdc-fe,9443,9443 +30209,ROBOT,robot,443,443 +30210,AAI,aai-modelloader,8080,8080 +30211,APPC,appc,9191,9090 +30212,PORTAL,portal-sdk,8443,8443 +30218,POLICY,pap,9091,9091 +30219,POLICY,pap,8443,8443 +30220,AAI,aai-sparky-be,8000,8000 +30222,DCAE,xdcae-hv-ves-collector,6061,6061 +30225,PORTAL,portal-app,8443,8443 +30226,DMAAP,message-router-external,3905,3905 +30228,APPC,appc-dgbuilder,3100,3000 +30229,AAI,aai-modelloader,8443,8443 +30230,APPC,appc,8443,8443 +30231,APPC,appc,1830,1830 +30233,AAI,aai,8443,8443 +30234,POMBA*),pomba-kibana,5601,5601 +30242,DMAAP,dmaap-bc,8443,8443 +30248,OOF,oof-osdf,8699,8698 +30249,POMBA*),pomba-data-router,9502,9502 +30251,AAF,aaf-gui,8200,8200 +30253,LOG*),log-kibana,5601,5601 +30254,LOG*),log-es,9200,9200 +30255,LOG*),log-ls,5044,5044 +30256,SDC,sdc-wfd-fe,8443,8443 +30257,SDC,sdc-wfd-be,8443,8443 +30258,CLAMP,clamp-external,2443,2443 +30260,CLI,cli,443,443 +30264,DCAE,sdc-dcae-fe,9444,9444 +30266,DCAE,sdc-dcae-dt,9446,9446 +30267,SDNC,sdnc,8443,8443 +30269,DMAAP,dmaapr-prov,443,8443 +30271,CLI,cli,9090,9090 +30274,EXTAPI,nbi,8443,8443 +30275,OOF,oof-has-api,8091,8091 +30277,SO,so,8080,8080 +30279,AAI,aai-babel,9516,9516 +30283,MSB,msb-iag,443,443 +30284,MSB,msb-eag,443,443 +30288,SNIRO*),sniro-emulator,9999,80 +30289,APPC,appc-cdt,18080,18080 +30290,CLAMP,cdash-kibana,5601,5601 +30297,VNFSDK,refrepo,8703,8703 +30299,POMBA*),pomba-networkdiscovery,8443,9531 +30398,UUI,uui,8443,8443 +30399,UUI,uui-server,8082,8082 +30406,SO,so-vnfm-adapter,9092,9092 +30407,MUSIC,music,8443,8443 +30417,DCAE,xdcae-ves-collector,8443,8443 +30418,DCAE,dashboard,8443,8443 +30420,NETBOX,netbox-nginx,8080,8080 +30478,AWX,awx-web,8080,80 +30490,DMAAP,message-router-kafka-0,9091,9091 +30491,DMAAP,message-router-kafka-1,9091,9091 
+30492,DMAAP,message-router-kafka-2,9091,9091 +30494,DMAAP,dmaap-dr-node-external,8443,8443 +30497,CDS,cds-ui,3000,3000
\ No newline at end of file diff --git a/docs/sections/resources/images/servicemesh/ServiceMesh.png b/docs/sections/resources/images/servicemesh/ServiceMesh.png Binary files differnew file mode 100644 index 0000000000..7448ff0dc2 --- /dev/null +++ b/docs/sections/resources/images/servicemesh/ServiceMesh.png diff --git a/docs/sections/resources/yaml/envoyfilter-case.yaml b/docs/sections/resources/yaml/envoyfilter-case.yaml new file mode 100644 index 0000000000..c919319ecc --- /dev/null +++ b/docs/sections/resources/yaml/envoyfilter-case.yaml @@ -0,0 +1,40 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: header-casing + namespace: istio-config +spec: + configPatches: + - applyTo: CLUSTER + match: + context: SIDECAR_INBOUND + patch: + operation: MERGE + value: + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + use_downstream_protocol_config: + http_protocol_options: + header_key_format: + stateful_formatter: + name: preserve_case + typed_config: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig + - applyTo: NETWORK_FILTER + match: + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + patch: + operation: MERGE + value: + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + http_protocol_options: + header_key_format: + stateful_formatter: + name: preserve_case + typed_config: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig
\ No newline at end of file diff --git a/docs/sections/resources/yaml/kiali-ingress.yaml b/docs/sections/resources/yaml/kiali-ingress.yaml new file mode 100644 index 0000000000..44f806203a --- /dev/null +++ b/docs/sections/resources/yaml/kiali-ingress.yaml @@ -0,0 +1,30 @@ +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + name: kiali-gateway +spec: + selector: + istio: ingressgateway + servers: + - hosts: + - kiali.simpledemo.onap.org + port: + name: http + number: 80 + protocol: HTTP +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: kiali-service +spec: + hosts: + - kiali.simpledemo.onap.org + gateways: + - kiali-gateway + http: + - route: + - destination: + port: + number: 20001 + host: kiali
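Review bot: The second configPatch (`applyTo: NETWORK_FILTER`) has no `context` in its `match`, so unlike the CLUSTER patch it is not limited to `SIDECAR_INBOUND`; since the resource sits in the root namespace `istio-config` (configured via `meshConfig.rootNamespace` in the istiod install step of this change) and has no `workloadSelector`, that patch is applied to every HTTP connection manager in the mesh, including the ingress gateway and outbound sidecars. The accompanying text says the context is set to SIDECAR_INBOUND precisely to avoid problems between the Istio gateway and services, so this looks like an omission rather than intent. Adding `context: SIDECAR_INBOUND` under the second `match:` (beside `listener:`) restricts it as the prose describes. A short comment on the resource noting that a root-namespace EnvoyFilter without a workloadSelector is mesh-wide would help the next reader judge the blast radius.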
\ No newline at end of file diff --git a/docs/sections/resources/yaml/kiali.yaml b/docs/sections/resources/yaml/kiali.yaml new file mode 100644 index 0000000000..71d86ce265 --- /dev/null +++ b/docs/sections/resources/yaml/kiali.yaml @@ -0,0 +1,24 @@ +apiVersion: kiali.io/v1alpha1 +kind: Kiali +metadata: + name: kiali + namespace: istio-system + annotations: + ansible.operator-sdk/verbosity: "1" +spec: + auth: + strategy: anonymous + istio_component_namespaces: + prometheus: monitoring + external_services: + grafana: + in_cluster_url: http://prometheus-stack-grafana.monitoring + prometheus: + url: http://prometheus-stack-kube-prom-prometheus.monitoring:9090 + tracing: + in_cluster_url: http://istio-query.observability:16686 + deployment: + accessible_namespaces: ["**"] + view_only_mode: false + server: + web_root: "/kiali"
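Review bot: The Gateway publishes Kiali on `port 80`/`HTTP` only, with no HTTPS server and no `httpsRedirect`, so the Kiali console is reachable in cleartext on the ingress IP; the `config.ssl: redirect` and `tls.secret` settings documented for the ONAP charts govern the chart-generated Gateways, not this hand-written one. Combined with the `auth.strategy: anonymous` / `view_only_mode: false` Kiali CR in the same change, this is an unauthenticated plaintext path to a UI that can edit Istio configuration, which is a weak default even for a reference setup. Serve the host over HTTPS with a certificate Secret in the ingress gateway's namespace and redirect plain HTTP to it; the exact secret name depends on how the operator provisions certificates, so it is left as a placeholder below. The Gateway also has no `metadata.namespace`, so it lands wherever `kubectl -n` points (the docs use `istio-system`); stating the namespace explicitly avoids surprises.
```yaml
  servers:
  - hosts:
    - kiali.simpledemo.onap.org
    port:
      name: http
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - kiali.simpledemo.onap.org
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: <tls-secret-in-ingress-gateway-namespace>
# … unchanged: VirtualService …
```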
\ No newline at end of file diff --git a/kubernetes/README.md b/kubernetes/README.md index 9d8d4cc9ab..696ede70c0 100644 --- a/kubernetes/README.md +++ b/kubernetes/README.md @@ -1,5 +1,8 @@ ## **Quick Start Guide** +> **WARNING**: This README is no longer maintained and will be deprecated. +> Please refer to the official OOM guide here - [OOM Guide](https://docs.onap.org/projects/onap-oom/en/latest/sections/oom_project_description.html) + This is a quick start guide describing how to deploy ONAP on Kubernetes using Helm. diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties index 681da5d069..bc53b4b764 100644 --- a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties +++ b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties @@ -30,14 +30,13 @@ ml.distribution.KEYSTORE_PASSWORD= ml.distribution.KEYSTORE_FILE= ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp {{ end }} -ml.distribution.CONSUMER_GROUP=aai-ml-group -ml.distribution.CONSUMER_ID=aai-ml +ml.distribution.CONSUMER_GROUP={{ .Values.config.kafka.sdcTopic.consumerGroup }} +ml.distribution.CONSUMER_ID={{ .Values.config.kafka.sdcTopic.clientId }} ml.distribution.ENVIRONMENT_NAME=AUTO ml.distribution.POLLING_INTERVAL=30 ml.distribution.POLLING_TIMEOUT=20 ml.distribution.USER=aai ml.distribution.ARTIFACT_TYPES=MODEL_QUERY_SPEC,TOSCA_CSAR -ml.distribution.MSG_BUS_ADDRESSES=message-router.{{.Release.Namespace}} # Model Loader AAI REST Client Configuration {{ if ( include "common.needTLS" .) }} 
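Review bot: `auth.strategy: anonymous` together with `view_only_mode: false` and `accessible_namespaces: ["**"]` lets anyone who reaches the Kiali UI (exposed unauthenticated over HTTP by the Gateway in this same change) create, edit and delete Istio resources in every namespace with the privileges of the Kiali service account. For a documented reference deployment the safer defaults are `view_only_mode: true` and, if any write access is to be kept, `strategy: token` (Kubernetes token login) or `openid` instead of `anonymous`. Separately, `tracing.in_cluster_url` points at `istio-query.observability` while the Jaeger section of this change is still "To be done", so Kiali will presumably report tracing errors until that service exists; if that is confirmed, `tracing: enabled: false` until Jaeger is installed would avoid the noise.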
diff --git a/kubernetes/aai/components/aai-modelloader/templates/aai-sdc-list-kafka-user.yaml b/kubernetes/aai/components/aai-modelloader/templates/aai-sdc-list-kafka-user.yaml new file mode 100644 index 0000000000..d7e37e215a --- /dev/null +++ b/kubernetes/aai/components/aai-modelloader/templates/aai-sdc-list-kafka-user.yaml @@ -0,0 +1,37 @@ +{{/* + # Copyright © 2022 Nordix Foundation + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + */}} + +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ include "common.release" . }}-{{ .Values.global.aaiSdcListenerKafkaUser }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + authentication: + type: {{ .Values.config.kafka.saslMechanism | lower }} + authorization: + type: {{ .Values.config.kafka.authType }} + acls: + - resource: + type: group + name: {{ .Values.config.kafka.sdcTopic.consumerGroup }} + operation: All + - resource: + type: topic + patternType: prefix + name: {{ .Values.config.kafka.sdcTopic.pattern }} + operation: All diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml index 8e481b9656..d3136d8dda 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml 
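Review bot: Both ACL entries grant `operation: All`, which on the consumer group and on every topic matching the `SDC-DIST` prefix includes Create, Delete and Alter, far more than a distribution listener needs. The group entry can be `operation: Read`, and for the topic, if this client only consumes notifications and publishes status messages (what the SDC distribution client appears to do, not verifiable from here), `Read`, `Write` and `Describe` as three separate `acls` entries cover it without Delete/Alter; separate entries are the portable form since an `operations:` list is only accepted by newer Strimzi releases than the 0.32.0 pinned in this change. A one-line comment above `acls:` naming the operations the model-loader is expected to perform would document the intended minimum and make future widening a conscious decision.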
@@ -102,6 +102,12 @@ spec: env: - name: CONFIG_HOME value: /opt/app/model-loader/config/ + - name: SECURITY_PROTOCOL + value: {{ .Values.config.kafka.securityProtocol }} + - name: SASL_MECHANISM + value: {{ .Values.config.kafka.saslMechanism }} + - name: SASL_JAAS_CONFIG + value: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aai-sdc-kafka-secret" "key" "sasl.jaas.config") | indent 10 }} volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - mountPath: /etc/localtime name: localtime diff --git a/kubernetes/aai/components/aai-modelloader/templates/secret.yaml b/kubernetes/aai/components/aai-modelloader/templates/secret.yaml index d6013c832e..70b0857938 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/secret.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/secret.yaml @@ -27,3 +27,5 @@ metadata: type: Opaque data: {{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }} +--- +{{ include "common.secretFast" . }}
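Review bot: `value: {{- include "common.secret.envFromSecretFast" … | indent 10 }}` for `SASL_JAAS_CONFIG` looks wrong: the two sibling call sites in this change (the multicloud-k8s deployment and the message-router statefulset) place the include directly under `- name:` with no `value:` key, which is consistent with the helper emitting a `valueFrom:` block rather than a scalar. If that is the case, this line renders `value:` with a `valueFrom:` block glued behind it, which is not valid YAML for an env entry, so the install fails or the credential is never injected; the fix is to drop the key and write `- name: SASL_JAAS_CONFIG` followed by `{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aai-sdc-kafka-secret" "key" "sasl.jaas.config") | indent 10 }}`. Separately, `SECURITY_PROTOCOL` defaults to `SASL_PLAINTEXT`, so the SCRAM exchange is protected but topic payloads travel in the clear unless the service mesh enforces mTLS; worth a comment next to the value. The container spec continues outside the hunk.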
\ No newline at end of file diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml index 1188f9b645..09bb32dd43 100644 --- a/kubernetes/aai/components/aai-modelloader/values.yaml +++ b/kubernetes/aai/components/aai-modelloader/values.yaml @@ -18,6 +18,18 @@ # Declare variables to be passed into your templates. global: # global defaults nodePortPrefix: 302 + aaiSdcListenerKafkaUser: aai-sdc-list-user +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: aai-sdc-kafka-secret + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate ################################################################# # Certificate configuration @@ -56,13 +68,23 @@ certInitializer: chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }} # application image -image: onap/model-loader:1.11.0 +image: onap/model-loader:1.12.0 pullPolicy: Always restartPolicy: Always flavor: small flavorOverride: small + # application configuration -config: {} +config: + someConfig: blah + kafka: + securityProtocol: SASL_PLAINTEXT + saslMechanism: SCRAM-SHA-512 + authType: simple + sdcTopic: + pattern: SDC-DIST + consumerGroup: aai + clientId: aai-model-loader # default number of instances replicaCount: 1 diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties index 8bd4494a2b..7c82d1f90d 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties 
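Review bot: The new `secrets` entry's fallback `value: '{{ .Values.config.someConfig }}'` resolves to the literal placeholder `blah` declared in the `config:` hunk further down, so whenever `config.jaasConfExternalSecret` is empty (any deploy outside the `aai` umbrella, which is where this change sets it) the container receives `sasl.jaas.config=blah` and fails SASL authentication with no hint that a wiring value is missing. The real JAAS string only ever comes from the Strimzi-managed KafkaUser secret, so the placeholder deserves a self-describing name and a comment, e.g. `# placeholder only: the real sasl.jaas.config is the KafkaUser secret named by config.jaasConfExternalSecret`, and ideally the chart should fail fast with `required` when the external secret is unset. The same `someConfig: blah` pattern is duplicated in the multicloud-k8s values in this change.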
@@ -25,6 +25,6 @@ resources.trust-store-password=${TRUSTSTORE_PASSWORD} resources.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 resources.client-cert-password=${KEYSTORE_PASSWORD} {{ else }} -resources.port=8080 +resources.port=80 resources.authType=HTTP_NOAUTH {{ end }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml index a724129018..31ea946d9b 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml @@ -147,18 +147,19 @@ spec: subPath: logback.xml ports: - containerPort: {{ .Values.service.internalPort }} + - containerPort: {{ .Values.service.internalPlainPort }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ .Values.service.internalPort }} + port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: tcpSocket: - port: {{ .Values.service.internalPort }} + port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} resources: diff --git a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml index 457b3576a0..9e3ffd6f56 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml 
@@ -25,16 +25,13 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} spec: - type: {{ .Values.service.type }} ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} + - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} + port: {{ .Values.service.externalPort }} + targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + {{- if eq .Values.service.type "NodePort" }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ ternary "s" "" (eq "true" (include "common.needTLS" .)) }} - {{- end }} + {{- end }} + type: {{ .Values.service.type }} selector: app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml index ee3c5c41d9..29953b4b66 100644 --- a/kubernetes/aai/components/aai-sparky-be/values.yaml +++ b/kubernetes/aai/components/aai-sparky-be/values.yaml @@ -119,7 +119,9 @@ readiness: service: type: NodePort portName: http + externalPort: 8000 internalPort: 8000 + internalPlainPort: 9517 nodePort: 20 ingress: diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml index 0ba461c4c7..d382b80ba0 100644 --- a/kubernetes/aai/values.yaml +++ b/kubernetes/aai/values.yaml 
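Review bot: Removing `release: {{ include "common.release" . }}` from `selector:` leaves the Service matching pods by `app:` alone, so any pod in the namespace carrying `app: aai-sparky-be` (a second release, or a debug pod given that label) becomes a backend, and for a NodePort service that is externally reachable traffic. If the drop is deliberate to align with a shared helper, say so in a comment; otherwise restore the second selector line `release: {{ include "common.release" . }}`. The `ternary` on `targetPort` correctly follows `common.needTLS`, but note that plain port 9517 is now the declared target whenever TLS is off.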
@@ -277,12 +277,16 @@ global: # global defaults # since when this is enabled, it prints a lot of information to console enabled: false + aaiSdcListenerKafkaUser: aai-sdc-list-user + aai-babel: logConfigMapNamePrefix: '{{ include "common.release" . }}-aai' aai-graphadmin: logConfigMapNamePrefix: '{{ include "common.release" . }}-aai' aai-modelloader: logConfigMapNamePrefix: '{{ include "common.release" . }}-aai' + config: + jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.aaiSdcListenerKafkaUser }}' aai-resources: logConfigMapNamePrefix: '{{ include "common.release" . }}-aai' aai-schema-service: diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl index 4fc2e4b1c9..d8a944712a 100644 --- a/kubernetes/common/common/templates/_ingress.tpl +++ b/kubernetes/common/common/templates/_ingress.tpl 
@@ -14,13 +14,56 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} +{{/* + Create the hostname as concatination <baseaddr>.<baseurl> + - baseaddr: from component values: ingress.service.baseaddr + - baseurl: from values: global.ingress.virtualhost.baseurl + which van be overwritten in the component via: ingress.baseurlOverride +*/}} {{- define "ingress.config.host" -}} {{- $dot := default . .dot -}} {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} {{- $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}} +{{- $burl := include "common.ingress._overrideIfDefined" (dict "currVal" $burl "parent" (default (dict) $dot.Values.ingress) "var" "baseurlOverride") -}} {{ printf "%s.%s" $baseaddr $burl }} {{- end -}} +{{/* + Helper function to add the tls route +*/}} +{{- define "ingress.config.tls" -}} +{{- $dot := default . .dot -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." 
.baseaddr) -}} +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.ssl }} +{{- if eq $dot.Values.global.ingress.config.ssl "redirect" }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + tls: +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.tls }} + credentialName: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }} +{{- else }} + credentialName: "ingress-tls-secret" +{{- end }} +{{- else }} + credentialName: "ingress-tls-secret" +{{- end }} + mode: SIMPLE + hosts: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + Helper function to add the route to the service +*/}} {{- define "ingress.config.port" -}} {{- $dot := default . .dot -}} {{ range .Values.ingress.service }} @@ -44,9 +87,11 @@ {{- end }} {{- end -}} +{{/* + Helper function to add the route to the service +*/}} {{- define "istio.config.route" -}} {{- $dot := default . .dot -}} -{{ range .Values.ingress.service }} http: - route: - destination: @@ -66,8 +111,10 @@ {{- end }} host: {{ .name }} {{- end -}} -{{- end -}} +{{/* + Helper function to add ssl annotations +*/}} {{- define "ingress.config.annotations.ssl" -}} {{- if .Values.ingress.config -}} {{- if .Values.ingress.config.ssl -}} @@ -85,6 +132,9 @@ nginx.ingress.kubernetes.io/ssl-redirect: "false" {{- end -}} +{{/* + Helper function to add annotations +*/}} {{- define "ingress.config.annotations" -}} {{- if .Values.ingress -}} {{- if .Values.ingress.annotations -}} @@ -94,6 +144,9 @@ nginx.ingress.kubernetes.io/ssl-redirect: "false" {{ include "ingress.config.annotations.ssl" . | indent 4 | trim }} {{- end -}} +{{/* + Helper function to check the existance of an override value +*/}} {{- define "common.ingress._overrideIfDefined" -}} {{- $currValue := .currVal }} {{- $parent := .parent }} 
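Review bot: The new header comment for `ingress.config.host` has two typos that will be copied into every chart that reads it: `concatination` should be `concatenation` and `which van be overwritten` should be `which can be overridden`. It would also help to state the precedence in one line, e.g. `ingress.baseurlOverride (component) takes precedence over global.ingress.virtualhost.baseurl`, since `_overrideIfDefined` runs after the `required` check and silently replaces the global value. The `ingress.config.tls` helper that follows emits list items for the Gateway `servers:` and so depends on being included at exactly the caller's indentation; a comment noting that would stop a future `nindent` from breaking it.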
@@ -109,20 +162,38 @@ nginx.ingress.kubernetes.io/ssl-redirect: "false" {{- end -}} {{- end -}} -{{- define "common.ingress" -}} +{{/* + Helper function to check, if Ingress is enabled +*/}} +{{- define "common.ingress._enabled" -}} {{- $dot := default . .dot -}} -{{- if .Values.ingress -}} - {{- $ingressEnabled := default false .Values.ingress.enabled -}} - {{- $ingressEnabled := include "common.ingress._overrideIfDefined" (dict "currVal" $ingressEnabled "parent" (default (dict) .Values.global.ingress) "var" "enabled") }} - {{- $ingressEnabled := include "common.ingress._overrideIfDefined" (dict "currVal" $ingressEnabled "parent" .Values.ingress "var" "enabledOverride") }} -{{- if $ingressEnabled }} -{{- if (include "common.onServiceMesh" .) }} -{{- if eq (default "istio" .Values.global.serviceMesh.engine) "istio" }} - {{- $dot := default . .dot -}} +{{- if $dot.Values.ingress -}} +{{- if $dot.Values.global.ingress -}} +{{- if (default false $dot.Values.global.ingress.enabled) -}} +{{- if (default false $dot.Values.global.ingress.enable_all) -}} +true +{{- else -}} +{{- if $dot.Values.ingress.enabled -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Create Istio Ingress resources per defined service +*/}} +{{- define "common.istioIngress" -}} +{{- $dot := default . .dot -}} +{{ range $dot.Values.ingress.service }} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} +--- apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: - name: {{ include "common.fullname" . }}-gateway + name: {{ $baseaddr }}-gateway spec: selector: istio: ingressgateway # use Istio default gateway implementation 
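Review bot: The rewritten `common.ingress._enabled` no longer reads `ingress.enabledOverride`, which the removed code consulted last, so a component that used `enabledOverride: false` to keep itself off the ingress is silently published as soon as `global.ingress.enable_all` is true; combined with the `enable_all: true` added to the onap-all override files in this change, every chart with an `ingress.service` list is exposed with no per-component opt-out. If the override knob is meant to go, that is a behaviour change worth a release note; otherwise honour an explicit `false` inside the `enable_all` branch, e.g. replace the bare `true` there with `{{- if ne (toString $dot.Values.ingress.enabledOverride) "false" }}true{{- end }}`. A second point: `common.istioIngress` now names the Gateway `{{ $baseaddr }}-gateway` instead of `{{ include "common.fullname" . }}-gateway`, so two releases in one namespace that share a `baseaddr` collide on the resource name. The Gateway body continues in the next hunk.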
@@ -132,80 +203,87 @@ spec: name: http protocol: HTTP hosts: - {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} - - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{- end }} -{{- if .Values.global.ingress.config }} -{{- if .Values.global.ingress.config.ssl }} -{{- if eq .Values.global.ingress.config.ssl "redirect" }} - tls: - httpsRedirect: true - - port: - number: 443 - name: https - protocol: HTTPS - tls: -{{- if .Values.global.ingress.config }} -{{- if .Values.global.ingress.config.tls }} - credentialName: {{ default "ingress-tls-secret" .Values.global.ingress.config.tls.secret }} -{{- else }} - credentialName: "ingress-tls-secret" -{{- end }} -{{- else }} - credentialName: "ingress-tls-secret" -{{- end }} - mode: SIMPLE - hosts: - {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{- end }} -{{- end }} -{{- end }} -{{- end }} + {{ include "ingress.config.tls" (dict "dot" $dot "baseaddr" $baseaddr) }} --- apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: - name: {{ include "common.fullname" . }}-service + name: {{ $baseaddr }}-service spec: hosts: - {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{- end }} gateways: - - {{ include "common.fullname" . }}-gateway + - {{ $baseaddr }}-gateway {{ include "istio.config.route" . | trim }} +{{- end -}} {{- end -}} -{{- else -}} + +{{/* + Create default Ingress resource +*/}} +{{- define "common.nginxIngress" -}} +{{- $dot := default . .dot -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ include "common.fullname" . }}-ingress + name: {{ include "common.fullname" $dot }}-ingress annotations: - {{ include "ingress.config.annotations" . 
}} + {{ include "ingress.config.annotations" $dot }} labels: - app: {{ .Chart.Name }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + app: {{ $dot.Chart.Name }} + chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }} + release: {{ include "common.release" $dot }} + heritage: {{ $dot.Release.Service }} spec: rules: - {{ include "ingress.config.port" . | trim }} -{{- if .Values.ingress.tls }} + {{ include "ingress.config.port" $dot | trim }} +{{- if $dot.Values.ingress.tls }} tls: -{{ toYaml .Values.ingress.tls | indent 4 }} +{{ toYaml $dot.Values.ingress.tls | indent 4 }} {{- end -}} -{{- if .Values.ingress.config -}} -{{- if .Values.ingress.config.tls -}} +{{- if $dot.Values.ingress.config -}} +{{- if $dot.Values.ingress.config.tls -}} tls: - hosts: - {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} + {{- range $dot.Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{- end }} - secretName: {{ required "secret" (tpl (default "" .Values.ingress.config.tls.secret) $dot) }} -{{- end -}} -{{- end -}} -{{- end -}} + {{- end }} + secretName: {{ required "secret" (tpl (default "" $dot.Values.ingress.config.tls.secret) $dot) }} +{{- end -}} {{- end -}} {{- end -}} + +{{/* + Create ingress template + Will create ingress template depending on the following values: + - .Values.global.ingress.enabled : enables Ingress globally + - .Values.global.ingress.enable_all : override default Ingress for all charts + - .Values.ingress.enabled : sets Ingress per chart basis + + | global.ingress.enabled | global.ingress.enable_all |ingress.enabled | result | + |------------------------|---------------------------|----------------|------------| + | false | any | any | no ingress | + | true | false | false | no ingress | + | true | true | 
any | ingress | + | true | false | true | ingress | + + If ServiceMesh (Istio) is enabled the respective resources are created: + - Gateway + - VirtualService + + If ServiceMesh is disabled the standard Ingress resource is creates: + - Ingress +*/}} +{{- define "common.ingress" -}} +{{- $dot := default . .dot -}} +{{- if (include "common.ingress._enabled" (dict "dot" $dot)) }} +{{- if (include "common.onServiceMesh" .) }} +{{- if eq (default "istio" .Values.global.serviceMesh.engine) "istio" }} +{{ include "common.istioIngress" (dict "dot" $dot) }} +{{- end -}} +{{- else -}} +{{ include "common.nginxIngress" (dict "dot" $dot) }} +{{- end -}} +{{- end -}} {{- end -}} diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index 379992eae8..7b88af02aa 100644 --- a/kubernetes/common/common/templates/_service.tpl +++ b/kubernetes/common/common/templates/_service.tpl @@ -242,7 +242,7 @@ spec: {{- $labels := default (dict) .labels -}} {{- $matchLabels := default (dict) .matchLabels -}} {{- if and (include "common.onServiceMesh" $dot) (eq $serviceType "NodePort") }} -{{- $serviceType = "ClusterIP" }} +{{- $serviceType = "ClusterIP" }} {{- end }} {{- if (and (include "common.needTLS" $dot) $both_tls_and_plain) }} diff --git a/kubernetes/dmaap/Chart.yaml b/kubernetes/dmaap/Chart.yaml index 25fa15a2cf..8d84a97ba2 100644 --- a/kubernetes/dmaap/Chart.yaml +++ b/kubernetes/dmaap/Chart.yaml @@ -24,10 +24,6 @@ dependencies: - name: common version: ~12.x-0 repository: '@local' - - name: dmaap-strimzi - version: ~12.x-0 - repository: 'file://components/dmaap-strimzi' - condition: dmaap-strimzi.enabled - name: message-router version: ~12.x-0 repository: 'file://components/message-router' diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties b/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties index 3acea02bff..a9b0a012a4 100755 
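Review bot: In the new `common.ingress` wrapper, `{{- if (include "common.onServiceMesh" .) }}` and `.Values.global.serviceMesh.engine` still dereference `.` although the helper has just bound `$dot := default . .dot` and every other new helper in this file uses `$dot`; if the template is ever invoked with a dict, as `common.istioIngress` and `common.nginxIngress` now are, `.Values` is nil and the mesh check errors or falls through to the nginx branch. Change the two lines to `{{- if (include "common.onServiceMesh" $dot) }}` and `{{- if eq (default "istio" $dot.Values.global.serviceMesh.engine) "istio" }}`. The documentation table added above is welcome; it should also record that the mesh branch creates one Gateway/VirtualService per `ingress.service` entry, named by `baseaddr` rather than by release.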
--- a/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties +++ b/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties @@ -28,9 +28,9 @@ ## Items below are passed through to Kafka's producer and consumer ## configurations (after removing "kafka.") ## if you want to change request.required.acks it can take this one value -kafka.metadata.broker.list={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}:{{ .Values.global.kafkaInternalPort }} -config.zk.servers=127.0.0.1:{{ .Values.global.zkTunnelService.internalPort }} #kafka.request.required.acks=-1 +kafka.metadata.broker.list={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +config.zk.servers=127.0.0.1:{{ .Values.global.zkTunnelService.internalPort }} consumer.timeout.ms=100 zookeeper.connection.timeout.ms=6000 zookeeper.session.timeout.ms=20000 diff --git a/kubernetes/dmaap/components/message-router/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/templates/statefulset.yaml index 0fba655a69..904c160c70 100644 --- a/kubernetes/dmaap/components/message-router/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/message-router/templates/statefulset.yaml @@ -150,7 +150,7 @@ spec: - name: JAASLOGIN {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "mr-kafka-admin-secret" "key" "sasl.jaas.config") | indent 12 }} - name: SASLMECH - value: {{ .Values.global.saslMechanism }} + value: scram-sha-512 - name: enableCadi value: "{{ .Values.global.aafEnabled }}" - name: useZkTopicStore diff --git a/kubernetes/dmaap/components/message-router/values.yaml b/kubernetes/dmaap/components/message-router/values.yaml index f9904e67c8..80460ba570 100644 --- a/kubernetes/dmaap/components/message-router/values.yaml +++ b/kubernetes/dmaap/components/message-router/values.yaml 
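Review bot: `kafka.metadata.broker.list={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092` hard-codes the plaintext bootstrap listener where the removed line took host and port from `global.kafkaBootstrap`/`global.kafkaInternalPort`, so an operator who enables the TLS listener on the Strimzi cluster can no longer point Message Router at it without editing the chart. Keep one value for the port, e.g. `kafka.metadata.broker.list={{ include "common.release" . }}-strimzi-kafka-bootstrap:{{ .Values.kafka.bootstrapPort }}` with a commented default of `9092` in values.yaml, and document that it must match the listener the KafkaUser credentials are valid for. The `#kafka.request.required.acks=-1` comment now sits above the broker line, separating the "passed through to Kafka" explanation from the key it describes.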
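Review bot: `value: scram-sha-512` for `SASLMECH` replaces a value-driven setting with a literal, yet the listener mechanism is decided by the Strimzi cluster chart and is also spelled out as `saslMechanism: SCRAM-SHA-512` in the aai-modelloader and multicloud-k8s values in this change; three independent copies of the same security parameter will drift. Keep it configurable from one place, e.g. `value: {{ .Values.kafka.saslMechanism }}` with `kafka.saslMechanism: scram-sha-512` in the component values, or at least add `# must match the Strimzi listener authentication type` beside the literal. The container env list continues outside the hunk.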
@@ -19,15 +19,16 @@ ################################################################# global: nodePortPrefix: 302 - kafkaBootstrap: strimzi-kafka-bootstrap - saslMechanism: scram-sha-512 - kafkaInternalPort: 9092 zkTunnelService: type: ClusterIP name: zk-tunnel-svc portName: tcp-zk-tunnel internalPort: 2181 +zookeeper: + entrance: + image: scholzj/zoo-entrance:latest + ################################################################# # AAF part ################################################################# @@ -71,10 +72,6 @@ certInitializer: image: onap/dmaap/dmaap-mr:1.4.3 pullPolicy: Always -zookeeper: - entrance: - image: scholzj/zoo-entrance:latest - secrets: - uid: mr-kafka-admin-secret externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' diff --git a/kubernetes/dmaap/values.yaml b/kubernetes/dmaap/values.yaml index cf65674ffd..1cb537b5f4 100644 --- a/kubernetes/dmaap/values.yaml +++ b/kubernetes/dmaap/values.yaml @@ -38,10 +38,7 @@ global: aafEnabled: true #Strimzi config - kafkaBootstrap: strimzi-kafka-bootstrap kafkaStrimziAdminUser: strimzi-kafka-admin - kafkaInternalPort: 9092 - saslMechanism: scram-sha-512 #Component overrides message-router: diff --git a/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json b/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json index cf818798d4..4a08322634 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json +++ b/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json 
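Review bot: `image: scholzj/zoo-entrance:latest` is moved into the top-level `zookeeper.entrance` block rather than added, but it remains an unpinned third-party image from a personal Docker Hub namespace, so the ZooKeeper tunnel sidecar can change under a deployed release on any restart and nothing ties the deployment to a reviewed build. Pin it to a tag and digest, e.g. `image: scholzj/zoo-entrance:<tag>@sha256:<digest>`, and add a comment on why it is needed (Strimzi does not expose ZooKeeper directly, as far as I can tell from `zkTunnelService`). Removing `kafkaBootstrap`, `saslMechanism` and `kafkaInternalPort` from `global` here is what forces the hard-coded values in the properties file and statefulset of this same change.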
@@ -27,15 +27,11 @@ "sdcConfiguration":{ "parameterClassName":"org.onap.policy.distribution.reception.handling.sdc.SdcReceptionHandlerConfigurationParameterGroup", "parameters":{ - "asdcAddress": "sdc-be.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 8443 8080 }}", - "messageBusAddress": [ - "message-router.{{ include "common.namespace" . }}" - ], + "sdcAddress": "sdc-be.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 8443 8080 }}", "user": "multicloud", "password": "Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U", "pollingInterval":20, "pollingTimeout":30, - "consumerId": "multicloud-k8s-id", "artifactTypes": [ "TOSCA_CSAR", "HEAT", @@ -48,13 +44,13 @@ "CLOUD_TECHNOLOGY_SPECIFIC_ARTIFACT", "HELM" ], - "consumerGroup": "multicloud-k8s-group", + "consumerGroup": "{{ .Values.config.kafka.sdcTopic.consumerGroup }}", + "consumerId": "{{ .Values.config.kafka.sdcTopic.clientId }}", "environmentName": "AUTO", "keystorePath": "null", "keystorePassword": "null", "activeserverTlsAuth": false, "isFilterinEmptyResources": true, - "isUseHttpsWithDmaap": false, "isUseHttpsWithSDC": {{ (eq "true" (include "common.needTLS" .)) | ternary true false }}, "httpsproxyHost": "null", "httpproxyHost": "null", diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml index c9912ffd17..45494e1730 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml 
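Review bot: The rewired SDC client still carries `"password": "Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U"` as a literal in this ConfigMap-mounted `config.json`, directly under the renamed `sdcAddress`, while the Kafka credential introduced by the same change is injected from a Secret through `SASL_JAAS_CONFIG`. Since the file is being reworked anyway, render the SDC password from the `secrets` metaconfig as well; JSON has no comment syntax, so record the gap in values.yaml with `# sdc password is rendered into a ConfigMap - move to a Secret`. The removed `messageBusAddress`/`isUseHttpsWithDmaap` keys and the `"keystorePath": "null"` string values suggest the parameter-group schema changed with artifactbroker 1.9.0; naming that version in a values comment would help.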
@@ -86,6 +86,13 @@ spec: subPath: config.json - mountPath: /data name: artifact-data + env: + - name: SECURITY_PROTOCOL + value: {{ .Values.config.kafka.securityProtocol }} + - name: SASL_MECHANISM + value: {{ .Values.config.kafka.saslMechanism }} + - name: SASL_JAAS_CONFIG + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "multicloud-k8s-sdc-kafka-secret" "key" "sasl.jaas.config") | indent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/multicloud-k8s-sdc-list-kafka-user.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/multicloud-k8s-sdc-list-kafka-user.yaml new file mode 100644 index 0000000000..7600facb08 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/multicloud-k8s-sdc-list-kafka-user.yaml 
@@ -0,0 +1,36 @@
+{{/*
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaUser
+metadata:
+ name: {{ include "common.release" . }}-{{ .Values.global.multicloudK8sKafkaUser }}
+ labels:
+ strimzi.io/cluster: {{ include "common.release" . }}-strimzi
+spec:
+ authentication:
+ type: {{ .Values.config.kafka.saslMechanism | lower }}
+ authorization:
+ type: {{ .Values.config.kafka.authType }}
+ acls:
+ - resource:
+ type: group
+ name: {{ .Values.config.kafka.sdcTopic.consumerGroup }}
+ operation: All
+ - resource:
+ type: topic
+ patternType: prefix
+ name: {{ .Values.config.kafka.sdcTopic.pattern }}
+ operation: All
diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/secret.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/secret.yaml
new file mode 100644
index 0000000000..bb5091f01a
--- /dev/null
+++ b/kubernetes/multicloud/components/multicloud-k8s/templates/secret.yaml
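Review bot: Both ACL entries grant `operation: All`, so a component that only listens for SDC distribution notifications also receives Write, Delete, Alter and AlterConfigs on every topic under the `SDC-DIST` prefix and on the `multicloud` consumer group. Scope it down to `operation: Read` on the group and `operation: Read` on the topic (Read implies the Describe a consumer needs), adding a separate Write entry only for the specific topic the artifact broker publishes status to, if it does. The `strimzi.io/cluster` label hard-codes `-strimzi` while the user name is taken from `global.multicloudK8sKafkaUser`; a comment should say the suffix must match the umbrella chart's Kafka cluster name.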
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/multicloud/components/multicloud-k8s/values.yaml b/kubernetes/multicloud/components/multicloud-k8s/values.yaml index 36cb701a9b..cae151ae58 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/values.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/values.yaml @@ -18,7 +18,20 @@ global: nodePortPrefixExt: 304 persistence: {} - artifactImage: onap/multicloud/framework-artifactbroker:1.8.1 + artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 + multicloudK8sKafkaUser: mc-k8s-sdc-list-kafka-user + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: multicloud-k8s-sdc-kafka-secret + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate ################################################################# # Application configuration defaults. 
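Review bot: The `secrets` entry falls back to `value: '{{ .Values.config.someConfig }}'`, i.e. the literal `blah` defined in the next hunk's `config.someConfig`, whenever `config.jaasConfExternalSecret` is empty; that value is only supplied by the parent `multicloud` values in this change, so a standalone `multicloud-k8s` deploy silently runs with `sasl.jaas.config=blah` and fails SASL authentication with no pointer to the missing wiring. Give the placeholder a self-describing name and comment, e.g. `# placeholder only: the real sasl.jaas.config is the Strimzi KafkaUser secret named by config.jaasConfExternalSecret`, or fail fast with `required` when it is unset. The same pattern is duplicated in the aai-modelloader values in this change.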
@@ -27,6 +40,17 @@ global: image: onap/multicloud/k8s:0.10.1 pullPolicy: Always +config: + someConfig: blah + kafka: + securityProtocol: SASL_PLAINTEXT + saslMechanism: SCRAM-SHA-512 + authType: simple + sdcTopic: + pattern: SDC-DIST + consumerGroup: multicloud + clientId: multicloud-k8s + # flag to enable debugging - application support required debugEnabled: false diff --git a/kubernetes/multicloud/components/multicloud-starlingx/values.yaml b/kubernetes/multicloud/components/multicloud-starlingx/values.yaml index 1232c3b79a..1fe7775aed 100644 --- a/kubernetes/multicloud/components/multicloud-starlingx/values.yaml +++ b/kubernetes/multicloud/components/multicloud-starlingx/values.yaml @@ -17,7 +17,7 @@ ################################################################# global: nodePortPrefixExt: 304 - artifactImage: onap/multicloud/framework-artifactbroker:1.8.1 + artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 ################################################################# # Application configuration defaults. diff --git a/kubernetes/multicloud/components/multicloud-windriver/values.yaml b/kubernetes/multicloud/components/multicloud-windriver/values.yaml index 33802937cd..a328daedc6 100644 --- a/kubernetes/multicloud/components/multicloud-windriver/values.yaml +++ b/kubernetes/multicloud/components/multicloud-windriver/values.yaml @@ -18,7 +18,7 @@ ################################################################# global: nodePortPrefix: 302 - artifactImage: onap/multicloud/framework-artifactbroker:1.8.1 + artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 persistence: {} ################################################################# diff --git a/kubernetes/multicloud/values.yaml b/kubernetes/multicloud/values.yaml index 9ea62aa98f..21e6a61cf5 100644 --- a/kubernetes/multicloud/values.yaml +++ b/kubernetes/multicloud/values.yaml 
@@ -18,11 +18,12 @@ ################################################################# global: nodePortPrefix: 302 - artifactImage: onap/multicloud/framework-artifactbroker:1.8.1 + artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 prometheus: enabled: false persistence: {} centralizedLoggingEnabled: true + multicloudK8sKafkaUser: mc-k8s-sdc-list-kafka-user ################################################################# # Application configuration defaults. @@ -39,6 +40,8 @@ multicloud-fcaps: logConfigMapNamePrefix: '{{ include "common.release" . }}-multicloud' multicloud-k8s: enabled: true + config: + jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.multicloudK8sKafkaUser }}' multicloud-pike: enabled: true logConfigMapNamePrefix: '{{ include "common.release" . }}-multicloud' diff --git a/kubernetes/onap/resources/environments/core-onap.yaml b/kubernetes/onap/resources/environments/core-onap.yaml index abf2cd1dfa..8a4bb706d9 100644 --- a/kubernetes/onap/resources/environments/core-onap.yaml +++ b/kubernetes/onap/resources/environments/core-onap.yaml @@ -16,7 +16,7 @@ # This override file is used to deploy a core configuration. It is based on # minimal-onap.yaml and Orange accomplishments [1][2][3]. # It includes the following components: -# AAI, DMAAP, SDC, SDNC, SO (+ Cassandra) +# AAI, DMAAP Message Router, SDC, SDNC, SO (+ Cassandra), STRIMZI Kafka # # Minimal resources are also reviewed for the various containers # AAI: no override => to be fixed @@ -75,6 +75,14 @@ holmes: enabled: false dmaap: enabled: true + message-router: + enabled: true + dmaap-bc: + enabled: false + dmaap-dr-prov: + enabled: false + dmaap-dr-node: + enabled: false log: enabled: false mariadb-galera: 
@@ -126,6 +134,16 @@ so:
openStackKeyStoneUrl: "$OPENSTACK_KEYSTONE_URL"
openStackServiceTenantName: "$OPENSTACK_TENANT_NAME"
openStackEncryptedPasswordHere: "$OPENSTACK_ENCRYPTED_PASSWORD"
+strimzi:
+ enabled: true
+ replicaCount: 2
+ persistence:
+ kafka:
+ size: 1Gi
+ zookeeper:
+ size: 500Mbi
+ strimzi-kafka-bridge:
+ enabled: false
uui:
enabled: false
vid:
diff --git a/kubernetes/onap/resources/environments/dev.yaml b/kubernetes/onap/resources/environments/dev.yaml
index e2971f70cc..2caad2d530 100644
--- a/kubernetes/onap/resources/environments/dev.yaml
+++ b/kubernetes/onap/resources/environments/dev.yaml
@@ -137,6 +137,8 @@ so:
mariadb:
config:
mariadbRootPassword: password
+strimzi:
+ enabled: false
uui:
enabled: false
vfc:
diff --git a/kubernetes/onap/resources/environments/disable-allcharts.yaml b/kubernetes/onap/resources/environments/disable-allcharts.yaml
index 092dc1ab9b..43aa4c8c05 100644
--- a/kubernetes/onap/resources/environments/disable-allcharts.yaml
+++ b/kubernetes/onap/resources/environments/disable-allcharts.yaml
@@ -77,6 +77,8 @@ sdnc:
enabled: false
so:
enabled: false
+strimzi:
+ enabled: false
uui:
enabled: false
vfc:
diff --git a/kubernetes/onap/resources/environments/minimal-onap.yaml b/kubernetes/onap/resources/environments/minimal-onap.yaml
index 12cccfb9e8..7bfa258e5a 100644
--- a/kubernetes/onap/resources/environments/minimal-onap.yaml
+++ b/kubernetes/onap/resources/environments/minimal-onap.yaml
@@ -16,7 +16,7 @@
# This override file is used to deploy a minimal configuration to
# onboard and deploy a VNF.
# It includes the following components:
-# A&AI, Cassandra, DMAAP, Portal, Robot, SDC, SDNC, SO, VID
+# A&AI, Cassandra, DMAAP Message Router, Portal, Robot, SDC, SDNC, SO, STRIMZI Kafka, VID
#
# Minimal resources are also reviewed for the various containers
# A&AI: no override => to be fixed
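Review bot: `size: 500Mbi` under `strimzi.persistence.zookeeper` is not a valid Kubernetes resource quantity (binary suffixes are `Ki`, `Mi`, `Gi`, …), so the ZooKeeper PVC template will be rejected by the API server and the Strimzi cluster never comes up in the core profile. Change it to `size: 500Mi`. The same typo appears in minimal-onap.yaml in this change.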
@@ -70,6 +70,14 @@ holmes: enabled: false dmaap: enabled: true + message-router: + enabled: true + dmaap-bc: + enabled: false + dmaap-dr-prov: + enabled: false + dmaap-dr-node: + enabled: false log: enabled: false mariadb-galera: @@ -170,6 +178,16 @@ so: openStackKeyStoneUrl: "$OPENSTACK_KEYSTONE_URL" openStackServiceTenantName: "$OPENSTACK_TENANT_NAME" openStackEncryptedPasswordHere: "$OPENSTACK_ENCRYPTED_PASSWORD" +strimzi: + enabled: true + replicaCount: 1 + persistence: + kafka: + size: 1Gi + zookeeper: + size: 500Mbi + strimzi-kafka-bridge: + enabled: false uui: enabled: false vid: diff --git a/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml b/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml index 6686e160e5..506dd4f7fe 100644 --- a/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml +++ b/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml @@ -102,6 +102,14 @@ holmes: enabled: false dmaap: enabled: true + message-router: + enabled: true + dmaap-bc: + enabled: false + dmaap-dr-prov: + enabled: false + dmaap-dr-node: + enabled: false log: enabled: true sniro-emulator: @@ -161,6 +169,10 @@ so: openStackServiceTenantName: "service" openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e" +strimzi: + enabled: true + strimzi-kafka-bridge: + enabled: false uui: enabled: true vfc: diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml index 3f2854efd7..c78ac8abd2 100644 --- a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml @@ -19,6 +19,8 @@ global: ingress: enabled: true + # enable all component's Ingress interfaces + enable_all: true # All http requests via ingress will be redirected config: ssl: "redirect" 
@@ -112,6 +114,14 @@ holmes: enabled: true dmaap: enabled: true + message-router: + enabled: true + dmaap-bc: + enabled: true + dmaap-dr-prov: + enabled: true + dmaap-dr-node: + enabled: true oof: enabled: true msb: @@ -134,6 +144,8 @@ so: enabled: true strimzi: enabled: true + strimzi-kafka-bridge: + enabled: true uui: enabled: true vfc: diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml index 54e2cf3c4f..9a090c1a41 100644 --- a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml @@ -19,6 +19,7 @@ global: ingress: enabled: true + enable_all: true addTestingComponents: &testing true centralizedLoggingEnabled: ¢ralizedLogging false cassandra: @@ -61,6 +62,14 @@ holmes: enabled: true dmaap: enabled: true + message-router: + enabled: true + dmaap-bc: + enabled: true + dmaap-dr-prov: + enabled: true + dmaap-dr-node: + enabled: true oof: enabled: true msb: @@ -83,6 +92,8 @@ so: enabled: true strimzi: enabled: true + strimzi-kafka-bridge: + enabled: true uui: enabled: true vfc: diff --git a/kubernetes/onap/resources/overrides/onap-all.yaml b/kubernetes/onap/resources/overrides/onap-all.yaml index 849b55f0a9..aeac83f7ef 100644 --- a/kubernetes/onap/resources/overrides/onap-all.yaml +++ b/kubernetes/onap/resources/overrides/onap-all.yaml @@ -99,6 +99,14 @@ holmes: enabled: true dmaap: enabled: true + message-router: + enabled: true + dmaap-bc: + enabled: true + dmaap-dr-prov: + enabled: true + dmaap-dr-node: + enabled: true oof: enabled: true msb: @@ -121,6 +129,8 @@ so: enabled: true strimzi: enabled: true + strimzi-kafka-bridge: + enabled: true uui: enabled: true vfc: diff --git a/kubernetes/onap/resources/overrides/onap-vfw.yaml b/kubernetes/onap/resources/overrides/onap-vfw.yaml index 053f56e00f..fc0c94de24 100644 --- a/kubernetes/onap/resources/overrides/onap-vfw.yaml 
+++ b/kubernetes/onap/resources/overrides/onap-vfw.yaml @@ -37,6 +37,14 @@ holmes: enabled: true dmaap: enabled: true + message-router: + enabled: true + dmaap-bc: + enabled: false + dmaap-dr-prov: + enabled: false + dmaap-dr-node: + enabled: false log: enabled: true oof: @@ -57,5 +65,7 @@ so: enabled: true strimzi: enabled: true + strimzi-kafka-bridge: + enabled: false vid: enabled: true diff --git a/kubernetes/onap/resources/overrides/sm-onap.yaml b/kubernetes/onap/resources/overrides/sm-onap.yaml index b4d928b089..1d3b2eb5c9 100644 --- a/kubernetes/onap/resources/overrides/sm-onap.yaml +++ b/kubernetes/onap/resources/overrides/sm-onap.yaml @@ -20,7 +20,8 @@ # # Minimal resources are also reviewed for the various containers # AAI: no override => to be fixed -# DMAAP: no override # SO: no override +# DMAAP: no override +# SO: no override # SDC: new values # SDNC: no override # @@ -82,6 +83,16 @@ cps: enabled: false dcaegen2-services: enabled: false +dmaap: + enabled: true + message-router: + enabled: true + dmaap-bc: + enabled: true + dmaap-dr-prov: + enabled: true + dmaap-dr-node: + enabled: true holmes: enabled: false log: @@ -137,6 +148,8 @@ so: openStackEncryptedPasswordHere: "$OPENSTACK_ENCRYPTED_PASSWORD" strimzi: enabled: true + strimzi-kafka-bridge: + enabled: true uui: enabled: false vid: @@ -147,7 +160,4 @@ vnfsdk: enabled: false cds: enabled: true -dmaap: - enabled: true - dmaap-bc: - enabled: false + diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index 8a6af16c17..bdbf5ab323 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml 
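Review bot: The relocated `dmaap` block in sm-onap.yaml flips `dmaap-bc` from `enabled: false` (the lines removed at the end of the file) to `enabled: true` and additionally enables `dmaap-dr-prov` and `dmaap-dr-node`, while the other reduced profiles touched by this commit (core-onap, minimal-onap, onap-vfw) keep those three sub-charts disabled. If that is intended for this profile a short comment such as `# bus controller and data router are kept on in this profile` would spare the next reader the diff archaeology; if not, `enabled: false` for the three sub-charts restores the previous footprint. The last hunk also adds a trailing empty line at end of file, which most YAML linters flag.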
@@ -146,9 +146,26 @@ global: # Global ingress configuration ingress: + # generally enable ingress for ONAP components enabled: false + # enable all component's Ingress interfaces + enable_all: false + # default Ingress base URL + # can be overwritten in component vy setting ingress.baseurlOverride virtualhost: baseurl: "simpledemo.onap.org" + # All http requests via ingress will be redirected on Ingress controller + # only valid for Istio Gateway (ServiceMesh enabled) + config: + ssl: "redirect" + # you can set an own Secret containing a certificate + # only valid for Istio Gateway (ServiceMesh enabled) + # tls: + # secret: 'my-ingress-cert' + + # optional: Namespace of the Istio IngressGateway + # only valid for Istio Gateway (ServiceMesh enabled) + namespace: istio-ingress # Global Service Mesh configuration # POC Mode, don't use it in production @@ -303,9 +320,17 @@ holmes: enabled: false dmaap: enabled: false + message-router: + enabled: false + dmaap-bc: + enabled: false + dmaap-dr-prov: + enabled: false + dmaap-dr-node: + enabled: false # Today, "logging" chart that perform the central part of logging must also be # enabled in order to make it work. So `logging.enabled` must have the same -# value than centralizedLoggingEnabled +# value as centralizedLoggingEnabled log: enabled: *centralizedLogging sniro-emulator: @@ -370,8 +395,22 @@ so: # server: # monitoring: # password: demo123456! + strimzi: enabled: false + # Kafka replication & disk storage should be dimensioned + # according to each given system use case. + replicaCount: 3 + persistence: + kafka: + size: 10Gi + zookeeper: + size: 1Gi + # Strimzi kafka bridge is an optional http api towards + # kafka provided by https://strimzi.io/docs/bridge/latest/ + strimzi-kafka-bridge: + enabled: false + uui: enabled: false vfc: @@ -386,7 +425,6 @@ platform: enabled: false a1policymanagement: enabled: false - cert-wrapper: enabled: true repository-wrapper: 
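Review bot: The new comment in the `ingress` block of kubernetes/onap/values.yaml has a typo: `# can be overwritten in component vy setting ingress.baseurlOverride` should read `# can be overwritten in component by setting ingress.baseurlOverride`. In the same hunk the commented-out `tls: secret: 'my-ingress-cert'` example only says it is valid for the Istio gateway; stating where that Secret has to exist (the `namespace: istio-ingress` value just below, if that is indeed the namespace the gateway reads it from) would make the example usable without opening the templates.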
diff --git a/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml b/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml index 348609b8da..dc9a4f2dad 100644 --- a/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml @@ -9,6 +9,9 @@ server: keyStorePassword: ${KEYSTORE_PASSWORD} trustStore: ${TRUSTSTORE} trustStorePassword: ${TRUSTSTORE_PASSWORD} + {{- else }} + ssl: + enabled: false {{- end }} tomcat: max-threads: 50 diff --git a/kubernetes/strimzi/Chart.yaml b/kubernetes/strimzi/Chart.yaml index 57201cff30..4ef20e19d2 100644 --- a/kubernetes/strimzi/Chart.yaml +++ b/kubernetes/strimzi/Chart.yaml @@ -13,16 +13,13 @@ # limitations under the License. apiVersion: v2 -description: ONAP Strimzi kafka +description: ONAP Strimzi Kafka name: strimzi version: 12.0.0 dependencies: - name: common version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator version: ~12.x-0 @@ -30,4 +27,8 @@ dependencies: - name: serviceAccount version: ~12.x-0 repository: '@local' + - name: strimzi-kafka-bridge + version: ~12.x-0 + repository: 'file://components/strimzi-kafka-bridge' + condition: strimzi-kafka-bridge.enabled diff --git a/kubernetes/dmaap/components/dmaap-strimzi/.helmignore b/kubernetes/strimzi/components/strimzi-kafka-bridge/.helmignore index 0f976e9ff3..0f976e9ff3 100644 --- a/kubernetes/dmaap/components/dmaap-strimzi/.helmignore +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/.helmignore diff --git a/kubernetes/dmaap/components/dmaap-strimzi/Chart.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml index ec11510b09..8c290b2cec 100644 --- a/kubernetes/dmaap/components/dmaap-strimzi/Chart.yaml 
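Review bot: The added `{{- else }}` branch sets `server.ssl.enabled: false`, so whenever the enclosing condition is false the SO admin cockpit serves plain HTTP; the `{{- if }}` that decides this starts outside the hunk, so a reader of this template cannot see under which condition TLS is turned off. A comment on the new branch naming the assumption would help, e.g. `# TLS is expected to be provided outside the application in this mode (presumably the service-mesh sidecar); plain HTTP otherwise` — the sidecar part is my guess from the surrounding chart and should be adjusted to the real condition. If the condition can be false in a deployment without a mesh, the plaintext listener deserves a mention in the chart's README.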
+++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml @@ -13,20 +13,11 @@ # limitations under the License. apiVersion: v2 -description: ONAP Dmaap Strimzi Kafka Bridge -name: dmaap-strimzi +description: ONAP Strimzi Kafka Bridge +name: strimzi-kafka-bridge version: 12.0.0 dependencies: - name: common version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 repository: '@local' diff --git a/kubernetes/dmaap/components/dmaap-strimzi/Makefile b/kubernetes/strimzi/components/strimzi-kafka-bridge/Makefile index ef273d0e9b..ef273d0e9b 100644 --- a/kubernetes/dmaap/components/dmaap-strimzi/Makefile +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/Makefile diff --git a/kubernetes/dmaap/components/dmaap-strimzi/templates/dmaap-strimzi-kb.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml index 8dd7eb97cb..3abb04af10 100644 --- a/kubernetes/dmaap/components/dmaap-strimzi/templates/dmaap-strimzi-kb.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml 
@@ -15,23 +15,16 @@ */}} apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaBridge -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - replicas: {{ .Values.kafkaBridgeReplicaCount }} - enableMetrics: false - bootstrapServers: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}:{{ .Values.global.kafkaInternalPort }} + replicas: {{ .Values.replicaCount }} + bootstrapServers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:{{ .Values.config.kafkaInternalPort }} authentication: - type: {{ .Values.global.saslMechanism }} - username: {{ .Values.global.kafkaStrimziAdminUser }} + type: {{ .Values.config.saslMechanism }} + username: {{ .Values.config.strimziKafkaAdminUser }} passwordSecret: - secretName: {{ .Values.global.kafkaStrimziAdminUser }} + secretName: {{ .Values.config.strimziKafkaAdminUser }} password: password + enableMetrics: {{ .Values.config.enableMetrics }} http: - port: {{ .Values.kafkaBridgePort }} + port: {{ .Values.config.port }} diff --git a/kubernetes/dmaap/components/dmaap-strimzi/values.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml index 8e8802d8c5..8a4c4cdc6c 100644 --- a/kubernetes/dmaap/components/dmaap-strimzi/values.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml 
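Review bot: `bootstrapServers` now targets `<release>-strimzi-kafka-bootstrap:{{ .Values.config.kafkaInternalPort }}`, and with the parent default of 9092 that is the `plain` listener, which the Kafka CR in this same commit declares with `tls: false`; SCRAM-SHA-512 protects the password during the handshake, but the bridge's Kafka traffic itself is then unencrypted inside the cluster. The `tls` internal listener on 9093 already exists in the chart, so if the plain path is deliberate (for instance because the service mesh encrypts pod-to-pod traffic, which I cannot confirm from the diff) a comment on the `bootstrapServers` line such as `# plain listener: relies on in-cluster/mesh transport security` would document it; otherwise pointing at 9093 with the cluster CA under `spec.tls.trustedCertificates` is the alternative.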
@@ -16,22 +16,20 @@ # Global configuration defaults. ################################################################# global: - kafkaBootstrap: strimzi-kafka-bootstrap - kafkaStrimziAdminUser: strimzi-kafka-admin - kafkaInternalPort: 9092 - saslMechanism: scram-sha-512 ################################################################# # Application configuration defaults. ################################################################# -kafkaBridgeReplicaCount: 1 -kafkaBridgePort: 8080 +replicaCount: 1 +config: + port: 8080 + enableMetrics: false + # The following config should be set/overridden + # from parent chart kubernetes/strimzi/values.yaml + saslMechanism: parentValue + kafkaInternalPort: parentValue + strimziKafkaAdminUser: parentValue -ingress: - enabled: false - -#Pods Service Account -serviceAccount: - nameOverride: dmaap-strimzi - roles: - - read +# nameOverride is required to avoid duplication +# in pod and service names ie ...-bridge-bridge-{random hex} +nameOverride: strimzi-kafka diff --git a/kubernetes/strimzi/templates/pv-kafka.yaml b/kubernetes/strimzi/templates/pv-kafka.yaml index 616f03e788..efd4902562 100644 --- a/kubernetes/strimzi/templates/pv-kafka.yaml +++ b/kubernetes/strimzi/templates/pv-kafka.yaml @@ -13,4 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{ include "common.replicaPV" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistenceKafka) }} +{{ include "common.replicaPV" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistence.kafka) }} diff --git a/kubernetes/strimzi/templates/pv-zk.yaml b/kubernetes/strimzi/templates/pv-zk.yaml index 60f4ca6e79..2c5a8e3678 100644 --- a/kubernetes/strimzi/templates/pv-zk.yaml +++ b/kubernetes/strimzi/templates/pv-zk.yaml 
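Review bot: The `global:` key in the bridge's values.yaml is left without a value, which YAML parses as null rather than an empty map; Helm expects a table there when it merges the parent's globals into the subchart (I recall it warning and skipping globals when the destination is not a table), so `global: {}` is the safe spelling. The `parentValue` placeholders for `saslMechanism`, `kafkaInternalPort` and `strimziKafkaAdminUser` will render literally into the KafkaBridge CR if the chart is ever templated or installed without its parent; the existing comment could say so explicitly, e.g. `# rendering this chart standalone is not supported: these placeholders are replaced by kubernetes/strimzi/values.yaml`.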
@@ -13,5 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} - -{{ include "common.replicaPV" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistenceZk) }} +{{ include "common.replicaPV" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistence.zookeeper) }} diff --git a/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml b/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml index 2653c6799c..c1bf4b8b14 100644 --- a/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml +++ b/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml @@ -16,14 +16,14 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: - name: {{ .Values.kafkaStrimziAdminUser }} + name: {{ .Values.config.strimziKafkaAdminUser }} labels: strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: - type: {{ .Values.saslMechanism }} + type: {{ .Values.config.saslMechanism }} authorization: - type: simple + type: {{ .Values.config.authType }} acls: - resource: type: group diff --git a/kubernetes/strimzi/templates/strimzi-kafka.yaml b/kubernetes/strimzi/templates/strimzi-kafka.yaml index 03ee56a7a4..b35485f11c 100644 --- a/kubernetes/strimzi/templates/strimzi-kafka.yaml +++ b/kubernetes/strimzi/templates/strimzi-kafka.yaml 
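Review bot: `authorization.type: {{ .Values.config.authType }}` on the KafkaUser takes the same value as the Kafka CR's `authorization.type`, but as far as I know Strimzi's KafkaUser authorization only accepts `simple` (ACL-based), whereas the cluster-level field also accepts `opa`, `keycloak` or `custom`. Sharing one value means that setting `config.authType` to anything other than `simple` yields a valid Kafka CR and a KafkaUser the operator rejects, and the admin user with its ACLs silently never gets created. Either keep `type: simple` on the KafkaUser, or document the constraint next to `authType` in kubernetes/strimzi/values.yaml, e.g. `# only 'simple' is supported while the admin KafkaUser carries ACLs`.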
@@ -15,25 +15,18 @@ */}} apiVersion: kafka.strimzi.io/v1beta2 kind: Kafka -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: kafka: - version: {{ .Values.version }} + version: {{ .Values.config.kafkaVersion }} replicas: {{ .Values.replicaCount }} listeners: - name: plain - port: {{ .Values.kafkaInternalPort }} + port: {{ .Values.config.kafkaInternalPort }} type: internal tls: false authentication: - type: {{ .Values.saslMechanism }} + type: {{ .Values.config.saslMechanism }} - name: tls port: 9093 type: internal @@ -57,9 +50,9 @@ spec: - broker: 2 nodePort: {{ .Values.global.nodePortPrefixExt }}92 authorization: - type: simple + type: {{ .Values.config.authType }} superUsers: - - {{ .Values.kafkaStrimziAdminUser }} + - {{ .Values.config.strimziKafkaAdminUser }} template: pod: securityContext: 
@@ -67,21 +60,21 @@ spec: fsGroup: 0 config: default.replication.factor: {{ .Values.replicaCount }} - min.insync.replicas: {{ .Values.replicaCount }} + min.insync.replicas: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }} offsets.topic.replication.factor: {{ .Values.replicaCount }} + num.partitions: {{ mul .Values.replicaCount 2 }} transaction.state.log.replication.factor: {{ .Values.replicaCount }} - num.partitions: {{ .Values.numPartitions }} - transaction.state.log.min.isr: {{ .Values.replicaCount }} - log.message.format.version: {{ .Values.version }} - inter.broker.protocol.version: {{ .Values.version }} + transaction.state.log.min.isr: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }} + log.message.format.version: {{ .Values.config.kafkaVersion }} + inter.broker.protocol.version: {{ .Values.config.kafkaVersion }} storage: type: jbod volumes: - id: 0 type: persistent-claim - size: {{ .Values.persistenceKafka.size }} + size: {{ .Values.persistence.kafka.size }} deleteClaim: true - class: {{ include "common.storageClass" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistenceKafka) }} + class: {{ include "common.storageClass" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistence.kafka) }} zookeeper: template: pod: @@ -97,9 +90,9 @@ spec: {{- end }} storage: type: persistent-claim - size: {{ .Values.persistenceZk.size }} + size: {{ .Values.persistence.zookeeper.size }} deleteClaim: true - class: {{ include "common.storageClass" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistenceZk) }} + class: {{ include "common.storageClass" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistence.zookeeper) }} entityOperator: topicOperator: {} userOperator: {} diff --git a/kubernetes/strimzi/values.yaml b/kubernetes/strimzi/values.yaml index 99ccde5040..e6da1d55db 100644 --- a/kubernetes/strimzi/values.yaml +++ b/kubernetes/strimzi/values.yaml 
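Review bot: `min.insync.replicas` and `transaction.state.log.min.isr` use `eq 1.0 (.Values.replicaCount)`, which works because values loaded from a YAML file arrive as float64, but as far as I can tell `--set replicaCount=1` on the command line yields an int64 and text/template's `eq` errors on an int/float comparison, so rendering fails in exactly the single-broker case the guard is meant to handle. Sprig's integer helpers coerce both types, so `min.insync.replicas: {{ max 1 (sub .Values.replicaCount 1) }}` (and the same expression for `transaction.state.log.min.isr`) gives identical results for 1, 2 and 3 replicas without the type dependency and can never render 0. A one-line comment on the intent, `# allow one broker to be down while still accepting acks=all writes`, would also help the next reader.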
@@ -19,35 +19,49 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - ################################################################# # Application configuration defaults. ################################################################# replicaCount: 3 -numPartitions: 10 -kafkaInternalPort: 9092 -saslMechanism: scram-sha-512 -version: 3.2.3 -kafkaStrimziAdminUser: strimzi-kafka-admin -persistence: {} +config: + kafkaVersion: 3.2.3 + authType: simple + saslMechanism: &saslMech scram-sha-512 + kafkaInternalPort: &plainPort 9092 + strimziKafkaAdminUser: &adminUser strimzi-kafka-admin -persistenceKafka: - enabled: true - size: 2Gi - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - mountPath: /dockerdata-nfs - mountSubPath: strimzi-kafka/kafka -persistenceZk: - enabled: true - size: 2Gi - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce +persistence: + enabled: &pvenabled true mountPath: /dockerdata-nfs - mountSubPath: strimzi-kafka/zk + kafka: + enabled: *pvenabled + # default values of 2Gi for dev env. + # Production values should be dimensioned according to requirements. ie >= 10Gi + size: 2Gi + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + mountPath: /dockerdata-nfs + mountSubPath: strimzi-kafka/kafka + zookeeper: + enabled: *pvenabled + size: 1Gi + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + mountPath: /dockerdata-nfs + mountSubPath: strimzi-kafka/zk #Pods Service Account serviceAccount: nameOverride: strimzi-kafka roles: - read + +###################### +# Component overrides +###################### +strimzi-kafka-bridge: + enabled: true + config: + saslMechanism: *saslMech + kafkaInternalPort: *plainPort + strimziKafkaAdminUser: *adminUser
\ No newline at end of file |
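Review bot: The `&saslMech`, `&plainPort`, `&adminUser` and `&pvenabled` anchors are resolved when values.yaml is parsed, so they only tie the defaults together: overriding `config.saslMechanism`, `config.kafkaInternalPort`, `config.strimziKafkaAdminUser` or `persistence.enabled` in an environment file or via `--set` does not flow into `strimzi-kafka-bridge.config.*` or `persistence.kafka.enabled`, and the bridge would then authenticate with the stale mechanism or user. A comment on the anchored keys should say so, e.g. `# anchors only link the defaults; when overriding these, override strimzi-kafka-bridge.config as well`, or the bridge template could read the shared settings from a `global` key so a single override reaches both charts. Note also that `strimzi-kafka-bridge.enabled: true` here differs from the `false` default set in kubernetes/onap/values.yaml; the parent wins in the umbrella deployment, but anyone installing the strimzi chart on its own gets the bridge by default, which is worth a comment.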