diff options
390 files changed, 9340 insertions, 4990 deletions
diff --git a/.gitmodules b/.gitmodules index 08d7aea901..ddad6f6c9a 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,11 +1,11 @@ [submodule "kubernetes/aai"] - path = kubernetes/aai - url = ../aai/oom - branch = master - ignore = dirty + path = kubernetes/aai + url = ../aai/oom + branch = frankfurt + ignore = dirty [submodule "kubernetes/robot"] - path = kubernetes/robot - url = ../testsuite/oom - branch = . - ignore = dirty -
\ No newline at end of file + path = kubernetes/robot + url = ../testsuite/oom + branch = frankfurt + ignore = dirty + diff --git a/docs/cluster.yml b/docs/cluster.yml index d4962d3478..0757e15a28 100644 --- a/docs/cluster.yml +++ b/docs/cluster.yml @@ -144,7 +144,7 @@ ssh_agent_auth: false authorization: mode: rbac ignore_docker_version: false -kubernetes_version: "v1.13.5-rancher1-2" +kubernetes_version: "v1.15.11-rancher1-2" private_registries: - url: nexus3.onap.org:10001 user: docker diff --git a/docs/index.rst b/docs/index.rst index c8048d142e..c933a726fb 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -16,3 +16,4 @@ OOM Documentation Repository oom_cloud_setup_guide.rst release-notes.rst oom_setup_kubernetes_rancher.rst + oom_setup_ingress_controller.rst diff --git a/docs/oom_cloud_setup_guide.rst b/docs/oom_cloud_setup_guide.rst index 9b3e53467c..2c6eb9a5f8 100644 --- a/docs/oom_cloud_setup_guide.rst +++ b/docs/oom_cloud_setup_guide.rst @@ -54,7 +54,7 @@ The versions of Kubernetes that are supported by OOM are as follows: casablanca 1.11.5 2.9.1 1.11.5 17.03.x dublin 1.13.5 2.12.3 1.13.5 18.09.5 el alto 1.15.2 2.14.2 1.15.2 18.09.x - frankfurt 1.15.9 2.16.3 1.15.9 18.09.x + frankfurt 1.15.9 2.16.6 1.15.11 18.09.x ============== =========== ====== ======== ======== Minimum Hardware Configuration diff --git a/docs/oom_hardcoded_certificates.rst b/docs/oom_hardcoded_certificates.rst index 7706f2cd2d..9cf11c5b26 100644 --- a/docs/oom_hardcoded_certificates.rst +++ b/docs/oom_hardcoded_certificates.rst @@ -30,6 +30,12 @@ Here's the list of these certificates: +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ | APPC | Yes | No | No | kubernetes/appc/resources/config/certs/org.onap.appc.p12 | +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ + | certInitializer | Yes | No | No | kubernetes/common/certInitializer/resources | + +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ + | MSB | Yes | No? | Yes | kubernetes/msb/resources/config/certificates | + +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ + | MUSIC | Yes | No? | No? | kubernetes/common/music/charts/music/resources/keys/ | + +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ | SDC | Yes | No? | No? | kubernetes/sdc/resources/cert | +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ | SO | Yes | No? | Yes | kubernetes/so/resources/config/certificates | diff --git a/docs/oom_quickstart_guide.rst b/docs/oom_quickstart_guide.rst index 565c43f467..364f14e923 100644 --- a/docs/oom_quickstart_guide.rst +++ b/docs/oom_quickstart_guide.rst @@ -193,6 +193,10 @@ All override files may be customized (or replaced by other overrides) as per nee `onap-all.yaml` Enables the modules in the ONAP deployment. As ONAP is very modular, it is possible to customize ONAP and disable some components through this configuration file. +`onap-all-ingress-nginx-vhost.yaml` + Alternative version of the `onap-all.yaml` but with global ingress controller enabled. It requires the cluster configured with the nginx ingress controller and load balancer. + Please use this file instad `onap-all.yaml` if you want to use experimental ingress controller feature. + `environment.yaml` Includes configuration values specific to the deployment environment. diff --git a/docs/oom_setup_ingress_controller.rst b/docs/oom_setup_ingress_controller.rst new file mode 100644 index 0000000000..a4abc2b390 --- /dev/null +++ b/docs/oom_setup_ingress_controller.rst @@ -0,0 +1,159 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2020, Samsung Electronics + +.. Links +.. _HELM Best Practices Guide: https://docs.helm.sh/chart_best_practices/#requirements +.. _kubectl Cheat Sheet: https://kubernetes.io/docs/reference/kubectl/cheatsheet/ +.. _Kubernetes documentation for emptyDir: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir +.. _metallb Metal Load Balancer installation: https://metallb.universe.tf/installation/ +.. _http://cd.onap.info:30223/mso/logging/debug: http://cd.onap.info:30223/mso/logging/debug +.. _Onboarding and Distributing a Vendor Software Product: https://wiki.onap.org/pages/viewpage.action?pageId=1018474 +.. _README.md: https://gerrit.onap.org/r/gitweb?p=oom.git;a=blob;f=kubernetes/README.md + +.. figure:: oomLogoV2-medium.png + :align: right + +.. _onap-on-kubernetes-with-rancher: + + +Ingress controller setup on HA Kubernetes Cluster +################################################# + +This guide provides instruction how to setup experimental ingress controller feature. +For this, we are hosting our cluster on OpenStack VMs and using the Rancher Kubernetes Engine (RKE) +to deploy and manage our Kubernetes Cluster and ingress controller + +.. contents:: + :depth: 1 + :local: +.. + +The result at the end of this tutorial will be: + +#. Customization of the cluster.yaml file for ingress controller support + +#. Installation and configuration test DNS server for ingress host resolution on testing machines + +#. Instalation and configuration MLB (Metal Load Balancer) required for exposing ingress service + +#. Instalation and configuration NGINX ingress controller + +#. Additional info howto deploy onap with services exposed via Ingress controller + +Customize cluster.yml file +=========================== +Before setup cluster for ingress purposes DNS cluster IP and ingress provider should be configured and follwing: + +.. code-block:: yaml + <...> + restore: + restore: false + snapshot_name: "" + ingress: + provider: none + dns: + provider: coredns + upstreamnameservers: + - <custer_dns_ip>:31555 + +Where the <cluster_dns_ip> should be set to the same IP as the CONTROLPANE node. + +For external load balacer purposes minimum one of the worker node should be configured with external IP +address accessible outside the cluster. It can be done using the following example node configuration: + +.. code-block:: yaml + <...> + - address: <external_ip> + internal_address: <internal_ip> + port: "22" + role: + - worker + hostname_override: "onap-worker-0" + user: ubuntu + ssh_key_path: "~/.ssh/id_rsa" + <...> + +Where the <external_ip> is external worker node IP address, and <internal_ip> is internal node IP address if it is required + + + +DNS server configuration and instalation +======================== +DNS server deployed on the Kubernetes cluster makes it easy to use services exposed through ingress controller because it +resolves all subdomain related to the onap cluster to the load balancer IP. +Testing ONAP cluster requires a lot of entries on the target machines in the /etc/hosts. +Adding many entries into the configuration files on testing machines is quite problematic and error prone. +The better wait is to create central DNS server with entries for all virtual host pointed to simpledemo.onap.org and add custom DNS server as a target DNS server for testing machines and/or as external DNS for kubernetes cluster. + +DNS server has automatic instalation and configuration script, so instalation is quite easy:: + + > cd kubernetes/contrib/dns-server-for-vhost-ingress-testing + + > ./deploy\_dns.sh + +After DNS deploy you need to setup DNS entry on the target testing machine. +Because DNS listen on non standard port configuration require iptables rules +on the target machine. Please follow the configuation proposed by the deploy scripts +Example output depends on the IP address and example output looks like bellow:: + + + DNS server already deployed: + 1. You can add the DNS server to the target machine using following commands: + sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination 10.10.13.14:31555 + sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination 10.10.13.14:31555 + sudo sysctl -w net.ipv4.conf.all.route_localnet=1 + sudo sysctl -w net.ipv4.ip_forward=1 + 2. Update /etc/resolv.conf file with nameserver 192.168.211.211 entry on your target machine + + +MetalLB Load Balancer instalation and configuration +==================================================== + +By default pure Kubernetes cluster requires external load balancer if we want to expose +external port using LoadBalancer settings. For this purpose MetalLB can be used. +Before installing the MetalLB you need to ensure that at least one worker has assigned IP acessible outside the cluster. + +MetalLB Load balanancer can be easily installed using automatic install script:: + + > cd kubernetes/contrib/metallb-loadbalancer-inst + + > ./install-metallb-on-cluster.sh + + +Configuration NGINX ingress controller +======================================= + +After installation DNS server and ingress controller we can install and configure ingress controller. +It can be done using the following commands:: + + > cd kubernetes/contrib/ingress-nginx-post-inst + + > kubectl apply -f nginx_ingress_cluster_config.yaml + + > kubectl apply -f nginx_ingress_enable_optional_load_balacer_service.yaml + +After deploy NGINX ingress controller you can ensure that the ingress port is exposed as load balancer service +with external IP address:: + + > kubectl get svc -n ingress-nginx + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + default-http-backend ClusterIP 10.10.10.10 <none> 80/TCP 25h + ingress-nginx LoadBalancer 10.10.10.11 10.12.13.14 80:31308/TCP,443:30314/TCP 24h + + +ONAP with ingress exposed services +===================================== +If you want to deploy onap with services exposed through ingress controller you can use full onap deploy script:: + > onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml + +Ingress also can be enabled on any onap setup override using following code: + +.. code-block:: yaml + <...> + #ingress virtualhost based configuration + global: + <...> + ingress: + enabled: true + diff --git a/docs/oom_setup_kubernetes_rancher.rst b/docs/oom_setup_kubernetes_rancher.rst index 1b5d6d1985..428fa59a4e 100644 --- a/docs/oom_setup_kubernetes_rancher.rst +++ b/docs/oom_setup_kubernetes_rancher.rst @@ -267,16 +267,12 @@ Configure Rancher Kubernetes Engine (RKE) Install RKE ----------- Download and install RKE on a VM, desktop or laptop. -Binaries can be found here for Linux and Mac: https://github.com/rancher/rke/releases/tag/v0.2.1 +Binaries can be found here for Linux and Mac: https://github.com/rancher/rke/releases/tag/v1.0.6 RKE requires a *cluster.yml* as input. An example file is show below that describes a Kubernetes cluster that will be mapped onto the OpenStack VMs created earlier in this guide. -Example: **cluster.yml** - -.. image:: images/rke/rke_1.png - Click :download:`cluster.yml <cluster.yml>` to download the configuration file. @@ -341,8 +337,8 @@ Install Kubectl Download and install kubectl. Binaries can be found here for Linux and Mac: -https://storage.googleapis.com/kubernetes-release/release/v1.15.2/bin/linux/amd64/kubectl -https://storage.googleapis.com/kubernetes-release/release/v1.15.2/bin/darwin/amd64/kubectl +https://storage.googleapis.com/kubernetes-release/release/v1.15.11/bin/linux/amd64/kubectl +https://storage.googleapis.com/kubernetes-release/release/v1.15.11/bin/darwin/amd64/kubectl You only need to install kubectl where you'll launch kubernetes command. This can be any machines of the kubernetes cluster or a machine that has IP access @@ -388,9 +384,9 @@ Install Helm Example Helm client install on Linux:: - > wget http://storage.googleapis.com/kubernetes-helm/helm-v2.14.2-linux-amd64.tar.gz + > wget https://get.helm.sh/helm-v2.16.6-linux-amd64.tar.gz - > tar -zxvf helm-v2.14.2-linux-amd64.tar.gz + > tar -zxvf helm-v2.16.6-linux-amd64.tar.gz > sudo mv linux-amd64/helm /usr/local/bin/helm diff --git a/docs/oom_user_guide.rst b/docs/oom_user_guide.rst index b0c5d6e49e..7340ddf7fd 100644 --- a/docs/oom_user_guide.rst +++ b/docs/oom_user_guide.rst @@ -404,6 +404,7 @@ below:: 10.12.6.155 msb.api.simpledemo.onap.org 10.12.6.155 clamp.api.simpledemo.onap.org 10.12.6.155 so.api.simpledemo.onap.org + 10.12.6.155 sdc.workflow.plugin.simpledemo.onap.org Ensure you've disabled any proxy settings the browser you are using to access the portal and then simply access now the new ssl-encrypted URL: diff --git a/docs/release-notes.rst b/docs/release-notes.rst index 899ad2c11b..41e42b5cc4 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -5,14 +5,66 @@ .. reserved. .. _release_notes: -.. Links -.. _release-notes-label: - ONAP Operations Manager Release Notes ===================================== +Version 6.0.0 (Frankfurt Release) +--------------------------------- + +:Release Date: 2020-xx-xx + +Summary +------- + +The focus of this release is to strengthen the foundation of OOM installer. +A list of issues resolved in this release can be found here: https://jira.onap.org/projects/OOM/versions/10826 + +**Software Requirements** + +* Upgraded to Kubernetes 1.15.x and Helm 2.16.x + +**Hardcoded Password removal** + +* All mariadb galera password are not hardcoded + +**New Features** + +* Ingress deployment is getting more and more usable +* Use of dynamic Persistent Volume is available + +**Bug Fixes** + +**Known Issues** + +The following known issues will be addressed in a future release: + +* [`OOM-2075 <https://jira.onap.org/browse/OOM-2075>`_] - https://jira.onap.org/browse/OOM-2075 + +**Security Notes** + +*Fixed Security Issues* + +* In default deployment OOM (consul-server-ui) exposes HTTP port 30270 outside of cluster. [`OJSI-134 <https://jira.onap.org/browse/OJSI-134>`_] +* CVE-2019-12127 - OOM exposes unprotected API/UI on port 30270 [`OJSI-202 <https://jira.onap.org/browse/OJSI-202>`_] + +*Known Security Issues* + +* Hard coded password used for all oom deployments [`OJSI-188 <https://jira.onap.org/browse/OJSI-188>`_] + +*Known Vulnerabilities in Used Modules* + +OOM code has been formally scanned during build time using NexusIQ and no +Critical vulnerability was found. + +Quick Links: + + - `OOM project page <https://wiki.onap.org/display/DW/ONAP+Operations+Manager+Project>`_ + + - `Passing Badge information for OOM <https://bestpractices.coreinfrastructure.org/en/projects/1631>`_ + + Version 5.0.1 (El Alto Release) ----------------------------------- +------------------------------- :Release Date: 2019-10-10 @@ -62,22 +114,6 @@ Quick Links: - `Passing Badge information for OOM <https://bestpractices.coreinfrastructure.org/en/projects/1631>`_ -Version 6.0.0 (Frankfurt) ----------------------------------- - -:Release Date: 2020-05-14 - -Summary -------- - -**Software Requirements** - -* Upgraded to Kubernetes 1.15.x and Helm 2.16.x - -**Hardcoded Password removal** - -* All mariadb galera password are not hardcoded - Version 5.0.0 (El Alto Early Drop) ---------------------------------- diff --git a/kubernetes/Makefile b/kubernetes/Makefile index 7150f10c1f..ee9e8d980b 100644 --- a/kubernetes/Makefile +++ b/kubernetes/Makefile @@ -28,9 +28,9 @@ endif SUBMODS := robot aai EXCLUDES := config oneclick readiness test dist helm $(PARENT_CHART) dcae $(SUBMODS) -HELM_CHARTS := $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.))) $(PARENT_CHART) +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) $(PARENT_CHART) -.PHONY: $(EXCLUDES) $(HELM_CHARTS) $(SUBMODS) +.PHONY: $(EXCLUDES) $(HELM_CHARTS) all: $(COMMON_CHARTS_DIR) $(SUBMODS) $(HELM_CHARTS) plugins diff --git a/kubernetes/aaf/charts/aaf-cass/templates/deployment.yaml b/kubernetes/aaf/charts/aaf-cass/templates/deployment.yaml index eb785e2d9b..309a9f38c6 100644 --- a/kubernetes/aaf/charts/aaf-cass/templates/deployment.yaml +++ b/kubernetes/aaf/charts/aaf-cass/templates/deployment.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,23 +13,14 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - replicas: {{ .Values.global.aaf.cass.replicas }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - name: fix-permission @@ -37,47 +29,38 @@ spec: args: - -c - | - chmod -R 775 /opt/app/aaf/status chown -R 1000:1000 /opt/app/aaf/status - chmod -R 775 /var/lib/cassandra chown -R 1000:1000 /var/lib/cassandra image: "{{ .Values.global.busyboxRepository }}/{{ .Values.global.busyboxImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: - - mountPath: /opt/app/aaf/status - name: aaf-status-vol - mountPath: /var/lib/cassandra name: aaf-cass-vol + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 30m + memory: 100Mi containers: - name: {{ include "common.name" . }} - image: {{ .Values.global.repository }}/{{.Values.global.aaf.cass.image}} + image: {{ include "common.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} # installing with cmd "onap" will not only initialize the DB, but add ONAP bootstrap data as well command: ["/bin/bash","/opt/app/aaf/cass_init/cmd.sh","onap"] - lifecycle: - preStop: - exec: - command: ["/bin/sh","-c","rm /opt/app/aaf/status/aaf-cass"] - ports: - - name: storage - containerPort: {{.Values.global.aaf.cass.storage_port}} - - name: ssl-storage - containerPort: {{.Values.global.aaf.cass.ssl_storage_port}} - - name: native-trans - containerPort: {{.Values.global.aaf.cass.native_trans_port}} - - name: rpc - containerPort: {{.Values.global.aaf.cass.rpc_port}} + ports: {{ include "common.containerPorts" . | nindent 10 }} env: - name: CASSANDRA_CLUSTER_NAME - value: {{.Values.global.aaf.cass.cluster_name}} + value: {{ .Values.config.cluster_name }} - name: CASSANDRA_DC - value: {{.Values.global.aaf.cass.dc}} + value: {{ .Values.config.dc }} - name: CQLSH value: "/opt/cassandra/bin/cqlsh" - name: HEAP_NEWSIZE - value: {{.Values.global.aaf.cass.heap_new_size}} + value: {{ .Values.config.heap_new_size }} - name: MAX_HEAP_SIZE - value: {{.Values.global.aaf.cass.max_heap_size}} + value: {{ .Values.config.max_heap_size }} - name: MY_POD_NAME valueFrom: fieldRef: @@ -93,44 +76,36 @@ spec: volumeMounts: - mountPath: /var/lib/cassandra name: aaf-cass-vol - - mountPath: /opt/app/aaf/status - name: aaf-status-vol - mountPath: /etc/localtime name: localtime readOnly: true {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{.Values.global.aaf.cass.native_trans_port}} + port: tcp-cql initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: tcpSocket: - port: {{.Values.global.aaf.cass.native_trans_port}} + port: tcp-cql initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} volumes: - name: localtime hostPath: path: /etc/localtime - - name: aaf-status-vol - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-status - name: aaf-cass-vol {{- if .Values.persistence.enabled }} persistentVolumeClaim: - claimName: {{ include "common.fullname" . }}-data + claimName: {{ include "common.fullname" . }} {{- else }} emptyDir: {} {{- end }} diff --git a/kubernetes/aaf/charts/aaf-cass/templates/pv.yaml b/kubernetes/aaf/charts/aaf-cass/templates/pv.yaml index 0f0a30585b..187e9b75de 100644 --- a/kubernetes/aaf/charts/aaf-cass/templates/pv.yaml +++ b/kubernetes/aaf/charts/aaf-cass/templates/pv.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,27 +15,4 @@ # limitations under the License. */}} -{{- if and .Values.global.persistence.enabled (not .Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) }} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-data - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: {{ include "common.release" . }} - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} - storageClassName: "{{ include "common.fullname" . }}-data" -{{- end -}} -{{- end -}} +{{ include "common.PV" . }} diff --git a/kubernetes/aaf/charts/aaf-cass/templates/pvc.yaml b/kubernetes/aaf/charts/aaf-cass/templates/pvc.yaml index 3cc43560e4..e56c98751c 100644 --- a/kubernetes/aaf/charts/aaf-cass/templates/pvc.yaml +++ b/kubernetes/aaf/charts/aaf-cass/templates/pvc.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,26 +15,4 @@ # limitations under the License. */}} -{{- if and .Values.global.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" .}}-data - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.size }} - storageClassName: {{ include "common.storageClass" . }} -{{- end -}} +{{ include "common.PVC" . }} diff --git a/kubernetes/aaf/charts/aaf-cass/templates/service.yaml b/kubernetes/aaf/charts/aaf-cass/templates/service.yaml index d5c615f55d..8f80ee12a2 100644 --- a/kubernetes/aaf/charts/aaf-cass/templates/service.yaml +++ b/kubernetes/aaf/charts/aaf-cass/templates/service.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,38 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -# annotations: -# service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -spec: - type: {{ .Values.service.type }} - ports: - - name: storage - protocol: TCP - port: {{.Values.global.aaf.cass.storage_port}} - containerPort: {{.Values.global.aaf.cass.storage_port}} - - name: ssl-storage - protocol: TCP - port: {{.Values.global.aaf.cass.ssl_storage_port}} - containerPort: {{.Values.global.aaf.cass.ssl_storage_port}} - - name: native-trans - protocol: TCP - port: {{.Values.global.aaf.cass.native_trans_port}} - containerPort: {{.Values.global.aaf.cass.native_trans_port}} - - name: rpc - protocol: TCP - port: {{.Values.global.aaf.cass.rpc_port}} - containerPort: {{.Values.global.aaf.cass.rpc_port}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - clusterIP: None +{{ include "common.service" . }} diff --git a/kubernetes/aaf/charts/aaf-cass/values.yaml b/kubernetes/aaf/charts/aaf-cass/values.yaml index 9f6ec565f4..3d9f21e297 100644 --- a/kubernetes/aaf/charts/aaf-cass/values.yaml +++ b/kubernetes/aaf/charts/aaf-cass/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T +# Modifications © 2020 AT&T, Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +19,7 @@ flavor: small # Application configuration defaults. ################################################################# # application configuration -config: {} +replicaCount: 1 nodeSelector: {} @@ -32,6 +32,15 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true + port: tcp-cql + +image: onap/aaf/aaf_cass:2.1.20 + +config: + cluster_name: osaaf + heap_new_size: 512M + max_heap_size: 1024M + dc: dc1 readiness: initialDelaySeconds: 5 @@ -40,39 +49,36 @@ readiness: service: name: aaf-cass type: ClusterIP - portName: aaf-cass - #targetPort - internalPort: 7000 - #port - externalPort: 7000 - - internalPort2: 7001 - externalPort2: 7001 - internalPort3: 9042 - externalPort3: 9042 - internalPort4: 9160 - externalPort4: 9160 + ports: + - name: tcp-intra + port: 7000 + - name: tls + port: 7001 + - name: tcp-cql + port: 9042 + - name: tcp-thrift + port: 9160 ingress: enabled: false # Configure resource requests and limits resources: - small: - limits: - cpu: 2100m - memory: 1792Mi - requests: - cpu: 30m - memory: 1280Mi - large: - limits: - cpu: 4 - memory: 12000Mi - requests: - cpu: 40m - memory: 9000Mi - unlimited: {} + small: + limits: + cpu: 2100m + memory: 1792Mi + requests: + cpu: 30m + memory: 1280Mi + large: + limits: + cpu: 4 + memory: 12000Mi + requests: + cpu: 40m + memory: 9000Mi + unlimited: {} persistence: enabled: true diff --git a/kubernetes/aaf/charts/aaf-cm/templates/deployment.yaml b/kubernetes/aaf/charts/aaf-cm/templates/deployment.yaml index b823acd3d5..5074c8bc08 100644 --- a/kubernetes/aaf/charts/aaf-cm/templates/deployment.yaml +++ b/kubernetes/aaf/charts/aaf-cm/templates/deployment.yaml @@ -1,4 +1,5 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2017 Amdocs +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,128 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} -spec: - replicas: {{ .Values.global.aaf.cm.replicas }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /opt/app/aaf/status - chown -R 1000:1000 /opt/app/aaf/status - chmod -R 775 /opt/app/osaaf - chown -R 1000:1000 /opt/app/osaaf - image: "{{ .Values.global.busyboxRepository }}/{{ .Values.global.busyboxImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /opt/app/aaf/status - name: aaf-status-vol - - mountPath: /opt/app/osaaf - name: aaf-config-vol - - name: {{ include "common.name" . }}-config-container - image: {{ .Values.global.repository }}/{{.Values.global.aaf.config.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c","cd /opt/app/aaf_config && bin/pod_wait.sh config aaf-service aaf-locate remove && bin/agent.sh"] - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: "/opt/app/aaf/status" - name: aaf-status-vol - env: - - name: aaf_env - value: "{{ .Values.global.aaf.aaf_env }}" - - name: cadi_latitude - value: "{{ .Values.global.aaf.cadi_latitude }}" - - name: cadi_longitude - value: "{{ .Values.global.aaf.cadi_longitude }}" - - name: cadi_x509_issuers - value: "{{ .Values.global.aaf.cadi_x509_issuers }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ .Release.Namespace}}:{{.Values.global.aaf.locate.internal_port}}" - - name: aaf_locator_container - value: "oom" - - name: aaf_release - value: "{{ .Values.global.aaf.aaf_release }}" - - name: aaf_locator_container_ns - value: "{{ .Release.Namespace }}" - - name: aaf_locator_public_fqdn - value: "{{.Values.global.aaf.public_fqdn}}" - - name: aaf_locator_name - value: "{{.Values.global.aaf.aaf_locator_name}}" - - name: aaf_locator_name_oom - value: "{{.Values.global.aaf.aaf_locator_name_oom}}" - - name: cm_always_ignore_ips - value: "true" - - name: CASSANDRA_CLUSTER - value: "{{.Values.global.aaf.cass.fqdn}}.{{ .Release.Namespace }}" -# - name: CASSANDRA_USER -# value: "" -# - name: CASSANDRA_PASSWORD -# value: "" -# - name: CASSANDRA_PORT -# value: "" - containers: - - name: {{ include "common.name" . }} - command: ["/bin/bash","-c","cd /opt/app/aaf && /bin/bash bin/pod_wait.sh aaf-cm aaf-locate && exec bin/cm"] - image: {{ .Values.global.repository }}/{{.Values.global.aaf.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: "/opt/app/aaf/status" - name: aaf-status-vol - - mountPath: /etc/localtime - name: localtime - readOnly: true - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.global.aaf.cm.internal_port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.global.aaf.cm.internal_port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aaf-status-vol - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-status - - name: aaf-config-vol - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-config - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" +{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/charts/aaf-cm/templates/service.yaml b/kubernetes/aaf/charts/aaf-cm/templates/service.yaml index 28462f2edf..e54c4f3057 100644 --- a/kubernetes/aaf/charts/aaf-cm/templates/service.yaml +++ b/kubernetes/aaf/charts/aaf-cm/templates/service.yaml @@ -1,4 +1,5 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2017 Amdocs, Orange +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,22 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: {{ .Values.global.aaf.cm.internal_port }} - nodePort: {{ .Values.global.aaf.cm.public_port }} - name: aaf-cm - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: "NodePort" +{{ include "common.service" . }} diff --git a/kubernetes/aaf/charts/aaf-cm/values.yaml b/kubernetes/aaf/charts/aaf-cm/values.yaml index befbdc191d..c391369db6 100644 --- a/kubernetes/aaf/charts/aaf-cm/values.yaml +++ b/kubernetes/aaf/charts/aaf-cm/values.yaml @@ -19,6 +19,13 @@ flavor: small # Application configuration defaults. ################################################################# # application image +replicaCount: 1 + +binary: cm + +sequence_order: + - service + - locate nodeSelector: {} @@ -26,24 +33,25 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 120 + initialDelaySeconds: 30 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true + port: api readiness: initialDelaySeconds: 5 periodSeconds: 10 + port: api service: name: aaf-cm type: ClusterIP - portName: aaf-cm - #targetPort - internalPort: 8150 - #port - externalPort: 8150 + ports: + - name: api + protocol: http + port: 8150 ingress: enabled: false @@ -52,22 +60,22 @@ ingress: name: "aaf-cm" port: 8150 config: - ssl: "none" + ssl: "redirect" # Configure resource requests and limits resources: - small: - limits: - cpu: 400m - memory: 300Mi - requests: - cpu: 1m - memory: 200Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 40m - memory: 600Mi - unlimited: {} + small: + limits: + cpu: 400m + memory: 300Mi + requests: + cpu: 1m + memory: 200Mi + large: + limits: + cpu: 400m + memory: 1Gi + requests: + cpu: 40m + memory: 600Mi + unlimited: {} diff --git a/kubernetes/aaf/charts/aaf-fs/templates/deployment.yaml b/kubernetes/aaf/charts/aaf-fs/templates/deployment.yaml index 2e8e41e637..c36750809c 100644 --- a/kubernetes/aaf/charts/aaf-fs/templates/deployment.yaml +++ b/kubernetes/aaf/charts/aaf-fs/templates/deployment.yaml @@ -1,4 +1,5 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2017 Amdocs, Orange +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,128 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} -spec: - replicas: {{ .Values.global.aaf.fs.replicas }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /opt/app/aaf/status - chown -R 1000:1000 /opt/app/aaf/status - chmod -R 775 /opt/app/osaaf - chown -R 1000:1000 /opt/app/osaaf - image: "{{ .Values.global.busyboxRepository }}/{{ .Values.global.busyboxImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /opt/app/osaaf - name: aaf-config-vol - - mountPath: /opt/app/aaf/status - name: aaf-status-vol - - name: {{ include "common.name" . }}-config-container - image: {{ .Values.global.repository }}/{{.Values.global.aaf.config.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c","cd /opt/app/aaf_config && bin/pod_wait.sh config aaf-service aaf-locate remove && bin/agent.sh"] - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: "/opt/app/aaf/status" - name: aaf-status-vol - env: - - name: aaf_env - value: "{{ .Values.global.aaf.aaf_env }}" - - name: cadi_latitude - value: "{{ .Values.global.aaf.cadi_latitude }}" - - name: cadi_longitude - value: "{{ .Values.global.aaf.cadi_longitude }}" - - name: cadi_x509_issuers - value: "{{ .Values.global.aaf.cadi_x509_issuers }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ .Release.Namespace}}:{{.Values.global.aaf.locate.internal_port}}" - - name: aaf_locator_container - value: "oom" - - name: aaf_release - value: "{{ .Values.global.aaf.aaf_release }}" - - name: aaf_locator_container_ns - value: "{{ .Release.Namespace }}" - - name: aaf_locator_public_fqdn - value: "{{.Values.global.aaf.public_fqdn}}" - - name: aaf_locator_name - value: "{{.Values.global.aaf.aaf_locator_name}}" - - name: aaf_locator_name_oom - value: "{{.Values.global.aaf.aaf_locator_name_oom}}" - - name: cm_always_ignore_ips - value: "true" - - name: CASSANDRA_CLUSTER - value: "{{.Values.global.aaf.cass.fqdn}}.{{ .Release.Namespace }}" -# - name: CASSANDRA_USER -# value: "" -# - name: CASSANDRA_PASSWORD -# value: "" -# - name: CASSANDRA_PORT -# value: "" - containers: - - name: {{ include "common.name" . }} - command: ["/bin/bash","-c","cd /opt/app/aaf && /bin/bash bin/pod_wait.sh aaf-fs aaf-locate && exec bin/fs"] - image: {{ .Values.global.repository }}/{{.Values.global.aaf.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: "/opt/app/aaf/status" - name: aaf-status-vol - - mountPath: /etc/localtime - name: localtime - readOnly: true - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aaf-status-vol - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-status - - name: aaf-config-vol - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-config - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" +{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/charts/aaf-fs/templates/service.yaml b/kubernetes/aaf/charts/aaf-fs/templates/service.yaml index b81635f74d..e54c4f3057 100644 --- a/kubernetes/aaf/charts/aaf-fs/templates/service.yaml +++ b/kubernetes/aaf/charts/aaf-fs/templates/service.yaml @@ -1,4 +1,5 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2017 Amdocs, Orange +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,22 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: {{ .Values.global.aaf.fs.internal_port }} - nodePort: {{ .Values.global.aaf.fs.public_port }} - name: aaf-hello - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: "NodePort" +{{ include "common.service" . }} diff --git a/kubernetes/aaf/charts/aaf-fs/values.yaml b/kubernetes/aaf/charts/aaf-fs/values.yaml index 4b12bd0deb..6ddc07278b 100644 --- a/kubernetes/aaf/charts/aaf-fs/values.yaml +++ b/kubernetes/aaf/charts/aaf-fs/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T +# Modifications © 2020 AT&T, Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,6 +21,13 @@ flavor: small # application image pullPolicy: Always +replicaCount: 1 + +binary: fs + +sequence_order: + - service + - locate nodeSelector: {} @@ -33,19 +40,20 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true + port: api readiness: initialDelaySeconds: 5 periodSeconds: 10 + port: api service: name: aaf-fs type: ClusterIP - portName: aaf-fs - #targetPort - internalPort: 8096 - #port - externalPort: 8096 + ports: + - name: api + port: 8096 + protocol: http ingress: enabled: false @@ -58,18 +66,18 @@ ingress: # Configure resource requests and limits resources: - small: - limits: - cpu: 200m - memory: 110Mi - requests: - cpu: 1m - memory: 80Mi - large: - limits: - cpu: 500m - memory: 700Mi - requests: - cpu: 100m - memory: 400Mi - unlimited: {} + small: + limits: + cpu: 200m + memory: 110Mi + requests: + cpu: 1m + memory: 80Mi + large: + limits: + cpu: 500m + memory: 700Mi + requests: + cpu: 100m + memory: 400Mi + unlimited: {} diff --git a/kubernetes/aaf/charts/aaf-gui/templates/deployment.yaml b/kubernetes/aaf/charts/aaf-gui/templates/deployment.yaml index cbf68aad37..c36750809c 100644 --- a/kubernetes/aaf/charts/aaf-gui/templates/deployment.yaml +++ b/kubernetes/aaf/charts/aaf-gui/templates/deployment.yaml @@ -1,4 +1,5 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2017 Amdocs, Orange +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,128 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} -spec: - replicas: {{ .Values.global.aaf.gui.replicas }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /opt/app/aaf/status - chown -R 1000:1000 /opt/app/aaf/status - chmod -R 775 /opt/app/osaaf - chown -R 1000:1000 /opt/app/osaaf - image: "{{ .Values.global.busyboxRepository }}/{{ .Values.global.busyboxImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /opt/app/osaaf - name: aaf-config-vol - - mountPath: /opt/app/aaf/status - name: aaf-status-vol - - name: {{ include "common.name" . }}-config-container - image: {{ .Values.global.repository }}/{{.Values.global.aaf.config.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c","cd /opt/app/aaf_config && bin/pod_wait.sh config aaf-service aaf-locate remove && bin/agent.sh"] - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: "/opt/app/aaf/status" - name: aaf-status-vol - env: - - name: aaf_env - value: "{{ .Values.global.aaf.aaf_env }}" - - name: cadi_latitude - value: "{{ .Values.global.aaf.cadi_latitude }}" - - name: cadi_longitude - value: "{{ .Values.global.aaf.cadi_longitude }}" - - name: cadi_x509_issuers - value: "{{ .Values.global.aaf.cadi_x509_issuers }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ .Release.Namespace}}:{{.Values.global.aaf.locate.internal_port}}" - - name: aaf_locator_container - value: "oom" - - name: aaf_release - value: "{{ .Values.global.aaf.aaf_release }}" - - name: aaf_locator_container_ns - value: "{{ .Release.Namespace }}" - - name: aaf_locator_public_fqdn - value: "{{.Values.global.aaf.public_fqdn}}" - - name: aaf_locator_name - value: "{{.Values.global.aaf.aaf_locator_name}}" - - name: aaf_locator_name_oom - value: "{{.Values.global.aaf.aaf_locator_name_oom}}" - - name: cm_always_ignore_ips - value: "true" - - name: CASSANDRA_CLUSTER - value: "{{.Values.global.aaf.cass.fqdn}}.{{ .Release.Namespace }}" -# - name: CASSANDRA_USER -# value: "" -# - name: CASSANDRA_PASSWORD -# value: "" -# - name: CASSANDRA_PORT -# value: "" - containers: - - name: {{ include "common.name" . }} - command: ["/bin/bash","-c","cd /opt/app/aaf && /bin/bash bin/pod_wait.sh aaf-gui aaf-locate && exec bin/gui"] - image: {{ .Values.global.repository }}/{{.Values.global.aaf.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: "/opt/app/aaf/status" - name: aaf-status-vol - - mountPath: /etc/localtime - name: localtime - readOnly: true - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.global.aaf.gui.internal_port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.global.aaf.gui.internal_port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aaf-status-vol - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-status - - name: aaf-config-vol - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-config - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" +{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/charts/aaf-gui/templates/service.yaml b/kubernetes/aaf/charts/aaf-gui/templates/service.yaml index 7dc4468598..e54c4f3057 100644 --- a/kubernetes/aaf/charts/aaf-gui/templates/service.yaml +++ b/kubernetes/aaf/charts/aaf-gui/templates/service.yaml @@ -1,4 +1,5 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2017 Amdocs, Orange +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,22 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: {{ .Values.global.aaf.gui.internal_port }} - nodePort: {{ .Values.global.aaf.gui.public_port }} - name: aaf-gui - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: "NodePort" +{{ include "common.service" . }} diff --git a/kubernetes/aaf/charts/aaf-gui/values.yaml b/kubernetes/aaf/charts/aaf-gui/values.yaml index bc013d07f7..f418fd5b41 100644 --- a/kubernetes/aaf/charts/aaf-gui/values.yaml +++ b/kubernetes/aaf/charts/aaf-gui/values.yaml @@ -20,6 +20,13 @@ flavor: small # application image pullPolicy: Always +replicaCount: 1 + +binary: gui + +sequence_order: + - service + - locate nodeSelector: {} @@ -27,25 +34,26 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 120 + initialDelaySeconds: 30 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true + port: gui readiness: initialDelaySeconds: 5 periodSeconds: 10 + port: gui service: name: aaf-gui type: NodePort - portName: aaf-gui - #targetPort - internalPort: 8200 - #port - externalPort: 8200 - nodePort: 51 + ports: + - name: gui + protocol: http + port: 8200 + nodePort: 51 ingress: enabled: false @@ -54,22 +62,22 @@ ingress: name: "aaf-gui" port: 8200 config: - ssl: "none" + ssl: "redirect" # Configure resource requests and limits resources: - small: - limits: - cpu: 200m - memory: 280Mi - requests: - cpu: 1m - memory: 170Mi - large: - limits: - cpu: 200m - memory: 1Gi - requests: - cpu: 100m - memory: 500Mi - unlimited: {} + small: + limits: + cpu: 200m + memory: 280Mi + requests: + cpu: 1m + memory: 170Mi + large: + limits: + cpu: 200m + memory: 1Gi + requests: + cpu: 100m + memory: 500Mi + unlimited: {} diff --git a/kubernetes/aaf/charts/aaf-hello/templates/aaf-hello-pv.yaml b/kubernetes/aaf/charts/aaf-hello/templates/aaf-hello-pv.yaml deleted file mode 100644 index d2b4f0c76f..0000000000 --- a/kubernetes/aaf/charts/aaf-hello/templates/aaf-hello-pv.yaml +++ /dev/null @@ -1,46 +0,0 @@ -{{- if ne 0 (int .Values.global.aaf.hello.replicas) }} -{{- if and .Values.global.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -######### -## ============LICENSE_START==================================================== -## org.onap.aaf -## =========================================================================== -## Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. -## =========================================================================== -## Licensed under the Apache License, Version 2.0 (the "License"); -## you may not use this file except in compliance with the License. -## You may obtain a copy of the License at -## -## http://www.apache.org/licenses/LICENSE-2.0 -## -## Unless required by applicable law or agreed to in writing, software -## distributed under the License is distributed on an "AS IS" BASIS, -## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -## See the License for the specific language governing permissions and -## limitations under the License. -## ============LICENSE_END==================================================== -## - -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.release" . }}-aaf-hello-pv - namespace: {{ include "common.namespace" . }} - labels: - app: {{ .Chart.Name }}-hello - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: {{ include "common.release" . }} - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} - storageClassName: "{{ include "common.fullname" . }}-data" -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/aaf/charts/aaf-hello/templates/aaf-hello-pvc.yaml b/kubernetes/aaf/charts/aaf-hello/templates/aaf-hello-pvc.yaml deleted file mode 100644 index fc148f63d6..0000000000 --- a/kubernetes/aaf/charts/aaf-hello/templates/aaf-hello-pvc.yaml +++ /dev/null @@ -1,44 +0,0 @@ -{{- if ne 0 (int .Values.global.aaf.hello.replicas) }} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -######### -## ============LICENSE_START==================================================== -## org.onap.aaf -## =========================================================================== -## Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. -## =========================================================================== -## Licensed under the Apache License, Version 2.0 (the "License"); -## you may not use this file except in compliance with the License. -## You may obtain a copy of the License at -## -## http://www.apache.org/licenses/LICENSE-2.0 -## -## Unless required by applicable law or agreed to in writing, software -## distributed under the License is distributed on an "AS IS" BASIS, -## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -## See the License for the specific language governing permissions and -## limitations under the License. -## ============LICENSE_END==================================================== -## -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.release" . }}-aaf-hello-pvc - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.config.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.config.size }} - storageClassName: {{ include "common.storageClass" . }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/aaf/charts/aaf-hello/templates/deployment.yaml b/kubernetes/aaf/charts/aaf-hello/templates/deployment.yaml index 1e120bd0ad..891b829f43 100644 --- a/kubernetes/aaf/charts/aaf-hello/templates/deployment.yaml +++ b/kubernetes/aaf/charts/aaf-hello/templates/deployment.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -11,112 +12,49 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment -metadata: - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - replicas: {{ .Values.global.aaf.hello.replicas }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aaf-hello-vol - {{- if and .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-hello-pvc - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - - name: fix-permission - command: ["/bin/sh","-c","chmod -R 775 /opt/app/osaaf/local && chown -R 1000:1000 /opt/app/osaaf"] - image: "{{ .Values.global.busyboxRepository }}/{{ .Values.global.busyboxImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: "/opt/app/osaaf/local" - name: aaf-hello-vol - - name: {{ include "common.name" . }}-config-container - image: {{ .Values.global.repository }}/{{.Values.aaf_init.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c","cd /opt/app/aaf_config && bin/agent.sh"] -# command: ["bash","-c","cd /opt/app/aaf_config && echo Sleeping && sleep 480"] -# command: ["bash","-c","chown 1000:1000 /opt/app/osaaf && cd /opt/app/aaf_config && sleep 480"] - volumeMounts: - - mountPath: "/opt/app/osaaf/local" - name: aaf-hello-vol - env: - - name: APP_FQI - value: "{{ .Values.aaf_init.fqi }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ .Release.Namespace}}:{{.Values.global.aaf.locate.internal_port}}" - - name: aaf_locator_container - value: "oom" - - name: aaf_locator_container_ns - value: "{{ .Release.Namespace }}" -# This should the APP's FQDN to be put in Locator -# This MUST match what is entered for AAF Certificate Artifacts - - name: aaf_locator_fqdn - value: "{{.Values.aaf_init.fqdn}}" -# Hello specific. Clients don't don't need this, unless Registering with AAF Locator -# This should be the APP's PUBLIC FQDN, if applicable - - name: aaf_locator_public_fqdn - value: "{{.Values.aaf_init.locator_public_fqdn}}" - - name: LATITUDE - value: "{{ .Values.aaf_init.cadi_latitude }}" - - name: LONGITUDE - value: "{{ .Values.aaf_init.cadi_longitude }}" -# Note: We want to put this in Secrets or at LEAST ConfigMaps - - name: "DEPLOY_FQI" - value: "deployer@people.osaaf.org" -# Note: want to put this on Nodes, evenutally - - name: "DEPLOY_PASSWORD" - value: "demo123456!" + initContainers: {{ include "common.aaf-config" (dict "aafRoot" .Values.aaf_init "dot" .) | nindent 6 }} # CONTAINER Definition containers: - name: {{ include "common.name" . }} command: ["bash","-c","cd /opt/app/aaf && if [ ! -d /opt/app/osaaf/etc ]; then cp -Rf etc logs /opt/app/osaaf; fi && exec bin/hello"] - image: {{ .Values.global.repository }}/{{.Values.service.image }} + image: {{ .Values.global.repository }}/{{.Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: "/opt/app/osaaf/local" - name: aaf-hello-vol + ports: {{ include "common.containerPorts" . | nindent 10 }} + volumeMounts: {{ include "common.aaf-config-volume-mountpath" . | nindent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ .Values.service.port }} + port: {{ .Values.liveness.port }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} + {{- end }} readinessProbe: tcpSocket: - port: {{ .Values.service.port }} + port: {{ .Values.readiness.port }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} + volumes: {{ include "common.aaf-config-volumes" (dict "aafRoot" .Values.aaf_init "dot" .) | nindent 6 }} + - name: localtime + hostPath: + path: /etc/localtime + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/charts/aaf-hello/templates/secret.yaml b/kubernetes/aaf/charts/aaf-hello/templates/secret.yaml new file mode 100644 index 0000000000..f8c32e0670 --- /dev/null +++ b/kubernetes/aaf/charts/aaf-hello/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/aaf/charts/aaf-hello/templates/service.yaml b/kubernetes/aaf/charts/aaf-hello/templates/service.yaml index 5ba4f68be9..8f80ee12a2 100644 --- a/kubernetes/aaf/charts/aaf-hello/templates/service.yaml +++ b/kubernetes/aaf/charts/aaf-hello/templates/service.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,22 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: {{ .Values.service.port }} - nodePort: {{ .Values.service.public_port }} - name: aaf-hello - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: "NodePort" +{{ include "common.service" . }} diff --git a/kubernetes/aaf/charts/aaf-hello/values.yaml b/kubernetes/aaf/charts/aaf-hello/values.yaml index 0400dcc1fd..aeb659082d 100644 --- a/kubernetes/aaf/charts/aaf-hello/values.yaml +++ b/kubernetes/aaf/charts/aaf-hello/values.yaml @@ -12,6 +12,8 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +global: + aafEnabled: true flavor: small @@ -22,47 +24,58 @@ flavor: small aaf_init: # You might want this in your own app. For AAF, we store in global # replicas: 1 - image: onap/aaf/aaf_agent:2.1.20 - fqi: "aaf@aaf.osaaf.org" + fqi: aaf@aaf.osaaf.org # This MUST match what is put in AAF's "Artifact" for Certificates - fqdn: "aaf-hello" + fqdn: aaf-hello # What is put in Locator for External Access - locator_public_fqdn: "aaf.osaaf.org" - app_ns: "org.osaaf.aaf" - deploy_fqi: "deployer@people.osaaf.org" + public_fqdn: aaf.osaaf.org cadi_latitude: "38.0" cadi_longitude: "-72.0" + credsPath: /opt/app/osaaf/local + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + secret_uid: &aaf_secret_uid nbi-aaf-deploy-creds + permission_user: 1000 + permission_group: 999 -service: - image: onap/aaf/aaf_hello:2.1.20 - port: "8130" - public_port: "31119" +replicaCount: 0 -persistence: - enabled: false - #existingClaim: - # You will want "Reatan" in non-Hello Example. - volumeReclaimPolicy: Delete - accessMode: ReadWriteMany - size: 40M - mountPath: /dockerdata-nfs - mountSubPath: aaf/hello +image: onap/aaf/aaf_hello:2.1.20 + +service: + name: aaf-hello + type: ClusterIP + ports: + - name: api + protocol: http + port: 8130 nodeSelector: {} affinity: {} +secrets: + - uid: *aaf_secret_uid + type: basicAuth + externalSecret: '{{ ternary (tpl (default "" .Values.aaf_init.aafDeployCredsExternalSecret) .) "aafIsDisabled" .Values.global.aafEnabled }}' + login: '{{ .Values.aaf_init.aafDeployFqi }}' + password: '{{ .Values.aaf_init.aafDeployPass }}' + passwordPolicy: required + # probe configuration parameters liveness: - initialDelaySeconds: 120 + initialDelaySeconds: 30 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true + port: api readiness: initialDelaySeconds: 5 periodSeconds: 10 + port: api ingress: enabled: false @@ -75,18 +88,18 @@ ingress: # Configure resource requests and limits resources: - small: - limits: - cpu: 200m - memory: 500Mi - requests: - cpu: 10m - memory: 200Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 20m - memory: 500Mi - unlimited: {} + small: + limits: + cpu: 200m + memory: 500Mi + requests: + cpu: 10m + memory: 200Mi + large: + limits: + cpu: 400m + memory: 1Gi + requests: + cpu: 20m + memory: 500Mi + unlimited: {} diff --git a/kubernetes/aaf/charts/aaf-locate/templates/deployment.yaml b/kubernetes/aaf/charts/aaf-locate/templates/deployment.yaml index cc7f19176f..5074c8bc08 100644 --- a/kubernetes/aaf/charts/aaf-locate/templates/deployment.yaml +++ b/kubernetes/aaf/charts/aaf-locate/templates/deployment.yaml @@ -1,4 +1,5 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2017 Amdocs +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,128 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} -spec: - replicas: {{ .Values.global.aaf.locate.replicas }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /opt/app/aaf/status - chown -R 1000:1000 /opt/app/aaf/status - chmod -R 775 /opt/app/osaaf - chown -R 1000:1000 /opt/app/osaaf - image: "{{ .Values.global.busyboxRepository }}/{{ .Values.global.busyboxImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /opt/app/aaf/status - name: aaf-status-vol - - mountPath: /opt/app/osaaf - name: aaf-config-vol - - name: {{ include "common.name" . }}-config-container - image: {{ .Values.global.repository }}/{{.Values.global.aaf.config.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c","cd /opt/app/aaf_config && bin/pod_wait.sh config aaf-service remove && bin/agent.sh"] - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: "/opt/app/aaf/status" - name: aaf-status-vol - env: - - name: aaf_env - value: "{{ .Values.global.aaf.aaf_env }}" - - name: cadi_latitude - value: "{{ .Values.global.aaf.cadi_latitude }}" - - name: cadi_longitude - value: "{{ .Values.global.aaf.cadi_longitude }}" - - name: cadi_x509_issuers - value: "{{ .Values.global.aaf.cadi_x509_issuers }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ .Release.Namespace}}:{{.Values.global.aaf.locate.internal_port}}" - - name: aaf_locator_container - value: "oom" - - name: aaf_release - value: "{{ .Values.global.aaf.aaf_release }}" - - name: aaf_locator_container_ns - value: "{{ .Release.Namespace }}" - - name: aaf_locator_public_fqdn - value: "{{.Values.global.aaf.public_fqdn}}" - - name: aaf_locator_name - value: "{{.Values.global.aaf.aaf_locator_name}}" - - name: aaf_locator_name_oom - value: "{{.Values.global.aaf.aaf_locator_name_oom}}" - - name: cm_always_ignore_ips - value: "true" - - name: CASSANDRA_CLUSTER - value: "{{.Values.global.aaf.cass.fqdn}}.{{ .Release.Namespace }}" -# - name: CASSANDRA_USER -# value: "" -# - name: CASSANDRA_PASSWORD -# value: "" -# - name: CASSANDRA_PORT -# value: "" - containers: - - name: {{ include "common.name" . }} - command: ["/bin/bash","-c","cd /opt/app/aaf && /bin/bash bin/pod_wait.sh aaf-locate aaf-service && exec bin/locate"] - image: {{ .Values.global.repository }}/{{.Values.global.aaf.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: "/opt/app/aaf/status" - name: aaf-status-vol - - mountPath: /etc/localtime - name: localtime - readOnly: true - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.global.aaf.locate.internal_port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.global.aaf.locate.internal_port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aaf-status-vol - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-status - - name: aaf-config-vol - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-config - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" +{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/charts/aaf-locate/templates/ingress.yaml b/kubernetes/aaf/charts/aaf-locate/templates/ingress.yaml index 40b4bba0ce..1b33c1f8d1 100644 --- a/kubernetes/aaf/charts/aaf-locate/templates/ingress.yaml +++ b/kubernetes/aaf/charts/aaf-locate/templates/ingress.yaml @@ -1,4 +1,2 @@ {{ include "common.ingress" . }} - - diff --git a/kubernetes/aaf/charts/aaf-locate/templates/service.yaml b/kubernetes/aaf/charts/aaf-locate/templates/service.yaml index 8aead90d29..e54c4f3057 100644 --- a/kubernetes/aaf/charts/aaf-locate/templates/service.yaml +++ b/kubernetes/aaf/charts/aaf-locate/templates/service.yaml @@ -1,4 +1,5 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2017 Amdocs, Orange +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,22 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: {{ .Values.global.aaf.locate.internal_port }} - nodePort: {{ .Values.global.aaf.locate.public_port }} - name: aaf-locate - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: "NodePort" +{{ include "common.service" . }} diff --git a/kubernetes/aaf/charts/aaf-locate/values.yaml b/kubernetes/aaf/charts/aaf-locate/values.yaml index 2083f1af3d..01a5ab158a 100644 --- a/kubernetes/aaf/charts/aaf-locate/values.yaml +++ b/kubernetes/aaf/charts/aaf-locate/values.yaml @@ -18,6 +18,12 @@ flavor: small # Application configuration defaults. ################################################################# # application image +replicaCount: 1 + +binary: locate + +sequence_order: + - service nodeSelector: {} @@ -25,24 +31,25 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 120 + initialDelaySeconds: 30 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true + port: api readiness: initialDelaySeconds: 5 periodSeconds: 10 + port: api service: name: aaf-locate type: ClusterIP - portName: aaf-locate - #targetPort - internalPort: 8095 - #port - externalPort: 31111 + ports: + - name: api + protocol: http + port: 8095 ingress: enabled: false @@ -51,13 +58,13 @@ ingress: name: "aaf-locate" port: 8095 config: - ssl: "none" + ssl: "redirect" # Configure resource requests and limits resources: small: limits: - cpu: 100m + cpu: 500m memory: 320Mi requests: cpu: 1m diff --git a/kubernetes/aaf/charts/aaf-oauth/templates/deployment.yaml b/kubernetes/aaf/charts/aaf-oauth/templates/deployment.yaml index 6ce3abd241..5074c8bc08 100644 --- a/kubernetes/aaf/charts/aaf-oauth/templates/deployment.yaml +++ b/kubernetes/aaf/charts/aaf-oauth/templates/deployment.yaml @@ -1,4 +1,5 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2017 Amdocs +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,128 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} -spec: - replicas: {{ .Values.global.aaf.oauth.replicas }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /opt/app/aaf/status - chown -R 1000:1000 /opt/app/aaf/status - chmod -R 775 /opt/app/osaaf - chown -R 1000:1000 /opt/app/osaaf - image: "{{ .Values.global.busyboxRepository }}/{{ .Values.global.busyboxImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /opt/app/aaf/status - name: aaf-status-vol - - mountPath: /opt/app/osaaf - name: aaf-config-vol - - name: {{ include "common.name" . }}-config-container - image: {{ .Values.global.repository }}/{{.Values.global.aaf.config.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c","cd /opt/app/aaf_config && bin/pod_wait.sh config aaf-service remove && bin/agent.sh"] - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: "/opt/app/aaf/status" - name: aaf-status-vol - env: - - name: aaf_env - value: "{{ .Values.global.aaf.aaf_env }}" - - name: cadi_latitude - value: "{{ .Values.global.aaf.cadi_latitude }}" - - name: cadi_longitude - value: "{{ .Values.global.aaf.cadi_longitude }}" - - name: cadi_x509_issuers - value: "{{ .Values.global.aaf.cadi_x509_issuers }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ .Release.Namespace}}:{{.Values.global.aaf.locate.internal_port}}" - - name: aaf_locator_container - value: "oom" - - name: aaf_release - value: "{{ .Values.global.aaf.aaf_release }}" - - name: aaf_locator_container_ns - value: "{{ .Release.Namespace }}" - - name: aaf_locator_public_fqdn - value: "{{.Values.global.aaf.public_fqdn}}" - - name: aaf_locator_name - value: "{{.Values.global.aaf.aaf_locator_name}}" - - name: aaf_locator_name_oom - value: "{{.Values.global.aaf.aaf_locator_name_oom}}" - - name: cm_always_ignore_ips - value: "true" - - name: CASSANDRA_CLUSTER - value: "{{.Values.global.aaf.cass.fqdn}}.{{ .Release.Namespace }}" -# - name: CASSANDRA_USER -# value: "" -# - name: CASSANDRA_PASSWORD -# value: "" -# - name: CASSANDRA_PORT -# value: "" - containers: - - name: {{ include "common.name" . }} - command: ["/bin/bash","-c","cd /opt/app/aaf && /bin/bash bin/pod_wait.sh aaf-oauth aaf-service && exec bin/oauth"] - image: {{ .Values.global.repository }}/{{.Values.global.aaf.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: "/opt/app/aaf/status" - name: aaf-status-vol - - mountPath: /etc/localtime - name: localtime - readOnly: true - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.global.aaf.oauth.internal_port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.global.aaf.oauth.internal_port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aaf-status-vol - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-status - - name: aaf-config-vol - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-config - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" +{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/charts/aaf-oauth/templates/ingress.yaml b/kubernetes/aaf/charts/aaf-oauth/templates/ingress.yaml new file mode 100644 index 0000000000..1b33c1f8d1 --- /dev/null +++ b/kubernetes/aaf/charts/aaf-oauth/templates/ingress.yaml @@ -0,0 +1,2 @@ + +{{ include "common.ingress" . }} diff --git a/kubernetes/aaf/charts/aaf-oauth/templates/service.yaml b/kubernetes/aaf/charts/aaf-oauth/templates/service.yaml index 52c2d10568..e54c4f3057 100644 --- a/kubernetes/aaf/charts/aaf-oauth/templates/service.yaml +++ b/kubernetes/aaf/charts/aaf-oauth/templates/service.yaml @@ -1,4 +1,5 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2017 Amdocs, Orange +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,22 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: {{ .Values.global.aaf.oauth.internal_port }} - nodePort: {{ .Values.global.aaf.oauth.public_port }} - name: aaf-oauth - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: "NodePort" +{{ include "common.service" . }} diff --git a/kubernetes/aaf/charts/aaf-oauth/values.yaml b/kubernetes/aaf/charts/aaf-oauth/values.yaml index deadf2976f..7604b86393 100644 --- a/kubernetes/aaf/charts/aaf-oauth/values.yaml +++ b/kubernetes/aaf/charts/aaf-oauth/values.yaml @@ -19,30 +19,40 @@ flavor: small # Application configuration defaults. ################################################################# # application image + +replicaCount: 1 + +binary: oauth + +sequence_order: + - service + - locate + nodeSelector: {} affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 120 + initialDelaySeconds: 30 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true + port: api readiness: initialDelaySeconds: 5 periodSeconds: 10 + port: api service: name: aaf-oauth type: ClusterIP - portName: aaf-oauth - #targetPort - internalPort: 8140 - #port - externalPort: 8140 + ports: + - name: api + protocol: http + port: 8140 ingress: enabled: false @@ -51,22 +61,22 @@ ingress: name: "aaf-oauth" port: 8140 config: - ssl: "none" + ssl: "redirect" # Configure resource requests and limits resources: - small: - limits: - cpu: 40m - memory: 320Mi - requests: - cpu: 1m - memory: 210Mi - large: - limits: - cpu: 400m - memory: 600Mi - requests: - cpu: 40m - memory: 200Mi - unlimited: {} + small: + limits: + cpu: 40m + memory: 320Mi + requests: + cpu: 1m + memory: 210Mi + large: + limits: + cpu: 400m + memory: 600Mi + requests: + cpu: 40m + memory: 200Mi + unlimited: {} diff --git a/kubernetes/aaf/charts/aaf-service/templates/deployment.yaml b/kubernetes/aaf/charts/aaf-service/templates/deployment.yaml index 555f4ac815..5074c8bc08 100644 --- a/kubernetes/aaf/charts/aaf-service/templates/deployment.yaml +++ b/kubernetes/aaf/charts/aaf-service/templates/deployment.yaml @@ -1,4 +1,5 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2017 Amdocs +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,135 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} -spec: - replicas: {{ .Values.global.aaf.service.replicas }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /opt/app/aaf/status - chown -R 1000:1000 /opt/app/aaf/status - chmod -R 775 /opt/app/osaaf - chown -R 1000:1000 /opt/app/osaaf - image: "{{ .Values.global.busyboxRepository }}/{{ .Values.global.busyboxImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /opt/app/aaf/status - name: aaf-status-vol - - mountPath: /opt/app/osaaf - name: aaf-config-vol - - name: {{ include "common.name" . }}-config-container - image: {{ .Values.global.repository }}/{{.Values.global.aaf.config.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c","cd /opt/app/aaf_config && bin/pod_wait.sh config nc aaf-cass.{{ .Release.Namespace }} 9042 sleep 15 remove && bin/agent.sh"] - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: "/opt/app/aaf/status" - name: aaf-status-vol - env: - - name: aaf_env - value: "{{ .Values.global.aaf.aaf_env }}" - - name: cadi_latitude - value: "{{ .Values.global.aaf.cadi_latitude }}" - - name: cadi_longitude - value: "{{ .Values.global.aaf.cadi_longitude }}" - - name: cadi_x509_issuers - value: "{{ .Values.global.aaf.cadi_x509_issuers }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ .Release.Namespace}}:{{.Values.global.aaf.locate.internal_port}}" - - name: aaf_locator_container - value: "oom" - - name: aaf_release - value: "{{ .Values.global.aaf.aaf_release }}" - - name: aaf_locator_container_ns - value: "{{ .Release.Namespace }}" - - name: aaf_locator_public_fqdn - value: "{{.Values.global.aaf.public_fqdn}}" - - name: aaf_locator_name - value: "{{.Values.global.aaf.aaf_locator_name}}" - - name: aaf_locator_name_oom - value: "{{.Values.global.aaf.aaf_locator_name_oom}}" - - name: cm_always_ignore_ips - value: "true" - - name: CASSANDRA_CLUSTER - value: "{{.Values.global.aaf.cass.fqdn}}.{{ .Release.Namespace }}" -# - name: CASSANDRA_USER -# value: "" -# - name: CASSANDRA_PASSWORD -# value: "" -# - name: CASSANDRA_PORT -# value: "" - containers: - - name: {{ include "common.name" . }} - command: ["/bin/bash","-c","cd /opt/app/aaf && bin/pod_wait.sh aaf-service aaf-cass && exec bin/service"] - image: {{.Values.global.repository}}/{{.Values.global.aaf.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: cm_always_ignore_ips - value: "true" - lifecycle: - preStop: - exec: - command: ["/bin/sh","-c","rm /opt/app/aaf/status/aaf-service* && echo $HOSTNAME >> aaf-service.hosts"] - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: "/opt/app/aaf/status" - name: aaf-status-vol - - mountPath: /etc/localtime - name: localtime - readOnly: true - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.global.aaf.service.internal_port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.global.aaf.service.internal_port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aaf-status-vol - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-status - - name: aaf-config-vol - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-config - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" +{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/charts/aaf-service/templates/service.yaml b/kubernetes/aaf/charts/aaf-service/templates/service.yaml index e02c685549..e54c4f3057 100644 --- a/kubernetes/aaf/charts/aaf-service/templates/service.yaml +++ b/kubernetes/aaf/charts/aaf-service/templates/service.yaml @@ -1,4 +1,5 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2017 Amdocs, Orange +# Modifications © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,22 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: {{ .Values.global.aaf.service.internal_port }} - nodePort: {{ .Values.global.aaf.service.public_port }} - name: aaf-service - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: "NodePort" +{{ include "common.service" . }} diff --git a/kubernetes/aaf/charts/aaf-service/values.yaml b/kubernetes/aaf/charts/aaf-service/values.yaml index 5f3c1878dd..c2d96032cc 100644 --- a/kubernetes/aaf/charts/aaf-service/values.yaml +++ b/kubernetes/aaf/charts/aaf-service/values.yaml @@ -20,30 +20,38 @@ flavor: small ################################################################# # application image +replicaCount: 1 + +binary: service + +sequence_order: + - cass + nodeSelector: {} affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 120 + initialDelaySeconds: 30 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true + port: api readiness: initialDelaySeconds: 5 periodSeconds: 10 + port: api service: name: aaf-service - type: NodePort - portName: aaf-service - #targetPort - internalPort: 8100 - #port - externalPort: 31110 + type: ClusterIP + ports: + - name: api + port: 8100 + protocol: http ingress: enabled: false @@ -52,22 +60,22 @@ ingress: name: "aaf-service" port: 8100 config: - ssl: "none" + ssl: "redirect" # Configure resource requests and limits resources: - small: - limits: - cpu: 250m - memory: 360Mi - requests: - cpu: 10m - memory: 250Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 40m - memory: 300Mi - unlimited: {} + small: + limits: + cpu: 250m + memory: 360Mi + requests: + cpu: 10m + memory: 250Mi + large: + limits: + cpu: 400m + memory: 1Gi + requests: + cpu: 40m + memory: 300Mi + unlimited: {} diff --git a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/configmap.yaml b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/configmap.yaml index 5ade9a81d6..8d1faf7e32 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/configmap.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/configmap.yaml @@ -18,15 +18,8 @@ apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} -{{- end -}}
\ No newline at end of file +{{- end -}} diff --git a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/job.yaml b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/job.yaml index c816b16914..23fe79d716 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/job.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/job.yaml @@ -18,21 +18,11 @@ apiVersion: batch/v1 kind: Job -metadata: - name: {{ include "common.fullname" . }}-init - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: backoffLimit: 2 template: - metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: restartPolicy: Never containers: @@ -58,19 +48,17 @@ spec: - name: {{ include "common.fullname" . }}-tpmconfig mountPath: "/abrmd/cred/" readOnly: true - resources: -{{ toYaml .Values.resources | indent 10 }} - nodeSelector: - {{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} + resources: {{ toYaml .Values.resources | nindent 10 }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} {{- end -}} {{- if .Values.global.tpm.enabled }} {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} volumes: - name: {{ include "common.fullname" . }}-data persistentVolumeClaim: diff --git a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/statefulset.yaml b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/statefulset.yaml index 0beda0fefc..c624ccfc4d 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/statefulset.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/statefulset.yaml @@ -16,24 +16,15 @@ {{- if and .Values.global.tpm.enabled .Values.global.abrmd.enabled -}} -apiVersion: apps/v1beta1 +apiVersion: apps/v1 kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} serviceName: template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" @@ -50,6 +41,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi containers: - image: "{{ include "common.repository" . }}/{{ .Values.image }}" name: {{ include "common.name" . }} @@ -66,8 +64,7 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true - resources: -{{ toYaml .Values.resources | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} nodeSelector: {{- if .Values.nodeSelector }} {{ toYaml .Values.nodeSelector | indent 8 }} @@ -76,8 +73,7 @@ spec: {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} volumes: - name: localtime diff --git a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/configmap.yaml b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/configmap.yaml index dc5176127a..99176fcdf6 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/configmap.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/configmap.yaml @@ -18,15 +18,8 @@ apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} -{{- end -}}
\ No newline at end of file +{{- end -}} diff --git a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/job.yaml b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/job.yaml index 3d248eef51..fb48c7df4a 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/job.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/job.yaml @@ -18,22 +18,12 @@ apiVersion: batch/v1 kind: Job -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: replicas: {{ .Values.replicaCount }} serviceName: template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: restartPolicy: Never initContainers: @@ -52,6 +42,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi {{ else }} - image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -69,6 +66,13 @@ spec: readOnly: true - name: {{ include "common.fullname" . }}-data mountPath: /distcenter/data + resources: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi {{- end }} containers: - image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -82,15 +86,12 @@ spec: readOnly: true - name: {{ include "common.fullname" . }}-data mountPath: /distcenter/data - resources: -{{ toYaml .Values.resources | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} volumes: - name: localtime @@ -98,7 +99,7 @@ spec: path: /etc/localtime - name: {{ include "common.fullname" . }}-data persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm-data + claimName: {{ include "common.release" . }}-aaf-sshsm imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pv.yaml b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pv.yaml index 00005a58b1..bf0ef74be2 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pv.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pv.yaml @@ -15,28 +15,5 @@ */}} {{- if .Values.global.distcenter.enabled -}} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) }} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-data - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} +{{ include "common.PV" . }} {{- end -}} diff --git a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pvc.yaml b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pvc.yaml index ede08205b5..a13b7f353b 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pvc.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pvc.yaml @@ -15,27 +15,5 @@ */}} {{- if .Values.global.distcenter.enabled -}} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.size }} - storageClassName: {{ include "common.storageClass" . }} -{{- end -}} +{{ include "common.PVC" . }} {{- end -}} diff --git a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-testca/templates/job.yaml b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-testca/templates/job.yaml index a67760c368..a64f483d74 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-testca/templates/job.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-testca/templates/job.yaml @@ -18,22 +18,11 @@ apiVersion: batch/v1 kind: Job -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: replicas: {{ .Values.replicaCount }} - serviceName: template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: restartPolicy: Never initContainers: @@ -51,6 +40,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi {{- if .Values.global.tpm.enabled }} - image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -66,6 +62,13 @@ spec: volumeMounts: - name: {{ include "common.fullname" . }}-dbus mountPath: /var/run/dbus + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi {{- end }} containers: - image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -98,8 +101,7 @@ spec: - name: {{ include "common.fullname" . }}-secrets mountPath: /testca/secrets readOnly: true - resources: -{{ toYaml .Values.resources | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} nodeSelector: {{- if .Values.nodeSelector }} {{ toYaml .Values.nodeSelector | indent 8 }} @@ -108,8 +110,7 @@ spec: {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} volumes: - name: localtime @@ -117,7 +118,7 @@ spec: path: /etc/localtime - name: {{ include "common.fullname" . }}-data persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm-data + claimName: {{ include "common.release" . }}-aaf-sshsm - name: {{ include "common.fullname" . }}-dbus persistentVolumeClaim: claimName: {{ include "common.release" . }}-aaf-sshsm-dbus diff --git a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-testca/values.yaml b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-testca/values.yaml index 3f7782c604..dd04c93bd7 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-testca/values.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/charts/aaf-sshsm-testca/values.yaml @@ -46,8 +46,8 @@ flavor: small resources: small: limits: - cpu: 20m - memory: 50Mi + cpu: 50m + memory: 100Mi requests: cpu: 10m memory: 10Mi diff --git a/kubernetes/aaf/charts/aaf-sshsm/templates/pv-data.yaml b/kubernetes/aaf/charts/aaf-sshsm/templates/pv-data.yaml index 3b50792473..b566b11458 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/templates/pv-data.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/templates/pv-data.yaml @@ -14,27 +14,4 @@ # limitations under the License. */}} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) }} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-data - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }}-data -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.dataMountSubPath }} -{{- end -}} -{{- end -}} +{{ include "common.PV" (dict "dot" . "persistenceInfos" .Values.persistence.data) }} diff --git a/kubernetes/aaf/charts/aaf-sshsm/templates/pv-dbus.yaml b/kubernetes/aaf/charts/aaf-sshsm/templates/pv-dbus.yaml index e76baa2d36..b3e7f9fabd 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/templates/pv-dbus.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/templates/pv-dbus.yaml @@ -14,27 +14,4 @@ # limitations under the License. */}} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) }} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-dbus - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }}-dbus -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-dbus" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.dbusMountSubPath }} -{{- end -}} -{{- end -}} +{{ include "common.PV" (dict "dot" . "suffix" "dbus" "persistenceInfos" .Values.persistence.dbus) }} diff --git a/kubernetes/aaf/charts/aaf-sshsm/templates/pvc-data.yaml b/kubernetes/aaf/charts/aaf-sshsm/templates/pvc-data.yaml index 2a5fc98bfa..b8971cc03c 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/templates/pvc-data.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/templates/pvc-data.yaml @@ -14,26 +14,4 @@ # limitations under the License. */}} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-data - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.size }} - storageClassName: {{ include "common.storageClass" . }} -{{- end -}} +{{ include "common.PVC" (dict "dot" . "persistenceInfos" .Values.persistence.data) }} diff --git a/kubernetes/aaf/charts/aaf-sshsm/templates/pvc-dbus.yaml b/kubernetes/aaf/charts/aaf-sshsm/templates/pvc-dbus.yaml index cf223670b5..7297d6f81d 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/templates/pvc-dbus.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/templates/pvc-dbus.yaml @@ -14,30 +14,4 @@ # limitations under the License. */}} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-dbus - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{- if eq "True" (include "common.needPV" .) }} - storageClassName: "{{ include "common.fullname" . }}-dbus" -{{- else }} - storageClassName: {{ include "common.storageClass" . }} -{{- end }} -{{- end -}} +{{ include "common.PVC" (dict "dot" . "suffix" "dbus" "persistenceInfos" .Values.persistence.dbus) }} diff --git a/kubernetes/aaf/charts/aaf-sshsm/values.yaml b/kubernetes/aaf/charts/aaf-sshsm/values.yaml index 55d38a094c..5600213e11 100644 --- a/kubernetes/aaf/charts/aaf-sshsm/values.yaml +++ b/kubernetes/aaf/charts/aaf-sshsm/values.yaml @@ -32,12 +32,20 @@ global: persistence: enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 10Mi - mountPath: /dockerdata-nfs - dataMountSubPath: sshsm/data - dbusMountSubPath: sshsm/dbus + data: + enabled: true + size: 10Mi + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + mountSubPath: sshsm/data + dbus: + enabled: true + size: 10Mi + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + mountSubPath: sshsm/dbus + + # Configure resource requests and limits resources: diff --git a/kubernetes/aaf/templates/_deployment.tpl b/kubernetes/aaf/templates/_deployment.tpl new file mode 100644 index 0000000000..bf6931a8e3 --- /dev/null +++ b/kubernetes/aaf/templates/_deployment.tpl @@ -0,0 +1,67 @@ +{*/ +# Copyright © 2020 AT&T, Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/} + +{{- define "aaf.deployment" -}} +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: {{ include "aaf.initContainers" . | nindent 6 }} + containers: + - name: {{ include "common.name" . }} + workingDir: /opt/app/aaf + command: ["bin/{{ .Values.binary }}"] + image: {{ include "common.repository" . }}/{{.Values.global.aaf.image}} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + volumeMounts: + - mountPath: "/opt/app/osaaf" + name: aaf-config-vol + - mountPath: /etc/localtime + name: localtime + readOnly: true + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{.Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 10 }} + {{- end }} + volumes: + - name: localtime + hostPath: + path: /etc/localtime + - name: aaf-config-vol + emptyDir: {} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" +{{- end -}} diff --git a/kubernetes/aaf/templates/_initContainers.tpl b/kubernetes/aaf/templates/_initContainers.tpl new file mode 100644 index 0000000000..43c511fd6d --- /dev/null +++ b/kubernetes/aaf/templates/_initContainers.tpl @@ -0,0 +1,122 @@ +{*/ +# Copyright © 2020 AT&T, Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/} + +{{- define "aaf.permissionFixer" -}} +- name: fix-permission + command: + - /bin/sh + args: + - -c + - | + chown -R 1000:1000 /opt/app/aaf + chown -R 1000:1000 /opt/app/osaaf + image: "{{ .Values.global.busyboxRepository }}/{{ .Values.global.busyboxImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - mountPath: /opt/app/osaaf + name: aaf-config-vol + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi +{{- end -}} + +{{- define "aaf.podConfiguration" }} +- name: {{ include "common.name" . }}-config-container + image: {{ .Values.global.repository }}/{{.Values.global.aaf.config.image}} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /bin/bash + args: + - -c + - | + cd /opt/app/aaf_config + bin/agent.sh + volumeMounts: + - mountPath: "/opt/app/osaaf" + name: aaf-config-vol + env: + - name: aaf_env + value: "{{ .Values.global.aaf.aaf_env }}" + - name: cadi_latitude + value: "{{ .Values.global.aaf.cadi_latitude }}" + - name: cadi_longitude + value: "{{ .Values.global.aaf.cadi_longitude }}" + - name: cadi_x509_issuers + value: "{{ .Values.global.aaf.cadi_x509_issuers }}" + - name: aaf_locate_url + value: "https://aaf-locate.{{ .Release.Namespace}}:8095" + - name: aaf_locator_container + value: "oom" + - name: aaf_release + value: "{{ .Values.global.aaf.aaf_release }}" + - name: aaf_locator_container_ns + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: aaf_locator_public_fqdn + value: "{{.Values.global.aaf.public_fqdn}}" + - name: aaf_locator_name + value: "{{.Values.global.aaf.aaf_locator_name}}" + - name: aaf_locator_name_oom + value: "{{.Values.global.aaf.aaf_locator_name_oom}}" + - name: cm_always_ignore_ips + value: "true" + - name: CASSANDRA_CLUSTER + value: "aaf-cass.{{ .Release.Namespace }}" + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi +{{- end -}} + +{{- define "aaf.initContainers" -}} +initContainers: +{{ include "aaf.permissionFixer" . }} +{{- if .Values.sequence_order }} +- name: {{ include "common.name" . }}-aaf-readiness + command: + - /root/ready.py + args: + {{- range $container := .Values.sequence_order }} + - --container-name + - aaf-{{ $container}} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi +{{- end }} +{{ include "aaf.podConfiguration" . }} +{{- end }} diff --git a/kubernetes/aaf/templates/pv-config.yaml b/kubernetes/aaf/templates/pv-config.yaml deleted file mode 100644 index 5ed3e62aeb..0000000000 --- a/kubernetes/aaf/templates/pv-config.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{/* -# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.global.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) }} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }}-config - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.config.size}} - accessModes: - - {{ .Values.persistence.config.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.config.volumeReclaimPolicy }} - hostPath: - path: {{ .Values.persistence.config.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.config.mountSubPath }} - storageClassName: "{{ include "common.fullname" . }}-config" -{{- end -}} -{{- end -}} diff --git a/kubernetes/aaf/templates/pv-status.yaml b/kubernetes/aaf/templates/pv-status.yaml deleted file mode 100644 index d8f5980b9b..0000000000 --- a/kubernetes/aaf/templates/pv-status.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{/* -# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.global.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) }} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-status - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }}-status - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.status.size}} - accessModes: - - {{ .Values.persistence.status.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.status.volumeReclaimPolicy }} - hostPath: - path: {{ .Values.persistence.status.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.status.mountSubPath }} - storageClassName: "{{ include "common.fullname" . }}-status" -{{- end -}} -{{- end -}} diff --git a/kubernetes/aaf/templates/pvc-config.yaml b/kubernetes/aaf/templates/pvc-config.yaml deleted file mode 100644 index dc71dceff1..0000000000 --- a/kubernetes/aaf/templates/pvc-config.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{/* -# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.global.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.release" . }}-aaf-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.config.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.config.size }} -{{- if eq "True" (include "common.needPV" .) }} - storageClassName: "{{ include "common.fullname" . }}-config" -{{- else }} - storageClassName: {{ include "common.storageClass" . }} -{{- end }} -{{- end -}} diff --git a/kubernetes/aaf/templates/pvc-status.yaml b/kubernetes/aaf/templates/pvc-status.yaml deleted file mode 100644 index 3cda088fba..0000000000 --- a/kubernetes/aaf/templates/pvc-status.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{/* -# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.global.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.release" . }}-aaf-status - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.status.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.status.size }} -{{- if eq "True" (include "common.needPV" .) }} - storageClassName: "{{ include "common.fullname" . }}-status" -{{- else }} - storageClassName: {{ include "common.storageClass" . }} -{{- end }} -{{- end -}} diff --git a/kubernetes/aaf/values.yaml b/kubernetes/aaf/values.yaml index 8eaead5e4b..bedf243639 100644 --- a/kubernetes/aaf/values.yaml +++ b/kubernetes/aaf/values.yaml @@ -29,7 +29,7 @@ global: loggingImage: beats/filebeat:5.5.0 # BusyBox image busyboxRepository: registry.hub.docker.com - busyboxImage: library/busybox:latest + busyboxImage: library/busybox:1.31 persistence: enabled: true # Standard OOM @@ -58,50 +58,19 @@ global: config: image: onap/aaf/aaf_config:2.1.20 - cass: - replicas: 1 - image: onap/aaf/aaf_cass:2.1.20 - fqdn: "aaf-cass" - cluster_name: "osaaf" - heap_new_size: "512M" - max_heap_size: "1024M" - storage_port: 7000 - ssl_storage_port: 7001 - native_trans_port: 9042 - rpc_port: 9160 - dc: "dc1" + service: - replicas: 1 fqdn: "aaf-service" internal_port: 8100 public_port: 31110 locate: - replicas: 1 fqdn: "aaf-locate" internal_port: 8095 public_port: 31111 oauth: - replicas: 1 - fqdn: "aaf0oauth" + fqdn: "aaf-oauth" internal_port: 8140 public_port: 31112 - gui: - replicas: 1 - fqdn: "aaf-gui" - internal_port: 8200 - public_port: 31113 - cm: - replicas: 1 - fqdn: "aaf-cm" - internal_port: 8150 - public_port: 31114 - fs: - replicas: 1 - fqdn: "aaf-fs" - internal_port: 8096 - public_port: 31115 - hello: - replicas: 0 # Note: as hello is a sample app, find values in charts/aaf-hello/values.yaml @@ -131,36 +100,13 @@ readiness: ingress: enabled: false - -## Persist data to a persitent volume -persistence: - enabled: true + service: + - baseaddr: "aaf.api" + name: "aaf-service" + port: 8100 config: - #existingClaim: - volumeReclaimPolicy: Delete - accessMode: ReadWriteMany - size: 2Gi - mountPath: /dockerdata-nfs - mountSubPath: "config" - logs: - #existingClaim: - volumeReclaimPolicy: Retain - accessMode: ReadWriteMany - size: 2Gi - mountPath: "/mnt/data/aaf/logs" - status: - volumeReclaimPolicy: Delete - accessMode: ReadWriteMany - size: 2M - mountPath: /dockerdata-nfs - mountSubPath: "status" - cass: - #existingClaim: - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 10Gi - mountPath: /dockerdata-nfs - mountSubPath: "cass" + ssl: "none" +persistence: {} resources: {} diff --git a/kubernetes/aai b/kubernetes/aai -Subproject 0c4cd899d53538202c23030ab278984897aede9 +Subproject d687fd0c9efe31e93287da11e3e390984a5fb6c diff --git a/kubernetes/appc/charts/appc-cdt/values.yaml b/kubernetes/appc/charts/appc-cdt/values.yaml index 118d19c1b3..bd99bcac15 100644 --- a/kubernetes/appc/charts/appc-cdt/values.yaml +++ b/kubernetes/appc/charts/appc-cdt/values.yaml @@ -65,7 +65,7 @@ ingress: name: "appc-cdt" port: 18080 config: - ssl: "none" + ssl: "redirect" # Configure resource requests and limits # ref: http://kubernetes.io/docs/user-guide/compute-resources/ diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/appc.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/appc.properties index 978dead538..542645683e 100644 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/appc.properties +++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/appc.properties @@ -34,7 +34,7 @@ appc.demo.threads.poolsize.max=2 appc.demo.provider.user={{.Values.config.odlUser}} appc.demo.provider.pass={{.Values.config.odlPassword}} appc.demo.provider.url=http://localhost:8181/restconf/operations/appc-provider -appc.provider.vfodl.url=http://{{.Values.config.odlUser|urlquery}}:{{.Values.config.odlPassword|urlquery}}@{{.Values.service.name}}:{{.Values.service.externalPort}}/restconf/config/network-topology:network-topology/topology/topology-netconf/node/NODE_NAME/yang-ext:mount/stream-count:stream-count/streams/ +appc.provider.vfodl.url=http://{{.Values.config.odlUser|urlquery}}:{{.Values.config.odlPassword|urlquery}}@localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/NODE_NAME/yang-ext:mount/stream-count:stream-count/streams/ # The properties right below are needed to properly call the Master DG to serve demo purposes appc.service.logic.module.name=APPC diff --git a/kubernetes/appc/resources/config/log/filebeat/log4j/filebeat.yml b/kubernetes/appc/resources/config/log/filebeat/filebeat.yml index 85293c8275..85293c8275 100644 --- a/kubernetes/appc/resources/config/log/filebeat/log4j/filebeat.yml +++ b/kubernetes/appc/resources/config/log/filebeat/filebeat.yml diff --git a/kubernetes/appc/templates/configmap.yaml b/kubernetes/appc/templates/configmap.yaml index 72dc6172dc..fe206a9322 100644 --- a/kubernetes/appc/templates/configmap.yaml +++ b/kubernetes/appc/templates/configmap.yaml @@ -119,19 +119,6 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-filebeat - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/log/filebeat/log4j/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: name: {{ include "common.fullname" . }}-logging-cfg namespace: {{ include "common.namespace" . }} labels: @@ -141,3 +128,5 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/log/*").AsConfig . | indent 2 }} + +{{ include "common.log.configMap" . }} diff --git a/kubernetes/appc/templates/statefulset.yaml b/kubernetes/appc/templates/statefulset.yaml index 5fd34ece79..3480e638aa 100644 --- a/kubernetes/appc/templates/statefulset.yaml +++ b/kubernetes/appc/templates/statefulset.yaml @@ -185,7 +185,7 @@ spec: subPath: installSdncDb.sh - mountPath: {{ .Values.persistence.mdsalPath }} name: {{ include "common.fullname" . }}-data - - mountPath: /var/log/onap + - mountPath: {{ .Values.log.path }} name: logs - mountPath: /opt/onap/appc/data/org.ops4j.pax.logging.cfg name: log-config @@ -208,17 +208,7 @@ spec: {{- end }} # side car containers - - name: filebeat-onap - image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /usr/share/filebeat/filebeat.yml - name: filebeat-conf - subPath: filebeat.yml - - mountPath: /var/log/onap - name: logs - - mountPath: /usr/share/filebeat/data - name: data-filebeat + {{ include "common.log.sidecar" . | nindent 8 }} volumes: - name: keyfile-certs secret: @@ -229,16 +219,12 @@ spec: - name: localtime hostPath: path: /etc/localtime - - name: filebeat-conf - configMap: - name: {{ include "common.fullname" . }}-filebeat - name: log-config configMap: name: {{ include "common.fullname" . }}-logging-cfg - name: logs emptyDir: {} - - name: data-filebeat - emptyDir: {} + {{ include "common.log.volumes" . | nindent 8 }} - name: onap-appc-data-properties-input configMap: name: {{ include "common.fullname" . }}-onap-appc-data-properties diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml index fb8230b128..45a9b4cfa1 100644 --- a/kubernetes/appc/values.yaml +++ b/kubernetes/appc/values.yaml @@ -20,6 +20,7 @@ global: nodePortPrefix: 302 readinessRepository: oomk8s readinessImage: readiness-check:2.0.0 + centralizedLoggingEnabled: false loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 # envsusbt @@ -62,6 +63,10 @@ pullPolicy: Always # flag to enable debugging - application support required debugEnabled: false +# log configuration +log: + path: /var/log/onap + # application configuration config: # dbRootPassExternalSecret: some secret @@ -71,14 +76,14 @@ config: # It seems that the DB name is hardcoded. dbName: appcctl userName: appcctl - password: appcctl + # password: appcctl # userCredsExternalSecret: some secret sdncdb: # Warning: changing this config option may not work. # It seems that the DB name is hardcoded. dbName: sdnctl userName: sdnctl - password: gamma + # password: gamma # userCredsExternalSecret: some secret odlUid: 100 odlGid: 101 @@ -138,6 +143,15 @@ dgbuilder: service: name: appc-dgbuilder + ingress: + enabled: false + service: + - baseaddr: "appc-dgbuilder" + name: "appc-dgbuilder" + port: 3000 + config: + ssl: "redirect" + #passing value to cdt chart. value of nodePort3 will be same as appc.service.nodePort3. appc-cdt: nodePort3: 11 @@ -202,7 +216,7 @@ persistence: ingress: enabled: false service: - - baseaddr: appc + - baseaddr: "appc.api" name: "appc" port: 8443 config: diff --git a/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties b/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties index eee61e7e90..05ac61cf57 100755 --- a/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties +++ b/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties @@ -53,9 +53,9 @@ blueprintsprocessor.db.hibernateDialect=org.hibernate.dialect.MySQL5InnoDBDialec # processor-db endpoint blueprintsprocessor.db.processor-db.type=maria-db -blueprintsprocessor.db.processor-db.url=jdbc:mysql://{{.Values.config.cdsDB.dbServer}}:{{.Values.config.cdsDB.dbPort}}/{{.Values.config.cdsDB.dbName}} -blueprintsprocessor.db.processor-db.username=root -blueprintsprocessor.db.processor-db.password=${CDS_DB_ROOT_PASSWORD} +blueprintsprocessor.db.processor-db.url=jdbc:mysql://{{ .Values.config.sdncDB.dbService }}:{{ .Values.config.sdncDB.dbPort }}/{{.Values.config.sdncDB.dbName}} +blueprintsprocessor.db.processor-db.username=${SDNC_DB_USERNAME} +blueprintsprocessor.db.processor-db.password=${SDNC_DB_PASSWORD} # Python executor blueprints.processor.functions.python.executor.executionPath=/opt/app/onap/scripts/jython/ccsdk_blueprints @@ -81,6 +81,7 @@ blueprintprocessor.resourceResolution.enabled=true blueprintprocessor.netconfExecutor.enabled=true blueprintprocessor.restConfExecutor.enabled=true blueprintprocessor.remoteScriptCommand.enabled=true +blueprintsprocessor.remote-script-command.response.log.enabled=false # Command executor blueprintsprocessor.grpcclient.remote-python.type=token-auth @@ -117,6 +118,9 @@ blueprintsprocessor.messageconsumer.self-service-api.pollMillSec=1000 # Self Service Response Kafka Message Producer blueprintsprocessor.messageproducer.self-service-api.bootstrapServers=message-router-kafka:9092 +# Kafka Audit Service Configurations +blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable=false + # Executor Options blueprintsprocessor.resourceResolution.enabled=true blueprintsprocessor.netconfExecutor.enabled=true diff --git a/kubernetes/cds/charts/cds-blueprints-processor/templates/deployment.yaml b/kubernetes/cds/charts/cds-blueprints-processor/templates/deployment.yaml index ab7245e56a..161cf28d27 100755 --- a/kubernetes/cds/charts/cds-blueprints-processor/templates/deployment.yaml +++ b/kubernetes/cds/charts/cds-blueprints-processor/templates/deployment.yaml @@ -48,15 +48,16 @@ spec: - sh args: - -c - - "cd /config-input && for PFILE in `ls -1 .`; do envsubst '${CDS_DB_USERNAME},${CDS_DB_PASSWORD},${CDS_DB_ROOT_PASSWORD}' <${PFILE} >/config/${PFILE}; done" + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst '${CDS_DB_USERNAME},${CDS_DB_PASSWORD},${SDNC_DB_USERNAME},${SDNC_DB_PASSWORD}' <${PFILE} >/config/${PFILE}; done" env: - name: CDS_DB_USERNAME {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cds-db-user-creds" "key" "login") | indent 10}} - name: CDS_DB_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cds-db-user-creds" "key" "password") | indent 10}} - - name: CDS_DB_ROOT_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cds-db-root-pass" "key" "password") | indent 10}} - + - name: SDNC_DB_USERNAME + value: root + - name: SDNC_DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-db-root-pass" "key" "password") | indent 10}} volumeMounts: - mountPath: /config-input/application.properties name: {{ include "common.fullname" . }}-config @@ -85,6 +86,17 @@ spec: image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + - name: fix-permission + command: + - chown + - -R + - 100:101 + - /opt/app/onap/blueprints/deploy + image: busybox:latest + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - mountPath: {{ .Values.persistence.deployedBlueprint }} + name: {{ include "common.fullname" . }}-blueprints containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" diff --git a/kubernetes/cds/charts/cds-blueprints-processor/values.yaml b/kubernetes/cds/charts/cds-blueprints-processor/values.yaml index 6cd3c2b554..a14dbad99b 100755 --- a/kubernetes/cds/charts/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/charts/cds-blueprints-processor/values.yaml @@ -51,10 +51,10 @@ secrets: login: '{{ .Values.config.cdsDB.dbUser }}' password: '{{ .Values.config.cdsDB.dbPassword }}' passwordPolicy: required - - uid: 'cds-db-root-pass' + - uid: 'sdnc-db-root-pass' type: password - externalSecret: '{{ tpl (default "" .Values.config.cdsDB.dbRootPassExternalSecret) . }}' - password: '{{ .Values.config.cdsDB.dbRootPassword }}' + externalSecret: '{{ tpl (default "" .Values.config.sdncDB.dbRootPassExternalSecret) . }}' + password: '{{ .Values.config.sdncDB.dbRootPass }}' passwordPolicy: required ################################################################# @@ -62,7 +62,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/ccsdk-blueprintsprocessor:0.7.1 +image: onap/ccsdk-blueprintsprocessor:0.7.2 pullPolicy: Always # flag to enable debugging - application support required @@ -72,6 +72,12 @@ debugEnabled: false config: appConfigDir: /opt/app/onap/config useScriptCompileCache: true + sdncDB: + dbService: mariadb-galera + dbPort: 3306 + dbName: sdnctl + #dbRootPass: Custom root password + dbRootPassExternalSecret: '{{ include "common.mariadb.secret.rootPassSecretName" ( dict "dot" . "chartName" .Values.config.sdncDB.dbService ) }}' cdsDB: dbServer: cds-db dbPort: 3306 diff --git a/kubernetes/cds/charts/cds-command-executor/values.yaml b/kubernetes/cds/charts/cds-command-executor/values.yaml index 3f9fb87e13..2bc84bd299 100755 --- a/kubernetes/cds/charts/cds-command-executor/values.yaml +++ b/kubernetes/cds/charts/cds-command-executor/values.yaml @@ -40,7 +40,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/ccsdk-commandexecutor:0.7.1 +image: onap/ccsdk-commandexecutor:0.7.2 pullPolicy: Always # application configuration diff --git a/kubernetes/cds/charts/cds-py-executor/Chart.yaml b/kubernetes/cds/charts/cds-py-executor/Chart.yaml new file mode 100755 index 0000000000..41b43c34a3 --- /dev/null +++ b/kubernetes/cds/charts/cds-py-executor/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright (c) 2020 Bell Canada, Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: ONAP CDS Py Executor +name: cds-py-executor +version: 6.0.0
\ No newline at end of file diff --git a/kubernetes/cds/charts/cds-py-executor/requirements.yaml b/kubernetes/cds/charts/cds-py-executor/requirements.yaml new file mode 100755 index 0000000000..676fe8f6b2 --- /dev/null +++ b/kubernetes/cds/charts/cds-py-executor/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright (c) 2020 Bell Canada, Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: common + version: ~6.x-0 + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml b/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml new file mode 100755 index 0000000000..f9c3377dd8 --- /dev/null +++ b/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml @@ -0,0 +1,90 @@ +# Copyright (c) 2020 Bell Canada, Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + containers: + - name: {{ include "common.name" . }} + image: "{{ include "common.repository" . }}/{{ .Values.image }}" + command: + - bash + args: + - '-c' + - 'AUTH_TOKEN=`echo -n $API_USERNAME:$API_PASSWORD | base64` /opt/app/onap/python/start.sh' + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{- include "common.containerPorts" . | nindent 12 }} + {{ if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + {{ end }} + readinessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} + env: + - name: APP_PORT + value: {{ .Values.config.appPort }} + - name: AUTH_TYPE + value: {{ .Values.config.authType }} + - name: API_USERNAME + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "api-credentials" "key" "login") | nindent 12 }} + - name: API_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "api-credentials" "key" "password") | nindent 12 }} + - name: LOG_FILE + value: {{ .Values.config.logFile }} + - name: ARTIFACT_MANAGER_PORT + value: {{ .Values.config.artifactManagerPort }} + - name: ARTIFACT_MANAGER_SERVER_LOG_FILE + value: {{ .Values.config.artifactManagerLogFile }} + volumeMounts: + - mountPath: /etc/localtime + name: localtime + readOnly: true + - mountPath: {{ .Values.persistence.deployedBlueprint }} + name: {{ include "common.fullname" . }}-blueprints + resources: +{{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | nindent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | nindent 10 }} + {{- end }} + volumes: + - name: localtime + hostPath: + path: /etc/localtime + # Py executor shares the blueprintsprocessor storage (for now) to + # share uploaded CBA files. In the future it will be deprecated + # when all parts of the CDS will make use of Artifact Manager + - name: {{ include "common.fullname" . }}-blueprints + persistentVolumeClaim: + claimName: {{ include "common.release" . }}-cds-blueprints + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml b/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml new file mode 100644 index 0000000000..c36607b172 --- /dev/null +++ b/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright (c) 2020 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }}
\ No newline at end of file diff --git a/kubernetes/cds/charts/cds-py-executor/templates/service.yaml b/kubernetes/cds/charts/cds-py-executor/templates/service.yaml new file mode 100755 index 0000000000..1267791b6c --- /dev/null +++ b/kubernetes/cds/charts/cds-py-executor/templates/service.yaml @@ -0,0 +1,15 @@ +# Copyright (c) 2020 Bell Canada, Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.service" . }}
\ No newline at end of file diff --git a/kubernetes/cds/charts/cds-py-executor/values.yaml b/kubernetes/cds/charts/cds-py-executor/values.yaml new file mode 100755 index 0000000000..206ae10a75 --- /dev/null +++ b/kubernetes/cds/charts/cds-py-executor/values.yaml @@ -0,0 +1,120 @@ +# Copyright (c) 2020 Bell Canada, Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific lan`guage governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + # Change to an unused port prefix range to prevent port conflicts + # with other instances running within the same k8s cluster + nodePortPrefix: 302 + + # image repositories + repository: nexus3.onap.org:10001 + + # readiness check + readinessRepository: oomk8s + readinessImage: readiness-check:2.0.0 + + # image pull policy + pullPolicy: Always + + persistence: + mountPath: /dockerdata-nfs + +################################################################# +# Application configuration defaults. +################################################################# +# application image +repository: nexus3.onap.org:10001 +image: onap/ccsdk-py-executor:0.7.2 +pullPolicy: Always + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + port: 50052 + initialDelaySeconds: 20 + periodSeconds: 20 + timeoutSeconds: 20 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + port: 50052 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 20 + +service: + type: ClusterIP + ports: + - port: 50052 + name: executor-grpc + - port: 50053 + name: manager-grpc + +secrets: + - uid: api-credentials + externalSecret: '{{ tpl (default "" .Values.config.authCredentialsExternalSecret) . }}' + type: basicAuth + login: '{{ .Values.config.apiUsername }}' + password: '{{ .Values.config.apiPassword }}' + passwordPolicy: required + +config: + # the api credentials below are used to authenticate communication with blueprint + # processor API. Py executor in this context is a client of the blueprint processor + apiUsername: ccsdkapps + apiPassword: ccsdkapps + env: + appPort: 50052 + authType: tls-auth + logFile: /dev/stdout + artifactManagerPort: 50053 + artifactManagerLogFile: /dev/stdout + +persistence: + enabled: true + mountSubPath: cds/blueprints/deploy + deployedBlueprint: /opt/app/onap/blueprints/deploy + +ingress: + enabled: false + +flavor: small + +resources: + small: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 1Gi + large: + limits: + cpu: 4 + memory: 8Gi + requests: + cpu: 2 + memory: 4Gi + unlimited: {} diff --git a/kubernetes/cds/charts/cds-sdc-listener/values.yaml b/kubernetes/cds/charts/cds-sdc-listener/values.yaml index b9c329a124..c784a82ba1 100644 --- a/kubernetes/cds/charts/cds-sdc-listener/values.yaml +++ b/kubernetes/cds/charts/cds-sdc-listener/values.yaml @@ -37,7 +37,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/ccsdk-sdclistener:0.7.1 +image: onap/ccsdk-sdclistener:0.7.2 name: sdc-listener pullPolicy: Always diff --git a/kubernetes/cds/charts/cds-ui/templates/deployment.yaml b/kubernetes/cds/charts/cds-ui/templates/deployment.yaml index 79cffd16da..d7aad4d0c3 100644 --- a/kubernetes/cds/charts/cds-ui/templates/deployment.yaml +++ b/kubernetes/cds/charts/cds-ui/templates/deployment.yaml @@ -85,31 +85,9 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - # side car containers - # - name: filebeat-onap - # image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" - # imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - # volumeMounts: - # - mountPath: /usr/share/filebeat/filebeat.yml - # name: filebeat-conf - # subPath: filebeat.yml - # - mountPath: /home/esr/works/logs - # name: esr-server-logs - # - mountPath: /usr/share/filebeat/data - # name: esr-server-filebeat volumes: - name: localtime hostPath: path: /etc/localtime - # - name: filebeat-conf - # configMap: - # name: {{ include "common.fullname" . }}-esr-filebeat - # - name: esr-server-logs - # emptyDir: {} - # - name: esr-server-filebeat - # emptyDir: {} - # - name: esrserver-log - # configMap: - # name: {{ include "common.fullname" . }}-esr-esrserver-log imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/cds/charts/cds-ui/values.yaml b/kubernetes/cds/charts/cds-ui/values.yaml index 5810f39672..d084307bbb 100644 --- a/kubernetes/cds/charts/cds-ui/values.yaml +++ b/kubernetes/cds/charts/cds-ui/values.yaml @@ -28,7 +28,7 @@ subChartsOnly: # application image repository: nexus3.onap.org:10001 -image: onap/ccsdk-cds-ui-server:0.7.1 +image: onap/ccsdk-cds-ui-server:0.7.2 pullPolicy: Always # application configuration @@ -88,9 +88,9 @@ ingress: service: - baseaddr: "cdsui" name: "cds-ui" - port: 8080 - config: - ssl: "none" + port: 3000 + config: + ssl: "redirect" # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/cds/values.yaml b/kubernetes/cds/values.yaml index 1ead35e234..d04c22beb0 100644 --- a/kubernetes/cds/values.yaml +++ b/kubernetes/cds/values.yaml @@ -38,11 +38,6 @@ secrets: externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) (hasSuffix "cds-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}' login: '{{ index .Values "mariadb-galera" "config" "userName" }}' password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}' - - name: &dbRootPasswordSecretName '{{ include "common.release" . }}-cds-db-root-pass' - uid: 'cds-db-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "mariadbRootPasswordExternalSecret")) .) (hasSuffix "cds-db-root-pass" (index .Values "mariadb-galera" "config" "mariadbRootPasswordExternalSecret"))}}' - password: '{{ index .Values "mariadb-galera" "config" "mariadbRootPassword" }}' ################################################################# # Application configuration defaults. @@ -86,7 +81,6 @@ mariadb-galera: userName: sdnctl # userPassword: sdnctl userCredentialsExternalSecret: *dbUserSecretName - mariadbRootPasswordExternalSecret: *dbRootPasswordSecretName mysqlDatabase: &mysqlDbName sdnctl nameOverride: &dbServer cds-db service: @@ -104,7 +98,6 @@ cds-blueprints-processor: dbPort: 3306 dbName: *mysqlDbName dbCredsExternalSecret: *dbUserSecretName - dbRootPassExternalSecret: *dbRootPasswordSecretName #Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/clamp/charts/clamp-backend/templates/configmap.yaml b/kubernetes/clamp/charts/clamp-backend/templates/configmap.yaml index 0011c6a6d4..f66312c741 100644 --- a/kubernetes/clamp/charts/clamp-backend/templates/configmap.yaml +++ b/kubernetes/clamp/charts/clamp-backend/templates/configmap.yaml @@ -26,16 +26,5 @@ metadata: data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} spring_application_json: {{ tpl .Values.config.springApplicationJson . | quote }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.release" . }}-clamp-filebeat-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/log/filebeat/*").AsConfig . | indent 2 }} + +{{ include "common.log.configMap" . }} diff --git a/kubernetes/clamp/charts/clamp-backend/templates/deployment.yaml b/kubernetes/clamp/charts/clamp-backend/templates/deployment.yaml index bdae07a261..5e473bc12e 100644 --- a/kubernetes/clamp/charts/clamp-backend/templates/deployment.yaml +++ b/kubernetes/clamp/charts/clamp-backend/templates/deployment.yaml @@ -48,17 +48,8 @@ spec: name: {{ include "common.name" . }}-readiness containers: # side car containers - - name: {{ include "common.name" . }}-filebeat-onap - image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: {{ include "common.fullname" . }}-filebeat-conf - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - - name: {{ include "common.fullname" . }}-data-filebeat - mountPath: /usr/share/filebeat/data - - name: {{ include "common.fullname" . }}-logs - mountPath: /var/log/onap + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }} + # main container - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -81,17 +72,23 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - name: {{ include "common.fullname" . }}-logs - mountPath: /var/log/onap + - name: logs + mountPath: {{ .Values.log.path }} - mountPath: /opt/clamp/sdc-controllers-config.json name: {{ include "common.fullname" . }}-config subPath: sdc-controllers-config.json env: - - name: SPRING_APPLICATION_JSON - valueFrom: - configMapKeyRef: - name: {{ template "common.fullname" . }} - key: spring_application_json + - name: MYSQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: MYSQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + - name: MYSQL_DATABASE + value: {{ tpl .Values.db.databaseName .}} + - name: SPRING_APPLICATION_JSON + valueFrom: + configMapKeyRef: + name: {{ template "common.fullname" . }} + key: spring_application_json resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -109,12 +106,8 @@ spec: items: - key: sdc-controllers-config.json path: sdc-controllers-config.json - - name: {{ include "common.fullname" . }}-filebeat-conf - configMap: - name: {{ include "common.release" . }}-clamp-filebeat-configmap - - name: {{ include "common.fullname" . }}-data-filebeat - emptyDir: {} - - name: {{ include "common.fullname" . }}-logs + - name: logs emptyDir: {} + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/clamp/charts/clamp-backend/templates/secrets.yaml b/kubernetes/clamp/charts/clamp-backend/templates/secrets.yaml new file mode 100644 index 0000000000..57f88ce32d --- /dev/null +++ b/kubernetes/clamp/charts/clamp-backend/templates/secrets.yaml @@ -0,0 +1,16 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/clamp/charts/clamp-backend/values.yaml b/kubernetes/clamp/charts/clamp-backend/values.yaml index 18888547c3..f354ad14a7 100644 --- a/kubernetes/clamp/charts/clamp-backend/values.yaml +++ b/kubernetes/clamp/charts/clamp-backend/values.yaml @@ -23,19 +23,34 @@ global: # global defaults readinessImage: readiness-check:2.0.0 persistence: {} +secrets: + - uid: db-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' + login: '{{ .Values.db.user }}' + password: '{{ .Values.db.password }}' + passwordPolicy: required + flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/clamp-backend:5.0.3 +image: onap/clamp-backend:5.0.6 pullPolicy: Always # flag to enable debugging - application support required debugEnabled: false +# log configuration +log: + path: /var/log/onap + ################################################################# # Application configuration defaults. ################################################################# + +db: {} + config: log: logstashServiceName: log-ls @@ -43,8 +58,10 @@ config: mysqlPassword: strong_pitchou dataRootDir: /dockerdata-nfs springApplicationJson: > - { - "spring.datasource.cldsdb.url": "jdbc:mariadb:sequential://clampdb.{{ include "common.namespace" . }}:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3", + { + "spring.datasource.username": "${MYSQL_USER}", + "spring.datasource.password": "${MYSQL_PASSWORD}", + "spring.datasource.url": "jdbc:mariadb:sequential://clampdb.{{ include "common.namespace" . }}:3306/${MYSQL_DATABASE}?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3", "spring.profiles.active": "clamp-default,clamp-aaf-authentication,clamp-sdc-controller,clamp-ssl-config,clamp-policy-controller,legacy-operational-policy,default-dictionary-elements", "clamp.config.files.sdcController": "file:/opt/clamp/sdc-controllers-config.json", "clamp.config.dcae.inventory.url": "https4://inventory.{{ include "common.namespace" . }}:8080", @@ -59,7 +76,7 @@ config: "clamp.config.policy.pap.userName": "healthcheck", "clamp.config.policy.pap.password": "zb!XztG34", "clamp.config.cadi.aafLocateUrl": "https://aaf-locate.{{ include "common.namespace" . }}:8095" - } + } # default number of instances replicaCount: 1 diff --git a/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml b/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml index e4deab0e15..1eb20fce89 100644 --- a/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml +++ b/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml @@ -87,7 +87,7 @@ discovery.zen.minimum_master_nodes: 1 discovery.seed_hosts: [] # # Breaking change in 7.0 # # https://www.elastic.co/guide/en/elasticsearch/reference/7.0/breaking-changes-7.0.html#breaking_70_discovery_changes -cluster.initial_master_nodes: +cluster.initial_master_nodes: - cldash-es-node1 # - docker-test-node-1 # ---------------------------------- Various ----------------------------------- @@ -125,4 +125,4 @@ opendistro_security.check_snapshot_restore_write_privileges: true opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] cluster.routing.allocation.disk.threshold_enabled: false node.max_local_storage_nodes: 3 -######## End OpenDistro for Elasticsearch Security Demo Configuration ########
\ No newline at end of file +######## End OpenDistro for Elasticsearch Security Demo Configuration ######## diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/templates/ingress.yaml b/kubernetes/clamp/charts/clamp-dash-kibana/templates/ingress.yaml new file mode 100644 index 0000000000..0cd8cfbd36 --- /dev/null +++ b/kubernetes/clamp/charts/clamp-dash-kibana/templates/ingress.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung, Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.ingress" . }} diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml b/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml index 8e640a4b3a..96a30f9e5f 100644 --- a/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml +++ b/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml @@ -87,6 +87,12 @@ service: nodePort: 90 ingress: enabled: false + service: + - baseaddr: "cdash-kibana" + name: "cdash-kibana" + port: 5601 + config: + ssl: "redirect" #resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf b/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf index 4b05910c02..c005fcca3e 100644 --- a/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf +++ b/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf @@ -59,7 +59,7 @@ filter { if [http_request_failure] or [@metadata][code] != 200 { mutate { - add_tag => [ "error" ] + add_tag => [ "error" ] } } @@ -195,7 +195,7 @@ filter { clones => [ "event-cl-aggs" ] add_tag => [ "event-cl-aggs" ] } - + if "event-cl-aggs" in [@metadata][request][tags]{ # # we only need a few fields for aggregations; remove all fields from clone except : @@ -204,7 +204,7 @@ filter { prune { whitelist_names => ["^@.*$","^topic$","^type$","^tags$","^flagFinalFailure$","^flagAbated$","^locationState$","^locationCity$","^vmName$","^vnfName$","^vnfType$","^requestID$","^closedLoopAlarmStart$","^closedLoopControlName$","^closedLoopAlarmEnd$","^target$","^target_type$","^triggerSourceName$","^policyScope$","^policyName$","^policyVersion$"] } - + } } } diff --git a/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/bootstrap-database.sh b/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/bootstrap-database.sh deleted file mode 100755 index 224a813db9..0000000000 --- a/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/bootstrap-database.sh +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/sh - -### -# ============LICENSE_START======================================================= -# ONAP CLAMP -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END============================================ -# =================================================================== -# -### - -mysql -uroot -p$MYSQL_ROOT_PASSWORD -f < /docker-entrypoint-initdb.d/bulkload/create-db.sql -## New model creation -mysql -uroot -p$MYSQL_ROOT_PASSWORD -f cldsdb4 < /docker-entrypoint-initdb.d/bulkload/create-tables.sql diff --git a/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/bulkload/create-db.sql b/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/bulkload/create-db.sql deleted file mode 100644 index ea4d97c1b5..0000000000 --- a/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/bulkload/create-db.sql +++ /dev/null @@ -1,11 +0,0 @@ -# -# Create CLDS database objects (tables, etc.) -# -# -CREATE DATABASE `cldsdb4`; -USE `cldsdb4`; -DROP USER 'clds'; -CREATE USER 'clds'; -GRANT ALL on cldsdb4.* to 'clds' identified by 'sidnnd83K' with GRANT OPTION; -FLUSH PRIVILEGES; - diff --git a/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/bulkload/create-tables.sql b/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/create-tables.sql index 1f153bce04..1f153bce04 100644 --- a/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/bulkload/create-tables.sql +++ b/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/create-tables.sql diff --git a/kubernetes/clamp/charts/mariadb/templates/configmap.yaml b/kubernetes/clamp/charts/mariadb/templates/configmap.yaml index 705c38fa19..522c5f9bf8 100644 --- a/kubernetes/clamp/charts/mariadb/templates/configmap.yaml +++ b/kubernetes/clamp/charts/mariadb/templates/configmap.yaml @@ -17,19 +17,6 @@ apiVersion: v1 kind: ConfigMap metadata: - name: clamp-entrypoint-initdb-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/mariadb/docker-entrypoint-initdb.d/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: name: clamp-entrypoint-bulkload-configmap namespace: {{ include "common.namespace" . }} labels: @@ -38,7 +25,7 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/mariadb/docker-entrypoint-initdb.d/bulkload/*").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/mariadb/docker-entrypoint-initdb.d/*").AsConfig . | indent 2 }} --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/clamp/charts/mariadb/templates/deployment.yaml b/kubernetes/clamp/charts/mariadb/templates/deployment.yaml index be46f89433..7d22930b6a 100644 --- a/kubernetes/clamp/charts/mariadb/templates/deployment.yaml +++ b/kubernetes/clamp/charts/mariadb/templates/deployment.yaml @@ -52,19 +52,19 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: - - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: db-root-password + - name: MYSQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: MYSQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + - name: MYSQL_ROOT_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 12 }} + - name: MYSQL_DATABASE + value: {{ tpl .Values.db.databaseName .}} volumeMounts: - - mountPath: /docker-entrypoint-initdb.d/bootstrap-database.sh - name: docker-entrypoint-initdb - subPath: bootstrap-database.sh - mountPath: /etc/localtime name: localtime readOnly: true - - mountPath: /docker-entrypoint-initdb.d/bulkload/ + - mountPath: /docker-entrypoint-initdb.d/ name: docker-entrypoint-bulkload - mountPath: /etc/mysql/conf.d/conf1/ name: clamp-mariadb-conf @@ -88,9 +88,6 @@ spec: {{- else }} emptyDir: {} {{- end }} - - name: docker-entrypoint-initdb - configMap: - name: clamp-entrypoint-initdb-configmap - name: docker-entrypoint-bulkload configMap: name: clamp-entrypoint-bulkload-configmap diff --git a/kubernetes/clamp/charts/mariadb/templates/secrets.yaml b/kubernetes/clamp/charts/mariadb/templates/secrets.yaml index 8f3a21752d..57f88ce32d 100644 --- a/kubernetes/clamp/charts/mariadb/templates/secrets.yaml +++ b/kubernetes/clamp/charts/mariadb/templates/secrets.yaml @@ -13,16 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - db-root-password: {{ .Values.config.mysqlPassword | b64enc | quote }} +{{ include "common.secretFast" . }} diff --git a/kubernetes/clamp/charts/mariadb/values.yaml b/kubernetes/clamp/charts/mariadb/values.yaml index 8bf6100563..df651dd9ea 100644 --- a/kubernetes/clamp/charts/mariadb/values.yaml +++ b/kubernetes/clamp/charts/mariadb/values.yaml @@ -20,18 +20,27 @@ global: # global defaults nodePortPrefix: 302 persistence: {} - # application image repository: nexus3.onap.org:10001 image: mariadb:10.3.12 pullPolicy: Always flavor: small - ################################################################# -# Application configuration defaults. +# Secrets metaconfig ################################################################# -config: - mysqlPassword: strong_pitchou +secrets: + - uid: db-root-pass + type: password + externalSecret: '{{ tpl (default "" .Values.db.rootCredsExternalSecret) . }}' + password: '{{ .Values.db.rootPass }}' + - uid: db-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' + login: '{{ .Values.db.user }}' + password: '{{ .Values.db.password }}' + +# Application configuration +db: {} # default number of instances replicaCount: 1 diff --git a/kubernetes/clamp/resources/config/log/filebeat/filebeat.yml b/kubernetes/clamp/resources/config/log/filebeat/filebeat.yml new file mode 100644 index 0000000000..dab2e44f5e --- /dev/null +++ b/kubernetes/clamp/resources/config/log/filebeat/filebeat.yml @@ -0,0 +1,53 @@ +# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +filebeat.prospectors: +#it is mandatory, in our case it's log +- input_type: log + #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. + paths: + - /var/log/onap/*/*/*/*.log + - /var/log/onap/*/*/*.log + - /var/log/onap/*/*.log + #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive + ignore_older: 48h + # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit + clean_inactive: 96h + +# Name of the registry file. If a relative path is used, it is considered relative to the +# data path. Else full qualified file name. +#filebeat.registry_file: ${path.data}/registry + + +output.logstash: + #List of logstash server ip addresses with port number. + #But, in our case, this will be the loadbalancer IP address. + #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. + hosts: ["{{.Values.config.log.logstashServiceName}}:{{.Values.config.log.logstashPort}}"] + #If enable will do load balancing among availabe Logstash, automatically. + loadbalance: true + + #The list of root certificates for server verifications. + #If certificate_authorities is empty or not set, the trusted + #certificate authorities of the host system are used. + #ssl.certificate_authorities: $ssl.certificate_authorities + + #The path to the certificate for SSL client authentication. If the certificate is not specified, + #client authentication is not available. + #ssl.certificate: $ssl.certificate + + #The client certificate key used for client authentication. + #ssl.key: $ssl.key + + #The passphrase used to decrypt an encrypted key stored in the configured key file + #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/clamp/templates/configmap.yaml b/kubernetes/clamp/templates/configmap.yaml index 4278a6e6d3..3fce850140 100644 --- a/kubernetes/clamp/templates/configmap.yaml +++ b/kubernetes/clamp/templates/configmap.yaml @@ -25,3 +25,5 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} + +{{ include "common.log.configMap" . }} diff --git a/kubernetes/clamp/templates/deployment.yaml b/kubernetes/clamp/templates/deployment.yaml index e4ac4723da..e8a7cc25cd 100644 --- a/kubernetes/clamp/templates/deployment.yaml +++ b/kubernetes/clamp/templates/deployment.yaml @@ -48,17 +48,8 @@ spec: name: {{ include "common.name" . }}-readiness containers: # side car containers - - name: {{ include "common.name" . }}-filebeat-onap - image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: {{ include "common.fullname" . }}-filebeat-conf - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - - name: {{ include "common.fullname" . }}-data-filebeat - mountPath: /usr/share/filebeat/data - - name: {{ include "common.fullname" . }}-logs - mountPath: /var/log/nginx/ + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }} + # main container - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -79,8 +70,8 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - name: {{ include "common.fullname" . }}-logs - mountPath: /var/log/nginx/ + - name: logs + mountPath: {{ .Values.log.path }} - mountPath: /etc/nginx/conf.d/default.conf name: {{ include "common.fullname" . }}-config subPath: default.conf @@ -101,13 +92,8 @@ spec: items: - key: default.conf path: default.conf - - name: {{ include "common.fullname" . }}-filebeat-conf - configMap: - name: {{ include "common.release" . }}-clamp-filebeat-configmap - - name: {{ include "common.fullname" . }}-data-filebeat - emptyDir: {} - - name: {{ include "common.fullname" . }}-logs + - name: logs emptyDir: {} + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - diff --git a/kubernetes/clamp/templates/secrets.yaml b/kubernetes/clamp/templates/secrets.yaml new file mode 100644 index 0000000000..57f88ce32d --- /dev/null +++ b/kubernetes/clamp/templates/secrets.yaml @@ -0,0 +1,16 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/clamp/values.yaml b/kubernetes/clamp/values.yaml index 47eca67f91..9446ca8eb3 100644 --- a/kubernetes/clamp/values.yaml +++ b/kubernetes/clamp/values.yaml @@ -22,6 +22,34 @@ global: # global defaults readinessImage: readiness-check:2.0.0 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + centralizedLoggingEnabled: false + +secrets: + - uid: db-root-pass + name: &dbRootPass '{{ include "common.release" . }}-clamp-db-root-pass' + type: password + password: '{{ .Values.db.rootPass }}' + - uid: db-secret + name: &dbUserPass '{{ include "common.release" . }}-clamp-db-user-pass' + type: basicAuth + login: '{{ .Values.db.user }}' + password: '{{ .Values.db.password }}' + +db: + user: clds +# password: sidnnd83K + databaseName: &dbName cldsdb4 +# rootPass: emrys user: testos + +clamp-backend: + db: + userCredsExternalSecret: *dbUserPass + databaseName: *dbName +mariadb: + db: + rootCredsExternalSecret: *dbRootPass + userCredsExternalSecret: *dbUserPass + databaseName: *dbName subChartsOnly: enabled: true @@ -30,12 +58,16 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/clamp-frontend:5.0.3 +image: onap/clamp-frontend:5.0.6 pullPolicy: Always # flag to enable debugging - application support required debugEnabled: false +# log configuration +log: + path: /var/log/nginx/ + ################################################################# # Application configuration defaults. ################################################################# @@ -84,7 +116,7 @@ service: ingress: enabled: false service: - - baseaddr: "clamp" + - baseaddr: "clamp.api" name: "clamp" port: 2443 config: diff --git a/kubernetes/cli/values.yaml b/kubernetes/cli/values.yaml index fba076d47d..e5484dff5b 100644 --- a/kubernetes/cli/values.yaml +++ b/kubernetes/cli/values.yaml @@ -64,14 +64,14 @@ service: ingress: enabled: false service: - - baseaddr: "cli" + - baseaddr: "cli.api" name: "cli" port: 443 - - baseaddr: "cli2" + - baseaddr: "cli2.api" name: cli port: 9090 config: - ssl: "none" + ssl: "redirect" # Configure resource requests and limits # ref: http://kubernetes.io/docs/user-guide/compute-resources/ diff --git a/kubernetes/common/Makefile b/kubernetes/common/Makefile index 5bd503e0ff..941c2f84df 100644 --- a/kubernetes/common/Makefile +++ b/kubernetes/common/Makefile @@ -20,7 +20,7 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets COMMON_CHARTS_DIR := common EXCLUDES := -HELM_CHARTS := $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.))) +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -49,4 +49,4 @@ clean: @rm -f *tgz */charts/*tgz @rm -rf $(PACKAGE_DIR) %: - @:
\ No newline at end of file + @: diff --git a/kubernetes/common/cassandra/requirements.yaml b/kubernetes/common/cassandra/requirements.yaml index bab2c4befc..90e6621aa3 100644 --- a/kubernetes/common/cassandra/requirements.yaml +++ b/kubernetes/common/cassandra/requirements.yaml @@ -16,4 +16,4 @@ dependencies: - name: common version: ~6.x-0 - repository: '@local' + repository: 'file://../common' diff --git a/kubernetes/common/certInitializer/Chart.yaml b/kubernetes/common/certInitializer/Chart.yaml new file mode 100644 index 0000000000..3b20045b1f --- /dev/null +++ b/kubernetes/common/certInitializer/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: Template used to obtain certificates in onap +name: certInitializer +version: 6.0.0 diff --git a/kubernetes/common/music/charts/music-tomcat/requirements.yaml b/kubernetes/common/certInitializer/requirements.yaml index 7aed47bc52..237f1d1354 100755..100644 --- a/kubernetes/common/music/charts/music-tomcat/requirements.yaml +++ b/kubernetes/common/certInitializer/requirements.yaml @@ -1,4 +1,4 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. +# Copyright © 2018 Amdocs, Bell Canada # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,8 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. - dependencies: - name: common version: ~6.x-0 - repository: '@local'
\ No newline at end of file + repository: 'file://../common' diff --git a/kubernetes/common/certInitializer/resources/truststoreONAP.p12.b64 b/kubernetes/common/certInitializer/resources/truststoreONAP.p12.b64 new file mode 100644 index 0000000000..71b6782c58 --- /dev/null +++ b/kubernetes/common/certInitializer/resources/truststoreONAP.p12.b64 @@ -0,0 +1,30 @@ +MIIGFAIBAzCCBdoGCSqGSIb3DQEHAaCCBcsEggXHMIIFwzCCBb8GCSqGSIb3DQEHBqCCBbAw +ggWsAgEAMIIFpQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIIYleh/TibnoCAggAgIIF +eGle/QhuHZkU5OjTo1L4MUbBFMGEu2hFNjqzYC3fuvfSIdMUxVZ1vQspIPNiPs1+WZ/lB9vZ +vBkQZ6AyBNTqZlHk5vv1tNyLksZCMRWlPLB/GF8becTuawuC2+IJajmuN5aLG9Fsx9G+bKQ6 +fO/VUq4urhuOEhKtft2wVUrQON0GnDcUemj/OLE6jMWrNlrxVdCqqII8xs5yGr/qfIRtpIVx +NZOAJdlKGZcc47wIG+lXHDeibH4rtObOLSk6mY9bjQ7Omp6HsshOaFDsx/ZWiG1+H7ZRDSSK +v5qWpr5xEhBM66TufMi0Tn8XNUsjkKCar25acH1odQQIQLhpFcqDyKaqFQM/60fvH4CTQ1SA +7vhpfUx9y7t2cEIg8lDEhhOUSRIVr+iw0zhoknPxJLfPuhRDzVKm8KxADCVjVR29K9nBgIrF +IVQ4gW0RRmCcHqBPVoakWs0BdTzhMwWtnxTLkpSLZoMkoi/8wfw7SDhaV4G6qXXqvDVaWbwR +nqpZWeQBRDSqOEmsPuLzq2J1Ls/v9J5ZQpeqyyYinGCjUUlC+fE6nhCrNsHeWTOlmBUyh/kA +WDAx1LgctqTwgIpPrJzkjPCfIuJyO7lhHFyBK8j/8NwMUgA5zBismhtQ3kQ3GBmTCm1cFkdz +AR4cV30244Oe3GmJG8ZUWiTjIuq2Eo4ISUR1h50uXlCja9n9n964wPJkNJyHyUa5cqz/EAkM +vzeL0VNW7Jpym3gRxNLqYILFBjZnhC7R9RhHciHYwIEEMj9WywDE6hDZqFReI6N3ZQNIWnHt +Je6e1YFwduGWnQFnL33XZi7ZqVY9Pr7mwu9c/LaCUuwDwy2rtAY50cnpp9CfbIp3oD33sfNe +LMmCcEkRvl/BNMtifnWnsaiCCoUZxLe6d8JWudu4r8M+bdoIkqoIUSyhuIsjjKnYAE/wmZvy +nphgC9tN1g5rY5CxqEQXyGvaD/lRgxpchKqwFFF89dEU27llLPneRSiIpth/pnip104N7H/+ +I5RaHNfaiNTUGLJSqmewCPCKritGJogqaBCj8oiI8uGovQZEYd8kgaDao8FCrpOFaHFhlUxd +fltyOZImAQ4cLEywj9VZFz/AriV+FZWe0VS1A6pBCknwZJBBJPKSQ4fAoDwAWmQsiHRE6h/N +OcD9zh4XqnCgy2f07SOPBf8AnLoe9XJXVm5T6xG8ZwfrmtDYk9Ze2VTxFJsolcaz/58JqSe3 +2mc3nuQqhZEzP7bWoD68ekykfbm2qJcC82fxYKkooNJ1T/Aagh+Vxsc8t/ubAEAKzz4fXZY5 +hO2zuk3AIn6WkwKZwoHfuCXXH1o3vlGsQx59N2kvifNUZf5ZzSbHIB8Hefckh0W9FMYE99de +lKdv5H4BSIiZ4v7r/0AkiV0M6WJOdogkEBIBcE81URAI6uwBuq2vUMyhIlekvmGlfV1+70jR +T22rjPiaswc8+GqDoI1kRrEwHHYT8O2JLBkSBv9A6LkCJPNt2bepPnJM7OyShQ0srmwdZOpY +0YcDZwbWVQNPZqtvZJl860mMisXO9MRIBS1udkL2SgzWYNpgGJN/vaRgjQiDyN9B4x8a+5sx +7fCLzmcxHeP7eYBkmH4guPCRr8VZboQanShKje3iS6ukKI15aD9FnzGn3TwrMyLTqzvBZSct +yM5Ew7cwUe67OKAXATaLc3AK5OBAqyLGMsi5Q1C8Hd/zqu6tQ/aRUpqfocRIIVrO+zEVfPfA +DOTtA7y6FHY00J2WwOkmZ9CkUWURFadA1+w3oIvlAxMDTfvEstOfvIs5TJalPRjsQYFW2875 +9IQ01SN7jFYKGWzGfsdtDrEJC3157J9Kjy56QUNgYKVaYe0V26Olwir3mAGH4dSaQMVsMDEw +ITAJBgUrDgMCGgUABBTxE9oEHuqG7KvR83sl8JdO+A6MxAQIwdEAxeLiamcCAggA + diff --git a/kubernetes/common/certInitializer/resources/truststoreONAPall.jks.b64 b/kubernetes/common/certInitializer/resources/truststoreONAPall.jks.b64 new file mode 100644 index 0000000000..17b051268f --- /dev/null +++ b/kubernetes/common/certInitializer/resources/truststoreONAPall.jks.b64 @@ -0,0 +1,2186 @@ +/u3+7QAAAAIAAABrAAAAAgAYdmVyaXNpZ25jbGFzczJnMmNhIFtqZGtdAAABVsJJxYQABVgu +NTA5AAADBzCCAwMwggJsAhEAuS9gzIifoXpGCbhbcGyKrzANBgkqhkiG9w0BAQUFADCBwTEL +MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTwwOgYDVQQLEzNDbGFzcyAy +IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIxOjA4BgNVBAsT +MShjKSAxOTk4IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAd +BgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmswHhcNOTgwNTE4MDAwMDAwWhcNMjgwODAx +MjM1OTU5WjCBwTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTwwOgYD +VQQLEzNDbGFzcyAyIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0g +RzIxOjA4BgNVBAsTMShjKSAxOTk4IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQg +dXNlIG9ubHkxHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmswgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAKeIASF0LOcaA/CY4Zc8DyEI8Zzbl+ma/MIEBhO+X1LIzB4sElYs +uAFpLMyZH62wlq55BPITOcF7mLoILOjChBMsqmnpCfTHqQKkQsIjT0rY8A6i+zFsyeZvmScH +9eb0THiebetGhvq5hslU8rLEr9RGHFrJFTD/DWz1LQ5tzn93AgMBAAEwDQYJKoZIhvcNAQEF +BQADgYEAci75f9HxcfvEnvbFXlGKQJi4aPibHIPY4p29/+2h5mbqLwn0ytfqpSuV9iRghk1E +LoOlxC2g0654aW9y2myuCPBjkjfmu8QwF613zEk1qs/Yj9G+txiWR3NqVCI0ZC22FptZW7RR +WTqzCxT0Et9noPStMmResUZyJ4wSe8VEtK4AAAACABlkaWdpY2VydGFzc3VyZWRpZGczIFtq +ZGtdAAABVsJI3zgABVguNTA5AAACSjCCAkYwggHNoAMCAQICEAuhWvod36C1SUSvzSSgbOww +CgYIKoZIzj0EAwMwZTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG +A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEkMCIGA1UEAxMbRGlnaUNlcnQgQXNzdXJlZCBJRCBS +b290IEczMB4XDTEzMDgwMTEyMDAwMFoXDTM4MDExNTEyMDAwMFowZTELMAkGA1UEBhMCVVMx +FTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEkMCIG +A1UEAxMbRGlnaUNlcnQgQXNzdXJlZCBJRCBSb290IEczMHYwEAYHKoZIzj0CAQYFK4EEACID +YgAEGee8rERl7c24P1j7jbFXqUQtBRXy7wv/EHSftWJSX2Z+H+XcG0V5C8zGUwqdjV0C2alZ +3gJa9pUqDo04SopJxrzGAzgHX1Xafglu4n9e0EUgD1l2ENagJPAt3jbybCk5o0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUy9C9qeGYBVGhTTeig3nO +jR0q5IQwCgYIKoZIzj0EAwMDZwAwZAIwJaSBRQJrEkt1dE/II+Nw8nVy3nyJ8M+RcmGeXhCS +WVa5g8cQ5zjpWCY2fdXkNIY5AjB8NlPwMOViYzqZ4rajO5s0+h7aEJJxXpETp92kbpLMMtb1 +IWbHL+qWY2plRZKVAbQAAAACAB12ZXJpc2lnbnVuaXZlcnNhbHJvb3RjYSBbamRrXQAAAVbC +SX1uAAVYLjUwOQAABL0wggS5MIIDoaADAgECAhBAGsRkIbMTIQMOu+QSGsUdMA0GCSqGSIb3 +DQEBCwUAMIG9MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNV +BAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA4IFZlcmlTaWdu +LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxODA2BgNVBAMTL1ZlcmlTaWduIFVu +aXZlcnNhbCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA4MDQwMjAwMDAwMFoX +DTM3MTIwMTIzNTk1OVowgb0xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5j +LjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazE6MDgGA1UECxMxKGMpIDIwMDgg +VmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE4MDYGA1UEAxMvVmVy +aVNpZ24gVW5pdmVyc2FsIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHYTdesQE022LXFZv/WFqMIyPWYI6R15CYg3rmWBk4 +jMX25WSFtKJx++29udrNTQC0yC1zpcdpcZUfOTyyRAec6A76TUrEId8pYY8yImGCxYcfbox8 +XxYgUUTRcE9X6uMc48x57ljYDsKzRZPALOeaFyt7ADd6QTN44TPi8xAaf4csvvb190Li5b+H +YolfAEvfxd3kdUQyQToecW5pywt1RgjRytIrldDP+7lAa2SMV038ExF5hO1eVPY0nwgB8xAl +BhdK2vEdemZrmGBmpNnv0i6C8fDvCepEyRVq4gNuM9Osn1UAx/YIapS5X9zgM/GEYPlbJxG0 +/Bbyu1ZqgCWNAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +bQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUj+XT +GoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nby5n +aWYwHQYDVR0OBBYEFLZ3+mlIR59TEtXC6gcydgfRlwcZMA0GCSqGSIb3DQEBCwUAA4IBAQBK ++PiwA+YsZ3vklHdjzG5M+X0ODdzIuTW5cE9j+iT6bIOMR507Y/Oa+XYylZGxd7ysmr6x5DEh +xoGVVloOscLUsaZZrPFjy7hMHVmQSu+QFigfWq4Q+4FQOAxszPE9w/Vj47PjIckkOen9FWZG +9BsR0E1zo31G+T3tqF9i1PE/+OB0VysYnYG0xCjalJelcOusHb4HEfDV293ljPDVMrCD5lfi +j7++oaq/PR211Djq17BcOk9qP4/AZmxjqunZpBb0gdGVFA59zZU02dKPcHOBe5x+vZhh2EWH +mJDF64YwxjW/8P/DVYiDS+8FkgZx8riYk7fszYJh8TjmT5eYKlqNAAAAAgAbZGlnaWNlcnR0 +cnVzdGVkcm9vdGc0IFtqZGtdAAABVsJJT9kABVguNTA5AAAFlDCCBZAwggN4oAMCAQICEAWb +G1eejiEy4jkHvad3dVwwDQYJKoZIhvcNAQEMBQAwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoT +DERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGln +aUNlcnQgVHJ1c3RlZCBSb290IEc0MB4XDTEzMDgwMTEyMDAwMFoXDTM4MDExNTEyMDAwMFow +YjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRp +Z2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgVHJ1c3RlZCBSb290IEc0MIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv+aQc2jeu+RdSjwwIjBpM+zCpyUuySE98orYWcLh +Kac9WKt2ms2uexuEDcQwH/MbpDgW61bGl20dq7J58soR0uRf1gU8Ug9SH8aeFaV+vp+pVxZZ +VXKvaJNwwrK6dZlqczKU0RBEEC7fgvMHhOZ0O21x4i0MG+4g1ckgHWMpLc7sXk7Ik/ghYZs0 +6wXGXuxbGrzryc/NrDRAX7F6Zu53yEioZldXn1RYjgwrt0+nMNlW7sp7XeOtyU9e5TXnMcva +k17cjo+A2raRmECQecN4x7axxLVqGDgDEI3Y1DekLgV9iPWCPhCRcKtVgkEy19sEcypukQF8 +IUzUvK4bA3VdeGbZOjFEmjNAvwjXWkmkwuapoGfdpCe8oU85tRFYF/ckXEaPZPfBaYh2mHY9 +WV1CdoeJl2l6SPDgohIbZpp0yt5LHucOY67m1O+SkjqePdwA5EUlibaaRBkrfsCUtNJhbesz +2cXfSwQAzH0clcOP9yGyshG3u3/y1YxwLEFgqrFjGESVGnZifvaAsPvoZKYz0YkH4b235kOk +GLimdwHhD5QMIR2yVCkliWzlDlJRR3S+Jqy2QXXeeqxfjT/JvNNBERJb5RBQ6zHFynIWIgnf +fEx1P2PsIV/EIFFrb7GrhotPwtZFX50g/KEexcCPorF+CiaZ9eRpL5gdLfXZqbId5RsCAwEA +AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFOzX44LS +cV1kTN8uZz/nupiuHA9PMA0GCSqGSIb3DQEBDAUAA4ICAQC7Ydl9qWy+F8SRG8OhogCN42Ro +D1bPd65w+f2aSpm5yXhcDAxf5OYUKVYLNkldRGPgrZyWGGYbIw09eelta9ZU+NI8wUNArh1Q +9VL8kDu7mJlpa8fBp6hopCfcnfknrjCFufZnTTo+j1k5IlNE68hdA8rtUHp9YiEKgMhzZtGg +BWBf6KW0p6+o9201nHxaitaiOJnzeIv0TdIgC94E7oybR4FyDcAUMu8wWS6u4HHyVuRql2+S +UG2WjWh6mrI2FHoG8iS5CRFQ1wixuIl6hCNhQinlo82iIEHX0Zxk2eomoYsU10wZslBBcT0/ +TXAjhgxK3IHSzDKUhA0ICZccT8DuayB0MNLgOTQQhSEVAQjoVTLecUnZKBdQTea+TdF1rNDK ++0G4Q6Wq08MFRE8sNpvi+uJFuCNTbAZvZ1V/RrVMP24oWnkm0qSoYpfSHuLtSou8G/1HSg3f +Z2Z+sltB0Dvk9Dv0BGPp78JUAFGgiirJznjM1eqHBBizzq9JiK/zkpm2s+ZhD9KFAOdQGuQb +lZ0ZobmcsZuxAB7v0A9PQmzJCrzuQ/o6caXITSalNf2JXbyFYh0y0qArVO2aV8Hb+hDPGbeL +ShuPAbYnlVPotoltW7xo1CPoi1GiVvnwpoCg1h6zvA8PU3UpquoTd+TejIEhrQcQRxGthz0H +0XW8z/NmfgAAAAIAGHZlcmlzaWduY2xhc3MxZzNjYSBbamRrXQAAAVbCSfnFAAVYLjUwOQAA +BB4wggQaMIIDAgIRAItbdVaEVIULAM+vOEjOsaQwDQYJKoZIhvcNAQEFBQAwgcoxCzAJBgNV +BAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1 +c3QgTmV0d29yazE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0 +aG9yaXplZCB1c2Ugb25seTFFMEMGA1UEAxM8VmVyaVNpZ24gQ2xhc3MgMSBQdWJsaWMgUHJp +bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEczMB4XDTk5MTAwMTAwMDAwMFoXDTM2 +MDcxNjIzNTk1OVowgcoxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEf +MB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazE6MDgGA1UECxMxKGMpIDE5OTkgVmVy +aVNpZ24sIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTFFMEMGA1UEAxM8VmVyaVNp +Z24gQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcz +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3YTUubT5p9jzBHic3j3cbBMW2Xrd +JFFmwMcmWQ2sBgjClNEzH/CDNR9uG8jeqm4VTlQn78RtGuwL4w7wRKVXx0BYHqNHH3HsYPZt +lMgYOe3+QhhW3+RMSRB4TgF2NWMSNt1mvAEENqNVaNWiNgmsqyEmVAatP8oU4KzKrQYdleL4 +nfHgYP/Cf3UrTMza/oeZIeq6/j5U19JZeNs8bs+gEwAauCeh5L5nlsqgxbOc3cl1nuswml+j +zdmueBk/I+lc2ym9rVXIG1SMY/bopurHNxJcoykeAtnbHzu01w9WR4EVBEqvgyfRxViIwd32 +qqejGNpoqm0RUeG/ZWuflnbRPQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCrZo3Xs7rHmrbm +VdAF8Z8xjVqq2apGJg9x7aWtU1ZiAUcqROn+P3QLE5u59E0bstFfsrbSiFyzn83L1KfZYJWE +OvjBNx1hyuewxeWR2lSmrDGBrpfezQisuMCXgH9ucqTnaROVZR/Ekzz9eY8E1D5P6veezs1n +fE9lAv+RhVRzx/8294Yt7NBeT/8Rn3IG1rga8UwNJmXiRIAex5/j3egK2uylIIBpaKFPfuFr +zwdB+oOOvDjdsC4RsWuyQsyavPlIInlKGQ+yHD4gdNlqw77yKHgTVnlPbVDqG7C1V7E3Zlgj +89wP3wqHxO+GBdU4FGCZo0veBpZxLPLbth+k7z/uAAAAAgAXaWRlbnRydXN0cHVibGljY2Eg +W2pka10AAAFWwkjoQQAFWC41MDkAAAVqMIIFZjCCA06gAwIBAgIQCgFCgAAAAUUjz0Z8AAAA +AjANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MSow +KAYDVQQDEyFJZGVuVHJ1c3QgUHVibGljIFNlY3RvciBSb290IENBIDEwHhcNMTQwMTE2MTc1 +MzMyWhcNMzQwMTE2MTc1MzMyWjBNMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0 +MSowKAYDVQQDEyFJZGVuVHJ1c3QgUHVibGljIFNlY3RvciBSb290IENBIDEwggIiMA0GCSqG +SIb3DQEBAQUAA4ICDwAwggIKAoICAQC2IpT8pEiv6EdrCvsnduTyP4o7ekosMSqMjbCpwzFr +qHd2hCa2rIFCDQjrVVi7evi8ZX3yoG2LqEfpYnYeEe4IFNGyRBb06tD6Hi9e28tzQa68ALBK +K0CyrOE7S8ItneShm+waOh7wCLPQ5CQ1B5+ctMlSbdsHyo+1W/CD80/HLaXIrcuVIKQxKFdY +WuSNG5qrng0M8gozOSI5Cpcu81N3uURF/YTLNiCBWS2ab21ISGHKTN9T0a9SvESfqy9rg3Lv +dYDaBjMbXcjaY8ZNzaxmMc3R3j6HEDbhuaR672BQssvKplbgN6+rNBM5Jeg5ZuSYeqoSmJxZ +ZoY+rfGwyj4GD3vwEUs3oERte8uojHH01bWRNszwFcYr3lEXsZdMUD2xlVl8BX0tIdUAvwFn +ol57plzy9yLxkA2T26pEUWbMfXYD62qoKjgZl3YNa4ph+bz27nb9cCvdKTz4Ch5bQhyLVi9V +GxyhLrXHFub4qjySjmm2AcG1hp2JDws4lFTo6tyePSW8Uybt1as5qsVATFSrsrTZ2fjXctsc +vG29ZV/viDUqZi/u9rNl8DONfJhBaUYPQxxp+pu10GFqzcpL2UyQRqsVWaFHVCkugyhfHMKi +q3IXAAaOReyL4jM9f9oZRORicsPfIsbyVtTdX5Vy7W1f90gDW/3FKqD2cyOEEBsB5wIDAQAB +o0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU43Hgntin +QtnbcZFrlJPrw6PRFKMwDQYJKoZIhvcNAQELBQADggIBAEf63QqwEZE4rU1d9+UOl1QZgkiH +VIyqZJnYWv6IAcVYpZmxI1Qjt2odIFflAWJBF9MJ23XLblSQdf4an4EKwt3X9wnQW3IV5B4J +aj0z8yGa5hV+rVHVDRDtfULAj+7AmgjVQdZcDiFpboBhDhXAuM/FSRJSzL46zNQuOAXeNf0f +b7iAaJg9TaDKQGXSc3z1i9kKlT/YPyNtGtEqJBnZhbMX73huqVjRI9PHE+1yJX9dsXNw0H8G +lwmEKYBhHfpe/3OsoOOJuBxxFcbeMX8S3OFtm6/n6J91eEyrRjuazr8FGF1NFTwWmhlQBJqy +mm9li1JfPFgEKCXAZmExfrngdbkaqIHWchezxQMxNRF4eKLg6TCMf4DfWN88uieW4oA0beOY +02QnrEh+KHdcxiVhJfiFDGX6xDIvpZgF5PgLZxYWxoK4Mhn5+bl53B/N66+rDt0b20XkeucC +4pVd/GnwU2lhlXV5C15V5jgclKlZM57IcXR5f1GJtshquDDIajjDbp7hNxbqBWJMWxJH7ae0 +s1hWx0nzfxJoCTFx8G34Tkf71oXuxVhAGaQdp/lLQzfcaFpPz+vCZHTetBXZ9FRUGi8c15dx +VJCO2SCdUyt/q4/i6jC8UDfv8Ue1fXwsBOxonbRJRBD0ckscZOf85muQ3Wl9af0AVqW3rLat +t8o+Ae+cAAAAAgAadXRudXNlcmZpcnN0b2JqZWN0Y2EgW2pka10AAAFWwkkumAAFWC41MDkA +AARqMIIEZjCCA06gAwIBAgIQRL4Mi1AAJLQR0zYt4LNfGzANBgkqhkiG9w0BAQUFADCBlTEL +MAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2UgQ2l0eTEeMBwG +A1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExhodHRwOi8vd3d3LnVzZXJ0 +cnVzdC5jb20xHTAbBgNVBAMTFFVUTi1VU0VSRmlyc3QtT2JqZWN0MB4XDTk5MDcwOTE4MzEy +MFoXDTE5MDcwOTE4NDAzNlowgZUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UE +BxMOU2FsdCBMYWtlIENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8G +A1UECxMYaHR0cDovL3d3dy51c2VydHJ1c3QuY29tMR0wGwYDVQQDExRVVE4tVVNFUkZpcnN0 +LU9iamVjdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM6qgT+jo2F4qjEAVZUR +nicPHxzfOpuCaDDASmEd8S8O+r5596Uj71VRloTN2+O5bj4x2AogZ8f02b+U60cEPgLOKqJd +hwQJ9jCdGIqXsqoc/EHSoTbL+z2RuufZcDX65OeQw5ujm9M89RKZd7G3CeBo5hy485RjiGpq +/gt2yb70IuRnuasaXnfBhQfdDWy/7gbHd2pBnqcP1/vulBe3/IW+pKvEHDHd17bR5PDv3xaP +slKT16HUiaEHLr/hARJCHhrh2JU022R5KP+6LhHC5ehbkkj7RwvCbNqtMoNB86XlQXD9ZZBt ++vpRxPm9lisZBCzTbafc8H9vg2XiaquHhnUCAwEAAaOBrzCBrDALBgNVHQ8EBAMCAcYwDwYD +VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU2u1kdBScFDyr3ZmpvVsoTYs8ydgwQgYDVR0fBDsw +OTA3oDWgM4YxaHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VUTi1VU0VSRmlyc3QtT2JqZWN0 +LmNybDApBgNVHSUEIjAgBggrBgEFBQcDAwYIKwYBBQUHAwgGCisGAQQBgjcKAwQwDQYJKoZI +hvcNAQEFBQADggEBAAgfUrE3RHjb/c652pWWmKpVZIC1WkDdIaXFwfNfLEzIR1pp6ujwNTX0 +0CXzyKakh0q9G7FzCL3Uw8q2NbtZhncxzaeAFK4T7/yxSPlrJSUtUbYsbUXBmMiKVl0+7kNO +PmsnjtA6S4ULX9Ptaqd1y9Fahy85dRNacrACgZ++8A+EVCBibGnU4U3GDZlDAQ0Slox4nb9Q +orFEqmrPF3rPbw/U+CRVX/A0FklmPlBGyWNxODFiuGK581OtbLUrohKqGU8J2l7nk8aOFAj+ +8DCAGKCGhU3IfdeLA/5u1fedFqySLKAj5ZyRUh+U3xeUc8OzwcFxBSAAeL0TUh2oPs0AH8gA +AAACABlnZW90cnVzdHVuaXZlcnNhbGNhIFtqZGtdAAABVsJJG3gABVguNTA5AAAFbDCCBWgw +ggNQoAMCAQICAQEwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdl +b1RydXN0IEluYy4xHjAcBgNVBAMTFUdlb1RydXN0IFVuaXZlcnNhbCBDQTAeFw0wNDAzMDQw +NTAwMDBaFw0yOTAzMDQwNTAwMDBaMEUxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVz +dCBJbmMuMR4wHAYDVQQDExVHZW9UcnVzdCBVbml2ZXJzYWwgQ0EwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCmFVWgo8bgH4ydIVDXwb4rW7WknqHZcli9ABtMv2HJFB1FgqvG +HYDWPesQnDqvbST4vHEBngb1fF8ewQ5VyoOaWTCuGcswSJXtIjeN9EqacmY+rZXA4BYA4BAf +KzEO15RU00IzoDQdHkV23U/KGDfshRV6GQj81cec8PKpLhCpkuY9WD2pFmg8L3UhGH8od6Xh +YRe3pun4Hpnbc270CqIhbO7aqoWSZq/2emuC2roiCDUPz0LxNfpq7n4rJcw6EeRtr3Oydh2t +0LJ4ZxqkORxRC2dWg/04XQ3O3fC7K5Yf3nsyUv0du7UGobIhXqXWlWh/8Jme3EUIPufSCQ01 +lN2ATlOX17UJRCBkFhcDAkxTDWje1apyTZNtgg7bnL3PtPNcXVR6aQmW1tsRwY11qLTPOcjO +PLwkfOZiyuG9fae9V2UL5P4l7bZpENwoGka9AR3Ql7XhmDvAN2TWPZTuC+H1KK4LVr9xiyMp +QY6GxUtSe9hxqx+KFaY7g1rXWAFRxkxB2X/YQWdyoijfYIOpnsh7/FNzcln1k3oXdg7O9+Vc +2QtVNKKqW7VqVOcTylfsl230XgYvRYtY1CMWkuQWbihjWTDfUAGcY4kan9sXlIJwN8MknppH +1lrKTqhpiXIfkWzbfp4brccfc90sTxll/X+TQBAu0vDtPJ4uKD5pJjPFewIDAQABo2MwYTAP +BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTauy6qsAy4iCZRdFxtA9PA2I961jAfBgNVHSME +GDAWgBTauy6qsAy4iCZRdFxtA9PA2I961jAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEF +BQADggIBADF45se137iUQMlxxKg17EYdwoXzKFiGsAv8jrI5j0RVq2SEXGmp0Jo4PPrlHzXl +ROOAeZRopLvEnz3hNM0wRotUK5Wl7/c/mYT9NebPMcbcar+n1yMI4Zhew1oIdqmmr3cvt2C9 +REZq75f/c5XBjuiT+/0xt+xXERFFmzDxGog5wU88pwDVx/yrbYAicKUM4F0EKQL7y6CR0XzW +w35Q1Z1YvkE467l1PBXZm8lKg1nA2lP9M7s2GJuFDxXd7i2sdpO52QGNSBCo+/U4hvHbCsa9 +hKMjQd7Wd2+F1IUcUOCuUYq6jT524rnKJ/Jfn+9uWQ0G2CsXpNJ8a7tfFBpIjxpM57NHHI5M +RSsg7kjf590Jjhio2kCNkiYRU2FzXeu958RNKTdh66w5LWcuFtb1AIOFocx/dsR95LdLZu8D +RWBptgxSlpKEXqajtaQ+K9nM2BtHqvJE2k/5A+jwFMs/84Pe0MFU47foCjdNiyBZAzAZoSzI +vREf367JSsXzJ2Zmhqxokf/Z5lMcD4tcaWUKJsgeNMNdUXvXqZwGoTbd1YmUvNnkLQxeCWwI +l3yjPXyT/z+hFKfPtV3r29scxHbfiLm9RQWVG678RmpMr0jjzq4P0n7r5mycT4FqemSsuz7V +58t2LsWnSMFckA/LyD/65jLhjRtvpOaO2PkpSIrOc/4sAAAAAgAaZGlnaWNlcnRnbG9iYWxy +b290ZzMgW2pka10AAAFWwkkPcwAFWC41MDkAAAJDMIICPzCCAcWgAwIBAgIQBVVWvPJepDU1 +w6QP1atFcjAKBggqhkjOPQQDAzBhMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQg +SW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9i +YWwgUm9vdCBHMzAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYT +AlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20x +IDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEczMHYwEAYHKoZIzj0CAQYFK4EEACID +YgAE3afZu4q4C/sLfyHS8L6+c/MzXRq8NOrexpu80JX28MzQC7phW1FGfp4tn+6OYwwX7Adw +9c+ELkCDnOg/QW07rdOkFFk2eJ0DQ+4QE2xy3q6Ip6FrtUPOZ9wj/wMco+I+o0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUs9tIpPmhxdiuNkHMEWNp +Yim8S8YwCgYIKoZIzj0EAwMDaAAwZQIxAK288mw/EkrRLTnDCgmXc/SINoyIJ7vmiI1Qhadj ++Z4y3maTD/HMsQmP3Wyr+mt/oAIwOWZbwmSNuJ5Q3KjVSaLtx9zRSX8XAbjIho9OjIgrqJqp +isXRAL34VOKa5Vt8sycXAAAAAgAcZGV1dHNjaGV0ZWxla29tcm9vdGNhMiBbamRrXQAAAVbC +SSebAAVYLjUwOQAAA6MwggOfMIICh6ADAgECAgEmMA0GCSqGSIb3DQEBBQUAMHExCzAJBgNV +BAYTAkRFMRwwGgYDVQQKExNEZXV0c2NoZSBUZWxla29tIEFHMR8wHQYDVQQLExZULVRlbGVT +ZWMgVHJ1c3QgQ2VudGVyMSMwIQYDVQQDExpEZXV0c2NoZSBUZWxla29tIFJvb3QgQ0EgMjAe +Fw05OTA3MDkxMjExMDBaFw0xOTA3MDkyMzU5MDBaMHExCzAJBgNVBAYTAkRFMRwwGgYDVQQK +ExNEZXV0c2NoZSBUZWxla29tIEFHMR8wHQYDVQQLExZULVRlbGVTZWMgVHJ1c3QgQ2VudGVy +MSMwIQYDVQQDExpEZXV0c2NoZSBUZWxla29tIFJvb3QgQ0EgMjCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAKsLozXgiykUsRSFrzwQ5DlvNV1Krt3qYY2VSfRvZKMaYGakqUAi +hNnUpeV4kw5oAa25TVw6ztO4qEJA38+juoJZapIbrBya2ggrJSf5aSNH8eDrLHqb9RMC0H40 +fMKePABZq/XaDPUyPCusUNrWw96DlMqoDJkyDghIVltq+9rhWFgBSV9yQTwVBgGOXa2quJO0 +zZ7rp+hqLVI02zrvXHVR2tvzMfnucZgyxFQVRAz5m1Xtrd8YCKCjhopJ7lMFjxlM1d5YeZvS +ahxCq8XVp89oD5bk4WGYdmHIkXzWPgDikVCH4Z0K5q2X0h3GOn3LvNoDNNWOWwH1age3FrZu +Sn8CAwEAAaNCMEAwHQYDVR0OBBYEFDHDeRu69VPXF+CJei0XbAqzK50zMA8GA1UdEwQIMAYB +Af8CAQUwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQCUZFmtOWTnKesT/lrD +ixNXyAQk8HR3wGDjZ/vpiaaDv5aCfG7Uwz3vnoBuuym0mHqxO1TrORdHfhqOC/wfMVkxBLLO +F/Msx2I2VeIi2IlVtJhIqmT61hw22ER4WlojOleX9XowT66fakxLK46gA+M+4KnU0nvSs6ji +cjytnv+AWeSbRbT2O7DNORmYMuXqIWGQ5DEhjjSx9y81SoUQ2ueKNyG+WWPg8oWIMVPUVBSF +cHn0LgZ3J3UvH7iK+f7Futg25IPs52W3v2Na80avgZQ31EGM1iPWHs/1aBtEY6Jauqc1WaHl +cAWbDiNXmZQKbbo5YyiGkvMYhNj70c8FVmRXAAAAAgAWZW50cnVzdHJvb3RjYWVjMSBbamRr +XQAAAVbCSWH7AAVYLjUwOQAAAv0wggL5MIICgKADAgECAg0Apot5KQAAAABQ0JH5MAoGCCqG +SM49BAMDMIG/MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE +CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMTIg +RW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTMwMQYDVQQDEypFbnRy +dXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBFQzEwHhcNMTIxMjE4MTUyNTM2 +WhcNMzcxMjE4MTU1NTM2WjCBvzELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIElu +Yy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsT +MChjKSAyMDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEzMDEG +A1UEAxMqRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRUMxMHYwEAYH +KoZIzj0CAQYFK4EEACIDYgAEhBPJ0LptQXvibNDrVV9mAhok9FuJaUfjuMJ98fICxZ+g9lvV +iwYZhk9TEG0HJCehoPjVRxlhTH3KkyfqdAzvb5YJ/mPscF02rWd3rsmdfFVEOqJjUR/142LU +qUcHPswgo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +t2PnGt2N6QimVYOk4GpQQWURQkkwCgYIKoZIzj0EAwMDZwAwZAIwYXnY5UJH3xyuU5kXtm8c +feG/EZTRA4h15I2JpIp3Rt5tYe8C9fu138z+Tv/+qeanAjBbmdeFNwa1ewj96yeLSpT54fqn +jiYI6HySaG1z2G8mrCECuJm3JkFbJWCu0Ega7gYAAAACABRzZWNvbXNjcm9vdGNhMSBbamRr +XQAAAVbCSXcNAAVYLjUwOQAAA14wggNaMIICQqADAgECAgEAMA0GCSqGSIb3DQEBBQUAMFAx +CzAJBgNVBAYTAkpQMRgwFgYDVQQKEw9TRUNPTSBUcnVzdC5uZXQxJzAlBgNVBAsTHlNlY3Vy +aXR5IENvbW11bmljYXRpb24gUm9vdENBMTAeFw0wMzA5MzAwNDIwNDlaFw0yMzA5MzAwNDIw +NDlaMFAxCzAJBgNVBAYTAkpQMRgwFgYDVQQKEw9TRUNPTSBUcnVzdC5uZXQxJzAlBgNVBAsT +HlNlY3VyaXR5IENvbW11bmljYXRpb24gUm9vdENBMTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALOz/n/TbbHvFnxXpQxtdoovS79k+0zuivDzKXz1/+4q4OnpultkIpqabyw6 +JmlRBZkm3NUcanHGmn0end18bMaMZ2dKPvhxsBknqQkMppW/S4wM+lWYO9joIqFLcTh5rJeS +abOJfuohaAaYFJaH0mE2vG0nVp5X7sDAVv0yz6TZjsIj142o89glrJfkcDj0tjq0nTuXJkOj +obxJWXJMIzCHAVj2Tr4caFZmr81BXcizTSpVRqsf2h7iQD3bzX25koCcN90MlmSd3CL3ZIvf +Yd4VlFIVoH1SyUuoIcnGse3Lw5Vg0Q/wq3D438tNfuzW+qvZvX9U8qXpefrZ1nYkKHMCAwEA +AaM/MD0wHQYDVR0OBBYEFKBzSZlo3IVbZeObKC9Xn70zvAdIMAsGA1UdDwQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBoQKmou+RPXXmzBbUXs2AT68aSXeDR +02r++76bbb/HBW1ZIMQc8LfahFgCY/pIFu9PpQv3SpjyP54brUdrY84IR+tSP3icr02u+NVP +z5qYKhBBOVLE3dmbDu+TAa6yLspoQiRCbLCzOj7N6dpIxBXL6fkHD5JQSYrdMZdfyek3qjtZ +ZZeUMsmznz46YljFSa1iDnGlMqovxol2Q0ATE2c9olQlEMvxOvLZ+ttJVrum/qdBNcPgiGHJ +iMffNhAimFnqsEr7VhZzbqxN9yKhT60dei1FJ+UwwV7y2hPLJUJRlUcDjGwhzHRC7VP/M4uP +D1cBFi/Ppu7JcCIUvf2+bAsDAAAAAgAUZ2xvYmFsc2lnbnIyY2EgW2pka10AAAFWwkmAowAF +WC41MDkAAAO+MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEg +MB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNpZ24x +EzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1MDgwMDAwWjBM +MSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFsU2ln +bjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPLv4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe ++3t+c4isUoh7SqbKSaZeqKeMWhG8eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTos +vNYSuetZfeLQBoZfXklqtTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnT +lEnLJGKRILzdC9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpR +l4pazq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCBmTAO +BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IHV2ccHsBqBt5Z +tJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9y +b290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG3lm0mi3f3BmGLjANBgkqhkiG9w0B +AQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4GsJ0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbB +uOmDAGJFtqkIk7mpM0sYmsL4h4hO291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yi +PqFbQfXf5WRDLenVOavSot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG7 +9G+dwfCMNYxdAfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRu +JQ/7TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLgAAAAIA +FGlkZW50cnVzdGRzdHgzIFtqZGtdAAABVsJI1HsABVguNTA5AAADTjCCA0owggIyoAMCAQIC +EESvsIDWoye6iTA5hi74QGswDQYJKoZIhvcNAQEFBQAwPzEkMCIGA1UEChMbRGlnaXRhbCBT +aWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzAeFw0wMDA5MzAy +MTEyMTlaFw0yMTA5MzAxNDAxMTVaMD8xJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRy +dXN0IENvLjEXMBUGA1UEAxMORFNUIFJvb3QgQ0EgWDMwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDfr+mXUAiDV7TMYmX2kILsx9MsazDKW+zZw33HQMEYFIvg6DN2SSrjPyFJ +k6xODq8+SMtl7vzTIQ9l0irZMo+M5fd3sBJ7tZXAiaOpuu1zLnoMBjKDon6KFDDNEaDhKji5 +eQox/VC9gGXft1Fjg8jiiGHqS2GB7FJruaLiSxoon0ijngzaCY4+Fy4e3SDfW8YqiqsuvXCt +xQsaJZB0csV7aqs01jCJ/+VoE3tUC8jWruxanJIePWSzjMbfv8lBcOwWctUm7DhVOUPQ/P0Y +XEDxl+vVmpuNHbraJbnG2N/BFQI6q9pu8T4u9VwInDzWg2nkEJsZKrYpV+PlPZuf8AJdAgMB +AAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTEp7Gk +eyxx+tvhS5B1/8QVYIWJEDANBgkqhkiG9w0BAQUFAAOCAQEAoxosmxcAXKke7ihmNzq/g8c/ +S8MJoJUgXePZWUTSPg0+vYpLoHQfzhCCnHQaHX6YGt3LE0uzIETkkenM/H2l22rl/ub94E7d +twA6tXBJr/Ll6wLx0QKLGcuUOl5IxBgeWBlfHgJa8Azxsa2p3FmGi27pkfWGyvq5ZjOqWVvO +4qcWc0fLK8yZsDdIz+NWS/XPDwxyMofG8ES7U3JtQ/UmSJpSZ7dYq/5ndnF42w2iVhQTOSQx +haKoAlowR+HdUAe8AgmQAOtkY2CbFryIyRLm0n2Ri/k9Mo1ltOl8sVd26sW2KDm/FWUcyPZ3 +lmoKjXcL2JELBI4H2ym2Cu6dgjU1EAAAAAIAEWNvbW9kb2VjY2NhIFtqZGtdAAABVsJKBzwA +BVguNTA5AAACjTCCAokwggIPoAMCAQICEB9Hr6piAHBQVEwBnptjmSowCgYIKoZIzj0EAwMw +gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcT +B1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYDVQQDEyJDT01PRE8g +RUNDIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA4MDMwNjAwMDAwMFoXDTM4MDExODIz +NTk1OVowgYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO +BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYDVQQDEyJD +T01PRE8gRUNDIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MHYwEAYHKoZIzj0CAQYFK4EEACID +YgAEA0d7L3XJghWF+3XkkRbUq2KZ9T5SCwbOQQB/l+EKJDwdAQTuPdKNCZcM4HXk+vt3iir1 +A2BLNosWIxatCXH0SvQoULT+iBxuP2wvLwlZW6VbCzOZ4sM9iflqLO+y0wbpo0IwQDAdBgNV +HQ4EFgQUdXGnGUgZvJ2d6kFH35TESHeZ03kwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF +MAMBAf8wCgYIKoZIzj0EAwMDaAAwZQIxAO8DW3qst3gKcreI3/+1RhQJCvqg5n0IxhqHvRio +c70mymAMnc6Zn89cDzDhvhQx6gIwFPSTPEmnM3qQRkezY30Tm063bxg3gFP+3SDgNZo20ccB +uebc3fP/HSw6FlfZkjnWAAAAAgAcYmFsdGltb3JlY29kZXNpZ25pbmdjYSBbamRrXQAAAVbC +STqyAAVYLjUwOQAAA6owggOmMIICjqADAgECAgQCAAC/MA0GCSqGSIb3DQEBBQUAMGcxCzAJ +BgNVBAYTAklFMRIwEAYDVQQKEwlCYWx0aW1vcmUxEzARBgNVBAsTCkN5YmVyVHJ1c3QxLzAt +BgNVBAMTJkJhbHRpbW9yZSBDeWJlclRydXN0IENvZGUgU2lnbmluZyBSb290MB4XDTAwMDUx +NzE0MDEwMFoXDTI1MDUxNzIzNTkwMFowZzELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRp +bW9yZTETMBEGA1UECxMKQ3liZXJUcnVzdDEvMC0GA1UEAxMmQmFsdGltb3JlIEN5YmVyVHJ1 +c3QgQ29kZSBTaWduaW5nIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDI +cZoYEo562/ma/EGv2PL0CY6tP/5nNzzaySZQsbE+y+hOcwDystzzxUb7Ce8Yls6n4JyEXSAO +eqCqNov6KLZ4LrPs6EfzBPCQI7Tqr+VTuAX3R10rhvGnpMY7NbbSDVJB1/SSdeGiClBWh76X +C3szhRC5KBjuM+pIEddbkUd2ItTuz13nqE4cnZaR3Zy9dAmocmGqsCE68T0sA1YJ0sHcw7XH +VDer5iaiskZxc8oRiO6852T30BEac0BayEksD7fvkH9ogAQ4CxsPO9T1oLPCjuE0tICZbZ52 +1JIpQLGV0jekZxJ/4GK7rjXFmTaCRLjmeBgzYXGTWy2Nn3iVguttAgMBAAGjWjBYMBMGA1Ud +JQQMMAoGCCsGAQUFBwMDMB0GA1UdDgQWBBTIQTRcFRUE5UDy0auabySSeodCWjASBgNVHRMB +Af8ECDAGAQH/AgEDMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAUnSqlUsi +jMc9lqT+Xfovtbzr8AvpVjgd0W0Nobxoi/DFgKUkNP3ylhgRhqE29TfnVEDVZB/DX3BCay05 +x55SBc7nanLSjXI/R1CDq8eNJcmw46dTFpWmalPqGJ2PeKl3dxr5tJdHWYgnKLXK4S7XPg6i +DbgiRAPj0WOwQTqh9aQt93YeBFSZeDJA1yt8TbqmnLB5bge+jOzu1zhpW8EMVmif/uvR4ciI ++fLNf76FtERnAFA+9CYDZOp3fehePhw3R8jW6qTzNjyXwjlyBZQZJcPXN0EPwR+Hiv2qvumx +ZFfk25Khz+FJ6DsfkRNaw4/ZJVhJgEcPxgOurOO/t8CqKgAAAAIAE2VudHJ1c3QyMDQ4Y2Eg +W2pka10AAAFWwknWHgAFWC41MDkAAAQuMIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0B +AQUFADCBtDEUMBIGA1UEChMLRW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5l +dC9DUFNfMjA0OCBpbmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChj +KSAxOTk5IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp +ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQxNzUwNTFaFw0yOTA3MjQxNDE1 +MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3LmVudHJ1c3QubmV0 +L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMcKGMp +IDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50cnVzdC5uZXQgQ2VydGlm +aWNhdGlvbiBBdXRob3JpdHkgKDIwNDgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEArU1LqRKGsuqjIAcVFmQqK0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOLGp18 +EzoOH1u3Hs/lJBQesYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSr +hRSGlVuXMlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVT +XTzWnLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/HoZdenoV +ve8AjhUiVBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH4QIDAQABo0IwQDAO +BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUVeSB0RGAvtiJuQij +MfmhJAkWuXAwDQYJKoZIhvcNAQEFBQADggEBADubj1abMOdTmXx6eadNl9cZlZD7Bh/KM3xG +Y4+WZiT6QBshJ8rmcnPyT/4xmf3IDExoU8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv +3h8Dj1csHsm7mhpElesYT6YfzX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89 +vqbllRrDtRnDvV5bu/8j72gZyxKTJ1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBC +bJPKVt7+bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er +fF6adulZkMV8gzURZVEAAAACABhhZGR0cnVzdGV4dGVybmFsY2EgW2pka10AAAFWwkm7JgAF +WC41MDkAAAQ6MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJT +RTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFsIFRU +UCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290MB4XDTAwMDUz +MDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRy +dXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5hbCBUVFAgTmV0d29yazEiMCAGA1UE +AxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALf3GjPm8gAELTngTlvtH7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+Vt +UFrWlymUWoCwSXrbLpX9uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYape +FI+eh6FqUNzXmk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+7 +10LXa0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzNE0S3 +ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0WicCAwEAAaOB +3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYDVR0PBAQDAgEGMA8GA1Ud +EwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0Jvf6xCZU7wO94CTLVBqhc6RxMG8x +CzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3Qg +RXh0ZXJuYWwgVFRQIE5ldHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJv +b3SCAQEwDQYJKoZIhvcNAQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZl +j7DYd7usQWxHYINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w +/Rw56wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvCNr4T +Dea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEXc4g/VhsxOBi0 +cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5amnkPIAou1Z5jJh5VkpTY +ghdae9C8x49OhgQAAAACABtnbG9iYWxzaWduZWNjcm9vdGNhcjQgW2pka10AAAFWwkj3UwAF +WC41MDkAAAHlMIIB4TCCAYegAwIBAgIRKjikHJYKBN5CsiilC+g0mAIwCgYIKoZIzj0EAwIw +UDEkMCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI0MRMwEQYDVQQKEwpHbG9i +YWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTEyMTExMzAwMDAwMFoXDTM4MDExOTAz +MTQwN1owUDEkMCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI0MRMwEQYDVQQK +EwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMFkwEwYHKoZIzj0CAQYIKoZIzj0D +AQcDQgAEuMZ5049sJQ6fLjkZHAOkrprlOQcJFspjsbmG+IpXwVfOQvpzofdlQv8ewQCybnMO +/8ch5RikqtlxP6jUuc6MHaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w +HQYDVR0OBBYEFFSwe61FuOJAf/sKbvu+M8k8o4TVMAoGCCqGSM49BAMCA0gAMEUCIQDckqGg +E6bPA7DmxCGXkPoUVy0D7O48027KqGx2vKLeuwIgJ6iFJzWbVsaj8kfSt24bAgAXqmemFZHe ++pTsewv4n4QAAAACABR1c2VydHJ1c3Ryc2FjYSBbamRrXQAAAVbCSfZpAAVYLjUwOQAABeIw +ggXeMIIDxqADAgECAhAB/W0w/KPKUagbvGQONQMtMA0GCSqGSIb3DQEBDAUAMIGIMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEUMBIGA1UEBxMLSmVyc2V5IENpdHkxHjAc +BgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEuMCwGA1UEAxMlVVNFUlRydXN0IFJTQSBD +ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDAyMDEwMDAwMDBaFw0zODAxMTgyMzU5NTla +MIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEUMBIGA1UEBxMLSmVyc2V5 +IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEuMCwGA1UEAxMlVVNFUlRy +dXN0IFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIP +ADCCAgoCggIBAIASZRc2DsPbCLPQrFcNdu3NJ9NMrVCDYeKqIE0JLWQJ3M6Jn8w9qez2z8Hc +8dOx1ns3KBErR9o5xrw6GbRfpr19naNjQrZ28qk7K5H44m/Q7BYgkAk+4uh0yRi0kdRiZNt/ +owbxiBhqkCI8vP4T8IcUe/bkH47U5FHGEWdGCFHLhhRUP7wz/n5snP8WnRi9UY41pqdmyHJn +2yFmsdSbeAPAUDrozPDcvJ5M/q8FljUfV1q3/875PbcstvZU3cjnEjpNrkyKt1yatLcgPcp/ +IjSufjtoZgFE5wFORlObM2D3lL5TN5BzQ/Myw1Pv26r+dE5px2uMYJPexMcM3+EyrsyTO1F4 +lWeL7j1W/gzQaQ8bD/MlJmszbfduR/pzQ+V+DqVmsSl8MoRjVYnEDcGTVDAZE6zTfTen6106 +bDVc20HXEtqpSQvf2ICKCZNijrVmzyWIzYS4sT+kOQ/ZAp7rEkyVfPNrBaleFoPMuGfi6BOd +zFuC00yz7Vv/3uVzrCM7LQC/NVV0CUnYSVgaf5I25lGSDvMmfRxNF7zJ7EMm0L9BX0CpRET0 +medXh55QH1dUqD79dGMvsVBlCeZYQi5DGky08CVHWfoEHpPUJkZKUIGy3r54t/xnFeHJV4Qe +D2PW6WK61l9VLupcxigIBCU5uA4rqfJMlxwHPw1S9e3vL4IPAgMBAAGjQjBAMB0GA1UdDgQW +BBRTeb9aqitKz1SA4dibwJ3ysgNmyzAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB +/zANBgkqhkiG9w0BAQwFAAOCAgEAXNR8Dc/3AX1BmWUMc8VSn8v4z5kGfxvaQxWfngJVV5YU +8VI8J4eUKO0fOgE3onb8U1DAhJvGa066jCFPoo5VYpHzaRXYvIjjxKoL/e+o6UtVKgYgbVV4 +KRnuXzBcSyQRVf8kmm5eKivuC02ff/cBOJQUlUMHCftgqe4cqxKMoJpep5hqWW2LPwj7yNFF +rxgVZJASD3MoLsXiJE78WOzw9EX+IrPrL47S2UVhBcGXb6h2co+LjDavvw0FznGN5qZvH2ym +cWLF2NCDcgzxZxGJDJwTTHI037zVcd+qcd3huWyMPBJdZdq9VxK2Q2v/5d5NZhFRz5mu7Be2 +6HGRjN5J/t01caIVJ5Qcz2HjJrtvo2clIV3m3R0LLmgbO4Kv7INnhdSYUXSxuZmAif9/eBlc +eUpgLpJArkw3KizJx2LIDl33NlvK4CUlAbTdGgecdwA/0NzV7D3U+rs/zIXWb3+pLd+5Avf1 +l5q1NdrDZ7CHSqkoniOO/1wna+GwT/MH7gAu1FmHy1JBler0R9fuZEFVfI1ZApXdYp3Cue5a +KHSEpZu3kMcMB9/1iTZ0MtYowbCwC+CcTMMc1vzjabVHRoEvooKr02NEcMSN/y0zuq2Pe7Vw +iK4+Gc9AKNj8yJC7XZki9VLmWMUfiDFD7ogd18aOPENqHacY3n09FvFi+cqQqP0AAAACAB1k +aWdpY2VydGFzc3VyZWRpZHJvb3RjYSBbamRrXQAAAVbCSMVlAAVYLjUwOQAAA7swggO3MIIC +n6ADAgECAhAM5+DlF9hG/o/lYPwb8DA5MA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAi +BgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBaFw0z +MTExMTAwMDAwMDBaMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAX +BgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQg +Um9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK0OFc7kQ4BcsYfzt2D5 +cRKlrtwmlIiq9M71IDkoWGAM+IDaqRWVMmE8tbEohIqK3J8KDIMXeo+QrIrneVNcMYQq9g+Y +MjZ2zN7dPKii72r7IfJSYd+fINcf4rHZ/hhk0hJbX/lYGDW8R82hNvlrf9SwOD7BG8OMM9nY +Lxj+KA+zp4PWw25EwGE1lhb+WZyLdm3X8aJLDSv/C3LanmDQjpA1xnhVhyChz+VtCshJfDGY +M2wi6YfQMlqiuhOCEe05F52ZOnKh5vqk2dUXMXWuhX0irj8BRob2KHnIsdrkVxfEfhwOsLSS +plazvbKX7aqn8LfFqD+VFtD/oZbrCF8Yd08CAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8G +A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEXroq/0ksuCMS1Ri6enIZ3zbcgPMB8GA1UdIwQY +MBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgPMA0GCSqGSIb3DQEBBQUAA4IBAQCiDrzf4u3w43Jz +emSUv/dyZtgy5EJ1Yq6H6/LV2d5Ws5/MzhQouQ2XYFwSTFjk0z2DSUVYlzVpGqhH6lbGeasS +2GeBhN9/CTyU5rgmLCC9PbMoifdf/yLil4Qf6WXvh+DfwWdJs13rsgkq6ybteL59PyvztyY1 +bV+JAbZJW58BBZurPSXBzLZ/wvFvhsb6ZGjrgS2U60K3+owe3WLxvlBnt2y98/Efaww2BxZ/ +N3ypW2168RJGYIPXJwS+S86XvsNnKmgR34DnDDNmvxMNFG7zfx9jEB76jRslbWyPpbdhAbHS +oyahEHGdreLD+cOZUbcrBwjOLuZQsqf6CkUvovDyAAAAAgAaZGlnaWNlcnRnbG9iYWxyb290 +ZzIgW2pka10AAAFWwkkSawAFWC41MDkAAAOSMIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSx +HQn65TANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQg +SW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9i +YWwgUm9vdCBHMjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYT +AlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20x +IDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI2/Ou8jqJkTx65qsGGmvP +rC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx1x7e/dfgy5SDN67sH0NO3Xss0r0u +pS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQq2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ +8zUtluNJbd134/tJS7SsVQepj5WztCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyM +UNGPHgm+F6HmIcr9g+UQvIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQID +AQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJU +IBiV5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY1Yl9 +PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4NeF22d+mQrvH +RAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NGFdtom/DzMNU+MeKNhJ7j +itralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ918rGOmaFvE7FBcf6IKshPECBV1/MU +ReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTepLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0D +khvld1927jyNxF1WW6LZZm6zNTflMrYAAAACACFhY3RhbGlzYXV0aGVudGljYXRpb25yb290 +Y2EgW2pka10AAAFWwklGyAAFWC41MDkAAAW/MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJ +KoZIhvcNAQELBQAwazELMAkGA1UEBhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpB +Y3RhbGlzIFMucC5BLi8wMzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNh +dGlvbiBSb290IENBMB4XDTExMDkyMjExMjIwMloXDTMwMDkyMjExMjIwMlowazELMAkGA1UE +BhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1ODUy +MDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290IENBMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp8bEpSmkLO/lGMWwUKNvUTufClrJwkg4CsIcoBh/ +kbWHuUA/3R1oHwiD1S0eiKD4j1aPbZkCkpAW1V8IbInX4ay8IMKx4INRimlNAJZaby/ARH6j +DuSRzVju3PvHHkVH3Se5CAGfpiEd9UEtL0z9KK3giq0itFZljoZUj5NDKd45RnijMCO6zfB9 +E1fAXdKDa0hMxKufgFpbOr3JpyI/gCczWw63igxdBzcIy2zSekciRDXFzMwujt0q7bd9Zg1f +YVEiVRvjRuPjPdA1YprbrxTIW6HMiRvhMCb8oJsfgadHHwTrozmSBp+Z07/T6k9QnBn+loce +PGX2oxgkg4YQ51Q+qDp2JE+BIcXjDwL4k5RHILv+1A7TaLndxHqEguNTVHnd25zS8gebLra8 +Pu2Fbe8lEfKXGkJh90qX6IuxEAf6ZYGyojnP9zz/GPvG8VqLWeICrHuS0E4UT1lF9gxeKF+w +6D9Fz8+vm2/7hNN3WpVvrJSEnu68wEqPSpP4RCHiMUVhUE4Q2OM1fEwZtN4Fv6MGn8i1zeQf +1xcGDXqVdFUNaBr8EBtiZJ1t4JWgw5QHVw0U5r0F+7if5t+L4sbnfpb2U8WANFAoWPASUHEX +MLrmeGO89LKtmyuy/uE5jF66CyCU3nuDuP/jVo23Eek7jPKxwV2dpAtMK9myGPW1n0sCAwEA +AaNjMGEwHQYDVR0OBBYEFFLYiDrIn3hm7YnzezhwlMkCAjbQMA8GA1UdEwEB/wQFMAMBAf8w +HwYDVR0jBBgwFoAUUtiIOsifeGbtifN7OHCUyQICNtAwDgYDVR0PAQH/BAQDAgEGMA0GCSqG +SIb3DQEBCwUAA4ICAQALe3KHwGCmSUyIWOYdiPcUZEim2FgKDk8TNd81HdTtBjHIgT5q1d07 +GjLukD0R0i70jsNjLiNmsGe+b7bAEzlgqqI0JZN1Ut6nna0Oh4lScWoWPBkdg/iaKWW+9D+a +2fDzWochcYBNy+A4mz+7+uAwTc+G02UQGRjRlwKxK3JCaKygvU5a2hi/a5iB0P2avl4VSM0R +FbnAKVy06Ij3Pjaut2L9HmLecHgQHEhb2rykOLpn7VU+Xlff1ANATIGk0k9jpwlCCRT8AKnC +gHNPLsBA2RF7SOp6AsDT6ygBJlh0wcBzIm2Tlf05fbsq4/aC4yyXX04fkZT6/iyj2HYauE2y +OE+b+h1IYHkm4vP9qdCa6HCPSXrW5b0KDtst842/6+OkfcvHlXHo2qN8xcL4dJIEG4aspCJT +QLas/kx2z/uUMsA1n3Y/buWQbqCmJqK4LL7RK4X9p2jIugErsWx0Hbhzlefut8cl8ABMALJ+ +tguLHPPAUJ4lueAI3jZm/zel0btUZCzJJ7VLkn5l/9Mt4blOvH+kQSGQQXemOR/qnuOf0GZv +Beyqdn6/axag67XH/JJULysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQRrM9vwGYT7JZ +VEc+NHt4bVaTLnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlgAAAAIAGWRpZ2ljZXJ0 +YXNzdXJlZGlkZzIgW2pka10AAAFWwkjlOQAFWC41MDkAAAOaMIIDljCCAn6gAwIBAgIQC5Mc +OtY5Z+pnI7/Dr5r0SzANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMM +RGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdp +Q2VydCBBc3N1cmVkIElEIFJvb3QgRzIwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAw +WjBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu +ZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzIwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ5ygvUj82ckmIkzTz+GoeMVSAn61UQbVH +35ao1K+ALbkKz3X9iaV9JPrjIgwrvJUXCzO/GU1BBpAAvQxNEP4HteccbiJVMWWXvdMX0h5i +89vqbFCMP4QMls+3ywPgym2hFEwbid3tALBSfK+RbLE4E9HpEgjAALAcKxHad3A2m67OeYfc +gnDmCXRwVWmvo2ifv922ebPynXApVfSr/5Vh88lAbx3RvpO704gqu52/clpWcTs/1PPRCv4o +76Pu2ZmvA9OPYLfykqGxvYmJHzDNw6YuYjOuFgJ3RFrngQo8p0Quebg/BLxcoIfhG69Rjs3s +LPr4/m3wOnyqi+RnlTGNAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgGGMB0GA1UdDgQWBBTOw0q5mVXyuNtgv6l+vVa1lzan1jANBgkqhkiG9w0BAQsFAAOCAQEA +yqVVjOPIQW5pJ6d1Ee88hjZv0p3GeDgdaZaikmkuOGybfQTUiaWxMTeKySHMq2zNixya1r9I +0jJmwYrA8y8678Dj1JGG0VDjA9tzd29KOVPt3ibHtX2vK0LRdWLjSisCx1BL4GnilmwORGYQ +RI+tBev4eaymG+g3NJ1TyWGqolKvSnAWhsI6yLETcDbYz+70CjTVW0z9B5yiutkBclzzTcHd +DrEcDcRjvq30FPuJ7KJBDkzMyFdA0G4Dqs0MjomZmWzwPDCvON9vvKO+KSAnq3T/EyJ43pdS +VR6DtVQgA+6uwE9W3jfMw3+qBCe703e4YtsXfJwoIhNzbM8m9Yop5wAAAAIAF3N3aXNzY29t +cm9vdGV2Y2EyIFtqZGtdAAABVsJJmWYABVguNTA5AAAF5DCCBeAwggPIoAMCAQICEQDy+mTi +dGPTjf0QHQQfdspYMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYTAmNoMREwDwYDVQQKEwhT +d2lzc2NvbTElMCMGA1UECxMcRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEeMBwGA1UE +AxMVU3dpc3Njb20gUm9vdCBFViBDQSAyMB4XDTExMDYyNDA5NDUwOFoXDTMxMDYyNTA4NDUw +OFowZzELMAkGA1UEBhMCY2gxETAPBgNVBAoTCFN3aXNzY29tMSUwIwYDVQQLExxEaWdpdGFs +IENlcnRpZmljYXRlIFNlcnZpY2VzMR4wHAYDVQQDExVTd2lzc2NvbSBSb290IEVWIENBIDIw +ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDE9x0vV+pXbPdwXWOwcVIJYEQoM6N6 +Tgr62Opsi1EWGlWuVCbEzEUHQU8QeX9x0npOPzhOswDGlcpbzcEqg9cnHzEOIxa3JcsctLmA +Ml4anZPx6DxgLKdeVxlYUV68LFYLuNjvi4K0PLjCJKgTx6AhNht6Vykopy6/cSWQ80SDaVCk +5OEbYhmUCaPzw7zv9L3s2xOdz51ICVJnwDcpER770hGnhRh0eeRPhRTrUjfisUXYzA1Df64T +0msrP6fC4qhtdltDn760nbMmhjsff+Xy6GYoFiXQS5c4p+TPCdE2wwu+2jtEWI2+8Z4Jaz7z +Mscrh8bsXpz2h2WtMynEL4nZucvJA537bJRRlxAbhgsaGz/2An571MVRZCid9dOsg4GI03S0 +WZ3B62EzWkXRyznQBmpTYB2v9vtpvGrcAc+9+Y/ZvVvBOl+O2g9LqZudKihrGgp8PKsiC+V3 +LXH2gjWBrvh7gebq/qz0Gpt0XOiPJPZdnUbELNIeKyFqgydnVUqk48gyl2aQctrj1GQuX+Oh +avZg1Oc1zcrEaI3XccjTJDNzsWz5auEo21/GPei+VeY3G+0k2Q8Zj19jGFhQgVFlb/KffmoE +5zQkcbp2S1geGb0VYEWqDBJAAZ0Q4sc4B3IKZcC2uyUp2haeizWLYe3lcVeDtTxxn+NPv34e +gZ9BlwIDAQABo4GGMIGDMA4GA1UdDwEB/wQEAwIBhjAdBgNVHSEEFjAUMBIGB2CFdAFTAgIG +B2CFdAFTAgIwEgYDVR0TAQH/BAgwBgEB/wIBAzAdBgNVHQ4EFgQURdmlgW49iE2NcdJGwW5F +HvPEgJ0wHwYDVR0jBBgwFoAURdmlgW49iE2NcdJGwW5FHvPEgJ0wDQYJKoZIhvcNAQELBQAD +ggIBAJQ6cwafUkswXNT+sVwl+deOb/WHZJ/tFI64BI4oS4+qe445tNlY9nuhNQqhnYr3Y+Xr +vTmC1ON6LW/fEzy6/n5WmAvzVJ/NRE5uPOE+Fb8GJp3k8JC21MKeMC4f78d6xFDH6nvaUMt6 +JssAtFqrtZMfgImEBJWNjX8Jk7/UqKjkY23ZZOS4KVoIv1DhhA9Ve18IIhv1vZkeFPbO9FgQ +grMKPRnBv1urqpnY8jG95Thm3FgFx+1jGi4Kl3yHkyuyiuPx7BjldbYph+fcixp+tNjJ04oX +bH0pRL6KqvV+Oi5oMZO5atqa4NvpLqWEzRwKuEoI+ZzxYSaYk7d7ZuyRXt1RP9tzD60EWAnd +BAKVCj7Tdt+mEB6APejNpGTRM8eSx+JOROMJyU7CXYcOEp6/D8kFEN56o7E88j+lqid5rTF9 +H/38GWnF3bk/fM3GtMIwHn5uktd/YXZaj+uVTbwRbiF8WTeZ0Aa8+QZtMhal2Wmo4dw8gB5g +UdzXVCEeymJ3T/rYj7MrOg14csloQVpHSsKj6xrXCqs8MlXIChGc33TW8EAVHci5j7U2xa/4 +IrjKHfPWthkPn2Flaup0yHyPw09dZYIf2Q2J2nVy++/xR2cTs8jRGYgnJpqZeX8e5Cw/e+7x +3k2LlpfD1T98GyPtpLMdFnJDSyDhWX7C6K0mv6L3AAAAAgAXc3dpc3NzaWduZ29sZGcyY2Eg +W2pka10AAAFWwknSxwAFWC41MDkAAAW+MIIFujCCA6KgAwIBAgIJALtAHEP1Xk+wMA0GCSqG +SIb3DQEBBQUAMEUxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNV +BAMTFlN3aXNzU2lnbiBHb2xkIENBIC0gRzIwHhcNMDYxMDI1MDgzMDM1WhcNMzYxMDI1MDgz +MDM1WjBFMQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dpc3NTaWduIEFHMR8wHQYDVQQDExZT +d2lzc1NpZ24gR29sZCBDQSAtIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA +r+TufoskDhJuqVAtFkQ7kpJcyrhdhJJCEyq8ZVeCQD5XJM1QiyUqt2/876LQwB8CJEoTlo8j +E+YoWACjR8cGp4QjK7u9lit/VcyLwVcfDmJlD909Vopz2q5+bbqBHH5CjCA12UNNhPqE21Is +8w4ndwtrvxEvcnifLtg+5hg3Wipy+dpikJKVyh+c6bM8K8vzARO/Ws/BtQpgvd21mWRTuKCW +s2/iJneRjOBiEAKfNA+k1ZIzUd6+jbqEemA8atufK+ze3gE/bk3lUIbLtK/tREDFylqM2tIr +fKjuvqblCqoOpd8FUrdVxyJdMmqXl2MT28nbeTZ7hTpKxVKJ+STnnXepgv9VHKVxaSvRAiTy +sybUa9oEVeXBCsdtMDeQKuSeFDNeFhdVxVu1yzSJkvGdJo+hB9TGsnhQ2wwMC3wLjEHXuend +jIj3o02yMszYF9rNt85mndT9Xv+9lz4pded+p2JYryU0pUHHPbwNUMoDAw8IWh+Vc3hiv69y +FGkOpeUDDniOJihC8AcLYiAQZzlG+qkDzAQ4embvIIO1jEpWjpEA/I5cgt6IoMPiaG59je88 +3WX0XaxR7ySArqpWl2/5rX3aYT+YdzylkbYcjCbaZaIJbcHiVOO5ykxMgI93e2CaHt+28kge +DrpOVG2Y4OGiGqJ3UM/EY5LsRxmd6+ZrzsECAwEAAaOBrDCBqTAOBgNVHQ8BAf8EBAMCAQYw +DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUWyV7lqRlUX64OfPAeGZe6Drn8O4wHwYDVR0j +BBgwFoAUWyV7lqRlUX64OfPAeGZe6Drn8O4wRgYDVR0gBD8wPTA7BglghXQBWQECAQEwLjAs +BggrBgEFBQcCARYgaHR0cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcN +AQEFBQADggIBACe645R88a7A3hfm5djV9VSwg/S7zV4Fe0+fdWavPOhWfvxyeDgD2StiGwC5 ++OlgzczOUYrHUDFu4Up+GC9pWbY9ZIEr44OE5iKHjn3g7gKZYbge9LgriBIWhMIxkziWMaa5 +O1M/wySTVltpkuzFwbs4AOPsF6m43Md8AYOfMke6UiI0HTJ6CVanfCU2qT1L2sCCbwq7EsiH +SycR+R4tx5M/nttfJmtS2S6K8RTGRI0Vqbe/vd6mGu6uLftIdxf+u+yvGPUqUfA5hJeVbG4b +wyvEdGB5JbAKJ9/fXtI5z0V9QkvfsywexcZdylU6oJxpmo/a77KwPJ+HbBIrZXAVUjEaJM9v +MSNQH4xPjyPDdEFjHFWoFN0+4FFQz/EbMFYOkrCChdiDyyJkvC24JdVUorgG6q2SpCSgwYa1 +ShNqR88uC1aVVMvOmttqtKay20EIhid392qgQmwLOM7XdVAyksLfKzAiSNDVQTglXaTpXZ/G +lHXQRf0wl0OPkKsKx4ZzYEppLd6leNcG2mqeSz53OiATIgHQv2ieY2BrNU0LbbqhPcCT4H8j +s1WtciVORvnSFu+wZMEBnunKoGqYDs/YYPIvSbjkQuE4NRb0yG5P94FW6LqjviOvrv1vA+AC +OzB2+httQc8Bsem4yWb02ybzOqR08kkkW8mw0FfB+j564ZfJAAAAAgAVZW50cnVzdHJvb3Rj +YWcyIFtqZGtdAAABVsJJAHAABVguNTA5AAAEQjCCBD4wggMmoAMCAQICBEpTjCgwDQYJKoZI +hvcNAQELBQAwgb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYD +VQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAw +OSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVu +dHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMB4XDTA5MDcwNzE3MjU1 +NFoXDTMwMTIwNzE3NTU1NFowgb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJ +bmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQL +EzAoYykgMjAwOSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAw +BgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoS2ctueDGvimekwAad26jK4lUEaydphTlhy +z/72gnm/c2EGCqUn2LNf00VOHHLWTjLycooP94MZ0GqAgABFHrDH55q/ElcnHKNoLwqHvWpr +Dl5l8xx31dSFjXAhtLMy54ui1YY5ArG40kfO5MlJxDun3vtUfVe+8OhuwnmyOgtV4lCYFjIT +XC94VsHClLPyWuQnmp8k18bs0JslguPMwsRFxYyXegZrKhGfqQpuSDtv29QRGUL3jwe/9VNf +nD70FyzmaaxOMkxid+q36OW7NLwZi66cUee3frVTsTMi5W3PcDwa+uKbZ7aD9I2lr2JMTeBY +rGQ0EgP4to2UYySkcQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB +/zAdBgNVHQ4EFgQUanImetAe733nO2lR1GyNn5ASZqswDQYJKoZIhvcNAQELBQADggEBAHmf +HZbGtnk/Io2H04cDBGBqa5ouWYlzEaxD0fUT/405K8DyvU9wjKkv6hfEC1Se1BuWmDM8qK1i +ogB2q1lpbgYdfsS5RI2YrxLUYdsKGUZH8+v3Y8FABUCl0rf0tZo2v6mIdogEVQQrnId/Gjc8 +fi2lGtjUiV7Kvaw9bNhtr9Xzdg/NO4g4Ip1sk5rEPb+CG2U/pg9dqvzlshXKta3GvD3QhOjq +BnKwTTkyeL8+EZwLpJ2aIfPwmwsweNvB3IdD/rxjmsrFwhzJx43/OxJYCOa2Pex6LE77g5bO +DDxph1RzpHPCk/9REKwVVAHY/AWxiaF/dIOaSdfcTnuKSG+LRfYAAAACABdxdW92YWRpc3Jv +b3RjYTJnMyBbamRrXQAAAVbCSdyOAAVYLjUwOQAABWQwggVgMIIDSKADAgECAhREVzQkW4GJ +mzXyzrgrO1unJvB1KDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJCTTEZMBcGA1UEChMQ +UXVvVmFkaXMgTGltaXRlZDEeMBwGA1UEAxMVUXVvVmFkaXMgUm9vdCBDQSAyIEczMB4XDTEy +MDExMjE4NTkzMloXDTQyMDExMjE4NTkzMlowSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1 +b1ZhZGlzIExpbWl0ZWQxHjAcBgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMiBHMzCCAiIwDQYJ +KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKGuJbIBGNxXiD9G6/mv4usjceKa0WFmIV+qrydR +5W4bFtQtfVCwU3e9eDpg4mQCm3yGm9Yajq3/HxV/1ZUeEsvmFIQEwd82sxafiuPJ25g0ztgz +FyhG/KfJ8NK01U0Jckn58ofjqdp9oX1rsjolqW1SRKz4vm773KZzkZBhpgMUIPLnh6OIra2g +jP+mCyVSJecWAdXLuDWBDKM78OHh/FpdzoBxbfhJqz47urjXgAH7petbs8VeYCoxoK836CA6 +n6gyLAzMCR3Tno5dvEyY7sUaaHvsU6bpFDWj382AnwxI+xz08b9KuPrVjHFKxx+t/kGas4Nd +8oRW76VXQ84prYyrVb/E+1sB3SMhoVgAjsPQahPtE+MSK4DcZ+aVss0eIm4q+EHU8soUB42K +VRLGafW4hmgvU16w0qohwZjmMONnVcebbqwZqFWmRQbQIzrb62VdKhER8DtPym30NMRx5P8A +WvZcriNghXPx5BCxJa7VkrsTwQzgOdq0OVe1qzWqciE7gzXnMd96IW64Mgh9HTKRFUpics/j +d6G81REbdgFnCOBBC8PrFW74pBnZoquv4idSVisCiiwUJPm/QgK/JsjGj+BuOH1TLeXtmLOV +Y2h/+TX034jFYDWSwHxpHGGVFtDr3guvPgQQRWVYUDivSPJZthbyPA2QAsZwLgGtPBXXAgMB +AAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTt5292 +Wr9g7ElbxqV3u3IWcZvEPTANBgkqhkiG9w0BAQsFAAOCAgEAkd+AP0MJfnHC9+uziI/hUbK8 +PXX5KF3IvJmbe12q5crhCvfostOf3WcxfroBqsdqQTuQ1AhcsmBqkPDIzgNi+Yvt+24q3AZN +PCkPiRaKWExID+iEYeo8cqZ35EKuiKNDWHl+rsqlUw2pPXC9IBlhpGw4/EMy4cFH//js8REi +MpacwvZbaZZ7IAxDQZpb9lkZiN5ViDdRC3hcCh6jQv3HnYgPwPJ4AiRUk6+Jh4jJSoAd6tBu +PmEuNrs1DieW/WY0O2Fyc/EWXEcGVEkAelgSsArvhf2xuDN1apMcEuZgXm8df8kfI8uEYZ8e +gkT5X61iVSSaUpjtUeehfpc65i8fEdpTgCyFnqs1ENsiX2rFXpdT8jICCTCjWPANAdVyxrF8 +aXvD9TZFzGFuXkyUxV6u6A5ei7/3zeDtoQ4bM+5UGP4Pvu9+hGtD43CY2111sg1ZB4UVIznW +8d+pJg/WSMezpiL1MzdalUefe7oYFW//1hRkg0nSCmch2w81Y2AoIuOxlYPNhabdLw/nZ1Ju +uy+FfPVKc+fFPsC9IRIFP/y3A0kCW8gl5uJUOPV5h4wdU7JOhXsGOMcs+Piwco0l5XdS9AMc +SKZQX4ggMG7ygkOrPZeE51P7IcFPDyKahrhZKvZHPRmILeiF4Z7shQhqsWw0yR3sSCs7eO1m +xI55aYPef4wAAAACACN1dG51c2VyZmlyc3RjbGllbnRhdXRoZW1haWxjYSBbamRrXQAAAVbC +SOI3AAVYLjUwOQAABKYwggSiMIIDiqADAgECAhBEvgyLUAAktBHTNiUlZ8mJMA0GCSqGSIb3 +DQEBBQUAMIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFr +ZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6 +Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0 +aGVudGljYXRpb24gYW5kIEVtYWlsMB4XDTk5MDcwOTE3Mjg1MFoXDTE5MDcwOTE3MzY1OFow +ga4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkx +HjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMYaHR0cDovL3d3dy51 +c2VydHJ1c3QuY29tMTYwNAYDVQQDEy1VVE4tVVNFUkZpcnN0LUNsaWVudCBBdXRoZW50aWNh +dGlvbiBhbmQgRW1haWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyOYWk8n2r +QTtiRjeuzcFgdbw5ZflKGkeiucxIzGqY1U01GbmkQuXOSeKKLx580jEHx060g2SdLinVomTE +hb2FUTV5pE5okHsceqSSqBfymBXyk8zJpDKVuwxPML2YoAuL5W4bokb6eLyib6tZXqUvz8ra +baov66yhs2qqty5nNYt54R5piOLmRs2gpeq+C852OnoOm+r82idbPXMfIuZIYcZM82mxqC4b +ttQxICy8goqOpA6l14lD/BZarx1x1xFZ2rqHDa/68+HC8KTFZ4zW1lQ63gqkugN3s2XI/R7T +dGKqGMpokx6hhX71R2XL+E1XKHTSNP8wtu72YjAUjCzrAgMBAAGjgbkwgbYwCwYDVR0PBAQD +AgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFImCZ33EnSZwAEu0UEh83j2uBG59MFgG +A1UdHwRRME8wTaBLoEmGR2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VVE4tVVNFUkZpcnN0 +LUNsaWVudEF1dGhlbnRpY2F0aW9uYW5kRW1haWwuY3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMC +BggrBgEFBQcDBDANBgkqhkiG9w0BAQUFAAOCAQEAsW1hXaYaf3yrSuQw/FNvJSTGyu3iMVwr +Du7uYVVvBD7POd7FG0mU5OsgTLTmnlAuctmN9aqjs0raVhxgl4DcgqKtSr2KK/8LCbTG1yAE +ReTNgAG6uituzqrXkv7kr+v0Jh0WKn9sMJU3LzMSrH/dx9ERjFGYstCjkdCt9p+eg5MeHUK4 +Rq9rZvCbf+rjAwLlAlHBqtU1nXJAA4m6MR3FEGhSnt+ihcVcCKZ45lNPsei30xSek6bDZOOs +fnHNvJ/pAxvM++msMcGvfBV0ApnDskemwjJh18dvSCRRJ6HVh1Xye4+YPRae7nW2+NCO8vPG +rihbp/DzNhf8wwXTygNKVAAAAAIAE3NlY3VyZXRydXN0Y2EgW2pka10AAAFWwkjajAAFWC41 +MDkAAAO8MIIDuDCCAqCgAwIBAgIQDPCOXAgWpa1Cf/DrJxhZ0DANBgkqhkiG9w0BAQUFADBI +MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xFzAVBgNV +BAMTDlNlY3VyZVRydXN0IENBMB4XDTA2MTEwNzE5MzExOFoXDTI5MTIzMTE5NDA1NVowSDEL +MAkGA1UEBhMCVVMxIDAeBgNVBAoTF1NlY3VyZVRydXN0IENvcnBvcmF0aW9uMRcwFQYDVQQD +Ew5TZWN1cmVUcnVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKukgeWV +zfX2FI7CT8rU4niVWJxB4Q2ZQCQXOZEzZum+4YOvYlyJ0fwkW2Gz4BERQRwdbvC4u/jep4G6 +pkjGnx29vo6pQT64lO0pGtSO0gMdA+9tDWccV9cGrcrI9f4Or2YlSASWC12juhbDCE/RRvgU +XPLIXgGZbf2IzIaowW8xQmxSPmjL8xk037uHGFaAJsTQ3MBv396gwpEWoGQRS0S8Hvbn+mPe +Zqx2pHGj7DaUaHp3pLHnDi+BeuK1cobvomuL8A/b01k/unK8RCSc43Oz969XL0Imnal0ugBS +8kvNU3xHCzaFDmapCJcWNFfBZveA4+1wVMeT4C4oFVmHursCAwEAAaOBnTCBmjATBgkrBgEE +AYI3FAIEBh4EAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +QjK2FvoE/f5dS3rD/fdMQB1aQ68wNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL2NybC5zZWN1 +cmV0cnVzdC5jb20vU1RDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQAD +ggEBADDtT0rhWDpSclu1pqNlGKa7UTt36Z3q059c4EVlew3KW+JwULKUBRSuSceNQQcSc5R+ +DCMh/bwQf2AQWnL1mA6s7Ll/3XpvXdMc9P+IBWlCqQVxyLesJugutIxq/3HcuLHfmbx8IVQr +5Fiiu1cprp6poxkmD5kuCLDv/WnPmRoJjeOnnyvJNjR7JLN4TJUXpAYmHrZkUjZfYGfZnMUF +dAvnZyPSCPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR +3ItHuuG51WLQoqD0ZwV4KWMabwTW+MZMo5qxN7SN5ShLHZ4swrhovO0C7jEAAAACABpjYW1l +cmZpcm1hY2hhbWJlcnNjYSBbamRrXQAAAVbCSeX0AAVYLjUwOQAAB1MwggdPMIIFN6ADAgEC +AgkAo9pCfqSxrtowDQYJKoZIhvcNAQEFBQAwga4xCzAJBgNVBAYTAkVVMUMwQQYDVQQHEzpN +YWRyaWQgKHNlZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNhbWVyZmlybWEuY29tL2FkZHJl +c3MpMRIwEAYDVQQFEwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENhbWVyZmlybWEgUy5BLjEp +MCcGA1UEAxMgQ2hhbWJlcnMgb2YgQ29tbWVyY2UgUm9vdCAtIDIwMDgwHhcNMDgwODAxMTIy +OTUwWhcNMzgwNzMxMTIyOTUwWjCBrjELMAkGA1UEBhMCRVUxQzBBBgNVBAcTOk1hZHJpZCAo +c2VlIGN1cnJlbnQgYWRkcmVzcyBhdCB3d3cuY2FtZXJmaXJtYS5jb20vYWRkcmVzcykxEjAQ +BgNVBAUTCUE4Mjc0MzI4NzEbMBkGA1UEChMSQUMgQ2FtZXJmaXJtYSBTLkEuMSkwJwYDVQQD +EyBDaGFtYmVycyBvZiBDb21tZXJjZSBSb290IC0gMjAwODCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBAK8Ay3A3K4BaSjpseJR9o38aH/Y11b3byw1Ecj4mspBSumM7KFhvpbNt +lKbz3WQMVfb25/IiIoBe4WLGtinhgWzyv+V9MmpUoDIZWf4fi9c9YIaFJG/jEbN3PiCWNSFr +swjZcC5k94SSU9YOsJCKiuOHjQbTvZAO4pmhG4YO2poKuwthUAZS8Z5/duzLD9AeDc+ZMD0c +xEUQWKzW0+jX5erFAQd31lHmA3+KSKVNaHW56byeThlx9TJLnG1gGQv7zJ113L8mzY+TeDl5 +c14lDspc63cSB8tkQUdyk6tQw+sJdmQ00jm3dhEJDXZFxKmuPWqvtX1lL5RYEOxcfK9+4rYY +2dCbTlpJ36lmC8w8xnh8p5wd486OU74F3mAPa+Ua2z/j4SHJKcHx6wecUhsBRFE8eyXXxOVS +VF0lB8oWILit5EHuegj+mW+DppECsGw2VWrnffWW5sqB1pfxlIPp7bCxaxJpHqz7XanFmOm0 +W1h6vj2iRDpjWdQLJd4bT73lAZ7N0inVnxcZCm+/DJDTCV/Z44o1zHlaTRk3krfEwa2v9Hkk +mrIBC7GvXJbzgDL7XD2Y8aA/St6+r5Qu2VWaF25gnWNsuGPJroFcGDXgkLu+PE83Irl+68+e +dyGmPTiB+0jaMT0r44n10LW9fuBQxBKJsyOaEDGF265v7zgzGHYRAgMBAAGjggFsMIIBaDAS +BgNVHRMBAf8ECDAGAQH/AgEMMB0GA1UdDgQWBBT5JKwPsrX4ecD6YIgbxNlNAp4XGTCB4wYD +VR0jBIHbMIHYgBT5JKwPsrX4ecD6YIgbxNlNAp4XGaGBtKSBsTCBrjELMAkGA1UEBhMCRVUx +QzBBBgNVBAcTOk1hZHJpZCAoc2VlIGN1cnJlbnQgYWRkcmVzcyBhdCB3d3cuY2FtZXJmaXJt +YS5jb20vYWRkcmVzcykxEjAQBgNVBAUTCUE4Mjc0MzI4NzEbMBkGA1UEChMSQUMgQ2FtZXJm +aXJtYSBTLkEuMSkwJwYDVQQDEyBDaGFtYmVycyBvZiBDb21tZXJjZSBSb290IC0gMjAwOIIJ +AKPaQn6ksa7aMA4GA1UdDwEB/wQEAwIBBjA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEF +BQcCARYcaHR0cDovL3BvbGljeS5jYW1lcmZpcm1hLmNvbTANBgkqhkiG9w0BAQUFAAOCAgEA +kBKvIjXCoznwLt7ptel4fEi+P31Fkl7p2rEZ/BY8n7RbZp5q58O5XYjoD63PIw/eJTpezE+l +wbUtrCTSWAfeos9phGAz6BANE6kj0IXljnumnj1yE3Iz9ap9xmMfCPT+AX8kzyssVAne4itt +ksY5TxbqPH56RtRFakao63WCVqeroHxoEzP2nTDwbyc5JCMqkP2QKTXyk980pcb3+O+MD2JK +fK7T9VT4jbaaVocWgjozq1oiCPeCuuou4EeatLVFowU72dwuRUA76tx/6Dvr0ewm2DWkMMU6 +rFees3alIHv5HkoFYgGmKHVgl5INbj5NN0MNkhWcGCLNUZmgKRo8X4oyM1swx4kvR5gPowPG +9vGs3zLw2YEa5Jy99oAU8NEsuYX12KOxyKUh5RwTl+4Ovd8pqe80U1vT5GoThAa2MgLEUq4i +0tyyIUIa2kDwKcnsCgxc4tC6zEjTNwrMEgqKebA9A39pS/Q0IH2zNOqOS2T1Pv2zI2cVDQS4 +8C3BCVE8smwV8KUj14N05OUuyf6YJ0LGq8aesNBbOKWbUN5+GJi1RTv2ebTo9xp7BoP70Iva +u8e9GKsIbzyAa0A/GRm6ZYrmvtVc0zbX70BSJGA4ZwQx7I/zgsbeuVXzOzGRWty1CBWtdiUK +DXsuh+IMpga8JhBtN53s3XiMfIDF8Nl3SNAAAAACABdnZW90cnVzdHByaW1hcnljYSBbamRr +XQAAAVbCSTGaAAVYLjUwOQAAA4AwggN8MIICZKADAgECAhAYrLVq/Wm2FTpjbK/a+sShMA0G +CSqGSIb3DQEBBQUAMFgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTEw +LwYDVQQDEyhHZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2 +MTEyNzAwMDAwMFoXDTM2MDcxNjIzNTk1OVowWDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdl +b1RydXN0IEluYy4xMTAvBgNVBAMTKEdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB +dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+uBV7/9R8fWetg2R7 +yEJTLd/2hAggYdYBWWqcRBGv73b9lX7OYTC7eoNfAr0BZsruFY1voTCcvaGFnpQ681aIADHP +2O5qlgLZ7QOM+3Vt5+q4VRYFFpr04F6xiMBkhVwVTYjHt7rgdemtBT2dx4lI4LsoyAPhMJNk +XlLAWXAiNVeIivGVCoPXvDFzATTt70Zx4GsCqDVya5ebZuDLHHlf2BoEaB5HAuadYOI2lwHf +zjWS375nx213WTuPndaQFZS8QjQQwTn5sSc+ftaKdcWyr5bTot6b5Ji+feHpga22b/zXDtrg +NLANGnfn4wiY71j6nIS3Nq/C36zS9BAGcHE1AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8w +DgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQs1VBBlxWL8I82YVtK+2vZmckzkjANBgkqhkiG +9w0BAQUFAAOCAQEAWnB/LN23NE/1hlGpJr5LuKrxcQ3cYceg6jQeencPBDXoJ49skL+RFiRG +PkpOzisW1QtSHfwfZ6ICRTFPzvP6A6d5nVNq2dpjOviA19OZ4aXhvtRVcZg1Or6T6q6tQrKQ +b+D8IU01YzOJSdabTsrH504JAPfax++ZYpl3tpUiXoqgq/S4eJjKOBmZyXKeeM1LrK8ZoHMS +LfzCQbqBkdoWWjG3+bRxgBJImXJzWllTwWNSM+2nydI5AnD64LFCZimqm1HtMFQiFF/Zqx3B +5JTw+PUr9+rKeEbWuJH9pg0rGhQBPoDwQqCVB15tzcxLpEWNqxLos95a5aB86A8iHVrpWQAA +AAIAGWlkZW50cnVzdGNvbW1lcmNpYWwgW2pka10AAAFWwknvngAFWC41MDkAAAVkMIIFYDCC +A0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJV +UzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBS +b290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQwMTE2MTgxMjIzWjBKMQswCQYDVQQGEwJV +UzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBS +b290IENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9R +YYKyqU+PZ4ldhNlT3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYof +WjK9ouuU+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp +S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1bVoE/c40 +yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORiT0/Br4sOdBeo0XKI +anoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCLvYf5jysjCiN2O/cz4ckA82n5 +S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjKVsk9+w8YfYs7wRPCTY/JTw436R+hDmrf +Yi7LNQZReSzIJTj0+kuniVyc0uMNOYZKdHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT +7uje/5kdX7rL6B7yuVBgwDHTc+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNk +K2PXMl6f+cB7D3hvl7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqx +C0EOoP5NiGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB +/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQADggIBAA2u +kDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH6oi6mYtQlNeCgN9h +CQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwtLRvM7Kqas6pgghstO8OEPVeK +lh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93nAbowacYXVKV7cndJZ5t+qntozo00Fl7 +2u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzl +VYA211QC//G5Xc7UI2/YRYRKW2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUX +feu+h1sXIFRRk0pTAwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU4 +7/rokTLql1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG +4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZmUlO+KWA +2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A7/qxXDgGpRtK4dw4 +LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6HAAAAAgAbdGhhd3RlcHJpbWFyeXJvb3RjYWczIFtq +ZGtdAAABVsJJIX8ABVguNTA5AAAELjCCBCowggMSoAMCAQICEGABl7dGp+q0tJrWSy/3kPsw +DQYJKoZIhvcNAQELBQAwga4xCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwx0aGF3dGUsIEluYy4x +KDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xODA2BgNVBAsTLyhj +KSAyMDA4IHRoYXd0ZSwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MSQwIgYDVQQD +Ext0aGF3dGUgUHJpbWFyeSBSb290IENBIC0gRzMwHhcNMDgwNDAyMDAwMDAwWhcNMzcxMjAx +MjM1OTU5WjCBrjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UE +CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDgg +dGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNVBAMTG3RoYXd0 +ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALK/Jyz729hb3Xh7G553ZoHLPrx8rvOmJ5o0o2gxcTgzYuTzcWZ5sallo6WL1Y9gLT9CzKpr +MsAjyyxB3eTf/GGc4nOyIpURQxhfxLYfV2wKBVgiyDZMOnyl0c+Gr4inRAITdHFzCkJZAvgb +FGtC329fumuCop1b50q9HgFy20t06Dt/f30fBLQmm+C0WqxHPVW417AmUigBMUBm2NkkvfYq +2OwhSVyb9nrpf1U1fpZrjZOTJ8uSu+qsQMCfwviAz130WtzOdIamPmwLU8q9ks4ZBnLmDFw4 +accE1rxszlv292ic3CUVSIih6an4mJzg89UxKGERbGeWjTmZy8JFJDkCAwEAAaNCMEAwDwYD +VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFK1sqpRgnO3k//o+CnQr +YwP3tlm/MA0GCSqGSIb3DQEBCwUAA4IBAQAaQNiVZawJkonGOfQQ5akOZlNdeN76JJG750RR +38YWNArvakRR6isHigN6w+s/CixSFqArQ7klkD9wqTMlbUUaKDsnz6rDKUIb3ztMwDM0W0GI +v2srZa8o77L1w6pmzntW7rfIy2fByZwaGLjEw0kD8WAOUM1GxfN3efe2FeA428cvKKAMP3cm +dNklEtox2hoe3ClBkSI8aae7AvK2XCcDifQG6pvkcoLjoQnB6QAZ0z7UcGu6caaqWK70u+ls +tu+HzJu7/znmVmHTCqfEXExgewV3Jnq/2AdSLGL3cGPZObxvHMJ53HYpr87FLGQEXog2bjHU +QBpiNDY/NQGurGOgAAAAAgAVYnV5cGFzc2NsYXNzM2NhIFtqZGtdAAABVsJJKpsABVguNTA5 +AAAFXTCCBVkwggNBoAMCAQICAQIwDQYJKoZIhvcNAQELBQAwTjELMAkGA1UEBhMCTk8xHTAb +BgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAwHgYDVQQDDBdCdXlwYXNzIENsYXNzIDMg +Um9vdCBDQTAeFw0xMDEwMjYwODI4NThaFw00MDEwMjYwODI4NThaME4xCzAJBgNVBAYTAk5P +MR0wGwYDVQQKDBRCdXlwYXNzIEFTLTk4MzE2MzMyNzEgMB4GA1UEAwwXQnV5cGFzcyBDbGFz +cyAzIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCl2gqVFlDjlfJe +nXYxBjJ6m/EQdrgAmrVSNs0kR7CfGGS8mvb61XnYkGJMIi/eOD3W4KjpHCzbeBHpjmhRFXLH +8zOH5KBdC1zgVwcqMPXNxDd3KE0Ykea/1VL9cS1wPufGxIrj8CgL9HaYoYuHVbI6E/y3Pic3 +jiLjqE8q72C7Pbc5ww4BR5ldEk/bQ/pXoe35nb4RRyZbE5irXRaKsDccV51F/4iWNr+7ygd7 +b4dj19AyatZdbAzxs2454msxLjkAJxTeOMDsGWaGEuidchYTZFLHqTcc/YIw7YQYHfSuXP9w +EwDrsfUzekvWVfgFjUtpsPWzKDZcFMRRc01rC/E0B9sXOdfcKHtr9Z/zLsFPFyoQ88zK6Ov9 +a6sump8tgm4E1FIBky09hvx+/N/vQh2ma++5IMb3vaCnlf2n5okk2MyMNGziIy/ZEhohuVWR +bwuReRkMrUCIC3DietIO2GhIu4ITORBY6dgqB8YS21jb0jtVEEcFFWdifhhjpkY/CQ5UMl6/ +DWJ6J++A6NvZSwZaN1ol0AgSd9RvCVCXPcgdw9+MRTBWxtNkq2bzwF6WnMPE78N8a4s6eX+z +Sc894omfoDBLhbmclCR5j31rqUVoDyvQ8docy2m4yklibcjQY2LdYA9Yqo+hvAWlZqLPG3ay +hGSxTDlSwDC68IxLArC2twIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRH +uM3/5W/u+LLsL04O+SWwjjxrwzAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIB +AAAgI0E1BJDCQGJg7+I1TNc/rOI0kLihb3b6FhakSDcs6ZDC8jz4Cp/YgeW7W9olLKSnVXEk +MvbIC/K8aviTrLIHwl+f28zIiqq+am/hSRDMMdeAu7vI2KIOZFfqovXCqTEV0iBq7PwiASjP +hriAHqnMEaU88hazR5380oAhxMvQR3BBocqDGQgsbfJdd5yKFBPUNhyS8OUGN9ym5pCbOI9c +axtGhkNCXz4BB1NUXWV994pzoZpUWh8pQxQnwoUPtYh7GjuUtx1gp7Wc5ylpV1qbk3pDMBsD +12LIQKaq/GTkSteRUwGoIIhunF9EuctggTTsb9N92khf67SQvC2pHAusHNWiaCCABNb8sY8v +u0oxDUqGHOviNikm9drYxPJ1Yc9+rnZjSnpAZZOH+B6AjIblhtaPDvxTLGDoFmEaoj5De805 +YFRq9fKJJgFog0iiM+jJBJGyETQRPurQQxkfA5OQDP9RPVf0QW7hy6C+68ljzW3M5Pg2qmid +7b1dl3BEDbYONdzhDF27oFGUy34W6xEvo5JFyExx2bzJmVJXRi9Qz701afQ9Fc4GpSwPPvaB +upS7w7u/ZXjShnn/STsagwzw3njsyPJNTBregin4wVra7e7mJ17oRdCdHFGoaKtE49CLauP4 +O7vcTddk8lG+5qqrWukx7ga8c78TYgqfx7mXAAAAAgATdmVyaXNpZ250c2FjYSBbamRrXQAA +AVbCSZyAAAVYLjUwOQAAArQwggKwMIICGaADAgECAhBnyOHo474cvfyRO46mI4dJMA0GCSqG +SIb3DQEBBQUAMIGLMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRQwEgYD +VQQHEwtEdXJiYW52aWxsZTEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRUaGF3dGUgQ2Vy +dGlmaWNhdGlvbjEfMB0GA1UEAxMWVGhhd3RlIFRpbWVzdGFtcGluZyBDQTAeFw05NzAxMDEw +MDAwMDBaFw0yMTAxMDEyMzU5NTlaMIGLMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVy +biBDYXBlMRQwEgYDVQQHEwtEdXJiYW52aWxsZTEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQL +ExRUaGF3dGUgQ2VydGlmaWNhdGlvbjEfMB0GA1UEAxMWVGhhd3RlIFRpbWVzdGFtcGluZyBD +QTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1itYeGFFhlPqNHtRnO2w5i4YDv7gX6gn +07TJ4HxZThYOc1RgwX/2ny7pOoUkFTzbRwRjw57ElBpa30x689lDHTwQenkl25D+8FHnMNZB +AP2fKN95vpS7nbYU4yOF16lB4EykebArGovy+DuKPkWscZIAtJBBmPtf7fq3Lor4iDcCAwEA +AaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBL6aoXgQX7eQoxn8VB +9FZUq+nC5ZeOGP6RyQw+JmTJoUwnZKe9AZNVcW4XTzncG9xJNRA5I//Km8jPZj/cTBrUgQZC +Uh/hJrEWF7rmcHIxROhOjVvk0/nQ448lZDHnKvgYiDYaUsUNQTUbabcm9RfMwRleS3xc4oOA +kfov+5q3FgAAAAIAGHZlcmlzaWduY2xhc3MzZzRjYSBbamRrXQAAAVbCSVjwAAVYLjUwOQAA +A4gwggOEMIIDCqADAgECAhAvgP4jjA4iD0hnEiiRh6yzMAoGCCqGSM49BAMDMIHKMQswCQYD +VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy +dXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA3IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1 +dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWduIENsYXNzIDMgUHVibGljIFBy +aW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHNDAeFw0wNzExMDUwMDAwMDBaFw0z +ODAxMTgyMzU5NTlaMIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4x +HzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA3IFZl +cmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT +aWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH +NDB2MBAGByqGSM49AgEGBSuBBAAiA2IABKdWenxS2mSbDi1c2F6skj3+AeYZSj0UA0v6YCcg +2YOJafpUxpoYXlUqZN4G9o1KO60QPGU9kIgEieAwYbOuXQGne958sr7KZWEAhq7aj3vQia1N +HVmaQbG8R4DcnmLD+aOBsjCBrzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjBt +BggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBSP5dMa +hqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvLmdp +ZjAdBgNVHQ4EFgQUsxaR/e6mbuS1LkmPh3iBgOzlsbUwCgYIKoZIzj0EAwMDaAAwZQIwZiEM +GCZgWjh7VkLgp/w2hFGRICx2TUM9xB2EI9Cs1nw1Bs7Nab2QDdtsSEIdDqpCAjEAnD1IOSM5 +WBoVEllqnu/VWbIdUiyZcc3HKd8bKmF7cdHe88DlDTpKqi2n2IYq3S4QAAAAAgAbYmFsdGlt +b3JlY3liZXJ0cnVzdGNhIFtqZGtdAAABVsJJQLYABVguNTA5AAADezCCA3cwggJfoAMCAQIC +BAIAALkwDQYJKoZIhvcNAQEFBQAwWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y +ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVyVHJ1c3Qg +Um9vdDAeFw0wMDA1MTIxODQ2MDBaFw0yNTA1MTIyMzU5MDBaMFoxCzAJBgNVBAYTAklFMRIw +EAYDVQQKEwlCYWx0aW1vcmUxEzARBgNVBAsTCkN5YmVyVHJ1c3QxIjAgBgNVBAMTGUJhbHRp +bW9yZSBDeWJlclRydXN0IFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCj +BLsiq5g9V+gmcpq1edQp4uHolYCxsONbjispmmTfoV3tsAkFbdsoLs5iomL+tIjaEus46yGd +wEErAVJ7iHfTHI/HurmItWoJ53PoEUCn0czKYo0t5Y8LplDSqFDDKOr1qyWHipqWHKlnuD8M +1ff5UhMvwhvVcHDwj8ASygbLmuHZyjN6d9b47LnxaERCSBPSwMKkrl5g/ramBfy03QdZAtRZ +GJhj9aVj4JAMfV2yBnrzherr1AOuXoQ+X/8V7Wm8+Tk2cnXPd1JN88mQLLk95ckjUz8fJJgh +XAeZKb3GOuznboY6a5d0YzO9aBgx8HiNdr/8no5dKoanTZDcJxo5AgMBAAGjRTBDMB0GA1Ud +DgQWBBTlnVkwgkdYzKz6CFQ2hns6tQRN8DASBgNVHRMBAf8ECDAGAQH/AgEDMA4GA1UdDwEB +/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAhQxdjuRvUWhCBaDdu08nJYQDvfdk/S3XMOOk +EBfr2ikptnk/dvYZEyO4EAr5WKTUYXC9BGFqEooX1Qq9xbwwfNbpDCWNhkBP7MyjfjjGNxFP +7d1oMY5M0rMBdO6+dV4HSBp/cP8WXITAeYW4Bf1/vmURow/AArT4Ujc5BNWpMXoYv6Aq9BKZ +96NFguM8XvWdnrXInnwuyKSeTggUS239cG1rGmO9ZOYft87w8p8uuxu38lCIc5LC4uMWjZoy +AquOGN3pEBHufjWrkK8+MJR60DM9p2UP9fyOnmLPR0QsAV27HbUy0kfSOC7Q/oHcMmoete48 +1fzngR0ZwyRC6mM5qQAAAAIAG2d0ZWN5YmVydHJ1c3RnbG9iYWxjYSBbamRrXQAAAVbCSXQD +AAVYLjUwOQAAAl4wggJaMIIBwwICAaUwDQYJKoZIhvcNAQEEBQAwdTELMAkGA1UEBhMCVVMx +GDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEnMCUGA1UECxMeR1RFIEN5YmVyVHJ1c3QgU29s +dXRpb25zLCBJbmMuMSMwIQYDVQQDExpHVEUgQ3liZXJUcnVzdCBHbG9iYWwgUm9vdDAeFw05 +ODA4MTMwMDI5MDBaFw0xODA4MTMyMzU5MDBaMHUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9H +VEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5j +LjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJvb3QwgZ8wDQYJKoZIhvcNAQEB +BQADgY0AMIGJAoGBAJUPoLbwUJzoeseIzd0XDi6wlNAbPQ72lMCKlMcGyJCXyLhkGnp+bDxT +4Tcoc2B/spdTB59T+W1YlNKvjW2IZ4Dm7bKVz3IxyqUccrpcAudkQuf5qSzWOg2sjUKqJAE5 +5pw/AYVXDViHRfjThaqTaSaFcEiAPxIVx3m0HwUvO2KZAgMBAAEwDQYJKoZIhvcNAQEEBQAD +gYEAbesbCele2VHbZyJhpCo8SHfjoHym3nOiFAOFPfurDjDFgxYzgRMInns0Tt9AyHTXuX3c +9HZVfZtjVBjp8OrzXLHZi0IeucCVTrr61eJ89Whhv47sBZdfW7DXo4U0xCSnDQ+Vk+/LlNie +H51chW3Hqq5PHyK1zZWtuqfM+asLen8AAAACABpsdXh0cnVzdGdsb2JhbHJvb3RjYSBbamRr +XQAAAVbCScIfAAVYLjUwOQAAA2gwggNkMIICTKADAgECAgILuDANBgkqhkiG9w0BAQsFADBE +MQswCQYDVQQGEwJMVTEWMBQGA1UEChMNTHV4VHJ1c3Qgcy5hLjEdMBsGA1UEAxMUTHV4VHJ1 +c3QgR2xvYmFsIFJvb3QwHhcNMTEwMzE3MDk1MTM3WhcNMjEwMzE3MDk1MTM3WjBEMQswCQYD +VQQGEwJMVTEWMBQGA1UEChMNTHV4VHJ1c3Qgcy5hLjEdMBsGA1UEAxMUTHV4VHJ1c3QgR2xv +YmFsIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyf6dA8CLKDPbrsfHL +DpVXQHWvoD8+zuyqMlfmGbFnQ5haa3yzuPp4nKqmhLJgG4BBzmPNHxcImaT17z4Sx0ywV5pc +eEB4/EWN2pFn3DpRuW1z5rc5jnY6tB8F9WlV+ZPPeIhKvqqb13tHW0YETIIWpjX2/HTf1rSv +2OK1JxF0WaLCZixoCuGYiIg8igV1FOO4rvMIhJtqwT8xGK8npUubpP15Md6YPQ5hyoeYwfiK +MJz6PjPVpcQDB+H3lnQYACc4J9ErqqrhQUWLb/Elwtyil5XHQhQzXXmEI2rnZcBXoNhdqWMB +57Dki+j4xWO45Wx0kD3Hd/wrunnppMYSeKf/AgMBAAGjYDBeMAwGA1UdEwQFMAMBAf8wDgYD +VR0PAQH/BAQDAgEGMB8GA1UdIwQYMBaAFBcVhYkJLySHbz8dG+TylnmDSBPOMB0GA1UdDgQW +BBQXFYWJCS8kh28/HRvk8pZ5g0gTzjANBgkqhkiG9w0BAQsFAAOCAQEAWvAc0NRQz0F+5rid +fcNw0F42/26Oei/eSBHVNC48t0XCVCWn4cEeN4O2lK62RUgD6pW+65xqtDdcHy7Ta4KBQ1sK +PxFVY6z6fAgCN6A8OQQz/pcyyFLl2SVNsMbuaB9wqnPOVwPcfQoNM/LSWt8KbDvMEVGXGqQh +ooU1AteAItKEsvjAqmi/1euqwwuroXwr9/U7h+FUV+wFJO95Qk7zi2if5G7LgpnJzCrcU8If +cIOrIQ9WtEj/3wcis4z5HaYE3y0DNrndb/4xiGb/bG1ENK8Idz4m0nL0u0dWkzyYY+Ezu5kj +krWDeegdn2etYtaJ1vb8J94yJ8uE2neFIaESIQAAAAIACm9uYXB0ZXN0Y2EAAAFi1TGi6wAF +WC41MDkAAAVCMIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAM +BgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUxNDE1 +MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQsw +CQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMA5pkgRs7NhGG4e +w5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7XGie7RYDQK9NmAFF3gruE+6X7wvJ +iChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUnH8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRC +XijMt5e9h8XoZY/fKkKcZZUsWNCMpTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWi +YPqT6o8EvGcgjNqjlZx7NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6 +jIfBkv8PZbXg2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPz +DIZYwYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDdApcU +itz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqMP3UWYQyqDXSx +lUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6aFXftS/G4ZVIVZ/LfT1i +s4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DYPdAQOCoajfSvFjqslQ/cPRi/MRCu +079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0GA1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rt +STAfBgNVHSMEGDAWgBRTVTPyS+vQUbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4G +A1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq +/kawNd6IbiMzL87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsg +bmi97j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBxc94Z +c3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvfjySF5FCNET94 +oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2RtOXDt93ifY1uhoEtEyk +n4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25hPsBTkZA5hpa/rA+mKv6Af4VBViYr +8cz4dZCsFChuioVebe9ighrfjB//qKepFjPFCyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyi +mUcTtTMv42bfYD88RKakqSFXE9G+Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHw +dmC36BhoghzR1jpX751AcZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4 +mr8WIcSE3mtRZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LX +aRwXdYYAAAACABh2ZXJpc2lnbmNsYXNzM2cyY2EgW2pka10AAAFWwklq1AAFWC41MDkAAAMG +MIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJBgNVBAYT +AlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMg +UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEoYykgMTk5 +OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR8wHQYDVQQLExZW +ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4XDTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVow +gcExCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh +c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYD +VQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5 +MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDMXtERXVxp0KvTuWpMmR9ZmDCOFoUgRm1HP9SFIIThbbP4pO0M8RcPO/mn+SXX +wc+EY/J8Y8+iR/LGWzOOZEAEaMGAuWQcRXfH2G71lSk8UOg013gfqLptQ5GVj0VXXn7F+8qk +BOvqlzdUMG+7AUcyM83cV5tkaWH4mx0ciU9cZwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAFFN +zb5cy5gZnBWyATl4Lk0PZ3BwmcYQWpSkU01UbSuvDV1Ai2TT1+7eVmGSX6bEHRBhNtMsJzzo +KQm5EWR0zLVznxxIqbxhAe7iF6YM40AIOw7n60RzKprxaZLvcRTDOaxxp5EJb+RxBrO6WVcm +eQD2+A2iMzAo1KpYoJ2daZH9AAAAAgAiY2FtZXJmaXJtYWNoYW1iZXJzY29tbWVyY2VjYSBb +amRrXQAAAVbCSUnSAAVYLjUwOQAABMEwggS9MIIDpaADAgECAgEAMA0GCSqGSIb3DQEBBQUA +MH8xCzAJBgNVBAYTAkVVMScwJQYDVQQKEx5BQyBDYW1lcmZpcm1hIFNBIENJRiBBODI3NDMy +ODcxIzAhBgNVBAsTGmh0dHA6Ly93d3cuY2hhbWJlcnNpZ24ub3JnMSIwIAYDVQQDExlDaGFt +YmVycyBvZiBDb21tZXJjZSBSb290MB4XDTAzMDkzMDE2MTM0M1oXDTM3MDkzMDE2MTM0NFow +fzELMAkGA1UEBhMCRVUxJzAlBgNVBAoTHkFDIENhbWVyZmlybWEgU0EgQ0lGIEE4Mjc0MzI4 +NzEjMCEGA1UECxMaaHR0cDovL3d3dy5jaGFtYmVyc2lnbi5vcmcxIjAgBgNVBAMTGUNoYW1i +ZXJzIG9mIENvbW1lcmNlIFJvb3QwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQC3 +NlXlpV0YMODaiVSR/MjHUvgvUNnvsXVzZUd9G1u6dcX8oYgk+i/tyghKOVTEUXq12mDqODyB +ssvxu9mRIz9IAXB1qQUqrR9x88lUPR0GakA+swyF7lwbecJixLg2jjVdAQwjBEc1qptgTqBm +PcsmCpxAofRdmL9xq6UAaCrtg3oPohS11CKzgLA8DFpRaS1YGI/tmZ7xruKV5vZHqNYMD7BY +WNvDZjeem5FUMzfSlBxqSMnJ8qXapQwj9yMOnDJVXnGchAVRmi395k4qNFreykA3ZwxUIVV3 +2goMzJeugNyUNkr0Ps42Ex5T5KxOOgXs265ynDiL0Dk7iQo+d/51AgEDo4IBRDCCAUAwEgYD +VR0TAQH/BAgwBgEB/wIBDDA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNoYW1iZXJz +aWduLm9yZy9jaGFtYmVyc3Jvb3QuY3JsMB0GA1UdDgQWBBTjlPWxTenboSlbV4tNdgZ24dGi +ijAOBgNVHQ8BAf8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgAHMCcGA1UdEQQgMB6BHGNoYW1i +ZXJzcm9vdEBjaGFtYmVyc2lnbi5vcmcwJwYDVR0SBCAwHoEcY2hhbWJlcnNyb290QGNoYW1i +ZXJzaWduLm9yZzBYBgNVHSAEUTBPME0GCysGAQQBgYcuCgMBMD4wPAYIKwYBBQUHAgEWMGh0 +dHA6Ly9jcHMuY2hhbWJlcnNpZ24ub3JnL2Nwcy9jaGFtYmVyc3Jvb3QuaHRtbDANBgkqhkiG +9w0BAQUFAAOCAQEADEGXwhqGwCJ8n/uQ8xrRA7HvE/khXwSc2smljSdsloeRvkGQAXKT5x59 +X/aJxl2nQAk9rElFRdwujTBosgm6+8MvzLoL3z93e0Z9OhIkjpaPPAUKb9KUKB1tDMAuiCLV +2M8dE8fwSNfXBafPx0eeOzw0yIBP1BS7/A1Q9/qz7EJfqd1tyPR1z3vBciaxARxcLP16TrQB +xQVXuec8qgXZiOkHRkHO70GBrljfg6Kuytd3H+cAPJ1vjuQyCR1NeDR4NDyUmybtT3HGGXq9 +ICJIWv5LfQO351i+xjJOdB5o3ahoW7M+7mJ92YDoCnV6t+60ZZohkOCq0Ji8OLVzPIv43AAA +AAIAFHNvbmVyYWNsYXNzMmNhIFtqZGtdAAABVsJJllIABVguNTA5AAADJDCCAyAwggIIoAMC +AQICAR0wDQYJKoZIhvcNAQEFBQAwOTELMAkGA1UEBhMCRkkxDzANBgNVBAoTBlNvbmVyYTEZ +MBcGA1UEAxMQU29uZXJhIENsYXNzMiBDQTAeFw0wMTA0MDYwNzI5NDBaFw0yMTA0MDYwNzI5 +NDBaMDkxCzAJBgNVBAYTAkZJMQ8wDQYDVQQKEwZTb25lcmExGTAXBgNVBAMTEFNvbmVyYSBD +bGFzczIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQF0o1ncrwDZbHRPoW +N/xIvb1/gC01O+FvqGepvwMcTYxvMkfVQWikEwTBNQyahEP8XB3/ibPoFxjNkV/7iePqv05d +fBsm03V57eaE41flrSnE9Doo56V7hDZps/1edr2jLZnTkE4jKH0YY/FUOyaddluXQrL/rvBO +7N05lU6DBn/nSUDIxQGyVFpmHT38+ek8Cp6BuHDwAYvkI1R8yK74kB4AlnLUVM9hI7zq+50C +ldG2uXE6aQg/D7ThQseI9T+YqKe6HOBxce9YV4FQelxrdEYOgwOYw46obvJ2Mm4ng8Jz89wY +6LST6nVEawRgIHFXh53zvqCQIz2KJOHaIdvDAgMBAAGjMzAxMA8GA1UdEwEB/wQFMAMBAf8w +EQYDVR0OBAoECEqgqliE0148MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAWs6H ++RZyFVdLHdmb56ImMOyTZ9/WLdI0r/c4pc6rFrmrL3w1y6zQD7RMK/yA72uMkV82dvfbsxsZ +6vSyEf1hcUS/KLM6Hb+zQ+ifv9wxCHGwnY3WNEcykMZlJPegSnwEc485bxeMcrW9S8h6+HuD +wyhOnAnqZz+yZwQbwxTa+OdJJJHQHWr6YTnva+chdQYH2BK0ISBwQnGB2jyaNr6mWw1qbJof +kXv5+e9Cuk5OnswMjZTc2UWcXuxCUGOu9F3EsRLcyjuoLp0UWgV1t+zXY+K6NbYECJHo2p2c +9ma1GKwKplQmNDPSG8HUfxo6jguqMm7b/E8ln9kyx5ZacKzfTAAAAAIAHWFmZmlybXRydXN0 +bmV0d29ya2luZ2NhIFtqZGtdAAABVsJI60QABVguNTA5AAADUDCCA0wwggI0oAMCAQICCHxP +BDkc1JktMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1U +cnVzdDEfMB0GA1UEAwwWQWZmaXJtVHJ1c3QgTmV0d29ya2luZzAeFw0xMDAxMjkxNDA4MjRa +Fw0zMDEyMzExNDA4MjRaMEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEf +MB0GA1UEAwwWQWZmaXJtVHJ1c3QgTmV0d29ya2luZzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALSEzDMXLmuUbGthUqDro895lEzllICZy1VkRGWPZ2TiBuNcN0n2L5uEhB4t +8mCdME7MhIXiLM8env42qzN3NUTYNZYaPTboeg7Y1UehammL2fy7Oq55WtX01nG7mpAja5q3 +iHSHDB5fuZ4t+qtTK9y7dj6TTAgIjB6iIxzUaq0iupkBLm1ly74kZlUkS0BEsRvX4cKFwN4Q +Pz3tuPzx8SNT3L9ll2/Z+UBxjX29ldTOvqBeJyPe/abQJg4AKes8RvA9YL8/UNLcJkFRnhQ3 +QgSjcFeoG4ftLfp77owK46lmiRnLQfndRDZhz+J3Rsh99vSSgTb92zTxcn7zDBa9tBUCAwEA +AaNCMEAwHQYDVR0OBBYEFAcf0uec2sJuokC0sHpQEFB0xMi9MA8GA1UdEwEB/wQFMAMBAf8w +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQCJV7IWeqjC/dbZm5s0wpy0MhRN +p6Tf7L6nvvhD25E3zrQyLlBVGjVOdkNxIO+Td04VcC6Hw8EdbdzLtSfULFbRUlM6RNJzyMQb +BWVaYpKc7kGNMdvnNOpZIdUBetdkuGQ5zcntr+1LA0inoJkBgNxlozauZVlIT4JLyGXxVx3l +WS4KP2zY0fXlCbRsVAAK4BVNh3Vtt1iWWt1t0gCg9JtIvsM3pLo24HyHhZcaFaLeLqJbva8Y ++ZBQzXBZ+CdnR8vHoAc6fdEsXWwZOma1ff2Rb4KxvgiT2xRH8aI3x0WePMd3r2Sok9/2aYOC +YPJJQjTtWgBUhRwWNpIMXPqmrb/bAAAAAgAgdHRlbGVzZWNnbG9iYWxyb290Y2xhc3MzY2Eg +W2pka10AAAFWwklM0gAFWC41MDkAAAPHMIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsF +ADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZp +Y2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQt +VGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDMwHhcNMDgxMDAxMTAyOTU2WhcNMzMxMDAxMjM1 +OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNl +cnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMM +HFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQC9dZPwYiJvJK7genasfb3ZJNW4t/zN8ELg63iIVl6bmlQdTQyK9tPPcPRStdiT +BONGhnFBSivwKixVA9ZIw+A5OO3yXDw/RLyTPWGrTs0NvvAgJ1gORH8EGoel15YUNpDQSXuh +dfsaa3Ox+M6pCSzyU9XDFES4hqX2iys52qMzVNn6chr3IhUciJFrf2blw2qAsCTz34ZFiP0Z +f3WHHx+xGwpzJFu5ZeAsVMhg02YXP+HMVDNzkQI6pn97djmiH5a2OK61yJN0HZ65tOVgnS9W +0eDrXltMEnAMbEQgqxHY9Bn20pxSN+f6tsIxO0rUFJmtxxr1XV/6B7h8DR/Wgx6zAgMBAAGj +QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS1A/d2O2GC +ahKqGFPrAyGUv/7OyjANBgkqhkiG9w0BAQsFAAOCAQEAVj3vlNW92nOyWL6ukK2YJ5f+AbGw +UgC4TeQbIXQbfsDuXmkqJa9c1h3a0nnJ85cp4IaH3gRZD/FZ1GSFS5mvJQQeyUapl96Cshtw +n5z2r3Ex3XsFpSzTucpH9sry9uetuUg/vBa3wW306gmv7PO15wWeph6KU1HWk4HMdJP2udqm +JQV0eVp+QD6CSyYRMG7hP0HHRwA11fXT91Q+gT3aSWqas+8QPebrb9HIIkfLzM8BMZLZGOMi +vgkeGj5asuRrDFR6fUNOuImle9eiPZaGzPImNC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7 +PHi4b6HQDWSieB4pTpPDpFQUWwAAAAIAE3hyYW1wZ2xvYmFsY2EgW2pka10AAAFWwkle/wAF +WC41MDkAAAQ0MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUF +ADCBgjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIG +A1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9i +YWwgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQxMTAxMTcxNDA0WhcNMzUwMTAxMDUz +NzE5WjCBgjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEk +MCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBH +bG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCYJB69FbS638eMpSe2OAtp87ZOqCwuIR1cRN8hXX4jdP5efrRKt6atH67gBhbi +m1vZZ3RrXYCPKZ2GG9mcDZhtdhAoWORlsH9KmHmf4MMxfoArtYzAQDsRhtDLooY2YKTVMIJt +2W7QDxIEM5dfT2Fa8OT5kavnHTu86M/0ay00fOJIYRyO82FEzG+gSqmUsE3a56k0enI4qEHM +PJQRfevIpoy3hsvKMzvZPTeL+3o+hiznc9cKV6xkmxnr9A8ECIqsAxcZZPRaJSKNNCyy9mgd +Em3Tih4U2sSPpuIjhdV6Db1q4Ons7Be7QhtnqiXtRYMh/MHJfNViPvryxS3T/dRlAgMBAAGj +gZ8wgZwwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMB +Af8wHQYDVR0OBBYEFMZPoj0GY4QJnM5i5ASsjVy16bYbMDYGA1UdHwQvMC0wK6ApoCeGJWh0 +dHA6Ly9jcmwueHJhbXBzZWN1cml0eS5jb20vWEdDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQEw +DQYJKoZIhvcNAQEFBQADggEBAJEVOQMBG2f7Shz5CmBbodpNl2L5JFMn14JkTpAuw0kbK5rc +/Kh4ZzXxHfARvbdI4xD2Dd8/0sm2qlWkSLoC295ZLhVbO50WfUfXN+pfTXYSNrsf16GBBEYg +oyxtqZ4Bfj8pzgCT3/3JknOJiWSe5yvkHJEs0rnOfc5vMZnT5r7SHpDwCRR5XCOrTdLaIR9N +mXmd4c8nnxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSyi6mx5O+aGtA9 +aZnuqCij4Tyz8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQO+7ETPTsJ3xCwnR8gooJ +ybQDJbwAAAACABlnZW90cnVzdHByaW1hcnljYWczIFtqZGtdAAABVsJJzGIABVguNTA5AAAE +AjCCA/4wggLmoAMCAQICEBWsbpQZsnlLQfYnqcMYDx8wDQYJKoZIhvcNAQELBQAwgZgxCzAJ +BgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAoYykgMjAwOCBH +ZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNVBAMTLUdlb1Ry +dXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMzAeFw0wODA0MDIwMDAw +MDBaFw0zNzEyMDEyMzU5NTlaMIGYMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3Qg +SW5jLjE5MDcGA1UECxMwKGMpIDIwMDggR2VvVHJ1c3QgSW5jLiAtIEZvciBhdXRob3JpemVk +IHVzZSBvbmx5MTYwNAYDVQQDEy1HZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5IC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc4l5iWB0zVzky +M/rry4eMp9RK3QaI6mSOMZilOJAemM8uYyvwRrxEsomhwCgMSXAhlZ9kwKaTEgJlJobGpYnw ++teEoHCvTxqXPwZE1cnrchB95DEo+xxh5igHRHOSImmnA4hsnWPIUtqYJ+cITHA+tMkSwcVn +g10z8wMR7GrQU+LRujZglIC7YWNsWxd+30CUHqsNwiEocIj/1iZsbGAEJU5Vfn3vv5RI3rcd +3XCNBV+IpZvywu7q0UBBbWI4HVYGxQNHUSAZ/HsQCw5irnZVv193vj5JAVM9mCUDdiRaHbTb +iep55bazOz+6TChBfwasao7B0PYFHX3mQobjpdVHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMB +Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTEecqOoU4DHRzca9sxW5Q+PzB/LTANBgkq +hkiG9w0BAQsFAAOCAQEALcUTz1aAe3p4vZ+uLJnn79rflF4JaafnbmiMvXK+R6kOlxK4SvFk +0znfJTTUwc1OgfAPBMQkszSWxqaqMN9oYXPX+Y6Fie8OXpUoSionjxCOLnyGxAKe2gx3ZQ5E +DZL9/bMWNvoRDR2MDgeJailW93L03RWcdzVmV6sTU9iOwUDF1xMWWnLHt2kBxHqxgwFofY1B +oZQYwSVc/PD+gwKHfA0Nzy4IXEpADT7sgWHmJNvK4A4tB7I+VtyN9UGFB0ibDAvLST997Lf9 +y41niRqr7bseowAICBcqglwxXUaKLQ+Gm3TZRfvUQLF6qmgthrKZIuHBK8ec+PNfqIIS6xkR +LQAAAAIAHWNhbWVyZmlybWFjaGFtYmVyc2lnbmNhIFtqZGtdAAABVsJJ36oABVguNTA5AAAH +TTCCB0kwggUxoAMCAQICCQDJzdPp1X0jzjANBgkqhkiG9w0BAQUFADCBrDELMAkGA1UEBhMC +RVUxQzBBBgNVBAcTOk1hZHJpZCAoc2VlIGN1cnJlbnQgYWRkcmVzcyBhdCB3d3cuY2FtZXJm +aXJtYS5jb20vYWRkcmVzcykxEjAQBgNVBAUTCUE4Mjc0MzI4NzEbMBkGA1UEChMSQUMgQ2Ft +ZXJmaXJtYSBTLkEuMScwJQYDVQQDEx5HbG9iYWwgQ2hhbWJlcnNpZ24gUm9vdCAtIDIwMDgw +HhcNMDgwODAxMTIzMTQwWhcNMzgwNzMxMTIzMTQwWjCBrDELMAkGA1UEBhMCRVUxQzBBBgNV +BAcTOk1hZHJpZCAoc2VlIGN1cnJlbnQgYWRkcmVzcyBhdCB3d3cuY2FtZXJmaXJtYS5jb20v +YWRkcmVzcykxEjAQBgNVBAUTCUE4Mjc0MzI4NzEbMBkGA1UEChMSQUMgQ2FtZXJmaXJtYSBT +LkEuMScwJQYDVQQDEx5HbG9iYWwgQ2hhbWJlcnNpZ24gUm9vdCAtIDIwMDgwggIiMA0GCSqG +SIb3DQEBAQUAA4ICDwAwggIKAoICAQDA31bT5DqbdkW0E9v/wbYZizdBGJVSR+sXnSmIjjVs +BjIuR2LzSQS/fUQ2sXHMvVoJc9XZhUT/kVcl3142jnDRXHFDHdna71zS+xu9OrXLraPMRKcN +riEVP7l6W5J12KQSOIkZireA0uIyb1ackdaIEAuzdGSSdGDz9s8YT2CyI9DHO85hS5mPwgzQ +QLKY3A2oTqO5Cq5goK1FUmO6Zr1o4Pm+GqiBux5BeHXTwf4AVbCHVOgnkDUdTDOtl/yXLpiE +vyzJo7/RmBEU7WP4ypiIWBeZ7UUDl348hh6IjL7ykYSPZTTYAEx9tzEXWil6ChgkMKM3tXqp +AX0m1vkOjlnx/RsztSk7FztBtiHd1MA9pZ+fH0NQybu8bHqXmO7NjB/7nFGui3C9J59xwGus +fZBm6NddOg2w1cKN1cidncFt0NC/UeTj+MM4Nq7Wp3Xmr4RDXZOSDGoH3jsdmCLWrME126Og +Jf9ytXYd3m3pLGYsUoTQRZLOHOXlMx3cB1NUo6qCO5o3L9zdoGTp5t29rvxkhR08p8kG3oT/ +a+hrGjzForNC+4sJPl8IUsdixNQFcb/EZOT4oYPoPhKbqB7UNk0vcfaNKPaDqRPSYcGRu0jA +NI9BjEtM22kS/1CUnCCDWXPtfKHy8f3d90nTQ1igVmPKPT3lNVZZ6Q7KIMwrS5MpDwIDAQAB +o4IBajCCAWYwEgYDVR0TAQH/BAgwBgEB/wIBDDAdBgNVHQ4EFgQUuQnKnB7b02w6a67tVPFb +kwY1Ll4wgeEGA1UdIwSB2TCB1oAUuQnKnB7b02w6a67tVPFbkwY1Ll6hgbKkga8wgawxCzAJ +BgNVBAYTAkVVMUMwQQYDVQQHEzpNYWRyaWQgKHNlZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3 +LmNhbWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQFEwlBODI3NDMyODcxGzAZBgNVBAoT +EkFDIENhbWVyZmlybWEgUy5BLjEnMCUGA1UEAxMeR2xvYmFsIENoYW1iZXJzaWduIFJvb3Qg +LSAyMDA4ggkAyc3T6dV9I84wDgYDVR0PAQH/BAQDAgEGMD0GA1UdIAQ2MDQwMgYEVR0gADAq +MCgGCCsGAQUFBwIBFhxodHRwOi8vcG9saWN5LmNhbWVyZmlybWEuY29tMA0GCSqGSIb3DQEB +BQUAA4ICAQCAiH9w3pIo2QWURv+QV6nxL98aDWv6fA4cSSR5J9hGqm8pWVKIcBLq3T31m1NU +b+FgoqgJuezrWXzGNfHcGOnxZ+WvukXgCd7KRA/CFw53kUV6M19flixoi8FHj5ibPcDsy/XV +gpKENdG+NjhWcjFbRy2qF6RjUesKAa1/7HWey6Ef8X8SsbnkZH9n1iMq9Lg5XZjoIafhvT1C +GnSacK9obFBdSc//+w5d5ixH14E6WQC1c2tjIPYxRQg5DvRwfkBwWj/Qa0KpdD0oLwJtdXKV +CY1IY8bGI1eSk141wY35CvcsnWIc9q183aYxHraxx36FJvqkarXaYzDR75M3smYvfQX357dL +mJQ1wNk6KcGdslAzHUqpWqbJA+/t9Oeoboq0V4TrpD/Q7qqqh1tj6JPia6jUuHJ4axvtOeRd +y5uqh9VPTgD+2WqfPDEPKAIBfZjop7CiZJ55+EjyFanM5shE6z94mfJ7cT488ZinxRgSP+a7 +KDNC6UUKfG3yhnkvxYIZfQmJfLJUdoiu3sHzzOFu2zHWk66ZoO8lanOYiVs6LhOIHr/AkpQ0 +G+Mnt4seb0L/5+k3m1AdLaL5Au7LWFg6cbxo46rBrxwoH6LcI2U/gequmdPYMM8TDU8VyYS8 +p0gt+DAjd9hGS3lt9oztOn9gEXj06Zuu1VTAdIDRC0KfwQAAAAIAG3RoYXd0ZXByaW1hcnly +b290Y2FnMiBbamRrXQAAAVbCSSSHAAVYLjUwOQAAAowwggKIMIICDaADAgECAhA1/CZc2YRP +yT0mPVebrtdWMAoGCCqGSM49BAMDMIGEMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3Rl +LCBJbmMuMTgwNgYDVQQLEy8oYykgMjAwNyB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXpl +ZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcyMB4XDTA3 +MTEwNTAwMDAwMFoXDTM4MDExODIzNTk1OVowgYQxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwx0 +aGF3dGUsIEluYy4xODA2BgNVBAsTLyhjKSAyMDA3IHRoYXd0ZSwgSW5jLiAtIEZvciBhdXRo +b3JpemVkIHVzZSBvbmx5MSQwIgYDVQQDExt0aGF3dGUgUHJpbWFyeSBSb290IENBIC0gRzIw +djAQBgcqhkjOPQIBBgUrgQQAIgNiAASi1ZyCe5Wd8VJ4h/6KFr8F5t+jAk8NB8YAUboMAlIt +IqRCOcT+j+rJwb7UTf+fep7isXyaraeGCXOH0eea43qlqm77urNwwGeIojXUo5qx/a3C7zH6 +qLnz+wjGkdH7KZWjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1Ud +DgQWBBSa2AAwAOdrf4UY7ou2zooM+BHhuzAKBggqhkjOPQQDAwNpADBmAjEA3fjgV0dbp+YK +w731gIqXNQ0biTxUhncoyqH0ed615jiw8GVwjH8CVMK//9ihPtnPAjEAxI2U/NxT0tydeBYf +FTMjU1LjWjFdncquvRMpRA0nW6jnaJwS91g/LnICV6OPoRQuAAAAAgAlZXF1aWZheHNlY3Vy +ZWdsb2JhbGVidXNpbmVzc2NhMSBbamRrXQAAAVbCSRhzAAVYLjUwOQAAApYwggKSMIIB+6AD +AgECAgMMNRcwDQYJKoZIhvcNAQEFBQAwWjELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0VxdWlm +YXggU2VjdXJlIEluYy4xLTArBgNVBAMTJEVxdWlmYXggU2VjdXJlIEdsb2JhbCBlQnVzaW5l +c3MgQ0EtMTAeFw05OTA2MjEwNDAwMDBaFw0yMDA2MjIwNDAwMDBaMFoxCzAJBgNVBAYTAlVT +MRwwGgYDVQQKExNFcXVpZmF4IFNlY3VyZSBJbmMuMS0wKwYDVQQDEyRFcXVpZmF4IFNlY3Vy +ZSBHbG9iYWwgZUJ1c2luZXNzIENBLTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALrn +F5ACZbE0VTxJwlHV36fRN4/R54FzQVJgm52hFyZ4rcex6CaUMrXeM406L9vymnpac5ijXOn7 +inMbXOfDv4Bszan01ivA9/mZqmOisUcCD9TkUToSPGyKWlSEcNvBxZDPckXLqFnAzTOdP6OW +64UzIRw+Hj5gbnacZ4XFyMNhAgMBAAGjZjBkMB8GA1UdIwQYMBaAFL6ooHRyUGtEt8kj2Puo +/7NXa2hsMB0GA1UdDgQWBBS+qKB0clBrRLfJI9j7qP+zV2tobDAPBgNVHRMBAf8EBTADAQH/ +MBEGCWCGSAGG+EIBAQQEAwIABzANBgkqhkiG9w0BAQUFAAOBgQCcszOjP2Ihxhj4bG0RJOx9 +p5kMB33tiBUw0c0K2eYHNUaTStZFJ7gowdhIrCMlc7QYGgsYiq6hiWRtDeFn+uDZ7REja6iW +Ew9vjwoy5FxcmyOvkvSTAmq85obVs7P9yLt8a14rx0NuCPUCa/nSnrotqxsIpzm9CmJYzN+0 +IMUBrQAAAAIAGHZlcmlzaWduY2xhc3MyZzNjYSBbamRrXQAAAVbCSb5mAAVYLjUwOQAABB0w +ggQZMIIDAQIQYXDLSYxfmEUp57Cm2VBbejANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMC +VVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBO +ZXR3b3JrMTowOAYDVQQLEzEoYykgMTk5OSBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp +emVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAyIFB1YmxpYyBQcmltYXJ5 +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzMwHhcNOTkxMDAxMDAwMDAwWhcNMzYwNzE2 +MjM1OTU5WjCByjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYD +VQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMTk5OSBWZXJpU2ln +biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBD +bGFzcyAyIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzMwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvCg3C1SzbZ7kt5ZQn3aW+4LBNj7NhVjzW +fMP0zT6Gy6KI4uHYpGnFteK/waZHUF5GOYvVlrq1bxS/EM4nE54FR5sxehPYH9nTAjeLrSxH +8I6BBqcNMAzr9zwPIB3cckbupQLIW8PJVmlMxRjBkXsL1RMAm7zvw0g+RmAghSrVkLbNi6DM +Mt23/UBVslAcVq7MjXdNxyBNpzF272iSipAeCIFWsq1po1LQyxzEIz0fmf5M6BZjjsYIjvYx +9tL65XbdtRySo0nNzQHNaM2pabqj6x0NnKQgpsGgxdFGTBdt0qxmP5aM4ITUNv8iWcX5EWCo +XwR98hr2JUJhD8RKuD6JAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBADQmFTzAjU1DSR296SGS +12act97FuNDkXV92IsAm+YQ6OvmMtfvsYPHozgSwyN2nA48w85jfpOakMd/THAtG3HIgP67u +BTykMz8LOaxweHNLmSvfMMJUsKg7VaH+FijNQr10boDbJ0SnzkRd1BuQmA0eQpSxACwE0HSj +AgUiY2PNg7X7wW1ia2l1/V1wQbn1v3zfvsEycyIhi1iBexWRerrjZEiwf/s2JdqV0PEkFBfd +GIBrRiM5VPWOYgkEHZSQppvmJeJCRaq4kK2+CI+pC0IYlM9yOeGxQ+Aoz7fnWmwTa0mz/+MY +fImLM12sM9en+do6VclYEPmq71q2z0tL3yoAAAACABR1c2VydHJ1c3RlY2NjYSBbamRrXQAA +AVbCSekZAAVYLjUwOQAAApMwggKPMIICFaADAgECAhBci5nFWpTF0nFW3s2JgMwmMAoGCCqG +SM49BAMDMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEUMBIGA1UEBxML +SmVyc2V5IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEuMCwGA1UEAxMl +VVNFUlRydXN0IEVDQyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDAyMDEwMDAwMDBa +Fw0zODAxMTgyMzU5NTlaMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEU +MBIGA1UEBxMLSmVyc2V5IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEu +MCwGA1UEAxMlVVNFUlRydXN0IEVDQyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTB2MBAGByqG +SM49AgEGBSuBBAAiA2IABBqsVFqp+Wgj53rVJG9TxlrYS6vG1bbR5nNxrt2c1gxh/dugiQO4 +BRTsV87uXT/iIbPO99SKeeCjg34tl9BhxPGZ3CWRY6t/MKO0cOLHoTOc878uXFOxX7N9Mn+K +NON5eaNCMEAwHQYDVR0OBBYEFDrhCYbUzxnClnZ0SXbc4DXGY2OaMA4GA1UdDwEB/wQEAwIB +BjAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMDA2gAMGUCMDZnoRYI3OSXAEEdTr7hYwHP +O6pCEWSgnZQ5AhF5XHsd+mS57hZCs7+KwgnE7OSxTQIxAOkqYUeMUkpLThhw9tZE1m71g7pt +WL0k2VZI6u/EokaBiGo6RtGpm03JYdrRXVdqGAAAAAIAHmNlcnRwbHVzY2xhc3MzcHByaW1h +cnljYSBbamRrXQAAAVbCSWTqAAVYLjUwOQAAA5kwggOVMIICfaADAgECAhEAv1zbtvIcbsBN +63oCOzboeTANBgkqhkiG9w0BAQUFADA+MQswCQYDVQQGEwJGUjERMA8GA1UEChMIQ2VydHBs +dXMxHDAaBgNVBAMTE0NsYXNzIDNQIFByaW1hcnkgQ0EwHhcNOTkwNzA3MTcxMDAwWhcNMTkw +NzA2MjM1OTU5WjA+MQswCQYDVQQGEwJGUjERMA8GA1UEChMIQ2VydHBsdXMxHDAaBgNVBAMT +E0NsYXNzIDNQIFByaW1hcnkgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCr +N//rYJtBeGn1SViw3h9xaaYr465Qxqm8k+kgvuTEE4JW7/BDMgnKm3UDj3xP4eBPdp4LrWR6 +FDqanb8vFgtlHKnunLzjGmXLT4XqklZ1ZtZVQO/7zNY4P6sc70KNGYn2t5WGwqcd6fcp8SrZ +ZXn8K/WOyhp3fp7orPlmv0X76BOdX7Zz5X17jvsSdF0fBl6FG6ZeGEQAurzTbtFSDgat6+61 +tMG7vOs4D0gikcdv0rhyO7p/wI1st7xHcyEqhf+s1iiiGdWXajq5rG1F7OZNw9uoXcVdgpis +Slqq5isIDBB0vGL2OkkEZthRHCam2HWfnL+uYFE9XLyiT3uJZ81TAgMBAAGjgY0wgYowDwYD +VR0TBAgwBgEB/wIBCjALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFIbh4YFxv2oS8QryAeTI+0DO +aICJMBEGCWCGSAGG+EIBAQQEAwIAATA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vd3d3LmNl +cnRwbHVzLmNvbS9DUkwvY2xhc3MzUC5jcmwwDQYJKoZIhvcNAQEFBQADggEBACWq4SJAwqSA +PLeiXZmNH3pCNThmFxHfva/8FRGYGTPmBUKEVKhL67Cd2zfaFlJAEXRov+nJshCEtx1EAHkn +HPVYBhcYMjW2MJdjxqY5G8juRhdixS7nCqOaijBjc6oUpU0KqHKT8EkREJB8GH2oIAXEwno1 +uhxaCuAueMiIsc9XAew94gYTNMCo3PqAgAXuBXa9nSvInVBva8VAUIT9XR3mkJwQ06TGuSga +3rX4CnCqzt5QPQOA29iIxUgG5ANz3RbONtblm+p32rKWtWWnBF0jrveTsl6KUWRf2s+MPUFb +3vmj6Sp8RxAf9jI8fnDp36HVLg2xGkW0vBLtKBfpHgIAAAACABlzd2lzc3NpZ25zaWx2ZXJn +MmNhIFtqZGtdAAABVsJI0YEABVguNTA5AAAFwTCCBb0wggOloAMCAQICCE8b1C9Uuy9LMA0G +CSqGSIb3DQEBBQUAMEcxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxITAf +BgNVBAMTGFN3aXNzU2lnbiBTaWx2ZXIgQ0EgLSBHMjAeFw0wNjEwMjUwODMyNDZaFw0zNjEw +MjUwODMyNDZaMEcxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxITAfBgNV +BAMTGFN3aXNzU2lnbiBTaWx2ZXIgQ0EgLSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC +AgoCggIBAMTxh3/TeDH3OMn4w5lDvMf3vDfnTnG6S4+lcx1cbpiuA1euODdDLxc9H8jOaBDB +eK4ZAysQ+ix5g/bouWi5VfIERKc5+fwEix7xok0n+WF7urflohO262E+0GzR5vv6Xu0dtJ6g +NVuhksvwSZL+hQoFPubZC+JPu9yVN/yR6TI1ItEfOk4nhZ2wFZQy2mENR01gQq6SR+iDWlBY +6YqLuV2h3N2ZSh82Z7tI5IO2N+tIOq8PZ48XB+gEyu9qMYfUwLb5lHF7Z2S4tpFKQntlLjBq +DPWQ7pXm8s2C7NmhSuz2skvlRYXmbXiTBC6cgm02qcQxZB+Ggwsq9DUKeMlVz0GwR+kwn5m+ +YagGhLkoel842RupOLCDf3PBwztIKoIPIZu4zKg1w4Qbg7M+vqSVaQE6iQB4BNnJ9JkZq1Z+ +W4uGORWRpBAsCTKAYLOTwCq2GAudfo1J8hBKf/nVRi8ZkqOZpyasu4w85g68Rwfcc1HxcGQv +CPm0Rx0wbETqKTeFkmhmvIM4/ns5LtNQ8B/7XmC2qab6J0Hxmxhy8vWEdErJZ8RUrkhk34zR +brAd4QePCB6ZnHHpTNil90cSH3TRUZ6G88KiI0ALc9tLpudzBozBoOnBWaxG+uYv+M9xnEZt +ucQVjTh5A0VI78Rd1wjuhzkihrIND1hD93GpSC796tYfAgMBAAGjgawwgakwDgYDVR0PAQH/ +BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBegzcHkQbY6WzvLRZ29HMKY+oZY +MB8GA1UdIwQYMBaAFBegzcHkQbY6WzvLRZ29HMKY+oZYMEYGA1UdIAQ/MD0wOwYJYIV0AVkB +AwEBMC4wLAYIKwYBBQUHAgEWIGh0dHA6Ly9yZXBvc2l0b3J5LnN3aXNzc2lnbi5jb20vMA0G +CSqGSIb3DQEBBQUAA4ICAQBzxoHgJ9ItD+CVMOKaQX9QLF9fYmGphmppGAx0SdZdhOpBUhhv +WK1QViBqxr0oaViR3JERNak6HbwapWCe2B9/RZFp2X67eHLBBg8qzo+FcGGsoM0LuDkpVoQy +Toa7PcQq2dcfcu7+UaEiQbFxAmMagrBiq15XEh/fy911oMBdeZCMG+BQ5t4x/ph7cF+lkNit ++AK2b9Ng3UBLIsU9rTp6nxoaR5F5M7qC3DJpA5ZuH0vwcf7jZ3Kgsb9ci+T6mSLHhLkbjSOX +P+0l4M9lu/VhBO/dHrJaQSJaoZ9dLOhbyW2pDAx4qmDGVo8BWgxovGkZecQffpcFv8XpJFFe +1NVLU+3ZI1o2A2WjwQOtQTDzRhuFkK9ltdWx5BZbeHUdl3ptWakqj3vew4eJEJlJc3jIPb1R +NXQq1fF+aRsquzu9JbiaWj1yYZBmh+4M1k3UEXQLav4LA/yjVVeJ/krLrlsXBcjyjSMxUzjS +LWo/grmNCGr3XkF0bsMRfgesKWCRPzjKVxANvTAvx6XmQaDargWHmqCkZWxMCQyJurjTucCT +ijD6jeWaaxUBTmeq2mJWPoQIZtLENn2nPhD8iODUgOUAvarzTgajemr5YnLjCU/rmw4BI/Gf +u3zc3GwRlyWy8rRjFNIGKmeMg/XO6gfYmmoe7OQKuypM6wlgOc7KYtgubgAAAAIAGmFmZmly +bXRydXN0cHJlbWl1bWNhIFtqZGtdAAABVsJJ8v0ABVguNTA5AAAFSjCCBUYwggMuoAMCAQIC +CG2MFEaxpgruMA0GCSqGSIb3DQEBDAUAMEExCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZp +cm1UcnVzdDEcMBoGA1UEAwwTQWZmaXJtVHJ1c3QgUHJlbWl1bTAeFw0xMDAxMjkxNDEwMzZa +Fw00MDEyMzExNDEwMzZaMEExCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEc +MBoGA1UEAwwTQWZmaXJtVHJ1c3QgUHJlbWl1bTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC +AgoCggIBAMQS36lf/kHd3fWfiuP2rOE8eJq82PB/eqAzKtyNIFuuLW/nk9k2cGpoz45Ro4Vb +ZwSgECRvXSiCwZdX2EgpE7bhvpFN34UMUxiaHiSiT4/wooULy/Qpf9KkWO4mTcmqqHua2fo4 +3kRXFeX4jMjZSOINFicdHsiDhSW3uqpVQcwDIkstkY2L5omvZsfp/yvpPKza0rPD4Wicifh6 +AFbe9FWVbPu6ZN1ii98LdzLrYswmmpu7qmKDTLQGejDIKb/tBk2XuRzEMSvVX7xTEhecmVcp +ZndhITEHLiVJnRjy7vMrcYy1ujkHSXf87y6SkAWNLS93e+9DvzW7mtj5c6cs8tBX7ihOJl+P +kGgJL7j43AbpLpo+UafRIsQKpzhIbLP5/32rhlfjutaFeHe6Q+pIf/bYviNtHr/RNmxYXPHu +pBlUGvUD0nbm4Yy9PLPTSEviyPh/kqh2RpxCZT6kHsEHA1pGLbiX87fVslUh77rcTACX+xSV +JzO/6ENHRtIImRZgO5p+0ubtOOrsAR48SFZJCcdMNwCeiA7Ac+FvZulyRzA+EOULA8maQgBs +xZR+YcSK33+CGgtZxFkyd7O8YGlWOf20Bnss1mQ22b1I7YQffqUijyq4QvSCt9RTkHhOLRr9 +gW9E1zsBdJZC4ADiLmvqxe5yrLu//uqqqPjc9rJ5irZnAgMBAAGjQjBAMB0GA1UdDgQWBBSd +wGemDCLZJvVFq6ZlUhEn2EWsYzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAN +BgkqhkiG9w0BAQwFAAOCAgEAs1dNEGJOOuSs6rgcrzIjyLNJWlGcdiiNeapXRhfV9VL2t0To +CES/GITSC4DNxRL9AFUFYYdB3LUknjzE2Mj7cJ4veJaDIDbefA9pE4ildTaYCKbG36zO41jW +tz7euvPrNEDYooH1eD8v1aX82aLUXgQOF63+QfDlsnL6RIIzQugtWPdWjGI/ukKwnAxcfi5l +JlxTTwCyeH6hDZktjbgdjqLEsP1g0DCkjsgEYqnE7TXeepftDjheki+TcKWpnG+nfRMdfsYI +SLFeZ+tRCCXp5iVrUimRnNI5cwhX3pkGtFudEAbhwgCouBxKAgoU0MFByvuMNSF9gjjyqVSR +GTWTlG1qOsWy0LuJhpPom8kPOqd6uKHweEb6/Dcv5YqE89/+BNmhaKAvJOIJlQbVlcrhJJbr +fPaTBbvtc+kt0XU51+ck29hOX0OPntAUOb9VcEiZVzG0nO5KmAOWMB9gBu4bI/6BYCMaR2KF +pcwZNIBvs6wa45/we0it1QHZZ7apcpPqLWa1srjkPTyy70yM6usHv6s1mlWGvBimtahetINs +a2lA05/c8cNpa7nhbQn08apQdgp6fXoXoVWWQpkxCd1gEY0FMH7mjkbRnRTaxxfkBZaMxCS1 +G88UB7JA+KOeQYa8BNBrlsgqgDT9v+8Go91YxYU9Po/+ningtrgJaBkcGEMAAAACABJnbG9i +YWxzaWduY2EgW2pka10AAAFWwkmJ6wAFWC41MDkAAAN5MIIDdTCCAl2gAwIBAgILBAAAAAAB +FUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNp +Z24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBD +QTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYD +VQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9i +YWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZjc6j +40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6scTHAH +oT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb +Kk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvy +JBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FG +qkjWZCrXgzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQE +AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzAN +BgkqhkiG9w0BAQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLbl +CKOzyj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38Nf +lNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5p +LGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq +4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJ +KSZp4AAAAAIAFWR0cnVzdGNsYXNzM2NhMiBbamRrXQAAAVbCSTSeAAVYLjUwOQAABDcwggQz +MIIDG6ADAgECAgMJg/MwDQYJKoZIhvcNAQELBQAwTTELMAkGA1UEBhMCREUxFTATBgNVBAoM +DEQtVHJ1c3QgR21iSDEnMCUGA1UEAwweRC1UUlVTVCBSb290IENsYXNzIDMgQ0EgMiAyMDA5 +MB4XDTA5MTEwNTA4MzU1OFoXDTI5MTEwNTA4MzU1OFowTTELMAkGA1UEBhMCREUxFTATBgNV +BAoMDEQtVHJ1c3QgR21iSDEnMCUGA1UEAwweRC1UUlVTVCBSb290IENsYXNzIDMgQ0EgMiAy +MDA5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA07JKz3pH73WbI/o6L9ZQRYk1 +OsZr2/7bAGio4AMRHTdQCJ9NSmiUNbNT0ZRjpyBWr95ReOwqPfNISFA+Ct9GVYsnbcMQTQ2R +UkPYh+BdTja1IcpfOUAEX1t+zKPGK6lAHtk2hNZI85IeNEYgJMGkUY5KGu9QP2ldGX9Fw8cB +j1HJI+hyrrS8Vgl/Esscsa8pkArJVcwP07Qa7Uc1WkrtnHMEIdCqvQwTtQDKJmzEawyUWpWU +2lCa8f+lK2YxpMk4oN8dH7gJLvOn6GdSq5Uf4EY+2KTDylrFMYDoSJqflGn+Gd3Yc3yBypbe +ju2zMgVlhDTm5v1XELVfdr8vsBANxQIDAQABo4IBGjCCARYwDwYDVR0TAQH/BAUwAwEB/zAd +BgNVHQ4EFgQU/doUxJ8w3iG9HkI5/KtjI0ng8YQwDgYDVR0PAQH/BAQDAgEGMIHTBgNVHR8E +gcswgcgwgYCgfqB8hnpsZGFwOi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1Ql +MjBSb290JTIwQ2xhc3MlMjAzJTIwQ0ElMjAyJTIwMjAwOSxPPUQtVHJ1c3QlMjBHbWJILEM9 +REU/Y2VydGlmaWNhdGVyZXZvY2F0aW9ubGlzdDBDoEGgP4Y9aHR0cDovL3d3dy5kLXRydXN0 +Lm5ldC9jcmwvZC10cnVzdF9yb290X2NsYXNzXzNfY2FfMl8yMDA5LmNybDANBgkqhkiG9w0B +AQsFAAOCAQEAf5fbMMjfpJx9IXqAcM4UEmmIFJVgRAGssukwT5tQwmbYfo0wtXAx6eJpx/Nw +2yAVhtAN8L6sAXWEzn6fTb+3YDuc88od4l5o2KOdl+VAYNI2If7QtLgX2nSjf9TfsJgCrG9r +aywlJHKhZe4lWuXmMufy36tJ+vOQaSPbBNnnXFj8ZdSXvsz8LgrMJSo1BPhgkRV1PUH/Ix8Z +yGzrglMEpuRMIk2NjLrOW3PsZFRQbdGcVftpwzbDjLw8haZrCiYN4JOYYK5+xiSXimFfkY5m +kgmHNs2Lmy0+9lHUUNRZKL2D8swoe1OGbdgmiHDX6pHNPrnKwJBuWsZedGXXXP6j4gAAAAIA +HWFmZmlybXRydXN0Y29tbWVyY2lhbGNhIFtqZGtdAAABVsJJei8ABVguNTA5AAADUDCCA0ww +ggI0oAMCAQICCHd3BicmqbF8MA0GCSqGSIb3DQEBCwUAMEQxCzAJBgNVBAYTAlVTMRQwEgYD +VQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwWQWZmaXJtVHJ1c3QgQ29tbWVyY2lhbDAeFw0x +MDAxMjkxNDA2MDZaFw0zMDEyMzExNDA2MDZaMEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtB +ZmZpcm1UcnVzdDEfMB0GA1UEAwwWQWZmaXJtVHJ1c3QgQ29tbWVyY2lhbDCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAPYbT2cHK6EV9QYiyx8BsuNzRQZESSy7SSUU1s7Dt6ss +T8ZBMpRX+hKnWw7ijx8ehhmnqrUtuV8NisKvhTV5Mi27HGI38rFbSj3KzXFf6UK+lOjI3vki +SGTG5avGK22tBfD61QvPmuXwUKSLO0elI1t6evgzP7jvmZfjIMHWKInPlPu5Re3jQBcR1HTw +CzHiKyZqm0xXrqwgPrpFegXzvZtpFa59TiBjxDV2OgcCyTf9x0fu6PF2HXMV8pektch6edlC +qit/XP7OJk+jZoE1r0S6VB4cMDJlneY8k15QTnrjOtRuzBr7+dI3riQqq1cDIigNSXV/tyja +db+O49wOeTECAwEAAaNCMEAwHQYDVR0OBBYEFJ2TxlOLXsqvP58eD+WZlbwk9pSPMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBYrPQEDs3A +Df8K/dS6Fl8pvXtomVhJ0rQdN01/J31GBl1DxoYuPnOyJn1Pk6m2xCqaqyGXFLHejNOriRXY +ayTU8Rau2KRc1H9Rju0YAbGTY728+GGAmp6xzkJw4ql9BiV9J6H+b+yzHiTa40tVGgA7NbQ7 +2dddMP2BE4nywgYr7WfEjslDslxrFYkCvGL8TvK1M6qyb9MKolDj9jvoLkTC22Y4qTNWSPFt +GzONDYw/YDed08ptfjR+DZ9ydosbn3L9UjVBRQKWLxyymnNJIbFJR0VHtO9qNBHJTZrMWbfW +Ap5aTmW1lK4b3ymwFvG/AJ4HOhdktQS1IyGZCpU7l3zvAAAAAgALb2xkYWFpaW50ZXIAAAFi +32LqHgAFWC41MDkAAAWpMIIFpTCCA42gAwIBAgIJAJqx8dKnCZZoMA0GCSqGSIb3DQEBCwUA +MIG9MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkoxEzARBgNVBAcMCkJlZG1pbnN0ZXIxEjAQ +BgNVBAoMCU9wZW5FQ09NUDETMBEGA1UECwwKc2ltcGxlZGVtbzE6MDgGA1UEAwwxT3BlbkVD +T01QIHNpbXBsZWRlbW8gUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEnMCUGCSqGSIb3 +DQEJARYYc2ltcGxlZGVtb0BvcGVuZWNvbXAub3JnMB4XDTE2MTEyODIxMTQyNloXDTIxMTEy +NzIxMTQyNlowga0xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOSjETMBEGA1UEBwwKQmVkbWlu +c3RlcjESMBAGA1UECgwJT3BlbkVDT01QMRMwEQYDVQQLDApzaW1wbGVkZW1vMSowKAYDVQQD +DCFPcGVuRUNPTVAgc2ltcGxlZGVtbyBTZXJ2ZXIgQ0EgWDExJzAlBgkqhkiG9w0BCQEWGHNp +bXBsZWRlbW9Ab3BlbmVjb21wLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALr4rivKQuRkYNf5Ig40e1nqj6s6LB1vgMOYbKfRziOFpPcUpsHPOhusHowiUsrU1vdFSzPz +6Ej7PjlmNSg2Qka8YCn9kd6QgM7U0KcPJvIucBp+qjifH3EvP0jgDPhDeVRYxzV454dv5kQ9 +uCpswJP7YAnX51dkWeH8nwPUoagt31bOl9LXENSrgxEThxdLYMJnQJWk2CmVotXM4tT1dxyJ +xFUrZ6uJCEAYw5VtlplqihHf8lHy+sWQavtsLz/4dc+sGeXSTfoIvoKvoh3uZ5gEhGV8yfJx +k1veX5y5/AxP80vQ+smWYjTnQL5QQ57y4bciez4XVBmQSWimWtOi4e8CAwEAAaOBtTCBsjAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTqdsYgGNGubdJHq9 +tsaJhM9HE5wwcAYDVR0gBGkwZzBlBgRVHSAAMF0wWwYIKwYBBQUHAgIwTxpNSWYgeW91IHRy +dXN0IHRoaXMgY2VydCB0aGVuIHdlIGhhdmUgYSBicmlkZ2UgdGhhdCB5b3UgbWlnaHQgYmUg +aW50ZXJlc3RlZCBpbi4wDQYJKoZIhvcNAQELBQADggIBAKNNlRqFuE/JgV1BHyYK0xoSXH4a +ZP/7IoHtDVcSaZAOOuFOUrwVMUbzRBebbb6RpFwt/X+NLFUGysd+XNLF7W7lzxKtmFNXn4Op +NkBe0y5O7yurus8rERHzu3jiOSgVo+WzDlGpYSRnG3hI2qPWqD+Puzx/WwI8XUTuzEQQ3gUS +yVFfXHpay3VpYmLZiLJ9WKY5SDw7Ie6Sxrju4Qm1HwnFY8wHZGcs2KMQzorJ1ZNQf523yUTg +hbT0rKaSFaD8zugPtI2ONfFG/QgrkQXo78opzPsHnHwaSxGSiAgeLbwAUCvPNl27zr6k6+7T +cNjV0VUivAs0OG3VEAdgi7UWYB+30KfWwHwEzGmvd4IAGqIqlqLcSVArN5z8JK1B5nfjQn5U +rclU1vK+dnuiKE2X4rKuBTRYRFR/km+mj4koYFPKFHndmJl1uv2OCJK9l5CSIuKWeI1qv8BA +SKqgNdoT/SKBXqxgYlCbo+j4IDjxrxChRO+e5vl9lA7INfRrbljCkUjfLRa+v2q9tWQ3+EQU +wwnSrSfihh2Tj0Tksr6b8dDsvMlCdOKG1B+JPcEXORSFKNXVTEfjqpJG8s16kFAocWt3S6xO +0k1tqbQp+3tWQgW2TGnX0rMZzB6NGRNfWhlYmq2zHgXkiCIZ26Ztgt/LNbwEvN3+VlLoz/Rd ++SKtlrfbAAAAAgAbdGhhd3RlcHJlbWl1bXNlcnZlcmNhIFtqZGtdAAABVsJIy3MABVguNTA5 +AAADOjCCAzYwggKfoAMCAQICEDYSIpbF4zilIKHSX0zXCVQwDQYJKoZIhvcNAQEFBQAwgc4x +CzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93 +bjEdMBsGA1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRp +b24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBD +QTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTAeFw05NjA4MDEw +MDAwMDBaFw0yMTAxMDEyMzU5NTlaMIHOMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVy +biBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAbBgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5n +IGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSEwHwYDVQQD +ExhUaGF3dGUgUHJlbWl1bSBTZXJ2ZXIgQ0ExKDAmBgkqhkiG9w0BCQEWGXByZW1pdW0tc2Vy +dmVyQHRoYXd0ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANI2NmqL18JbntqB +QWKPOO5JBFXW0O8cG5UWR+8YSDU6UvQragaPOy/qVuOvho2eF/eetGV1Ak3vywmiIVHYm9Bn +0LoNkgYUc9STy5cqAJxcTgy8+hVS/PJEbtoRSm4Iny8t4/mqOoZztkZTWMiJBb2DEbhzP6oH +jfRCTedAnRw3AgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA +ZZCsiA9W2eYwNNQmx9BQ8ZLea9Q5iAkixqZjgwP3mXfYsuUYuF1j89Rz+2ycmXjxS3h9GSTD +KwKE+Lwi2Yoi16D8ceyRhyDxuOyx5VWArD1SyDkOwvDABU/WgnWMvV/S3HaaBRLJr3LD3CV+ +pE2OF6Xgh3/hmlrhYNxkIzxCLk0AAAACABRzZWNvbWV2cm9vdGNhMSBbamRrXQAAAVbCSf1E +AAVYLjUwOQAAA4EwggN9MIICZaADAgECAgEAMA0GCSqGSIb3DQEBBQUAMGAxCzAJBgNVBAYT +AkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMSowKAYDVQQLEyFT +ZWN1cml0eSBDb21tdW5pY2F0aW9uIEVWIFJvb3RDQTEwHhcNMDcwNjA2MDIxMjMyWhcNMzcw +NjA2MDIxMjMyWjBgMQswCQYDVQQGEwJKUDElMCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVt +cyBDTy4sTFRELjEqMCgGA1UECxMhU2VjdXJpdHkgQ29tbXVuaWNhdGlvbiBFViBSb290Q0Ex +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvH/sV5sk4P6cukJ5qYiK+oDg9Qcp +Q+qOCjQ2jRz6p7U5eP+Xdfcv5KprBIREyqbiaI79VVBiD6RxDs4HOC1ChVCtPJZvi9WiDs/e +SYk91mQuOOUebLVXip7vSA7NemkWh0S1kOQGna6hBJdYee8gSoJrjCK/7B8P6YRx7fEO5LgY +E8xWNl3Rmh5RazluYHaINAvzs9Gwncph4mQdwUYHuGPdHjNls44JVVI9tb3/B+utYVUYLKlp +mEqqQMUzFGV0APmR3q8DSMVAVNwPhJBoIMWSltwu5QJFqsBfVPht6knPXWxLr++awlZcxjVW +QmowX8Kr9uI9P7PJEY8xTNefSQIDAQABo0IwQDAdBgNVHQ4EFgQUNUr1Ta8/14I4rKtxZRd1 +jJ1Vk+YwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD +ggEBAKiH6ez4QGddw8Fmx0BLl/yHE5BaxO+gyl+Lt6e38da1ZLeKs7gbzNr7rGaIQc7o/OTb +Hoim7SdQGwIwJEZ5/gSHcJdAc9HAwVcZmmmlJ5mrnWKE9lHBLMkjFdgot6slE7VG4YYC/yaM +xIiSHVb+GWfyVeSAo2ucq3fhUXENINsQmtu9dnkHd5korZpe2rFPRCw1jqWWx/2D8FjGedaY +fKiN/oY+BxaS4XvnHewzdn5CLkqF+ZGJaIQDgaWbmr7jN8VUq1Y7GC1BpAz4QtuZoOByb7td +4RZPUwpk+U70v05UvXhsiOq/nBMkwnBpon8PyDytCMmwmECjKueIg+13j3QAAAACABh2ZXJp +c2lnbmNsYXNzMWcyY2EgW2pka10AAAFWwkoD9QAFWC41MDkAAAMGMIIDAjCCAmsCEEzH6qqY +PnHTkxD4PTqJkZIwDQYJKoZIhvcNAQEFBQAwgcExCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5W +ZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5j +LiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBO +ZXR3b3JrMB4XDTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVowgcExCzAJBgNVBAYTAlVT +MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMSBQdWJsaWMgUHJp +bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEoYykgMTk5OCBW +ZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJp +U2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCq0Lq+Fi24 +g9TK0g+8djHKlNgdk4xWArzZbxpvUjZudVYKVdPfQ4chEWWKfo+9Id5rMj8bhDSVBZ1BNeuS +65bdqlk/AVNtmU/t5eIqWpDBucSmFc/IReumXY6cPvBkJHalzasab7bYe1FhbqZ/h8jit+U0 +3EGI6glAvnOSPWvndQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAKlPww3HZ74sy9mozS11534V +njty637rXC0Jh9ZrbWB85a7FkCMMXErQr7Fd88e2CtvgFZMN3QO8x3aKtd1Pw5sTdbgBwObJ +W2uluIncrKTdcu1OofdPvAbT6shkdHvClUGcZXNY8ZCaPGqxmMnEh7zPRW1F4m4iP/68DzFc +6PLZAAAAAgARY29tb2RvYWFhY2EgW2pka10AAAFWwkmpEwAFWC41MDkAAAQ2MIIEMjCCAxqg +AwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRl +ciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGlt +aXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAw +MFoXDTI4MTIzMTIzNTk1OVowezELMAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFu +Y2hlc3RlcjEQMA4GA1UEBwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQx +ITAfBgNVBAMMGEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQuaBtDF +cCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe3M/vg4aijJRP +n2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4YgNW8IoaE+oxox6gmf04 +9vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZRrOme9Hg6jc8P2ULimAyrL58OAd7v +n5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cmez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kC +AwEAAaOBwDCBvTAdBgNVHQ4EFgQUoBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQD +AgEGMA8GA1UdEwEB/wQFMAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21v +ZG9jYS5jb20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwu +Y29tb2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUFAAOC +AQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1QGE8mTgHj5rCl +7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLzRt0vxuBqw8M0Ayx9lt1a +wg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2G9w84FoVxp7Z8VlIMCFlA2zs6SFz +7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsil2D4kF501KKaU73yqWjgom7C12yxow+ev+to +51byrvLjKzg6CYG1a4XXvi3tPxq3smPi9WIsgtRqAEFQ8TmDn5XpNpaYbgAAAAIAGWdlb3Ry +dXN0cHJpbWFyeWNhZzIgW2pka10AAAFWwknPogAFWC41MDkAAAKyMIICrjCCAjWgAwIBAgIQ +PLL0SAoA4v7rJDteYD7DazAKBggqhkjOPQQDAzCBmDELMAkGA1UEBhMCVVMxFjAUBgNVBAoT +DUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChjKSAyMDA3IEdlb1RydXN0IEluYy4gLSBGb3Ig +YXV0aG9yaXplZCB1c2Ugb25seTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eSAtIEcyMB4XDTA3MTEwNTAwMDAwMFoXDTM4MDExODIzNTk1OVow +gZgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAoYykg +MjAwNyBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNVBAMT +LUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjB2MBAGByqG +SM49AgEGBSuBBAAiA2IABBWx6P0DFUPlrOuHNxFi79KDNlJ9RVcLSo17VDs6bl8VAsBQps8l +L33KSLjHUGMcKiEIfJo22Av+0SbFWDEwKCXzXV2juLaltJLtbCyf691DiaI8S0iRHVDsJt/W +YC69IaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBVf +NVdRVfslsq0DafwBo/q+EVXVMAoGCCqGSM49BAMDA2cAMGQCMGSWWaboCd6LuvpaiIjwH5HT +RqjySkwCY/tsXzjbLkGTqQ7mndwxHLKgpxgceeHHNgIwOlavmnRs9vuD4DPTCF+hnMJbn0bW +tsuRBmOiBuczrD6ogRLQy7rQkgu2npaqBA+KAAAAAgAUZ2xvYmFsc2lnbnIzY2EgW2pka10A +AAFWwklt3gAFWC41MDkAAANjMIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcN +AQELBQAwTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkds +b2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4 +MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMK +R2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8RgJDx7KKnQRfJMsuS+Fggkbh +UqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsTgHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ +ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmmKPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7 +v/U9AOEGM+iCK65TpjoWc4zdQQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+u +IEn8rUAVSNECMWEZXriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEA +AaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o +LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZURUm7lgAJ +QayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMpjjM5RcOO5LlXbKr8 +EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK6fBdRoyV3XpYKBovHd7NADdB +j+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQXmcIfeg7jLQitChws/zyrVQ4PkX4268NX +Sb7hLi18YIvDQVETI53O9zJrlAGomecsMx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o +2HLO02JQZR7rkpeDMdmztcpHWD9fAAAAAgAZdGhhd3RlcHJpbWFyeXJvb3RjYSBbamRrXQAA +AVbCSY0HAAVYLjUwOQAABCQwggQgMIIDCKADAgECAhA0TtVXINXt7En0L8432yttMA0GCSqG +SIb3DQEBBQUAMIGpMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYD +VQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykgMjAw +NiB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEfMB0GA1UEAxMWdGhh +d3RlIFByaW1hcnkgUm9vdCBDQTAeFw0wNjExMTcwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIGp +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZp +Y2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykgMjAwNiB0aGF3dGUsIElu +Yy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEfMB0GA1UEAxMWdGhhd3RlIFByaW1hcnkg +Um9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKyg8PuAWdScx6TPnaFZ +cwkQRQwNLG5o8WxbSGhJWTf8CzMZwnd/zBAtlTQc5utNCacc0rjJlzYCt4nUJF8GwMxElJSN +AmJv61rdEY0omlyEkBB6Db10Zi9qOKDi1VRE6x0Hnwe6b+7p/U4LKfU+hKAB8Zyr+Bx+iaTo +odhxZQ2jUXvuvNIiYA25W53fuvxRWwuvmLLpLukE6GKH3ivI107BTGQe3c+HWLpKT8poBx0c +nUrG1S+RzHxxchzFwGfrMv3JklyU2oXAm79TfSsJ9IydkR+XalLL3gk2pHfYe4dQRNU+bilp ++zlJJh4JpYB7QC3r6CeFyf5h/X7mfJcd1Z0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHtbRc+vzst6/TGSGmq280brV0hQMA0GCSqGSIb3 +DQEBBQUAA4IBAQB5EcBLs5G2/PDpZ9QNbkW+VeiT0s4DP+3aJbAdV8seOnagTOxQduhkcgyk +qfG4i9bWh4S7MuVBEcB32bNgnesb1dFuRESppgHsVWIdd7hcjkhJfJw7VxGsrXM3ji94XJBo +R9lgYOb8Bz0iIBfE9xbpxNhy+chzfN8WLxWpPv1qJ7ah61q6mB/V401kCp0TyGG69Tkch7q4 +vXsif/b+rEB55awQbz2PG3l2i8Q3syEYhOU2AOtjIJm56f4zBLtByMEC+URjIJ6BzkLT1j8s +dtNjnFndj6bhDqAuQfculUfPvP0z8/YLYX5+kSuBR8InMO6nEF03j1w5K+QE8HuNVoxoAAAA +AgAVcXVvdmFkaXNyb290Y2EzIFtqZGtdAAABVsJJBmkABVguNTA5AAAGoTCCBp0wggSFoAMC +AQICAgXGMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRp +cyBMaW1pdGVkMRswGQYDVQQDExJRdW9WYWRpcyBSb290IENBIDMwHhcNMDYxMTI0MTkxMTIz +WhcNMzExMTI0MTkwNjQ0WjBFMQswCQYDVQQGEwJCTTEZMBcGA1UEChMQUXVvVmFkaXMgTGlt +aXRlZDEbMBkGA1UEAxMSUXVvVmFkaXMgUm9vdCBDQSAzMIICIjANBgkqhkiG9w0BAQEFAAOC +Ag8AMIICCgKCAgEAzFdCFlSc5pjT003u/u3Hn0M5SmWz6BaINNsNWZF0z5K4BECtAksxq7yN +kWjYIA4aAeIae04XXeKKtz+ZGs3rYavCZaYft7e9t4/8/XCPC6BnvgGiWc9x5g8pdv+xVnlF +Kx+eelTooyk1aKQBTw+kLjfvG7/jjxCocqtYV+dUhsjJ81vaLNpdjm48oz7a+4Ll3fJcsgUz +b4o2ztATTv+/Sgw0TKbDIb1QBFXrsbud+0UeZBXeVQGMAna1y6E/Qmm8L71oQxZWiSo3YZH9 +pq5OwMsUZZQ3S5IG7wTQyJyI2wt7ga+xPSrEZTp4tu7cgLHS05mcOu5rWmuzjbfVzpzCvqVL +Lxaxnmg7Bm+ufZ/43uzMKaeYoyVDL+/xXybhiE34Xm7X2RRuGTNppzuEiZPEU1UToVF4QPi4 +yaLue7pSQoOeFO0FUlpZVqeX/J0/CinY3E+RDhO83pWk34uZvqybM4jvtYGvG8YiU8j2x+6X +FLDFfHhSyPDObndghKbpKnYg7VgBFzCT6RqL4HNj2WqSlElOtK1KhcSjIjD8Ce1oInOmiAxV +IVjF4TqfKt3K4ZDg2XOrbIC46Atkk6CcjBn/s9IM7JEmh4qzouFwjywK5c1taFHr2j8Ff4sy +5hNca/5fQOIiyLS0ZE/Wun1IPqhpDNe7hnHJc7g/O50lS9r/QOsCAwEAAaOCAZUwggGRMA8G +A1UdEwEB/wQFMAMBAf8wgeEGA1UdIASB2TCB1jCB0wYJKwYBBAG+WAADMIHFMIGTBggrBgEF +BQcCAjCBhhqBg0FueSB1c2Ugb2YgdGhpcyBDZXJ0aWZpY2F0ZSBjb25zdGl0dXRlcyBhY2Nl +cHRhbmNlIG9mIHRoZSBRdW9WYWRpcyBSb290IENBIDMgQ2VydGlmaWNhdGUgUG9saWN5IC8g +Q2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQuMC0GCCsGAQUFBwIBFiFodHRwOi8v +d3d3LnF1b3ZhZGlzZ2xvYmFsLmNvbS9jcHMwCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBTywBPg +gkM+++4vZzKWNVzbuMsC0DBuBgNVHSMEZzBlgBTywBPggkM+++4vZzKWNVzbuMsC0KFJpEcw +RTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1 +b1ZhZGlzIFJvb3QgQ0EgM4ICBcYwDQYJKoZIhvcNAQEFBQADggIBAE+toCxM+sDyb/dmVasj +NO7nKdrDW7awg9nQ0OIh+/NgpztdYFMnopv2CCIq57+gcuWcJGoxsZB6J9uEEYknpndaONe/ +rIb87l2DvAbG0XdrD20kL0t6bKcHlsrjhJ+tiIsdqxaNW2YX2Rb0i4DS3fiydsP8OBOqDN5C +aStu8zzrgCfb9aZEDZ9aVVkL1Q1SSMWun/IvgMXqMlA1EpcuweH/8SOIUTif8mZWducPUZel +UgxNSVGVNj2/oksMEB2GmUyq83IRk+Tq9pvaqF2nTbeeAq5zAMjaIwPo+eoZdGIAlMsiIL6U +p1m1gmq+mXl6qfJKJFL3dP26TuaoHQJusQ2ARMGu0yM3X7uFfCuSLuh+pYvdmeG/J28tXap7 +h/4K3Uv8jvUm5G5wQm4z7DGee5PB5MlpGj3Aa04ibe6rWE3G0EHBK+pPEode60XYbPWYAtOg +2FWKBpkZoqB30TCerMx17oP1sGI5z2xX4kzSkQsOdSgbmr/9GkPxynf7O49huGkoFkIEXnAq +HCHYj+G9I1stdECS2WMZDXPdabxiR7zgdCuy632+QRu1wEbFoSLLX07BKJLeGLrVKii7EYsX +k5iZYJRcI89aJ5deCwUGkzceO2k266meYR2PMtqODNZ0PnsJJNoBd0fEO800jJn1yuElYTOy +WRvibtc3V7YNqRLaAAAAAgAXc3RhcmZpZWxkY2xhc3MyY2EgW2pka10AAAFWwklDvgAFWC41 +MDkAAAQTMIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl +MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp +ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQwNjI5MTczOTE2WhcN +MzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hu +b2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlv +biBBdXRob3JpdHkwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWt +DBFk385N78gDGIc/oav7PKaf8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1Mv +nsoFAZMej2YcOadN+lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSH +o9T5iaU0X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa +K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA1W4TNSNe +35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0GA1UdDgQWBBS/X7fR +zt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fRzt0fhvRbVazc1xDCDqmI56Fs +pGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIElu +Yy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 +ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqb +AYcaT1epoXkJKtv3L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA +2IGvd56Deruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl +xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynpVSJYACPq +4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEYWQPJIrSPnNVeKtel +ttQKbfi3QBFGmh95DmK/D5fs4C8fF5QAAAACABdzdGFyZmllbGRyb290ZzJjYSBbamRrXQAA +AVbCSZA1AAVYLjUwOQAAA+EwggPdMIICxaADAgECAgEAMA0GCSqGSIb3DQEBCwUAMIGPMQsw +CQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTElMCMG +A1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UEAxMpU3RhcmZpZWxk +IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMDkwOTAxMDAwMDAwWhcNMzcx +MjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcT +ClNjb3R0c2RhbGUxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAw +BgNVBAMTKVN0YXJmaWVsZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAve3BA/z2j/wCsW9bn0jZnXniorcDYVYYw0e2 +18o9NS6JQ/ehaZveihr9EyCctEl3MilW/bnsjN0i+nLcJ2GX7vZahOxuGbmJLNyEW9V0+2tf +xYmlEFKJRlX0uHUc5n/kVK5L+FVyVwIZ+BdxWeseKAd0xZ1Ivmy09KSw82Q3eZLA7EZef+Ft +U0xir80fC2O7Op37/HkAmGF0zyaCQGPzsnJqGQ2ZytQOdcw3+4uJwVnxYn9fs19lMPint012 +Wh52XjTA6JZWmYqz8H+kzb3cMjF8kc/gXxH4a6pJXNGZlNGi42NbCXa1VmLhS3QdltQm1AgE +WdCYDg7m3vzD7B+Q8QIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB +BjAdBgNVHQ4EFgQUfAwyH6fZMH/EfWijYqihzqsHWycwDQYJKoZIhvcNAQELBQADggEBABFZ ++iVPA2+UmTuaH4KFOdR2BZRe4SiTbWJdCcKgqNSwdTjxNGqd5J+KhiZR5izRxi1ulSBKkgHs +uIpnezHiZy6MlQMmLkOdSjH2DrUMu7fiN38iugCjDntS+2u7O8TTeVFOzZD0ZwcZyDxGeg0B +fcVY523mhTAXmiTEEOAE9+Dyf9SqCv9CHTftlOVkWRIgdzjTMj44gXWWc/poj7HLzh/F7Pqc +fs9+sfEHLbb8v8qkv9CXBUq86hgoApC9VHgJIXHT0X0d2RawqWE90AoAIvzHe8sJZEULO0CB +9318MvWYyliOfSrukFlzZPk2dF4lofVmBS5/ORWpKvtQi46FafQAAAACABZ2ZXJpc2lnbmNs +YXNzM2NhIFtqZGtdAAABVsJJHnsABVguNTA5AAACQDCCAjwwggGlAhA8kTHLH/bQGw6auNBE +vxK+MA0GCSqGSIb3DQEBBQUAMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwg +SW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1 +dGhvcml0eTAeFw05NjAxMjkwMDAwMDBaFw0yODA4MDIyMzU5NTlaMF8xCzAJBgNVBAYTAlVT +MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp +bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC +gYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqoRAWq7AMfeH+ek7ma +AKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4rCNfcCk2pMmG57GaIMtTpYXn +Pb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAQclKpBRQZ +MghB8MVrCsx+DyEZzeRn3F+pG+bK6HOdItiYbnMDYZHFfLBFQG5EnY2wsZZ0YS0NqUXSpJIq +1pp1l24/U/1FmWAdqCtM+V6nCdh1MNfSZWA9Z9ZIVXVpP5H1SAtHaSJpgpa+ycg4hkp6LHMZ +SGlOa3xlvw/8cM6IkAAAAAIAHWFmZmlybXRydXN0cHJlbWl1bWVjY2NhIFtqZGtdAAABVsJJ +pesABVguNTA5AAACAjCCAf4wggGFoAMCAQICCHSXJYrHP3pUMAoGCCqGSM49BAMDMEUxCzAJ +BgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwXQWZmaXJtVHJ1c3Qg +UHJlbWl1bSBFQ0MwHhcNMTAwMTI5MTQyMDI0WhcNNDAxMjMxMTQyMDI0WjBFMQswCQYDVQQG +EwJVUzEUMBIGA1UECgwLQWZmaXJtVHJ1c3QxIDAeBgNVBAMMF0FmZmlybVRydXN0IFByZW1p +dW0gRUNDMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEDTBeGxWdA9CheTW3OjySesoVHM1i85wm +XAc95VT6o9bMEur0FF/ojhmrLy5I5qwYQ3is0DfDvbLNLOZH4hrmY7g9Li94xE/b9A+kaExV +cmuVHU4YQpV4zDc8keKbZSspo0IwQDAdBgNVHQ4EFgQUmq8pesARNTUmUTAAw2r+QNWu1jww +DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwMDZwAwZAIwFwnz +h4hQWq/IwEK/R1/1bGqG4MQndOQ4U9cFfxs048Yvs8oJPDed1+e4RvH9oeJxAjBCWYdD1FHf +utMJMlrOiH5XPZxfQmv1By218IKT+VlvrmT6WOWLHuNjvrWBzW8CjHkAAAACABZ2ZXJpc2ln +bmNsYXNzMWNhIFtqZGtdAAABVsJJPbYABVguNTA5AAACQDCCAjwwggGlAhA/aR6BnPCaSvNz +/7lIouTdMA0GCSqGSIb3DQEBBQUAMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln +biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9u +IEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBaFw0yODA4MDIyMzU5NTlaMF8xCzAJBgNVBAYT +AlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMg +UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw +gYkCgYEA5Rm/baNWYS2ZSHH2Z965jeu3noaACpEO+jglr0aIguVzqKCbJF0NH8xlbgyw0FaE +GIeaBpsQoXPftFg5a27B9hXVqKg/qhIGjTGsf7A01480Z4gJzRQR4k5FVmkfeAKA2txHkSm7 +NsljXMXg1y2He6G3MrB7MLoqLzGq7qNn2tsCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBYFSk5 +PHej2lwlA3xg+u4JmTwnEHDIDAnms4fPCuIYljVizL+bJ3mJX8nECfTOtR3fKr3l24acaCXl +MHy2iRX+Z9Gt4VCsPHxiS4+6hNcSFRsfyl0PwVKUKhGZ2nvPDDYT1TXcEBlZ6pTBAL91j9n6 +/XYE22K7kGoD2UY12fh8WwAAAAIAFmdlb3RydXN0Z2xvYmFsY2EgW2pka10AAAFWwkmTQgAF +WC41MDkAAANYMIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYT +AlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9iYWwg +Q0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQGEwJVUzEWMBQG +A1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM ++KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlC +GDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Q +lz6cJmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+ +OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKc +eeoWMPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTAepho +jYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjANBgkq +hkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKInZ57QzxpeR+nBsqTP3UEa +BU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfStQWVYrmm3ok9Nns4d0iXrKYgjy6m +yQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcFPseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/ +IH2uSrW4nOQdtqvmlKXBx4Ot2/Unhw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0z +X5IJL4hmXXeXxx12E6nV5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvm +MwAAAAIAH2VxdWlmYXhzZWN1cmVlYnVzaW5lc3NjYTEgW2pka10AAAFWwkjXiAAFWC41MDkA +AAKHMIICgzCCAeygAwIBAgICWeMwDQYJKoZIhvcNAQEFBQAwUzELMAkGA1UEBhMCVVMxHDAa +BgNVBAoTE0VxdWlmYXggU2VjdXJlIEluYy4xJjAkBgNVBAMTHUVxdWlmYXggU2VjdXJlIGVC +dXNpbmVzcyBDQS0xMB4XDTk5MDYyMTA0MDAwMFoXDTIwMDYyMjA0MDAwMFowUzELMAkGA1UE +BhMCVVMxHDAaBgNVBAoTE0VxdWlmYXggU2VjdXJlIEluYy4xJjAkBgNVBAMTHUVxdWlmYXgg +U2VjdXJlIGVCdXNpbmVzcyBDQS0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOLxm8 +F7d33pOpX1oNF080GgyY9CLZWdTEaEbwtDXFhQMgxq9FpSFRRUHrFlg2Mm/iUGJk+f1RnKok +2fSdgyqHCiHTEjg0bI0Ablqg2ULuGiGV+VJMVVrFDzhPRvpt+C411h186+LwsHWAyKkTrL6I +7zpuq18qOGICsBJ7/o+mAwIDAQABo2YwZDAfBgNVHSMEGDAWgBRKeDJSEdtZFjZe38EUNkBq +R3xMoTAdBgNVHQ4EFgQUSngyUhHbWRY2Xt/BFDZAakd8TKEwDwYDVR0TAQH/BAUwAwEB/zAR +BglghkgBhvhCAQEEBAMCAAcwDQYJKoZIhvcNAQEFBQADgYEAHKcbomcF4NP6lEGulFSDWLCy +bLS2r85gp3byARQCjMJC4gA/ObfY02Mvuy0ipZCdw17C6sJCrMtn2/CxO5C4SCVOy/EdUKvV +LTLPgtf1Nt1p4a9DjZ2F8qXmdXis4MAUOjfb6ROctB8qsSs6Rkb5u2NbT0jDQ1wVXl3PFz0M +524AAAACABVzd2lzc2NvbXJvb3RjYTIgW2pka10AAAFWwkkMcAAFWC41MDkAAAXdMIIF2TCC +A8GgAwIBAgIQHp4o6Ejy5e/DfEoeWhhntjANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJj +aDERMA8GA1UEChMIU3dpc3Njb20xJTAjBgNVBAsTHERpZ2l0YWwgQ2VydGlmaWNhdGUgU2Vy +dmljZXMxGzAZBgNVBAMTElN3aXNzY29tIFJvb3QgQ0EgMjAeFw0xMTA2MjQwODM4MTRaFw0z +MTA2MjUwNzM4MTRaMGQxCzAJBgNVBAYTAmNoMREwDwYDVQQKEwhTd2lzc2NvbTElMCMGA1UE +CxMcRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEbMBkGA1UEAxMSU3dpc3Njb20gUm9v +dCBDQSAyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAlUJOhJ1R5tMJ6HJaI2nb +eHCOFvErjw0DzpPMLgAIe6szjPTpQOYXTKueuEcUMncy3SgM3hhLX3af+Dk7/E6J2HzFZ++r +0rk0X2s682Q2zsKwzxNoysjL67XiPS4h3+os1OD5cJZM/2pYmLcX5BtS5X4HAB1f2uY+lQS3 +aYg5oUFgJWFLlTloYhyxCwWJwDaCFCE/rtuh/bxvHGCGtlOUSbkrRsVPACu/obvLP+DHVxxX +6NZp+MEkUp2IVd3Chy50I9AU/SpHWrumnf2U5NGKpV+GY3aFy6//SSj8gO1MedK75MDvAe5Q +QQg1I3ArqRa0jG6F6bYRzzHdUyYb3y1aSgJA/MTAtukxGggo5WDDH8SQjhBiYEQN7Aq+VRhx +LKX0srwVYv8c474d2h5Xszx+zYIdkeNL6yxSNLCK/RJOlrDrcH+eOfdmQrGrrFLadkBXeyq9 +6G4DsguAhYidDMfCd7Camlf0uPoTXGiTOmekl9AbmbeGMktg2M7v0Ax/lZ9vh0+Hio5fCHyq +W/xavqGRn1V9TrALacywlKinh/LTSlDcX3KwFnUey7QYYpqwpzmqm59m2I2mbJYV4+by+PGD +Ymy7Velhk6M99bFXi08jsJvllGov34zflVEpYKELKeRcVVi3qPyZ7iVNTA6z00yPhOgpD/0Q +VAKFyPnlw4vP5w8CAwEAAaOBhjCBgzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0hBBYwFDASBgdg +hXQBUwIBBgdghXQBUwIBMBIGA1UdEwEB/wQIMAYBAf8CAQcwHQYDVR0OBBYEFE0mICKJS9PV +pAqhb97iEoHF8TwuMB8GA1UdIwQYMBaAFE0mICKJS9PVpAqhb97iEoHF8TwuMA0GCSqGSIb3 +DQEBCwUAA4ICAQAyCrKkG8t9voJXiblqf/P0wS4RfbgZPnm3qKhyN2abGu2sEzsOv2LwnN+e +e6FTSA5BesogpxcbtnjsQJHzQq0Qw1zv/2BZf82Fo4s9SBwlAjxnffUy6S8w5X2lejjQ82Yq +Zh6NM4OKb3xuqFp1mrjX2lhIREeoTPpMSQpKwhI3qEAMw8jh0FcNlzKVxzqfl9NX+Ave5XLz +o9v/tdhZsnPdTSpxsrpJ9csc1fV5yJmz/MFMdOO0vSk3FQQoHt5FRnDsr7p4DooqzgB53MBf +GWcsa0vvaGgLQ+OswWIJ76bdZWGgr4RVSJFSHMYlkSrQwSIjYVmvRRGFHQEkNI/Ps/8XciAT +woCqISxxOQ7Qj1zB09GOInJGTB2Wrk9xseEFKZZZ9LuedT3PDTcNYtsmjGOpI99nBjx8Oto0 +QuFmtEYE3saWmA9LSHokMnWRn6z3aOkquVVlzl1h0ydw2Df+n7mvoC5Wt6NlUe07qxS/TFED +6F+KBZvuim6c779o+sjaC+NCydAXFJy3SuCvkychVSa1ZC+N8f+mQAWFBVzKBxlcCxMoTFh/ +wqXvRdpg065lYZ1Tg3TCrvJcwhbtkj6EPnNgiLx29CzP0H1907he0ZESEOnN3col49XtmS++ +dYFLJPlFRpTJKSFTnCZFqhMX5OfNeOI5wSsSnqaeG8XmDtkx2QAAAAIAEGFvbHJvb3RjYTIg +W2pka10AAAFWwkm0pAAFWC41MDkAAAWoMIIFpDCCA4ygAwIBAgIBATANBgkqhkiG9w0BAQUF +ADBjMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTQW1lcmljYSBPbmxpbmUgSW5jLjE2MDQGA1UE +AxMtQW1lcmljYSBPbmxpbmUgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAyMB4XDTAy +MDUyODA2MDAwMFoXDTM3MDkyOTE0MDgwMFowYzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0Ft +ZXJpY2EgT25saW5lIEluYy4xNjA0BgNVBAMTLUFtZXJpY2EgT25saW5lIFJvb3QgQ2VydGlm +aWNhdGlvbiBBdXRob3JpdHkgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMxB +RR3pPU0Q9oyxQcngXssNt79Hc9PwVU3dxgz6sWYFas14tNwC206B89enfHG8dWOgXeMHDEjs +JcQDIPT/DjsS/5uN4cbVG7RtIuOx238hZK+GvFciKtZHgVdEglZTvYYUAQv8f3SkWq7xuhG1 +m1hagLQ3eAkzfDJHA1zEpYNI9FdWboE2JxhP7JsowtS013wMPgwr38oE18aO6lhOqKSlGBxs +RZijQdEt0sdtjRnxrXm3gT+9BoInLRBYBbV4Bbkv2wxrkJB+FFk4u5QkE+XRnRTf04JNRvCA +OVIyD+OEsnpD8l7eXz8d3eOyG6ChKiMDbi4BFYdcpnV1x5dhvt6G3NRI270qv0pV2uh9UPu0 +gBe4lL8BPeraunzgWGcXuVjgiIZGZ2ydEEdYMtA1fHkqkKJaEBEjNa0vzORKW6fIJ/KD3l67 +Xnfn6KVuY8INXWHQjNJsWiEOyiijzirplcdIz5ZvHZIlyMbGwcEMBawmxNJ10uEqZ8A9W6Wa +6897GqidFEXlD6CaZd4vKL3Ob5Rmg0gp2OpljK+T2WSfVVcmv2/LNzGZo2C7HK2JNDJiuEMh +BnIMoVxtRsX6Kc8w3onccVvdtjc+31D1uAclJuW8tf48ArO3+L5DwYcRlJ4jbBeKuIonDFRH +8KmzwICMoCfrHRnjB453cMor9H124HhnAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHQYD +VR0OBBYEFE1FwWg4u3OpaaEg5+31IqEjFNeeMB8GA1UdIwQYMBaAFE1FwWg4u3OpaaEg5+31 +IqEjFNeeMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQUFAAOCAgEAZ2sGuV9FOypLM7Pm +G2tZTiLMubekJcmnxPBUlgtk87FYT15R/LKXeydlwuXK5w0MJXti4/qftIe3RUavg6WXSIyl +vfEWK5t2LHo1YGwRgJfMqZJS5ivmae2p+DYtLHe/YUjRYwu5W1LtGLBDQiKmsXeu3mnFzccc +obGlHBD7GL4acN3Bkku+KVqdPzW+5X1R+FXgJXUjhx5c3LqdsKyzadsXg8n33gy8CNyRnqjQ +1xU3c6U1uPx+xURABsPr+CKAXEfOAuMRn0T//ZoyzH1kUQ7rVyZ2OuMeIjzCpjbdGe+n/BLz +JsBZMYVMnNjP36TMzCmT/5RtdlwTCJfy7aULTd3oyWgOZtMADjMSW7yV5TKQqLPGbIOtd+6L +fn6xqavT4fG2wLHqiMDn05DpKJKUe2h7lyoKZy2FAjgQ5ANh1NolNscIWC2hp1GvMApJ9aZp +hwctREZ2jirlmjvXGKL8nDgQzMY70rUXOm/9riW99XJZZLF0KjhfGEzfz3EEWjbUvy+ZnOjZ +urGV5gJLIaFb1cFPj65pbVPbAZO1XB4Y3WRayhgoPmMEEf0cjQAPuDffZ4qdZqkCapH/E8ov +XYO8h5Ns3CRRFgQlZvqz2cK6Kb6aSDiCmfS/O0oxGfm/jiEzFMpPVF/7zvuPcX/9XhmgD0uR +uMRUvAawRY8mkaKO/qkAAAACABVlcXVpZmF4c2VjdXJlY2EgW2pka10AAAFWwkkDbQAFWC41 +MDkAAAMkMIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV +UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlmaWNh +dGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1MVowTjELMAkGA1UE +BhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVxdWlmYXggU2VjdXJlIENlcnRp +ZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6g +mi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6fBeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0B +CezhABRP/PvwDN1Dulsr4R+AcJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLj +UA86iOe/FP3gx7kCAwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQG +EwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm +aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgwODIyMTY0 +MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gjIBBPM5iQn9QwHQYD +VR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQFMAMBAf8wGgYJKoZIhvZ9B0EA +BA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUAA4GBAFjOKer89961zgK5F7WF0bnj4JXM +JTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IW +UrVnZ9NA2zsmWLIodz2uFHdh1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4 +AAAAAgAVZ29kYWRkeWNsYXNzMmNhIFtqZGtdAAABVsJJ7FwABVguNTA5AAAEBDCCBAAwggLo +oAMCAQICAQAwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRoZSBH +byBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3MgMiBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eTAeFw0wNDA2MjkxNzA2MjBaFw0zNDA2MjkxNzA2MjBaMGMxCzAJ +BgNVBAYTAlVTMSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsT +KEdvIERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3 +DQEBAQUAA4IBDQAwggEIAoIBAQDendfqVxhJoVvr119Ihuq+3f/k72cc9GVos1dxoF53u+2b +SelwgD1WGGMIb9ryzNA/fwJUIlQQ2LKB1MB1PUt/x3fDPnirGgO1IGsvaiuxxYh+xLsesMHY +RSdvqjdY94cm19gt9qkXtx9yNk6mFz9lmJLbKm5dov6I4Avef+WNFeHryzrV4hKiEy3Yjq9f +Ej2gCAUItlylZTgERZkeo2BgdMVBpXJiG2LFH29fGkK+AlFlqK4jGGr8eAOpTX+Aw/qrWvyh +QKTKGRb+ssjvXnMN7ne9mvZ5mLyxB2eiFQ3doFjGRHsKPmIoX7pBB1NYzxF+OHTF+P+1aZCP +hHTqlxuvAgEDo4HAMIG9MB0GA1UdDgQWBBTSxLDSkdRMEXGzYcs9of7dqGrU4zCBjQYDVR0j +BIGFMIGCgBTSxLDSkdRMEXGzYcs9of7dqGrU46FnpGUwYzELMAkGA1UEBhMCVVMxITAfBgNV +BAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg +MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB +BQUAA4IBAQAyS/Oyyj6R/BLGoQeMjnegMwYUXJAeGPcIpj0KGfmHgBFuaeSWFzD/NJFjcjju +zBwBox2UKKQx9nrEVNf25TFYA6LMzmLblEVztb9FySS11YICrSN5aY24tk3Oz0zKMyPoHIiq +nYtBbhbJIOWJns072nD3fpkmIBRUJatuc4XmmyGdCmyCDqj4wgz6EB5slu+HDcQPYYut7oMr +lfiOkoRyOesg6oPtg82Xbgi8604mtnMr5NP2TP4mceJhEXRK/1cahw91SC7PUWkXoAISYZXV +0UCyEEzuxKwQQ6alngrVlWKaDc+IgsUyDOQrn0XmDZ8onLG5KlpXrTcPrx1/272fAAAAAgAV +Z29kYWRkeXJvb3RnMmNhIFtqZGtdAAABVsJKCpgABVguNTA5AAADyTCCA8UwggKtoAMCAQIC +AQAwDQYJKoZIhvcNAQELBQAwgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMw +EQYDVQQHEwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE +AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjAeFw0wOTA5MDEw +MDAwMDBaFw0zNzEyMzEyMzU5NTlaMIGDMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9u +YTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xMTAv +BgNVBAMTKEdvIERhZGR5IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/cWII8fpZNPcbyRij94BJWOkigxOmxSBDATuE +8eaFSZ8n6vaEG06gtNtwmMcyAbEFPgdO7vT6Ty9ZMCLnqxlWa+KAB/zzFnWAOVF75fk1tnRO +qY2CE+S2P6kDg/qivooVan/eC8O2GRQFyurDqASUO0Z8Mg3zAGYiyI1pbTaMERi307IcYLQ4 ++gKMztPdRgfeCj7rXXzIfPuwK1OkkmJpUSUFYRpEgYwsqUOWI9+sOoGaDinFHKnpXR62np4w +CjnO8YiA+0tdzDLshWJDJTQCVicBkbQ7cCo/brHonIgBfZ/U+dtTbWCdvyznWKu4X0b8zsQb +AzwJ60kxXGlGs+BHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG +MB0GA1UdDgQWBBQ6moUHEGcotu/2vQVBbiDBlNoP3jANBgkqhkiG9w0BAQsFAAOCAQEAmdtd +edX5l1lnA2HxfjsGMXUtoSCOT2WHtPemnLzY6S/Q21ruz3SMc7Q4QtoFe/gCdbj9pbHXrvbX +3hPLUxB+ikbRl/q3LisRq5CwJ4D56J9a6Tefq+TfbLOFF5092SRPeZE11l8E64CDq5oCLbUQ +9NiQxwRzQO1yJaCpn+yeq2gSmVfGjxI6CaS9RP0GFTfBm+Qyo+046Nhk8yx+FPwC6p/N/wdo +F9sikDgteo3RVPFp418zyno9ewrjyn9fOeXidbrFdhgzzizwL0yt97Hnzk+oxJtKVAbFf33V +CA/iHP5+F7isXvbUFrJDCQxN9qdrtJmEZcp6iOLiRL5c9+oc9QAAAAIAGHZlcmlzaWduY2xh +c3MzZzVjYSBbamRrXQAAAVbCSVLhAAVYLjUwOQAABNcwggTTMIIDu6ADAgECAhAY2tGeJn3o +u0ohWM3MaztKMA0GCSqGSIb3DQEBBQUAMIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVy +aVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsT +MShjKSAyMDA2IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBD +BgNVBAMTPFZlcmlTaWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB +dXRob3JpdHkgLSBHNTAeFw0wNjExMDgwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD +VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy +dXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA2IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1 +dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWduIENsYXNzIDMgUHVibGljIFBy +aW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHNTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAK8kCAgpejWeYAyq50s7Ttx8vDxFHLsr4P4pAvlXCKNkhRUn9fGtyDGJ +XSLoKqqmQrOP+LlVt7G3S7P+j34HV+zvQ9tmYhVhz2ANpNje+ODDYgg9VBPrScpZVIUm5SuP +G5/r9aGRwjNJ2ENjalJL0o/ocFFN0Ylpe8dw9rPcEnTbe11LVtOWvxV3obD0oiXyrxySZxjl +9AYE75C55ADk3Tq1Gf8CuvQ87uCL6zeL7PTXrPL28D2v3XWRMxkdHEDLdCQZIZPZFP6sKlLH +j9UESeSNY0eIPGmDy/5HvSt+T8WVrg6d1NFDwGdz4xQIfuU/n3O4MwrPXT80h5aK7lPoJRUC +AwEAAaOBsjCBrzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjBtBggrBgEFBQcB +DARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq +1EgYLHsZLjAlFiNodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjAdBgNVHQ4E +FgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwDQYJKoZIhvcNAQEFBQADggEBAJMkSjBfYs/YGpgv +PercmS29d/aleSI47MSnoHgSrWIORXBkxeeXZi2YCX5fr9bMKGXyAaoIGkfe+fl8kloIaSAN +2T5tbjwNbtjmBpFAGLn4we3f20Gq4JYgyc1kFTiByZTuooQpCxNvjtsM3SUC26SLGUTSQXoF +aUpYT2DKfoJqCwKqJRc5tdt/54RlKpWKvYbeXoEWgy0QzN79qIIqbSgfDQvE5ecaJhnh9BFv +ELWV/OdCBTLbzp1RXii2noXTW++lfUVAco63DmsOBvszNUhxuJ0ni8RlXw2GdpxEevaVXPZd +MggzpFS2GD9oXPJCSoU4VINf0egs8qwR1qjtY2oAAAACABVxdW92YWRpc3Jvb3RjYTIgW2pk +a10AAAFWwkkJcwAFWC41MDkAAAW7MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAw +RTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1 +b1ZhZGlzIFJvb3QgQ0EgMjAeFw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJ +BgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9WYWRp +cyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCaGMpLlA0ALa8D +KYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+jhiYaHv5+HBg6XJxgFyo6dIMzMH1hVBHL7avg +5tKifvVrbxi3Cgst/ek+7wrGsxDp3MJGF/hd/aTa/55JWpzmM+Yklvc/ulsrHHo1wtZn/qtm +UIttKGAr79dgw8eTvI02kfN/+NsRE8Scd3bBrrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeV +ikvfj8ZaCuWw419eaxGrDPmF60Tp+ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQ +Q7dsE/He3fbE+Ik/0XX1ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3Fsvb +zSUr5R/7mp/iUcw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1JdxnwQ5h +YIizPtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og/zOh +D7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UHoycR7hYQe7xF +SkyyBNKr79X9DFHOUGoIMfmR2gyPZFwDwzqLID9ujWc9Otb+fVuIyV77zGHcizN300QyNQli +BJIWENieJ0f7OyHj+OsdWwIDAQABo4GwMIGtMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQD +AgEGMB0GA1UdDgQWBBQahGK8SEwzJQTU7tD2A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwz +JQTU7tD2A8QZRtGUa6FJpEcwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExp +bWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQAD +ggIBAD4KFk2fBluornFdLwUvZ+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAX +INzng/iN/Ae42l9NLmeyhP3ZRPx3UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2BlfF/n +JrP3MpCYUNQ3cVX2kiF495V5+vgtJodmVjB3pjd4M1IQWK4/YY7yarHvGH5KWWPKjaJW1acv +vFYfzznB4vsKqBUsfU16Y8Zsl0Q80m/DShcK+JDSV6IZUaUtl0HaB0+pUNqQjZRG4T7wlP0Q +ADj1O+hA4bRuVhogzG9Yje0uRY/W6ZM/57Es3zrWIozchLsib9D45MY56QSIPMO661V6bYCZ +JPVsAfv4l7CUW+v90m/xd2gNNWQjrLhVoQPRTUIZ3Ph1WVaj+ahJefivDrkRoHy3au000LYm +Yjgahwz46P0u05B/B5EqHdZ+XIWDmbA4CD/pXvk1B+TJYm5Xf6dQlfe6yJvmjqIBxdZmv3lh +8zwc4bmCXF2gw+nYSL0ZohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GB +UzGpn/Z9Yr9y4aOTHcyKJloJONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8VCLAAVBpQ570su9t ++Oza8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0uAAAAAgAOY2VydHVtY2EgW2pka10AAAFW +wkj6UwAFWC41MDkAAAMQMIIDDDCCAfSgAwIBAgIDAQAgMA0GCSqGSIb3DQEBBQUAMD4xCzAJ +BgNVBAYTAlBMMRswGQYDVQQKExJVbml6ZXRvIFNwLiB6IG8uby4xEjAQBgNVBAMTCUNlcnR1 +bSBDQTAeFw0wMjA2MTExMDQ2MzlaFw0yNzA2MTExMDQ2MzlaMD4xCzAJBgNVBAYTAlBMMRsw +GQYDVQQKExJVbml6ZXRvIFNwLiB6IG8uby4xEjAQBgNVBAMTCUNlcnR1bSBDQTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAM6xwS7TT3zNJc4YPk/EjG+AanPIW1H4m9LcuwBc +saD8dQPugfCI7iNS6eYVM42sLQnFdvkrOYCJ5JdLkKWoePhzQ3ukYbDYWMzhbGZ+nPMJXlVj +hNWo7/OxLjBos8Q82KxujZlakE403Daaj4GIULdtlkIJ89eVgw1BS7Bqa/j8D35in2fE7SZf +ECYPCE/wpFcozo+47UX2bu4lXapuOb7kky/ZR6By6/qmW6/KUz/iDsaWVhFu9+lmqSbYf5VT +7QqFiLpPKaVCjF62/IUgAKpoC6EahQGcxEZjgoi2IrHu/qpGWX7PNSzVttpd90gzFFS269lv +zs2I1qsb2pY7HVkCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOC +AQEAuI3O7+cUus/usESSbLQ5PqKEbq24IXfS1HeCh+YgQYHu4vgRt2PRFze+GXYkHAQaTOs9 +qmdvLdTN/mUxcMUbpgIKumB7bVjCmkn+YzILa+M6wKyrO7Do0wlRjBCDxjTgxSvgGrZgFCds +MneMvLJymM/NzD+5yCRCFNZX/OYmQ6kd5YCQzgNUKD73P9P4Te1qCjqTE5s7FCMTY5w/0Ycn +eeVMUeMBrYVdGjux1XMQpNPyvG5k9VpWkKjHDkx0Dy5xO/fIR/RpbxXyEV6DHpx8Uq79AtoS +qFlnGNu8cN2bsWntgM6JQEhqDjXKKWYVIZQs6GAqm4VKQPNriiTsBhYscwAAAAIAG3N3aXNz +c2lnbnBsYXRpbnVtZzJjYSBbamRrXQAAAVbCSM56AAVYLjUwOQAABcUwggXBMIIDqaADAgEC +AghOsgBnDANdTzANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dp +c3NTaWduIEFHMSMwIQYDVQQDExpTd2lzc1NpZ24gUGxhdGludW0gQ0EgLSBHMjAeFw0wNjEw +MjUwODM2MDBaFw0zNjEwMjUwODM2MDBaMEkxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lz +c1NpZ24gQUcxIzAhBgNVBAMTGlN3aXNzU2lnbiBQbGF0aW51bSBDQSAtIEcyMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyt+iAuLa+PwHFrHeYKrellxkH8cvfs9n+kRC1nZj +la7rr3IgikVHhmJ4htYgOSb0rqP9I+elnLUiIRm3N5MiwFCcgnvU1QREXMu0wp+SviTYe2ci +4mlf5QV41IfZcXAzJVO0hzspkCg2mlVEMGikg5d/DR6cdv8VnWCXAI2KhQPsgL7qLG4QUZLM +ftWjM9jWSd5YKq/2FutLe5Ayl7m6nVjx+FdJBB6iXQZw3XHb+d2LmhuMzz2jTc7LfPa7nKD6 +Cc4jYrLpDR/iciiPn6xoIH1vO6iFMQl/C8foZenjeA4JZzCLNIL7XeDMnYFtYu4IHgQsTpvs +/qlPX/1peO8JH6G0v/rz75AeTAWLHup6kXrD1+X7MLxsGxBYmPcaX9ApMgMTRk1haoVMUnQv +Bh97EeKEl8aZ821/12eDfhNo2HEoWtjO3egQFJr+bSOHbo5acDzVjQkAp6q8sDE3bciEFB5b +vUVjIGtLdIy92zoOwc9aFo+lmPJ2ibITEjsLd3esu+U8KUqScsphGiteTOKDdHf6NUh6hU2N +mlPE33jKl5FIK0UrAfccGqLtGLoKvYP6b7yNV5M71NSmzh7xoLHOq/0rKJpPG9fDctukxL9d +TPXde5Zp7miA5ueYuja3/m7tK70g+GUZ2lUJfiXc/mFicvl+GALvY7TQ+6/lO2OMZ48CAwEA +AaOBrDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUK/M +B4cVR284xbRl0d6VqunfnMwwHwYDVR0jBBgwFoAUUK/MB4cVR284xbRl0d6VqunfnMwwRgYD +VR0gBD8wPTA7BglghXQBWQEBAQEwLjAsBggrBgEFBQcCARYgaHR0cDovL3JlcG9zaXRvcnku +c3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIBAAiFpvUWDPxEGsFj4PlVRgj8cBxC +KJaOt8XBQXVOCXF55W2WykuliGDQMHS4ygjctDCeQAcWa2WVdwGupLc1C4HacRWpdBc4e1jK ++S/7wGV2jVsBuX3egj1kuL4UdKMKVNMslRgXNfVRaz+PopZhOXhrS+WmoPhT31EQk2LngC/i +0eC8jjZGdzPsuPuOmiyJTTERDyaeBLu3BI0L8rn8Wp07FrcvyJir/opQWS6jO/wpXYvBS8ni +ihMdsb+7Qh1S3U7YFF4QxjEH73En9xs5CdyC6ouzlYZe/fXaXTGm4DG2lOZESXTFFuX3HwNh +KMXIyxKgQkv5a4gIjbQyGPN1n8R/AE8FlZyjFwLDs1ObqiA5KStm+p2vXrOS0rWm4Rr5LUFp +gRS0tLXtiT3O+6mdNUJEsRwUc4HPKgE1mjHVLY9thN+ATVfjP8WEddqJxjC764/LIgigrqrx +A2w6S00JpQ5yxlZrIUJOIyUUaK52CnwMB3Bk+Zov9gU5JsYMjxl/Q15u9FsVL9thXeZnLz8I +lPlgtJgx2nTxhJNxTV/7YFjR+8TBbYmiuyAfnXGRyzKbEz0+fZJSNaySlKLTGMJ8x+qvdgUW +3Wcnwn4cByIh80AKGzQHRBPChGqO3xlav3/rHeIaONFcr0eSa4C1MKXJjdirMYEf38JmN9OT +qYWGeWXSAAAAAgAYY2h1bmdod2FlcGtpcm9vdGNhIFtqZGtdAAABVsJJ2VIABVguNTA5AAAF +tDCCBbAwggOYoAMCAQICEBXIvWVHXK+4lwBe5AbSvJ0wDQYJKoZIhvcNAQEFBQAwXjELMAkG +A1UEBhMCVFcxIzAhBgNVBAoMGkNodW5naHdhIFRlbGVjb20gQ28uLCBMdGQuMSowKAYDVQQL +DCFlUEtJIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQxMjIwMDIzMTI3WhcN +MzQxMjIwMDIzMTI3WjBeMQswCQYDVQQGEwJUVzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNv +bSBDby4sIEx0ZC4xKjAoBgNVBAsMIWVQS0kgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 +eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOElD+6N24gzdWfNrR99Ok5tndMv +FPNjdMsBIWo36oRQB0smWwlDbCGeasjVA/VgaY/M8CLkH+f3aiIxtywV8uD+AGpD/4dlxrUa +wadMbSJwIYox8pd0iQkSJhyeytkSopU82ulnvwigZOPWQrdF75f09vXXtUoVAlh9mFhLYLzN +1w2aEzNT0WH5etXXeLOaM/cAhs4dTZQ4r6jseFFwilwQg1Eh9xE9NIZe5UjNl4GCNUwZ7GX2 +a8UFoe5HE9azISeUEArZJDu6vkQTRjA/lzzY19dq7js44yvUlw65G+cHSX83Kvl3eM9U7VtG +naOADpFDwdZbXxS6n6aNJEdAWb9yOLI2bDf/mdFdDlkKq2n3wLIERXpUAK6+U/a15+H4PKMx +0qn+IVJkxaZn8HUHBpQUgVXGJ+QBjxfBanHXvkv7lFh9fhEzsUL3YmwY1s8JaD5/bPYej2Kt +pWPbCacfIkJBHm+Zij7X+T9AenmwpQGS0p09CBWlEAEtszJ2qJUNs3qa+wcQeBFv4Y/Hug8l +GnQq5RyYQZnfIYfolQZqCrNqR3Zl9jrPj2IXGXsKKM0a0oMeIccsv77/YWi3Zxu7eE2Nzmfl +5MGOtyNm4p2QdTSYqTYripqUuZ3szIqx+CWJXFq2L4wfbXkkp1Jow4Q14maNYw4lTdUZsuZ5 +N6cinVQxAgMBAAGjajBoMB0GA1UdDgQWBBQeDPe2Z/LhkiYJRcBVOS53P0JKojAMBgNVHRME +BTADAQH/MDkGBGcqBwAEMTAvMC0CAQAwCQYFKw4DAhoFADAHBgVnKgMAAAQURbDCxwpWfO5b +eAyV+RhTwaYc2BAwDQYJKoZIhvcNAQEFBQADggIBAAmzg1NZAT6VSbnxgbr5diAjtSdgdNRq +mTRebABT2Z/yprEkB0RqKsaljngS6EfZWBsTKl55m58KKmemJT8GaVZzw4pmSPspgVd0Bsqc +6ijoOGcmK/HVtT9lk/g2XY6NjUAghxnq7yfAPbQ5DyV7aFB0VZwMWX1aPUGUJVII4EcsFTEZ +1b8HVca7ErWX9F+DhbpxwdlsgRF2Cgqwv4KX9+o9+vrsLakolDtW3dJRLq7AvQgVjHdSNJbW +m6zTHY5hDzV7m645aQtiYEAgNo+v+zbuLQhKHbi/m1z46qUboHOm2Phu4DMEX2iqJ4ft2cGQ +nO2942o1r2PfqxjZuubpSupQig9hkx7iLRniMJQ1kl0OtgevGYCPR5BRSy5N3YXi0gpSChea +/BqwUALlAaNjNyFMRMSbUZkRDnOcBo9ULqcoXkQ5h1YtN72FRJThDEssnMOShTRhyw+4m0pD +Uv40On246SncdqnIMPgUcYDGHjZIdCJBXIeC6Bhxi0GJROd+WFuouI0T6adsw0ftsxqdYq6N +guqUnt1ZEMOt3eJN4zHVx+zo8rD+kh4WChr82fP4J7bJvh20bGSQf/TkxFvXN65CDt2kGm98 +iFTFFm7hemgu+Dq/DaQ8iTt4p05jgwQhCGeN8oJJ0Fv9sc0Pg4TUPiCF90o9K5z9KgoJTeqB ++BGcAAAAAgAXcXVvdmFkaXNyb290Y2EzZzMgW2pka10AAAFWwknI3wAFWC41MDkAAAVkMIIF +YDCCA0igAwIBAgIULvWbAiin23r/1aOp7r0DoM8Sah0wDQYJKoZIhvcNAQELBQAwSDELMAkG +A1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAcBgNVBAMTFVF1b1ZhZGlz +IFJvb3QgQ0EgMyBHMzAeFw0xMjAxMTIyMDI2MzJaFw00MjAxMTIyMDI2MzJaMEgxCzAJBgNV +BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBS +b290IENBIDMgRzMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCzyw4QZ47qFJen +MioKVjZ/aEzHs286IxSR/xl/pcqs7rN2nXrpixurazHb+gtTTK/FpRp5PIpM/6zfJd5O2YIy +C0TeytuMrKNuFoM7pmRLMon7FhY4futD4tN0SsJiCnMK3UmzV9KwCoWdcTzeo8vAMvMBOSBD +GzXRU7Ox7sWTaYI+FrUoRqHe6okJ7UO4BUaKhvVZR74bbwEhELn9qdIoyhA5CcoTNs+cra1A +dHkrAj80//ogaX3T7mH1urPnMNA3I4ZyYUUpSFlob3emLoG+B01vr87ERRORFHAGjx+f+Idp +sQ7vw4kZ6+ocYfx6bIrc1gMLnia6Et3UVDmrJqMz6nWB2i3ND0/kA9HvFZcba5DFApCTZgIh +sUfei5pKgLlVj7WiL8DWM2fafsSntARE60f75li59wzweyuxwHApw0BiLTtIadwjPEjrewl5 +qW3aqDCYz4ByA4imW0aucnl8CAMhZa634RylsSqiMd5mBPfAdOhx3v89WcyWJhKLhZVXGqtr +dQtEPREoPHtht+KPZ0/l7DxMYIBpVzgeAVuNVejH38DMdyM0SXV89pgR6y3e7UEuFAUCf+D+ +IOs15xGsIs5XPd7JMG0QA4XN8f+MFrXBsj6IbGB/kE+V9/YtrQE5BwT6dYB9v0lQ7e/JxHwc +64B+27bQ3RP+ydOc17KXqQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIBBjAdBgNVHQ4EFgQUxhfQvKjqAkPyGwaZXSuQILnXnOQwDQYJKoZIhvcNAQELBQADggIB +ADRh2Va1EodVTd2jNTFGu6QHcrxfYWLopfsLN7E8trP6KZ1/AvWkyaiTt3pxKGmPc+FSkNrV +vjrlt3ZqVoAh313m6Tqe5T72omnHKgqwGEfcIHB9UqM+WXzBusnIFUBhynLWcKzSt/Ac5IYp +8M7vaGPQtSCKFWGafoaYtMnCdvvMujAWzKNhxnQT5WvvoxXqA/4Ti2Tk08HS6IT7SdEQTXlm +66r99I0xHnAUrdzeZxNMgRVhvLfZkXdxGYFgu/BYpbWcC/ePIlUnwEsBbTuZDdQdm2NnL9Du +DcpmvJRPpq3t/O5jrFc/ZSXPsoaP0Aj/uHYUbt7lJ+yreLVTubY/6CD50qi+YUbKh4yE8/nx +oGibIh6BJpsQBJFxwAYf3KDTuVan45gtf4Od34wrnDKOMpTwATwiKp9Dwi7DmDkHOHv8XgBC +H/MyJnmDhPbl8MFREsALHgQjDFSlTC9JxUrRtm5gDWv8a4uFJGS3iQ6rJUdbPM9+Sb3H6QrG +2vd+DhcI00iX0HGS8A85PjRqHH3Y8iKuu2n0M7SmSFXRDw4m6Oy2Cy2nhTXN/VnIn9HNPlop +NLk9hM6xZdRZkZFWdSHBd575euFgndOtBBj0fOtek49TSiIp+EgrPk2GrFt/ywaZWWDYWGWV +jUTR939+J399roD1B0y2PpxxVJkES/1Y+Zj0AAAAAgAUcXVvdmFkaXNyb290Y2EgW2pka10A +AAFWwkmfoAAFWC41MDkAAAXUMIIF0DCCBLigAwIBAgIEOrZQizANBgkqhkiG9w0BAQUFADB/ +MQswCQYDVQQGEwJCTTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDElMCMGA1UECxMcUm9v +dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMlUXVvVmFkaXMgUm9vdCBDZXJ0 +aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMTAzMTkxODMzMzNaFw0yMTAzMTcxODMzMzNaMH8x +CzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMSUwIwYDVQQLExxSb290 +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYDVQQDEyVRdW9WYWRpcyBSb290IENlcnRp +ZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2G1 +lVO6V/z68mcLOhrfEYBklbTRvM16z/Ypli4kVEAkOPcahdxYTMukJ0KX0J+DisPkBgNbAKVR +HnAEdOLB1Dqr1607BxgFjv2DrOpm2RgbaIr1VxqYuvXtdj182d6UajtLF8HVj71lODqV0D1V +Nk7feVcxKh7YWWVJWCCYfqtffp/p1k3sg3Spx2zY7ilKhSoGFPlU5tPaZQeLYzcS19Dsw3sg +QUSj7cugF+FxZc4dZjH3dgEZyH0DWLaVSR2mEiboxgx24ONmy+pdpibu5cxfvWenAScOospU +xbF6lR1xHkopigPcakXBpBlebzbNw6Kwt/5cOOJSvPhEQ+aQuwIDAQABo4ICUjCCAk4wPQYI +KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwczovL29jc3AucXVvdmFkaXNvZmZzaG9y +ZS5jb20wDwYDVR0TAQH/BAUwAwEB/zCCARoGA1UdIASCAREwggENMIIBCQYJKwYBBAG+WAAB +MIH7MIHUBggrBgEFBQcCAjCBxxqBxFJlbGlhbmNlIG9uIHRoZSBRdW9WYWRpcyBSb290IENl +cnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4g +YXBwbGljYWJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRp +ZmljYXRpb24gcHJhY3RpY2VzLCBhbmQgdGhlIFF1b1ZhZGlzIENlcnRpZmljYXRlIFBvbGlj +eS4wIgYIKwYBBQUHAgEWFmh0dHA6Ly93d3cucXVvdmFkaXMuYm0wHQYDVR0OBBYEFItLbe3T +KbkGGew5Oanwl4Rqy+/fMIGuBgNVHSMEgaYwgaOAFItLbe3TKbkGGew5Oanwl4Rqy+/foYGE +pIGBMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMSUwIwYDVQQL +ExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYDVQQDEyVRdW9WYWRpcyBSb290 +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggQ6tlCLMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG +9w0BAQUFAAOCAQEAitQUtf70mpKnGdSkfnIYj9lofFIk3WdvOXrEql494liwTXCYhGHoG+Np +GA7O+0dQoE7/8CQfvbLO9Sf87C9TqnN7Az10buYWnuulLsS/VidQK2K6vkscPFVcQR0kvoIg +R13VRH56FmjffU1RcHhXHTMe/QKZnAzNCgVPx7uOpHX6Sm2xgI4JVrmcGmD+XcHXetwReNDW +XcG31a0ymQM6isxUJTkxgXsTIlG6Rmyhu576BGxJJnSP0nPrzDCi5upZIof4l/UO/erMkqQW +xFIY6iHOsfHmhIHluqmGKPJDWl0Snawe2ajlCmqnf6CHKc/yiU3U7MXi5nrQNiOKSnQ2+QAA +AAIAFmFkZHRydXN0Y2xhc3MxY2EgW2pka10AAAFWwkj9XAAFWC41MDkAAAQcMIIEGDCCAwCg +AwIBAgIBATANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1 +c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYDVQQDExhBZGRUcnVz +dCBDbGFzcyAxIENBIFJvb3QwHhcNMDAwNTMwMTAzODMxWhcNMjAwNTMwMTAzODMxWjBlMQsw +CQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRU +UCBOZXR3b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCWltQhSWDia+hBBwzexODcEyPNwTXH+9ZOEQpnXvUG +W2ulCDtbKRY654eyNAbFvAWlA3yCyykQruGIgb3WntP+LVbBFc7jJp0VLhD7Bo8wBN6ntGO0 +/7Gcrjyvd7ZWxbWroulpOj0OM3kyP3CCkplhbY0wCI9xP6ZIVxn4JdxLZlyldI+Yrsj5wAYi +56xz36Uu+1LcsRVlIPo1Zmne3yzxbrww2ywkEtvrNTVokMsAsJchPXQhI2U0K7t4WaPW4XY5 +mqRJjox0r26kmqPZm9I4XJuiGMx1I4S+6+JNM3GOGvDC+Mcdoq0Dlyz4zyXG9rgkMbFjXZJ/ +Y/AlyVMuH79NAgMBAAGjgdIwgc8wHQYDVR0OBBYEFJWxtPCUtr3H2tERCSG+wa9J/RB7MAsG +A1UdDwQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MIGPBgNVHSMEgYcwgYSAFJWxtPCUtr3H2tER +CSG+wa9J/RB7oWmkZzBlMQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAb +BgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAx +IENBIFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBACxtZBsfzQ3duQH6lmM0MkhHma6X7f1y +FqZzR1r0693p9db7RcwpiURdv0Y5PejuvE1Uhh4dbOMXJ0PhiVYrqW9yTkkz43J8KiOavD7/ +KCrto/8cI7pDVwlnTUtiBi34/2ydYB7YHEt9tTEv2dB8Xfjea4MYeDdXL+gzB2ffHsdrKpV2 +ro9Xo/D0UrSpUwjP4E/TelOL/bscVjby/rK25Xa71SJlpz/+0WatC7xrmYbvP33zGDLKe8bj +q2RGlfgmadlVg3sslgf/WSxEo8bl6ancoWOAWiFeIc9TVPC6b4nbqKqVz4vjccweGyBECMB6 +tkD9xOQ14R0WHNC8K47WcdkAAAACACNkaWdpY2VydGhpZ2hhc3N1cmFuY2VldnJvb3RjYSBb +amRrXQAAAVbCSRVuAAVYLjUwOQAAA8kwggPFMIICraADAgECAhACrFwmagtAm48LefKuRiV3 +MA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMx +GTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2ggQXNz +dXJhbmNlIEVWIFJvb3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBsMQsw +CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl +cnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBFViBSb290IENBMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/lgT/JzSVJtnEq +w9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC90qlUxI47vNJbXGRfmO2 +q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ceg1v01yCT2+OjhQW3cxG42zxyRF +mqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNc +oXHTWnxV215k4TeHMFYE5RG0KYAS8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6H +XRpQCyASzEG7bgtROLhLywIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUw +AwEB/zAdBgNVHQ4EFgQUsT7DaQP4v0cB1JgmGggC72NkK8MwHwYDVR0jBBgwFoAUsT7DaQP4 +v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQEFBQADggEBABwaBpfc15yfPIhmBghXIdshR/gq +Z6q/GDJ2QBBXwYrzetkRZY41+p78RbWe2UwxS7iR6EMsjrN4ztvjU3lx1uUhlAHaVYeaJGT2 +imbM3pw3zag0sWmbI8ieeCIrcEPjVUcxYRnvWMWFL04w9qAxFiPI5+JlFjPLvxoboD34yl6L +MYtgCIktDAZcUrfE+QqY0RVfnxK+fDZjOL1EpH/kJisKxJdpDemM4sAQV7jIdhKRVfJIadi8 +KgJbD0TUIDHb9LpwJl2QYJ68SxcJL7TLHkNoyQcnwdJc9+ohuWgSnDycv578gFybY83sR6ol +J2egN/MAgn1U16n46S4To3foH0oAAAACABdxdW92YWRpc3Jvb3RjYTFnMyBbamRrXQAAAVbC +SeLKAAVYLjUwOQAABWQwggVgMIIDSKADAgECAhR4WF8urSwZS+M3BzU0Eyi1ltRlkzANBgkq +hkiG9w0BAQsFADBIMQswCQYDVQQGEwJCTTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEe +MBwGA1UEAxMVUXVvVmFkaXMgUm9vdCBDQSAxIEczMB4XDTEyMDExMjE3Mjc0NFoXDTQyMDEx +MjE3Mjc0NFowSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc +BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMSBHMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC +AgoCggIBAKC+UBCO6fJsQLQEnIW5McrcLeQRqQQ8G1XB51gwHSS0w++F3ows4cE934LmT61H +h2zsW0nBStW7j+yHrH+CmobsPQOZUgHSNZ6s2vBTyWY81KwCAdok0zuoAkavpBzj+HNYdrf2 +DpANtfDPzPr5xkzlw4YwCo0XfjXrxd+7DpzAjYfjiDiFZ/o+x6vgE5wFGJjPk/WxkrT8I9PP +1cQnSeCePJsIo4tdKiHg/DmqU9p9fs8aCVO8XQUEz6FKj4t2gg2h+NLHFHdbkDYHgZs+BvpS +XmPFpgD+pelSG1K1kjlyAwlivbBgFm6m3SXCA2bd8wTRQOJOi4b0b+WDoCeEXgTB9ZC9MD3E +76hpvDibpKSW0WLaacABlq7LxFE06gyq/yGOWY9KXORhmqfS6Sp4jVE9OhXuolmOqVzexfmQ +IuWIRXHdkZlsep89PZh8Xva+FmigXq4LI/xaD6oidi3JoRAd5NNEI5CIn8Yq5tf1mrNYHi8w +iQgbVKK1mCPsCHcclV1h0cuJnF+iSpGa7yGqSRYIqL1hKDHJdK2F9tnFsYvR5RAyTV+LIDo8 +SR8zhVkN28sJdUNpc/trcX3w38RMfcajLsiVectzoo5OTST7XuQEvnIbpictSVqZetdcCSC3 +f5S5T/ENHF6IQhsRt+eR255s9GrfjAaYA63MKO+lR/NTAgMBAAGjQjBAMA8GA1UdEwEB/wQF +MAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSjl9bzXqIQ4atFnzwXZDzuAXCczDAN +BgkqhkiG9w0BAQsFAAOCAgEAGPpbdfw+esdfd8fK389fwxLEQF3UMqq4atfVFRVGmCOl5pBb +GJlM461Co4IxNojN6fvEBJZIiwHHjQHPWzMGlkZmdB1P7cG2ubQNYcxjftcud4yWHCojaGuF +V3ZwMxP+4U+mI3cY+hqM6L1lyc8/9MkX3OvHvMAELi1GL2lmwxuP/uw+08qUv3YKJQ2pewIc +qdA7XwvAgTo9ZOG/py1OvU3E2CnGIhjQxaxyAoI/qjqiOiKXMd0IY8N1FLlgKC1baOAWqWaC +I1H161PYMZt76bedS+uIFs/5XTiKSTCP7fHrGfR3GjEYTWdUbC9vZfnbPewh7F709IvKYGVU +0XFk9Pmmo4EzNjNx8KR4X06tgyHeNEmN6FmsnfJ2WjbyE/Sv4AnHYSps9+CdrruGSihvLu60 +ec2QM8Ozdvr18GydAZD6npD2nHLPR9rDH+Q1IFPyVNHfYYOmAuIlON6FMi1ec5BSXULEzj1L +4fkZhB3VolDMQftBFMO91slao2NmAoC9BTo7R5zsACZM9YhRv6gjfxgHsAvtiyahZNNhSutc +n96zr2cDsx/dbV1paGmrXjrsfGm8xzuFTp4VubQVT8OVeljXyWzpbLnzKWNetCzwLT3tWmXg +qVtAwkiZgW2eHwYqPBK0iw+boiTwpo3WeuBLtmSWY5WEwkrNHC4khzNg5cMAAAACAB1jZXJ0 +cGx1c2NsYXNzMnByaW1hcnljYSBbamRrXQAAAVbCSYPHAAVYLjUwOQAAA5YwggOSMIICeqAD +AgECAhEAhb1L89ja42n2lNdfw6VEIzANBgkqhkiG9w0BAQUFADA9MQswCQYDVQQGEwJGUjER +MA8GA1UEChMIQ2VydHBsdXMxGzAZBgNVBAMTEkNsYXNzIDIgUHJpbWFyeSBDQTAeFw05OTA3 +MDcxNzA1MDBaFw0xOTA3MDYyMzU5NTlaMD0xCzAJBgNVBAYTAkZSMREwDwYDVQQKEwhDZXJ0 +cGx1czEbMBkGA1UEAxMSQ2xhc3MgMiBQcmltYXJ5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA3FCW0BL4NdIIeHq2UnD9b+7PuRHLXXfh7Ol+BI3WzG9zQ1dgrDMKROwD +XxyAJJHlqJFWEoL34Cv0265hLokQjWtsurMCvdU2xUg3I+LwWjdSMxcS4tFgTb4vQRHj9hcl +DIuRwBuZe5lWDa/u0rxHV+N5SXs0iSckhN6x7OlYTv5O31q+Qa2sCMUYDu/SU+5s0J0SARON +3IBi95WpRIhKcU5gVZ7bIxl5VgcMP2MLXLDivn4V/JQzWEE4dMThj4vfJqwftYs7t0NZa7Ak +pm2Qi8Ry6l0zmLfL3l5775TxGz7KySHBxZgCqqL2W3eb9X6WVTQcZ2nA8ULjR6z8KBxmVQID +AQABo4GMMIGJMA8GA1UdEwQIMAYBAf8CAQowCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBTjcy3f +yw4oDN7ds6TKebiOu+gwiTARBglghkgBhvhCAQEEBAMCAQYwNwYDVR0fBDAwLjAsoCqgKIYm +aHR0cDovL3d3dy5jZXJ0cGx1cy5jb20vQ1JML2NsYXNzMi5jcmwwDQYJKoZIhvcNAQEFBQAD +ggEBAKdUz4hEGcvf1H8A31YzYrX3UQGQ68M/0YhE6SRd7+cUvSC3mjwA/m2f25Dc1/Ri1otw +XeflBEipaHzJ8ULzbH/FenwdUYi60go+J13eLVFO0xNkaeQu49PnmwmZpuCVm84a13++PM5S +sxEVwQ8XzQO7nCUVuqJ2ifwG8RjQk0sOfIK3pfT2X/7tQKadhHQ5udwehRbaKRuGIwDJu4l+ +boCIHi8UtAMkqDJvA5pHLDC+VsanQgJwG+pA2LoFA3AHpJb//UgzCuHcpYGQm03dfefnss1c +yGqV+KX2jcRdeAi+ewbWSc8ZNlAjLgjmngVNRxjVFumx1rYQ1buXv6KOtFQAAAACABBhb2xy +b290Y2ExIFtqZGtdAAABVsJJt/MABVguNTA5AAADqDCCA6QwggKMoAMCAQICAQEwDQYJKoZI +hvcNAQEFBQAwYzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0FtZXJpY2EgT25saW5lIEluYy4x +NjA0BgNVBAMTLUFtZXJpY2EgT25saW5lIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg +MTAeFw0wMjA1MjgwNjAwMDBaFw0zNzExMTkyMDQzMDBaMGMxCzAJBgNVBAYTAlVTMRwwGgYD +VQQKExNBbWVyaWNhIE9ubGluZSBJbmMuMTYwNAYDVQQDEy1BbWVyaWNhIE9ubGluZSBSb290 +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCoL+ikaQYDR8PpKpj/GaJwmsZQsn6l32hNG3wPtpdofS2mi5fpZIbJo++ghr9gZZxL +VIjCSMVKOb8U41lV5Rm0dMi0BTlcFqXilQXgEq5Zi6IzaFgcptQVt9if19xxq36av5uOMw8i +/R8u5wc272I5xd3LuiUUI94Mxj08zoII5mY+2lE7FjqjBX+g3IfVnPxyqaB9eOS3MVUeZbvU +YbAhYO0QMnLFkiUe+JBKGHhH334wNz5QG9sc02uahlMHsO+sBnj4hJn+IY1MgLYMgvZmcHka +00+jz/HPRrBLDz7diGK4jKkJKDt6x5fhHuX0n8DAriSgyKHZD9Z7JoJpMj2nAgMBAAGjYzBh +MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFACt2aP2efZudKl/Mz2BF9dMzzPeMB8GA1Ud +IwQYMBaAFACt2aP2efZudKl/Mz2BF9dMzzPeMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B +AQUFAAOCAQEAfIrRHxg3guC4sKPtVpXIYmGcBaLNwmImYc0QFtfMtGU00BGKraipBWbvdPNt +X52Zr/aL++tSsgWYom8qxVS9Jb1frsiG6kYswbO9welJcBgWlwgTjCDgGy46R8se5AAwlVv0 +RaPAGrABTqu9wCNuYz+ASsUH7dzib8fBYvHjctYEyHRnC/qIq6EByG/wFK/Smc1Rk37tLjjH +vc5GUD1y43klnZuIKxAg3aW4Mp+N4CnfIXSGgtsvgjDGxzWGs/mWX0bbDEX981DDb8bDSK1G +puEnRwodDpu2wnd/Y/LgfRq+/ODf18enbLD5rro8/XS0EehYDYC806iAOpntdcxGewAAAAIA +EWNvbW9kb3JzYWNhIFtqZGtdAAABVsJIyGkABVguNTA5AAAF3DCCBdgwggPAoAMCAQICEEyq ++crbY2/gH/dO2FsDhp0wDQYJKoZIhvcNAQEMBQAwgYUxCzAJBgNVBAYTAkdCMRswGQYDVQQI +ExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9E +TyBDQSBMaW1pdGVkMSswKQYDVQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24gQXV0aG9y +aXR5MB4XDTEwMDExOTAwMDAwMFoXDTM4MDExODIzNTk1OVowgYUxCzAJBgNVBAYTAkdCMRsw +GQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoT +EUNPTU9ETyBDQSBMaW1pdGVkMSswKQYDVQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24g +QXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkehUktIKVrGsDSTd +xc9EZ3SZKzejfSNwAHG8U9/E+ioSj0t/EFa9n3Byt2F/yUsPF6c947AEYe7/EZfH9IY+Cvo+ +XPmT5jR62RRr55yzhaCCenavcZDX7P0N+pxs+t+wgvQUfvm+xKYvT3+Zf7X8Z0NyvQwA1onr +ayzT7Y+YHBSrfuXjbvzYqOSSJNpDa2K4Vf3qwbxstovzDo2a5JtsaZn4eEgwRdWt4Q08RWD8 +MpZRJ7xnw8outmvqRsfHIKCxH2XeSAi6pE6p8oNGN4Tr6MyBSENnTnIqm1y9TBsoilwie7Sr +mNnu4FGDwwlGTm0+mfqVF9p8M1dBPI1R7Qu2XK8sYxrfV8g/vOldxJuvRZnio1oktLqpVj3P +b6r/SVi+8Kj/9Lit6Tf7urj0Czr56ENCHonYhMsT8dm74YlguIwoVqwUHZwK53Hrzw7dPamW +oUi9PPevtQ0iTMARgexWO/bTouJbt7IEIlKVgJNp6I5MZfGRAy1wdALqi2cVKWlSArvX31Bq +VUa/oKMoYX9w0MOiqiwhqkfOKJwGRXa/ghgntNWutMtQ5mv0TIZxMOmm3xaG4Nj/QN370EKI +f6MzOi5cHkERgWPOGHFrK+ymircxXDpqR+DDeVnWIBqv8mqYqnK8V0rSS527EPywTEHl7R09 +XiidnMy/s1Hap0flhFMCAwEAAaNCMEAwHQYDVR0OBBYEFLuvfgI9+qbxPISOre44mOzZMjLU +MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4ICAQAK +8dVGhLeuUbtssk1BFACTTJzL5cBUz6AljgL5/bCiDfUgmDwTLaxWorDWfhGS6S66ni6acrG9 +GURsYTWimrQWEmlajOHXPqQa6C8D9K5hHRAbKqSLesX+BabhwNbI/p6ujyu6PZn42HMJWEZu +ppz01yfTldo3g3Ic03PgokeZAzhd1Ul5ACkcx+ybIBwHJGlXeLI5/DqEoLWcfI2/LpNiJ7c5 +2hcYrr08CWj/hJs81dYLA+NXnhT30etPyL2HI7e2SUN5hVy665ILocboaKhMFrEamQroUyyS +u6EJGHUMZah7yyO3GsIohcMb/9ArYu+kewmRmGeMFAHNaAZqYyF1A4CIim6BxoXyqaQt5/Sl +JBBHg8rN9I15WLEGm+caKtmdAdeUfe0DSsrw2+ipAT71VpnJHo5JPbvlCbngT0mSPRaCQMzM +WcbmOu0SLmk8bJWx/aode3+Gvh4OMkb7+xOPdX9Mi0tGY/4ANEBwwcO5od2mcOIEs0G86YCR +6mSceuEiA6mcbm8OZU9sh4de826g+XWlm0DoU7InnUq5wHchjf+H8t68jO8X37dJC9HybjAL +Gg5Odu0R/PXpVrJ9v8dtCpOMpdDAth2+Ok6UotdubAvCinz6IPPE5OXNDajLkZKxfIXstRRp +Zg6C583OyC2mUX8hwTVThQZKXZ+tuxtfdAAAAAIAFWtleW5lY3Rpc3Jvb3RjYSBbamRrXQAA +AVbCSa4jAAVYLjUwOQAAA+kwggPlMIICzaADAgECAhIRIbwnbFVHr1hO79TO1imyooUwDQYJ +KoZIhvcNAQELBQAwTDELMAkGA1UEBhMCRlIxEjAQBgNVBAoTCUtFWU5FQ1RJUzENMAsGA1UE +CxMEUk9PVDEaMBgGA1UEAxMRS0VZTkVDVElTIFJPT1QgQ0EwHhcNMDkwNTI2MDAwMDAwWhcN +MjAwNTI2MDAwMDAwWjBMMQswCQYDVQQGEwJGUjESMBAGA1UEChMJS0VZTkVDVElTMQ0wCwYD +VQQLEwRST09UMRowGAYDVQQDExFLRVlORUNUSVMgUk9PVCBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMb9sxeFoa0mG5VpNSE9pIj63ttgNkAXacIUY/u42cJ0FTcunNAg +zWmNhDKihUwUtJvyJbNUKoM/Lb4P8ztk0f+gUO93TztO4T8LZIWaulh+0sNi02QlotSylzx3 +XWMqM5L8zYINm1SVh/W164zNW9HKMC/JiEa1zQ0RtBiP7tGhPl0V6CjP38OQm2zM0QxFd7M6 +64qQHemvZGqJe6k9Q3T65GciofvcTcT1YsnKJbTJgGAzqd17oAK/liUKXslfKXu0F4GLbYEZ +0NmDXAWPQWkaaUOAn6iv4OmMkYsnK6ImYM0P8qSjAoOOGIHCF4pDFflt8x0QpFqcRGEjIXrY ++9ECAwEAAaOBwDCBvTASBgNVHRMBAf8ECDAGAQH/AgEEMA4GA1UdDwEB/wQEAwIBBjBXBgNV +HR8EUDBOMEygSqBIhkZodHRwOi8vdHJ1c3RjZW50ZXItY3JsLmNlcnRpZmljYXQyLmNvbS9L +ZXluZWN0aXMvS0VZTkVDVElTX1JPT1RfQ0EuY3JsMB0GA1UdDgQWBBTvtyOX0KiRf6bPpiHA +NJ/Md0Hh0DAfBgNVHSMEGDAWgBTvtyOX0KiRf6bPpiHANJ/Md0Hh0DANBgkqhkiG9w0BAQsF +AAOCAQEAGjFpmULC5UCFop+Sw2PUjyE5qBkh/nr8w01A8yvoS6xbTFmTxtx+C698X5WFa73H +b7rBvvjGOmdLk8YFaT4kLfAbkcY+P+xCGJNsAySKbvkgZyt8bas0ySoiMw3XfY/u0jZkQsg1 +mm4ZYcuNZ/Bop9AkBebDF7pFrnxDtYB4A00gcwX8QxCdNWlCdZQlgiumO5AY3sGpr/Mtlb+V +p88Yl+FZ4qKvGhZhDfcTcVOTN/08rwAdbIsUr0aWjLZSfMwtTs3h6UsK7pr+epjnKbob2hy6 +3GvNBA4mQKnrczz+UKgRJ1W9245L708Y7RX/vYaYZu6aJXE0bFDxslHLZp1NKQAAAAIAFWJ1 +eXBhc3NjbGFzczJjYSBbamRrXQAAAVbCSTesAAVYLjUwOQAABV0wggVZMIIDQaADAgECAgEC +MA0GCSqGSIb3DQEBCwUAME4xCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRCdXlwYXNzIEFTLTk4 +MzE2MzMyNzEgMB4GA1UEAwwXQnV5cGFzcyBDbGFzcyAyIFJvb3QgQ0EwHhcNMTAxMDI2MDgz +ODAzWhcNNDAxMDI2MDgzODAzWjBOMQswCQYDVQQGEwJOTzEdMBsGA1UECgwUQnV5cGFzcyBB +Uy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3MgQ2xhc3MgMiBSb290IENBMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA18de98EH1Hf7QyH09PVp5O4yAdujhh/kWQ2653WD +UuvqHGEVSLsdB8qMrrDclp3qw2CShoIoc5xWBv9LZPAMKjdJteXPDHzu8Uq7czBl89Uvg7Z+ +4+f1nqtg+dPxnZJ0iuQclqxbgOm19DGHo1H8x36hb45Td9SXwVUzkj4YL3XUrYZJy5WvVAZs +2AYTjVv/4SYZWcAkuoFxeZBEUGgklF+4sxHxKUFho0HLIzbVwfEyUBBOf/SGk+yE0468S79c +AU4HPdwUipQKpOpz+wtR6BMHGPoO8SvRVBV9POH3tBlCZ2Jed+CiVey22WkX1TqvRO1KxZ7k +eid85XXXqssl599rCtsPTZNOqKDNey7yWQFqtw24B4F+izgbOOYKV5k97iHoo/UMFt2L7DSO +nCocABUXjWiD0nCfGAjNEWjVyWtSzcRGj9y189hXcx7plDkEv9PeON60U+xpHKJ+xI/kG3Ct +8qL5+/cWZGZpn0lRouIVGGcGSn/VbLVNszPgYetdvumYDzLXHUs8LloBUpEJ8t/qjdgGQGOq +EeT+wzeeFFI/9OLM8mGT0f1na9dSrr9oq0BDoFc1U3jwU/hhQgdkxtdvm0w4DWOsYq82i6Jz +Cg31Ib10qk3qcgNJ28dfHWJjx/3dkewz7vVttG4waN7I1iawdV57tAcgmKF2MrhNbE8CAwEA +AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUyYB34GKSgvVGnPO690zD3rijrTkw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQBTXyH1urA6UjkskrBsAMnvziDv +BvKWnumkdH96Fvy39bb7FRs/q6bAcl0QsXHuvE/jrawDbS5xLq/E462jvQwRp7T/SrJ7EBAf +p1dBssCu9CxZ1kcQiPMhUSkwymCGr0arHe06W7CU3kTjQQiiwewd1v1PttZH0BQLyubKtXt3 +fkEfXoPHtow5lrA/loFBb2CQ4uj5+yJx2X2zPUa/tISvkBwPjxJqr+/uHnquAkqKFyt2/qxU +iSQsTz+2sqdOjKiRl/spxntcLbnLZra3qFsSUYW1CX5ieHD+qWpgth0OeQz9yuokgHLDlz/y +d6tDIgrH67YMhIIsgGtBigjA66Vr35kSy4rVXoAMkeAmCDZIxfo4ETX/JYMt8nq/2v2O/qXL +RSwfxIhTrncO2Zp2xY4sHaO61ewyrsCqrPfRek3r1AfiSPcijrCkn2rOjrKyYPSjItAj65Ra +emndD79AV6xrWVDZo5nhbv6NAXknIxXekp17CU1a50tIMFoY5gpt5o/g0rvm33xuIYLBaDlN +tJhYZmLMSpBew/onBLF5FXSZzL6tIN4mYBzrVlGmo+rkoz+n/2Hc8VpNbDIjQ+6sqO7uShIJ +PF1xwr55+sKHaB0L/VxpzAbQmn1UmSrJORoZr0sqQ/NjXVpY4i/jHeSp1tAK0J6/14EJ8cnH +Jg2smBZWoAAAAAIAFHNlY29tc2Nyb290Y2EyIFtqZGtdAAABVsJJcO4ABVguNTA5AAADezCC +A3cwggJfoAMCAQICAQAwDQYJKoZIhvcNAQELBQAwXTELMAkGA1UEBhMCSlAxJTAjBgNVBAoT +HFNFQ09NIFRydXN0IFN5c3RlbXMgQ08uLExURC4xJzAlBgNVBAsTHlNlY3VyaXR5IENvbW11 +bmljYXRpb24gUm9vdENBMjAeFw0wOTA1MjkwNTAwMzlaFw0yOTA1MjkwNTAwMzlaMF0xCzAJ +BgNVBAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScwJQYD +VQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTIwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDQFTlSsVKzusVZgsRdUq46Q2WAS8fylrzbNpfWpmSMqF7w4woc99+X +PUuu9l3sIbVBq825fnafvvk+NjSgO8H2MRFFdJM9V4DF+YmZyuWratS12kGQEMHW1kKJwr/0 +OBKVTFQF9zbkRYN7FGXW3AxN0d5+DKs7xBW+OlamWm92aVKpernI62qaXVLQLQprNRYJEITQ +aso6BgA3R+R+V08/i+tnuIiqxb5TVbKRxH25sIUZBngu22Ea+oX1SpGh5xbVjqI535S4cB8o +P4v8QF5jgzyDKhqZa8/eWWo7/G8W1x/9ShDrToIWOqwnDFPxrdUksGsDUMEtPBbdRDQnGnX7 +AgMBAAGjQjBAMB0GA1UdDgQWBBQKhal3ZQWYfECB+A+XLDjxCuw8zzAOBgNVHQ8BAf8EBAMC +AQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEATDqjRKy5RbHHk37ICwpC +32TqHO5ZbAi6iV9qykqVnnqPB8XaRXKCcQ460sxvp7ShI7v2JJ/LF/6Mps7C0tvMjfxx/AMp +wWxdM19ktmU7iW8Ydnj13KJIHxk/jpPr8foX7s1O4wQSVdbl5N37PgV84h1exqe8l09oOvXp +LgpDtq9XXGJofLf9o4qEoKxivisJhzTwagG7mylWPP4AN88jbPFOqrZ0RhJske401eyakedE +vpAxctVJAvYC5fQf63zZllWp/+yK+ZlH/zVaAqoEy4pbh3Epkb2ktHoNvZr1VyMAByEXP0o5 +0QVJC6e2N4GlXYyqM16BKHynfSfrAK6NNwAAAAIACm9sZGFhaXJvb3QAAAFi32KkWwAFWC41 +MDkAAAZFMIIGQTCCBCmgAwIBAgIJANSi/bsXEOI5MA0GCSqGSIb3DQEBCwUAMIG9MQswCQYD +VQQGEwJVUzELMAkGA1UECAwCTkoxEzARBgNVBAcMCkJlZG1pbnN0ZXIxEjAQBgNVBAoMCU9w +ZW5FQ09NUDETMBEGA1UECwwKc2ltcGxlZGVtbzE6MDgGA1UEAwwxT3BlbkVDT01QIHNpbXBs +ZWRlbW8gUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEnMCUGCSqGSIb3DQEJARYYc2lt +cGxlZGVtb0BvcGVuZWNvbXAub3JnMB4XDTE2MTEyODIxMTQyNVoXDTI2MTEyNjIxMTQyNVow +gb0xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOSjETMBEGA1UEBwwKQmVkbWluc3RlcjESMBAG +A1UECgwJT3BlbkVDT01QMRMwEQYDVQQLDApzaW1wbGVkZW1vMTowOAYDVQQDDDFPcGVuRUNP +TVAgc2ltcGxlZGVtbyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MScwJQYJKoZIhvcN +AQkBFhhzaW1wbGVkZW1vQG9wZW5lY29tcC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw +ggIKAoICAQDLgdDTCZX5xlMFIo+tjj5DItAwbutQE3NMchx/CRIuYwRCBOEO0yOsAdnZAuhe +Yrjv/Dw4wKNzcvtIlYbfiPsGWVvx5j6+xoGBLLwIOnDyzD2B62uCvMs947MAuiqpPojPwDDb +9fF5EIhlC+cBzSYKm7D5ihYxmUCnh9yHIPEMq0IoVj2illlKeCTLW+bZKeaKoWdkFxyyzykO +oMFgZTUm01EhDIt1DHTve675Qq80UgzrZdSK6Zjv3wLV7tkJSGmCkbUELpxsTLKYuaGUkE0m +5n3SMUcvBDa6WNQpWlUbZlTwWotOrxfNGib3nGiqyCmQXrVvuuBDzmZifZaJpBGiiGiOxp0j +79E/OZkfk/9V3Hvfy78Ss9H5uhf/ACGKsUq9nN25u+Wpz7EzAQm/OBubBrBCMP/8pm+y1jCf +Q6Bwd0Nm48KrJkTeySkferISNmpQZ2dyZXQVXMarbRfagQ6XdJw6EVnDwydVzb5LAqam3JUX +jsHIj7Gv2DmXwJtwV+cnKB/OxRsP/JWwlyC9pFGy17HWc7EwPqXm1UNdDM36UaoBDzsh3DcI +vg5+BOOtYPmiZ2+CMD2JxAXmtCMAmQA1mSsW7beTuHKy+7EdCAWcregE60PE3w2lG8n50YSX +b0WZ2IaQUsBhhpZmu6VVTEcoi5eMglI6QyO21y0oKPYWPQIDAQABo0IwQDAPBgNVHRMBAf8E +BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUmmQFQD3oWZUOVE81Qc9WSfcyqwww +DQYJKoZIhvcNAQELBQADggIBAE1ArwZwMVVJe1Pjp1R9+Q766Qhzh4EN9RFCsktCcf4pB23l +PtFhMhIZJP5eZKLB4MUIvtmleU+DmOWfjcEcgauMrc9Ihacra+IRJsr4JQjQSDHoEgl/yR6V +Ud9vbGH66ElIg9nP7XWAE6h5DTAxA8X1qyUOVGsKAps2uhBwNtl8RdX6GrZahkSOUMOq3H4w +yEEPQlpU2AewZqOUp0vdbQ/is6cbJh6dgxFrSzBti/MKj/EPM6yJwlO+RfGlJmEI7J7bLEYI +eNssLnv6FGiOgyWQ+gmwVK827F4Jwoght2BCcNsG/oPkAPbdw4yRIyi92QSWMEBKibECypQE +a1DYvfHWGQLQifGzFuJTOca9vgu2B/BQ+0Ii4DqMS8hc2rw1CAD5zHAT/BIgAKM6ygL5Oyvr +j8AQLgOkjhFh0HFKneh4j7wBtibpmDnBoSv227PAtdytCoRgivjhmF5BRyx7BswcTEtZHWHx +D/i2wlMEGNqGbcRmCCy9hhCxitAz70aq3Y/pC46n7w5bOmvJAp9D+WmTJ9PdpDjiwCXCkMD3 +QaTuUV1W3Zr4mLLj6gRLb6ycgDrsqXnY6/JB/AOdgxFK9q1vjhm02FAABIa+kL10CKPuRdlE +/GsWl03WKMeT5bY3MTO3odsNXhKWA19hwUAp0gnljuFHPX7jWwruZ1eD8mQvAAAAAgARZW50 +cnVzdGV2Y2EgW2pka10AAAFWwkjuQgAFWC41MDkAAASVMIIEkTCCA3mgAwIBAgIERWtQVDAN +BgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4x +OTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVy +ZW5jZTEfMB0GA1UECxMWKGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVz +dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0MloXDTI2MTEy +NzIwNTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMTkwNwYD +VQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSByZWZlcmVuY2Ux +HzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNVBAMTJEVudHJ1c3QgUm9v +dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALaVtkNC+sZtKm9I35RMOVcF7sN5EUFoNu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWI +sMn/MYszA9u3g3s+IIRe7bJWKKf44LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQ +gFA/CYqEAOwwCj0Yzfv9KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KK +jbHjKYD+JXGIrb68j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+ +5pPi94DkZfs0Nw4pgHBNrziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOBsDCB +rTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAigA8yMDA2MTEy +NzIwMjM0MlqBDzIwMjYxMTI3MjA1MzQyWjAfBgNVHSMEGDAWgBRokORnpKZTgMeGZqTx90tD ++4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DHhmak8fdLQ/uEvW0wHQYJKoZIhvZ9B0EABBAwDhsI +VjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUAA4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8Zynty +TtSx29CW+1RaGSwMCPeyvIWonX9tO1KzKtvn1ISMY/YPyyYBkVBs9F8U4pN0wBOeMDpQ47Rg +xRzwIkSNcUesyBrJ6ZuaAGAT/3B+XxFNSRuzFVJ7yVTav52Vr2ua2J7p8eRDjeIRRDq/r72D +QnNSi6q7pynP9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTSW3iDVuycNsMm4hH2Z0kdkquM +++v/eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0tHuu2guQOHXvgR1m0vdX +cDazv/wor3ElhVsT/h5/WrQ8AAAAAgAYdmVyaXNpZ25jbGFzczNnM2NhIFtqZGtdAAABVsJJ +W+wABVguNTA5AAAEHjCCBBowggMCAhEAm34GSaM+YrnV7pBIcSnvVzANBgkqhkiG9w0BAQUF +ADCByjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW +ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMTk5OSBWZXJpU2lnbiwgSW5j +LiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz +IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzMwHhcNOTkxMDAx +MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlT +aWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEo +YykgMTk5OSBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYD +VQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5IC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLupxS/HgfGh5v +GzdzvfjJa5QSME/wNkf10JEK9RfIpWHBFkBN+4phkOV2IMERBn2rLG6m9RFBjvotrSphWaRn +JkzQ6LxSW3AgBFjResmkabyDF2StBYu80FjOjYz16/BCSQudlydnMm7hrpMVHHC8IE0vGN6S +iOhshVcRGul+4yYRVKJFllWDyjCJ6NzYo+0qgD9/eWVXPhUgZggvlZO/qkcvqEaX8BLi/sIK +K1Hmdua3RrfiDabMqMNMWVWJ5uhTXBzqnfBiFgunyV8M8N7Cds6v92ry+kGmojMUyeV6Y9Oe +YjfVhWWeDuZTJHQbXh0SU1vHLOeDSTsVropouVeXAgMBAAEwDQYJKoZIhvcNAQEFBQADggEB +ABEUlsGrkgj3Py/Jsv7kWp9k3tshT4aZNHY2V93QFS/FrX8VHzdicz7U51/OFwPbNfor265g +CV8eX49uuws96loTHgxgb7XAtSMiLgcLy6l0y0e7HcHXpWvML9JC/Undp4nPU7raAFoov4Lf ++LoTHVCGgv2OMI8pRrAePTXaOGIWGEqt5rZRbN6vYusB0B4k/nqPEhoSaLj7ZpkUFEVcrueu +aReBK1o3yV4q9MbioVxUm6ZUAM/w8cHHmDAaOzYW26Nu6v2tssLa7wJHE4rA8bMxrU8c4U+c +rw8Mnfd4Ddj0NVaA2rdtF4+dHoFk4f7FRbqta7kKek5PS4TuS/F93REAAAACABxjZXJ0dW10 +cnVzdGVkbmV0d29ya2NhIFtqZGtdAAABVsJJZ94ABVguNTA5AAADvzCCA7swggKjoAMCAQIC +AwREwDANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBU +ZWNobm9sb2dpZXMgUy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9y +aXR5MSIwIAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMB4XDTA4MTAyMjEyMDcz +N1oXDTI5MTIzMTEyMDczN1owfjELMAkGA1UEBhMCUEwxIjAgBgNVBAoTGVVuaXpldG8gVGVj +aG5vbG9naWVzIFMuQS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 +eTEiMCAGA1UEAxMZQ2VydHVtIFRydXN0ZWQgTmV0d29yayBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAOP7faNyusLwyRSH9WsBTuFuQAe6bSddf/dbLbNax1Ffq6QypmGH +tm4PhtIwApf412lXoRg5XWpkecYBWaw8MUo4fNIE0kso6CBfOweizE1z2/OuT8dW1Vqnlon6 +86to1COGWSfPCSe8rG5ygxwwct/gounS4XR1Gb0qnnsVVAQb10M5rVUoxeIau/TA5K44STPM +doWfOUXSpJ7yEoxR+HzkLX/1rF/rFp+xLdG6zJFCd0wlyZA4b9vwzPuOHpdZPtVgTuYFKO1J +eRNLukjbL/ly0znK/h/YNHL1tEDPMQHD7N4RLRddH7hQ0V4Zp2neBzMoylCV+adUy1SGUEWp ++UkCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUCHbNywf/JPbFze27kLzi +hDdGdfcwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQCmqK0izgE9pqP/YtBI +nYtecrB4ROPcHK8J/SNI+r0qxLlVBLUQo40n3guCY9Du3gw3eUFbIrKwmkFcpnDg1NB3yyPT +AOBsVi/haQ0N2aq/IYFQ2QalqP+VN9Cq/uKz9ZktRYSK5UIJ13QCL/eJ2JnpvCfUR426DUYc +d88UpBy5pDHEnCh0AzT/MxkmpekNdLc+l8Z26CeWo2bd4a7yQVvKmFaDc3DkhhrSMUG6L74t +E1p2b07oToEOP1sDIqASvmZYEUrLA8S0KiotlhfgOVS8SNN2J52aLQamyew50qvbn5oLJwI1 +KbFAlef56JxViBlG1rc09X7OOZrZOPFR908sAAAAAgAcdXRudXNlcmZpcnN0aGFyZHdhcmVj +YSBbamRrXQAAAVbCSPFHAAVYLjUwOQAABHgwggR0MIIDXKADAgECAhBEvgyLUAAktBHTNir+ +ZQr9MA0GCSqGSIb3DQEBBQUAMIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNV +BAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAf +BgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJz +dC1IYXJkd2FyZTAeFw05OTA3MDkxODEwNDJaFw0xOTA3MDkxODE5MjJaMIGXMQswCQYDVQQG +EwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVU +aGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNv +bTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALH3wzg/tKh/zzmCUWfQbZ/S/1jz558r7A2JVJm5OJkW9+AheUjCu2F0 +EpYdPGpy1TwQZzo57SsTzWbrlQkzpGyXsejG7MF1eZxGXo2r0Gr9uSpVFxBUsxnwmvbxsV22 +p2374HEXa6KI+wDf/hoxdwyaAXqxMuMrAQc4bsOlXiO8RZt7UMHJMI/b5St601v7M0AeoNWY +F7yLh8OJ012gjrKqqvaOaYgGxfqJIfMInWkuCTObKQ1GD4zMSTSwaVG9+QbNaK1mTLw+rGG9 +CogOyN897nwETJ0KXmuR1u7H7SiNq02HiXPQbqTQHhaLFOF2RAN/Y6zkzUmcxZL0qzKhSFsC +AwEAAaOBuTCBtjALBgNVHQ8EBAMCAcYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoXJf +JhsomEOVXQc31YWWnUvSw0UwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC51c2VydHJ1 +c3QuY29tL1VUTi1VU0VSRmlyc3QtSGFyZHdhcmUuY3JsMDEGA1UdJQQqMCgGCCsGAQUFBwMB +BggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHMA0GCSqGSIb3DQEBBQUAA4IBAQBHGQ/e +dMaZl6/8rShedY7rLWfuTnsr1wz/9t7LVaIK4UxUZZNga58SnK1egyzrWq7A5C30AGMduMBs +8s9Ju02TbwamCiKySWIITv/IyBSyiBZd5wHkEpXlRTSzi2m9z7SFj3VRnn06ODoUSBLG+6c7 +Go0NgkAH6AQIkKGJyxlQ38ocAbwdBBl7EHaXO+6QkMrEDh8WbnXvM/jTb1seluPgdHd0e4qi +bi3ddtY5MILwq5xS8irHr0lefsdo5YKByGon+SeIKtVYUJUf8DscV7t9FDliK5rJlJIqoyIM +/4kmfV8jK0fXFR2pap5RDSpRnoH51DtecBJ/EDKcHrud+GaoAAAAAgAXZHRydXN0Y2xhc3Mz +Y2EyZXYgW2pka10AAAFWwkoAlwAFWC41MDkAAARHMIIEQzCCAyugAwIBAgIDCYP0MA0GCSqG +SIb3DQEBCwUAMFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNV +BAMMIUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOTAeFw0wOTExMDUwODUwNDZa +Fw0yOTExMDUwODUwNDZaMFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgx +KjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAJnxhDRwui+3MKCOvXwEz75ivJn9gpfSegpnljgJ9hBO +lSJzmY3aFS3nBfwZcyK3jpgAvDw9rKFs+9Z5JUut8Mxk2og+KbgPCdM03TP1YtHhzRnp7hhP +TFiu4h7WDFsVWtg6uMQYZB7jM7K1iXdODL/ZlGsTl28So/6ZqQTMFexgaDbtCHu39b+T7WYx +g4zGcTSHThfqr4uRjRxWQa4iN1438h3Z0S0NL2lRp75mpoo6Kr3HGrHhFPC+Oh25z1uxav60 +sUYgovseO3Dvk5h9jHOW8sXvhXCtKSb8HgQ+HKDYD8tSg2J87otTlZCpV6LqYQXY+U3EJ/pu +re3511H3a6UCAwEAAaOCASQwggEgMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNOUikxi +EyoZLsyvcop9NteaHNxnMA4GA1UdDwEB/wQEAwIBBjCB3QYDVR0fBIHVMIHSMIGHoIGEoIGB +hn9sZGFwOi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBSb290JTIwQ2xh +c3MlMjAzJTIwQ0ElMjAyJTIwRVYlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1ERT9jZXJ0 +aWZpY2F0ZXJldm9jYXRpb25saXN0MEagRKBChkBodHRwOi8vd3d3LmQtdHJ1c3QubmV0L2Ny +bC9kLXRydXN0X3Jvb3RfY2xhc3NfM19jYV8yX2V2XzIwMDkuY3JsMA0GCSqGSIb3DQEBCwUA +A4IBAQA07XtaPKSUiO8aEXUHL7P+PPoeUSbrh/Yp3uDx1MYkCenBz1UbtDDZzhr+BlGmFaQt +77JLvyAoJUnRpjZ3NOhk31KxEcdzes05nsKtjHEh8lprr988TlWvsoRlFIm5d8sqMb7Po23P +b0iUMkZv53GMoKaEGTcH8gNFCSuGdXzfX2lXANtu2KZyIktQ1HWYVt+3GP9DQ1CuekR78HlR +10M9p9OB0/DJT7naxpeG0ILD5EJt/rDiZE4OJudANCa1CInXCGNjOCd1HjPqbqjdn5lPdE2B +iYBL3ZqXKVwvvoFBuYz/6n1gBp7N1z3TLqMVvKjmJuVvw9y4AyHqnxbxLFS1AAAAAgAbZ2xv +YmFsc2lnbmVjY3Jvb3RjYXI1IFtqZGtdAAABVsJI9FEABVguNTA5AAACIjCCAh4wggGkoAMC +AQICEWBZSeAmLrtV+Qp3inH5SthsMAoGCCqGSM49BAMDMFAxJDAiBgNVBAsTG0dsb2JhbFNp +Z24gRUNDIFJvb3QgQ0EgLSBSNTETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xv +YmFsU2lnbjAeFw0xMjExMTMwMDAwMDBaFw0zODAxMTkwMzE0MDdaMFAxJDAiBgNVBAsTG0ds +b2JhbFNpZ24gRUNDIFJvb3QgQ0EgLSBSNTETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UE +AxMKR2xvYmFsU2lnbjB2MBAGByqGSM49AgEGBSuBBAAiA2IABEdFDpb7fV2/6TnRIfifC7bV +ex6SOkhZHPBiMS3Aeij+Gqdcs7bMl+dF1Fj60XdtQ6LAh2U0Ch963es8M6HFnU2kb0GVOH/J +HoTr0Z5JkoeUhww6hUpmn51Zk02XYQaGSqNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB +/wQFMAMBAf8wHQYDVR0OBBYEFD3mKUib6gfKIURKJt5u3tKD0J9ZMAoGCCqGSM49BAMDA2gA +MGUCMQDlaRLJbtvGMboJQeGX+Pv9muJ9EsntfGTTywUli1bZoOdeXU4Lg5xbdimgCSYhamIC +MHHStY9c6jvheAmFqHWSO8hc/UjvDXQiqAjibsVJzscMvKdhafH3O+Eqy/kr82aQNwAAAAIA +H3N0YXJmaWVsZHNlcnZpY2Vzcm9vdGcyY2EgW2pka10AAAFWwkmiwgAFWC41MDkAAAPzMIID +7zCCAtegAwIBAgIBADANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCVVMxEDAOBgNVBAgT +B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNo +bm9sb2dpZXMsIEluYy4xOzA5BgNVBAMTMlN0YXJmaWVsZCBTZXJ2aWNlcyBSb290IENlcnRp +ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIzNTk1OVow +gZgxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxl +MSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTswOQYDVQQDEzJTdGFy +ZmllbGQgU2VydmljZXMgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBANUMOsQq+U7i9b4Zl1+OiFOxHz/Lz58gE20pOsgP +fTz3a3Y4Y9k2YKibXlwAgLIvWX/2h/klQ4bnaRtSmpDhcePYLQ1Ob/bISdm28xpWriu2dBTr +z/sm4xq6HZYuajtYlIlHVv8loJNwU4PahHQUw2eeBGg6345AWh1KTs9DkTvnVtYAcMtS7nt9 +rjrnvDH5RfbCYM8TWQIrgMw0R9+53pBlbQLPLJGmpufehRhJfGZOozptqbXuNC66DQO4M99H +67FrjSXZm86B0UVGMpZwh94CDklDhbZsc7tk6mFBrMnUVN+HL8cisibMn1lUaJ/8viovxFUc +dUBgF4UCVTmLfwUCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +HQYDVR0OBBYEFJxfAN+qAdcwKziIorhtSpzyEZGDMA0GCSqGSIb3DQEBCwUAA4IBAQBLNqaE +d2ndOxmfZyMIbw5hyf2E3F/YNoHN2BtBLZ9g3ccaaNnRbobhiCPPE95Dz+I0swSdHynVv/he +yNXBve6SbzJ08pGCL72CQnqtKrcgfU28elUSwhXqvfdqlS5sdJ/PHLTyxQGjhdByPq1zqwub +dQxtRbeOlKyWN7Wg0I8VRw7j6IPdj/3vQQF3zCepYoUz8jcI73HPdwbeyBkdiEDPfUYd/x7H +4c7/I9vG+o1VTqkC50cRRj70/b17KSa7qWFiNyi2LSr2EIZkyXCn0q23KXB56jzaYyWf/Wi3 +MOxw+3WKt21gZ7IeyLnp2KhvAotnDU0mV3HaIPzBSlCNsSi6AAAAAgAgdHRlbGVzZWNnbG9i +YWxyb290Y2xhc3MyY2EgW2pka10AAAFWwklV9AAFWC41MDkAAAPHMIIDwzCCAqugAwIBAgIB +ATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBF +bnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50 +ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0 +MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVt +cyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBD +ZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqv +NK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/ +9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVs +qXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHm +BiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+G +PgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G +A1UdDgQWBBS/WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsf +dOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxh +I+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN/q/xWA +5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWE +yS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lDfMjI +q2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6FuwgAAAAIAGWFkZHRydXN0cXVhbGlm +aWVkY2EgW2pka10AAAFWwkmxZwAFWC41MDkAAAQiMIIEHjCCAwagAwIBAgIBATANBgkqhkiG +9w0BAQUFADBnMQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsT +FEFkZFRydXN0IFRUUCBOZXR3b3JrMSMwIQYDVQQDExpBZGRUcnVzdCBRdWFsaWZpZWQgQ0Eg +Um9vdDAeFw0wMDA1MzAxMDQ0NTBaFw0yMDA1MzAxMDQ0NTBaMGcxCzAJBgNVBAYTAlNFMRQw +EgYDVQQKEwtBZGRUcnVzdCBBQjEdMBsGA1UECxMUQWRkVHJ1c3QgVFRQIE5ldHdvcmsxIzAh +BgNVBAMTGkFkZFRydXN0IFF1YWxpZmllZCBDQSBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA5B6a/twJWoekn0e+EV+vhDTbYjx5eLfpMLXsDBwqxBb/4Oxx64r1EW7t +Tw2R0hIYLUkVAcKkIhPHEWT/IhKauY5cLwjPcWqzZwFZ8V1G87B4pfYOQnrjfxvM0PC3KP0q +6p6zsLkEqv32x7SxuCqg+1jxGaBvcCV+PmlKfw8i2O+tCBGaKZnhqkRFmhJePp1tUvznoD1o +L/BLcHwTOK28FSXx1s6rosAx1i+f4P8UWfyEk9mHfExUE+uf0S0R+Bg6Ot4l2ffTQO2kBhLE +O+GRwVY18BTcZTYJbqukB8c10cIDMzZbdSZtQvESa0NvS3GU+jQd7RNuyoB/mC9suWXY6QID +AQABo4HUMIHRMB0GA1UdDgQWBBQ5lYtii1zJ1IC6WA+XPxUIQ8yYpzALBgNVHQ8EBAMCAQYw +DwYDVR0TAQH/BAUwAwEB/zCBkQYDVR0jBIGJMIGGgBQ5lYtii1zJ1IC6WA+XPxUIQ8yYp6Fr +pGkwZzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMR0wGwYDVQQLExRBZGRU +cnVzdCBUVFAgTmV0d29yazEjMCEGA1UEAxMaQWRkVHJ1c3QgUXVhbGlmaWVkIENBIFJvb3SC +AQEwDQYJKoZIhvcNAQEFBQADggEBABmrder4i2VhlRO6aQTvhsoToMeqT2QbPxj2qC0sVY8F +tzDqQmodwCVRLae/DLPt7wh/bDxGGuoYQ992zPlmhpwsaPXpF/gxsxjE1kh9I0xowX67ARRv +xdlu3rsEQmr49lx95dr6h+sNNVJn0J6XdgWTP5XHAeZpVTh/EGGZyeNfpso+gmNIquIISD6q +8rKFYqa0p9m9N5xotS1WfbC3P6CxB9bpT9zeRXEwMn8bLgn5v1Kh7sKAPgZcLlVAwRv1cEWw +3F369nJad9Jjzc9YiQBCYz95OdBEsIJuQRno3eDBiFrRHnGTHyQwdOUeqN48Jzd/g66ed8/w +MLH/S5noxqEAAAACABpkaWdpY2VydGdsb2JhbHJvb3RjYSBbamRrXQAAAVbCSYbZAAVYLjUw +OQAAA7MwggOvMIICl6ADAgECAhAIO+BWkEJGsaF1aslZkcdKMA0GCSqGSIb3DQEBBQUAMGEx +CzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdp +Y2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMB4XDTA2MTExMDAw +MDAwMFoXDTMxMTExMDAwMDAwMFowYTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0 +IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEgMB4GA1UEAxMXRGlnaUNlcnQgR2xv +YmFsIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiO+ERct6opNOj +V6pQoo8Ld5DJoqXuEs6WWwEJIMwBk6dOMLdT90PEaQBXneKNIt2HBkAAgQnOzhuDv9/NO3FG +4tZmxwWzdicWj3ueHpV97rdIowja1q96DDkGZX9KXR+8F/irvu4o13R/eniZWYVoblwjMku/ +TsDoWm3jcL93EL/8AfaF2ahEEFgyqXUY1dGivkfiJ2r0mjP4SQhgi9RftDqEv6GqSkx9Ps9P +X2x2XqBLN5Ge3CLmbc4UGo5qy/7NsxRkF8dbKZ4yv/Lu+tMLQtSrt0Ey2gzU7/iB1buNWD+1 +G+hJKKJw2jEE3feyFvJMCk4HqO1KPV61f6OQw68nAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIB +hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQD3lA1VtFMu2bwo+IbG8OXsj3RVTAfBgNV +HSMEGDAWgBQD3lA1VtFMu2bwo+IbG8OXsj3RVTANBgkqhkiG9w0BAQUFAAOCAQEAy5w3qkgT +Egr63UScT1Kw9N+uBPV5eQijJBj8SyuEwC251cf+9MEfWMu4bZx6dOeYKasRteNwoKHNTIiZ +k4yRcOKrDxy+k6n/Y9XkB2DTo7+dWwnx1Y7jU/SOY/o/p9u0Zt9iZtbRbkGN8i216ndKn51Y +4itZwEAj7S0ogkU+eVSSJpjggEioN+/w1nlgFt6s6A7NbqxEFzgvSdrhRT4quTZTzzpQBvcu +6MRXSWxhIRjVBK14PCw6gGun668VFOnYicG5OGzikWyK/2S5dyVXMMAbJKPh3OnfR3y1tCQI +BTDsLb0Lv0W/ULmp8+uYARKtyIjGmDRfjQo8xunVlZVt3udPoMwa+5HNtuCXcGFXXPQXABoM + diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml new file mode 100644 index 0000000000..17872d7f12 --- /dev/null +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -0,0 +1,163 @@ +{{/* +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + + + +{{- define "common.certInitializer._aafConfigVolumeName" -}} + {{ include "common.fullname" . }}-aaf-config +{{- end -}} + +{{- define "common.certInitializer._aafAddConfigVolumeName" -}} + {{ print "aaf-add-config" }} +{{- end -}} + +{{/* + common templates to enable cert initialization for applictaions + + In deployments/jobs/stateful include: + initContainers: + {{ include "common.certInitializer.initContainer" . | nindent XX }} + + containers: + volumeMounts: + {{- include "common.certInitializer.volumeMount" . | nindent XX }} + volumes: + {{- include "common.certInitializer.volume" . | nindent XX}} +*/}} +{{- define "common.certInitializer._initContainer" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certInitializer .initRoot -}} +{{- $initName := default "certInitializer" -}} +{{/* Our version of helm doesn't support deepCopy so we need this nasty trick */}} +{{- $subchartDot := mergeOverwrite (fromJson (toJson $dot)) (dict "Chart" (set (fromJson (toJson .Chart)) "Name" $initRoot.nameOverride) "Values" $initRoot) }} +- name: {{ include "common.name" $dot }}-aaf-readiness + image: "{{ $dot.Values.global.readinessRepository }}/{{ $dot.Values.global.readinessImage }}" + imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} + command: + - /root/ready.py + args: + - --container-name + - aaf-locate + - --container-name + - aaf-cm + - --container-name + - aaf-service + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace +- name: {{ include "common.name" $dot }}-aaf-config + image: {{ (default $dot.Values.repository $dot.Values.global.repository) }}/{{ $dot.Values.global.aafAgentImage }} + imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} + volumeMounts: + - mountPath: {{ $initRoot.mountPath }} + name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }} + - mountPath: /opt/app/aaf_config/cert/truststoreONAPall.jks.b64 + name: aaf-agent-certs + subPath: truststoreONAPall.jks.b64 + - mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64 + name: aaf-agent-certs + subPath: truststoreONAP.p12.b64 +{{- if $initRoot.aaf_add_config }} + - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} + mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh + subPath: aaf-add-config.sh +{{- end }} + command: + - sh + - -c + - | + #!/usr/bin/env bash + /opt/app/aaf_config/bin/agent.sh +{{- if $initRoot.aaf_add_config }} + /opt/app/aaf_config/bin/aaf-add-config.sh +{{- end }} + env: + - name: APP_FQI + value: "{{ $initRoot.fqi }}" + - name: aaf_locate_url + value: "https://aaf-locate.{{ $dot.Release.Namespace}}:8095" + - name: aaf_locator_container + value: "oom" + - name: aaf_locator_container_ns + value: "{{ $dot.Release.Namespace }}" + - name: aaf_locator_fqdn + value: "{{ $initRoot.fqdn }}" + - name: aaf_locator_app_ns + value: "{{ $initRoot.app_ns }}" + - name: DEPLOY_FQI + {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "login") | indent 6 }} + - name: DEPLOY_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "password") | indent 6 }} + #Note: want to put this on Nodes, eventually + - name: cadi_longitude + value: "{{ default "52.3" $initRoot.cadi_longitude }}" + - name: cadi_latitude + value: "{{ default "13.2" $initRoot.cadi_latitude }}" + #Hello specific. Clients don't don't need this, unless Registering with AAF Locator + - name: aaf_locator_public_fqdn + value: "{{ $initRoot.public_fqdn | default "" }}" +{{- end -}} + +{{- define "common.certInitializer._volumeMount" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certInitializer .initRoot -}} +- mountPath: {{ $initRoot.mountPath }} + name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }} +{{- end -}} + +{{- define "common.certInitializer._volumes" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certInitializer .initRoot -}} +{{- $subchartDot := mergeOverwrite (fromJson (toJson $dot)) (dict "Chart" (set (fromJson (toJson .Chart)) "Name" $initRoot.nameOverride) "Values" $initRoot) }} +- name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }} + emptyDir: + medium: Memory +- name: aaf-agent-certs + configMap: + name: {{ include "common.fullname" $subchartDot }}-certs + defaultMode: 0700 + +{{- if $initRoot.aaf_add_config }} +- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} + configMap: + name: {{ include "common.fullname" $subchartDot }}-add-config + defaultMode: 0700 +{{- end -}} +{{- end -}} + +{{- define "common.certInitializer.initContainer" -}} +{{- $dot := default . .dot -}} + {{- if $dot.Values.global.aafEnabled }} + {{ include "common.certInitializer._initContainer" . }} + {{- end -}} +{{- end -}} + +{{- define "common.certInitializer.volumeMount" -}} +{{- $dot := default . .dot -}} + {{- if $dot.Values.global.aafEnabled }} + {{- include "common.certInitializer._volumeMount" . }} + {{- end -}} +{{- end -}} + +{{- define "common.certInitializer.volumes" -}} +{{- $dot := default . .dot -}} + {{- if $dot.Values.global.aafEnabled }} + {{- include "common.certInitializer._volumes" . }} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/certInitializer/templates/configmap.yaml b/kubernetes/common/certInitializer/templates/configmap.yaml new file mode 100644 index 0000000000..a89a33152b --- /dev/null +++ b/kubernetes/common/certInitializer/templates/configmap.yaml @@ -0,0 +1,32 @@ +{{/* +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ if .Values.aaf_add_config }} +apiVersion: v1 +kind: ConfigMap +{{- $suffix := "add-config" }} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} +data: + aaf-add-config.sh: | + {{ tpl .Values.aaf_add_config . | indent 4 }} +{{- end }} +--- +apiVersion: v1 +kind: ConfigMap +{{- $suffix := "certs" }} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . ) | nindent 2 }} +data: +{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/certInitializer/templates/secret.yaml b/kubernetes/common/certInitializer/templates/secret.yaml new file mode 100644 index 0000000000..34932b713d --- /dev/null +++ b/kubernetes/common/certInitializer/templates/secret.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml new file mode 100644 index 0000000000..b55ba5e2f3 --- /dev/null +++ b/kubernetes/common/certInitializer/values.yaml @@ -0,0 +1,42 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global: + readinessRepository: oomk8s + readinessImage: readiness-check:2.0.2 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 + aafEnabled: true + +pullPolicy: Always + +secrets: + - uid: deployer-creds + type: basicAuth + externalSecret: '{{ ternary (tpl (default "" .Values.aafDeployCredsExternalSecret) .) "aafIsDisabled" .Values.global.aafEnabled }}' + login: '{{ .Values.aafDeployFqi }}' + password: '{{ .Values.aafDeployPass }}' + passwordPolicy: required + +aafDeployFqi: "changeme" +fqdn: "" +app_ns: "org.osaaf.aaf" +fqi: "" +fqi_namespace: "" +public_fqdn: "aaf.osaaf.org" +aafDeployFqi: "deployer@people.osaaf.org" +aafDeployPass: demo123456! +cadi_latitude: "38.0" +cadi_longitude: "-72.0" +aaf_add_config: "" +mountPath: "/opt/app/osaaf" diff --git a/kubernetes/common/common/templates/_aafconfig.tpl b/kubernetes/common/common/templates/_aafconfig.tpl index 0c78cc11b9..e90f8aea5d 100644 --- a/kubernetes/common/common/templates/_aafconfig.tpl +++ b/kubernetes/common/common/templates/_aafconfig.tpl @@ -76,6 +76,13 @@ fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi - name: {{ include "common.name" $dot }}-aaf-config image: {{ (default $dot.Values.repository $dot.Values.global.repository) }}/{{ $dot.Values.global.aafAgentImage }} imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} @@ -121,6 +128,13 @@ #Hello specific. Clients don't don't need this, unless Registering with AAF Locator - name: aaf_locator_public_fqdn value: "{{ $aafRoot.public_fqdn | default "" }}" + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi {{- end -}} {{- end -}} diff --git a/kubernetes/common/common/templates/_log.tpl b/kubernetes/common/common/templates/_log.tpl new file mode 100644 index 0000000000..3ae536aff3 --- /dev/null +++ b/kubernetes/common/common/templates/_log.tpl @@ -0,0 +1,53 @@ +{{/* +# Copyright © 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- define "common.log.sidecar" -}} +{{- if .Values.global.centralizedLoggingEnabled }} +- name: {{ include "common.name" . }}-filebeat + image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - name: filebeat-conf + mountPath: /usr/share/filebeat/filebeat.yml + subPath: filebeat.yml + - name: logs + mountPath: {{ .Values.log.path }} + - name: filebeat-data + mountPath: /usr/share/filebeat/data +{{- end -}} +{{- end -}} + +{{- define "common.log.volumes" -}} +{{- if .Values.global.centralizedLoggingEnabled }} +- name: filebeat-conf + configMap: + name: {{ include "common.fullname" . }}-filebeat +- name: filebeat-data + emptyDir: {} +{{- end -}} +{{- end -}} + +{{- define "common.log.configMap" -}} +{{- if .Values.global.centralizedLoggingEnabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "filebeat") | nindent 2 }} +data: +{{ tpl (.Files.Glob "resources/config/log/filebeat/*").AsConfig . | indent 2 }} +{{- end }} +{{- end -}} + diff --git a/kubernetes/common/common/templates/_secret.tpl b/kubernetes/common/common/templates/_secret.tpl index 064b0c16af..990c476f29 100644 --- a/kubernetes/common/common/templates/_secret.tpl +++ b/kubernetes/common/common/templates/_secret.tpl @@ -476,7 +476,6 @@ stringData: {{- if eq $type "generic" }} data: {{- range $curFilePath := $secret.filePaths }} - {{- fail (printf "%s" $curFilePath) }} {{ tpl ($global.Files.Glob $curFilePath).AsSecrets $global | indent 2 }} {{- end }} {{- if $secret.filePath }} diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index 98b8d676df..3d745ed819 100644 --- a/kubernetes/common/common/templates/_service.tpl +++ b/kubernetes/common/common/templates/_service.tpl @@ -222,8 +222,8 @@ spec: {{- $labels := default (dict) .labels -}} {{- $matchLabels := default (dict) .matchLabels -}} -{{- if (and (include "common.needTLS" .) $both_tls_and_plain) }} -{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "msb_informations" $msb_informations "dot" . "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "serviceType" "ClusterIP" "add_plain_port" true $labels "matchLabels" $matchLabels) }} +{{- if (and (include "common.needTLS" $dot) $both_tls_and_plain) }} +{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "msb_informations" $msb_informations "dot" $dot "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "serviceType" "ClusterIP" "add_plain_port" true $labels "matchLabels" $matchLabels) }} {{- if (ne $serviceType "ClusterIP") }} --- {{- if $suffix }} @@ -231,10 +231,10 @@ spec: {{- else }} {{- $suffix = "external" }} {{- end }} -{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "dot" . "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "serviceType" $serviceType $labels "matchLabels" $matchLabels) }} +{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "dot" $dot "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "serviceType" $serviceType $labels "matchLabels" $matchLabels) }} {{- end }} {{- else }} -{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "dot" . "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "serviceType" $serviceType $labels "matchLabels" $matchLabels) }} +{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "dot" $dot "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "serviceType" $serviceType $labels "matchLabels" $matchLabels) }} {{- end }} {{- end -}} @@ -302,3 +302,33 @@ true {{- end }} {{- end }} {{- end -}} + +{{- define "common.port.buildCache" -}} + {{- $global := . }} + {{- if not $global.Values._DmaapDrNodePortsCache }} + {{- $portCache := dict }} + {{- range $port := .Values.service.ports }} + {{- $_ := set $portCache $port.name (dict "port" $port.port "plain_port" $port.plain_port) }} + {{- end }} + {{- $_ := set $global.Values "_DmaapDrNodePortsCache" $portCache }} + {{- end }} +{{- end -}} + +{/* + Get Port value according to its name and if we want tls or plain port. + The template takes below arguments: + - .global: environment (.) + - .name: name of the port + - .getPlain: boolean allowing to choose between tls (false, default) or + plain (true) + If plain_port is not set and we ask for plain, it will return empty. +*/} +{{- define "common.getPort" -}} + {{- $global := .global }} + {{- $name := .name }} + {{- $getPlain := default false .getPlain }} + {{- include "common.port.buildCache" $global }} + {{- $portCache := $global.Values._DmaapDrNodePortsCache }} + {{- $port := index $portCache $name }} + {{- ternary $port.plain_port $port.port $getPlain }} +{{- end -}} diff --git a/kubernetes/common/dgbuilder/requirements.yaml b/kubernetes/common/dgbuilder/requirements.yaml index 7d56bf28ef..4735901dfa 100644 --- a/kubernetes/common/dgbuilder/requirements.yaml +++ b/kubernetes/common/dgbuilder/requirements.yaml @@ -15,4 +15,4 @@ dependencies: - name: common version: ~6.x-0 - repository: '@local'
\ No newline at end of file + repository: 'file://../common' diff --git a/kubernetes/common/dgbuilder/templates/ingress.yaml b/kubernetes/common/dgbuilder/templates/ingress.yaml new file mode 100644 index 0000000000..0cd8cfbd36 --- /dev/null +++ b/kubernetes/common/dgbuilder/templates/ingress.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung, Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.ingress" . }} diff --git a/kubernetes/common/dgbuilder/values.yaml b/kubernetes/common/dgbuilder/values.yaml index 105facf2b9..6586573f9f 100644 --- a/kubernetes/common/dgbuilder/values.yaml +++ b/kubernetes/common/dgbuilder/values.yaml @@ -52,12 +52,12 @@ secrets: - uid: 'db-root-password' type: password externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' - password: '{{ .Values.config.dbRootPassword }}' + password: '{{ .Values.config.db.rootPassword }}' - uid: 'db-user-creds' type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.dbSdnctlPassword }}' + password: '{{ .Values.config.db.userPassword }}' - uid: 'http-user-creds' type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.httpCredsExternalSecret) . }}' @@ -118,8 +118,6 @@ config: restconfPassword: admin # restconfCredsExternalSecret: some secret - dbRootPassword: openECOMP1.0 - dbSdnctlPassword: gamma dbPodName: mysql-db dbServiceName: sdnc-dbhost # MD5 hash of dguser password ( default: test123 ) @@ -154,6 +152,12 @@ service: ingress: enabled: false + service: + - baseaddr: "dgbuilder" + name: "dgbuilder" + port: 3000 + config: + ssl: "redirect" resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/kubernetes/common/elasticsearch/Chart.yaml b/kubernetes/common/elasticsearch/Chart.yaml new file mode 100644 index 0000000000..517905641f --- /dev/null +++ b/kubernetes/common/elasticsearch/Chart.yaml @@ -0,0 +1,19 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +apiVersion: v1 +description: ONAP elasticsearch +name: elasticsearch +version: 6.0.0 diff --git a/kubernetes/common/elasticsearch/components/curator/Chart.yaml b/kubernetes/common/elasticsearch/components/curator/Chart.yaml new file mode 100644 index 0000000000..d1eaa61bc2 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/curator/Chart.yaml @@ -0,0 +1,19 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +apiVersion: v1 +description: ONAP elasticsearch curator +name: curator +version: 6.0.0 diff --git a/kubernetes/common/elasticsearch/components/curator/hooks/job.install.yaml b/kubernetes/common/elasticsearch/components/curator/hooks/job.install.yaml new file mode 100644 index 0000000000..7e73420e13 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/curator/hooks/job.install.yaml @@ -0,0 +1,74 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if .Values.enabled }} +{{- range $kind, $enabled := .Values.hooks }} +{{- if $enabled }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.fullname" . }}-curator-on-{{ $kind }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 2 }} + role: "curator" + annotations: + "helm.sh/hook": post-{{ $kind }} + "helm.sh/hook-weight": "1" +{{- if $.Values.cronjob.annotations }} +{{ toYaml $.Values.cronjob.annotations | indent 4 }} +{{- end }} +spec: + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + volumes: + - name: config-volume + configMap: + name: {{ template "common.fullname" (dict "suffix" "curator" "dot" .) }} +{{- if $.Values.extraVolumes }} +{{ toYaml $.Values.extraVolumes | indent 8 }} +{{- end }} + restartPolicy: Never +{{- if $.Values.priorityClassName }} + priorityClassName: "{{ $.Values.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "common.fullname" . }}-curator + image: {{printf "%s/%s:%s" (include "common.repository" .) .Values.image.imageName .Values.image.tag }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - name: config-volume + mountPath: /etc/es-curator + {{- if $.Values.extraVolumeMounts }} +{{ toYaml $.Values.extraVolumeMounts | indent 12 }} + {{- end }} + command: [ "curator" ] + args: [ "--config", "/etc/es-curator/config.yml", "/etc/es-curator/action_file.yml" ] + resources: +{{ toYaml $.Values.resources | indent 12 }} + {{- with $.Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with $.Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with $.Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end -}} +{{- end }} +{{- end }} diff --git a/kubernetes/common/elasticsearch/components/curator/requirements.yaml b/kubernetes/common/elasticsearch/components/curator/requirements.yaml new file mode 100644 index 0000000000..e9a5a5f61a --- /dev/null +++ b/kubernetes/common/elasticsearch/components/curator/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: common + version: ~6.x-0 + repository: 'file://../../../common' diff --git a/kubernetes/common/elasticsearch/components/curator/templates/configmap.yaml b/kubernetes/common/elasticsearch/components/curator/templates/configmap.yaml new file mode 100644 index 0000000000..dc2a430922 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/curator/templates/configmap.yaml @@ -0,0 +1,24 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if .Values.enabled }} +apiVersion: v1 +kind: ConfigMap +{{ $role := "curator" -}} +{{ $suffix := $role -}} +{{ $labels := (dict "role" $role) -}} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "labels" $labels "dot" . )| nindent 2 }} +data: + action_file.yml: {{ required "A valid .Values.configMaps.action_file_yml entry is required!" (toYaml .Values.configMaps.action_file_yml | indent 2) }} + config.yml: {{ required "A valid .Values.configMaps.config_yml entry is required!" (tpl (toYaml .Values.configMaps.config_yml | indent 2) $) }} +{{- end }} diff --git a/kubernetes/common/elasticsearch/components/curator/templates/cronjob.yaml b/kubernetes/common/elasticsearch/components/curator/templates/cronjob.yaml new file mode 100644 index 0000000000..901c0a5c06 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/curator/templates/cronjob.yaml @@ -0,0 +1,112 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if .Values.enabled }} +{{ $role := "curator" -}} +{{ $suffix := $role -}} +{{ $labels := (dict "role" $role) -}} +apiVersion: batch/v1beta1 +kind: CronJob +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "labels" $labels "dot" . )| nindent 2 }} + {{- if .Values.cronjob.annotations }} + annotations: {{- toYaml .Values.cronjob.annotations | indent 4 }} + {{- end }} +spec: + schedule: "{{ .Values.cronjob.schedule }}" + {{- with .Values.cronjob.concurrencyPolicy }} + concurrencyPolicy: {{ . }} + {{- end }} + {{- with .Values.cronjob.failedJobsHistoryLimit }} + failedJobsHistoryLimit: {{ . }} + {{- end }} + {{- with .Values.cronjob.successfulJobsHistoryLimit }} + successfulJobsHistoryLimit: {{ . }} + {{- end }} + jobTemplate: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + template: + metadata: {{- include "common.templateMetadata" . | nindent 10 }} + spec: + volumes: + - name: config-volume + configMap: + name: {{ template "common.fullname" . }}-curator + {{- if .Values.extraVolumes }} + {{- toYaml .Values.extraVolumes | nindent 12 }} + {{- end }} + restartPolicy: {{ .Values.global.restartPolicy | default .Values.cronjob.jobRestartPolicy }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} +{{- include "elasticsearch.imagePullSecrets" . | indent 10 }} + {{- if .Values.extraInitContainers }} + initContainers: + {{- range $key, $value := .Values.extraInitContainers }} + - name: "{{ $key }}" + {{- toYaml $value | nindent 14 }} + {{- end }} + {{- end }} + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ include "elasticsearch.curator.serviceAccountName" . }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplValue" (dict "value" .Values.affinity "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplValue" (dict "value" .Values.nodeSelector "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.securityContext }} + securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + containers: + - name: {{ template "common.fullname" . }}-curator + image: {{printf "%s/%s:%s" (include "common.repository" .) .Values.image.imageName .Values.image.tag }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - name: config-volume + mountPath: /etc/es-curator + {{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 16 }} + {{- end }} + {{ if .Values.command }} + command: {{ toYaml .Values.command | nindent 16 }} + {{- end }} + {{- if .Values.dryrun }} + args: [ "--dry-run", "--config", "/etc/es-curator/config.yml", "/etc/es-curator/action_file.yml" ] + {{- else }} + args: [ "--config", "/etc/es-curator/config.yml", "/etc/es-curator/action_file.yml" ] + {{- end }} + env: + {{- if .Values.env }} + {{- range $key,$value := .Values.env }} + - name: {{ $key | upper | quote}} + value: {{ $value | quote}} + {{- end }} + {{- end }} + {{- if .Values.envFromSecrets }} + {{- range $key,$value := .Values.envFromSecrets }} + - name: {{ $key | upper | quote}} + valueFrom: + secretKeyRef: + name: {{ $value.from.secret | quote}} + key: {{ $value.from.key | quote}} + {{- end }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 16 }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/elasticsearch/components/curator/templates/podsecuritypolicy.yaml b/kubernetes/common/elasticsearch/components/curator/templates/podsecuritypolicy.yaml new file mode 100644 index 0000000000..6fe032d818 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/curator/templates/podsecuritypolicy.yaml @@ -0,0 +1,46 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if and .Values.enabled .Values.psp.create }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +{{ $role := "curator" -}} +{{ $suffix := $role -}} +{{ $labels := (dict "role" $role) -}} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "labels" $labels "dot" . )| nindent 2 }} +spec: + privileged: true + #requiredDropCapabilities: + volumes: + - 'configMap' + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/kubernetes/common/elasticsearch/components/curator/templates/role.yaml b/kubernetes/common/elasticsearch/components/curator/templates/role.yaml new file mode 100644 index 0000000000..0d189f448b --- /dev/null +++ b/kubernetes/common/elasticsearch/components/curator/templates/role.yaml @@ -0,0 +1,32 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if and .Values.enabled .Values.rbac.enabled }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +{{ $role := "curator" -}} +{{ $suffix := $role -}} +{{ $labels := (dict "role" $role "component" "elasticsearch-curator-configmap") -}} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "labels" $labels "dot" . )| nindent 2 }} +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["update", "patch"] + {{- if .Values.psp.create }} + - apiGroups: ["extensions"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: + - {{ include "common.fullname" (dict "suffix" $suffix "dot" .) }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/elasticsearch/components/curator/templates/rolebinding.yaml b/kubernetes/common/elasticsearch/components/curator/templates/rolebinding.yaml new file mode 100644 index 0000000000..b112468dc3 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/curator/templates/rolebinding.yaml @@ -0,0 +1,29 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if and .Values.enabled .Values.rbac.enabled }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +{{ $role := "curator" -}} +{{ $suffix := $role -}} +{{ $labels := (dict "role" $role "component" "elasticsearch-curator-configmap") -}} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "labels" $labels "dot" . )| nindent 2 }} +roleRef: + kind: Role + name: {{ template "common.name" (dict "suffix" $suffix "dot" .) }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ include "elasticsearch.curator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/kubernetes/common/elasticsearch/components/curator/templates/serviceaccount.yaml b/kubernetes/common/elasticsearch/components/curator/templates/serviceaccount.yaml new file mode 100644 index 0000000000..0bd4ae0999 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/curator/templates/serviceaccount.yaml @@ -0,0 +1,21 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if and .Values.enabled .Values.serviceAccount.create .Values.rbac.enabled }} +apiVersion: v1 +kind: ServiceAccount +{{ $role := .Values.name -}} +{{ $suffix := $role -}} +{{ $labels := (dict "role" $role) -}} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "labels" $labels "dot" . )| nindent 2 }} +{{- end }} diff --git a/kubernetes/common/elasticsearch/components/curator/values.yaml b/kubernetes/common/elasticsearch/components/curator/values.yaml new file mode 100644 index 0000000000..5e0d9668d3 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/curator/values.yaml @@ -0,0 +1,180 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: + mountPath: /dockerdata-nfs + backup: + mountPath: /dockerdata-nfs/backup + storageClass: + clusterName: cluster.local +repositoryOverride: docker.io +################################################################# +# Application configuration defaults. +################################################################# +# application image +## Elasticsearch curator parameters +## +enabled: false +name: curator +image: + imageName: bitnami/elasticsearch-curator + tag: 5.8.1-debian-9-r74 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName +service: + port: 9200 +cronjob: + # At 01:00 every day + schedule: "0 1 * * *" + annotations: {} + concurrencyPolicy: "" + failedJobsHistoryLimit: "" + successfulJobsHistoryLimit: "" + jobRestartPolicy: Never +podAnnotations: {} +rbac: + # Specifies whether RBAC should be enabled + enabled: false +serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: +psp: + # Specifies whether a podsecuritypolicy should be created + create: false +hooks: + install: false + upgrade: false +# run curator in dry-run mode +dryrun: false +command: ["curator"] +env: {} +configMaps: + # Delete indices older than 90 days + action_file_yml: |- + --- + actions: + 1: + action: delete_indices + description: "Clean up ES by deleting old indices" + options: + timeout_override: + continue_if_exception: False + disable_action: False + ignore_empty_list: True + filters: + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: 90 + field: + stats_result: + epoch: + exclude: False + # Default config (this value is evaluated as a template) + config_yml: |- + --- + client: + hosts: + {{ template "common.fullname" . }}.{{ template "common.namespace" . }}.svc.{{ .Values.global.clusterName }} + port: {{ .Values.service.port }} + # url_prefix: + # use_ssl: True + # certificate: + # client_cert: + # client_key: + # ssl_no_validate: True + # http_auth: + # timeout: 30 + # master_only: False + # logging: + # loglevel: INFO + # logfile: + # logformat: default + # blacklist: ['elasticsearch', 'urllib3'] +## Curator resources requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: {} + # cpu: 100m + # memory: 128Mi + requests: {} + # cpu: 100m + # memory: 128Mi +priorityClassName: "" +# extraVolumes and extraVolumeMounts allows you to mount other volumes +# Example Use Case: mount ssl certificates when elasticsearch has tls enabled +# extraVolumes: +# - name: es-certs +# secret: +# defaultMode: 420 +# secretName: es-certs +# extraVolumeMounts: +# - name: es-certs +# mountPath: /certs +# readOnly: true +## Add your own init container or uncomment and modify the given example. +## +extraInitContainers: {} +## Don't configure S3 repository till Elasticsearch is reachable. +## Ensure that it is available at http://elasticsearch:9200 +## +# elasticsearch-s3-repository: +# image: bitnami/minideb:latest +# imagePullPolicy: "IfNotPresent" +# command: +# - "/bin/bash" +# - "-c" +# args: +# - | +# ES_HOST=elasticsearch +# ES_PORT=9200 +# ES_REPOSITORY=backup +# S3_REGION=us-east-1 +# S3_BUCKET=bucket +# S3_BASE_PATH=backup +# S3_COMPRESS=true +# S3_STORAGE_CLASS=standard +# install_packages curl && \ +# ( counter=0; while (( counter++ < 120 )); do curl -s http://${ES_HOST}:${ES_PORT} >/dev/null 2>&1 && break; echo "Waiting for elasticsearch $counter/120"; sleep 1; done ) && \ +# cat <<EOF | curl -sS -XPUT -H "Content-Type: application/json" -d @- http://${ES_HOST}:${ES_PORT}/_snapshot/${ES_REPOSITORY} \ +# { +# "type": "s3", +# "settings": { +# "bucket": "${S3_BUCKET}", +# "base_path": "${S3_BASE_PATH}", +# "region": "${S3_REGION}", +# "compress": "${S3_COMPRESS}", +# "storage_class": "${S3_STORAGE_CLASS}" +# } +# } + diff --git a/kubernetes/common/elasticsearch/components/data/Chart.yaml b/kubernetes/common/elasticsearch/components/data/Chart.yaml new file mode 100644 index 0000000000..5243a56101 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/data/Chart.yaml @@ -0,0 +1,19 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +apiVersion: v1 +description: ONAP elasticsearch data +name: data +version: 6.0.0 diff --git a/kubernetes/common/elasticsearch/components/data/requirements.yaml b/kubernetes/common/elasticsearch/components/data/requirements.yaml new file mode 100644 index 0000000000..a1f72ffc60 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/data/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: common + version: ~6.x-0 + repository: 'file://../../../common' diff --git a/kubernetes/common/elasticsearch/components/data/templates/pv.yaml b/kubernetes/common/elasticsearch/components/data/templates/pv.yaml new file mode 100644 index 0000000000..c713ec81ac --- /dev/null +++ b/kubernetes/common/elasticsearch/components/data/templates/pv.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.replicaPV" (dict "dot" . "suffix" .Values.persistence.suffix )}} diff --git a/kubernetes/common/elasticsearch/components/data/templates/serviceaccount.yaml b/kubernetes/common/elasticsearch/components/data/templates/serviceaccount.yaml new file mode 100644 index 0000000000..2ac3880886 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/data/templates/serviceaccount.yaml @@ -0,0 +1,21 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +{{ $role := .Values.name -}} +{{ $suffix := $role -}} +{{ $labels := (dict "role" $role) -}} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "labels" $labels "dot" . )| nindent 2 }} +{{- end }} diff --git a/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml b/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml new file mode 100644 index 0000000000..994b458e33 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml @@ -0,0 +1,175 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: StatefulSet +{{ $role := "data" -}} +{{ $suffix := $role -}} +{{ $labels := (dict "role" $role "discovery" (include "elasticsearch.clustername" .)) -}} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "labels" $labels "dot" . )| nindent 2 }} +spec: + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "OnDelete" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- else if .Values.updateStrategy.rollingUpdatePartition }} + rollingUpdate: + partition: {{ .Values.updateStrategy.rollingUpdatePartition }} + {{- end }} + selector: {{- include "common.selectors" (dict "matchLabels" $labels "dot" .) | nindent 4 }} + serviceName: {{ include "common.fullname" . }}-data + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" (dict "labels" $labels "dot" .) | nindent 6 }} + spec: +{{- include "elasticsearch.imagePullSecrets" . | nindent 6 }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplValue" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "elasticsearch.data.serviceAccountName" . }} + {{- if .Values.securityContext.enabled }} + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- end }} + {{- if or .Values.sysctlImage.enabled (and .Values.volumePermissions.enabled .Values.persistence.enabled) }} + initContainers: + {{- if .Values.sysctlImage.enabled }} + ## Image that performs the sysctl operation to modify Kernel settings (needed sometimes to avoid boot errors) + - name: sysctl + image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /bin/sh + - -c + - | + set -o errexit + set -o pipefail + set -o nounset + sysctl -w vm.max_map_count=262144 && sysctl -w fs.file-max=65536 + securityContext: + privileged: true + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + - name: volume-permissions + image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /bin/sh + - -c + - | + chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} //bitnami/elasticsearch/data + securityContext: + runAsUser: 0 + {{- if .Values.volumePermissions.resource }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: "/bitnami/elasticsearch/data" + {{- end }} + {{- end }} + containers: + - name: {{ include "common.name" . }}-elasticsearch + image: {{ printf "%s/%s:%s" (include "common.repository" .) .Values.image.imageName .Values.image.tag }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: ELASTICSEARCH_CLUSTER_NAME + value: {{include "elasticsearch.clustername" .}} + - name: ELASTICSEARCH_CLUSTER_HOSTS + value: {{ include "common.name" . }}-discovery + {{- if .Values.plugins }} + - name: ELASTICSEARCH_PLUGINS + value: {{ .Values.plugins | quote }} + {{- end }} + - name: ELASTICSEARCH_HEAP_SIZE + value: {{ .Values.heapSize | quote }} + - name: ELASTICSEARCH_IS_DEDICATED_NODE + value: "yes" + - name: ELASTICSEARCH_NODE_TYPE + value: "data" + ports: {{- include "common.containerPorts" . |indent 12 }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + httpGet: + path: /_cluster/health?local=true + port: 9200 + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + httpGet: + path: /_cluster/health?local=true + port: 9200 + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.config }} + - mountPath: /opt/bitnami/elasticsearch/config/elasticsearch.yml + name: "config" + subPath: elasticsearch.yml + {{- end }} + - name: "data" + mountPath: "/bitnami/elasticsearch/data" + {{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} + volumes: + {{- if .Values.config }} + - name: "config" + configMap: + name: {{ template "common.fullname" . }} + {{- end }} + {{- if .Values.extraVolumes }} + {{- toYaml .Values.extraVolumes | nindent 8 }} + {{- end }} +{{- if not .Values.persistence.enabled }} + - name: "data" + emptyDir: {} +{{- else }} + volumeClaimTemplates: + - metadata: + name: "data" + {{- if .Values.persistence.annotations }} + annotations: {{- toYaml .Values.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + - {{ .Values.persistence.accessMode }} + storageClassName: {{ include "common.storageClass" (dict "dot" . "suffix" .Values.persistence.suffix) }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} +{{- end }} diff --git a/kubernetes/common/elasticsearch/components/data/values.yaml b/kubernetes/common/elasticsearch/components/data/values.yaml new file mode 100644 index 0000000000..cfb7f51da3 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/data/values.yaml @@ -0,0 +1,170 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: + mountPath: /dockerdata-nfs + backup: + mountPath: /dockerdata-nfs/backup + storageClass: +repositoryOverride: docker.io +################################################################# +# Application configuration defaults. +################################################################# +## Init containers parameters: +sysctlImage: + enabled: true +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. +volumePermissions: + enabled: true +# application image +## Elasticsearch data node parameters +## +name: data +## Number of data node(s) replicas to deploy +## +replicaCount: 0 +## required for "common.containerPorts" +## no dedicated service for data nodes +service: + ## list of ports for "common.containerPorts" + ports: + - name: http-transport + port: 9300 + +image: + imageName: bitnami/elasticsearch + tag: 6.8.6-debian-9-r23 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Set to true if you would like to see extra information on logs + ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging + ## + debug: false + + +## updateStrategy for ElasticSearch Data statefulset +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## +updateStrategy: + type: RollingUpdate + # rollingUpdatePartition +heapSize: 128m +## Provide annotations for the data pods. +## +podAnnotations: {} +## Pod Security Context for data pods. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 +## Affinity for pod assignment. +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} +## Node labels for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## Tolerations for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## Elasticsearch data container's resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. + limits: {} + # cpu: 100m + # memory: 128Mi + requests: + cpu: 25m + memory: 1152Mi +## Elasticsearch data container's liveness and readiness probes +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## +livenessProbe: + enabled: false +# initialDelaySeconds: 90 +# periodSeconds: 10 +# timeoutSeconds: 5 +# successThreshold: 1 +# failureThreshold: 5 +readinessProbe: + enabled: false +# initialDelaySeconds: 90 +# periodSeconds: 10 +# timeoutSeconds: 5 +# successThreshold: 1 +# failureThreshold: 5 +## Enable persistence using Persistent Volume Claims +## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + ## If true, use a Persistent Volume Claim, If false, use emptyDir + ## + enabled: true + ## suffix for pv + suffix: data-pv + + ## Persistent Volume Storage Class + ## If defined, storageClassName: <storageClass> + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + ## Persistent Volume Claim annotations + ## + annotations: {} + ## Persistent Volume Access Mode + ## + accessMode: ReadWriteOnce + ## Persistent Volume size + ## + size: 8Gi +## Provide functionality to use RBAC +## + # existingClaim: + volumeReclaimPolicy: Retain + mountSubPath: elastic-data + storageType: local + backup: + mountPath: /dockerdata-nfs/backup +serviceAccount: + ## Specifies whether a ServiceAccount should be created for the data node + ## + create: false + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + ## + # name: diff --git a/kubernetes/common/elasticsearch/components/master/Chart.yaml b/kubernetes/common/elasticsearch/components/master/Chart.yaml new file mode 100644 index 0000000000..e9ac99a5bc --- /dev/null +++ b/kubernetes/common/elasticsearch/components/master/Chart.yaml @@ -0,0 +1,20 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + + +apiVersion: v1 +description: ONAP elasticsearch master +name: master +version: 6.0.0 diff --git a/kubernetes/common/elasticsearch/components/master/requirements.yaml b/kubernetes/common/elasticsearch/components/master/requirements.yaml new file mode 100644 index 0000000000..a1f72ffc60 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/master/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: common + version: ~6.x-0 + repository: 'file://../../../common' diff --git a/kubernetes/common/elasticsearch/components/master/templates/pv.yaml b/kubernetes/common/elasticsearch/components/master/templates/pv.yaml new file mode 100644 index 0000000000..c713ec81ac --- /dev/null +++ b/kubernetes/common/elasticsearch/components/master/templates/pv.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.replicaPV" (dict "dot" . "suffix" .Values.persistence.suffix )}} diff --git a/kubernetes/common/elasticsearch/components/master/templates/serviceaccount.yaml b/kubernetes/common/elasticsearch/components/master/templates/serviceaccount.yaml new file mode 100644 index 0000000000..05a3af37f2 --- /dev/null +++ b/kubernetes/common/elasticsearch/components/master/templates/serviceaccount.yaml @@ -0,0 +1,23 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +{{ $role := .Values.name -}} +{{ $suffix := $role -}} +{{ $labels := (dict "role" $role) -}} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "labels" $labels "dot" . )| nindent 2 }} +{{- end }} diff --git a/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml b/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml new file mode 100644 index 0000000000..dfa3ccbacc --- /dev/null +++ b/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml @@ -0,0 +1,179 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: StatefulSet +{{ $role := "master" -}} +{{ $suffix := $role -}} +{{ $labels := (dict "role" $role "discovery" (include "elasticsearch.clustername" .)) -}} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "labels" $labels "dot" . )| nindent 2 }} +spec: + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "OnDelete" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} + selector: {{- include "common.selectors" (dict "matchLabels" $labels "dot" .)| nindent 4 }} + serviceName: {{ include "common.fullname" . }}-master + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" (dict "labels" $labels "dot" .) | nindent 6 }} + spec: +{{- include "elasticsearch.imagePullSecrets" . | nindent 6 }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplValue" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "elasticsearch.serviceAccountName" . }} + {{- if .Values.securityContext.enabled }} + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- end }} + {{- if or .Values.sysctlImage.enabled (and .Values.volumePermissions.enabled .Values.persistence.enabled) }} + initContainers: + {{- if .Values.sysctlImage.enabled }} + ## Image that performs the sysctl operation to modify Kernel settings (needed sometimes to avoid boot errors) + - name: sysctl + image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /bin/sh + - -c + - | + set -o errexit + set -o pipefail + set -o nounset + sysctl -w vm.max_map_count=262144 && sysctl -w fs.file-max=65536 + securityContext: + privileged: true + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + - name: volume-permissions + image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /bin/sh + - -c + - | + chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} //bitnami/elasticsearch/data + securityContext: + runAsUser: 0 + {{- if .Values.volumePermissions.resource }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: "/bitnami/elasticsearch/data" + {{- end }} + {{- end }} + containers: + - name: {{ include "common.name" . }}-elasticsearch + image: {{ printf "%s/%s:%s" (include "common.repository" .) .Values.image.imageName .Values.image.tag }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: ELASTICSEARCH_CLUSTER_NAME + value: {{ include "elasticsearch.clustername" . }} + - name: ELASTICSEARCH_CLUSTER_HOSTS + value: {{ include "common.name" . }}-discovery + - name: ELASTICSEARCH_CLUSTER_MASTER_HOSTS + {{- $elasticsearchMasterFullname := printf "%s-%s" (include "common.fullname" . ) "master" }} + {{- $replicas := int .Values.replicaCount }} + value: {{range $i, $e := until $replicas }}{{ $elasticsearchMasterFullname }}-{{ $e }} {{ end }} + - name: ELASTICSEARCH_MINIMUM_MASTER_NODES + value: {{ add (div .Values.replicaCount 2) 1 | quote }} + {{- if .Values.plugins }} + - name: ELASTICSEARCH_PLUGINS + value: {{ .Values.plugins | quote }} + {{- end }} + - name: ELASTICSEARCH_HEAP_SIZE + value: {{ .Values.heapSize | quote }} + - name: ELASTICSEARCH_IS_DEDICATED_NODE + value: {{ .Values.dedicatednode | quote }} + - name: ELASTICSEARCH_NODE_TYPE + value: "master" + ports: {{- include "common.containerPorts" . |indent 12 }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + httpGet: + path: /_cluster/health?local=true + port: 9200 + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + httpGet: + path: /_cluster/health?local=true + port: 9200 + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.config }} + - mountPath: /opt/bitnami/elasticsearch/config/elasticsearch.yml + name: config + subPath: elasticsearch.yml + {{- end }} + - name: data + mountPath: /bitnami/elasticsearch/data + {{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} + volumes: + {{- if .Values.config }} + - name: config + configMap: + name: {{ include "common.fullname" . }} + {{- end }} + {{- if .Values.extraVolumes }} + {{- toYaml .Values.extraVolumes | nindent 8 }} + {{- end }} +{{- if not .Values.persistence.enabled }} + - name: "data" + emptyDir: {} +{{- else }} + volumeClaimTemplates: + - metadata: + name: "data" + {{- if .Values.persistence.annotations }} + annotations: {{- toYaml .Values.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + - {{ .Values.persistence.accessMode }} + storageClassName: {{ include "common.storageClass" (dict "dot" . "suffix" .Values.persistence.suffix) }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} +{{- end }} diff --git a/kubernetes/common/elasticsearch/components/master/templates/svc.yaml b/kubernetes/common/elasticsearch/components/master/templates/svc.yaml new file mode 100644 index 0000000000..8d66ef082e --- /dev/null +++ b/kubernetes/common/elasticsearch/components/master/templates/svc.yaml @@ -0,0 +1,19 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +{{ $role := "master" -}} +{{ $labels := (dict "role" $role) -}} +{{ $matchLabels := (dict "role" $role) }} +{{ include "common.service" (dict "labels" $labels "matchLabels" $matchLabels "dot" . ) }}
\ No newline at end of file diff --git a/kubernetes/common/elasticsearch/components/master/values.yaml b/kubernetes/common/elasticsearch/components/master/values.yaml new file mode 100644 index 0000000000..2862692eef --- /dev/null +++ b/kubernetes/common/elasticsearch/components/master/values.yaml @@ -0,0 +1,203 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: + mountPath: /dockerdata-nfs + backup: + mountPath: /dockerdata-nfs/backup + storageClass: +repositoryOverride: docker.io +################################################################# +# Application configuration defaults. +################################################################# +## Init containers parameters: +sysctlImage: + enabled: true +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. +volumePermissions: + enabled: true + +# application image +## Elasticsearch master-eligible node parameters +## +name: master +## Number of master-eligible node(s) replicas to deploy +## +replicaCount: 3 +## master acts as master only node, choose 'no' if no further data nodes are deployed) +dedicatednode: "yes" +## dedicatednode: "no" +image: + imageName: bitnami/elasticsearch + tag: 6.8.6-debian-9-r23 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Set to true if you would like to see extra information on logs + ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging + ## + debug: false + +## String to partially override common.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override common.fullname template +## +# fullnameOverride: +## updateStrategy for ElasticSearch master statefulset +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## +updateStrategy: + type: RollingUpdate +heapSize: 128m +## Provide annotations for master-eligible pods. +## +podAnnotations: {} +## Pod Security Context for master-eligible pods. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 +## Affinity for pod assignment. +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} +## Node labels for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## Tolerations for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## Elasticsearch master-eligible container's resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. + limits: {} + # cpu: 100m + # memory: 128Mi + requests: + cpu: 25m + memory: 256Mi +## Elasticsearch master-eligible container's liveness and readiness probes +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## +livenessProbe: + enabled: false +# initialDelaySeconds: 90 +# periodSeconds: 10 +# timeoutSeconds: 5 +# successThreshold: 1 +# failureThreshold: 5 +readinessProbe: + enabled: false +# initialDelaySeconds: 90 +# periodSeconds: 10 +# timeoutSeconds: 5 +# successThreshold: 1 +# failureThreshold: 5 +## Enable persistence using Persistent Volume Claims +## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + ## If true, use a Persistent Volume Claim, If false, use emptyDir + ## + enabled: true + ## suffix for pv + suffix: master-pv + ## Persistent Volume Storage Class + ## If defined, storageClassName: <storageClass> + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + ## Persistent Volume Claim annotations + ## + annotations: {} + ## Persistent Volume Access Mode + ## + accessMode: ReadWriteOnce + ## Persistent Volume size + ## + size: 8Gi + # existingClaim: + volumeReclaimPolicy: Retain + mountSubPath: elastic-master + storageType: local + backup: + mountPath: /dockerdata-nfs/backup +## Service parameters for master-eligible node(s) +## +service: + suffix: "service" + name: "" + ## list of ports for "common.containerPorts" + ## Elasticsearch transport port + ports: + - name: http-transport + port: 9300 + ## master-eligible service type + ## + type: ClusterIP + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: +## Provide functionality to use RBAC +## +serviceAccount: + ## Specifies whether a ServiceAccount should be created for the master node + create: false + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + # name: + + +## Elasticsearch cluster name +## +clusterName: elastic-cluster + + + diff --git a/kubernetes/common/elasticsearch/requirements.yaml b/kubernetes/common/elasticsearch/requirements.yaml new file mode 100644 index 0000000000..8a02fef7b7 --- /dev/null +++ b/kubernetes/common/elasticsearch/requirements.yaml @@ -0,0 +1,29 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: common + version: ~6.x-0 + repository: 'file://../common' + - name: master + version: ~6.x-0 + repository: 'file://components/master' + - name: data + version: ~6.x-0 + repository: 'file://components/data' + condition: elasticsearch.data.enabled,data.enabled + - name: curator + version: ~6.x-0 + repository: 'file://components/curator' + condition: elasticsearch.curator.enabled,curator.enabled diff --git a/kubernetes/common/elasticsearch/templates/_helpers.tpl b/kubernetes/common/elasticsearch/templates/_helpers.tpl new file mode 100644 index 0000000000..fdbe82f855 --- /dev/null +++ b/kubernetes/common/elasticsearch/templates/_helpers.tpl @@ -0,0 +1,103 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} + + +{{ define "elasticsearch.clustername"}} +{{- printf "%s-%s" (include "common.name" .) "cluster" -}} +{{- end -}} + +{{/* +This define should be used instead of "common.fullname" to allow +special handling of kibanaEnabled=true +Create a default fully qualified coordinating name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "elasticsearch.coordinating.fullname" -}} +{{- if .Values.global.kibanaEnabled -}} +{{- printf "%s-%s" .Release.Name .Values.global.coordinating.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" (include "common.fullname" .) .Values.global.coordinating.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* + Create the name of the master service account to use + */}} +{{- define "elasticsearch.master.serviceAccountName" -}} +{{- if .Values.master.serviceAccount.create -}} + {{ default (include "common.fullname" (dict "suffix" "master" "dot" .)) .Values.master.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.master.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* + Create the name of the coordinating-only service account to use + */}} +{{- define "elasticsearch.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "common.fullname" . ) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* + Create the name of the data service account to use + */}} +{{- define "elasticsearch.data.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "common.fullname" (dict "suffix" "data" "dot" .)) .Values.data.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "elasticsearch.imagePullSecrets" -}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- else }} +{{- $imagePullSecrets := coalesce .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.curator.image.pullSecrets .Values.sysctlImage.pullSecrets .Values.volumePermissions.image.pullSecrets -}} +{{- if $imagePullSecrets }} +imagePullSecrets: +{{- range $imagePullSecrets }} + - name: {{ . }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "elasticsearch.curator.serviceAccountName" -}} +{{- if .Values.curator.serviceAccount.create -}} + {{ default (include "common.fullname" (dict "suffix" "currator" "dot" .)) .Values.curator.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.curator.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/elasticsearch/templates/configmap-aaf-add-config.yaml b/kubernetes/common/elasticsearch/templates/configmap-aaf-add-config.yaml new file mode 100644 index 0000000000..b4e0044891 --- /dev/null +++ b/kubernetes/common/elasticsearch/templates/configmap-aaf-add-config.yaml @@ -0,0 +1,33 @@ + +{{ if .Values.global.aafEnabled }} +{{/* +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.aafConfig.addconfig -}} +apiVersion: v1 +kind: ConfigMap +{{ $suffix := "aaf-add-config" -}} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} +data: + aaf-add-config.sh: |- + cd /opt/app/osaaf/local + mkdir -p certs + export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0) + keytool -exportcert -rfc -file certs/cacert.pem -keystore {{ .Values.aafConfig.fqi_namespace }}.trust.jks -alias ca_local_0 -storepass $cadi_truststore_password + openssl pkcs12 -in {{ .Values.aafConfig.fqi_namespace }}.p12 -out certs/cert.pem -passin pass:$cadi_keystore_password_p12 -passout pass:$cadi_keystore_password_p12 + cp {{ .Values.aafConfig.fqi_namespace }}.key certs/key.pem + chmod -R 755 certs +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/elasticsearch/templates/configmap-es.yaml b/kubernetes/common/elasticsearch/templates/configmap-es.yaml new file mode 100644 index 0000000000..38234da0cf --- /dev/null +++ b/kubernetes/common/elasticsearch/templates/configmap-es.yaml @@ -0,0 +1,20 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if .Values.config }} +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +data: + elasticsearch.yml: |- {{- toYaml .Values.config | nindent 4 }} +{{- end }} diff --git a/kubernetes/nbi/templates/configmap-aaf-add-config.yaml b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml index fe099b140d..49ce0ef76a 100644 --- a/kubernetes/nbi/templates/configmap-aaf-add-config.yaml +++ b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml @@ -1,6 +1,5 @@ -{{ if .Values.global.aafEnabled }} {{/* -# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies, Orange +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,15 +13,19 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} +{{- if .Values.nginx.serverBlock -}} -{{- if .Values.aafConfig.addconfig -}} apiVersion: v1 kind: ConfigMap -{{- $suffix := "aaf-add-config" }} +{{ $suffix := "nginx-server-block" -}} metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} data: - aaf-add-config.sh: |- - /opt/app/aaf_config/bin/agent.sh;/opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.aafConfig.fqi}} {{ .Values.aafConfig.fqdn }} > {{ .Values.aafConfig.credsPath }}/mycreds.prop -{{- end -}} + server-block.conf: |- +{{ if .Values.global.aafEnabled }} +{{ .Values.nginx.serverBlock.https | indent 4 }} +{{ else }} +{{ .Values.nginx.serverBlock.http | indent 4 }} + + +{{ end }} {{- end -}} diff --git a/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml new file mode 100644 index 0000000000..65a7f462e1 --- /dev/null +++ b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml @@ -0,0 +1,167 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: Deployment +{{ $role := "coordinating-only" -}} +{{ $suffix := $role -}} +{{ $labels := (dict "role" $role "discovery" (include "elasticsearch.clustername" .)) -}} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "labels" $labels "dot" . )| nindent 2 }} +spec: + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} + selector: {{- include "common.selectors" (dict "matchLabels" $labels "dot" .) | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" (dict "labels" $labels "dot" .) | nindent 6 }} + spec: +{{- include "elasticsearch.imagePullSecrets" . | nindent 6 }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplValue" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "elasticsearch.serviceAccountName" . }} + {{- if .Values.securityContext.enabled }} + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- end }} + + ## Image that performs the sysctl operation to modify Kernel settings (needed sometimes to avoid boot errors) + initContainers: + {{- if .Values.sysctlImage.enabled }} + - name: sysctl + image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /bin/sh + - -c + - | + set -o errexit + set -o pipefail + set -o nounset + sysctl -w vm.max_map_count=262144 && sysctl -w fs.file-max=65536 + securityContext: + privileged: true + {{- end }} + {{ include "common.aaf-config" . | nindent 8}} + + containers: + - name: {{ include "common.name" . }}-nginx + image: {{printf "%s/%s:%s" (include "common.repository" .) .Values.nginx.imageName .Values.nginx.tag }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.nginx.pullPolicy | quote }} + ports: {{- include "common.containerPorts" . | indent 12 -}} + {{- if .Values.nginx.livenessProbe }} + livenessProbe: {{- toYaml .Values.nginx.livenessProbe | nindent 12 }} + {{- end }} + {{- if .Values.nginx.readinessProbe }} + readinessProbe: {{- toYaml .Values.nginx.readinessProbe | nindent 12 }} + {{- end }} + {{- if .Values.nginx.resources }} + resources: {{- toYaml .Values.nginx.resources | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.nginx.serverBlock }} + - name: nginx-server-block + mountPath: /opt/bitnami/nginx/conf/server_blocks + {{- end }} + {{- include "common.aaf-config-volume-mountpath" . | nindent 10 }} + + - name: {{ include "common.name" . }}-elasticsearch + image: {{ printf "%s/%s:%s" (include "common.repository" .) .Values.image.imageName .Values.image.tag }} + {{- if .Values.securityContext.enabled }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: ELASTICSEARCH_CLUSTER_NAME + value: {{ include "elasticsearch.clustername" .}} + - name: ELASTICSEARCH_CLUSTER_HOSTS + value: {{ include "common.name" . }}-discovery + {{- if .Values.plugins }} + - name: ELASTICSEARCH_PLUGINS + value: {{ .Values.plugins | quote }} + {{- end }} + - name: ELASTICSEARCH_HEAP_SIZE + value: {{ .Values.heapSize | quote }} + - name: ELASTICSEARCH_IS_DEDICATED_NODE + value: "yes" + - name: ELASTICSEARCH_NODE_TYPE + value: "coordinating" + - name: ELASTICSEARCH_PORT_NUMBER + value: "9000" + {{/*ports: {{- include "common.containerPorts" . | indent 12 -}} */}} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + httpGet: + path: /_cluster/health?local=true + port: http + {{- end }} + {{- if .Values.readinessProbe.enabled}} + readinessProbe: + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + httpGet: + path: /_cluster/health?local=true + port: http + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end}} + volumeMounts: + {{- if .Values.config }} + - mountPath: /opt/bitnami/elasticsearch/config/elasticsearch.yml + name: config + subPath: elasticsearch.yml + {{- end }} + - name: data + mountPath: "/bitnami/elasticsearch/data/" + {{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} + volumes: + {{- if .Values.config }} + - name: config + configMap: + name: {{ include "common.fullname" . }} + {{- end }} + - name: data + emptyDir: {} + {{- if .Values.extraVolumes }} + {{- toYaml .Values.extraVolumes | nindent 8 }} + {{- end }} + {{- if .Values.nginx.serverBlock }} + - name: nginx-server-block + configMap: + name: {{ include "common.fullname" . }}-nginx-server-block + {{- end }} + {{- include "common.aaf-config-volumes" . | nindent 8}} + diff --git a/kubernetes/common/elasticsearch/templates/coordinating-svc-https.yaml b/kubernetes/common/elasticsearch/templates/coordinating-svc-https.yaml new file mode 100644 index 0000000000..610c7d68c1 --- /dev/null +++ b/kubernetes/common/elasticsearch/templates/coordinating-svc-https.yaml @@ -0,0 +1,18 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ $role := "coordinating-only" -}} +{{ $labels := (dict "role" $role) -}} +{{ $matchLabels := (dict "role" $role) }} +{{ include "common.service" (dict "labels" $labels "matchLabels" $matchLabels "dot" . ) }} diff --git a/kubernetes/common/elasticsearch/templates/discovery-svc.yaml b/kubernetes/common/elasticsearch/templates/discovery-svc.yaml new file mode 100644 index 0000000000..fa79c29eca --- /dev/null +++ b/kubernetes/common/elasticsearch/templates/discovery-svc.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $matchLabels := (dict "discovery" (include "elasticsearch.clustername" .) "nameNoMatch" "useDiscoveryService") }} +{{ include "common.headlessService" (dict "matchLabels" $matchLabels "dot" .) }} diff --git a/kubernetes/common/elasticsearch/templates/secrets.yaml b/kubernetes/common/elasticsearch/templates/secrets.yaml new file mode 100644 index 0000000000..359e8975e1 --- /dev/null +++ b/kubernetes/common/elasticsearch/templates/secrets.yaml @@ -0,0 +1,15 @@ +# Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2019 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/elasticsearch/templates/serviceaccount.yaml b/kubernetes/common/elasticsearch/templates/serviceaccount.yaml new file mode 100644 index 0000000000..49ad504da6 --- /dev/null +++ b/kubernetes/common/elasticsearch/templates/serviceaccount.yaml @@ -0,0 +1,21 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +{{ $role := .Values.global.coordinating.name -}} +{{ $suffix := $role -}} +{{ $labels := (dict "role" $role) -}} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "labels" $labels "dot" . )| nindent 2 }} +{{- end }} diff --git a/kubernetes/common/elasticsearch/values.yaml b/kubernetes/common/elasticsearch/values.yaml new file mode 100644 index 0000000000..3627b2ea97 --- /dev/null +++ b/kubernetes/common/elasticsearch/values.yaml @@ -0,0 +1,329 @@ +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + aafEnabled: true + aafAgentImage: onap/aaf/aaf_agent:2.1.15 + nodePortPrefix: 302 + readinessRepository: oomk8s + readinessImage: readiness-check:2.0.2 + loggingRepository: docker.elastic.co + loggingImage: beats/filebeat:5.5.0 + busyboxRepository: registry.hub.docker.com + busyboxImage: library/busybox:latest + clusterName: cluster.local + +persistence: + mountPath: /dockerdata-nfs + backup: + mountPath: /dockerdata-nfs/backup + storageClass: +repositoryOverride: docker.io + +################################################################# +# Application configuration defaults. +################################################################# +## Init containers parameters: +sysctlImage: + enabled: true + +# application image +image: + imageName: bitnami/elasticsearch + tag: 6.8.6-debian-9-r23 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Set to true if you would like to see extra information on logs + ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging + ## + debug: false + +## String to partially override common.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override common.fullname template +## +# fullnameOverride: +## updateStrategy for ElasticSearch coordinating deployment +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## +updateStrategy: + type: RollingUpdate +heapSize: 128m +## Provide annotations for the coordinating-only pods. +## +podAnnotations: {} +## Pod Security Context for coordinating-only pods. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 +## Affinity for pod assignment. +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} +## Node labels for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## Tolerations for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## Elasticsearch coordinating-only container's resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. + limits: {} + # cpu: 100m + # memory: 128Mi + requests: + cpu: 25m + memory: 256Mi +## Elasticsearch coordinating-only container's liveness and readiness probes +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## +livenessProbe: + enabled: false +# initialDelaySeconds: 90 +# periodSeconds: 10 +# timeoutSeconds: 5 +# successThreshold: 1 +# failureThreshold: 5 +readinessProbe: + enabled: false +# initialDelaySeconds: 90 +# periodSeconds: 10 +# timeoutSeconds: 5 +# successThreshold: 1 +# failureThreshold: 5 +## Service parameters for coordinating-only node(s) +## +serviceAccount: + ## Specifies whether a ServiceAccount should be created for the coordinating node + ## + create: false + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + ## + # name: + +## Bitnami Minideb image version +## ref: https://hub.docker.com/r/bitnami/minideb/tags/ +## +sysctlImage: + enabled: true + imageName: bitnami/minideb + tag: stretch + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +# nginx image +nginx: + imageName: bitnami/nginx + tag: 1.16-debian-9 + pullPolicy: IfNotPresent + service: + name: nginx + ports: + - name: elasticsearch + port: 8080 +## Custom server block to be added to NGINX configuration +## PHP-FPM example server block: + serverBlock: + https: |- + server { + listen 9200 ssl; + #server_name ; + # auth_basic "server auth"; + # auth_basic_user_file /etc/nginx/passwords; + ssl_certificate /opt/app/osaaf/local/certs/cert.pem; + ssl_certificate_key /opt/app/osaaf/local/certs/key.pem; + location / { + # deny node shutdown api + if ($request_filename ~ "_shutdown") { + return 403; + break; + } + + proxy_pass http://localhost:9000; + proxy_http_version 1.1; + proxy_set_header Connection "Keep-Alive"; + proxy_set_header Proxy-Connection "Keep-Alive"; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_redirect off; + } + + location = / { + proxy_pass http://localhost:9000; + proxy_http_version 1.1; + proxy_set_header Connection "Keep-Alive"; + proxy_set_header Proxy-Connection "Keep-Alive"; + proxy_redirect off; + auth_basic "off"; + } + } + http: |- + server { + listen 9200 ; + #server_name ; + location / { + # deny node shutdown api + if ($request_filename ~ "_shutdown") { + return 403; + break; + } + + proxy_pass http://localhost:9000; + proxy_http_version 1.1; + proxy_set_header Connection "Keep-Alive"; + proxy_set_header Proxy-Connection "Keep-Alive"; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_redirect off; + } + + location = / { + proxy_pass http://localhost:9000; + proxy_http_version 1.1; + proxy_set_header Connection "Keep-Alive"; + proxy_set_header Proxy-Connection "Keep-Alive"; + proxy_redirect off; + auth_basic "off"; + } + } +################################################################# +# coordinating service configuration defaults. +################################################################# + +service: + name: "" + suffix: "" + ## coordinating-only service type + ## + type: ClusterIP + headlessPorts: + - name: http-transport + port: 9300 + headless: + suffix: discovery + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + publishNotReadyAddresses: true + ## Elasticsearch tREST API port + ## + ports: + - name: elasticsearch + port: 9200 + + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + ## Provide functionality to use RBAC + ## +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: &aaf_secret_uid elasticsearch-aaf-deploy-creds + type: basicAuth + externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDisabled" .Values.global.aafEnabled }}' + login: '{{ .Values.aafConfig.aafDeployFqi }}' + password: '{{ .Values.aafConfig.aafDeployPass }}' + passwordPolicy: required +################################################################# +# aaf configuration defaults. +################################################################# +aafConfig: + addconfig: true + fqdn: "elastic" + image: onap/aaf/aaf_agent:2.1.15 + app_ns: "org.osaaf.aaf" + fqi_namespace: org.onap.elastic + fqi: "elastic@elastic.onap.org" + public_fqdn: "aaf.osaaf.org" + deploy_fqi: "deployer@people.osaaf.org" + aafDeployFqi: "deployer@people.osaaf.org" + aafDeployPass: demo123456! + #aafDeployCredsExternalSecret: some secret + #cadi_latitude: "52.5" + #cadi_longitude: "13.4" + secret_uid: *aaf_secret_uid +################################################################# +# subcharts configuration defaults. +################################################################# + + +#data: +# enabled: false + +#curator: +# enabled: false + +## Change nameOverride to be consistent accross all elasticsearch (sub)-charts + +master: + replicaCount: 3 + # dedicatednode: "yes" + # working as master node only, in this case increase replicaCount for elasticsearch-data + # dedicatednode: "no" + # handles master and data node functionality + dedicatednode: "no" +data: + enabled: false +curator: + enabled: false diff --git a/kubernetes/common/etcd/requirements.yaml b/kubernetes/common/etcd/requirements.yaml index facbc4434e..e90e615d73 100644 --- a/kubernetes/common/etcd/requirements.yaml +++ b/kubernetes/common/etcd/requirements.yaml @@ -15,4 +15,4 @@ dependencies: - name: common version: ~6.x-0 - repository: '@local' + repository: 'file://../common' diff --git a/kubernetes/common/mariadb-galera/resources/config/configure-mysql.sh b/kubernetes/common/mariadb-galera/resources/config/configure-mysql.sh new file mode 100755 index 0000000000..42c5c89726 --- /dev/null +++ b/kubernetes/common/mariadb-galera/resources/config/configure-mysql.sh @@ -0,0 +1,89 @@ +#!/bin/bash +# +# Adfinis SyGroup AG +# openshift-mariadb-galera: mysql setup script +# + +set -eox pipefail + +echo 'Running mysql_install_db ...' +mysql_install_db --datadir=/var/lib/mysql +echo 'Finished mysql_install_db' + +mysqld --skip-networking --socket=/var/lib/mysql/mysql-init.sock --wsrep_on=OFF & +pid="$!" + +mysql=( mysql --protocol=socket -uroot -hlocalhost --socket=/var/lib/mysql/mysql-init.sock ) + +for i in {30..0}; do + if echo 'SELECT 1' | "${mysql[@]}" &> /dev/null; then + break + fi + echo 'MySQL init process in progress...' + sleep 1 +done +if [ "$i" = 0 ]; then + echo >&2 'MySQL init process failed.' + exit 1 +fi + +if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then + # sed is for https://bugs.mysql.com/bug.php?id=20545 + mysql_tzinfo_to_sql /usr/share/zoneinfo | sed 's/Local time zone must be set--see zic manual page/FCTY/' | "${mysql[@]}" mysql +fi + +function prepare_password { + echo -n $1 | sed -e "s/'/''/g" +} + +mysql_root_password=`prepare_password $MYSQL_ROOT_PASSWORD` +# add MariaDB root user +"${mysql[@]}" <<-EOSQL +-- What's done in this file shouldn't be replicated +-- or products like mysql-fabric won't work +SET @@SESSION.SQL_LOG_BIN=0; + +DELETE FROM mysql.user ; +CREATE USER 'root'@'%' IDENTIFIED BY '${mysql_root_password}' ; +GRANT ALL ON *.* TO 'root'@'%' WITH GRANT OPTION ; +DROP DATABASE IF EXISTS test ; +FLUSH PRIVILEGES ; +EOSQL + +# add root password for subsequent calls to mysql +if [ ! -z "$MYSQL_ROOT_PASSWORD" ]; then + mysql+=( -p"${MYSQL_ROOT_PASSWORD}" ) +fi + +# add users require for Galera +# TODO: make them somehow configurable +"${mysql[@]}" <<-EOSQL +CREATE USER 'xtrabackup_sst'@'localhost' IDENTIFIED BY 'xtrabackup_sst' ; +GRANT RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'xtrabackup_sst'@'localhost' ; +CREATE USER 'readinessProbe'@'localhost' IDENTIFIED BY 'readinessProbe'; +EOSQL + +if [ "$MYSQL_DATABASE" ]; then + echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" | "${mysql[@]}" + mysql+=( "$MYSQL_DATABASE" ) +fi + +if [ "$MYSQL_USER" -a "$MYSQL_PASSWORD" ]; then + mysql_password=`prepare_password $MYSQL_PASSWORD` + echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$mysql_password' ;" | "${mysql[@]}" + + if [ "$MYSQL_DATABASE" ]; then + echo "GRANT ALL ON \`$MYSQL_DATABASE\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}" + fi + + echo 'FLUSH PRIVILEGES ;' | "${mysql[@]}" +fi + +if ! kill -s TERM "$pid" || ! wait "$pid"; then + echo >&2 'MySQL init process failed.' + exit 1 +fi + +echo +echo 'MySQL init process done. Ready for start up.' +echo diff --git a/kubernetes/common/mariadb-galera/templates/configmap.yaml b/kubernetes/common/mariadb-galera/templates/configmap.yaml index e7bb701930..a7064d7ce4 100644 --- a/kubernetes/common/mariadb-galera/templates/configmap.yaml +++ b/kubernetes/common/mariadb-galera/templates/configmap.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,4 +29,17 @@ metadata: data: my_extra.cnf: | {{ .Values.externalConfig | indent 4 }} -{{- end -}} +{{- end }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index 7157e3390b..855d50e5ea 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -47,6 +47,10 @@ spec: configMap: name: {{ include "common.fullname" . }}-external-config {{- end}} + - name: init-script + configMap: + name: {{ include "common.fullname" . }} + defaultMode: 0755 - name: localtime hostPath: path: /etc/localtime @@ -104,6 +108,9 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true + - mountPath: /usr/share/container-scripts/mysql/configure-mysql.sh + subPath: configure-mysql.sh + name: init-script {{- if .Values.persistence.enabled }} - mountPath: /var/lib/mysql name: {{ include "common.fullname" . }}-data diff --git a/kubernetes/common/mongo/requirements.yaml b/kubernetes/common/mongo/requirements.yaml index f99477141f..6ba617e990 100644 --- a/kubernetes/common/mongo/requirements.yaml +++ b/kubernetes/common/mongo/requirements.yaml @@ -15,4 +15,4 @@ dependencies: - name: common version: ~6.x-0 - repository: '@local' + repository: 'file://../common' diff --git a/kubernetes/common/music/charts/music-cassandra/requirements.yaml b/kubernetes/common/music/charts/music-cassandra/requirements.yaml index 38536fcd78..0a80d654d0 100644 --- a/kubernetes/common/music/charts/music-cassandra/requirements.yaml +++ b/kubernetes/common/music/charts/music-cassandra/requirements.yaml @@ -15,4 +15,4 @@ dependencies: - name: common version: ~6.x-0 - repository: '@local'
\ No newline at end of file + repository: 'file://../../../common' diff --git a/kubernetes/common/music/charts/music-tomcat/resources/config/music.properties b/kubernetes/common/music/charts/music-tomcat/resources/config/music.properties deleted file mode 100755 index b977ca58ee..0000000000 --- a/kubernetes/common/music/charts/music-tomcat/resources/config/music.properties +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -my.public.ip=localhost -all.public.ips=localhost -my.id=0 -all.ids=0 -### Host Info ### -zookeeper.host={{.Values.properties.zookeeperHost}} -cassandra.host={{.Values.properties.cassandraHost}} -### User Info ### -cassandra.user={{.Values.properties.cassandraUser}} -cassandra.password={{.Values.properties.cassandraPassword}} -### AAF Endpoint ### -aaf.endpoint.url={{.Values.properties.aafEndpointUrl}} -### Admin API ### -# AAF UAT -aaf.admin.url={{.Values.properties.aafAdminUrl}} -# AAF PROD -admin.aaf.role={{.Values.properties.adminAafRole}} -music.namespace={{.Values.properties.musicNamespace}} diff --git a/kubernetes/common/music/charts/music-tomcat/templates/deployment.yaml b/kubernetes/common/music/charts/music-tomcat/templates/deployment.yaml deleted file mode 100755 index dcbd4e2d88..0000000000 --- a/kubernetes/common/music/charts/music-tomcat/templates/deployment.yaml +++ /dev/null @@ -1,115 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-zookeeper-readiness - image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /root/ready.py - args: - - --container-name - - zookeeper - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-cassandra-readiness - image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /root/job_complete.py - args: - - -j - - "{{ include "common.release" . }}-music-cassandra-job-config" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace -# War Container - - name: "{{ .Chart.Name }}-war" - image: "{{ include "common.repository" . }}/{{ .Values.warImage }}" - command: ["cp","/app/MUSIC.war","/webapps"] - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - volumeMounts: - - mountPath: /webapps - name: shared-data - containers: - # Tomcat Container - - name: "{{ include "common.name" . }}" - image: "{{ include "common.repository" . }}/{{ .Values.image }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/local/tomcat/webapps - name: shared-data - - name: properties-music - mountPath: /opt/app/music/etc/music.properties - subPath: music.properties - resources: -{{ include "common.resources" . | indent 12 }} - volumes: - - name: shared-data - emptyDir: {} - - name: localtime - hostPath: - path: /etc/localtime - - name: properties-music - configMap: - name: {{ include "common.fullname" . }}-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/common/music/charts/music-tomcat/templates/service.yaml b/kubernetes/common/music/charts/music-tomcat/templates/service.yaml deleted file mode 100755 index d808bf957a..0000000000 --- a/kubernetes/common/music/charts/music-tomcat/templates/service.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/common/music/charts/music-tomcat/values.yaml b/kubernetes/common/music/charts/music-tomcat/values.yaml deleted file mode 100755 index b91ffbd4e4..0000000000 --- a/kubernetes/common/music/charts/music-tomcat/values.yaml +++ /dev/null @@ -1,114 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - repository: nexus3.onap.org:10001 - - # readiness check - readinessRepository: oomk8s - readinessImage: readiness-check:2.0.0 - - # logging agent - loggingRepository: docker.elastic.co - loggingImage: beats/filebeat:5.5.0 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -repository: nexus3.onap.org:10001 -image: library/tomcat:8.5 -pullPolicy: Always -warImage: onap/music/music:3.0.24 - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - usernameCassandra: cassandra1 - passwordCassandra: cassandra1 - -# default number of instances -replicaCount: 3 - -job: - host: cassandra - port: 9042 - busybox: - image: library/busybox:latest - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: music-tomcat - externalPort: 8080 - internalPort: 8080 - nodePort: 76 - portName: tomcat -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 900m - memory: 460Mi - requests: - cpu: 550m - memory: 360Mi - large: - limits: - cpu: 4 - memory: 2Gi - requests: - cpu: 2 - memory: 1Gi - unlimited: {} - - - -properties: - zookeeperHost: zookeeper - cassandraHost: music-cassandra - cassandraUser: nelson24 - cassandraPassword: nelson24 - - # Admin API - # ONAP AAF - aafAdminUrl: diff --git a/kubernetes/common/music/charts/music-tomcat/Chart.yaml b/kubernetes/common/music/charts/music/Chart.yaml index ec3934a2c5..7264b93e8a 100755..100644 --- a/kubernetes/common/music/charts/music-tomcat/Chart.yaml +++ b/kubernetes/common/music/charts/music/Chart.yaml @@ -13,6 +13,6 @@ # limitations under the License. apiVersion: v1 -description: ONAP - MUSIC Tomcat Container -name: music-tomcat +description: MUSIC api as a Service API Spring boot container. +name: music version: 6.0.0 diff --git a/kubernetes/common/music/charts/music/resources/config/logback.xml b/kubernetes/common/music/charts/music/resources/config/logback.xml new file mode 100755 index 0000000000..51423e547d --- /dev/null +++ b/kubernetes/common/music/charts/music/resources/config/logback.xml @@ -0,0 +1,302 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ============LICENSE_START========================================== + org.onap.music + =================================================================== + Copyright (c) 2017 AT&T Intellectual Property + =================================================================== + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + ============LICENSE_END============================================= + ==================================================================== +--> + +<configuration scan="true" scanPeriod="3 seconds"> + <!--<jmxConfigurator /> --> + <!-- directory path for all other type logs --> + <property name="logDir" value="/opt/app/music/logs" /> + + <!-- directory path for debugging type logs --> + <property name="debugDir" value="debug-logs" /> + + <!-- specify the component name --> + <!-- <property name="componentName" value="EELF"></property> --> + <property name="componentName" value="MUSIC"></property> + + <!-- log file names --> + <property name="generalLogName" value="music" /> + <property name="securityLogName" value="security" /> + <property name="errorLogName" value="error" /> + <property name="metricsLogName" value="metrics" /> + <property name="auditLogName" value="audit" /> + <property name="debugLogName" value="debug" /> + <property name="defaultPattern" value="%d{yyyy-MM-dd HH:mm:ss} [%thread] %-5level %logger{36} - %msg%n" /> + <!-- <property name="applicationLoggerPattern" value="%d{yyyy-MM-dd HH:mm:ss} [%thread] %-5level %msg%n" /> --> + <property name="applicationLoggerPattern" value="%d{yyyy-MM-dd HH:mm:ss} %-5level %X{keyspace} [transactionId:%X{transactionId}] - %msg%n" /> + <property name="auditLoggerPattern" value="%X{BeginTimestamp}|%X{EndTimestamp}|%X{RequestId}|%X{ServiceInstanceId}|%thread|%X{VirtualServerName}|%X{ServiceName}|%X{PartnerName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%.-5level|%X{AlertSeverity}|%X{ServerIPAddress}|%X{ElapsedTime}|%X{ServerFQDN}|%X{RemoteHost}|%X{ClassName}|%X{Unused}|%X{ProcessKey}|%X{CustomField1}|%X{CustomField2}|%X{CustomField3}|%X{CustomField4}| %msg%n" /> + <property name="metricsLoggerPattern" value="%X{BeginTimestamp}|%X{EndTimestamp}|%X{RequestId}|%X{ServiceInstanceId}|%thread|%X{VirtualServerName}|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%.-5level|%X{AlertSeverity}|%X{ServerIPAddress}|%X{ElapsedTime}|%X{ServerFQDN}|%X{RemoteHost}|%X{ClassName}|%X{Unused}|%X{ProcessKey}|%X{TargetVirtualEntity}|%X{CustomField1}|%X{CustomField2}|%X{CustomField3}|%X{CustomField4}| %msg%n" /> + <!-- <property name="errorLoggerPattern" value= "%d{yyyy-MM-dd HH:mm:ss} [%thread] %-5level %msg%n " /> --> + <property name="errorLoggerPattern" value="%d{yyyy-MM-dd HH:mm:ss} %-5level %X{keyspace} - %msg%n" /> + <property name="debugLoggerPattern" value="%date{ISO8601,UTC}|%X{RequestId}| %msg%n" ></property> + <property name="logDirectory" value="${logDir}/${componentName}" /> + <property name="debugLogDirectory" value="${debugDir}/${componentName}" /> + <!-- Example evaluator filter applied against console appender --> + <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> + <!-- <encoder> + <pattern>${defaultPattern}</pattern> + </encoder> --> + <!-- <filter class="org.onap.music.eelf.logging.CustomLoggingFilter" />--> + <encoder> + <pattern>%d{yyyy-MM-dd HH:mm:ss} [%thread] %-5level %logger{36} - %X{keyspace} %msg%n</pattern> + </encoder> + </appender> + + <!-- ============================================================================ --> + <!-- EELF Appenders --> + <!-- ============================================================================ --> + + <appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${generalLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.%i.log.zip</fileNamePattern> + <maxFileSize>1GB</maxFileSize> + <maxHistory>5</maxHistory> + <totalSizeCap>5GB</totalSizeCap> + </rollingPolicy> + <encoder> + <pattern>${applicationLoggerPattern}</pattern> + </encoder> + </appender> + + <appender name="asyncEELF" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <includeCallerData>true</includeCallerData> + <appender-ref ref="EELF" /> + </appender> + + <!-- Sift Appender --> + <appender name="KSEELF" class="ch.qos.logback.classic.sift.SiftingAppender"> + <!-- <discriminator class="org.onap.music.eelf.logging.AuxDiscriminator"> --> + <discriminator> + <key>keyspace</key> + <defaultValue>unknown</defaultValue> + </discriminator> + <sift> + <appender name="EELFSift" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${generalLogName}-keyspace.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${generalLogName}-${keyspace}.%d{yyyy-MM-dd}.%i.log.zip</fileNamePattern> + <maxHistory>30</maxHistory> + </rollingPolicy> + <encoder> + <pattern>${applicationLoggerPattern}</pattern> + </encoder> + </appender> + </sift> + </appender> + + <appender name="asyncKSEELF" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <includeCallerData>true</includeCallerData> + <appender-ref ref="KSEELF" /> + </appender> + + + + + <!-- <appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${generalLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.%i.log.zip</fileNamePattern> + <maxFileSize>1GB</maxFileSize> + <maxHistory>5</maxHistory> + <totalSizeCap>5GB</totalSizeCap> + </rollingPolicy> + <encoder> + <pattern>${applicationLoggerPattern}</pattern> + </encoder> + </appender> + + <appender name="asyncEELF" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <includeCallerData>true</includeCallerData> + <appender-ref ref="EELF" /> + </appender> --> + + <!-- EELF Security Appender. This appender is used to record security events + to the security log file. Security events are separate from other loggers + in EELF so that security log records can be captured and managed in a secure + way separate from the other logs. This appender is set to never discard any + events. --> + <appender name="EELFSecurity" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${securityLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> + <fileNamePattern>${logDirectory}/${securityLogName}.%i.log.zip</fileNamePattern> + <minIndex>1</minIndex> + <maxIndex>9</maxIndex> + </rollingPolicy> + <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> + <maxFileSize>5MB</maxFileSize> + </triggeringPolicy> + <encoder> + <pattern>%d{yyyy-MM-dd HH:mm:ss} [%thread] %-5level %logger{36} - %msg%n </pattern> + </encoder> + </appender> + + <appender name="asyncEELFSecurity" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <discardingThreshold>0</discardingThreshold> + <appender-ref ref="EELFSecurity" /> + </appender> + + + + + <!-- EELF Audit Appender. This appender is used to record audit engine + related logging events. The audit logger and appender are specializations + of the EELF application root logger and appender. This can be used to segregate + Policy engine events from other components, or it can be eliminated to record + these events as part of the application root log. --> + + <appender name="EELFAudit" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${auditLogName}.log</file> + <rollingPolicy + class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> + <fileNamePattern>${logDirectory}/${auditLogName}.%i.log.zip</fileNamePattern> + <minIndex>1</minIndex> + <maxIndex>9</maxIndex> + </rollingPolicy> + <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> + <maxFileSize>5MB</maxFileSize> + </triggeringPolicy> + <encoder> + <pattern>${auditLoggerPattern}</pattern> + </encoder> + </appender> + <appender name="asyncEELFAudit" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFAudit" /> + </appender> + + <appender name="EELFMetrics" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${metricsLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> + <fileNamePattern>${logDirectory}/${metricsLogName}.%i.log.zip + </fileNamePattern> + <minIndex>1</minIndex> + <maxIndex>9</maxIndex> + </rollingPolicy> + <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> + <maxFileSize>5MB</maxFileSize> + </triggeringPolicy> + <encoder> + <!-- <pattern>"%d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n"</pattern> --> + <pattern>${metricsLoggerPattern}</pattern> + </encoder> + </appender> + + + <appender name="asyncEELFMetrics" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFMetrics"/> + </appender> + + <appender name="EELFError" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${errorLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> + <fileNamePattern>${logDirectory}/${errorLogName}.%i.log.zip</fileNamePattern> + <minIndex>1</minIndex> + <maxIndex>9</maxIndex> + </rollingPolicy> + <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> + <maxFileSize>5MB</maxFileSize> + </triggeringPolicy> + <encoder> + <pattern>${errorLoggerPattern}</pattern> + </encoder> + </appender> + + <appender name="asyncEELFError" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFError"/> + </appender> + + <appender name="EELFDebug" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${debugLogDirectory}/${debugLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> + <fileNamePattern>${debugLogDirectory}/${debugLogName}.%i.log.zip</fileNamePattern> + <minIndex>1</minIndex> + <maxIndex>9</maxIndex> + </rollingPolicy> + <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> + <maxFileSize>5MB</maxFileSize> + </triggeringPolicy> + <encoder> + <pattern>${debugLoggerPattern}</pattern> + </encoder> + </appender> + + <appender name="asyncEELFDebug" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFDebug" /> + <includeCallerData>true</includeCallerData> + </appender> + + + <!-- ============================================================================ --> + <!-- EELF loggers --> + <!-- ============================================================================ --> + <logger name="com.att.eelf" level="{{.Values.logback.applicationLogLevel}}" additivity="false"> + <appender-ref ref="asyncEELF" /> + <appender-ref ref="asyncKSEELF" /> + </logger> + + <logger name="com.att.eelf.security" level="{{.Values.logback.securityLogLevel}}" additivity="false"> + <appender-ref ref="asyncEELFSecurity" /> + </logger> + + + <logger name="com.att.eelf.audit" level="{{.Values.logback.auditLogLevel}}" additivity="false"> + <appender-ref ref="asyncEELFAudit" /> + </logger> + + <logger name="com.att.eelf.metrics" level="{{.Values.logback.metricsLogLevel}}" additivity="false"> + <appender-ref ref="asyncEELFMetrics" /> + </logger> + + + <logger name="com.att.eelf.error" level="{{.Values.logback.errorLogLevel}}" additivity="false"> + <appender-ref ref="asyncEELFError" /> + </logger> + + <logger name="com.att.eelf.debug" level="debug" additivity="false"> + <appender-ref ref="asyncEELFDebug" /> + + </logger> + + <!-- Springboot??? --> + <!-- <logger name="org.springframework.web" level="DEBUG"> + <appender-ref ref="asyncEELF" /> + </logger> --> + + <root level="{{.Values.logback.rootLogLevel}}"> + <appender-ref ref="asyncEELF" /> + <appender-ref ref="asyncKSEELF" /> + <appender-ref ref="STDOUT" /> + </root> + + <!-- Conductor Specific additions to squash WARNING and INFO --> + <logger name="com.datastax.driver.core.Cluster" level="ERROR"/> + <logger name="org.onap.music.main.MusicCore" level="ERROR"/> +</configuration> + diff --git a/kubernetes/common/music/charts/music/resources/config/music-sb.properties b/kubernetes/common/music/charts/music/resources/config/music-sb.properties new file mode 100755 index 0000000000..751a351737 --- /dev/null +++ b/kubernetes/common/music/charts/music/resources/config/music-sb.properties @@ -0,0 +1,13 @@ +server.port=8443 +server.servlet.context-path=/MUSIC/rest +spring.jackson.mapper.ACCEPT_CASE_INSENSITIVE_ENUMS=true +#server.ssl.enabled=false +server.tomcat.max-threads=100 +#logging.file=/opt/app/music/logs/MUSIC/music-app.log +#logging.config=file:/opt/app/music/etc/logback.xml +security.require-ssl=true +server.ssl.key-store=/opt/app/aafcertman/org.onap.music.jks +server.ssl.key-store-password=${KEYSTORE_PASSWORD} +server.ssl.key-store-provider=SUN +server.ssl.key-store-type=JKS + diff --git a/kubernetes/common/music/charts/music/resources/config/music.properties b/kubernetes/common/music/charts/music/resources/config/music.properties new file mode 100755 index 0000000000..a7681d0a02 --- /dev/null +++ b/kubernetes/common/music/charts/music/resources/config/music.properties @@ -0,0 +1,24 @@ +lock.using={{.Values.properties.lockUsing}} +cassandra.host={{.Values.properties.cassandraHost}} +cassandra.port={{ .Values.properties.cassandraPort }} +lock.lease.period={{.Values.properties.lockLeasePeriod}} +cassandra.user=${CASSA_USER} +cassandra.password=${CASSA_PASSWORD} +cassandra.connecttimeoutms={{.Values.properties.cassandraConnecttimeoutms}} +cassandra.readtimeoutms={{.Values.properties.cassandraReadtimeoutms}} +cadi={{.Values.properties.cadi}} +music.aaf.ns={{.Values.properties.musicAafNs}} +keyspace.active={{.Values.properties.keyspaceActive}} +transId.header.required={{.Values.properties.transIdRequired}} +transId.header.prefix={{.Values.properties.transIdPrefix}} +conversation.header.required={{.Values.properties.conversationRequired}} +conversation.header.prefix={{.Values.properties.conversationPrefix}} +clientId.header.required={{.Values.properties.clientIdRequired}} +clientId.header.prefix={{.Values.properties.clientIdPrefix}} +messageId.header.required={{.Values.properties.messageIdRequired}} +messageId.header.prefix={{.Values.properties.messageIdPrefix}} +retry.count={{.Values.properties.retryCount}} +lock.daemon.sleeptime.ms={{.Values.properties.lockDaemonSleeptimeMs}} +keyspaces.for.lock.cleanup={{.Values.properties.keyspaceForLockCleanup}} +create.lock.wait.period.ms=0 +create.lock.wait.increment.ms=0 diff --git a/kubernetes/common/music/charts/music/resources/config/startup.sh b/kubernetes/common/music/charts/music/resources/config/startup.sh new file mode 100755 index 0000000000..7ab32558b4 --- /dev/null +++ b/kubernetes/common/music/charts/music/resources/config/startup.sh @@ -0,0 +1,67 @@ +#!/bin/bash +# +# ============LICENSE_START========================================== +# org.onap.music +# =================================================================== +# Copyright (c) 2019 AT&T Intellectual Property +# =================================================================== +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# ============LICENSE_END============================================= +# ==================================================================== + +echo "Running startup script to get password from certman" +PWFILE=/opt/app/aafcertman/.password +LOGFILE=/opt/app/music/logs/MUSIC/music-sb.log +PROPS=/opt/app/music/etc/music-sb.properties +LOGBACK=/opt/app/music/etc/logback.xml +LOGGING= +DEBUG_PROP= +# Debug Setup. Uses env variables +# DEBUG and DEBUG_PORT +# DEBUG=true/false | DEBUG_PORT=<Port valie must be integer> +if [ "${DEBUG}" == "true" ]; then + if [ "${DEBUG_PORT}" == "" ]; then + DEBUG_PORT=8000 + fi + echo "Debug mode on" + DEBUG_PROP="-Xdebug -Xrunjdwp:server=y,transport=dt_socket,address=${DEBUG_PORT},suspend=n" +fi + +# LOGBACK file: if /opt/app/music/etc/logback.xml exists thenuse that. +if [ -f $LOGBACK ]; then + LOGGING="--logging.config=file:${LOGBACK}" +fi + +# Get Passwords from /opt/app/aafcertman +if [ -f $PWFILE ]; then + echo "Found ${PWFILE}" >> $LOGFILE + PASSWORD=$(cat ${PWFILE}) +else + PASSWORD=changeit + echo "#### Using Default Password for Certs" >> ${LOGFILE} +fi + +# If music-sb.properties exists in /opt/app/music/etc then use that to override the application.properties +if [ -f $PROPS ]; then + # Run with different Property file + #echo "java ${DEBUG_PROP} -jar MUSIC.jar --spring.config.location=file:${PROPS} ${LOGGING} 2>&1 | tee ${LOGFILE}" + java ${DEBUG_PROP} ${JAVA_OPTS} -jar MUSIC-SB.jar ${SPRING_OPTS} --spring.config.location=file:${PROPS} ${LOGGING} 2>&1 | tee ${LOGFILE} +else + #echo "java ${DEBUG_PROP} -jar MUSIC.jar --server.ssl.key-store-password=${PASSWORD} ${LOGGING} 2>&1 | tee ${LOGFILE}" + java ${DEBUG_PROP} ${JAVA_OPTS} -jar MUSIC-SB.jar ${SPRING_OPTS} --server.ssl.key-store-password="${PASSWORD}" ${LOGGING} 2>&1 | tee ${LOGFILE} +fi + + + + diff --git a/kubernetes/common/music/charts/music/resources/keys/org.onap.music.jks b/kubernetes/common/music/charts/music/resources/keys/org.onap.music.jks Binary files differnew file mode 100644 index 0000000000..35d27c3ef7 --- /dev/null +++ b/kubernetes/common/music/charts/music/resources/keys/org.onap.music.jks diff --git a/kubernetes/common/music/charts/music/resources/keys/truststoreONAPall.jks b/kubernetes/common/music/charts/music/resources/keys/truststoreONAPall.jks Binary files differnew file mode 100644 index 0000000000..ff844b109d --- /dev/null +++ b/kubernetes/common/music/charts/music/resources/keys/truststoreONAPall.jks diff --git a/kubernetes/common/music/charts/music-tomcat/templates/configmap.yaml b/kubernetes/common/music/charts/music/templates/configmap.yaml index 15859345e8..4023f343df 100755..100644 --- a/kubernetes/common/music/charts/music-tomcat/templates/configmap.yaml +++ b/kubernetes/common/music/charts/music/templates/configmap.yaml @@ -1,5 +1,4 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. +# Copyright © 2017-2020 AT&T, Amdocs, Bell Canada # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,12 +11,9 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/music/charts/music/templates/deployment.yaml b/kubernetes/common/music/charts/music/templates/deployment.yaml new file mode 100644 index 0000000000..c3b30b22b7 --- /dev/null +++ b/kubernetes/common/music/charts/music/templates/deployment.yaml @@ -0,0 +1,119 @@ +# Copyright © 2017-2020 AT&T, Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - name: {{ include "common.name" . }}-cassandra-readiness + image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /root/job_complete.py + args: + - -j + - "{{ include "common.release" . }}-music-cassandra-job-config" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: KEYSTORE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "music-keystore-pw" "key" "password") | indent 12}} + - name: CASSA_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cassa-secret" "key" "login") | indent 12 }} + - name: CASSA_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cassa-secret" "key" "password") | indent 12 }} + volumeMounts: + - mountPath: /config-input + name: properties-music-scrubbed + - mountPath: /config + name: properties-music + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + containers: + # MUSIC Container + - name: "{{ include "common.name" . }}-springboot" + image: "{{ .Values.repository }}/{{ .Values.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + resources: +{{ toYaml .Values.resources | indent 12 }} + env: + - name: SPRING_OPTS + value: "{{ .Values.springOpts }}" + - name: JAVA_OPTS + value: "{{ .Values.javaOpts }}" + - name: DEBUG + value: "{{ .Values.debug }}" + volumeMounts: + - name: localtime + mountPath: /etc/localtime + readOnly: true + - name: properties-music + mountPath: /opt/app/music/etc/music.properties + subPath: music.properties + - name: properties-music + mountPath: /opt/app/music/etc/music-sb.properties + subPath: music-sb.properties + - name: properties-music-scrubbed + mountPath: /opt/app/music/etc/logback.xml + subPath: logback.xml + - name: certs-aaf + mountPath: /opt/app/aafcertman/ + volumes: + - name: shared-data + emptyDir: {} + - name: certificate-vol + emptyDir: {} + - name: localtime + hostPath: + path: /etc/localtime + - name: properties-music-scrubbed + configMap: + name: {{ include "common.fullname" . }} + - name: properties-music + emptyDir: + medium: Memory + - name: certs-aaf + secret: + secretName: {{ include "common.secret.getSecretNameFast" (dict "global" . "uid" "music-certs") }} diff --git a/kubernetes/common/music/charts/music/templates/secrets.yaml b/kubernetes/common/music/charts/music/templates/secrets.yaml new file mode 100644 index 0000000000..5d5f5bb397 --- /dev/null +++ b/kubernetes/common/music/charts/music/templates/secrets.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 AT&T, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/music/charts/music/templates/service.yaml b/kubernetes/common/music/charts/music/templates/service.yaml new file mode 100644 index 0000000000..ca774c9b5b --- /dev/null +++ b/kubernetes/common/music/charts/music/templates/service.yaml @@ -0,0 +1,15 @@ +# Copyright © 2017-2020 AT&T, Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.service" . }} diff --git a/kubernetes/common/music/charts/music/values.yaml b/kubernetes/common/music/charts/music/values.yaml new file mode 100644 index 0000000000..faa5a6223d --- /dev/null +++ b/kubernetes/common/music/charts/music/values.yaml @@ -0,0 +1,178 @@ +# Copyright © 2020 AT&T, Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + repository: nexus3.onap.org:10001 + + envsubstImage: dibi/envsubst + + # readiness check + readinessRepository: oomk8s + readinessImage: readiness-check:2.0.0 + + # logging agent + loggingRepository: docker.elastic.co + loggingImage: beats/filebeat:5.5.0 + + truststore: truststoreONAPall.jks + + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: music-certs + name: keystore.jks + type: generic + filePaths: + - resources/keys/org.onap.music.jks + - uid: music-keystore-pw + name: keystore-pw + type: password + password: '{{ .Values.keystorePassword }}' + passwordPolicy: required + - uid: cassa-secret + type: basicAuth + login: '{{ .Values.properties.cassandraUser }}' + password: '{{ .Values.properties.cassandraPassword }}' + passwordPolicy: required + + +################################################################# +# Application configuration defaults. +################################################################# +# application image +repository: nexus3.onap.org:10001 +image: onap/music/music_sb:3.2.40 +pullPolicy: Always + +job: + host: cassandra + port: 9042 + busybox: + image: library/busybox:latest + + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 30 + periodSeconds: 6 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: false + port: 8443 + + +# Java options that need to be passed to jave on CLI +#javaOpts: -Xms256m -Xmx2048m +javaOpts: +# Options that need to be passed to CLI for Sprngboot, pw is a secret passed in through ENV +springOpts: --spring.config.location=file:/opt/app/music/etc/music-sb.properties +# Resource Limit flavor -By Default using small +flavor: large +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: 1000m + memory: 1G + requests: + cpu: 300m + memory: 512Mi + large: + limits: + cpu: 1500m + memory: 3Gi + requests: + cpu: 1000m + memory: 2Gi + unlimited: {} + +readiness: + initialDelaySeconds: 350 + periodSeconds: 120 + port: 8443 + +service: + useNodePortExt: true + type: NodePort + name: music + ports: + - name: https-api + port: 8443 + nodePort: '07' + +# Turn on Debugging true/false +debug: false +ingress: + enabled: false + +keystorePassword: "ysF9CVS+xvuXr0vf&fRa5lew" + +properties: + lockUsing: "cassandra" + # Comma dilimited list of hosts + cassandraHost: "music-cassandra" + cassandraUser: "nelson24" + cassandraPassword: "nelson24" + cassandraConnecttimeoutms: 12000 + cassandraPort: 9042 + # Connection Timeout for Cassandra in ms + # Read Timeout for Cassandra in ms + cassandraReadtimeoutms: 12000 + keyspaceActive: true + # Enable CADI + cadi: false + # Special headers that may be passed and if they are required. + # With the ability to add a Prefix if required. + transIdRequired: false + transIdPrefix: X-ATT- + conversationRequired: false + conversationPrefix: X-CSI- + clientIdRequired: false + clientIdPrefix: + messageIdRequired: false + messageIdPrefix: + + # sleep time for lock cleanup daemon, negative values turn off daemon +##### Lock settings + retryCount: 3 + lockLeasePeriod: 6000 + # sleep time for lock cleanup daemon, negative values turn off daemon + lockDaemonSleeptimeMs: 30000 + #comma separated list of keyspace names + keyspaceForLockCleanup: + + +logback: + errorLogLevel: info + securityLogLevel: info + applicationLogLevel: info + metricsLogLevel: info + auditLogLevel: info + # Values must be uppercase: INFO, WARN, CRITICAL,DEBUG etc.. + rootLogLevel: INFO + diff --git a/kubernetes/common/music/charts/zookeeper/.helmignore b/kubernetes/common/music/charts/zookeeper/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/common/music/charts/zookeeper/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/common/music/charts/zookeeper/Chart.yaml b/kubernetes/common/music/charts/zookeeper/Chart.yaml deleted file mode 100644 index 01e81736f6..0000000000 --- a/kubernetes/common/music/charts/zookeeper/Chart.yaml +++ /dev/null @@ -1,15 +0,0 @@ -name: zookeeper -home: https://zookeeper.apache.org/ -version: 1.0.2 -appVersion: 3.4.10 -description: Centralized service for maintaining configuration information, naming, - providing distributed synchronization, and providing group services. -icon: https://zookeeper.apache.org/images/zookeeper_small.gif -sources: -- https://github.com/apache/zookeeper -- https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper -maintainers: -- name: lachie83 - email: lachlan.evenson@microsoft.com -- name: kow3ns - email: owensk@google.com diff --git a/kubernetes/common/music/charts/zookeeper/OWNERS b/kubernetes/common/music/charts/zookeeper/OWNERS deleted file mode 100644 index dd9facde2a..0000000000 --- a/kubernetes/common/music/charts/zookeeper/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -approvers: -- lachie83 -- kow3ns -reviewers: -- lachie83 -- kow3ns diff --git a/kubernetes/common/music/charts/zookeeper/README.md b/kubernetes/common/music/charts/zookeeper/README.md deleted file mode 100644 index 22bbac49dc..0000000000 --- a/kubernetes/common/music/charts/zookeeper/README.md +++ /dev/null @@ -1,140 +0,0 @@ -# incubator/zookeeper - -This helm chart provides an implementation of the ZooKeeper [StatefulSet](http://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/) found in Kubernetes Contrib [Zookeeper StatefulSet](https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper). - -## Prerequisites -* Kubernetes 1.6+ -* PersistentVolume support on the underlying infrastructure -* A dynamic provisioner for the PersistentVolumes -* A familiarity with [Apache ZooKeeper 3.4.x](https://zookeeper.apache.org/doc/current/) - -## Chart Components -This chart will do the following: - -* Create a fixed size ZooKeeper ensemble using a [StatefulSet](http://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/). -* Create a [PodDisruptionBudget](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-disruption-budget/) so kubectl drain will respect the Quorum size of the ensemble. -* Create a [Headless Service](https://kubernetes.io/docs/concepts/services-networking/service/) to control the domain of the ZooKeeper ensemble. -* Create a Service configured to connect to the available ZooKeeper instance on the configured client port. -* Optionally apply a [Pod Anti-Affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity-beta-feature) to spread the ZooKeeper ensemble across nodes. -* Optionally start JMX Exporter and Zookeeper Exporter containers inside Zookeeper pods. -* Optionally create a job which creates Zookeeper chroots (e.g. `/kafka1`). - -## Installing the Chart -You can install the chart with the release name `zookeeper` as below. - -```console -$ helm repo add incubator http://storage.googleapis.com/kubernetes-charts-incubator -$ helm install --name zookeeper incubator/zookeeper -``` - -If you do not specify a name, helm will select a name for you. - -### Installed Components -You can use `kubectl get` to view all of the installed components. - -```console{%raw} -$ kubectl get all -l app=zookeeper -NAME: zookeeper -LAST DEPLOYED: Wed Apr 11 17:09:48 2018 -NAMESPACE: default -STATUS: DEPLOYED - -RESOURCES: -==> v1beta1/PodDisruptionBudget -NAME MIN AVAILABLE MAX UNAVAILABLE ALLOWED DISRUPTIONS AGE -zookeeper N/A 1 1 2m - -==> v1/Service -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -zookeeper-headless ClusterIP None <none> 2181/TCP,3888/TCP,2888/TCP 2m -zookeeper ClusterIP 10.98.179.165 <none> 2181/TCP 2m - -==> v1beta1/StatefulSet -NAME DESIRED CURRENT AGE -zookeeper 3 3 2m -``` - -1. `statefulsets/zookeeper` is the StatefulSet created by the chart. -1. `po/zookeeper-<0|1|2>` are the Pods created by the StatefulSet. Each Pod has a single container running a ZooKeeper server. -1. `svc/zookeeper-headless` is the Headless Service used to control the network domain of the ZooKeeper ensemble. -1. `svc/zookeeper` is a Service that can be used by clients to connect to an available ZooKeeper server. - -## Configuration -You can specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, - -```console -$ helm install --name my-release -f values.yaml incubator/zookeeper -``` - -## Default Values - -- You can find all user-configurable settings, their defaults and commentary about them in [values.yaml](values.yaml). - -## Deep Dive - -## Image Details -The image used for this chart is based on Ubuntu 16.04 LTS. This image is larger than Alpine or BusyBox, but it provides glibc, rather than ulibc or mucl, and a JVM release that is built against it. You can easily convert this chart to run against a smaller image with a JVM that is built against that image's libc. However, as far as we know, no Hadoop vendor supports, or has verified, ZooKeeper running on such a JVM. - -## JVM Details -The Java Virtual Machine used for this chart is the OpenJDK JVM 8u111 JRE (headless). - -## ZooKeeper Details -The ZooKeeper version is the latest stable version (3.4.10). The distribution is installed into /opt/zookeeper-3.4.10. This directory is symbolically linked to /opt/zookeeper. Symlinks are created to simulate a rpm installation into /usr. - -## Failover -You can test failover by killing the leader. Insert a key: -```console -$ kubectl exec zookeeper-0 -- /opt/zookeeper/bin/zkCli.sh create /foo bar; -$ kubectl exec zookeeper-2 -- /opt/zookeeper/bin/zkCli.sh get /foo; -``` - -Watch existing members: -```console -$ kubectl run --attach bbox --image=busybox --restart=Never -- sh -c 'while true; do for i in 0 1 2; do echo zk-${i} $(echo stats | nc <pod-name>-${i}.<headless-service-name>:2181 | grep Mode); sleep 1; done; done'; - -zk-2 Mode: follower -zk-0 Mode: follower -zk-1 Mode: leader -zk-2 Mode: follower -``` - -Delete Pods and wait for the StatefulSet controller to bring them back up: -```console -$ kubectl delete po -l app=zookeeper -$ kubectl get po --watch-only -NAME READY STATUS RESTARTS AGE -zookeeper-0 0/1 Running 0 35s -zookeeper-0 1/1 Running 0 50s -zookeeper-1 0/1 Pending 0 0s -zookeeper-1 0/1 Pending 0 0s -zookeeper-1 0/1 ContainerCreating 0 0s -zookeeper-1 0/1 Running 0 19s -zookeeper-1 1/1 Running 0 40s -zookeeper-2 0/1 Pending 0 0s -zookeeper-2 0/1 Pending 0 0s -zookeeper-2 0/1 ContainerCreating 0 0s -zookeeper-2 0/1 Running 0 19s -zookeeper-2 1/1 Running 0 41s -``` - -Check the previously inserted key: -```console -$ kubectl exec zookeeper-1 -- /opt/zookeeper/bin/zkCli.sh get /foo -ionid = 0x354887858e80035, negotiated timeout = 30000 - -WATCHER:: - -WatchedEvent state:SyncConnected type:None path:null -bar -``` - -## Scaling -ZooKeeper can not be safely scaled in versions prior to 3.5.x. This chart currently uses 3.4.x. There are manual procedures for scaling a 3.4.x ensemble, but as noted in the [ZooKeeper 3.5.2 documentation](https://zookeeper.apache.org/doc/r3.5.2-alpha/zookeeperReconfig.html) these procedures require a rolling restart, are known to be error prone, and often result in a data loss. - -While ZooKeeper 3.5.x does allow for dynamic ensemble reconfiguration (including scaling membership), the current status of the release is still alpha, and 3.5.x is therefore not recommended for production use. - -## Limitations -* StatefulSet and PodDisruptionBudget are beta resources. -* Only supports storage options that have backends for persistent volume claims. diff --git a/kubernetes/common/music/charts/zookeeper/templates/NOTES.txt b/kubernetes/common/music/charts/zookeeper/templates/NOTES.txt deleted file mode 100644 index 4f7a27bd99..0000000000 --- a/kubernetes/common/music/charts/zookeeper/templates/NOTES.txt +++ /dev/null @@ -1,7 +0,0 @@ -Thank you for installing ZooKeeper on your Kubernetes cluster. More information -about ZooKeeper can be found at https://zookeeper.apache.org/doc/current/ - -Your connection string should look like: - {{ template "common.fullname" . }}-0.{{ template "common.fullname" . }}-headless:{{ .Values.service.ports.client.port }},{{ template "common.fullname" . }}-1.{{ template "common.fullname" . }}-headless:{{ .Values.service.ports.client.port }},... - -You can also use the client service {{ template "common.fullname" . }}:{{ .Values.service.ports.client.port }} to connect to an available ZooKeeper server. diff --git a/kubernetes/common/music/charts/zookeeper/templates/config-jmx-exporter.yaml b/kubernetes/common/music/charts/zookeeper/templates/config-jmx-exporter.yaml deleted file mode 100644 index 72fedbcbbb..0000000000 --- a/kubernetes/common/music/charts/zookeeper/templates/config-jmx-exporter.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.exporters.jmx.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.release" . }}-jmx-exporter - labels: - app: {{ template "common.name" . }} - chart: {{ .Chart.Name }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: - config.yml: |- - hostPort: 127.0.0.1:{{ .Values.env.JMXPORT }} - lowercaseOutputName: {{ .Values.exporters.jmx.config.lowercaseOutputName }} - rules: -{{ .Values.exporters.jmx.config.rules | toYaml | indent 6 }} - ssl: false - startDelaySeconds: {{ .Values.exporters.jmx.config.startDelaySeconds }} -{{- end }} diff --git a/kubernetes/common/music/charts/zookeeper/templates/job-chroots.yaml b/kubernetes/common/music/charts/zookeeper/templates/job-chroots.yaml deleted file mode 100644 index b857a0d7b1..0000000000 --- a/kubernetes/common/music/charts/zookeeper/templates/job-chroots.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{- if .Values.jobs.chroots.enabled }} -{{- $root := . }} -{{- $job := .Values.jobs.chroots }} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "common.fullname" . }}-chroots - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": hook-succeeded - labels: - app: {{ template "common.name" . }} - chart: {{ .Chart.Name }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - component: jobs - job: chroots -spec: - activeDeadlineSeconds: {{ $job.activeDeadlineSeconds }} - backoffLimit: {{ $job.backoffLimit }} - completions: {{ $job.completions }} - parallelism: {{ $job.parallelism }} - template: - metadata: - labels: - app: {{ template "common.name" . }} - release: {{ include "common.release" . }} - component: jobs - job: chroots - spec: - restartPolicy: {{ $job.restartPolicy }} - containers: - - name: main - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.image.pullPolicy }} - command: - - /bin/bash - - -o - - pipefail - - -euc - {{- $port := .Values.service.ports.client.port }} - - > - sleep 15; - export SERVER={{ template "common.fullname" $root }}:{{ $port }}; - {{- range $job.config.create }} - echo '==> {{ . }}'; - echo '====> Create chroot if does not exist.'; - zkCli.sh -server {{ template "common.fullname" $root }}:{{ $port }} get {{ . }} 2>&1 >/dev/null | grep 'cZxid' - || zkCli.sh -server {{ template "common.fullname" $root }}:{{ $port }} create {{ . }} ""; - echo '====> Confirm chroot exists.'; - zkCli.sh -server {{ template "common.fullname" $root }}:{{ $port }} get {{ . }} 2>&1 >/dev/null | grep 'cZxid'; - echo '====> Chroot exists.'; - {{- end }} - env: - {{- range $key, $value := $job.env }} - - name: {{ $key | upper | replace "." "_" }} - value: {{ $value | quote }} - {{- end }} - resources: -{{ toYaml $job.resources | indent 12 }} -{{- end -}} diff --git a/kubernetes/common/music/charts/zookeeper/templates/poddisruptionbudget.yaml b/kubernetes/common/music/charts/zookeeper/templates/poddisruptionbudget.yaml deleted file mode 100644 index a4bc322a31..0000000000 --- a/kubernetes/common/music/charts/zookeeper/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: {{ template "common.fullname" . }} - labels: - app: {{ template "common.name" . }} - chart: {{ .Chart.Name }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - component: server -spec: - selector: - matchLabels: - app: {{ template "common.name" . }} - release: {{ include "common.release" . }} - component: server -{{ toYaml .Values.podDisruptionBudget | indent 2 }} diff --git a/kubernetes/common/music/charts/zookeeper/templates/pv.yaml b/kubernetes/common/music/charts/zookeeper/templates/pv.yaml deleted file mode 100644 index 6e53a9543d..0000000000 --- a/kubernetes/common/music/charts/zookeeper/templates/pv.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{/* -# Copyright © 2019 Amdocs, Bell Canada, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- $global := . }} -{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) -}} -{{- range $i := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-data-{{ $i }} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.fullname" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data" - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/common/music/charts/zookeeper/templates/service-headless.yaml b/kubernetes/common/music/charts/zookeeper/templates/service-headless.yaml deleted file mode 100644 index 31475a1c76..0000000000 --- a/kubernetes/common/music/charts/zookeeper/templates/service-headless.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "common.fullname" . }}-headless - labels: - app: {{ template "common.name" . }} - chart: {{ .Chart.Name }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - clusterIP: None - ports: -{{- range $key, $port := .Values.ports }} - - name: {{ $key }} - port: {{ $port.containerPort }} - targetPort: {{ $port.name }} - protocol: {{ $port.protocol }} -{{- end }} - selector: - app: {{ template "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/common/music/charts/zookeeper/templates/service.yaml b/kubernetes/common/music/charts/zookeeper/templates/service.yaml deleted file mode 100644 index 0ef3a28b27..0000000000 --- a/kubernetes/common/music/charts/zookeeper/templates/service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - labels: - app: {{ template "common.name" . }} - chart: {{ .Chart.Name }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -{{- with .Values.service.annotations }} -{{ toYaml . | indent 4 }} -{{- end }} -spec: - type: {{ .Values.service.type }} - ports: - {{- range $key, $value := .Values.service.ports }} - - name: {{ $key }} -{{ toYaml $value | indent 6 }} - {{- end }} - selector: - app: {{ template "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/common/music/charts/zookeeper/templates/statefulset.yaml b/kubernetes/common/music/charts/zookeeper/templates/statefulset.yaml deleted file mode 100644 index 73224addef..0000000000 --- a/kubernetes/common/music/charts/zookeeper/templates/statefulset.yaml +++ /dev/null @@ -1,182 +0,0 @@ -apiVersion: apps/v1beta1 -kind: StatefulSet -metadata: - name: {{ template "common.fullname" . }} - labels: - app: {{ template "common.name" . }} - chart: {{ .Chart.Name }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - component: server -spec: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - "{{ .Chart.Name }}" - serviceName: {{ template "common.fullname" . }}-headless - replicas: {{ .Values.replicaCount }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - selector: - matchLabels: - app: {{ template "common.name" . }} - release: {{ include "common.release" . }} - component: server - updateStrategy: -{{ toYaml .Values.updateStrategy | indent 4 }} - template: - metadata: - labels: - app: {{ template "common.name" . }} - release: {{ include "common.release" . }} - component: server - {{- if .Values.podLabels }} - ## Custom pod labels - {{- range $key, $value := .Values.podLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} - annotations: - {{- if .Values.podAnnotations }} - ## Custom pod annotations - {{- range $key, $value := .Values.podAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} - spec: -{{- if .Values.schedulerName }} - schedulerName: "{{ .Values.schedulerName }}" -{{- end }} - securityContext: -{{ toYaml .Values.securityContext | indent 8 }} - containers: - - - name: zookeeper - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.image.pullPolicy }} - command: - - /bin/bash - - -xec - - zkGenConfig.sh && exec zkServer.sh start-foreground - ports: -{{- range $key, $port := .Values.ports }} - - name: {{ $key }} -{{ toYaml $port | indent 14 }} -{{- end }} - livenessProbe: -{{ toYaml .Values.livenessProbe | indent 12 }} - readinessProbe: -{{ toYaml .Values.readinessProbe | indent 12 }} - env: - - name: ZK_REPLICAS - value: {{ .Values.replicaCount | quote }} - {{- range $key, $value := .Values.env }} - - name: {{ $key | upper | replace "." "_" }} - value: {{ $value | quote }} - {{- end }} - resources: -{{ include "common.resources" . }} - volumeMounts: - - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/zookeeper - -{{- if .Values.exporters.jmx.enabled }} - - name: jmx-exporter - image: "{{ .Values.exporters.jmx.image.repository }}:{{ .Values.exporters.jmx.image.tag }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.exporters.jmx.image.pullPolicy }} - ports: - {{- range $key, $port := .Values.exporters.jmx.ports }} - - name: {{ $key }} -{{ toYaml $port | indent 14 }} - {{- end }} - livenessProbe: -{{ toYaml .Values.exporters.jmx.livenessProbe | indent 12 }} - readinessProbe: -{{ toYaml .Values.exporters.jmx.readinessProbe | indent 12 }} - env: - - name: SERVICE_PORT - value: {{ .Values.exporters.jmx.ports.jmxxp.containerPort | quote }} - {{- with .Values.exporters.jmx.env }} - {{- range $key, $value := . }} - - name: {{ $key | upper | replace "." "_" }} - value: {{ $value | quote }} - {{- end }} - {{- end }} - resources: -{{ toYaml .Values.exporters.jmx.resources | indent 12 }} - volumeMounts: - - name: config-jmx-exporter - mountPath: /opt/jmx_exporter/config.yml - subPath: config.yml -{{- end }} - -{{- if .Values.exporters.zookeeper.enabled }} - - name: zookeeper-exporter - image: "{{ .Values.exporters.zookeeper.image.repository }}:{{ .Values.exporters.zookeeper.image.tag }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.exporters.zookeeper.image.pullPolicy }} - args: - - -bind-addr=:{{ .Values.exporters.zookeeper.ports.zookeeperxp.containerPort }} - - -metrics-path={{ .Values.exporters.zookeeper.path }} - - -zookeeper=localhost:{{ .Values.ports.client.containerPort }} - - -log-level={{ .Values.exporters.zookeeper.config.logLevel }} - - -reset-on-scrape={{ .Values.exporters.zookeeper.config.resetOnScrape }} - ports: - {{- range $key, $port := .Values.exporters.zookeeper.ports }} - - name: {{ $key }} -{{ toYaml $port | indent 14 }} - {{- end }} - livenessProbe: -{{ toYaml .Values.exporters.zookeeper.livenessProbe | indent 12 }} - readinessProbe: -{{ toYaml .Values.exporters.zookeeper.readinessProbe | indent 12 }} - env: - {{- range $key, $value := .Values.exporters.zookeeper.env }} - - name: {{ $key | upper | replace "." "_" }} - value: {{ $value | quote }} - {{- end }} - resources: -{{ toYaml .Values.exporters.zookeeper.resources | indent 12 }} -{{- end }} - - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if (or .Values.exporters.jmx.enabled (not .Values.persistence.enabled)) }} - volumes: - {{- if .Values.exporters.jmx.enabled }} - - name: config-jmx-exporter - configMap: - name: {{ include "common.release" . }}-jmx-exporter - {{- end }} - {{- end }} - {{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{- end }} diff --git a/kubernetes/common/music/charts/zookeeper/values.yaml b/kubernetes/common/music/charts/zookeeper/values.yaml deleted file mode 100644 index 28c9711e84..0000000000 --- a/kubernetes/common/music/charts/zookeeper/values.yaml +++ /dev/null @@ -1,282 +0,0 @@ -## As weighted quorums are not supported, it is imperative that an odd number of replicas -## be chosen. Moreover, the number of replicas should be either 1, 3, 5, or 7. -## -## ref: https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper#stateful-set -replicaCount: 3 # Desired quantity of ZooKeeper pods. This should always be (1,3,5, or 7) - -podDisruptionBudget: - maxUnavailable: 1 # Limits how many Zokeeper pods may be unavailable due to voluntary disruptions. - -terminationGracePeriodSeconds: 1800 # Duration in seconds a Zokeeper pod needs to terminate gracefully. - -## OnDelete requires you to manually delete each pod when making updates. -## This approach is at the moment safer than RollingUpdate because replication -## may be incomplete when replication source pod is killed. -## -## ref: http://blog.kubernetes.io/2017/09/kubernetes-statefulsets-daemonsets.html -updateStrategy: - type: OnDelete # Pods will only be created when you manually delete old pods. - -## refs: -## - https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper -## - https://github.com/kubernetes/contrib/blob/master/statefulsets/zookeeper/Makefile#L1 -image: - #repository: nexus3.onap.org:10001/library/zookeeper - #tag: 3.3 - repository: gcr.io/google_samples/k8szk # Container image repository for zookeeper container. - tag: v3 # Container image tag for zookeeper container. - pullPolicy: IfNotPresent # Image pull criteria for zookeeper container. - -service: - name: zookeeper - type: ClusterIP # Exposes zookeeper on a cluster-internal IP. - annotations: {} # Arbitrary non-identifying metadata for zookeeper service. - ## AWS example for use with LoadBalancer service type. - # external-dns.alpha.kubernetes.io/hostname: zookeeper.cluster.local - # service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" - # service.beta.kubernetes.io/aws-load-balancer-internal: "true" - ports: - client: - port: 2181 # Service port number for client port. - targetPort: client # Service target port for client port. - protocol: TCP # Service port protocol for client port. - - -ports: - client: - containerPort: 2181 # Port number for zookeeper container client port. - protocol: TCP # Protocol for zookeeper container client port. - election: - containerPort: 3888 # Port number for zookeeper container election port. - protocol: TCP # Protocol for zookeeper container election port. - server: - containerPort: 2888 # Port number for zookeeper container server port. - protocol: TCP # Protocol for zookeeper container server port. - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 500m - memory: 900Mi - requests: - cpu: 10m - memory: 730Mi - large: - limits: - cpu: 3 - memory: 2Gi - requests: - cpu: 2 - memory: 1Gi - unlimited: {} - -nodeSelector: {} # Node label-values required to run zookeeper pods. - -tolerations: [] # Node taint overrides for zookeeper pods. - -affinity: {} # Criteria by which pod label-values influence scheduling for zookeeper pods. -affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: "kubernetes.io/hostname" - labelSelector: - matchLabels: - release: zookeeper - -podAnnotations: {} # Arbitrary non-identifying metadata for zookeeper pods. - -podLabels: {} # Key/value pairs that are attached to zookeeper pods. - -livenessProbe: - exec: - command: - - zkOk.sh - initialDelaySeconds: 20 - -readinessProbe: - exec: - command: - - zkOk.sh - initialDelaySeconds: 20 - -securityContext: - fsGroup: 1000 - #runAsUser: 1000 - -persistence: - enabled: true - ## zookeeper data Persistent Volume Storage Class - ## If defined, storageClassName: <storageClass> - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - mountPath: /dockerdata-nfs - mountSubPath: music/zookeeper - size: 4Gi - -## Exporters query apps for metrics and make those metrics available for -## Prometheus to scrape. -exporters: - - jmx: - enabled: false - image: - repository: sscaling/jmx-prometheus-exporter - tag: 0.3.0 - pullPolicy: IfNotPresent - config: - lowercaseOutputName: false - rules: - - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+)><>(\\w+)" - name: "zookeeper_$2" - - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+)><>(\\w+)" - name: "zookeeper_$3" - labels: - replicaId: "$2" - - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+), name2=(\\w+)><>(\\w+)" - name: "zookeeper_$4" - labels: - replicaId: "$2" - memberType: "$3" - - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+), name2=(\\w+), name3=(\\w+)><>(\\w+)" - name: "zookeeper_$4_$5" - labels: - replicaId: "$2" - memberType: "$3" - startDelaySeconds: 30 - env: {} - resources: {} - path: /metrics - ports: - jmxxp: - containerPort: 9404 - protocol: TCP - livenessProbe: - httpGet: - path: /metrics - port: jmxxp - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 60 - failureThreshold: 8 - successThreshold: 1 - readinessProbe: - httpGet: - path: /metrics - port: jmxxp - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 60 - failureThreshold: 8 - successThreshold: 1 - - zookeeper: - enabled: false - image: - repository: josdotso/zookeeper-exporter - tag: v1.1.2 - pullPolicy: IfNotPresent - config: - logLevel: info - resetOnScrape: "true" - env: {} - resources: {} - path: /metrics - ports: - zookeeperxp: - containerPort: 9141 - protocol: TCP - livenessProbe: - httpGet: - path: /metrics - port: zookeeperxp - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 60 - failureThreshold: 8 - successThreshold: 1 - readinessProbe: - httpGet: - path: /metrics - port: zookeeperxp - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 60 - failureThreshold: 8 - successThreshold: 1 - -env: - - ## Options related to JMX exporter. - JMXAUTH: "false" - JMXDISABLE: "false" - JMXPORT: 1099 - JMXSSL: "false" - - ## The port on which the server will accept client requests. - ZK_CLIENT_PORT: 2181 - - ## The port on which the ensemble performs leader election. - ZK_ELECTION_PORT: 3888 - - ## The JVM heap size. - ZK_HEAP_SIZE: 2G - - ## The number of Ticks that an ensemble member is allowed to perform leader - ## election. - ZK_INIT_LIMIT: 5 - - ## The Log Level that for the ZooKeeper processes logger. - ## Choices are `TRACE,DEBUG,INFO,WARN,ERROR,FATAL`. - ZK_LOG_LEVEL: INFO - - ## The maximum number of concurrent client connections that - ## a server in the ensemble will accept. - ZK_MAX_CLIENT_CNXNS: 60 - - ## The maximum session timeout that the ensemble will allow a client to request. - ## Upstream default is `20 * ZK_TICK_TIME` - ZK_MAX_SESSION_TIMEOUT: 40000 - - ## The minimum session timeout that the ensemble will allow a client to request. - ## Upstream default is `2 * ZK_TICK_TIME`. - ZK_MIN_SESSION_TIMEOUT: 4000 - - ## The delay, in hours, between ZooKeeper log and snapshot cleanups. - ZK_PURGE_INTERVAL: 0 - - ## The port on which the leader will send events to followers. - ZK_SERVER_PORT: 2888 - - ## The number of snapshots that the ZooKeeper process will retain if - ## `ZK_PURGE_INTERVAL` is set to a value greater than `0`. - ZK_SNAP_RETAIN_COUNT: 3 - - ## The number of Tick by which a follower may lag behind the ensembles leader. - ZK_SYNC_LIMIT: 10 - - ## The number of wall clock ms that corresponds to a Tick for the ensembles - ## internal time. - ZK_TICK_TIME: 2000 - -jobs: - chroots: - enabled: false - activeDeadlineSeconds: 300 - backoffLimit: 5 - completions: 1 - config: - create: [] - # - /kafka - # - /ureplicator - env: [] - parallelism: 1 - resources: {} - restartPolicy: Never diff --git a/kubernetes/common/music/requirements.yaml b/kubernetes/common/music/requirements.yaml index a7089ea6b3..1c428d214e 100644 --- a/kubernetes/common/music/requirements.yaml +++ b/kubernetes/common/music/requirements.yaml @@ -15,4 +15,4 @@ dependencies: - name: common version: ~6.x-0 - repository: '@local' + repository: 'file://../common' diff --git a/kubernetes/common/music/values.yaml b/kubernetes/common/music/values.yaml index 51c467cf2f..fe4cbaee9c 100644 --- a/kubernetes/common/music/values.yaml +++ b/kubernetes/common/music/values.yaml @@ -1,4 +1,4 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. +# Copyright © 2018-2020 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/kubernetes/common/network-name-gen/requirements.yaml b/kubernetes/common/network-name-gen/requirements.yaml index 8152196ab5..8c2277c210 100644 --- a/kubernetes/common/network-name-gen/requirements.yaml +++ b/kubernetes/common/network-name-gen/requirements.yaml @@ -15,12 +15,12 @@ dependencies:
- name: common
version: ~6.x-0
- repository: '@local'
+ repository: 'file://../common'
- name: mariadb-galera
version: ~6.x-0
- repository: '@local'
+ repository: 'file://../mariadb-galera'
condition: global.mariadbGalera.localCluster
- name: mariadb-init
version: ~6.x-0
- repository: '@local'
+ repository: 'file://../mariadb-init'
condition: not global.mariadbGalera.localCluster
diff --git a/kubernetes/common/network-name-gen/values.yaml b/kubernetes/common/network-name-gen/values.yaml index 0defa97c26..a9f2a5bbd4 100644 --- a/kubernetes/common/network-name-gen/values.yaml +++ b/kubernetes/common/network-name-gen/values.yaml @@ -73,7 +73,7 @@ mariadb-init: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/ccsdk-apps-ms-neng:0.6.3 +image: onap/ccsdk-apps-ms-neng:0.7.1 pullPolicy: IfNotPresent # application configuration diff --git a/kubernetes/common/postgres/requirements.yaml b/kubernetes/common/postgres/requirements.yaml index 76afd96b98..6f898b6171 100644 --- a/kubernetes/common/postgres/requirements.yaml +++ b/kubernetes/common/postgres/requirements.yaml @@ -15,4 +15,4 @@ dependencies: - name: common version: ~6.x-0 - repository: '@local' + repository: 'file://../common' diff --git a/kubernetes/common/postgres/values.yaml b/kubernetes/common/postgres/values.yaml index 10f9405de6..a5a416329b 100644 --- a/kubernetes/common/postgres/values.yaml +++ b/kubernetes/common/postgres/values.yaml @@ -58,9 +58,9 @@ pullPolicy: Always config: pgUserName: testuser pgDatabase: userdb - pgPrimaryPassword: password - pgUserPassword: password - pgRootPassword: password + # pgPrimaryPassword: password + # pgUserPassword: password + # pgRootPassword: password container: name: diff --git a/kubernetes/consul/values.yaml b/kubernetes/consul/values.yaml index d55ea4666e..34272c6b96 100644 --- a/kubernetes/consul/values.yaml +++ b/kubernetes/consul/values.yaml @@ -61,7 +61,7 @@ service: {} ingress: enabled: false service: - - baseaddr: "consul-server" + - baseaddr: "consul.api" name: "consul-server" port: 8800 config: diff --git a/kubernetes/contrib/components/awx/charts/awx-postgres/templates/deployment.yaml b/kubernetes/contrib/components/awx/charts/awx-postgres/templates/deployment.yaml index 67d13cf477..56315285cd 100755 --- a/kubernetes/contrib/components/awx/charts/awx-postgres/templates/deployment.yaml +++ b/kubernetes/contrib/components/awx/charts/awx-postgres/templates/deployment.yaml @@ -60,7 +60,7 @@ spec: name: localtime readOnly: true - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/postgresql/data + mountPath: /var/lib/postgresql/ resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} diff --git a/kubernetes/contrib/components/netbox/charts/netbox-postgres/templates/deployment.yaml b/kubernetes/contrib/components/netbox/charts/netbox-postgres/templates/deployment.yaml index 45468e4969..3a4bb90b98 100755 --- a/kubernetes/contrib/components/netbox/charts/netbox-postgres/templates/deployment.yaml +++ b/kubernetes/contrib/components/netbox/charts/netbox-postgres/templates/deployment.yaml @@ -50,7 +50,7 @@ spec: name: localtime readOnly: true - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/postgresql/data + mountPath: /var/lib/postgresql/ resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-pgaas-initdb-inputs.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-pgaas-initdb-inputs.yaml index 23bb080690..eb4cf252d4 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-pgaas-initdb-inputs.yaml +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-pgaas-initdb-inputs.yaml @@ -16,4 +16,4 @@ # ============LICENSE_END========================================================= k8s_pgaas_instance_fqdn: {{ .Values.postgres.service.name2 }}.{{include "common.namespace" . }} -k8s_initial_password: {{ .Values.postgres.config.pgRootPassword }} +k8s_initial_password: $PG_ROOT_PASSWORD diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml index a36164d164..9009f6b114 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml @@ -1,130 +1,150 @@ -#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2018 Amdocs, Bell Canada
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- replicas: 1
- template:
- metadata:
- labels:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- spec:
- initContainers:
- - name: {{ include "common.name" . }}-readiness
- image: {{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command:
- - /root/ready.py
- args:
- - --container-name
- - dcae-cloudify-manager
- - --container-name
- - consul-server
- - --container-name
- - msb-discovery
- - --container-name
- - kube2msb
- - --container-name
- - dcae-config-binding-service
- - --container-name
- - dcae-db
- - --container-name
- - dcae-inventory-api
- - "-t"
- - "15"
-
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: init-tls
- env:
- - name: POD_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.podIP
- - name: aaf_locator_fqdn
- value: dcae
- image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- resources: {}
- volumeMounts:
- - mountPath: /opt/app/osaaf
- name: tls-info
- containers:
- - name: {{ include "common.name" . }}
- image: "{{ include "common.repository" . }}/{{ .Values.image }}"
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- resources:
-{{ include "common.resources" . | indent 12 }}
- volumeMounts:
- - mountPath: /inputs
- name: {{ include "common.fullname" . }}-dcae-inputs
- - mountPath: /dcae-configs
- name: {{ include "common.fullname" . }}-dcae-config
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- - mountPath: /certs
- name: tls-info
- readOnly: true
- env:
- - name: CMADDR
- value: {{ .Values.config.address.cm.host }}
- - name: CMPASS
- valueFrom:
- secretKeyRef:
- name: {{ include "common.name" . }}-cmpass
- key: password
- - name: CMPROTO
- value: {{ .Values.config.address.cm.proto }}
- - name: CMPORT
- value: !!string {{ .Values.config.address.cm.port }}
- - name: CONSUL
- value: {{ .Values.config.address.consul.host }}:{{ .Values.config.address.consul.port }}
- - name: DCAE_NAMESPACE
- value: {{ .Values.dcae_ns | default "" }}
- - name: ONAP_NAMESPACE
- value: {{ include "common.namespace" . }}
- volumes:
- - name: {{ include "common.fullname" . }}-dcae-inputs
- configMap:
- name: {{ include "common.fullname" . }}-dcae-inputs
- - name: {{ include "common.fullname" . }}-dcae-config
- configMap:
- name: {{ include "common.fullname" . }}-dcae-config
- - name: localtime
- hostPath:
- path: /etc/localtime
- - name: tls-info
- emptyDir: {}
- imagePullSecrets:
- - name: "{{ include "common.namespace" . }}-docker-registry-key"
+#============LICENSE_START======================================================== +# ================================================================================ +# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2018 Amdocs, Bell Canada +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + spec: + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: PG_ROOT_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-root-pass" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: {{ include "common.fullname" . }}-dcae-inputs-input + - mountPath: /config + name: {{ include "common.fullname" . }}-dcae-inputs + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + + - name: {{ include "common.name" . }}-readiness + image: {{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /root/ready.py + args: + - --container-name + - dcae-cloudify-manager + - --container-name + - consul-server + - --container-name + - msb-discovery + - --container-name + - kube2msb + - --container-name + - dcae-config-binding-service + - --container-name + - dcae-db + - --container-name + - dcae-inventory-api + - "-t" + - "15" + + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: init-tls + env: + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: aaf_locator_fqdn + value: dcae + image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: {} + volumeMounts: + - mountPath: /opt/app/osaaf + name: tls-info + containers: + - name: {{ include "common.name" . }} + image: "{{ include "common.repository" . }}/{{ .Values.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: +{{ include "common.resources" . | indent 12 }} + volumeMounts: + - mountPath: /inputs + name: {{ include "common.fullname" . }}-dcae-inputs + - mountPath: /dcae-configs + name: {{ include "common.fullname" . }}-dcae-config + - mountPath: /etc/localtime + name: localtime + readOnly: true + - mountPath: /certs + name: tls-info + readOnly: true + env: + - name: CMADDR + value: {{ .Values.config.address.cm.host }} + - name: CMPASS + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-cmpass + key: password + - name: CMPROTO + value: {{ .Values.config.address.cm.proto }} + - name: CMPORT + value: !!string {{ .Values.config.address.cm.port }} + - name: CONSUL + value: {{ .Values.config.address.consul.host }}:{{ .Values.config.address.consul.port }} + - name: DCAE_NAMESPACE + value: {{ .Values.dcae_ns | default "" }} + - name: ONAP_NAMESPACE + value: {{ include "common.namespace" . }} + volumes: + - name: {{ include "common.fullname" . }}-dcae-inputs-input + configMap: + name: {{ include "common.fullname" . }}-dcae-inputs + - name: {{ include "common.fullname" . }}-dcae-inputs + emptyDir: + medium: Memory + - name: {{ include "common.fullname" . }}-dcae-config + configMap: + name: {{ include "common.fullname" . }}-dcae-config + - name: localtime + hostPath: + path: /etc/localtime + - name: tls-info + emptyDir: {} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/secret.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/templates/secret.yaml index d8b2ba2220..44395e48e8 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/secret.yaml +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/templates/secret.yaml @@ -29,3 +29,5 @@ metadata: type: Opaque data: password: YWRtaW4= +--- +{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml index a5bd69af02..a9cac8beac 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml @@ -28,6 +28,15 @@ global: loggingImage: beats/filebeat:5.5.0 tlsRepository: nexus3.onap.org:10001 tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 + envsubstImage: dibi/envsubst + +secrets: + - uid: pg-root-pass + name: &pgRootPassSecretName '{{ include "common.release" . }}-dcae-bootstrap-pg-root-pass' + type: password + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "dcae-bootstrap-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' + password: '{{ .Values.postgres.config.pgRootpassword }}' + policy: generate config: logstashServiceName: log-ls @@ -77,21 +86,10 @@ postgres: primary: dcae-pg-primary replica: dcae-pg-replica config: - pgPrimaryPassword: onapdemodb - pgRootPassword: onapdemodb + pgRootPasswordExternalSecret: *pgRootPassSecretName persistence: mountSubPath: dcae/data mountInitPath: dcae - pgpool: - nameOverride: dcae-pgpool - service: - name: dcae-pgpool - credentials: - pgpassword: onapdemodb - container: - name: - primary: dcae-pgpool-primary - replica: dcae-pgpool-replica mongo: nameOverride: dcae-mongo @@ -109,7 +107,7 @@ mongo: # application image repository: nexus3.onap.org:10001 -image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:1.12.5 +image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:1.12.6 default_k8s_location: central # DCAE component images to be deployed via Cloudify Manager diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/deployment.yaml index 9bee0510cd..8a03e90333 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/deployment.yaml +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/deployment.yaml @@ -65,6 +65,19 @@ spec: volumeMounts: - mountPath: /opt/app/osaaf name: tls-info + {{- if .Values.persistence.enabled }} + - name: remove-lost-found + image: "{{ .Values.global.busyboxRepository }}/{{ .Values.global.busyboxImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - mountPath: /cfy-persist + name: cm-persistent + command: + - /bin/sh + args: + - -c + - "rm -rf '/cfy-persist/lost+found';" + {{- end }} containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml index a926fb396b..bab034469b 100644 --- a/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml +++ b/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml @@ -126,11 +126,11 @@ spec: - name: consul_url value: http://consul-server-ui:8500 - name: postgres_user_dashboard - value: {{ .Values.postgres.config.pgUserName }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 14 }} + - name: postgres_password_dashboard + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 14 }} - name: postgres_db_name value: {{ .Values.postgres.config.pgDatabase }} - - name: postgres_password_dashboard - value: {{ .Values.postgres.config.pgUserPassword }} - name: postgres_ip value: {{ .Values.postgres.service.name2 }} - name: POD_IP @@ -169,4 +169,3 @@ spec: name: tls-info imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/templates/secret.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/templates/secret.yaml new file mode 100644 index 0000000000..b143034d8f --- /dev/null +++ b/kubernetes/dcaegen2/components/dcae-dashboard/templates/secret.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2020 Samsung Electronics +# # +# # Licensed under the Apache License, Version 2.0 (the "License"); +# # you may not use this file except in compliance with the License. +# # You may obtain a copy of the License at +# # +# # http://www.apache.org/licenses/LICENSE-2.0 +# # +# # Unless required by applicable law or agreed to in writing, software +# # distributed under the License is distributed on an "AS IS" BASIS, +# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# # See the License for the specific language governing permissions and +# # limitations under the License. +*/}} +{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml index fd7069450e..8e3f94dc64 100644 --- a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml @@ -27,6 +27,15 @@ global: tlsRepository: nexus3.onap.org:10001 tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 +secrets: + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-dcae-dashboard-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "dcae-dashboard-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate + config: logstashServiceName: log-ls logstashPort: 5044 @@ -81,10 +90,8 @@ postgres: replica: dcae-dashboard-pg-replica config: pgUserName: dashboard_pg_admin + pgUserExternalSecret: *pgUserCredsSecretName pgDatabase: dashboard_pg_db_common - pgPrimaryPassword: onapdemodb - pgUserPassword: onapdemodb - pgRootPassword: onapdemodb pgPort: "5432" persistence: mountSubPath: dcae-dashboard/data diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json index d9927314e1..4be8c195d2 100644 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json +++ b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json @@ -1,8 +1,8 @@ { "database": { "driverClass": "org.postgresql.Driver", - "user": "{{ .Values.postgres.config.pgUserName }}", - "password": "{{ .Values.postgres.config.pgUserPassword }}", + "user": "${PG_USER}", + "password": "${PG_PASSWORD}", "url": "jdbc:postgresql://{{ .Values.postgres.service.name2 }}:5432/{{ .Values.postgres.config.pgDatabase }}", "properties": { "charSet": "UTF-8" diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml index 6769c00a2d..bf49157762 100644 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml +++ b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml @@ -34,6 +34,25 @@ spec: release: {{ include "common.release" . }} spec: initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: PG_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 12 }} + - name: PG_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }} + volumeMounts: + - mountPath: /config-input + name: {{ include "common.fullname" . }}-inv-config-input + - mountPath: /config + name: {{ include "common.fullname" . }}-inv-config + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + - name: {{ include "common.name" . }}-readiness image: {{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -135,11 +154,13 @@ spec: defaultMode: 420 name: {{ include "common.fullname" . }}-filebeat-configmap name: filebeat-conf - - name: {{ include "common.fullname" . }}-inv-config + - name: {{ include "common.fullname" . }}-inv-config-input configMap: name: {{ include "common.fullname" . }}-configmap + - name: {{ include "common.fullname" . }}-inv-config + emptyDir: + medium: Memory - emptyDir: {} name: tls-info imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/secret.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/secret.yaml new file mode 100644 index 0000000000..b143034d8f --- /dev/null +++ b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/secret.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2020 Samsung Electronics +# # +# # Licensed under the Apache License, Version 2.0 (the "License"); +# # you may not use this file except in compliance with the License. +# # You may obtain a copy of the License at +# # +# # http://www.apache.org/licenses/LICENSE-2.0 +# # +# # Unless required by applicable law or agreed to in writing, software +# # distributed under the License is distributed on an "AS IS" BASIS, +# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# # See the License for the specific language governing permissions and +# # limitations under the License. +*/}} +{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml index 51af963343..a26ae5d196 100644 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml @@ -26,10 +26,20 @@ global: loggingImage: beats/filebeat:5.5.0 tlsRepository: nexus3.onap.org:10001 tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 + envsubstImage: dibi/envsubst repositoryCred: user: docker password: docker +secrets: + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-dcae-inventory-api-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "dcae-inventory-api-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate + config: logstashServiceName: log-ls logstashPort: 5044 @@ -82,24 +92,11 @@ postgres: replica: dcae-inv-pg-replica config: pgUserName: dcae_inv + pgUserExternalSecret: *pgUserCredsSecretName pgDatabase: dcae_inventory - pgPrimaryPassword: onapdemodb - pgUserPassword: onapdemodb - pgRootPassword: onapdemodb persistence: mountSubPath: dcae-inv/data mountInitPath: dcae-inv - pgpool: - nameOverride: dcae-inv-pgpool - service: - name: dcae-inv-pgpool - credentials: - pgusername: ddcae_inv - pgpassword: onapdemodb - container: - name: - primary: dcae-inv-pgpool-primary - replica: dcae-inv-pgpool-replica # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/dcaegen2/values.yaml b/kubernetes/dcaegen2/values.yaml index 25ddfc7558..aff40d4a6a 100644 --- a/kubernetes/dcaegen2/values.yaml +++ b/kubernetes/dcaegen2/values.yaml @@ -22,5 +22,7 @@ global: tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderRepository: nexus3.onap.org:10001 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 + busyboxRepository: docker.io + busyboxImage: library/busybox:1.30 redis: replicaCount: 6 diff --git a/kubernetes/dmaap/components/dmaap-bc/requirements.yaml b/kubernetes/dmaap/components/dmaap-bc/requirements.yaml index e0d80e7515..656fee77f8 100644 --- a/kubernetes/dmaap/components/dmaap-bc/requirements.yaml +++ b/kubernetes/dmaap/components/dmaap-bc/requirements.yaml @@ -16,6 +16,9 @@ dependencies: - name: common version: ~6.x-0 repository: '@local' + - name: certInitializer + version: ~6.x-0 + repository: '@local' - name: postgres version: ~6.x-0 repository: '@local' diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/aaf/org.onap.dmaap-bc.props b/kubernetes/dmaap/components/dmaap-bc/resources/aaf/org.onap.dmaap-bc.props deleted file mode 100644 index 3c29073e7a..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/aaf/org.onap.dmaap-bc.props +++ /dev/null @@ -1,15 +0,0 @@ -############################################################ -# Properties Generated by AT&T Certificate Manager -# by root -# on 2019-03-22T17:37:33.690+0000 -# @copyright 2016, AT&T -############################################################ -aaf_env=DEV -aaf_id=dmaap-bc@dmaap-bc.onap.org -aaf_locate_url={{ .Values.aafLocateUrl }} -aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.1 -cadi_etc_dir=/opt/app/osaaf/local -cadi_latitude=38.000 -cadi_longitude=-72.000 -cadi_prop_files=/opt/app/osaaf/local/org.onap.dmaap-bc.location.props:/opt/app/osaaf/local/org.onap.dmaap-bc.cred.props -cm_url=https://AAF_LOCATE_URL/%CNS.%AAF_NS.cm:2.1 diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties b/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties index 59f64bd99c..3f5b1b4336 100644 --- a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties +++ b/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties @@ -69,10 +69,10 @@ DB.host: {{ .Values.postgres.service.name2 }} #DB.schema: {{ .Values.postgres.config.pgDatabase }} # postgres user name -#DB.user: {{ .Values.postgres.config.pgUserName }} +DB.user: ${PG_USER} # postgres user password -DB.cred: {{ .Values.postgres.config.pgUserPassword }} +DB.cred: ${PG_PASSWORD} ##################################################### diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/dr_nodes/central.yaml b/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/central.yaml index 7ef2dcdb8f..7ef2dcdb8f 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/dr_nodes/central.yaml +++ b/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/central.yaml diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/dr_nodes/edge.yaml b/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/edge.yaml index 272cd75e52..272cd75e52 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/dr_nodes/edge.yaml +++ b/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/edge.yaml diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/resources/feeds/README b/kubernetes/dmaap/components/dmaap-bc/resources/feeds/README index 4f5eac5ba1..4f5eac5ba1 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/resources/feeds/README +++ b/kubernetes/dmaap/components/dmaap-bc/resources/feeds/README diff --git a/kubernetes/dmaap/components/message-router/resources/topics/PNF_READY.json b/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_READY.json index 8f4cf8bd64..8f4cf8bd64 100644 --- a/kubernetes/dmaap/components/message-router/resources/topics/PNF_READY.json +++ b/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_READY.json diff --git a/kubernetes/dmaap/components/message-router/resources/topics/PNF_REGISTRATION.json b/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_REGISTRATION.json index f0dd2c7829..f0dd2c7829 100644 --- a/kubernetes/dmaap/components/message-router/resources/topics/PNF_REGISTRATION.json +++ b/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_REGISTRATION.json diff --git a/kubernetes/dmaap/components/message-router/resources/topics/README b/kubernetes/dmaap/components/dmaap-bc/resources/topics/README index fbb88b97e6..fbb88b97e6 100644 --- a/kubernetes/dmaap/components/message-router/resources/topics/README +++ b/kubernetes/dmaap/components/dmaap-bc/resources/topics/README diff --git a/kubernetes/dmaap/components/message-router/resources/topics/mirrormakeragent.json b/kubernetes/dmaap/components/dmaap-bc/resources/topics/mirrormakeragent.json index ff1a5732e2..ff1a5732e2 100644 --- a/kubernetes/dmaap/components/message-router/resources/topics/mirrormakeragent.json +++ b/kubernetes/dmaap/components/dmaap-bc/resources/topics/mirrormakeragent.json diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/configmap.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/configmap.yaml index 46ef837504..bb68eb783e 100644 --- a/kubernetes/dmaap/components/dmaap-bc/templates/configmap.yaml +++ b/kubernetes/dmaap/components/dmaap-bc/templates/configmap.yaml @@ -55,7 +55,7 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-aaf-config + name: {{ include "common.fullname" . }}-dr-nodes namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} @@ -63,4 +63,43 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/aaf/*").AsConfig . | indent 2 }}
\ No newline at end of file +{{ tpl (.Files.Glob "resources/dr_nodes/*.json").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-feeds + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/feeds/*.json").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-mr-clusters + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/mr_clusters/*.json").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-topics + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/topics/*.json").AsConfig . | indent 2 }}
\ No newline at end of file diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml index ea2720f9ce..3c6a23a470 100644 --- a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml +++ b/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml @@ -23,64 +23,29 @@ spec: spec: {{- if or .Values.global.aafEnabled .Values.PG.enabled }} initContainers: -{{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-aaf-readiness - command: - - /root/ready.py + - command: + - sh args: - - --container-name - - aaf-locate - - --container-name - - aaf-cm - - --container-name - - aaf-service + - -c + - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - name: {{ include "common.name" . }}-aaf-config - image: "{{ include "common.repository" . }}/{{ .Values.global.aafAgentImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c","exec /opt/app/aaf_config/bin/agent.sh"] + - name: PG_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: PG_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} volumeMounts: - - mountPath: {{ .Values.persistence.aafCredsPath }} - name: {{ include "common.name" . }}-aaf-config-vol - env: - - name: APP_FQI - value: "{{ .Values.aafConfig.fqi }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ .Release.Namespace }}:8095" - - name: aaf_locator_container - value: "{{ .Values.global.aafLocatorContainer }}" - - name: aaf_locator_container_ns - value: "{{ .Release.Namespace }}" - - name: aaf_locator_fqdn - value: "{{ .Values.aafConfig.fqdn }}" - - name: aaf_locator_public_fqdn - value: "{{.Values.aafConfig.publicFqdn}}" - - name: aaf_locator_app_ns - value: "{{ .Values.global.aafAppNs }}" - - name: DEPLOY_FQI - value: "{{ .Values.aafConfig.aafDeployFqi }}" - - name: DEPLOY_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.fullname" . }}-secret - key: aaf-deploy-password - - name: cadi_longitude - value: "{{ .Values.aafConfig.cadiLongitude }}" - - name: cadi_latitude - value: "{{ .Values.aafConfig.cadiLatitude }}" + - mountPath: /config-input + name: {{ include "common.name" . }}-config-input + - mountPath: /config + name: {{ include "common.name" . }}-config + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config +{{ include "common.certInitializer.initContainer" . | nindent 6 }} - name: {{ include "common.name" . }}-permission-fixer image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: {{ .Values.persistence.aafCredsPath }} - name: {{ include "common.name" . }}-aaf-config-vol + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} command: ["chown","-Rf","1000:1001", "/opt/app/"] # See AAF-425 for explanation of why this is needed. # This artifact is provisioned in AAF for both pks12 and jks format and apparently @@ -89,20 +54,19 @@ spec: - name: {{ include "common.name" . }}-cred-fixer image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: {{ .Values.persistence.aafCredsPath }} - name: {{ include "common.name" . }}-aaf-config-vol + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} command: ["/bin/sh"] args: [ "-c", "sed -i -e '/cadi_keystore_password=/d' -e '/cadi_keystore_password_jks/p' -e 's/cadi_keystore_password_jks/cadi_keystore_password/' -e 's/dmaap-bc.p12/dmaap-bc.jks/' /opt/app/osaaf/local/org.onap.dmaap-bc.cred.props" ] - -{{- end }} -{{- if .Values.PG.enabled }} - name: {{ include "common.name" . }}-postgres-readiness command: - /root/ready.py args: - --container-name - {{ .Values.postgres.nameOverride }} + - --container-name + - message-router + - --container-name + - dmaap-dr-node env: - name: NAMESPACE valueFrom: @@ -112,7 +76,6 @@ spec: image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} {{- end }} -{{- end }} containers: - name: {{ include "common.name" . }} image: "{{ .Values.repository }}/{{ .Values.image }}" @@ -134,12 +97,10 @@ spec: scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true - - mountPath: {{ .Values.persistence.aafCredsPath }} - name: {{ include "common.name" . }}-aaf-config-vol # NOTE: on the following several configMaps, careful to include / at end # since there may be more than one file in each mountPath - name: {{ include "common.name" . }}-config @@ -151,14 +112,15 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: localtime hostPath: path: /etc/localtime - - name: {{ include "common.name" . }}-config + - name: {{ include "common.name" . }}-config-input configMap: name: {{ include "common.fullname" . }}-config - - name: {{ include "common.name" . }}-aaf-config-vol - emptyDir: {} + - name: {{ include "common.name" . }}-config + emptyDir: + medium: Memory imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/post-install-job.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml index c06d4e1130..5b22f06aa8 100644 --- a/kubernetes/dmaap/components/dmaap-bc/templates/post-install-job.yaml +++ b/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml @@ -1,44 +1,49 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "common.fullname" . }}-post-install + name: {{ include "common.fullname" . }}-dmaap-provisioning namespace: {{ include "common.namespace" . }} labels: {{- include "common.labels" . | nindent 4 }} - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": post-install - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": hook-succeeded spec: + backoffLimit: 5 template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: restartPolicy: Never + initContainers: + - name: {{ include "common.name" . }}-init-readiness + image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /root/ready.py + args: + - --container-name + - dmaap-bc + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace containers: - - name: post-install-job + - name: dmaap-provisioning-job image: "{{ include "common.repository" . }}/{{ .Values.global.clientImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: - name: DELAY value: "0" + {{- if .Values.global.allow_http }} - name: PROTO -{{- if (include "common.needTLS" .) }} - value: "https" - - name: PORT - value: "8443" -{{- else }} value: "http" - name: PORT value: "8080" -{{- end }} + {{ end }} - name: REQUESTID - value: "{{.Chart.Name}}-post-install" + value: "{{.Chart.Name}}-dmaap-provisioning" volumeMounts: - mountPath: /etc/localtime name: localtime readOnly: true - # NOTE: on the following several configMaps, careful to include / at end # since there may be more than one file in each mountPath # NOTE: the basename of the subdirectory of mountPath is important - it matches the DBCL API URI @@ -46,6 +51,14 @@ spec: mountPath: /opt/app/config/dmaap/ - name: {{ include "common.fullname" . }}-dbc-dcaelocations mountPath: /opt/app/config/dcaeLocations/ + - name: {{ include "common.fullname" . }}-dr-nodes + mountPath: /opt/app/config/dr-nodes/ + - name: {{ include "common.fullname" . }}-feeds + mountPath: /opt/app/config/feeds/ + - name: {{ include "common.fullname" . }}-mr-clusters + mountPath: /opt/app/config/mr-clusters/ + - name: {{ include "common.fullname" . }}-topics + mountPath: /opt/app/config/topics/ resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} @@ -63,5 +76,17 @@ spec: - name: {{ include "common.fullname" . }}-dbc-dcaelocations configMap: name: {{ include "common.fullname" . }}-dbc-dcaelocations + - name: {{ include "common.fullname" . }}-dr-nodes + configMap: + name: {{ include "common.fullname" . }}-dr-nodes + - name: {{ include "common.fullname" . }}-feeds + configMap: + name: {{ include "common.fullname" . }}-feeds + - name: {{ include "common.fullname" . }}-mr-clusters + configMap: + name: {{ include "common.fullname" . }}-mr-clusters + - name: {{ include "common.fullname" . }}-topics + configMap: + name: {{ include "common.fullname" . }}-topics imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml index e15a152a21..7074e4de9a 100644 --- a/kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml +++ b/kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml @@ -13,18 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- if .Values.global.aafEnabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-secret - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - aaf-deploy-password: {{ index .Values.aafConfig.aafDeployPass | b64enc | quote }} -{{- end }} +{{ include "common.secretFast" . }} diff --git a/kubernetes/dmaap/components/dmaap-bc/values.yaml b/kubernetes/dmaap/components/dmaap-bc/values.yaml index 3a18787826..d9936d79f4 100644 --- a/kubernetes/dmaap/components/dmaap-bc/values.yaml +++ b/kubernetes/dmaap/components/dmaap-bc/values.yaml @@ -22,6 +22,22 @@ global: readinessImage: readiness-check:2.0.0 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + envsubstImage: dibi/envsubst + +secrets: + - uid: pg-root-pass + name: &pgRootPassSecretName '{{ include "common.release" . }}-dmaap-bc-pg-root-pass' + type: password + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "dmaap-bc-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' + password: '{{ .Values.postgres.config.pgRootpassword }}' + policy: generate + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-dmaap-bc-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "dmaap-bc-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate ################################################################# # Application configuration defaults. @@ -48,15 +64,21 @@ topicMgrPwd: demo123456! adminUser: aaf_admin@people.osaaf.org adminPwd: demo123456! -#AAF local config -aafConfig: +################################################################# +# AAF part +################################################################# +certInitializer: + nameOverride: dmaap-bc-cert-initializer aafDeployFqi: deployer@people.osaaf.org aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret fqdn: dmaap-bc fqi: dmaap-bc@dmaap-bc.onap.org publicFqdn: dmaap-bc.onap.org cadiLatitude: 0.0 cadiLongitude: 0.0 + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local persistence: aafCredsPath: /opt/app/osaaf/local/ @@ -114,9 +136,8 @@ postgres: config: pgUserName: dmaap_admin pgDatabase: dmaap - pgPrimaryPassword: onapdemodb - pgUserPassword: onapdemodb - pgRootPassword: onapdemodb + pgUserExternalSecret: *pgUserCredsSecretName + pgRootPasswordExternalSecret: *pgRootPassSecretName persistence: mountSubPath: dbc/data mountInitPath: dbc diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/log/filebeat/filebeat.yml b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/log/filebeat/filebeat.yml index e0cb1dd21b..d2bba1124e 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/log/filebeat/filebeat.yml +++ b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/log/filebeat/filebeat.yml @@ -57,4 +57,4 @@ output.logstash: #ssl.key: $ssl.key #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase
\ No newline at end of file + #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties index 3a95b5a221..784a35e25b 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties +++ b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties @@ -38,11 +38,11 @@ LogUploadURL=https://{{ .Values.global.dmaapDrProvName }}:{{ .Values.global.dmaa # The port number for http as seen within the server # #IntHttpPort: ${DRTR_NODE_INTHTTPPORT:-8080} -IntHttpPort={{.Values.config.dmaapDrNode.internalPort}} +IntHttpPort={{ include "common.getPort" (dict "global" . "name" "api" "getPlain" true) }} # # The port number for https as seen within the server # -IntHttpsPort={{.Values.config.dmaapDrNode.internalPort2}} +IntHttpsPort={{ include "common.getPort" (dict "global" . "name" "api") }} # # The external port number for https taking port mapping into account # @@ -59,7 +59,7 @@ MinRedirSaveInterval=10000 # # The path to the directory where log files are stored # -LogDir=/opt/app/datartr/logs +LogDir={{ .Values.persistence.event.path }} # # The retention interval (in days) for log files # @@ -67,7 +67,7 @@ LogRetention=30 # # The path to the directories where data and meta data files are stored # -SpoolDir=/opt/app/datartr/spool +SpoolDir={{ .Values.persistence.spool.path }} # # The path to the redirection data file # @@ -101,5 +101,4 @@ AAFAction = publish CadiEnabled = false # # AAF Props file path -AAFPropsFilePath = /opt/app/osaaf/local/org.onap.dmaap-dr.props - +AAFPropsFilePath = {{ .Values.aafConfig.credsPath }}/org.onap.dmaap-dr.props diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/NOTES.txt b/kubernetes/dmaap/components/dmaap-dr-node/templates/NOTES.txt index 65597e062f..62aeffbe80 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/NOTES.txt +++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/NOTES.txt @@ -17,17 +17,17 @@ {{- range .Values.ingress.hosts }} http://{{ . }} {{- end }} -{{- else if contains "NodePort" .Values.config.dmaapDrNode.servicetype }} +{{- else if contains "NodePort" .Values.service.type }} export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.config.dmaapDrNode.servicetype }} +{{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') echo http://$SERVICE_IP:{{.Values.config.dmaapDrNode.externalPort}} -{{- else if contains "ClusterIP" .Values.config.dmaapDrNode.servicetype }} +{{- else if contains "ClusterIP" .Values.service.type }} export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{.Values.config.dmaapDrNode.internalPort}} -{{- end }}
\ No newline at end of file + kubectl port-forward $POD_NAME 8080:{{ include "common.getPort" (dict "global" . "name" "api" "getPlain" true) }} +{{- end }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/post-install-job.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/post-install-job.yaml deleted file mode 100644 index e9ab9c96fe..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/post-install-job.yaml +++ /dev/null @@ -1,71 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-post-install - labels: - app.kubernetes.io/managed-by: {{.Release.Service | quote }} - app.kubernetes.io/instance: {{include "common.release" . | quote }} - helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" - release: {{ include "common.release" . }} - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": post-install - "helm.sh/hook-weight": "-2" - "helm.sh/hook-delete-policy": hook-succeeded -spec: - template: - metadata: - name: {{ include "common.fullname" . }} - labels: - app.kubernetes.io/managed-by: {{.Release.Service | quote }} - app.kubernetes.io/instance: {{include "common.release" . | quote }} - helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" - release: {{ include "common.release" . }} - spec: - restartPolicy: Never - containers: - - name: post-install-job - image: "{{ include "common.repository" . }}/{{ .Values.global.clientImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: DELAY - value: "60" - {{- if .Values.global.allow_http }} - - name: PROTO - value: "http" - - name: PORT - value: "8080" - {{ end }} - - name: REQUESTID - value: "{{.Chart.Name}}-post-install" - - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - -# NOTE: on the following several configMaps, careful to include / at end -# since there may be more than one file in each mountPath -# NOTE: the basename of the subdirectory is important - it matches the DBCL API URI - - name: {{ include "common.fullname" . }}-dbc-drnodes - mountPath: /opt/app/config/dr_nodes/ - resources: -{{ include "common.resources" . | indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-dbc-drnodes - configMap: - name: {{ include "common.fullname" . }}-dbc-drnodes - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/pv-aaf.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/pv-aaf.yaml deleted file mode 100644 index 4c30f58a6c..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/pv-aaf.yaml +++ /dev/null @@ -1,54 +0,0 @@ -{{/* - # ============LICENSE_START======================================================= - # Copyright (C) 2019 Nordix Foundation. - # ================================================================================ - # Licensed under the Apache License, Version 2.0 (the "License"); - # you may not use this file except in compliance with the License. - # You may obtain a copy of the License at - # - # http://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, - # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - # See the License for the specific language governing permissions and - # limitations under the License. - # - # SPDX-License-Identifier: Apache-2.0 - # ============LICENSE_END========================================================= -*/}} - - -{{- if .Values.global.aafEnabled }} -{{- $global := . }} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} -{{- if (include "common.needPV" .) -}} -{{- range $i := until (int $global.Values.replicaCount)}} ---- -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-aaf-props-{{ $i }} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.name" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }}-aaf-props -spec: - capacity: - storage: {{ $global.Values.persistence.aafCredsSize }} - accessModes: - - {{ $global.Values.persistence.accessMode }} - storageClassName: "{{ include "common.fullname" $global }}-data-aaf-props" - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.aafCredsMountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/pv-event.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/pv-event.yaml index c7ecb07452..59b7b8c30e 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/pv-event.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/pv-event.yaml @@ -1,7 +1,7 @@ {{/* - # ============LICENSE_START======================================================= - # Copyright (C) 2019 Nordix Foundation. - # ================================================================================ + # ============LICENSE_START=================================================== + # Copyright (C) 2020 Nordix Foundation, Orange. + # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -15,37 +15,7 @@ # limitations under the License. # # SPDX-License-Identifier: Apache-2.0 - # ============LICENSE_END========================================================= + # ============LICENSE_END===================================================== */}} ---- -{{- $global := . }} -{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) }} -{{- if (include "common.needPV" .) -}} -{{- range $i := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-event-logs-{{ $i }} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.fullname" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }}-event-logs -spec: - capacity: - storage: {{ $global.Values.persistence.eventLogSize}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data-event-logs" - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.eventLogsMountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} +{{ include "common.replicaPV" (dict "dot" . "suffix" "event-logs" "persistenceInfos" .Values.persistence.event) }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/pv-spool.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/pv-spool.yaml index 094e92a4ad..8ada88319d 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/pv-spool.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/pv-spool.yaml @@ -1,7 +1,7 @@ {{/* - # ============LICENSE_START======================================================= - # Copyright (C) 2019 Nordix Foundation. - # ================================================================================ + # ============LICENSE_START=================================================== + # Copyright (C) 2020 Nordix Foundation, Orange. + # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -15,36 +15,7 @@ # limitations under the License. # # SPDX-License-Identifier: Apache-2.0 - # ============LICENSE_END========================================================= + # ============LICENSE_END===================================================== */}} -{{- $global := . }} -{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) }} -{{- if (include "common.needPV" .) -}} -{{- range $i := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-spool-data-{{$i}} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.fullname" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }}-spool-data -spec: - capacity: - storage: {{ $global.Values.persistence.spoolSize}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data" - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.spoolMountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} +{{ include "common.replicaPV" (dict "dot" . "suffix" "spool" "persistenceInfos" .Values.persistence.spool) }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/secret.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/secret.yaml new file mode 100644 index 0000000000..f8c32e0670 --- /dev/null +++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/service.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/service.yaml index 77aae1dd41..4ad43acf2a 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/service.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/service.yaml @@ -12,40 +12,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Service -metadata: - name: {{.Values.config.dmaapDrNode.name}} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -spec: - type: {{.Values.config.dmaapDrNode.servicetype}} - ports: - {{if eq .Values.config.dmaapDrNode.servicetype "NodePort" -}} - {{- if .Values.global.allow_http }} - - port: {{.Values.config.dmaapDrNode.externalPort}} - targetPort: {{.Values.config.dmaapDrNode.internalPort}} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{.Values.config.dmaapDrNode.nodePort}} - name: {{.Values.config.dmaapDrNode.name}} - {{- end}} - - port: {{.Values.config.dmaapDrNode.externalPort2}} - targetPort: {{.Values.config.dmaapDrNode.internalPort2}} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{.Values.config.dmaapDrNode.nodePort2}} - name: {{.Values.config.dmaapDrNode.name}}2 - {{- else -}} - - port: {{.Values.config.dmaapDrNode.externalPort}} - targetPort: {{.Values.config.dmaapDrNode.internalPort}} - name: {{.Values.config.dmaapDrNode.name}} - - port: {{.Values.config.dmaapDrNode.externalPort2}} - targetPort: {{.Values.config.dmaapDrNode.internalPort2}} - name: {{.Values.config.dmaapDrNode.name}}2 - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }}
\ No newline at end of file +{{ include "common.service" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml index 5ef7c2f242..6d797156d8 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml @@ -11,24 +11,15 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: apps/v1beta1 +apiVersion: apps/v1 kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} + serviceName: {{ include "common.servicename" . }} replicas: {{ .Values.replicaCount }} - serviceName: {{ .Values.config.dmaapDrNode.name }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - name: {{ include "common.name" . }}-readiness @@ -45,94 +36,37 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-aaf-readiness - image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /root/ready.py - args: - - --container-name - - aaf-locate - - --container-name - - aaf-cm - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-dr-node-aaf-config - image: "{{ include "common.repository" . }}/{{ .Values.global.aafAgentImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: {{ .Values.persistence.aafCredsPath }} - name: {{ include "common.fullname" . }}-aaf-props - command: ["bash","-c","exec /opt/app/aaf_config/bin/agent.sh"] - env: - - name: APP_FQI - value: "{{ .Values.aafConfig.fqi }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ .Release.Namespace }}:8095" - - name: aaf_locator_container - value: "{{ .Values.global.aafLocatorContainer }}" - - name: aaf_locator_container_ns - value: "{{ .Release.Namespace }}" - - name: aaf_locator_fqdn - value: "{{ .Values.aafConfig.fqdn }}" - - name: aaf_locator_public_fqdn - value: "{{.Values.aafConfig.publicFqdn}}" - - name: aaf_locator_app_ns - value: "{{ .Values.global.aafAppNs }}" - - name: DEPLOY_FQI - value: "{{ .Values.aafConfig.aafDeployFqi }}" - - name: DEPLOY_PASSWORD - value: "{{ .Values.aafConfig.aafDeployPass }}" - - name: cadi_longitude - value: "{{ .Values.aafConfig.cadiLongitude }}" - - name: cadi_latitude - value: "{{ .Values.aafConfig.cadiLatitude }}" - {{- end }} + {{- if .Values.global.aafEnabled }}{{ include "common.aaf-config" . | nindent 8 }}{{ end }} - name: {{ include "common.name" . }}-permission-fixer image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: {{ .Values.persistence.spoolPath }} - name: {{ include "common.fullname" . }}-data - - mountPath: {{ .Values.persistence.eventLogsPath }} + volumeMounts: {{- if .Values.global.aafEnabled }}{{ include "common.aaf-config-volume-mountpath" . | nindent 10 }}{{ end }} + - mountPath: {{ .Values.persistence.spool.path }} + name: {{ include "common.fullname" . }}-spool + - mountPath: {{ .Values.persistence.event.path }} name: {{ include "common.fullname" . }}-event-logs - {{- if .Values.global.aafEnabled }} - - mountPath: {{ .Values.persistence.aafCredsPath }} - name: {{ include "common.fullname" . }}-aaf-props - {{- end }} command: ["chown","-Rf","1000:1001", "/opt/app/"] containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{.Values.config.dmaapDrNode.externalPort}} - - containerPort: {{.Values.config.dmaapDrNode.externalPort2}} + ports: {{ include "common.containerPorts" . | nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{.Values.config.dmaapDrNode.internalPort}} + port: {{.Values.liveness.port}} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: tcpSocket: - port: {{.Values.config.dmaapDrNode.internalPort}} + port: {{.Values.readiness.port}} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - {{- if .Values.global.aafEnabled }} - - mountPath: {{ .Values.persistence.aafCredsPath }} - name: {{ include "common.fullname" . }}-aaf-props - {{- end }} - - mountPath: {{ .Values.persistence.spoolPath }} - name: {{ include "common.fullname" . }}-data - - mountPath: {{ .Values.persistence.eventLogsPath }} + volumeMounts: {{- if .Values.global.aafEnabled }}{{ include "common.aaf-config-volume-mountpath" . | nindent 10 }}{{ end }} + - mountPath: {{ .Values.persistence.spool.path }} + name: {{ include "common.fullname" . }}-spool + - mountPath: {{ .Values.persistence.event.path }} name: {{ include "common.fullname" . }}-event-logs - mountPath: /etc/localtime name: localtime @@ -145,15 +79,12 @@ spec: subPath: logback.xml - mountPath: {{ .Values.global.loggingDirectory }} name: {{ include "common.fullname" . }}-logs - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end -}} # Filebeat sidecar container - name: {{ include "common.name" . }}-filebeat-onap @@ -169,7 +100,7 @@ spec: mountPath: /var/log/onap/datarouter-node imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - volumes: + volumes: {{ include "common.aaf-config-volumes" . | nindent 8 }} - name: localtime hostPath: path: /etc/localtime @@ -192,56 +123,11 @@ spec: {{- if not .Values.persistence.enabled }} - name: {{ include "common.fullname" . }}-event-logs emptyDir: {} - - name: {{ include "common.fullname" . }}-data - emptyDir: {} - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.fullname" . }}-aaf-props + - name: {{ include "common.fullname" . }}-spool emptyDir: {} {{- end }} - {{- end }} {{- if .Values.persistence.enabled }} volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.spoolSize }} - - metadata: - name: {{ include "common.fullname" . }}-event-logs - labels: - name: {{ include "common.fullname" . }} - spec: - accessModes: - - {{ .Values.persistence.accessMode }} - {{- if eq "True" (include "common.needPV" .) }} - storageClassName: "{{ include "common.fullname" . }}-data-event-logs" - {{- else }} - storageClassName: {{ include "common.storageClass" . }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.eventLogSize }} -{{- if .Values.global.aafEnabled }} - - metadata: - name: {{ include "common.fullname" . }}-aaf-props - labels: - name: {{ include "common.fullname" . }} - spec: - accessModes: - - {{ .Values.persistence.accessMode }} - {{- if eq "True" (include "common.needPV" .) }} - storageClassName: "{{ include "common.fullname" . }}-data-aaf-props" - {{- else }} - storageClassName: {{ include "common.storageClass" . }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.aafCredsSize }} -{{- end }} + - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "spool" "persistenceInfos" .Values.persistence.spool) | indent 4 | trim }} + - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "event-logs" "persistenceInfos" .Values.persistence.event) | indent 4 | trim }} {{- end }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml index 9ed8a0b8e8..2b4b722bfb 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml @@ -18,6 +18,7 @@ global: loggingDirectory: /var/log/onap/datarouter persistence: {} + aafEnabled: true ################################################################# # Application configuration defaults. @@ -45,40 +46,64 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true + port: api readiness: initialDelaySeconds: 30 periodSeconds: 10 + port: api ## Persist data to a persitent volume persistence: enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce mountPath: /dockerdata-nfs + spool: + enabled: true + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + mountSubPath: data-router/dr-node/spool-data + size: 2Gi + path: /opt/app/datartr/spool + labels: + app.kubernetes.io/component: spool + + event: + enabled: true + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + mountSubPath: data-router/dr-node/event-logs + path: /opt/app/datartr/logs + size: 2Gi + labels: + app.kubernetes.io/component: event-logs - spoolMountSubPath: data-router/dr-node/spool-data - spoolSize: 2Gi - spoolPath: /opt/app/datartr/spool - - eventLogsMountSubPath: data-router/dr-node/event-logs - eventLogSize: 2Gi - eventLogsPath: /opt/app/datartr/logs - - aafCredsMountSubPath: data-router/dr-node/aaf-props - aafCredsSize: 10M - aafCredsPath: /opt/app/osaaf/local - -#AAF local config +################################################################# +# AAF part +################################################################# aafConfig: aafDeployFqi: deployer@people.osaaf.org aafDeployPass: demo123456! fqdn: dmaap-dr-node fqi: dmaap-dr-node@dmaap-dr.onap.org - publicFqdn: dmaap-dr.onap.org - cadiLatitude: 0.0 - cadiLongitude: 0.0 + public_fqdn: dmaap-dr.onap.org + cadi_longitude: 0.0 + cadi_latitude: 0.0 + app_ns: org.osaaf.aaf + permission_user: 1000 + permission_group: 1001 + secret_uid: &aaf_secret_uid dmaap-dr-node-aaf-deploy-creds + credsPath: /opt/app/osaaf/local +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: *aaf_secret_uid + type: basicAuth + externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDisabled" .Values.global.aafEnabled }}' + login: '{{ .Values.aafConfig.aafDeployFqi }}' + password: '{{ .Values.aafConfig.aafDeployPass }}' + passwordPolicy: required ingress: enabled: false @@ -109,19 +134,23 @@ resources: memory: 2Gi unlimited: {} +service: + type: NodePort + name: dmaap-dr-node + useNodePortExt: true + both_tls_and_plain: true + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + ports: + - name: api + port: 8443 + plain_port: 8080 + port_protocol: http + nodePort: 94 + config: # dr node server configuration dmaapDrNode: - servicetype: NodePort - name: dmaap-dr-node - externalPort: 8080 - externalPort2: 8443 - internalPort: 8080 - internalPort2: 8443 - portName: dr-node-port - portName2: dr-node-port2 - nodePort: 93 - nodePort2: 94 # dr uses the EELF Logging framework https://github.com/att/EELF # and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF logLevel: "INFO" diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/post-install-job.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/post-install-job.yaml deleted file mode 100644 index f8ce02835a..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/post-install-job.yaml +++ /dev/null @@ -1,79 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-post-install - labels: - app.kubernetes.io/managed-by: {{.Release.Service | quote }} - app.kubernetes.io/instance: {{include "common.release" . | quote }} - helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" - release: {{ include "common.release" . }} - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": post-install - "helm.sh/hook-weight": "-3" - "helm.sh/hook-delete-policy": hook-succeeded -spec: - template: - metadata: - name: {{ include "common.fullname" . }} - labels: - app.kubernetes.io/managed-by: {{.Release.Service | quote }} - app.kubernetes.io/instance: {{include "common.release" . | quote }} - helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" - release: {{ include "common.release" . }} - spec: - restartPolicy: Never - containers: - - name: post-install-job - image: "{{ include "common.repository" . }}/{{ .Values.global.clientImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: DELAY - value: "30" - {{- if .Values.global.allow_http }} - - name: PROTO - value: "http" - - name: PORT - value: "8080" - {{ end }} - - name: REQUESTID - value: "{{.Chart.Name}}-post-install" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true -# NOTE: on the following several configMaps, careful to include / at end -# since there may be more than one file in each mountPath -# NOTE: the basename of the subdirectory is important - it matches the DBCL API URI - - name: {{ include "common.fullname" . }}-dbc-feeds - mountPath: /opt/app/config/feeds/ - - name: {{ include "common.fullname" . }}-dbc-drpubs - mountPath: /opt/app/config/dr_pubs/ - - name: {{ include "common.fullname" . }}-dbc-drsubs - mountPath: /opt/app/config/dr_subs/ - resources: -{{ include "common.resources" . | indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-dbc-feeds - configMap: - name: {{ include "common.fullname" . }}-dbc-feeds - - name: {{ include "common.fullname" . }}-dbc-drpubs - configMap: - name: {{ include "common.fullname" . }}-dbc-drpubs - - name: {{ include "common.fullname" . }}-dbc-drsubs - configMap: - name: {{ include "common.fullname" . }}-dbc-drsubs - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml index 196be0dabe..3fb90f0533 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml @@ -120,7 +120,6 @@ mariadb: persistence: size: 1Gi mountSubPath: data-router/dr-db-data - disableNfsProvisioner: true #AAF local config aafConfig: diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml index 4ba11ec8c7..0163fbd5d4 100644 --- a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml @@ -82,6 +82,7 @@ spec: - sh - -exec - | + rm -rf '/var/lib/kafka/data/lost+found'; chown -R 1000:0 /var/lib/kafka/data; image: "{{ .Values.busyBoxRepository }}/{{ .Values.busyBoxImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} diff --git a/kubernetes/dmaap/components/message-router/resources/mr_clusters/san-francisco.json b/kubernetes/dmaap/components/message-router/resources/mr_clusters/san-francisco.json deleted file mode 100644 index 6c201f6b30..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/mr_clusters/san-francisco.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "dcaeLocationName": "san-francisco", - "fqdn": "message-router", - "topicProtocol": "https", - "topicPort": "3905" -} diff --git a/kubernetes/dmaap/components/message-router/templates/post-install-job.yaml b/kubernetes/dmaap/components/message-router/templates/post-install-job.yaml deleted file mode 100644 index 26f38c9a4f..0000000000 --- a/kubernetes/dmaap/components/message-router/templates/post-install-job.yaml +++ /dev/null @@ -1,90 +0,0 @@ -{{- if .Values.global.aafEnabled }} -# Copyright © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-post-install - labels: - app.kubernetes.io/managed-by: {{.Release.Service | quote }} - app.kubernetes.io/instance: {{include "common.release" . | quote }} - helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" - release: {{ include "common.release" . }} - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": post-install - "helm.sh/hook-weight": "-4" - "helm.sh/hook-delete-policy": hook-succeeded -spec: - template: - metadata: - name: {{ include "common.fullname" . }} - labels: - app.kubernetes.io/managed-by: {{.Release.Service | quote }} - app.kubernetes.io/instance: {{include "common.release" . | quote }} - helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" - release: {{ include "common.release" . }} - spec: - restartPolicy: Never - containers: - - name: post-install-job - image: "{{ include "common.repository" . }}/{{ .Values.global.clientImage }}" - imagePullPolicy: "Always" - env: - - name: DELAY - value: "30" - {{- if .Values.global.allow_http }} - - name: PROTO - value: "http" - - name: PORT - value: "8080" - {{ end }} - - name: REQUESTID - value: "{{.Chart.Name}}-post-install" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - -# NOTE: on the following several configMaps, careful to include / at end -# since there may be more than one file in each mountPath -# NOTE: the basename of the subdirectory of mountPath is important - it matches the DBCL API URI - - name: {{ include "common.fullname" . }}-dbc-mrclusters - mountPath: /opt/app/config/mr_clusters/ - - name: {{ include "common.fullname" . }}-dbc-topics - mountPath: /opt/app/config/topics/ - resources: -{{ include "common.resources" . | indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-dbc-mrclusters - configMap: - name: {{ include "common.fullname" . }}-dbc-mrclusters - - name: {{ include "common.fullname" . }}-dbc-topics - configMap: - name: {{ include "common.fullname" . }}-dbc-topics - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" -{{- end }}
\ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/values.yaml b/kubernetes/dmaap/components/message-router/values.yaml index 78721169d4..f742419b46 100644 --- a/kubernetes/dmaap/components/message-router/values.yaml +++ b/kubernetes/dmaap/components/message-router/values.yaml @@ -95,6 +95,13 @@ prometheus: ingress: enabled: false + service: + - baseaddr: "mr.api" + name: "message-router" + port: 3905 + config: + ssl: "redirect" + # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/dmaap/values.yaml b/kubernetes/dmaap/values.yaml index f9f20a3665..c6b4566e64 100644 --- a/kubernetes/dmaap/values.yaml +++ b/kubernetes/dmaap/values.yaml @@ -46,8 +46,6 @@ global: aafAppNs: org.osaaf.aaf aafLocatorContainer: oom - - #Component overrides message-router: enabled: true diff --git a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml index 9319485ddf..9c70d327d7 100644 --- a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml +++ b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml @@ -31,6 +31,27 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + initContainers: + - command: + - cp + args: + - -r + - -T + - /home/esr/tomcat + - /opt/tomcat + securityContext: + privileged: true + image: "{{ include "common.repository" . }}/{{ .Values.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: create-tomcat-dir + volumeMounts: + - name: tomcat-workdir + mountPath: /opt/tomcat + containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -54,15 +75,23 @@ spec: env: - name: MSB_ADDR value: {{ tpl .Values.msbaddr . }} + volumeMounts: + - name: tomcat-workdir + mountPath: /home/esr/tomcat/ resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: + nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} {{- end -}} {{- if .Values.affinity }} - affinity: + affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + + volumes: + - name: tomcat-workdir + emptyDir: {} + imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/esr/charts/esr-server/templates/deployment.yaml b/kubernetes/esr/charts/esr-server/templates/deployment.yaml index d6704285d0..995a409d8a 100644 --- a/kubernetes/esr/charts/esr-server/templates/deployment.yaml +++ b/kubernetes/esr/charts/esr-server/templates/deployment.yaml @@ -31,6 +31,27 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + initContainers: + - command: + - cp + args: + - -r + - -T + - /home/esr/conf + - /opt/conf + securityContext: + privileged: true + image: "{{ include "common.repository" . }}/{{ .Values.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: create-conf-dir + volumeMounts: + - name: conf-dir + mountPath: /opt/conf + containers: - name: {{ .Chart.Name }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -60,6 +81,8 @@ spec: readOnly: true - mountPath: /home/esr/works/logs name: {{ include "common.fullname" . }}-logs + - mountPath: /home/esr/conf + name: conf-dir resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -72,6 +95,9 @@ spec: {{- end }} # Filebeat sidecar container - name: {{ include "common.name" . }}-filebeat-onap + securityContext: + runAsUser: 1000 + runAsGroup: 1000 image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: @@ -99,5 +125,8 @@ spec: emptyDir: {} - name: {{ include "common.fullname" . }}-logs emptyDir: {} + - name: conf-dir + emptyDir: {} + imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/log/charts/log-kibana/values.yaml b/kubernetes/log/charts/log-kibana/values.yaml index d69ab8ef42..8d4b49e20f 100644 --- a/kubernetes/log/charts/log-kibana/values.yaml +++ b/kubernetes/log/charts/log-kibana/values.yaml @@ -81,7 +81,7 @@ service: ingress: enabled: false service: - - baseaddr: "logkibana" + - baseaddr: "kibana.api" name: "log-kibana" port: 5601 config: @@ -105,4 +105,4 @@ resources: requests: cpu: 2 memory: 4Gi - unlimited: {}
\ No newline at end of file + unlimited: {} diff --git a/kubernetes/modeling/charts/modeling-etsicatalog/templates/deployment.yaml b/kubernetes/modeling/charts/modeling-etsicatalog/templates/deployment.yaml index 00c2661391..f294abf14e 100644 --- a/kubernetes/modeling/charts/modeling-etsicatalog/templates/deployment.yaml +++ b/kubernetes/modeling/charts/modeling-etsicatalog/templates/deployment.yaml @@ -73,6 +73,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbProtocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - name: MYSQL_ADDR diff --git a/kubernetes/modeling/charts/modeling-etsicatalog/templates/service.yaml b/kubernetes/modeling/charts/modeling-etsicatalog/templates/service.yaml index c4aad67beb..61aefa570c 100644 --- a/kubernetes/modeling/charts/modeling-etsicatalog/templates/service.yaml +++ b/kubernetes/modeling/charts/modeling-etsicatalog/templates/service.yaml @@ -30,14 +30,16 @@ metadata: "url": "/api/parser/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" }, { - "serviceName": "etsicatalog", + "serviceName": "catalog", "version": "v1", "url": "/api/catalog/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" }, { @@ -46,6 +48,7 @@ metadata: "url": "/api/nsd/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" }, { @@ -54,6 +57,7 @@ metadata: "url": "/api/vnfpkgm/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/modeling/charts/modeling-etsicatalog/values.yaml b/kubernetes/modeling/charts/modeling-etsicatalog/values.yaml index af0d4730ac..30ca493775 100644 --- a/kubernetes/modeling/charts/modeling-etsicatalog/values.yaml +++ b/kubernetes/modeling/charts/modeling-etsicatalog/values.yaml @@ -23,6 +23,8 @@ global: loggingImage: beats/filebeat:5.5.0 config: + ssl_enabled: false + msbProtocol: https msbServiceName: msb-iag msbPort: 443 @@ -60,7 +62,7 @@ mariadb-galera: flavor: small repository: nexus3.onap.org:10001 -image: onap/modeling/etsicatalog:1.0.5 +image: onap/modeling/etsicatalog:1.0.6 pullPolicy: Always #Istio sidecar injection policy diff --git a/kubernetes/msb/charts/kube2msb/values.yaml b/kubernetes/msb/charts/kube2msb/values.yaml index af845939a5..556931d07e 100644 --- a/kubernetes/msb/charts/kube2msb/values.yaml +++ b/kubernetes/msb/charts/kube2msb/values.yaml @@ -24,7 +24,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/oom/kube2msb:1.1.0 +image: onap/oom/kube2msb:1.2.6 pullPolicy: Always istioSidecar: true @@ -70,4 +70,4 @@ resources: requests: cpu: 1 memory: 1Gi - unlimited: {}
\ No newline at end of file + unlimited: {} diff --git a/kubernetes/msb/charts/msb-discovery/values.yaml b/kubernetes/msb/charts/msb-discovery/values.yaml index 268385d59f..9f8f061d8e 100644 --- a/kubernetes/msb/charts/msb-discovery/values.yaml +++ b/kubernetes/msb/charts/msb-discovery/values.yaml @@ -60,7 +60,7 @@ service: ingress: enabled: false service: - - baseaddr: "msbdiscovery" + - baseaddr: "msb.api.discovery" name: "msb-discovery" port: 10081 config: diff --git a/kubernetes/msb/charts/msb-eag/values.yaml b/kubernetes/msb/charts/msb-eag/values.yaml index c5820ae3dc..60c197327e 100644 --- a/kubernetes/msb/charts/msb-eag/values.yaml +++ b/kubernetes/msb/charts/msb-eag/values.yaml @@ -24,7 +24,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/msb/msb_apigateway:1.2.6 +image: onap/msb/msb_apigateway:1.2.7 pullPolicy: Always istioSidecar: true diff --git a/kubernetes/msb/charts/msb-iag/values.yaml b/kubernetes/msb/charts/msb-iag/values.yaml index 00adb83658..a927816492 100644 --- a/kubernetes/msb/charts/msb-iag/values.yaml +++ b/kubernetes/msb/charts/msb-iag/values.yaml @@ -24,7 +24,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/msb/msb_apigateway:1.2.6 +image: onap/msb/msb_apigateway:1.2.7 pullPolicy: Always istioSidecar: true diff --git a/kubernetes/msb/resources/config/certificates/ca.crt b/kubernetes/msb/resources/config/certificates/ca.crt new file mode 100644 index 0000000000..62da777a58 --- /dev/null +++ b/kubernetes/msb/resources/config/certificates/ca.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkjCCAnoCCQCHtNgoWafiHzANBgkqhkiG9w0BAQsFADCBijELMAkGA1UEBhMC +Q04xETAPBgNVBAgMCHNpY2h1YW5nMRAwDgYDVQQHDAdjaGVuZ2R1MQwwCgYDVQQK +DAN6dGUxDjAMBgNVBAsMBXplbmFwMTgwNgYDVQQDDC9aVEUgT3BlblBhbGV0dGUg +Um9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxNzAeFw0xNzAzMTcwMTU2MjBa +Fw0yNzAzMTUwMTU2MjBaMIGKMQswCQYDVQQGEwJDTjERMA8GA1UECAwIc2ljaHVh +bmcxEDAOBgNVBAcMB2NoZW5nZHUxDDAKBgNVBAoMA3p0ZTEOMAwGA1UECwwFemVu +YXAxODA2BgNVBAMML1pURSBPcGVuUGFsZXR0ZSBSb290IENlcnRpZmljYXRlIEF1 +dGhvcml0eSAyMDE3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA23LK +Eq56pVzsRbYJ6NMdk82QfLjnp+f7KzdQ46SfwldG3gmipasPwDXV9jT9FvUlX8s/ +mRphOyuZ7vDzL2QjlS/FBATTWrJ2VCJmBVlzVu4STZ6YrxpQrSAalGkiYd9uT2Yt +2quNUPCsZSlJ8qJCYs098bJ2XTsK0JBby94j3nTdvNWhhErrheWdG/CHje32sKog +6BxN4GzMeZ2fUd0vKsqBs89M0pApdjpRMqEGHg+Lri4iiE9kKa/Y8S3V6ggJZjbp +7xs7N0miy/paeosjfFe5U6mhumUSZPFy8ueAgGxqBkwvLJwCY3HYcrsFGaXTu+c3 +p2q1Adygif1h43HrvQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAb/cgmsCxvQmvu +5e4gpn5WEMo0k7F6IAghd8139i9vmtQ88reYZvfiVsp/5ZjNnNj75lLbjjexDkPA +bdnAiJfRKOrMaPqY6Bem4v8lPu1B/kj1umn4BXOCC1kpcH/2JCmvI8uh49SSlT9J +wUSKWw8Qhy9XKN692y02QZke9Xp2HoFvMUlntglmQUIRO5eBYLQCSWpfv/iyMs6w +ar7Tk1p2rURpRh02P7WFQ5j5fxXEOrkMT7FX80EB3AddSthstj2iDlUcqfG3jXH/ +FA5r1q45kMUaMYxV9WIE67Vt0RaxrUJYWDR2kDSSox7LR5GpjWiSlPAfcLCeVuA3 +3lR7lW/J +-----END CERTIFICATE----- diff --git a/kubernetes/msb/resources/config/certificates/cert.crt b/kubernetes/msb/resources/config/certificates/cert.crt new file mode 100644 index 0000000000..7d1314f59e --- /dev/null +++ b/kubernetes/msb/resources/config/certificates/cert.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqjCCApKgAwIBAgIJAOQWcdss4Qu5MA0GCSqGSIb3DQEBCwUAMIGKMQswCQYD +VQQGEwJDTjERMA8GA1UECAwIc2ljaHVhbmcxEDAOBgNVBAcMB2NoZW5nZHUxDDAK +BgNVBAoMA3p0ZTEOMAwGA1UECwwFemVuYXAxODA2BgNVBAMML1pURSBPcGVuUGFs +ZXR0ZSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDE3MB4XDTIwMDQyMjAy +NTc1MFoXDTIyMDQyMjAyNTc1MFowYDELMAkGA1UEBhMCQ04xEDAOBgNVBAgMB1Np +Y2h1YW4xEDAOBgNVBAcMB0NoZW5nZHUxDTALBgNVBAoMBE9OQVAxDDAKBgNVBAsM +A01TQjEQMA4GA1UEAwwHbXNiLWlhZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAMa1YlTIL8APcmASbxrD7Q9BhWL9Hwi+FKO4HsIrSiJj/A/FLVe3kV2a +xA7b5wdv44P0qQnh3pc0djlnZ47Fgli3lhEZ33+j5vrXHCjEFKiZZVeO+y/p+OcZ +VMNiL+MPJNTNgMkPoaljs/U6fn6fFyAgMMIqqigxHJaNvz7IH+UpqbWWzZo7+JqC +lBi8t5ZIDk18/3cPQWXIne+3MoYULdEayAS8/4wYoJANH1knmSG+J07f9uCXniiz +4zFFngMGHm4kuKXJCAl5E6S5fPzsLKqtwbbn9kJNyWoNFDuc7zW5dPfqPVckHHQ8 +Dx0q2111UgrzrBZMW1RKmcwB+1YXip8CAwEAAaM8MDowCQYDVR0TBAIwADALBgNV +HQ8EBAMCBeAwIAYDVR0RBBkwF4IVKi5zaW1wbGVkZW1vLm9uYXAub3JnMA0GCSqG +SIb3DQEBCwUAA4IBAQCXSECDNzsg2MhVIVvviqxhpZWZ3sa7KxXlyd9iSmBzkneS ++XiyUC575ZM3lmh1Kme35bWgz5R/w76XLSMBPxIX6uZ4HVNQqwSPv63Nk9+ON3IN +iCn6ehHKJgT0rpx/aB3sIcE1hEtIWLGaaKVEb3DOuDbkbBT9eJbIgHKkT80PKynK +l35dQRMiGBQiD8cBUxTOJaj7QohZ/aUWArZCOl0uvddkrs/IOCMY3BDQ0WZ7RYp3 +LwpgZVPzkVRaSLSq3TS07Re+nZcaht69T6mdMY5V0gW20O4J2nWMaldSmlNqcddb +Nl5Xn0lRMW651ZzxEkcaXNtR78yLYi2JXtyQBgVA +-----END CERTIFICATE----- diff --git a/kubernetes/multicloud/charts/multicloud-k8s/values.yaml b/kubernetes/multicloud/charts/multicloud-k8s/values.yaml index 3c7b1d3a65..f0bfedb43a 100644 --- a/kubernetes/multicloud/charts/multicloud-k8s/values.yaml +++ b/kubernetes/multicloud/charts/multicloud-k8s/values.yaml @@ -27,7 +27,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/multicloud/k8s:0.5.0 +image: onap/multicloud/k8s:0.6.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/nbi/requirements.yaml b/kubernetes/nbi/requirements.yaml index 4bd4fd863e..7ce343627a 100644 --- a/kubernetes/nbi/requirements.yaml +++ b/kubernetes/nbi/requirements.yaml @@ -20,6 +20,9 @@ dependencies: # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' + - name: certInitializer + version: ~6.x-0 + repository: '@local' - name: mongo version: ~6.x-0 repository: '@local' diff --git a/kubernetes/nbi/templates/deployment.yaml b/kubernetes/nbi/templates/deployment.yaml index 1b4195c733..22dd4a1ded 100644 --- a/kubernetes/nbi/templates/deployment.yaml +++ b/kubernetes/nbi/templates/deployment.yaml @@ -33,7 +33,7 @@ spec: name: {{ include "common.fullname" . }} spec: {{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.aaf-config" . | nindent 6 }} + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} {{- end }} containers: - name: {{ include "common.name" . }} @@ -49,11 +49,11 @@ spec: args: - -c - | - export $(grep '^c' {{ .Values.aafConfig.credsPath }}/mycreds.prop | xargs -0) + export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) export JAVA_OPTS="-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ - -Dserver.ssl.key-store={{ .Values.aafConfig.credsPath }}/org.onap.nbi.p12 \ + -Dserver.ssl.key-store={{ .Values.certInitializer.credsPath }}/org.onap.nbi.p12 \ -Dserver.ssl.key-store-type=PKCS12 \ - -Djavax.net.ssl.trustStore={{ .Values.aafConfig.credsPath }}/org.onap.nbi.trust.jks \ + -Djavax.net.ssl.trustStore={{ .Values.certInitializer.credsPath }}/org.onap.nbi.trust.jks \ -Dserver.ssl.key-store-password=$cadi_keystore_password_p12 \ -Djavax.net.ssl.trustStoreType=jks\ -Djava.security.egd=file:/dev/./urandom -Dserver.port=8443" @@ -122,7 +122,7 @@ spec: value: "msb-discovery.{{ include "common.namespace" . }}" - name: MSB_DISCOVERY_PORT value: "10081" - volumeMounts: {{ include "common.aaf-config-volume-mountpath" . | nindent 12 }} + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 12 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -148,7 +148,7 @@ spec: # name: esr-server-logs # - mountPath: /usr/share/filebeat/data # name: esr-server-filebeat - volumes: {{ include "common.aaf-config-volumes" . | nindent 8 }} + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: localtime hostPath: path: /etc/localtime diff --git a/kubernetes/nbi/templates/ingress.yaml b/kubernetes/nbi/templates/ingress.yaml new file mode 100644 index 0000000000..0cd8cfbd36 --- /dev/null +++ b/kubernetes/nbi/templates/ingress.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung, Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.ingress" . }} diff --git a/kubernetes/nbi/values.yaml b/kubernetes/nbi/values.yaml index dcf9573bc7..4fe092e603 100644 --- a/kubernetes/nbi/values.yaml +++ b/kubernetes/nbi/values.yaml @@ -36,7 +36,8 @@ global: ################################################################# # AAF part ################################################################# -aafConfig: +certInitializer: + nameOverride: nbi-cert-initializer aafDeployFqi: deployer@people.osaaf.org aafDeployPass: demo123456! # aafDeployCredsExternalSecret: some secret @@ -45,13 +46,16 @@ aafConfig: public_fqdn: nbi.onap.org cadi_longitude: "0.0" cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + aaf_add_config: > + /opt/app/aaf_config/bin/agent.sh; + /opt/app/aaf_config/bin/agent.sh local showpass + {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + +aafConfig: permission_user: 1000 permission_group: 999 - addconfig: true - secret_uid: &aaf_secret_uid nbi-aaf-deploy-creds - ################################################################# # Secrets metaconfig @@ -63,19 +67,13 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' login: '{{ .Values.config.db.userName }}' password: '{{ .Values.config.db.userPassword }}' - - uid: *aaf_secret_uid - type: basicAuth - externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDisabled" .Values.global.aafEnabled }}' - login: '{{ .Values.aafConfig.aafDeployFqi }}' - password: '{{ .Values.aafConfig.aafDeployPass }}' - passwordPolicy: required subChartsOnly: enabled: true # application image repository: nexus3.onap.org:10001 -image: onap/externalapi/nbi:6.0.2 +image: onap/externalapi/nbi:6.0.3 pullPolicy: IfNotPresent sdc_authorization: Basic YWFpOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU= aai_authorization: Basic QUFJOkFBSQ== @@ -162,6 +160,12 @@ service: ingress: enabled: false + service: + - baseaddr: "nbi.api" + name: "nbi" + port: 8443 + config: + ssl: "redirect" # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml index 291a0321f7..997bca9f4d 100644 --- a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml @@ -42,10 +42,6 @@ dmaap: enabled: true esr: enabled: true -log: - enabled: true -sniro-emulator: - enabled: true oof: enabled: true msb: @@ -56,8 +52,6 @@ nbi: enabled: true policy: enabled: true -pomba: - enabled: true portal: enabled: true robot: diff --git a/kubernetes/onap/resources/overrides/onap-all.yaml b/kubernetes/onap/resources/overrides/onap-all.yaml index 005bf1c726..86f898d18c 100644 --- a/kubernetes/onap/resources/overrides/onap-all.yaml +++ b/kubernetes/onap/resources/overrides/onap-all.yaml @@ -17,6 +17,7 @@ ################################################################### global: addTestingComponents: &testing true + centralizedLoggingEnabled: ¢ralizedLogging false cassandra: enabled: true mariadb-galera: @@ -48,10 +49,6 @@ dmaap: enabled: true esr: enabled: true -log: - enabled: true -sniro-emulator: - enabled: true oof: enabled: true msb: @@ -62,8 +59,6 @@ nbi: enabled: true policy: enabled: true -pomba: - enabled: true portal: enabled: true robot: diff --git a/kubernetes/onap/resources/overrides/sm-onap.yaml b/kubernetes/onap/resources/overrides/sm-onap.yaml new file mode 100644 index 0000000000..796643171b --- /dev/null +++ b/kubernetes/onap/resources/overrides/sm-onap.yaml @@ -0,0 +1,139 @@ +# Copyright 2020 Samsung Electronics Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +# This override file is used to deploy a core configuration. It is based on +# minimal-onap.yaml and Orange accomplishments [1][2][3]. +# It includes the following components: +# AAI, DMAAP, SDC, SDNC, SO (+ Cassandra) +# +# Minimal resources are also reviewed for the various containers +# AAI: no override => to be fixed +# DMAAP: no override # SO: no override +# SDC: new values +# SDNC: no override +# +# Replicas are set to: +# AAI Cassandra: 1 +# Cassandra: 3 (to allow reaching quorum) +# +# In addition, some parameters are set to limit the memory footprint. +# +# It overrides the default ONAP parent chart behaviour to deploy +# all of ONAP. +# +# helm deploy core local/onap --namespace onap -f core-onap.yaml +# +# [1] https://gitlab.com/Orange-OpenSource/lfn/onap/onap_oom_automatic_installation +# [2] https://wiki.lfnetworking.org/display/LN/Call%20for%20ONAP%20DDF%20Topics%20-%20Prague%202020#CallforONAPDDFTopics-Prague2020-OOM-IntroductionofServicemesh +# [3] https://wiki.lfnetworking.org/download/attachments/25364127/OOM%20Service%20Mesh%20Prague.pptx + +####################### +# Core ONAP deployment +####################### +global: + aafEnabled: false +aai: + enabled: true + global: + cassandra: + replicas: 1 + aai-cassandra: + replicaCount: 1 +aaf: + enabled: false +appc: + enabled: false +cassandra: + enabled: true + replicaCount: 3 +clamp: + enabled: false +cli: + enabled: false +consul: + enabled: false +contrib: + enabled: false +dcaegen2: + enabled: false +dmaap: + enabled: true +esr: + enabled: false +log: + enabled: false +mariadb-galera: + enabled: true +msb: + enabled: false +multicloud: + enabled: false +nbi: + enabled: false +oof: + enabled: false +policy: + enabled: false +pomba: + enabled: false +portal: + enabled: false +robot: + enabled: false +sdc: + enabled: true + sdc-be: + config: + javaOptions: "-Xdebug -agentlib:jdwp=transport=dt_socket,address=4000,server=y,suspend=n -Xmx512m -Xms256m" + sdc-fe: + resources: + small: + limits: + cpu: 1 + memory: 2Gi + requests: + cpu: 10m + memory: 500Mi + sdc-cs: + config: + maxHeapSize: "512M" + heapNewSize: "256M" +sdnc: + enabled: true +sniro-emulator: + enabled: false +so: + enabled: true + config: + # openstack configuration + openStackUserName: "$OPENSTACK_USER_NAME" + openStackRegion: "$OPENSTACK_REGION" + openStackKeyStoneUrl: "$OPENSTACK_KEYSTONE_URL" + openStackServiceTenantName: "$OPENSTACK_TENANT_NAME" + openStackEncryptedPasswordHere: "$OPENSTACK_ENCRYPTED_PASSWORD" +uui: + enabled: false +vid: + enabled: false +vfc: + enabled: false +vnfsdk: + enabled: false +cds: + enabled: true +dmaap: + enabled: true + dmaap-bc: + enabled: false diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index a782cc63bd..973613b464 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -61,6 +61,10 @@ global: # image pull policy pullPolicy: Always + # default clusterName + # {{ template "common.fullname" . }}.{{ template "common.namespace" . }}.svc.{{ .Values.global.clusterName }} + clusterName: cluster.local + # default mount path root directory referenced # by persistent volumes and log files persistence: @@ -104,6 +108,11 @@ global: # if set this element will force or not tls even if serviceMesh.tls is set. # tlsEnabled: false + # Logging + # Currently, centralized logging is not in best shape so it's disabled by + # default + centralizedLoggingEnabled: ¢ralizedLogging false + # Example of specific for the components where you want to disable TLS only for # it: @@ -143,7 +152,7 @@ global: # to customize the ONAP deployment. ################################################################# aaf: - enabled: true + enabled: false aai: enabled: false appc: @@ -181,8 +190,11 @@ dmaap: enabled: false esr: enabled: false +# Today, "logging" chart that perform the central part of logging must also be +# enabled in order to make it work. So `logging.enabled` must have the same +# value than centralizedLoggingEnabled log: - enabled: false + enabled: *centralizedLogging sniro-emulator: enabled: false oof: diff --git a/kubernetes/oof/charts/oof-has/charts/oof-has-api/templates/ingress.yaml b/kubernetes/oof/charts/oof-has/charts/oof-has-api/templates/ingress.yaml new file mode 100644 index 0000000000..0cd8cfbd36 --- /dev/null +++ b/kubernetes/oof/charts/oof-has/charts/oof-has-api/templates/ingress.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung, Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.ingress" . }} diff --git a/kubernetes/oof/charts/oof-has/charts/oof-has-api/values.yaml b/kubernetes/oof/charts/oof-has/charts/oof-has-api/values.yaml index df13309087..da6ab9b548 100755 --- a/kubernetes/oof/charts/oof-has/charts/oof-has-api/values.yaml +++ b/kubernetes/oof/charts/oof-has/charts/oof-has-api/values.yaml @@ -56,3 +56,13 @@ liveness: readiness: initialDelaySeconds: 10 periodSeconds: 10 + + +ingress: + enabled: false + service: + - baseaddr: "oof-has-api.onap" + name: "oof-has-api" + port: 8091 + config: + ssl: "redirect" diff --git a/kubernetes/oof/charts/oof-has/charts/oof-has-controller/templates/deployment.yaml b/kubernetes/oof/charts/oof-has/charts/oof-has-controller/templates/deployment.yaml index b31d0399ff..73c8e81cdb 100755 --- a/kubernetes/oof/charts/oof-has/charts/oof-has-controller/templates/deployment.yaml +++ b/kubernetes/oof/charts/oof-has/charts/oof-has-controller/templates/deployment.yaml @@ -37,7 +37,7 @@ spec: - /root/ready.py args: - --container-name - - music-tomcat + - music-springboot - --container-name - aaf-sms env: diff --git a/kubernetes/oof/charts/oof-has/charts/oof-has-data/templates/deployment.yaml b/kubernetes/oof/charts/oof-has/charts/oof-has-data/templates/deployment.yaml index 80992f1cbd..054d181c96 100755 --- a/kubernetes/oof/charts/oof-has/charts/oof-has-data/templates/deployment.yaml +++ b/kubernetes/oof/charts/oof-has/charts/oof-has-data/templates/deployment.yaml @@ -37,7 +37,7 @@ spec: - /root/ready.py args: - --container-name - - music-tomcat + - music-springboot env: - name: NAMESPACE valueFrom: diff --git a/kubernetes/oof/charts/oof-has/charts/oof-has-reservation/templates/deployment.yaml b/kubernetes/oof/charts/oof-has/charts/oof-has-reservation/templates/deployment.yaml index 4faf4647d8..335ac4c5a7 100755 --- a/kubernetes/oof/charts/oof-has/charts/oof-has-reservation/templates/deployment.yaml +++ b/kubernetes/oof/charts/oof-has/charts/oof-has-reservation/templates/deployment.yaml @@ -37,7 +37,7 @@ spec: - /root/ready.py args: - --container-name - - music-tomcat + - music-springboot env: - name: NAMESPACE valueFrom: diff --git a/kubernetes/oof/charts/oof-has/charts/oof-has-solver/templates/deployment.yaml b/kubernetes/oof/charts/oof-has/charts/oof-has-solver/templates/deployment.yaml index 26380f6a15..4c2a345054 100755 --- a/kubernetes/oof/charts/oof-has/charts/oof-has-solver/templates/deployment.yaml +++ b/kubernetes/oof/charts/oof-has/charts/oof-has-solver/templates/deployment.yaml @@ -37,7 +37,7 @@ spec: - /root/ready.py args: - --container-name - - music-tomcat + - music-springboot env: - name: NAMESPACE valueFrom: diff --git a/kubernetes/oof/charts/oof-has/resources/config/conductor.conf b/kubernetes/oof/charts/oof-has/resources/config/conductor.conf index c3d9307836..94a47fed2f 100755 --- a/kubernetes/oof/charts/oof-has/resources/config/conductor.conf +++ b/kubernetes/oof/charts/oof-has/resources/config/conductor.conf @@ -428,7 +428,7 @@ server_url = http://{{.Values.config.msb.serviceName}}.{{ include "common.namesp # Base URL for Music REST API without a trailing slash. (string value) #server_url = http://oof-has-music:8080/MUSIC/rest/v2 -server_url = http://{{.Values.config.music.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.music.port}}/MUSIC/rest/v2 +server_url = https://{{.Values.config.music.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.music.port}}/MUSIC/rest/v2 version = v2 # DEPRECATED: List of hostnames (round-robin access) (list value) @@ -492,7 +492,7 @@ music_new_version = True # for version (string value) #music_version = <None> -music_version = "3.0.21" +music_version = "3.2.40" # username value that used for creating basic authorization header (string # value) @@ -508,6 +508,13 @@ aafpass = c0nduct0r #aafns = <None> aafns = conductor +# Enabling HTTPs mode (boolean value) +enable_https_mode = True + +# Certificate Authority Bundle file in pem format. Must contain the appropriate +# trust chain for the Certificate file. (string value) +certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer + [prometheus] diff --git a/kubernetes/oof/charts/oof-has/templates/job-healthcheck.yaml b/kubernetes/oof/charts/oof-has/templates/job-healthcheck.yaml index 92d6cbf441..34f215c9ab 100755 --- a/kubernetes/oof/charts/oof-has/templates/job-healthcheck.yaml +++ b/kubernetes/oof/charts/oof-has/templates/job-healthcheck.yaml @@ -59,7 +59,7 @@ spec: sleep 15; resp="FAILURE"; until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null --write-out %{http_code} -X POST http://{{.Values.config.music.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.music.port}}/MUSIC/rest/v2/keyspaces/conductor/tables/plans/rows?id=healthcheck \ + resp=$(curl -k -s -o /dev/null --write-out %{http_code} -X POST https://{{.Values.config.music.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.music.port}}/MUSIC/rest/v2/keyspaces/conductor/tables/plans/rows?id=healthcheck \ -H "Content-Type: application/json" \ -H "ns: conductor" \ -H "Authorization: Basic Y29uZHVjdG9yOmMwbmR1Y3Qwcg==" \ diff --git a/kubernetes/oof/charts/oof-has/templates/job-onboard.yaml b/kubernetes/oof/charts/oof-has/templates/job-onboard.yaml index 499d0923c8..ad42a1fe08 100755 --- a/kubernetes/oof/charts/oof-has/templates/job-onboard.yaml +++ b/kubernetes/oof/charts/oof-has/templates/job-onboard.yaml @@ -40,7 +40,7 @@ spec: - /root/ready.py args: - --container-name - - "music-tomcat" + - "music-springboot" - --container-name - "music-cassandra" env: @@ -71,10 +71,7 @@ spec: - "/bin/sh" - "-c" - | - curl -X POST http://{{.Values.config.music.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.music.port}}/MUSIC/rest/v2/admin/onboardAppWithMusic \ - -H "Content-Type: application/json" \ - -H "Authorization: Basic Y29uZHVjdG9yOmMwbmR1Y3Qwcg==" \ - --data @onboard.json + echo "job-onboard" workingDir: /has volumeMounts: - mountPath: /etc/localtime diff --git a/kubernetes/oof/charts/oof-has/values.yaml b/kubernetes/oof/charts/oof-has/values.yaml index 730d6e20a1..f4debe93fc 100755 --- a/kubernetes/oof/charts/oof-has/values.yaml +++ b/kubernetes/oof/charts/oof-has/values.yaml @@ -25,7 +25,7 @@ global: commonConfigPrefix: onap-oof-has image: readiness: oomk8s/readiness-check:2.0.0 - optf_has: onap/optf-has:2.0.2 + optf_has: onap/optf-has:2.0.3 filebeat: docker.elastic.co/beats/filebeat:5.5.0 pullPolicy: Always @@ -42,8 +42,8 @@ config: serviceName: msb-iag port: 80 music: - serviceName: music-tomcat - port: 8080 + serviceName: music + port: 8443 sms: serviceName: aaf-sms port: 10443 diff --git a/kubernetes/oof/values.yaml b/kubernetes/oof/values.yaml index 0cdfa9dfe7..5205a1df1f 100644 --- a/kubernetes/oof/values.yaml +++ b/kubernetes/oof/values.yaml @@ -125,4 +125,4 @@ ingress: name: "oof-osdf" port: 8698 config: - ssl: "none"
\ No newline at end of file + ssl: "redirect" diff --git a/kubernetes/policy/charts/brmsgw/resources/config/pe/brmsgw.conf b/kubernetes/policy/charts/brmsgw/resources/config/pe/brmsgw.conf index 1598a8ff3f..90248b8836 100644 --- a/kubernetes/policy/charts/brmsgw/resources/config/pe/brmsgw.conf +++ b/kubernetes/policy/charts/brmsgw/resources/config/pe/brmsgw.conf @@ -63,5 +63,5 @@ BRMS_UEB_API_KEY= BRMS_UEB_API_SECRET= #Dependency.json file version -BRMS_DEPENDENCY_VERSION=1.6.0 -BRMS_MODELS_DEPENDENCY_VERSION=2.2.2 +BRMS_DEPENDENCY_VERSION=1.6.3 +BRMS_MODELS_DEPENDENCY_VERSION=2.2.5 diff --git a/kubernetes/policy/charts/brmsgw/templates/deployment.yaml b/kubernetes/policy/charts/brmsgw/templates/deployment.yaml index 95446b24bb..8d9863784f 100644 --- a/kubernetes/policy/charts/brmsgw/templates/deployment.yaml +++ b/kubernetes/policy/charts/brmsgw/templates/deployment.yaml @@ -36,7 +36,7 @@ spec: - sh args: - -c - - "cd /config-input && for PFILE in `ls -1 *.conf`; do envsubst <${PFILE} >/config/${PFILE}; done" + - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; chmod 0755 /config/${PFILE}; done" env: - name: JDBC_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} @@ -55,10 +55,14 @@ spec: - name: REPOSITORY_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nexus-creds" "key" "password") | indent 10 }} volumeMounts: - - mountPath: /config-input + - mountPath: /config-input/pe + name: pe-input + - mountPath: /config-input/pe-brmsgw + name: pe-brmsgw-input + - mountPath: /config/pe name: pe - - mountPath: /config - name: pe-processed + - mountPath: /config/pe-brmsgw + name: pe-brmsgw image: "{{ .Values.global.envsubstImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config @@ -101,7 +105,6 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nexus-creds" "key" "login") | indent 10 }} - name: REPOSITORY_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nexus-creds" "key" "password") | indent 10 }} - volumeMounts: ports: - containerPort: {{ .Values.service.externalPort }} {{- if eq .Values.liveness.enabled true }} @@ -127,7 +130,7 @@ spec: name: pe-brmsgw subPath: brmsgw.conf - mountPath: /tmp/policy-install/config/base.conf - name: pe-processed + name: pe subPath: base.conf - mountPath: /tmp/policy-install/do-start.sh name: pe-scripts @@ -146,7 +149,7 @@ spec: - name: localtime hostPath: path: /etc/localtime - - name: pe + - name: pe-input configMap: name: {{ include "common.release" . }}-pe-configmap defaultMode: 0755 @@ -154,11 +157,14 @@ spec: configMap: name: {{ include "common.release" . }}-pe-scripts-configmap defaultMode: 0777 - - name: pe-brmsgw + - name: pe-brmsgw-input configMap: name: {{ include "common.fullname" . }}-pe-configmap defaultMode: 0755 - - name: pe-processed + - name: pe + emptyDir: + medium: Memory + - name: pe-brmsgw emptyDir: medium: Memory imagePullSecrets: diff --git a/kubernetes/policy/charts/brmsgw/values.yaml b/kubernetes/policy/charts/brmsgw/values.yaml index ee47b4a4c3..b906e46468 100644 --- a/kubernetes/policy/charts/brmsgw/values.yaml +++ b/kubernetes/policy/charts/brmsgw/values.yaml @@ -56,7 +56,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-pe:1.6.2 +image: onap/policy-pe:1.6.3 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/charts/drools/values.yaml b/kubernetes/policy/charts/drools/values.yaml index 05f7c1b0a8..3552b2e2f6 100644 --- a/kubernetes/policy/charts/drools/values.yaml +++ b/kubernetes/policy/charts/drools/values.yaml @@ -40,7 +40,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-pdpd-cl:1.6.1 +image: onap/policy-pdpd-cl:1.6.3 pullPolicy: Always # flag to enable debugging - application support required @@ -82,7 +82,7 @@ ingress: # Default installation values to be overridden server: - jvmOpts: -server -Xms1024m -Xmx2048m + jvmOpts: -server -XshowSettings:vm aaf: enabled: "false" diff --git a/kubernetes/policy/charts/pap/resources/config/config.json b/kubernetes/policy/charts/pap/resources/config/config.json index 544ecdfc32..5c02ce0f12 100644 --- a/kubernetes/policy/charts/pap/resources/config/config.json +++ b/kubernetes/policy/charts/pap/resources/config/config.json @@ -20,8 +20,8 @@ "restServerParameters":{ "host":"0.0.0.0", "port":6969, - "userName":"healthcheck", - "password":"zb!XztG34", + "userName":"${RESTSERVER_USER}", + "password":"${RESTSERVER_PASSWORD}", "https": true, "aaf": false }, @@ -69,8 +69,8 @@ "clientName": "api", "hostname": "policy-api", "port": 6969, - "userName": "healthcheck", - "password": "zb!XztG34", + "userName": "${API_USER}", + "password": "${API_PASSWORD}", "useHttps": true, "basePath": "policy/api/v1/healthcheck" }, @@ -78,8 +78,8 @@ "clientName": "distribution", "hostname": "policy-distribution", "port": 6969, - "userName": "healthcheck", - "password": "zb!XztG34", + "userName": "${DISTRIBUTION_USER}", + "password": "${DISTRIBUTION_PASSWORD}", "useHttps": true, "basePath": "healthcheck" }] diff --git a/kubernetes/policy/charts/pap/templates/deployment.yaml b/kubernetes/policy/charts/pap/templates/deployment.yaml index 85ca9c1486..39ac8a81ec 100644 --- a/kubernetes/policy/charts/pap/templates/deployment.yaml +++ b/kubernetes/policy/charts/pap/templates/deployment.yaml @@ -42,6 +42,18 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - name: SQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} + - name: API_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-secret" "key" "login") | indent 10 }} + - name: API_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-secret" "key" "password") | indent 10 }} + - name: DISTRIBUTION_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "login") | indent 10 }} + - name: DISTRIBUTION_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "password") | indent 10 }} volumeMounts: - mountPath: /config-input name: papconfig diff --git a/kubernetes/policy/charts/pap/values.yaml b/kubernetes/policy/charts/pap/values.yaml index ad7cf96306..630b2055fa 100644 --- a/kubernetes/policy/charts/pap/values.yaml +++ b/kubernetes/policy/charts/pap/values.yaml @@ -34,13 +34,31 @@ secrets: login: '{{ .Values.db.user }}' password: '{{ .Values.db.password }}' passwordPolicy: required + - uid: restserver-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + passwordPolicy: required + - uid: api-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.healthCheckRestClient.api.credsExternalSecret) . }}' + login: '{{ .Values.healthCheckRestClient.api.user }}' + password: '{{ .Values.healthCheckRestClient.api.password }}' + passwordPolicy: required + - uid: distribution-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.healthCheckRestClient.distribution.credsExternalSecret) . }}' + login: '{{ .Values.healthCheckRestClient.distribution.user }}' + password: '{{ .Values.healthCheckRestClient.distribution.password }}' + passwordPolicy: required ################################################################# # Application configuration defaults. ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-pap:2.2.1 +image: onap/policy-pap:2.2.2 pullPolicy: Always # flag to enable debugging - application support required @@ -51,6 +69,16 @@ debugEnabled: false db: user: policy_user password: policy_user +restServer: + user: healthcheck + password: zb!XztG34 +healthCheckRestClient: + api: + user: healthcheck + password: zb!XztG34 + distribution: + user: healthcheck + password: zb!XztG34 # default number of instances replicaCount: 1 diff --git a/kubernetes/policy/charts/pdp/resources/config/pe/pdp.conf b/kubernetes/policy/charts/pdp/resources/config/pe/pdp.conf index 52480e59ff..bb12880ca7 100644 --- a/kubernetes/policy/charts/pdp/resources/config/pe/pdp.conf +++ b/kubernetes/policy/charts/pdp/resources/config/pe/pdp.conf @@ -39,10 +39,10 @@ REST_PDP_REGISTER_RETRIES=-1 REST_PDP_MAXCONTENT=999999999 # PDP related properties -PDP_HTTP_USER_ID=testpdp -PDP_HTTP_PASSWORD=alpha123 -PDP_PAP_PDP_HTTP_USER_ID=testpap -PDP_PAP_PDP_HTTP_PASSWORD=alpha123 +PDP_HTTP_USER_ID=${PDP_HTTP_USER_ID} +PDP_HTTP_PASSWORD=${PDP_HTTP_PASSWORD} +PDP_PAP_PDP_HTTP_USER_ID=${PDP_PAP_PDP_HTTP_USER_ID} +PDP_PAP_PDP_HTTP_PASSWORD=${PDP_PAP_PDP_HTTP_PASSWORD} node_type=pdp_xacml resource_name=pdp_1 diff --git a/kubernetes/policy/charts/pdp/templates/statefulset.yaml b/kubernetes/policy/charts/pdp/templates/statefulset.yaml index e55f9d0987..b70b04b023 100644 --- a/kubernetes/policy/charts/pdp/templates/statefulset.yaml +++ b/kubernetes/policy/charts/pdp/templates/statefulset.yaml @@ -40,17 +40,29 @@ spec: - sh args: - -c - - "cd /config-input && for PFILE in `ls -1 *.conf`; do envsubst <${PFILE} >/config/${PFILE}; done" + - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; chmod 0755 /config/${PFILE}; done" env: - name: JDBC_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - name: JDBC_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + - name: PDP_HTTP_USER_ID + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pdp-http-creds" "key" "login") | indent 10 }} + - name: PDP_HTTP_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pdp-http-creds" "key" "password") | indent 10 }} + - name: PDP_PAP_PDP_HTTP_USER_ID + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pap-http-creds" "key" "login") | indent 10 }} + - name: PDP_PAP_PDP_HTTP_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pap-http-creds" "key" "password") | indent 10 }} volumeMounts: - - mountPath: /config-input + - mountPath: /config-input/pe + name: pe-input + - mountPath: /config-input/pe-pdp + name: pe-pdp-input + - mountPath: /config/pe name: pe - - mountPath: /config - name: pe-processed + - mountPath: /config/pe-pdp + name: pe-pdp image: "{{ .Values.global.envsubstImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config @@ -102,10 +114,10 @@ spec: name: localtime readOnly: true - mountPath: /tmp/policy-install/config/base.conf - name: pe-processed + name: pe subPath: base.conf - mountPath: /tmp/policy-install/config/pdp-tweaks.sh - name: pe-pdp + name: pe-pdp-input subPath: pdp-tweaks.sh - mountPath: /tmp/policy-install/config/pdplp.conf name: pe-pdp @@ -150,7 +162,7 @@ spec: - name: policy-logback configMap: name: {{ include "common.fullname" . }}-log-configmap - - name: pe + - name: pe-input configMap: name: {{ include "common.release" . }}-pe-configmap defaultMode: 0755 @@ -158,11 +170,14 @@ spec: configMap: name: {{ include "common.release" . }}-pe-scripts-configmap defaultMode: 0777 - - name: pe-pdp + - name: pe-pdp-input configMap: name: {{ include "common.fullname" . }}-pe-configmap defaultMode: 0755 - - name: pe-processed + - name: pe + emptyDir: + medium: Memory + - name: pe-pdp emptyDir: medium: Memory imagePullSecrets: diff --git a/kubernetes/policy/charts/pdp/values.yaml b/kubernetes/policy/charts/pdp/values.yaml index 7b5f6f8ac9..fa6c141c1c 100644 --- a/kubernetes/policy/charts/pdp/values.yaml +++ b/kubernetes/policy/charts/pdp/values.yaml @@ -33,13 +33,25 @@ secrets: login: '{{ .Values.db.user }}' password: '{{ .Values.db.password }}' passwordPolicy: required + - uid: pdp-http-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.pdp.pdpCredsExternalSecret) . }}' + login: '{{ .Values.pdp.pdphttpuserid }}' + password: '{{ .Values.pdp.pdphttppassword }}' + passwordPolicy: required + - uid: pap-http-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.pap.papCredsExternalSecret) . }}' + login: '{{ .Values.pap.pdppappdphttpuserid }}' + password: '{{ .Values.pap.pdppappdphttppassword }}' + passwordPolicy: required ################################################################# # Application configuration defaults. ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-pe:1.6.2 +image: onap/policy-pe:1.6.3 pullPolicy: Always # flag to enable debugging - application support required @@ -50,6 +62,12 @@ debugEnabled: false db: user: policy_user password: policy_user +pdp: + pdphttpuserid: testpdp + pdphttppassword: alpha123 +pap: + pdppappdphttpuserid: testpap + pdppappdphttppassword: alpha123 config: papPort: 9091 diff --git a/kubernetes/policy/charts/policy-apex-pdp/resources/config/OnapPfConfig.json b/kubernetes/policy/charts/policy-apex-pdp/resources/config/OnapPfConfig.json index 3b6813d3e3..767d1452cc 100644 --- a/kubernetes/policy/charts/policy-apex-pdp/resources/config/OnapPfConfig.json +++ b/kubernetes/policy/charts/policy-apex-pdp/resources/config/OnapPfConfig.json @@ -3,8 +3,8 @@ "restServerParameters": { "host": "0.0.0.0", "port": 6969, - "userName": "healthcheck", - "password": "zb!XztG34", + "userName": "${RESTSERVER_USER}", + "password": "${RESTSERVER_PASSWORD}", "https": true }, "pdpStatusParameters":{ diff --git a/kubernetes/policy/charts/policy-apex-pdp/resources/config/config.json b/kubernetes/policy/charts/policy-apex-pdp/resources/config/config.json index 57542c3510..5df0a26596 100644 --- a/kubernetes/policy/charts/policy-apex-pdp/resources/config/config.json +++ b/kubernetes/policy/charts/policy-apex-pdp/resources/config/config.json @@ -18,7 +18,7 @@ { "javaProperties" : [ ["javax.net.ssl.trustStore", "/opt/app/policy/apex-pdp/etc/ssl/policy-truststore"], - ["javax.net.ssl.trustStorePassword", "UG9sMWN5XzBuYXA="] + ["javax.net.ssl.trustStorePassword", "${TRUSTSTORE_PASSWORD_BASE64}"] ], "engineServiceParameters": { "name": "MyApexEngine", diff --git a/kubernetes/policy/charts/policy-apex-pdp/templates/secrets.yaml b/kubernetes/policy/charts/policy-apex-pdp/templates/secrets.yaml new file mode 100644 index 0000000000..bd7eb8ea40 --- /dev/null +++ b/kubernetes/policy/charts/policy-apex-pdp/templates/secrets.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/charts/policy-apex-pdp/templates/statefulset.yaml b/kubernetes/policy/charts/policy-apex-pdp/templates/statefulset.yaml index 4d35509d9a..35f8aacb40 100644 --- a/kubernetes/policy/charts/policy-apex-pdp/templates/statefulset.yaml +++ b/kubernetes/policy/charts/policy-apex-pdp/templates/statefulset.yaml @@ -38,6 +38,27 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: + initContainers: + - command: + - sh + args: + - -c + - "export TRUSTSTORE_PASSWORD_BASE64=`echo -n ${TRUSTSTORE_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: TRUSTSTORE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-pass" "key" "password") | indent 10 }} + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: apexconfig-input + - mountPath: /config + name: apexconfig + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -87,9 +108,12 @@ spec: path: /etc/localtime - name: policy-logs emptyDir: {} - - name: apexconfig + - name: apexconfig-input configMap: name: {{ include "common.fullname" . }}-configmap defaultMode: 0755 + - name: apexconfig + emptyDir: + medium: Memory imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/charts/policy-apex-pdp/values.yaml b/kubernetes/policy/charts/policy-apex-pdp/values.yaml index 1fdc215ff7..8730c9ef29 100644 --- a/kubernetes/policy/charts/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/charts/policy-apex-pdp/values.yaml @@ -25,6 +25,21 @@ global: persistence: {} ################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: restserver-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + - uid: truststore-pass + type: password + externalSecret: '{{ tpl (default "" .Values.truststore.passwordExternalSecret) . }}' + password: '{{ .Values.truststore.password }}' + policy: required + +################################################################# # Application configuration defaults. ################################################################# # application image @@ -37,6 +52,12 @@ debugEnabled: false # application configuration +restServer: + user: healthcheck + password: zb!XztG34 +truststore: + password: Pol1cy_0nap + # default number of instances replicaCount: 1 diff --git a/kubernetes/policy/charts/policy-api/resources/config/config.json b/kubernetes/policy/charts/policy-api/resources/config/config.json index 2e46ccae96..fba7e6ce12 100644 --- a/kubernetes/policy/charts/policy-api/resources/config/config.json +++ b/kubernetes/policy/charts/policy-api/resources/config/config.json @@ -20,8 +20,8 @@ "restServerParameters":{ "host":"0.0.0.0", "port":6969, - "userName":"healthcheck", - "password":"zb!XztG34", + "userName":"${RESTSERVER_USER}", + "password":"${RESTSERVER_PASSWORD}", "https": true, "aaf": false }, diff --git a/kubernetes/policy/charts/policy-api/templates/deployment.yaml b/kubernetes/policy/charts/policy-api/templates/deployment.yaml index 777cc4954d..e1f699eccf 100644 --- a/kubernetes/policy/charts/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/charts/policy-api/templates/deployment.yaml @@ -39,9 +39,13 @@ spec: - "export SQL_PASSWORD_BASE64=`echo -n ${SQL_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12 }} - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12 }} + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 12 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 12 }} volumeMounts: - mountPath: /config-input name: apiconfig diff --git a/kubernetes/policy/charts/policy-api/values.yaml b/kubernetes/policy/charts/policy-api/values.yaml index 2e31f6b2ef..906e86ad38 100644 --- a/kubernetes/policy/charts/policy-api/values.yaml +++ b/kubernetes/policy/charts/policy-api/values.yaml @@ -28,19 +28,25 @@ global: # Secrets metaconfig ################################################################# secrets: - - uid: db-secret + - uid: db-creds type: basicAuth externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . }}' login: '{{ .Values.db.user }}' password: '{{ .Values.db.password }}' passwordPolicy: required + - uid: restserver-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + passwordPolicy: required ################################################################# # Application configuration defaults. ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-api:2.2.2 +image: onap/policy-api:2.2.3 pullPolicy: Always # flag to enable debugging - application support required @@ -50,6 +56,9 @@ debugEnabled: false db: user: policy_user password: policy_user +restServer: + user: healthcheck + password: zb!XztG34 # default number of instances replicaCount: 1 diff --git a/kubernetes/policy/charts/policy-common/resources/config/scripts/do-start.sh b/kubernetes/policy/charts/policy-common/resources/config/scripts/do-start.sh index 0e473105a2..ee427af678 100644 --- a/kubernetes/policy/charts/policy-common/resources/config/scripts/do-start.sh +++ b/kubernetes/policy/charts/policy-common/resources/config/scripts/do-start.sh @@ -1,4 +1,7 @@ +#!/bin/bash + # Copyright © 2017 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2020 AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,7 +15,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -#!/bin/bash # Script to configure and start the Policy components that are to run in the designated container, # It is intended to be used as the entrypoint in the Dockerfile, so the last statement of the @@ -65,7 +67,7 @@ else fi if [[ -f config/policy-truststore ]]; then - cp -f config/policy-truststore $[POLICY_HOME]/etc/ssl + cp -f config/policy-truststore $POLICY_HOME/etc/ssl fi if [[ -f config/$container-tweaks.sh ]] ; then @@ -95,13 +97,4 @@ else fi policy.sh start - -# on pap, wait for pap, pdp, brmsgw, nexus and drools up, -# then push the initial default policies -if [[ $container == pap ]]; then - # wait addional 1 minute for all processes to get fully initialized and synched up - sleep 60 - bash -xv config/push-policies.sh -fi - sleep 1000d diff --git a/kubernetes/policy/charts/policy-distribution/resources/config/config.json b/kubernetes/policy/charts/policy-distribution/resources/config/config.json index 906263343a..4c42ed2353 100644 --- a/kubernetes/policy/charts/policy-distribution/resources/config/config.json +++ b/kubernetes/policy/charts/policy-distribution/resources/config/config.json @@ -21,8 +21,8 @@ "restServerParameters":{ "host":"0.0.0.0", "port":6969, - "userName":"healthcheck", - "password":"zb!XztG34", + "userName":"${RESTSERVER_USER}", + "password":"${RESTSERVER_PASSWORD}", "https":true }, "receptionHandlerParameters":{ @@ -61,8 +61,8 @@ "messageBusAddress": [ "message-router" ], - "user": "policy", - "password": "Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U", + "user": "${SDCBE_USER}", + "password": "${SDCBE_PASSWORD}", "pollingInterval":20, "pollingTimeout":30, "consumerId": "policy-id", @@ -107,14 +107,14 @@ "apiParameters": { "hostName": "policy-api", "port": 6969, - "userName": "healthcheck", - "password": "zb!XztG34" + "userName": "${API_USER}", + "password": "${API_PASSWORD}" }, "papParameters": { "hostName": "policy-pap", "port": 6969, - "userName": "healthcheck", - "password": "zb!XztG34" + "userName": "${PAP_USER}", + "password": "${PAP_PASSWORD}" }, "isHttps": true, "deployPolicies": true diff --git a/kubernetes/policy/charts/policy-distribution/templates/deployment.yaml b/kubernetes/policy/charts/policy-distribution/templates/deployment.yaml index 65961d8f8b..b3b017acd3 100644 --- a/kubernetes/policy/charts/policy-distribution/templates/deployment.yaml +++ b/kubernetes/policy/charts/policy-distribution/templates/deployment.yaml @@ -16,6 +16,37 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} + - name: API_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "apiparameters-creds" "key" "login") | indent 10 }} + - name: API_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "apiparameters-creds" "key" "password") | indent 10 }} + - name: PAP_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "papparameters-creds" "key" "login") | indent 10 }} + - name: PAP_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "papparameters-creds" "key" "password") | indent 10 }} + - name: SDCBE_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdcbe-creds" "key" "login") | indent 10 }} + - name: SDCBE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdcbe-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: distributionconfig-input + - mountPath: /config + name: distributionconfig + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -58,9 +89,12 @@ spec: - name: localtime hostPath: path: /etc/localtime - - name: distributionconfig + - name: distributionconfig-input configMap: name: {{ include "common.fullname" . }}-configmap defaultMode: 0755 + - name: distributionconfig + emptyDir: + medium: Memory imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/charts/policy-distribution/templates/secrets.yaml b/kubernetes/policy/charts/policy-distribution/templates/secrets.yaml new file mode 100644 index 0000000000..bd7eb8ea40 --- /dev/null +++ b/kubernetes/policy/charts/policy-distribution/templates/secrets.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/charts/policy-distribution/values.yaml b/kubernetes/policy/charts/policy-distribution/values.yaml index 835bfc4656..c8d24e5563 100644 --- a/kubernetes/policy/charts/policy-distribution/values.yaml +++ b/kubernetes/policy/charts/policy-distribution/values.yaml @@ -18,10 +18,40 @@ # ============LICENSE_END========================================================= ################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: restserver-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + passwordPolicy: required + - uid: apiparameters-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.apiParameters.credsExternalSecret) . }}' + login: '{{ .Values.apiParameters.user }}' + password: '{{ .Values.apiParameters.password }}' + passwordPolicy: required + - uid: papparameters-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.papParameters.credsExternalSecret) . }}' + login: '{{ .Values.papParameters.user }}' + password: '{{ .Values.papParameters.password }}' + passwordPolicy: required + - uid: sdcbe-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.sdcBe.credsExternalSecret) . }}' + login: '{{ .Values.sdcBe.user }}' + password: '{{ .Values.sdcBe.password }}' + passwordPolicy: required + +################################################################# # Global configuration defaults. ################################################################# global: persistence: {} + envsubstImage: dibi/envsubst ################################################################# # Application configuration defaults. @@ -36,6 +66,19 @@ debugEnabled: false # application configuration +restServer: + user: healthcheck + password: zb!XztG34 +apiParameters: + user: healthcheck + password: zb!XztG34 +papParameters: + user: healthcheck + password: zb!XztG34 +sdcBe: + user: policy + password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + # default number of instances replicaCount: 1 diff --git a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json index a52cc0f6d4..3b72d8ed90 100644 --- a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json +++ b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json @@ -21,16 +21,16 @@ "restServerParameters": { "host": "0.0.0.0", "port": 6969, - "userName": "healthcheck", - "password": "zb!XztG34", + "userName": "${RESTSERVER_USER}", + "password": "${RESTSERVER_PASSWORD}", "https": true, "aaf": false }, "policyApiParameters": { "host": "policy-api", "port": 6969, - "userName": "healthcheck", - "password": "zb!XztG34", + "userName": "${API_USER}", + "password": "${API_PASSWORD}", "https": true, "aaf": false }, diff --git a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/xacml.properties b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/xacml.properties index f2c2cd7765..c7e4ad197e 100644 --- a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/xacml.properties +++ b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/xacml.properties @@ -50,4 +50,4 @@ xacml.pip.engines=count-recent-operations,get-operation-outcome javax.persistence.jdbc.driver=org.mariadb.jdbc.Driver javax.persistence.jdbc.url=jdbc:mariadb://{{ .Values.global.mariadb.service.name }}:{{ .Values.global.mariadb.service.internalPort }}/operationshistory javax.persistence.jdbc.user=${SQL_USER} -javax.persistence.jdbc.password=${SQL_PASSWORD} +javax.persistence.jdbc.password=${SQL_PASSWORD_BASE64} diff --git a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml index 5b02c177b5..bd126b810b 100644 --- a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml +++ b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml @@ -31,17 +31,38 @@ spec: image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + - command: + - sh + args: + - -c + - "export SQL_PASSWORD_BASE64=`echo -n ${SQL_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} + - name: API_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "login") | indent 10 }} + - name: API_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "password") | indent 10 }} + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: pdpxconfig + - mountPath: /config + name: pdpxconfig-processed + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"] args: ["/opt/app/policy/pdpx/etc/mounted/config.json"] - env: - - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger @@ -63,7 +84,9 @@ spec: name: localtime readOnly: true - mountPath: /opt/app/policy/pdpx/etc/mounted - name: pdpxconfig + name: pdpxconfig-processed + emptyDir: + medium: Memory resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -82,5 +105,8 @@ spec: configMap: name: {{ include "common.fullname" . }}-configmap defaultMode: 0755 + - name: pdpxconfig-processed + emptyDir: + medium: Memory imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/charts/policy-xacml-pdp/values.yaml b/kubernetes/policy/charts/policy-xacml-pdp/values.yaml index a2c0aa0e63..63f50fd7fa 100644 --- a/kubernetes/policy/charts/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/charts/policy-xacml-pdp/values.yaml @@ -21,6 +21,7 @@ ################################################################# global: persistence: {} + envsubstImage: dibi/envsubst ################################################################# # Secrets metaconfig @@ -32,6 +33,18 @@ secrets: login: '{{ .Values.db.user }}' password: '{{ .Values.db.password }}' passwordPolicy: required + - uid: restserver-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + passwordPolicy: required + - uid: api-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.apiServer.credsExternalSecret) . }}' + login: '{{ .Values.apiServer.user }}' + password: '{{ .Values.apiServer.password }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -49,6 +62,12 @@ debugEnabled: false db: user: policy_user password: policy_user +restServer: + user: healthcheck + password: zb!XztG34 +apiServer: + user: healthcheck + password: zb!XztG34 # default number of instances replicaCount: 1 diff --git a/kubernetes/policy/resources/config/pe/push-policies.sh b/kubernetes/policy/resources/config/pe/push-policies.sh deleted file mode 100644 index ec8c914c17..0000000000 --- a/kubernetes/policy/resources/config/pe/push-policies.sh +++ /dev/null @@ -1,485 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2018-2019 AT&T. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -#! /bin/bash - -# forked from https://gerrit.onap.org/r/gitweb?p=policy/docker.git;a=blob;f=config/pe/push-policies.sh;h=555ab357e6b4f54237bf07ef5e6777d782564bc0;hb=refs/heads/amsterdam and adapted for OOM - -#########################################Upload BRMS Param Template########################################## - -echo "Upload BRMS Param Template" - -sleep 2 - -wget -O cl-amsterdam-template.drl https://git.onap.org/policy/drools-applications/plain/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl - -sleep 2 - -curl -k -v --silent -X POST --header 'Content-Type: multipart/form-data' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -F "file=@cl-amsterdam-template.drl" -F "importParametersJson={\"serviceName\":\"ClosedLoopControlName\",\"serviceType\":\"BRMSPARAM\"}" 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/policyEngineImport' - -echo "PRELOAD_POLICIES is $PRELOAD_POLICIES" - -if [ "$PRELOAD_POLICIES" == "false" ]; then - exit 0 -fi - -#########################################Create BRMS Param policies########################################## - -echo "Create BRMSParam Operational Policies" - -sleep 2 - -echo "Create BRMSParamvFirewall Policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/html' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "policyConfigType": "BRMS_PARAM", - "policyName": "com.BRMSParamvFirewall", - "policyDescription": "BRMS Param vFirewall policy", - "policyScope": "com", - "attributes": { - "MATCHING": { - "controller" : "amsterdam" - }, - "RULE": { - "templateName": "ClosedLoopControlName", - "closedLoopControlName": "ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a", - "controlLoopYaml": "controlLoop%3A%0D%0A++version%3A+2.0.0%0D%0A++controlLoopName%3A+ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a%0D%0A++trigger_policy%3A+unique-policy-id-1-modifyConfig%0D%0A++timeout%3A+1200%0D%0A++abatement%3A+false%0D%0A+%0D%0Apolicies%3A%0D%0A++-+id%3A+unique-policy-id-1-modifyConfig%0D%0A++++name%3A+modify+packet+gen+config%0D%0A++++description%3A%0D%0A++++actor%3A+APPC%0D%0A++++recipe%3A+ModifyConfig%0D%0A++++target%3A%0D%0A++++++%23+TBD+-+Cannot+be+known+until+instantiation+is+done%0D%0A++++++resourceID%3A+Eace933104d443b496b8.nodes.heat.vpg%0D%0A++++++type%3A+VNF%0D%0A++++retry%3A+0%0D%0A++++timeout%3A+300%0D%0A++++success%3A+final_success%0D%0A++++failure%3A+final_failure%0D%0A++++failure_timeout%3A+final_failure_timeout%0D%0A++++failure_retries%3A+final_failure_retries%0D%0A++++failure_exception%3A+final_failure_exception%0D%0A++++failure_guard%3A+final_failure_guard" - } - } -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -sleep 2 - -echo "Create BRMSParamvDNS Policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/html' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "policyConfigType": "BRMS_PARAM", - "policyName": "com.BRMSParamvDNS", - "policyDescription": "BRMS Param vDNS policy", - "policyScope": "com", - "attributes": { - "MATCHING": { - "controller" : "amsterdam" - }, - "RULE": { - "templateName": "ClosedLoopControlName", - "closedLoopControlName": "ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3", - "controlLoopYaml": "controlLoop%3A%0A++version%3A+2.0.0%0A++controlLoopName%3A+ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3%0A++trigger_policy%3A+unique-policy-id-1-scale-up%0A++timeout%3A+1200%0A++abatement%3A+false%0Apolicies%3A%0A++-+id%3A+unique-policy-id-1-scale-up%0A++++name%3A+Create+a+new+VF+Module%0A++++description%3A%0A++++actor%3A+SO%0A++++recipe%3A+VF+Module+Create%0A++++target%3A%0A++++++type%3A+VNF%0A++++payload%3A%0A++++++requestParameters%3A+%27%7B%22usePreload%22%3Atrue%2C%22userParams%22%3A%5B%5D%7D%27%0A++++++configurationParameters%3A+%27%5B%7B%22ip-addr%22%3A%22%24.vf-module-topology.vf-module-parameters.param%5B9%5D%22%2C%22oam-ip-addr%22%3A%22%24.vf-module-topology.vf-module-parameters.param%5B16%5D%22%2C%22enabled%22%3A%22%24.vf-module-topology.vf-module-parameters.param%5B23%5D%22%7D%5D%27%0A++++retry%3A+0%0A++++timeout%3A+1200%0A++++success%3A+final_success%0A++++failure%3A+final_failure%0A++++failure_timeout%3A+final_failure_timeout%0A++++failure_retries%3A+final_failure_retries%0A++++failure_exception%3A+final_failure_exception%0A++++failure_guard%3A+final_failure_guard" - } - } -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -sleep 2 - -echo "Create BRMSParamVOLTE Policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/html' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "policyConfigType": "BRMS_PARAM", - "policyName": "com.BRMSParamVOLTE", - "policyDescription": "BRMS Param VOLTE policy", - "policyScope": "com", - "attributes": { - "MATCHING": { - "controller" : "amsterdam" - }, - "RULE": { - "templateName": "ClosedLoopControlName", - "closedLoopControlName": "ControlLoop-VOLTE-2179b738-fd36-4843-a71a-a8c24c70c55b", - "controlLoopYaml": "controlLoop%3A%0D%0A++version%3A+2.0.0%0D%0A++controlLoopName%3A+ControlLoop-VOLTE-2179b738-fd36-4843-a71a-a8c24c70c55b%0D%0A++trigger_policy%3A+unique-policy-id-1-restart%0D%0A++timeout%3A+3600%0D%0A++abatement%3A+false%0D%0A+%0D%0Apolicies%3A%0D%0A++-+id%3A+unique-policy-id-1-restart%0D%0A++++name%3A+Restart+the+VM%0D%0A++++description%3A%0D%0A++++actor%3A+VFC%0D%0A++++recipe%3A+Restart%0D%0A++++target%3A%0D%0A++++++type%3A+VM%0D%0A++++retry%3A+3%0D%0A++++timeout%3A+1200%0D%0A++++success%3A+final_success%0D%0A++++failure%3A+final_failure%0D%0A++++failure_timeout%3A+final_failure_timeout%0D%0A++++failure_retries%3A+final_failure_retries%0D%0A++++failure_exception%3A+final_failure_exception%0D%0A++++failure_guard%3A+final_failure_guard" - } - } -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -sleep 2 - -echo "Create BRMSParamvCPE Policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/html' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "policyConfigType": "BRMS_PARAM", - "policyName": "com.BRMSParamvCPE", - "policyDescription": "BRMS Param vCPE policy", - "policyScope": "com", - "attributes": { - "MATCHING": { - "controller" : "amsterdam" - }, - "RULE": { - "templateName": "ClosedLoopControlName", - "closedLoopControlName": "ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e", - "controlLoopYaml": "controlLoop%3A%0D%0A++version%3A+2.0.0%0D%0A++controlLoopName%3A+ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e%0D%0A++trigger_policy%3A+unique-policy-id-1-restart%0D%0A++timeout%3A+3600%0D%0A++abatement%3A+true%0D%0A+%0D%0Apolicies%3A%0D%0A++-+id%3A+unique-policy-id-1-restart%0D%0A++++name%3A+Restart+the+VM%0D%0A++++description%3A%0D%0A++++actor%3A+APPC%0D%0A++++recipe%3A+Restart%0D%0A++++target%3A%0D%0A++++++type%3A+VM%0D%0A++++retry%3A+3%0D%0A++++timeout%3A+1200%0D%0A++++success%3A+final_success%0D%0A++++failure%3A+final_failure%0D%0A++++failure_timeout%3A+final_failure_timeout%0D%0A++++failure_retries%3A+final_failure_retries%0D%0A++++failure_exception%3A+final_failure_exception%0D%0A++++failure_guard%3A+final_failure_guard" - } - } -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -sleep 2 - -echo "Create BRMSParamvPCI Policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/html' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "policyConfigType": "BRMS_PARAM", - "policyName": "com.BRMSParamvPCI", - "policyDescription": "BRMS Param vPCI policy", - "policyScope": "com", - "attributes": { - "MATCHING": { - "controller" : "casablanca" - }, - "RULE": { - "templateName": "ClosedLoopControlName", - "closedLoopControlName": "ControlLoop-vPCI-fb41f388-a5f2-11e8-98d0-529269fb1459", - "controlLoopYaml": "controlLoop%3A%0D%0A++version%3A+3.0.0%0D%0A++controlLoopName%3A+ControlLoop-vPCI-fb41f388-a5f2-11e8-98d0-529269fb1459%0D%0A++trigger_policy%3A+unique-policy-id-123-modifyconfig%0D%0A++timeout%3A+1200%0D%0A++abatement%3A+false%0D%0A+%0D%0Apolicies%3A%0D%0A++-+id%3A+unique-policy-id-123-modifyconfig%0D%0A++++name%3A+modify+PCI+config%0D%0A++++description%3A%0D%0A++++actor%3A+SDNR%0D%0A++++recipe%3A+ModifyConfig%0D%0A++++target%3A%0D%0A++++++%23+These+fields+are+not+used%0D%0A++++++resourceID%3A+Eace933104d443b496b8.nodes.heat.vpg%0D%0A++++++type%3A+VNF%0D%0A++++retry%3A+0%0D%0A++++timeout%3A+300%0D%0A++++success%3A+final_success%0D%0A++++failure%3A+final_failure%0D%0A++++failure_timeout%3A+final_failure_timeout%0D%0A++++failure_retries%3A+final_failure_retries%0D%0A++++failure_exception%3A+final_failure_exception%0D%0A++++failure_guard%3A+final_failure_guard" - } - } -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -sleep 2 - -echo "Create BRMSParamCCVPN Policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/html' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "policyConfigType": "BRMS_PARAM", - "policyName": "com.BRMSParamCCVPN", - "policyDescription": "BRMS Param CCVPN policy", - "policyScope": "com", - "attributes": { - "MATCHING": { - "controller" : "amsterdam" - }, - "RULE": { - "templateName": "ClosedLoopControlName", - "closedLoopControlName": "ControlLoop-CCVPN-2179b738-fd36-4843-a71a-a8c24c70c66b", - "controlLoopYaml": "controlLoop%3A%0D%0A++version%3A+2.0.0%0D%0A++controlLoopName%3A+ControlLoop-CCVPN-2179b738-fd36-4843-a71a-a8c24c70c66b%0D%0A++trigger_policy%3A+unique-policy-id-16-Reroute%0D%0A++timeout%3A+3600%0D%0A++abatement%3A+false%0D%0A+%0D%0Apolicies%3A%0D%0A++-+id%3A+unique-policy-id-16-Reroute%0D%0A++++name%3A+Connectivity Reroute%0D%0A++++description%3A%0D%0A++++actor%3A+SDNC%0D%0A++++recipe%3A+Reroute%0D%0A++++target%3A%0D%0A++++++type%3A+VM%0D%0A++++retry%3A+3%0D%0A++++timeout%3A+1200%0D%0A++++success%3A+final_success%0D%0A++++failure%3A+final_failure%0D%0A++++failure_timeout%3A+final_failure_timeout%0D%0A++++failure_retries%3A+final_failure_retries%0D%0A++++failure_exception%3A+final_failure_exception%0D%0A++++failure_guard%3A+final_failure_guard" - } - } -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -#########################################Create Micro Service Config policies########################################## - -echo "Create MicroService Config Policies" - -sleep 2 - -echo "Create MicroServicevFirewall Policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "configBody": "{ \"service\": \"tca_policy\", \"location\": \"SampleServiceLocation\", \"uuid\": \"test\", \"policyName\": \"MicroServicevFirewall\", \"description\": \"MicroService vFirewall Policy\", \"configName\": \"SampleConfigName\", \"templateVersion\": \"OpenSource.version.1\", \"version\": \"1.1.0\", \"priority\": \"1\", \"policyScope\": \"resource=SampleResource,service=SampleService,type=SampleType,closedLoopControlName=ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a\", \"riskType\": \"SampleRiskType\", \"riskLevel\": \"1\", \"guard\": \"False\", \"content\": { \"tca_policy\": { \"domain\": \"measurementsForVfScaling\", \"metricsPerEventName\": [{ \"eventName\": \"vFirewallBroadcastPackets\", \"controlLoopSchemaType\": \"VNF\", \"policyScope\": \"DCAE\", \"policyName\": \"DCAE.Config_tca-hi-lo\", \"policyVersion\": \"v0.0.1\", \"thresholds\": [{ \"closedLoopControlName\": \"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a\", \"version\": \"1.0.2\", \"fieldPath\": \"$.event.measurementsForVfScalingFields.vNicUsageArray[*].receivedTotalPacketsDelta\", \"thresholdValue\": 300, \"direction\": \"LESS_OR_EQUAL\", \"severity\": \"MAJOR\", \"closedLoopEventStatus\": \"ONSET\" }, { \"closedLoopControlName\": \"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a\", \"version\": \"1.0.2\", \"fieldPath\": \"$.event.measurementsForVfScalingFields.vNicUsageArray[*].receivedTotalPacketsDelta\", \"thresholdValue\": 700, \"direction\": \"GREATER_OR_EQUAL\", \"severity\": \"CRITICAL\", \"closedLoopEventStatus\": \"ONSET\" } ] }] } } }", - "policyConfigType": "MicroService", - "policyName": "com.MicroServicevFirewall", - "onapName": "DCAE" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - - -sleep 2 - -echo "Create MicroServicevDNS Policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "configBody": "{ \"service\": \"tca_policy\", \"location\": \"SampleServiceLocation\", \"uuid\": \"test\", \"policyName\": \"MicroServicevDNS\", \"description\": \"MicroService vDNS Policy\", \"configName\": \"SampleConfigName\", \"templateVersion\": \"OpenSource.version.1\", \"version\": \"1.1.0\", \"priority\": \"1\", \"policyScope\": \"resource=SampleResource,service=SampleService,type=SampleType,closedLoopControlName=ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3\", \"riskType\": \"SampleRiskType\", \"riskLevel\": \"1\", \"guard\": \"False\", \"content\": { \"tca_policy\": { \"domain\": \"measurementsForVfScaling\", \"metricsPerEventName\": [{ \"eventName\": \"vLoadBalancer\", \"controlLoopSchemaType\": \"VM\", \"policyScope\": \"DCAE\", \"policyName\": \"DCAE.Config_tca-hi-lo\", \"policyVersion\": \"v0.0.1\", \"thresholds\": [{ \"closedLoopControlName\": \"ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3\", \"version\": \"1.0.2\", \"fieldPath\": \"$.event.measurementsForVfScalingFields.vNicUsageArray[*].receivedTotalPacketsDelta\", \"thresholdValue\": 300, \"direction\": \"GREATER_OR_EQUAL\", \"severity\": \"CRITICAL\", \"closedLoopEventStatus\": \"ONSET\" }] }] } } }", - "policyConfigType": "MicroService", - "policyName": "com.MicroServicevDNS", - "onapName": "DCAE" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - - -sleep 2 - -echo "Create MicroServicevCPE Policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "configBody": "{ \"service\": \"tca_policy\", \"location\": \"SampleServiceLocation\", \"uuid\": \"test\", \"policyName\": \"MicroServicevCPE\", \"description\": \"MicroService vCPE Policy\", \"configName\": \"SampleConfigName\", \"templateVersion\": \"OpenSource.version.1\", \"version\": \"1.1.0\", \"priority\": \"1\", \"policyScope\": \"resource=SampleResource,service=SampleService,type=SampleType,closedLoopControlName=ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e\", \"riskType\": \"SampleRiskType\", \"riskLevel\": \"1\", \"guard\": \"False\", \"content\": { \"tca_policy\": { \"domain\": \"measurementsForVfScaling\", \"metricsPerEventName\": [{ \"eventName\": \"Measurement_vGMUX\", \"controlLoopSchemaType\": \"VNF\", \"policyScope\": \"DCAE\", \"policyName\": \"DCAE.Config_tca-hi-lo\", \"policyVersion\": \"v0.0.1\", \"thresholds\": [{ \"closedLoopControlName\": \"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e\", \"version\": \"1.0.2\", \"fieldPath\": \"$.event.measurementsForVfScalingFields.additionalMeasurements[*].arrayOfFields[0].value\", \"thresholdValue\": 0, \"direction\": \"EQUAL\", \"severity\": \"MAJOR\", \"closedLoopEventStatus\": \"ABATED\" }, { \"closedLoopControlName\": \"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e\", \"version\": \"1.0.2\", \"fieldPath\": \"$.event.measurementsForVfScalingFields.additionalMeasurements[*].arrayOfFields[0].value\", \"thresholdValue\": 0, \"direction\": \"GREATER\", \"severity\": \"CRITICAL\", \"closedLoopEventStatus\": \"ONSET\" }] }] } } }", - "policyConfigType": "MicroService", - "policyName": "com.MicroServicevCPE", - "onapName": "DCAE" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -#########################################Create SDNC Naming Policies########################################## - -echo "Create Generic SDNC Naming Policy for VNF" - -sleep 2 - -echo "Create SDNC vFW Naming Policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "configBody": "{ \"service\": \"SDNC-GenerateName\", \"version\": \"CSIT\", \"content\": { \"policy-instance-name\": \"ONAP_VNF_NAMING_TIMESTAMP\", \"naming-models\": [ { \"naming-properties\": [ { \"property-name\": \"AIC_CLOUD_REGION\" }, { \"property-name\": \"CONSTANT\", \"property-value\": \"ONAP-NF\" }, { \"property-name\": \"TIMESTAMP\" }, { \"property-value\": \"_\", \"property-name\": \"DELIMITER\" } ], \"naming-type\": \"VNF\", \"naming-recipe\": \"AIC_CLOUD_REGION|DELIMITER|CONSTANT|DELIMITER|TIMESTAMP\" }, { \"naming-properties\": [ { \"property-name\": \"VNF_NAME\" }, { \"property-name\": \"SEQUENCE\", \"increment-sequence\": { \"max\": \"zzz\", \"scope\": \"ENTIRETY\", \"start-value\": \"001\", \"length\": \"3\", \"increment\": \"1\", \"sequence-type\": \"alpha-numeric\" } }, { \"property-name\": \"NFC_NAMING_CODE\" }, { \"property-value\": \"_\", \"property-name\": \"DELIMITER\" } ], \"naming-type\": \"VNFC\", \"naming-recipe\": \"VNF_NAME|DELIMITER|NFC_NAMING_CODE|DELIMITER|SEQUENCE\" }, { \"naming-properties\": [ { \"property-name\": \"VNF_NAME\" }, { \"property-value\": \"_\", \"property-name\": \"DELIMITER\" }, { \"property-name\": \"VF_MODULE_LABEL\" }, { \"property-name\": \"VF_MODULE_TYPE\" }, { \"property-name\": \"SEQUENCE\", \"increment-sequence\": { \"max\": \"zzz\", \"scope\": \"PRECEEDING\", \"start-value\": \"01\", \"length\": \"3\", \"increment\": \"1\", \"sequence-type\": \"alpha-numeric\" } } ], \"naming-type\": \"VF-MODULE\", \"naming-recipe\": \"VNF_NAME|DELIMITER|VF_MODULE_LABEL|DELIMITER|VF_MODULE_TYPE|DELIMITER|SEQUENCE\" } ] } }", - "policyName": "SDNC_Policy.ONAP_VNF_NAMING_TIMESTAMP", - "policyConfigType": "MicroService", - "onapName": "SDNC", - "riskLevel": "4", - "riskType": "test", - "guard": "false", - "priority": "4", - "description": "ONAP_VNF_NAMING_TIMESTAMP" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -#########################################Creating OOF PCI Policies########################################## -sleep 2 - -echo "Create MicroServicevPCI Policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "configBody": "{ \"service\": \"tca_policy\", \"location\": \"SampleServiceLocation_pci\", \"uuid\": \"test_pci\", \"policyName\": \"MicroServicevPCI\", \"description\": \"MicroService vPCI Policy\", \"configName\": \"SampleConfigName\", \"templateVersion\": \"OpenSource.version.1\", \"version\": \"1.1.0\", \"priority\": \"1\", \"policyScope\": \"resource=SampleResource,service=SampleService,type=SampleType,closedLoopControlName=ControlLoop-vPCI-fb41f388-a5f2-11e8-98d0-529269fb1459\", \"riskType\": \"SampleRiskType\", \"riskLevel\": \"1\", \"guard\": \"False\", \"content\": { \"tca_policy\": { \"domain\": \"measurementsForVfScaling\", \"metricsPerEventName\": [{ \"eventName\": \"vFirewallBroadcastPackets\", \"controlLoopSchemaType\": \"VNF\", \"policyScope\": \"DCAE\", \"policyName\": \"DCAE.Config_tca-hi-lo\", \"policyVersion\": \"v0.0.1\", \"thresholds\": [{ \"closedLoopControlName\": \"ControlLoop-vPCI-fb41f388-a5f2-11e8-98d0-529269fb1459\", \"version\": \"1.0.2\", \"fieldPath\": \"$.event.executePolicy\", \"thresholdValue\": 1, \"direction\": \"GREATER_OR_EQUAL\", \"severity\": \"MAJOR\", \"closedLoopEventStatus\": \"ONSET\" } ] }] } } }", - "policyConfigType": "MicroService", - "policyName": "com.MicroServicevPCI", - "onapName": "DCAE" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -sleep 2 - -echo "Create PCI MS Config Policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "policyName": "com.PCIMS_CONFIG_POLICY", - "configBody": "{ \"PCI_NEIGHBOR_CHANGE_CLUSTER_TIMEOUT_IN_SECS\":60, \"PCI_MODCONFIG_POLICY_NAME\":\"ControlLoop-vPCI-fb41f388-a5f2-11e8-98d0-529269fb1459\", \"PCI_OPTMIZATION_ALGO_CATEGORY_IN_OOF\":\"OOF-PCI-OPTIMIZATION\", \"PCI_SDNR_TARGET_NAME\":\"SDNR\" }", - "policyType": "Config", - "attributes" : { "matching" : { "key1" : "value1" } }, - "policyConfigType": "Base", - "onapName": "DCAE", - "configName": "PCIMS_CONFIG_POLICY", - "configBodyType": "JSON" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -sleep 2 - -echo "Create OOF Config Policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "policyName": "com.OOF_PCI_CONFIG_POLICY", - "configBody": "{ \"ALGO_CATEGORY\":\"OOF-PCI-OPTIMIZATION\", \"PCI_OPTMIZATION_ALGO_NAME\":\"OOF-PCI-OPTIMIZATION-LEVEL1\", \"PCI_OPTIMIZATION_NW_CONSTRAINT\":\"MAX5PCICHANGESONLY\", \"PCI_OPTIMIZATION_PRIORITY\": 2, \"PCI_OPTIMIZATION_TIME_CONSTRAINT\":\"ONLYATNIGHT\" }", - "attributes" : { "matching" : { "key1" : "value1" } }, - "policyType": "Config", - "policyConfigType": "Base", - "onapName": "DCAE", - "configName": "OOF_PCI_CONFIG_POLICY", - "configBodyType": "JSON" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -#########################################Creating Decision Guard policies######################################### - -sleep 2 - -echo "Creating Decision Guard policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "policyClass": "Decision", - "policyName": "com.AllPermitGuard", - "policyDescription": "Testing all Permit YAML Guard Policy", - "onapName": "PDPD", - "ruleProvider": "GUARD_YAML", - "attributes": { - "MATCHING": { - "actor": ".*", - "recipe": ".*", - "targets": ".*", - "clname": ".*", - "limit": "10", - "timeWindow": "1", - "timeUnits": "minute", - "guardActiveStart": "00:00:01-05:00", - "guardActiveEnd": "23:59:59-05:00" - } - } -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -sleep 2 - -echo "Creating Decision vDNS Guard - Frequency Limiter policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "policyClass": "Decision", - "policyName": "com.vDNS_Frequency", - "policyDescription": "Limit vDNS Scale Up over time period", - "onapName": "PDPD", - "ruleProvider": "GUARD_YAML", - "attributes": { - "MATCHING": { - "actor": "SO", - "recipe": "scaleOut", - "targets": ".*", - "clname": "ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3", - "limit": "1", - "timeWindow": "10", - "timeUnits": "minute", - "guardActiveStart": "00:00:01-05:00", - "guardActiveEnd": "23:59:59-05:00" - } - } -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -sleep 2 - -echo "Creating Decision vDNS Guard - Min/Max policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "policyClass": "Decision", - "policyName": "com.vDNS_MinMax", - "policyDescription": "Ensure number of instances within a range", - "onapName": "SampleDemo", - "ruleProvider": "GUARD_MIN_MAX", - "attributes": { - "MATCHING": { - "actor": "SO", - "recipe": "scaleOut", - "targets": ".*", - "clname": "ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3", - "min": "1", - "max": "5", - "guardActiveStart": "00:00:01-05:00", - "guardActiveEnd": "23:59:59-05:00" - } - } -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/createPolicy' - -#########################################Push Decision policy######################################### - -sleep 2 - -echo "Push Decision policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.AllPermitGuard", - "policyType": "DECISION" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -sleep 2 - -echo "Push Decision policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.vDNS_Frequency", - "policyType": "DECISION" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -sleep 2 - -echo "Push Decision policy" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.vDNS_MinMax", - "policyType": "DECISION" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -#########################################Pushing BRMS Param policies########################################## - -echo "Pushing BRMSParam Operational policies" - -sleep 2 - -echo "pushPolicy : PUT : com.BRMSParamvFirewall" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.BRMSParamvFirewall", - "policyType": "BRMS_Param" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -sleep 2 - -echo "pushPolicy : PUT : com.BRMSParamvDNS" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.BRMSParamvDNS", - "policyType": "BRMS_Param" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -sleep 2 - -echo "pushPolicy : PUT : com.BRMSParamVOLTE" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.BRMSParamVOLTE", - "policyType": "BRMS_Param" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -sleep 2 - -echo "pushPolicy : PUT : com.BRMSParamvCPE" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.BRMSParamvCPE", - "policyType": "BRMS_Param" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -sleep 2 - -echo "pushPolicy : PUT : com.BRMSParamvPCI" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.BRMSParamvPCI", - "policyType": "BRMS_Param" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -sleep 2 - -echo "pushPolicy : PUT : com.BRMSParamCCVPN" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.BRMSParamCCVPN", - "policyType": "BRMS_Param" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -#########################################Pushing MicroService Config policies########################################## - -echo "Pushing MicroService Config policies" - -sleep 2 - -echo "pushPolicy : PUT : com.MicroServicevFirewall" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.MicroServicevFirewall", - "policyType": "MicroService" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -sleep 10 - -echo "pushPolicy : PUT : com.MicroServicevDNS" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.MicroServicevDNS", - "policyType": "MicroService" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -sleep 10 - -echo "pushPolicy : PUT : com.MicroServicevCPE" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.MicroServicevCPE", - "policyType": "MicroService" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -#########################################Pushing SDNC Naming Policies########################################## -echo "Pushing SDNC Naming Policies" - -sleep 2 - -echo "pushPolicy : PUT : SDNC_Policy.ONAP_VNF_NAMING_TIMESTAMP" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "SDNC_Policy.ONAP_VNF_NAMING_TIMESTAMP", - "policyType": "MicroService" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -#########################################Pushing OOF PCI Policies########################################## -sleep 10 - -echo "pushPolicy : PUT : com.MicroServicevPCI" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.MicroServicevPCI", - "policyType": "MicroService" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -sleep 10 - -echo "pushPolicy : PUT : com.PCIMS_CONFIG_POLICY" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.PCIMS_CONFIG_POLICY", - "policyType": "Base" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' - -sleep 10 - -echo "pushPolicy : PUT : com.OOF_PCI_CONFIG_POLICY" -curl -k -v --silent -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHBkcDphbHBoYTEyMw==' --header 'Environment: TEST' -d '{ - "pdpGroup": "default", - "policyName": "com.OOF_PCI_CONFIG_POLICY", - "policyType": "Base" -}' 'https://{{.Values.global.pdp.nameOverride}}:{{.Values.config.pdpPort}}/pdp/api/pushPolicy' diff --git a/kubernetes/policy/templates/deployment.yaml b/kubernetes/policy/templates/deployment.yaml index 7f96888ec8..fec565fb59 100644 --- a/kubernetes/policy/templates/deployment.yaml +++ b/kubernetes/policy/templates/deployment.yaml @@ -96,9 +96,6 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true - - mountPath: /tmp/policy-install/config/push-policies.sh - name: pe-pap - subPath: push-policies.sh - mountPath: /tmp/policy-install/config/pap-tweaks.sh name: pe-pap subPath: pap-tweaks.sh diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index 3a2b1f1f96..f283d9042f 100644 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -67,7 +67,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-pe:1.6.2 +image: onap/policy-pe:1.6.3 mariadb_image: library/mariadb:10 pullPolicy: Always @@ -137,6 +137,12 @@ service: ingress: enabled: false + service: + - baseaddr: "policy.api" + name: "pap" + port: 8443 + config: + ssl: "redirect" mariadb-galera: # mariadb-galera.config and global.mariadb.config must be equals diff --git a/kubernetes/portal/charts/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties b/kubernetes/portal/charts/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties index 63348f02d6..aeef85e54c 100755 --- a/kubernetes/portal/charts/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties +++ b/kubernetes/portal/charts/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties @@ -115,13 +115,12 @@ external_system_notification_url= https://jira.onap.org/browse/ #cookie domain cookie_domain = onap.org -{{- if .Values.global.aafEnabled }} -# External Access System Basic Auth Credentials & Rest endpoint(These credentials doesn't work as these are place holders for now) -ext_central_access_user_name = aaf_admin@people.osaaf.org -ext_central_access_password = thiswillbereplacedatruntime -ext_central_access_url = {{ .Values.aafURL }}/authz/ -ext_central_access_user_domain = @people.osaaf.org - # External Central Auth system access -remote_centralized_system_access = true -{{- end }} +remote_centralized_system_access = {{.Values.global.aafEnabled}} + +# External Access System Basic Auth Credentials & Rest endpoint +# The credentials are placeholders as these are replaced by AAF X509 identity at runtime +ext_central_access_user_name = portal@portal.onap.org +ext_central_access_password = thisfakepasswordwillbereplacedbythex509cert +ext_central_access_url = {{.Values.aafURL}} +ext_central_access_user_domain = @people.osaaf.org
\ No newline at end of file diff --git a/kubernetes/portal/charts/portal-app/templates/deployment.yaml b/kubernetes/portal/charts/portal-app/templates/deployment.yaml index 14bbd3c7f6..af00b5ff89 100644 --- a/kubernetes/portal/charts/portal-app/templates/deployment.yaml +++ b/kubernetes/portal/charts/portal-app/templates/deployment.yaml @@ -60,7 +60,7 @@ spec: -Djavax.net.ssl.keyStorePassword=$cadi_keystore_password_p12\";\ /start-apache-tomcat.sh -i \"\" -n \"\" -b {{ .Values.global.env.tomcatDir }}"] env: - - name: _CATALINA_OPTS + - name: CATALINA_OPTS value: > -Djavax.net.ssl.keyStore="{{ .Values.aafConfig.credsPath }}/{{ .Values.aafConfig.keystoreFile }}" -Djavax.net.ssl.trustStore="{{ .Values.aafConfig.credsPath }}/{{ .Values.aafConfig.truststoreFile }}" diff --git a/kubernetes/portal/charts/portal-app/values.yaml b/kubernetes/portal/charts/portal-app/values.yaml index 24388277f4..01bc0dab93 100644 --- a/kubernetes/portal/charts/portal-app/values.yaml +++ b/kubernetes/portal/charts/portal-app/values.yaml @@ -32,12 +32,12 @@ global: # application image repository: nexus3.onap.org:10001 -image: onap/portal-app:3.2.0 +image: onap/portal-app:3.2.1 pullPolicy: Always #AAF local config -aafURL: https://aaf-service:8100/ +aafURL: https://aaf-service:8100/authz/ aafConfig: aafDeployFqi: deployer@people.osaaf.org aafDeployPass: demo123456! @@ -121,7 +121,7 @@ messageRouter: ingress: enabled: false service: - - baseaddr: portalapp + - baseaddr: portal.api name: "portal-app" port: 8443 config: diff --git a/kubernetes/portal/charts/portal-mariadb/resources/config/mariadb/oom_updates.sql b/kubernetes/portal/charts/portal-mariadb/resources/config/mariadb/oom_updates.sql index fd357f3cd5..7502e9322a 100644 --- a/kubernetes/portal/charts/portal-mariadb/resources/config/mariadb/oom_updates.sql +++ b/kubernetes/portal/charts/portal-mariadb/resources/config/mariadb/oom_updates.sql @@ -23,7 +23,7 @@ while the OOM K8s version has these service split up. */ -- app_url is the FE, app_rest_endpoint is the BE --portal-sdk => TODO: doesn't open a node port yet -update fn_app set app_url = 'http://{{.Values.config.portalSdkHostName}}:{{.Values.config.portalSdkPort}}/ONAPPORTALSDK/welcome.htm', app_rest_endpoint = 'http://portal-sdk:8080/ONAPPORTALSDK/api/v3' where app_name = 'xDemo App'; +update fn_app set app_url = 'https://{{.Values.config.portalSdkHostName}}:{{.Values.config.portalSdkPort}}/ONAPPORTALSDK/welcome.htm', app_rest_endpoint = 'https://portal-sdk:8080/ONAPPORTALSDK/api/v3' where app_name = 'xDemo App'; --dmaap-bc => the dmaap-bc doesn't open a node port.. update fn_app set app_url = 'http://{{.Values.config.dmaapBcHostName}}:{{.Values.config.dmaapBcPort}}/ECOMPDBCAPP/dbc#/dmaap', app_rest_endpoint = 'http://dmaap-bc:8989/ECOMPDBCAPP/api/v2' where app_name = 'DMaaP Bus Ctrl'; --sdc-be => 8443:30204 @@ -38,7 +38,7 @@ update fn_app set app_url = 'https://{{.Values.config.aaiSparkyHostName}}:{{.Val --cli => 8080:30260 update fn_app set app_url = 'https://{{.Values.config.cliHostName}}:{{.Values.config.cliPort}}/', app_type = 1 where app_name = 'CLI'; --msb-iag => 80:30280 -update fn_app set app_url = 'http://{{.Values.config.msbHostName}}:{{.Values.config.msbPort}}/iui/microservices/default.html' where app_name = 'MSB'; +update fn_app set app_url = 'https://{{.Values.config.msbHostName}}:{{.Values.config.msbPort}}/iui/microservices/default.html' where app_name = 'MSB'; /* @@ -78,7 +78,7 @@ update fn_app set app_username='aaiui', app_password='4LK69amiIFtuzcl6Gsv97Tt7ML /* Replace spaces with underscores for role names to match AAF role names */ -UPDATE fn_role SET role_name= REPLACE(role_name, ' ', '_') WHERE active_yn= 'Y'; +UPDATE fn_role SET role_name= REPLACE(role_name, ' ', '_') WHERE active_yn= 'Y' AND role_id NOT IN (999); /* diff --git a/kubernetes/portal/charts/portal-mariadb/values.yaml b/kubernetes/portal/charts/portal-mariadb/values.yaml index 5a3b08d469..1234b6bc46 100644 --- a/kubernetes/portal/charts/portal-mariadb/values.yaml +++ b/kubernetes/portal/charts/portal-mariadb/values.yaml @@ -66,7 +66,7 @@ config: # application's front end hostname. Must be resolvable on the client side environment dmaapBcHostName: "dmaap-bc.simpledemo.onap.org" # msb IAG ui assignment for port 80 - msbPort: "30280" + msbPort: "30283" # application's front end hostname. Must be resolvable on the client side environment msbHostName: "msb.api.simpledemo.onap.org" # SO Monitoring assignment for port 30224 diff --git a/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties b/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties index 063ba3d122..45ea9b70ca 100755 --- a/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties +++ b/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties @@ -82,13 +82,12 @@ authenticate_user_server=http://{{.Values.global.portalHostName}}:8383/openid-co #cookie domain cookie_domain = onap.org -{{- if .Values.global.aafEnabled }} -# External Access System Basic Auth Credentials & Rest endpoint(These credentials doesn't work as these are place holders for now) -ext_central_access_user_name = aaf_admin@people.osaaf.org -ext_central_access_password = thiswillbereplacedatruntime -ext_central_access_url = {{ .Values.aafURL }}/authz/ -ext_central_access_user_domain = @people.osaaf.org - # External Central Auth system access -remote_centralized_system_access = true -{{- end }}
\ No newline at end of file +remote_centralized_system_access = {{.Values.global.aafEnabled}} + +# External Access System Basic Auth Credentials & Rest endpoint +# The credentials are placeholders as these are replaced by AAF X509 identity at runtime +ext_central_access_user_name = portal@portal.onap.org +ext_central_access_password = thisfakepasswordwillbereplacedbythex509cert +ext_central_access_url = {{.Values.aafURL}} +ext_central_access_user_domain = @people.osaaf.org
\ No newline at end of file diff --git a/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml b/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml index 2de9a1bd24..b78ef34fa1 100644 --- a/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml +++ b/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml @@ -60,7 +60,7 @@ spec: -Djavax.net.ssl.keyStorePassword=$cadi_keystore_password_p12\";\ /start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"] env: - - name: _CATALINA_OPTS + - name: CATALINA_OPTS value: > -Djavax.net.ssl.keyStore="{{ .Values.aafConfig.credsPath }}/{{ .Values.aafConfig.keystoreFile }}" -Djavax.net.ssl.trustStore="{{ .Values.aafConfig.credsPath }}/{{ .Values.aafConfig.truststoreFile }}" diff --git a/kubernetes/portal/charts/portal-sdk/values.yaml b/kubernetes/portal/charts/portal-sdk/values.yaml index 45af55fe1d..7f3aa70a2c 100644 --- a/kubernetes/portal/charts/portal-sdk/values.yaml +++ b/kubernetes/portal/charts/portal-sdk/values.yaml @@ -37,7 +37,7 @@ image: onap/portal-sdk:3.2.0 pullPolicy: Always #AAF local config -aafURL: https://aaf-service:8100/ +aafURL: https://aaf-service:8100/authz/ aafConfig: aafDeployFqi: deployer@people.osaaf.org aafDeployPass: demo123456! @@ -115,11 +115,11 @@ messageRouter: ingress: enabled: false service: - - baseaddr: portalsdk + - baseaddr: portal-sdk name: "portal-sdk" port: 8443 config: - ssl: "none" + ssl: "redirect" # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/robot b/kubernetes/robot -Subproject 431689c7879a92be54477f13f8e39908db5f07f +Subproject 1bc31c7d76408bdf2267bf72bf3b1b1e18e2367 diff --git a/kubernetes/sdc/charts/sdc-be/values.yaml b/kubernetes/sdc/charts/sdc-be/values.yaml index a40b27d2aa..a0e9b539e6 100644 --- a/kubernetes/sdc/charts/sdc-be/values.yaml +++ b/kubernetes/sdc/charts/sdc-be/values.yaml @@ -28,8 +28,8 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdc-backend:1.6.4 -backendInitImage: onap/sdc-backend-init:1.6.4 +image: onap/sdc-backend:1.6.5 +backendInitImage: onap/sdc-backend-init:1.6.5 pullPolicy: Always # flag to enable debugging - application support required @@ -88,7 +88,7 @@ service: ingress: enabled: false service: - - baseaddr: "sdcbe" + - baseaddr: "sdc.api.be" name: "sdc-be" port: 8443 config: diff --git a/kubernetes/sdc/charts/sdc-cs/values.yaml b/kubernetes/sdc/charts/sdc-cs/values.yaml index 6c63927cf5..3cef2cf49e 100644 --- a/kubernetes/sdc/charts/sdc-cs/values.yaml +++ b/kubernetes/sdc/charts/sdc-cs/values.yaml @@ -28,8 +28,8 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdc-cassandra:1.6.4 -cassandraInitImage: onap/sdc-cassandra-init:1.6.4 +image: onap/sdc-cassandra:1.6.5 +cassandraInitImage: onap/sdc-cassandra-init:1.6.5 pullPolicy: Always diff --git a/kubernetes/sdc/charts/sdc-dcae-be/values.yaml b/kubernetes/sdc/charts/sdc-dcae-be/values.yaml index d1fe131f82..0dfed6ae14 100644 --- a/kubernetes/sdc/charts/sdc-dcae-be/values.yaml +++ b/kubernetes/sdc/charts/sdc-dcae-be/values.yaml @@ -69,6 +69,12 @@ service: ingress: enabled: false + service: + - baseaddr: "sdc.dcae.plugin" + name: "sdc-dcae-be" + port: 8282 + config: + ssl: "none" # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/sdc/charts/sdc-dcae-dt/values.yaml b/kubernetes/sdc/charts/sdc-dcae-dt/values.yaml index ad46842393..6dbec2bc24 100644 --- a/kubernetes/sdc/charts/sdc-dcae-dt/values.yaml +++ b/kubernetes/sdc/charts/sdc-dcae-dt/values.yaml @@ -61,12 +61,9 @@ ingress: service: - baseaddr: "dcaedt" name: "sdc-dcae-dt" - port: 8186 - - baseaddr: "dcaedt2" - name: "sdc-dcae-dt" port: 9446 config: - ssl: "none" + ssl: "redirect" # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/sdc/charts/sdc-dcae-fe/values.yaml b/kubernetes/sdc/charts/sdc-dcae-fe/values.yaml index b6572f5d3d..eae409a431 100644 --- a/kubernetes/sdc/charts/sdc-dcae-fe/values.yaml +++ b/kubernetes/sdc/charts/sdc-dcae-fe/values.yaml @@ -68,7 +68,7 @@ ingress: name: "sdc-dcae-fe" port: 9444 config: - ssl: "none" + ssl: "redirect" # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) diff --git a/kubernetes/sdc/charts/sdc-fe/values.yaml b/kubernetes/sdc/charts/sdc-fe/values.yaml index f5d1956f18..8754d0fc87 100644 --- a/kubernetes/sdc/charts/sdc-fe/values.yaml +++ b/kubernetes/sdc/charts/sdc-fe/values.yaml @@ -28,7 +28,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdc-frontend:1.6.4 +image: onap/sdc-frontend:1.6.5 pullPolicy: Always config: @@ -81,7 +81,7 @@ service: ingress: enabled: false service: - - baseaddr: "sdcfe" + - baseaddr: "sdc.api.fe" name: "sdc-fe" port: 9443 config: diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml index 3db3685b86..108c781f54 100644 --- a/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml +++ b/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml @@ -70,6 +70,19 @@ spec: mountPath: /config-input/ - name: sdc-environments-output mountPath: /config-output/ + - name: volume-permissions + image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /bin/sh + - -c + - | + chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} //onboard/cert + securityContext: + runAsUser: 0 + volumeMounts: + - name: {{ include "common.fullname" . }}-cert-storage + mountPath: "/onboard/cert" containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml index 946cb3491f..0471c031a6 100644 --- a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml +++ b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml @@ -28,8 +28,8 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdc-onboard-backend:1.6.4 -onboardingInitImage: onap/sdc-onboard-cassandra-init:1.6.4 +image: onap/sdc-onboard-backend:1.6.5 +onboardingInitImage: onap/sdc-onboard-cassandra-init:1.6.5 pullPolicy: Always # flag to enable debugging - application support required @@ -103,6 +103,9 @@ cert: volumeReclaimPolicy: Retain mountSubPath: /sdc/onbaording/cert +securityContext: + fsGroup: 35953 + runAsUser: 352070 ingress: enabled: false diff --git a/kubernetes/sdc/charts/sdc-wfd-be/values.yaml b/kubernetes/sdc/charts/sdc-wfd-be/values.yaml index 8bab2c84ea..05793d4f5b 100644 --- a/kubernetes/sdc/charts/sdc-wfd-be/values.yaml +++ b/kubernetes/sdc/charts/sdc-wfd-be/values.yaml @@ -28,8 +28,8 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/workflow-backend:1.6.4 -configInitImage: onap/workflow-init:1.6.4 +image: onap/sdc-workflow-backend:1.7.0 +configInitImage: onap/sdc-workflow-init:1.7.0 pullPolicy: Always initJob: diff --git a/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml b/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml index 359c33ab61..aaa7795709 100644 --- a/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml +++ b/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml @@ -28,7 +28,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/workflow-frontend:1.6.4 +image: onap/sdc-workflow-frontend:1.7.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml index 5701a91f27..2694b5de80 100644 --- a/kubernetes/sdc/values.yaml +++ b/kubernetes/sdc/values.yaml @@ -28,6 +28,8 @@ global: wf_external_user_password: S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== ubuntuInitRepository: oomk8s ubuntuInitImage: ubuntu-init:1.0.0 + busyboxRepository: registry.hub.docker.com + busyboxImage: library/busybox:latest cassandra: #This flag allows SDC to instantiate its own cluster, serviceName #should be sdc-cs if this flag is enabled diff --git a/kubernetes/sdnc/Makefile b/kubernetes/sdnc/Makefile index d634a8c506..e4b5dda95d 100644 --- a/kubernetes/sdnc/Makefile +++ b/kubernetes/sdnc/Makefile @@ -18,8 +18,8 @@ OUTPUT_DIR := $(ROOT_DIR)/../dist PACKAGE_DIR := $(OUTPUT_DIR)/packages SECRET_DIR := $(OUTPUT_DIR)/secrets -EXCLUDES := -HELM_CHARTS := $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.))) +EXCLUDES := dist resources templates charts +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -48,4 +48,4 @@ clean: @rm -f *tgz */charts/*tgz @rm -rf $(PACKAGE_DIR) %: - @:
\ No newline at end of file + @: diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dmaap-consumer-CMNotify.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dmaap-consumer-CMNotify.properties index eff236a962..6d5afef190 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dmaap-consumer-CMNotify.properties +++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dmaap-consumer-CMNotify.properties @@ -2,7 +2,7 @@ TransportType=HTTPNOAUTH Latitude =50.000000 Longitude =-100.000000 Version =1.0 -ServiceName=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort}} +ServiceName=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort}}/events Environment =TEST Partner = routeOffer=MR1 @@ -32,4 +32,4 @@ sessionstickinessrequired=NO DME2preferredRouterFilePath=/opt/onap/sdnc/data/properties/dmaap-listener.preferredRoute.txt sdnc.odl.user=${ODL_USER} sdnc.odl.password=${ODL_PASSWORD} -sdnc.odl.url-base=https://sdnc-oam.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations +sdnc.odl.url-base=http://sdnc-oam.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dmaap-consumer-a1Adapter-policy.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dmaap-consumer-a1Adapter-policy.properties index 944b63f4c2..fcb56e08c3 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dmaap-consumer-a1Adapter-policy.properties +++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dmaap-consumer-a1Adapter-policy.properties @@ -2,7 +2,7 @@ TransportType=HTTPNOAUTH Latitude =50.000000 Longitude =-100.000000 Version =1.0 -ServiceName=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort}} +ServiceName=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort}}/events Environment =TEST Partner = routeOffer=MR1 @@ -32,4 +32,4 @@ sessionstickinessrequired=NO DME2preferredRouterFilePath=/opt/onap/sdnc/data/properties/dmaap-listener.preferredRoute.txt sdnc.odl.user=${ODL_USER} sdnc.odl.password=${ODL_PASSWORD} -sdnc.odl.url-base=https://sdnc-oam.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations +sdnc.odl.url-base=http://sdnc-oam.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dmaap-consumer-oofpcipoc.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dmaap-consumer-oofpcipoc.properties index b670d436c0..a03871d428 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dmaap-consumer-oofpcipoc.properties +++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dmaap-consumer-oofpcipoc.properties @@ -2,7 +2,7 @@ TransportType=HTTPNOAUTH Latitude =50.000000 Longitude =-100.000000 Version =1.0 -ServiceName=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort}} +ServiceName=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort}}/events Environment =TEST Partner = routeOffer=MR1 @@ -30,6 +30,6 @@ AFT_DME2_ROUNDTRIP_TIMEOUT_MS=240000 AFT_DME2_EP_READ_TIMEOUT_MS=50000 sessionstickinessrequired=NO DME2preferredRouterFilePath=/opt/onap/sdnc/data/properties/dmaap-listener.preferredRoute.txt -sdnc.odl.user=$(ODL_USER} +sdnc.odl.user=${ODL_USER} sdnc.odl.password=${ODL_PASSWORD} -sdnc.odl.url-base=https://sdnc-oam.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations +sdnc.odl.url-base=http://sdnc-oam.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations diff --git a/kubernetes/sdnc/charts/dmaap-listener/values.yaml b/kubernetes/sdnc/charts/dmaap-listener/values.yaml index 51f7afeeb5..bcbad0d68e 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/values.yaml +++ b/kubernetes/sdnc/charts/dmaap-listener/values.yaml @@ -56,7 +56,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdnc-dmaap-listener-image:1.8.1 +image: onap/sdnc-dmaap-listener-image:1.8.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml index c08e53a84a..d0455d5647 100644 --- a/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml +++ b/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml @@ -56,7 +56,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdnc-ansible-server-image:1.8.1 +image: onap/sdnc-ansible-server-image:1.8.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/charts/sdnc-portal/templates/ingress.yaml b/kubernetes/sdnc/charts/sdnc-portal/templates/ingress.yaml new file mode 100644 index 0000000000..0cd8cfbd36 --- /dev/null +++ b/kubernetes/sdnc/charts/sdnc-portal/templates/ingress.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung, Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.ingress" . }} diff --git a/kubernetes/sdnc/charts/sdnc-portal/values.yaml b/kubernetes/sdnc/charts/sdnc-portal/values.yaml index 280a2af5e9..71ebb69819 100644 --- a/kubernetes/sdnc/charts/sdnc-portal/values.yaml +++ b/kubernetes/sdnc/charts/sdnc-portal/values.yaml @@ -73,7 +73,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/admportal-sdnc-image:1.8.1 +image: onap/admportal-sdnc-image:1.8.2 config: dbFabricDB: mysql dbFabricUser: admin @@ -133,6 +133,12 @@ service: ingress: enabled: false + service: + - baseaddr: "sdnc-portal.api" + name: "sdnc-portal" + port: 8443 + config: + ssl: "redirect" #Resource limit flavor -By default using small flavor: small diff --git a/kubernetes/sdnc/charts/ueb-listener/values.yaml b/kubernetes/sdnc/charts/ueb-listener/values.yaml index a02a38531c..7a19b12865 100644 --- a/kubernetes/sdnc/charts/ueb-listener/values.yaml +++ b/kubernetes/sdnc/charts/ueb-listener/values.yaml @@ -62,7 +62,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdnc-ueb-listener-image:1.8.1 +image: onap/sdnc-ueb-listener-image:1.8.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/components/Makefile b/kubernetes/sdnc/components/Makefile new file mode 100644 index 0000000000..4e737638a6 --- /dev/null +++ b/kubernetes/sdnc/components/Makefile @@ -0,0 +1,51 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# FIXME OOM-765 +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/requirements.yaml ]; then helm dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then helm lint $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then helm package -d $(PACKAGE_DIR) $*; fi + @helm repo index $(PACKAGE_DIR) + +clean: + @rm -f */requirements.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: diff --git a/kubernetes/sdnc/sdnc-prom/Chart.yaml b/kubernetes/sdnc/components/sdnc-prom/Chart.yaml index 54fb337f04..54fb337f04 100644 --- a/kubernetes/sdnc/sdnc-prom/Chart.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/Chart.yaml diff --git a/kubernetes/sdnc/sdnc-prom/requirements.yaml b/kubernetes/sdnc/components/sdnc-prom/requirements.yaml index e4c7240290..e4c7240290 100644 --- a/kubernetes/sdnc/sdnc-prom/requirements.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/requirements.yaml diff --git a/kubernetes/sdnc/sdnc-prom/resources/bin/ensureSdncActive.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncActive.sh index fb24653129..fb24653129 100755 --- a/kubernetes/sdnc/sdnc-prom/resources/bin/ensureSdncActive.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncActive.sh diff --git a/kubernetes/sdnc/sdnc-prom/resources/bin/ensureSdncStandby.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncStandby.sh index 8dd84bd3ea..8dd84bd3ea 100755 --- a/kubernetes/sdnc/sdnc-prom/resources/bin/ensureSdncStandby.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncStandby.sh diff --git a/kubernetes/sdnc/sdnc-prom/resources/bin/prom.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/prom.sh index c93ba24bd7..c93ba24bd7 100755 --- a/kubernetes/sdnc/sdnc-prom/resources/bin/prom.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/prom.sh diff --git a/kubernetes/sdnc/sdnc-prom/resources/bin/sdnc.cluster b/kubernetes/sdnc/components/sdnc-prom/resources/bin/sdnc.cluster index bdfa1a440b..bdfa1a440b 100755 --- a/kubernetes/sdnc/sdnc-prom/resources/bin/sdnc.cluster +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/sdnc.cluster diff --git a/kubernetes/sdnc/sdnc-prom/resources/bin/sdnc.dnsswitch b/kubernetes/sdnc/components/sdnc-prom/resources/bin/sdnc.dnsswitch index 209352c4e3..209352c4e3 100755 --- a/kubernetes/sdnc/sdnc-prom/resources/bin/sdnc.dnsswitch +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/sdnc.dnsswitch diff --git a/kubernetes/sdnc/sdnc-prom/resources/bin/sdnc.failover b/kubernetes/sdnc/components/sdnc-prom/resources/bin/sdnc.failover index e78b7eeee3..e78b7eeee3 100755 --- a/kubernetes/sdnc/sdnc-prom/resources/bin/sdnc.failover +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/sdnc.failover diff --git a/kubernetes/sdnc/sdnc-prom/resources/bin/sdnc.monitor b/kubernetes/sdnc/components/sdnc-prom/resources/bin/sdnc.monitor index 0042ac368a..0042ac368a 100755 --- a/kubernetes/sdnc/sdnc-prom/resources/bin/sdnc.monitor +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/sdnc.monitor diff --git a/kubernetes/sdnc/sdnc-prom/resources/bin/switchVoting.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh index f13196e7e8..f13196e7e8 100755 --- a/kubernetes/sdnc/sdnc-prom/resources/bin/switchVoting.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh diff --git a/kubernetes/sdnc/sdnc-prom/resources/config/config.json b/kubernetes/sdnc/components/sdnc-prom/resources/config/config.json index 54f95c140c..54f95c140c 100644 --- a/kubernetes/sdnc/sdnc-prom/resources/config/config.json +++ b/kubernetes/sdnc/components/sdnc-prom/resources/config/config.json diff --git a/kubernetes/sdnc/sdnc-prom/resources/config/healthchecks.json b/kubernetes/sdnc/components/sdnc-prom/resources/config/healthchecks.json index ea8ceccc0c..ea8ceccc0c 100644 --- a/kubernetes/sdnc/sdnc-prom/resources/config/healthchecks.json +++ b/kubernetes/sdnc/components/sdnc-prom/resources/config/healthchecks.json diff --git a/kubernetes/sdnc/sdnc-prom/templates/configmap.yaml b/kubernetes/sdnc/components/sdnc-prom/templates/configmap.yaml index 927bb1e5be..927bb1e5be 100644 --- a/kubernetes/sdnc/sdnc-prom/templates/configmap.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/templates/configmap.yaml diff --git a/kubernetes/sdnc/sdnc-prom/templates/deployment.yaml b/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml index 7492b5501e..7492b5501e 100644 --- a/kubernetes/sdnc/sdnc-prom/templates/deployment.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml diff --git a/kubernetes/sdnc/sdnc-prom/templates/pv.yaml b/kubernetes/sdnc/components/sdnc-prom/templates/pv.yaml index bef2d6a85f..bef2d6a85f 100644 --- a/kubernetes/sdnc/sdnc-prom/templates/pv.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/templates/pv.yaml diff --git a/kubernetes/sdnc/sdnc-prom/templates/pvc.yaml b/kubernetes/sdnc/components/sdnc-prom/templates/pvc.yaml index 9933852f16..9933852f16 100644 --- a/kubernetes/sdnc/sdnc-prom/templates/pvc.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/templates/pvc.yaml diff --git a/kubernetes/sdnc/sdnc-prom/values.yaml b/kubernetes/sdnc/components/sdnc-prom/values.yaml index 7216e81abf..7216e81abf 100644 --- a/kubernetes/sdnc/sdnc-prom/values.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/values.yaml diff --git a/kubernetes/sdnc/requirements.yaml b/kubernetes/sdnc/requirements.yaml index 967a674c08..3f44c6dca1 100644 --- a/kubernetes/sdnc/requirements.yaml +++ b/kubernetes/sdnc/requirements.yaml @@ -30,3 +30,6 @@ dependencies: version: ~6.x-0 repository: '@local' condition: .global.mariadbGalera.localCluster + - name: elasticsearch + version: ~6.x-0 + repository: '@local' diff --git a/kubernetes/sdnc/templates/configmap.yaml b/kubernetes/sdnc/templates/configmap.yaml index 087ed30055..cd39425073 100644 --- a/kubernetes/sdnc/templates/configmap.yaml +++ b/kubernetes/sdnc/templates/configmap.yaml @@ -78,3 +78,16 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Get "resources/env.yaml") . | indent 2 }} + +{{ if .Values.global.aafEnabled }} +{{- if .Values.aafConfig.addconfig -}} +--- +apiVersion: v1 +kind: ConfigMap +{{- $suffix := "aaf-add-config" }} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} +data: + aaf-add-config.sh: |- + cd /opt/app/osaaf/local && /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.aafConfig.fqi}} {{ .Values.aafConfig.fqdn }} | grep cadi_keystore_password= | cut -d= -f 2 > {{ .Values.aafConfig.credsPath }}/.pass 2>&1 +{{- end -}} +{{- end -}} diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index 4511ca9125..58ca866fca 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml +++ b/kubernetes/sdnc/templates/statefulset.yaml @@ -92,54 +92,7 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness {{ if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-aaf-readiness - image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /root/ready.py - args: - - --container-name - - aaf-locate - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-aaf - image: {{ .Values.global.repository }}/{{ .Values.aaf_init.agentImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: {{ .Values.certpersistence.certPath }} - name: {{ include "common.fullname" . }}-certs - command: - - bash - - -c - - | - /opt/app/aaf_config/bin/agent.sh && - cd /opt/app/osaaf/local && - /opt/app/aaf_config/bin/agent.sh local showpass | grep cadi_keystore_password= | cut -d= -f 2 > /opt/app/osaaf/local/.pass 2>&1 - env: - - name: APP_FQI - value: "{{ .Values.aaf_init.fqi }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ .Release.Namespace}}:8095" - - name: aaf_locator_container - value: "oom" - - name: aaf_locator_container_ns - value: "{{ .Release.Namespace }}" - - name: aaf_locator_fqdn - value: "{{ .Values.aaf_init.fqdn }}" - - name: aaf_locator_app_ns - value: "{{ .Values.aaf_init.app_ns }}" - - name: DEPLOY_FQI - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aaf-creds" "key" "login") | indent 12 }} - - name: DEPLOY_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aaf-creds" "key" "password") | indent 12 }} - - name: cadi_longitude - value: "{{ .Values.aaf_init.cadi_longitude }}" - - name: cadi_latitude - value: "{{ .Values.aaf_init.cadi_latitude }}" +{{ include "common.aaf-config" . | indent 6 }} {{ end }} - name: {{ include "common.name" . }}-chown image: "busybox" @@ -147,8 +100,9 @@ spec: volumeMounts: - mountPath: {{ .Values.persistence.mdsalPath }} name: {{ include "common.fullname" . }}-data - - mountPath: {{ .Values.certpersistence.certPath }} - name: {{ include "common.fullname" . }}-certs +{{- if .Values.global.aafEnabled }} +{{ include "common.aaf-config-volume-mountpath" . | indent 10 }} +{{- end }} containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -197,6 +151,9 @@ spec: - name: JAVA_HOME value: "{{ .Values.config.javaHome}}" volumeMounts: + {{- if .Values.global.aafEnabled }} +{{ include "common.aaf-config-volume-mountpath" . | indent 10 }} + {{- end }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -237,8 +194,6 @@ spec: name: {{ include "common.fullname" . }}-data - mountPath: /var/log/onap name: logs - - mountPath: {{ .Values.certpersistence.certPath }} - name: {{ include "common.fullname" . }}-certs - mountPath: {{ .Values.config.odl.salConfigDir }}/{{ .Values.config.odl.salConfigVersion}}/sal-clustering-config-{{ .Values.config.odl.salConfigVersion}}-akkaconf.xml name: properties subPath: akka.conf @@ -298,17 +253,13 @@ spec: - name: properties emptyDir: medium: Memory - - name: {{ include "common.fullname" . }}-certs - {{ if .Values.certpersistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }}-certs - {{ else }} - emptyDir: {} - {{ end }} {{ if not .Values.persistence.enabled }} - name: {{ include "common.fullname" . }}-data emptyDir: {} {{ else }} + {{- if .Values.global.aafEnabled }} +{{ include "common.aaf-config-volumes" . | indent 8 }} + {{- end }} volumeClaimTemplates: - metadata: name: {{ include "common.fullname" . }}-data diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index fda5617f78..96ea6e33fd 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -24,6 +24,7 @@ global: readinessImage: readiness-check:2.0.2 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + aafAgentImage: onap/aaf/aaf_agent:2.1.15 persistence: mountPath: /dockerdata-nfs aafEnabled: true @@ -69,7 +70,7 @@ secrets: password: '{{ .Values.config.odlPassword }}' # For now this is left hardcoded but should be revisited in a future passwordPolicy: required - - uid: aaf-creds + - uid: &aaf_secret_uid aaf-creds type: basicAuth externalSecret: '{{ ternary (tpl (default "" .Values.aaf_init.aafDeployCredsExternalSecret) .) "aafIsDiabled" .Values.global.aafEnabled }}' login: '{{ .Values.aaf_init.deploy_fqi }}' @@ -118,7 +119,7 @@ secrets: # application images repository: nexus3.onap.org:10001 pullPolicy: Always -image: onap/sdnc-image:1.8.1 +image: onap/sdnc-image:1.8.2 # flag to enable debugging - application support required @@ -194,6 +195,20 @@ config: numberGGLogFiles: 10 # dependency / sub-chart configuration +aafConfig: + addconfig: true + fqdn: "sdnc" + app_ns: "org.osaaf.aaf" + fqi: "sdnc@sdnc.onap.org" + fqi_namespace: org.onap.sdnc + public_fqdn: "sdnc.onap.org" + aafDeployFqi: "deployer@people.osaaf.org" + aafDeployPass: demo123456! + cadi_latitude: "38.0" + cadi_longitude: "-72.0" + secret_uid: *aaf_secret_uid + credsPath: /opt/app/osaaf/local + aaf_init: agentImage: onap/aaf/aaf_agent:2.1.15 app_ns: "org.osaaf.aaf" @@ -289,6 +304,45 @@ dgbuilder: name: sdnc-dgbuilder nodePort: "03" + ingress: + enabled: false + service: + - baseaddr: "sdnc-dgbuilder" + name: "sdnc-dgbuilder" + port: 3000 + config: + ssl: "redirect" + +# local elasticsearch cluster +localElasticCluster: true +elasticsearch: + nameOverride: sdnrdb + name: sdnrdb-cluster + aafConfig: + fqdn: "sdnc" + fqi_namespace: org.onap.sdnc + fqi: "sdnc@sdnc.onap.org" + service: + name: sdnrdb + + master: + replicaCount: 3 + # dedicatednode: "yes" + # working as master node only, in this case increase replicaCount for elasticsearch-data + # dedicatednode: "no" + # handles master and data node functionality + dedicatednode: "no" + nameOverride: sdnrdb + + curator: + enabled: true + nameOverride: sdnrdb + data: + enabled: true + replicaCount: 1 + nameOverride: sdnrdb + + # default number of instances replicaCount: 1 @@ -379,7 +433,7 @@ certpersistence: ingress: enabled: false service: - - baseaddr: "sdnc" + - baseaddr: "sdnc.api" name: "sdnc" port: 8443 config: diff --git a/kubernetes/so/charts/so-bpmn-infra/resources/config/overrides/override.yaml b/kubernetes/so/charts/so-bpmn-infra/resources/config/overrides/override.yaml index aa1189dcba..8c21a99ac1 100755 --- a/kubernetes/so/charts/so-bpmn-infra/resources/config/overrides/override.yaml +++ b/kubernetes/so/charts/so-bpmn-infra/resources/config/overrides/override.yaml @@ -104,6 +104,8 @@ mso: workflow: message: endpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage + nssmf: + endpoint: http://so-nssmf-adapter.{{ include "common.namespace" . }}:8088 bpmn: process: historyTimeToLive: '30' @@ -122,6 +124,8 @@ mso: log: debug: 'false' infra: + endpoint: + url: http://so.{{ include "common.namespace" . }}:8080/onap/so/infra customer: id: testCustIdInfra po: @@ -146,7 +150,7 @@ mso: oof: auth: {{ .Values.mso.oof.auth }} callbackEndpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage - endpoint: https://oof-osdf.{{ include "common.namespace" . }}:8698/api/oof/v1/placement + endpoint: https://oof-osdf.{{ include "common.namespace" . }}:8698 timeout: PT30M workflow: CreateGenericVNFV1: diff --git a/kubernetes/so/charts/so-bpmn-infra/values.yaml b/kubernetes/so/charts/so-bpmn-infra/values.yaml index b04343feef..71c7ceef1a 100755 --- a/kubernetes/so/charts/so-bpmn-infra/values.yaml +++ b/kubernetes/so/charts/so-bpmn-infra/values.yaml @@ -57,7 +57,7 @@ secrets: # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 -image: onap/so/bpmn-infra:1.6.0 +image: onap/so/bpmn-infra:1.6.1 pullPolicy: Always db: diff --git a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml b/kubernetes/so/charts/so-catalog-db-adapter/values.yaml index b616abcc06..4d30ae76c2 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml +++ b/kubernetes/so/charts/so-catalog-db-adapter/values.yaml @@ -54,7 +54,7 @@ secrets: # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 -image: onap/so/catalog-db-adapter:1.6.0 +image: onap/so/catalog-db-adapter:1.6.1 pullPolicy: Always db: diff --git a/kubernetes/so/charts/so-monitoring/values.yaml b/kubernetes/so/charts/so-monitoring/values.yaml index 910b694245..e3f5c3cc81 100644 --- a/kubernetes/so/charts/so-monitoring/values.yaml +++ b/kubernetes/so/charts/so-monitoring/values.yaml @@ -57,7 +57,7 @@ secrets: # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 -image: onap/so/so-monitoring:1.6.0 +image: onap/so/so-monitoring:1.6.1 pullPolicy: Always db: diff --git a/kubernetes/so/charts/so-nssmf-adapter/Chart.yaml b/kubernetes/so/charts/so-nssmf-adapter/Chart.yaml new file mode 100755 index 0000000000..b3311d1c8c --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart for Kubernetes +name: so-nssmf-adapter +version: 6.0.0
\ No newline at end of file diff --git a/kubernetes/so/charts/so-nssmf-adapter/resources/config/overrides/override.yaml b/kubernetes/so/charts/so-nssmf-adapter/resources/config/overrides/override.yaml new file mode 100755 index 0000000000..10741b75e7 --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/resources/config/overrides/override.yaml @@ -0,0 +1,66 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +aai: + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} + endpoint: https://aai.{{ include "common.namespace" . }}:8443 +logging: + path: logs +spring: + datasource: + jdbc-url: jdbc:mariadb://${DB_HOST}:${DB_PORT}/requestdb + username: ${DB_USERNAME} + password: ${DB_PASSWORD} + driver-class-name: org.mariadb.jdbc.Driver + jpa: + show-sql: false + hibernate: + dialect: org.hibernate.dialect.MySQL5Dialect + ddl-auto: validate + naming-strategy: org.hibernate.cfg.ImprovedNamingStrategy + enable-lazy-load-no-trans: true + security: + usercredentials: + - username: ${BPEL_USERNAME} + password: ${BPEL_PASSWORD} + role: BPEL-Client + - username: ${ACTUATOR_USERNAME} + password: ${ACTUATOR_PASSWORD} + role: ACTUATOR +server: + port: {{ index .Values.containerPort }} + tomcat: + max-threads: 50 + +mso: + site-name: localSite + logPath: ./logs/nssmf + msb-ip: msb-iag.{{ include "common.namespace" . }} + msb-port: 80 + adapters: + requestDb: + endpoint: https://so-request-db-adapter.{{ include "common.namespace" . }}:8083 + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} +#Actuator +management: + endpoints: + web: + base-path: /manage + exposure: + include: "*" + metrics: + se-global-registry: false + export: + prometheus: + enabled: true # Whether exporting of metrics to Prometheus is enabled. + step: 1m # Step size (i.e. reporting frequency) to use. diff --git a/kubernetes/so/charts/so-nssmf-adapter/templates/configmap.yaml b/kubernetes/so/charts/so-nssmf-adapter/templates/configmap.yaml new file mode 100755 index 0000000000..85d00fddf3 --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/templates/configmap.yaml @@ -0,0 +1,26 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "env") | nindent 2 }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +data: +{{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }} diff --git a/kubernetes/so/charts/so-nssmf-adapter/templates/deployment.yaml b/kubernetes/so/charts/so-nssmf-adapter/templates/deployment.yaml new file mode 100755 index 0000000000..8d1eaf8ea4 --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/templates/deployment.yaml @@ -0,0 +1,131 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ index .Values.replicaCount }} + minReadySeconds: {{ index .Values.minReadySeconds }} + strategy: + type: {{ index .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ index .Values.updateStrategy.maxSurge }} + template: + metadata: + labels: {{- include "common.labels" . | nindent 8 }} + spec: + initContainers: {{ include "so.certificate.container_importer" . | nindent 8 }} + - name: {{ include "common.name" . }}-readiness + command: + - /root/job_complete.py + args: + - --job-name + - {{ include "common.release" . }}-so-mariadb-config-job + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + containers: + - name: {{ include "common.name" . }} + command: + - sh + args: + - -c + - export BPEL_PASSWORD=`htpasswd -bnBC 10 "" $BPEL_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'`; export ACTUATOR_PASSWORD=`htpasswd -bnBC 10 "" $ACTUATOR_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'`; ./start-app.sh + image: {{ include "common.repository" . }}/{{ .Values.image }} + resources: {{ include "common.resources" . | nindent 12 }} + ports: {{- include "common.containerPorts" . | nindent 12 }} + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + name: {{ include "common.release" . }}-so-db-secrets + key: mariadb.readwrite.host + - name: DB_PORT + valueFrom: + secretKeyRef: + name: {{ include "common.release" . }}-so-db-secrets + key: mariadb.readwrite.port + - name: DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 14 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 14 }} + - name: DB_ADMIN_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 14 }} + - name: DB_ADMIN_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 14 }} + - name: TRUSTSTORE + value: {{ .Values.global.client.certs.truststore }} + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: trustStorePassword + - name: BPEL_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-bpel-creds" "key" "login") | indent 14 }} + - name: BPEL_PASSWORD_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-bpel-creds" "key" "password") | indent 14 }} + - name: ACTUATOR_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "login") | indent 14 }} + - name: ACTUATOR_PASSWORD_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "password") | indent 14 }} + {{- if eq .Values.global.security.aaf.enabled true }} + - name: KEYSTORE + value: {{ .Values.global.client.certs.keystore }} + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: keyStorePassword + {{- end }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-env + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 12 }} + - name: logs + mountPath: /app/logs + - name: config + mountPath: /app/config + readOnly: true + - name: {{ include "common.fullname" . }}-truststore + mountPath: /app/client + readOnly: true + livenessProbe: + httpGet: + path: {{ index .Values.livenessProbe.path}} + port: {{ index .Values.containerPort }} + scheme: {{ index .Values.livenessProbe.scheme}} + initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} + periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} + timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}} + successThreshold: {{ index .Values.livenessProbe.successThreshold}} + failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} + volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + - name: logs + emptyDir: {} + - name: config + configMap: + name: {{ include "common.fullname" . }} + - name: {{ include "common.fullname" . }}-truststore + secret: + secretName: {{ include "common.release" . }}-so-truststore-secret + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/so/charts/so-nssmf-adapter/templates/secret.yaml b/kubernetes/so/charts/so-nssmf-adapter/templates/secret.yaml new file mode 100644 index 0000000000..a39363ffdd --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/so/charts/so-nssmf-adapter/templates/service.yaml b/kubernetes/so/charts/so-nssmf-adapter/templates/service.yaml new file mode 100755 index 0000000000..cf08482ad2 --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/templates/service.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.service" . }} diff --git a/kubernetes/so/charts/so-nssmf-adapter/values.yaml b/kubernetes/so/charts/so-nssmf-adapter/values.yaml new file mode 100755 index 0000000000..6a5f5fbd30 --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/values.yaml @@ -0,0 +1,136 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + repository: nexus3.onap.org:10001 + readinessRepository: oomk8s + readinessImage: readiness-check:2.0.2 + persistence: + mountPath: /dockerdata-nfs + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-user-creds + name: '{{ include "common.release" . }}-so-bpmn-infra-db-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' + login: '{{ .Values.db.userName }}' + password: '{{ .Values.db.userPassword }}' + passwordPolicy: required + - uid: db-admin-creds + name: '{{ include "common.release" . }}-so-bpmn-infra-db-admin-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' + login: '{{ .Values.db.adminName }}' + password: '{{ .Values.db.adminPassword }}' + passwordPolicy: required + - uid: "so-onap-certs" + externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' + type: generic + filePaths: '{{ .Values.secretsFilePaths }}' + - uid: server-bpel-creds + name: '{{ include "common.release" . }}-so-server-bpel-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.server.bpelCredsExternalSecret) . }}' + login: '{{ .Values.server.bpel.username }}' + password: '{{ .Values.server.bpel.password }}' + passwordPolicy: required + - uid: server-actuator-creds + name: '{{ include "common.release" . }}-so-server-actuator-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.server.actuatorCredsExternalSecret) . }}' + login: '{{ .Values.server.actuator.username }}' + password: '{{ .Values.server.actuator.password }}' + passwordPolicy: required + + +#secretsFilePaths: | +# - 'my file 1' +# - '{{ include "templateThatGeneratesFileName" . }}' + +################################################################# +# Application configuration defaults. +################################################################# +repository: nexus3.onap.org:10001 +image: onap/so/nssmf-adapter:1.6.1 +pullPolicy: Always + +db: + userName: so_user + userPassword: so_User123 + # userCredsExternalSecret: some secret + adminName: so_admin + adminPassword: so_Admin123 + # adminCredsExternalSecret: some secret +server: + actuator: + username: mso_admin + password: password1$ + bpel: + username: bpel + password: password1$ + +replicaCount: 1 +minReadySeconds: 10 +containerPort: 8088 +logPath: ./logs/nssmf/ +app: nssmf-adapter +service: + type: ClusterIP + ports: + - name: api + port: 8088 +updateStrategy: + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + memory: 4Gi + cpu: 2000m + requests: + memory: 1Gi + cpu: 500m + large: + limits: + memory: 8Gi + cpu: 4000m + requests: + memory: 2Gi + cpu: 1000m + unlimited: {} +livenessProbe: + path: /manage/health + port: 8088 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 +ingress: + enabled: false +nodeSelector: {} +tolerations: [] +affinity: {} diff --git a/kubernetes/so/charts/so-openstack-adapter/values.yaml b/kubernetes/so/charts/so-openstack-adapter/values.yaml index ea8dd0d45d..f2cd74d1c9 100755 --- a/kubernetes/so/charts/so-openstack-adapter/values.yaml +++ b/kubernetes/so/charts/so-openstack-adapter/values.yaml @@ -51,7 +51,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/openstack-adapter:1.6.0 +image: onap/so/openstack-adapter:1.6.1 pullPolicy: Always repository: nexus3.onap.org:10001 diff --git a/kubernetes/so/charts/so-request-db-adapter/values.yaml b/kubernetes/so/charts/so-request-db-adapter/values.yaml index 2f890421e6..9018c099bd 100755 --- a/kubernetes/so/charts/so-request-db-adapter/values.yaml +++ b/kubernetes/so/charts/so-request-db-adapter/values.yaml @@ -52,7 +52,7 @@ secrets: # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 -image: onap/so/request-db-adapter:1.6.0 +image: onap/so/request-db-adapter:1.6.1 pullPolicy: Always db: diff --git a/kubernetes/so/charts/so-sdc-controller/values.yaml b/kubernetes/so/charts/so-sdc-controller/values.yaml index a38e256615..31fdb63b45 100755 --- a/kubernetes/so/charts/so-sdc-controller/values.yaml +++ b/kubernetes/so/charts/so-sdc-controller/values.yaml @@ -52,7 +52,7 @@ secrets: # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 -image: onap/so/sdc-controller:1.6.0 +image: onap/so/sdc-controller:1.6.1 pullPolicy: Always db: diff --git a/kubernetes/so/charts/so-sdnc-adapter/values.yaml b/kubernetes/so/charts/so-sdnc-adapter/values.yaml index 42c5d4ddb3..ce42af00b7 100755 --- a/kubernetes/so/charts/so-sdnc-adapter/values.yaml +++ b/kubernetes/so/charts/so-sdnc-adapter/values.yaml @@ -55,7 +55,7 @@ secrets: # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 -image: onap/so/sdnc-adapter:1.6.0 +image: onap/so/sdnc-adapter:1.6.1 pullPolicy: Always db: diff --git a/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks b/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks Binary files differindex 96931ce168..9ebe9a8041 100644 --- a/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks +++ b/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks diff --git a/kubernetes/so/charts/so-ve-vnfm-adapter/values.yaml b/kubernetes/so/charts/so-ve-vnfm-adapter/values.yaml index 1d9854c191..434a3e166f 100755 --- a/kubernetes/so/charts/so-ve-vnfm-adapter/values.yaml +++ b/kubernetes/so/charts/so-ve-vnfm-adapter/values.yaml @@ -37,7 +37,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/ve-vnfm-adapter:1.6.0 +image: onap/so/ve-vnfm-adapter:1.6.1 pullPolicy: Always replicaCount: 1 service: diff --git a/kubernetes/so/charts/so-vfc-adapter/values.yaml b/kubernetes/so/charts/so-vfc-adapter/values.yaml index aa4923a9bd..28ca7016ef 100755 --- a/kubernetes/so/charts/so-vfc-adapter/values.yaml +++ b/kubernetes/so/charts/so-vfc-adapter/values.yaml @@ -52,7 +52,7 @@ secrets: # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 -image: onap/so/vfc-adapter:1.6.0 +image: onap/so/vfc-adapter:1.6.1 pullPolicy: Always db: diff --git a/kubernetes/so/charts/so-vnfm-adapter/values.yaml b/kubernetes/so/charts/so-vnfm-adapter/values.yaml index 72efcb4b78..f911e499cd 100755 --- a/kubernetes/so/charts/so-vnfm-adapter/values.yaml +++ b/kubernetes/so/charts/so-vnfm-adapter/values.yaml @@ -40,7 +40,7 @@ secrets: # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 -image: onap/so/vnfm-adapter:1.6.0 +image: onap/so/vnfm-adapter:1.6.1 pullPolicy: Always replicaCount: 1 diff --git a/kubernetes/so/resources/config/log/logback.nssmf.xml b/kubernetes/so/resources/config/log/logback.nssmf.xml new file mode 100755 index 0000000000..b3117ee7a0 --- /dev/null +++ b/kubernetes/so/resources/config/log/logback.nssmf.xml @@ -0,0 +1,132 @@ +<configuration scan="false" debug="true"> + <!--<jmxConfigurator /> --> + <!-- directory path for all other type logs --> + <property name="logDir" value="/var/log/onap" /> + <!-- directory path for debugging type logs --> + <property name="debugDir" value="/var/log/onap" /> + <!-- specify the component name + <ECOMP-component-name>::= "MSO" | "DCAE" | "ASDC " | "AAI" |"Policy" | "SDNC" | "AC" --> + <property name="componentName" value="MSO"></property> + <property name="subComponentName" value="nssmfadapter"></property> + <!-- log file names --> + <property name="errorLogName" value="error" /> + <property name="metricsLogName" value="metrics" /> + <property name="auditLogName" value="audit" /> + <property name="debugLogName" value="debug" /> + + <property name="errorPattern" value="%d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX", UTC}|%X{RequestId}|%thread|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%.-5level|%X{ErrorCode}|%X{ErrorDesc}|%msg%n" /> + <property name="debugPattern" value="%d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX", UTC}|%X{RequestId}|%msg%n" /> + + <property name="auditPattern" value="%X{BeginTimestamp}|%X{EndTimestamp}|%X{RequestId}|%X{ServiceInstanceId}|%thread||%X{ServiceName}|%X{PartnerName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDesc}|%X{InstanceUUID}|%.-5level|%X{AlertSeverity}|%X{ServerIPAddress}|%X{Timer}|%X{ServerFQDN}|%X{RemoteHost}||||||||%msg%n" /> + <property name="metricPattern" value="%X{BeginTimestamp}|%X{EndTimestamp}|%X{RequestId}|%X{ServiceInstanceId}|%thread||%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDesc}|%X{InstanceUUID}|%.-5level|%X{AlertSeverity}|%X{ServerIPAddress}|%X{Timer}|%X{ServerFQDN}|%X{RemoteHost}||||%X{TargetVirtualEntity}|||||%msg%n" /> + <property name="logDirectory" value="${logDir}/${componentName}/${subComponentName}" /> + <property name="debugLogDirectory" value="${debugDir}/${componentName}/${subComponentName}" /> + + <!-- ============================================================================ --> + <!-- EELF Appenders --> + <!-- ============================================================================ --> + + <!-- The EELFAppender is used to record events to the general application + log --> + <!-- EELF Audit Appender. This appender is used to record audit engine + related logging events. The audit logger and appender are specializations + of the EELF application root logger and appender. This can be used to segregate + Policy engine events from other components, or it can be eliminated to record + these events as part of the application root log. --> + <appender name="EELFAudit" + class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${auditLogName}${jboss.server.name}.log</file> + <rollingPolicy + class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${auditLogName}${jboss.server.name}.log.%d</fileNamePattern> + <!--<maxHistory>30</maxHistory>--> + </rollingPolicy> + <encoder> + <pattern>${auditPattern}</pattern> + </encoder> + </appender> + <appender name="asyncEELFAudit" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFAudit" /> + </appender> + + <appender name="EELFMetrics" + class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${metricsLogName}${jboss.server.name}.log</file> + <rollingPolicy + class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${metricsLogName}${jboss.server.name}.log.%d</fileNamePattern> + <!--<maxHistory>30</maxHistory>--> + </rollingPolicy> + <encoder> + <!-- <pattern>"%d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - + %msg%n"</pattern> --> + <pattern>${metricPattern}</pattern> + </encoder> + </appender> + + <appender name="asyncEELFMetrics" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFMetrics"/> + </appender> + + <appender name="EELFError" + class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${errorLogName}${jboss.server.name}.log</file> + <rollingPolicy + class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${errorLogName}${jboss.server.name}.log.%d</fileNamePattern> + <!--<maxHistory>30</maxHistory>--> + </rollingPolicy> + <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> + <level>INFO</level> + </filter> + <encoder> + <pattern>${errorPattern}</pattern> + </encoder> + </appender> + + <appender name="asyncEELFError" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFError"/> + </appender> + + <appender name="EELFDebug" + class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${debugLogDirectory}/${debugLogName}${jboss.server.name}.log</file> + <rollingPolicy + class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${debugLogDirectory}/${debugLogName}${jboss.server.name}.log.%d</fileNamePattern> + <!--<maxHistory>30</maxHistory>--> + </rollingPolicy> + <encoder> + <pattern>${debugPattern}</pattern> + </encoder> + </appender> + + <appender name="asyncEELFDebug" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFDebug" /> + <includeCallerData>true</includeCallerData> + </appender> + + <!-- ============================================================================ --> + <!-- EELF loggers --> + <!-- ============================================================================ --> + + <logger name="com.att.eelf.audit" level="info" additivity="false"> + <appender-ref ref="asyncEELFAudit" /> + </logger> + + <logger name="com.att.eelf.metrics" level="info" additivity="false"> + <appender-ref ref="asyncEELFMetrics" /> + </logger> + + <logger name="com.att.eelf.error" level="debug" additivity="false"> + <appender-ref ref="asyncEELFError" /> + </logger> + <root level="INFO"> + <appender-ref ref="asyncEELFDebug" /> + </root> + +</configuration> diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index e9c5637eef..a8910b2a1d 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -137,7 +137,7 @@ dbCreds: adminName: so_admin repository: nexus3.onap.org:10001 -image: onap/so/api-handler-infra:1.6.0 +image: onap/so/api-handler-infra:1.6.1 pullPolicy: Always replicaCount: 1 minReadySeconds: 10 @@ -211,7 +211,7 @@ mariadb-galera: ingress: enabled: false service: - - baseaddr: "so" + - baseaddr: "so.api" name: "so" port: 8080 config: @@ -407,6 +407,28 @@ so-vfc-adapter: requestDb: auth: Basic YnBlbDpwYXNzd29yZDEk +so-nssmf-adapter: + certSecret: *so-certs + db: + <<: *dbSecrets + aaf: + auth: + username: so@so.onap.org + password: 8DB1C939BFC6A35C3832D0E52E452D0E05AE2537AF142CECD125FF827C05A972FDD0F4700547DA + aai: + auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + mso: + key: 07a7159d3bf51a0e53be7a8f89699be7 + config: + cadi: + aafId: so@so.onap.org + aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 + apiEnforcement: org.onap.so.nssmfAdapterPerm + noAuthn: /manage/health + adapters: + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk + so-vnfm-adapter: certSecret: *so-certs aaf: diff --git a/kubernetes/uui/charts/uui-server/values.yaml b/kubernetes/uui/charts/uui-server/values.yaml index 567baabbdf..03265d4014 100644 --- a/kubernetes/uui/charts/uui-server/values.yaml +++ b/kubernetes/uui/charts/uui-server/values.yaml @@ -69,7 +69,7 @@ ingress: name: "uui-server" port: 8082 config: - ssl: "none" + ssl: "redirect" # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little diff --git a/kubernetes/uui/values.yaml b/kubernetes/uui/values.yaml index ca45b68727..2c15c9683c 100644 --- a/kubernetes/uui/values.yaml +++ b/kubernetes/uui/values.yaml @@ -65,11 +65,11 @@ service: ingress: enabled: false service: - - baseaddr: uui + - baseaddr: "uui.api" name: "uui" port: 8443 config: - ssl: "none" + ssl: "redirect" # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little diff --git a/kubernetes/vid/values.yaml b/kubernetes/vid/values.yaml index ebac50bc51..63c6307f06 100644 --- a/kubernetes/vid/values.yaml +++ b/kubernetes/vid/values.yaml @@ -116,11 +116,11 @@ service: ingress: enabled: false service: - - baseaddr: "vid" + - baseaddr: "vid.api" name: "vid-http" - port: 8080 + port: 8443 config: - ssl: "none" + ssl: "redirect" # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/vnfsdk/resources/config/configuration.xml b/kubernetes/vnfsdk/resources/config/configuration.xml new file mode 100644 index 0000000000..6bd4e1c8eb --- /dev/null +++ b/kubernetes/vnfsdk/resources/config/configuration.xml @@ -0,0 +1,35 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Copyright 2017 Huawei Technologies Co., Ltd. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<!DOCTYPE configuration +PUBLIC "//mybatis.org//DTD Config 3.0//EN" +"http://mybatis.org/dtd/mybatis-3-config.dtd"> +<configuration> + <environments default="development"> + <environment id="development"> + <transactionManager type="JDBC" /> + <dataSource type="UNPOOLED"> + <property name="driver" value="org.postgresql.Driver" /> + <property name="url" value="jdbc:postgresql://{{ .Values.postgres.service.name }}:{{ .Values.postgres.service.externalPort }}/marketplaceDB" /> + <property name="username" value="${PG_USER}" /> + <property name="password" value="${PG_PASSWORD}" /> + </dataSource> + </environment> + </environments> + <mappers> + <mapper resource="mybatis/sql/MarketplaceMapper.xml" /> + </mappers> +</configuration> diff --git a/kubernetes/vnfsdk/templates/configmap.yaml b/kubernetes/vnfsdk/templates/configmap.yaml index 44d5f41f15..0c39e6e685 100644 --- a/kubernetes/vnfsdk/templates/configmap.yaml +++ b/kubernetes/vnfsdk/templates/configmap.yaml @@ -23,4 +23,4 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/marketplace_tables_postgres.sql").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/vnfsdk/templates/deployment.yaml b/kubernetes/vnfsdk/templates/deployment.yaml index bd187db286..3f4d6c43eb 100644 --- a/kubernetes/vnfsdk/templates/deployment.yaml +++ b/kubernetes/vnfsdk/templates/deployment.yaml @@ -35,6 +35,25 @@ spec: spec: initContainers: - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: PG_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: PG_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: init-data-input + - mountPath: /config + name: init-data + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + + - command: - /root/ready.py args: - --container-name @@ -54,9 +73,10 @@ spec: name: {{ include "common.name" . }} resources: {{ include "common.resources" . | indent 12 }} - env: - - name: POSTGRES_SERVICE_HOST - value: "$(VNFSDK_DBSET_SERVICE_HOST)" + volumes: + - mountPath: /service/webapps/ROOT/WEB-INF/classes/mybatis/configuration/configuration.xml + name: init-data + subPath: configuration.xml readinessProbe: tcpSocket: port: {{ .Values.service.internalPort }} @@ -64,3 +84,10 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" + volumes: + - name: init-data-input + configMap: + name: {{ include "common.fullname" . }} + - name: init-data + emptyDir: + medium: Memory diff --git a/kubernetes/vnfsdk/templates/job.yaml b/kubernetes/vnfsdk/templates/job.yaml index 2ec7b95772..1d0dd29f59 100644 --- a/kubernetes/vnfsdk/templates/job.yaml +++ b/kubernetes/vnfsdk/templates/job.yaml @@ -51,13 +51,15 @@ spec: image: "{{ .Values.postgresRepository }}/{{ .Values.postgresImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: + - name: PGUSER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} - name: PGPASSWORD - value: "{{ .Values.postgres.config.pgUserPassword }}" + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} command: - /bin/sh - -c - | - psql -U {{ .Values.postgres.config.pgUserName }} -h $(VNFSDK_DBPRI_SERVICE_HOST) -f /aaa/init/marketplace_tables_postgres.sql + psql -h $(VNFSDK_DBPRI_SERVICE_HOST) -f /aaa/init/marketplace_tables_postgres.sql volumeMounts: - name: init-data mountPath: /aaa/init/marketplace_tables_postgres.sql diff --git a/kubernetes/vnfsdk/templates/secrets.yaml b/kubernetes/vnfsdk/templates/secrets.yaml new file mode 100644 index 0000000000..b143034d8f --- /dev/null +++ b/kubernetes/vnfsdk/templates/secrets.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2020 Samsung Electronics +# # +# # Licensed under the Apache License, Version 2.0 (the "License"); +# # you may not use this file except in compliance with the License. +# # You may obtain a copy of the License at +# # +# # http://www.apache.org/licenses/LICENSE-2.0 +# # +# # Unless required by applicable law or agreed to in writing, software +# # distributed under the License is distributed on an "AS IS" BASIS, +# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# # See the License for the specific language governing permissions and +# # limitations under the License. +*/}} +{{ include "common.secretFast" . }} diff --git a/kubernetes/vnfsdk/values.yaml b/kubernetes/vnfsdk/values.yaml index 96cacfbf82..82bef2d4eb 100644 --- a/kubernetes/vnfsdk/values.yaml +++ b/kubernetes/vnfsdk/values.yaml @@ -22,6 +22,22 @@ global: readinessImage: readiness-check:2.0.0 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + envsubstImage: dibi/envsubst + +secrets: + - uid: pg-root-pass + name: &pgRootPassSecretName '{{ include "common.release" . }}-vnfsdk-pg-root-pass' + type: password + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "vnfsdk-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' + password: '{{ .Values.postgres.config.pgRootpassword }}' + policy: generate + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-vnfsdk-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "vnfsdk-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate ################################################################# # Application configuration defaults. @@ -50,9 +66,8 @@ postgres: config: pgUserName: postgres pgDatabase: postgres - pgPrimaryPassword: postgres - pgUserPassword: postgres - pgRootPassword: postgres + pgUserExternalSecret: *pgUserCredsSecretName + pgRootPasswordExternalSecret: *pgRootPassSecretName # flag to enable debugging - application support required debugEnabled: false @@ -105,6 +120,6 @@ ingress: service: - baseaddr: "refrepo" name: "refrepo" - port: 97 + port: 8703 config: - ssl: "none" + ssl: "redirect" |