diff options
54 files changed, 1696 insertions, 281 deletions
diff --git a/docs/oom_developer_guide.rst b/docs/oom_developer_guide.rst index c3fb603d04..3cced83f62 100644 --- a/docs/oom_developer_guide.rst +++ b/docs/oom_developer_guide.rst @@ -373,6 +373,9 @@ Templates are provided in order to create Kubernetes resources (Secrets, Ingress, Services, ...) or part of Kubernetes resources (names, labels, resources requests and limits, ...). +a full list and simple description is done in +`kubernetes/common/common/documentation.rst`. + Service template ---------------- diff --git a/kubernetes/aai b/kubernetes/aai -Subproject ac0ea8aa12226ac95683838e92d22928eb22163 +Subproject 4f4d14ab45a2225953961136220041189d56601 diff --git a/kubernetes/cds/charts/cds-blueprints-processor/values.yaml b/kubernetes/cds/charts/cds-blueprints-processor/values.yaml index 35661c29e9..9bcf03ad3e 100755 --- a/kubernetes/cds/charts/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/charts/cds-blueprints-processor/values.yaml @@ -76,11 +76,10 @@ readiness: service: http: - type: NodePort + type: ClusterIP portName: blueprints-processor-http internalPort: 8080 externalPort: 8080 - nodePort: 99 grpc: type: ClusterIP portName: blueprints-processor-grpc diff --git a/kubernetes/common/common/documentation.rst b/kubernetes/common/common/documentation.rst new file mode 100644 index 0000000000..e6cf948d79 --- /dev/null +++ b/kubernetes/common/common/documentation.rst @@ -0,0 +1,549 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International +.. License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2020 Orange. All rights reserved. + +.. _developer-guide-label: + + +Current given templating functions +================================== + + +In order to have a consistent deployments of ONAP components, several templating +functions are proposed in `kubernets/common/common/templates` folder. +This file list them and gives examples for the most used. +All these templating functions have a description in their own file, here we +only give an overview. + +* conditional functions + + +----------------------------------------------------+-----------------------+ + | Function | File | + +----------------------------------------------------+-----------------------+ + | `common.needPV` | `_storage.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.onServiceMesh` | `_serviceMesh.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.common.needTLS` | `_service.tpl` | + +----------------------------------------------------+-----------------------+ + +* template generation functions + + +----------------------------------------------------+-----------------------+ + | Function | File | + +----------------------------------------------------+-----------------------+ + | `common.masterPassword` | `_createPassword.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.createPassword` | `_createPassword.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.secret.genName` | `_secret.yaml` | + +----------------------------------------------------+-----------------------+ + | `common.secret.getSecretName` | `_secret.yaml` | + +----------------------------------------------------+-----------------------+ + | `common.secret.envFromSecret` | `_secret.yaml` | + +----------------------------------------------------+-----------------------+ + | `common.secret` | `_secret.yaml` | + +----------------------------------------------------+-----------------------+ + | `ingress.config.port` | `_ingress.tpl` | + +----------------------------------------------------+-----------------------+ + | `ingress.config.annotations.ssl` | `_ingress.tpl` | + +----------------------------------------------------+-----------------------+ + | `ingress.config.annotations` | `_ingress.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.ingress` | `_ingress.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.labels` | `_labels.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.matchLabels` | `_labels.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.resourceMetadata` | `_labels.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.templateMetadata` | `_labels.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.selectors` | `_labels.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.name` | `_name.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.fullname` | `_name.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.fullnameExplicit` | `_name.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.release` | `_name.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.chart` | `_name.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.namespace` | `_namespace.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.repository` | `_repository.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.repository.secret` | `_repository.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.flavor` | `_resources.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.resources` | `_resources.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.storageClass` | `_storage.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.replicaPV` | `_storage.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.servicename` | `_service.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.serviceMetadata` | `_service.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.servicePorts` | `_service.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.genericService` | `_service.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.service` | `_service.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.headlessService` | `_service.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.mariadb.secret.rootPassUID` | `_mariadb.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.mariadb.secret.rootPassSecretName` | `_mariadb.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.mariadb.secret.userCredentialsUID` | `_mariadb.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.mariadb.secret.userCredentialsSecretName` | `_mariadb.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.mariadbService` | `_mariadb.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.mariadbPort` | `_mariadb.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.mariadbSecret` | `_mariadb.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.mariadbSecretParam` | `_mariadb.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.postgres.secret.rootPassUID` | `_postgres.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.postgres.secret.rootPassSecretName` | `_postgres.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.postgres.secret.userCredentialsUID` | `_postgres.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.postgres.secret.userCredentialsSecretName` | `_postgres.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.postgres.secret.primaryPasswordUID` | `_postgres.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.postgres.secret.primaryPasswordSecretName` | `_postgres.tpl` | + +----------------------------------------------------+-----------------------+ + | `common.tplValue` | `_tplValue.tpl` | + +----------------------------------------------------+-----------------------+ + + +Passwords +--------- + +These functions are defined in +`kubernetes/common/common/templates/_createPassword.tpl`. + +* `common.masterPassword`: Resolve the master password to be used to derive + other passwords. +* `common.createPassword`: Generate a new password based on masterPassword. + +Secrets +------- + +These functions are defined in +`kubernetes/common/common/templates/_secret.yaml`. + +* `common.secret.genName`: Generate a secret name based on provided name or UID. +* `common.secret.getSecretName`: Get the real secret name by UID or name, based + on the configuration provided by user. +* `common.secret.envFromSecret`: Convenience template which can be used to + easily set the value of environment variable to the value of a key in a + secret. +* `common.secret`: Define secrets to be used by chart. + +The most widely use templates is the last (`common.secret`). +It should be the only (except license part) line of your secret file: + +.. code-block:: yaml + + {{ include "common.secret" . }} + +In order to have the right values set, you need to create the right +configuration in `values.yaml` (example taken from mariadb configuration): + +.. code-block:: yaml + + secrets: + - uid: 'db-root-password' + type: password + externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' + password: '{{ .Values.config.dbRootPassword }}' + - uid: 'db-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.dbSdnctlPassword }}' + +Ingress +------- + +These functions are defined in +`kubernetes/common/common/templates/_ingress.tpl`. + +* `ingress.config.port`: generate the port path on an Ingress resource. +* `ingress.config.annotations.ssl`: generate the ssl annotations of an Ingress + resource. +* `ingress.config.annotations`: generate the annotations of an Ingress resource. +* `common.ingress`: generate an Ingress resource (if needed). + +The most widely use templates is the last (`common.ingress`) . + +It should be the only (except license part) line of your ingress file: + +.. code-block:: yaml + + {{ include "common.ingress" . }} + +In order to have the right values set, you need to create the right +configuration in `values.yaml` (example taken from clamp configuration): + +.. code-block:: yaml + + ingress: + enabled: false + service: + - baseaddr: "clamp" + name: "clamp" + port: 443 + config: + ssl: "redirect" + +Labels +------ + +These functions are defined in `kubernetes/common/common/templates/_labels.tpl`. + +The goal of these functions is to always create the right labels for all the +resource in a consistent way. + +* `common.labels`: generate the common labels for a resource +* `common.matchLabels`: generate the labels to match (to be used in conjunction + with `common.labels` or `common.resourceMetadata`) +* `common.resourceMetadata`: generate the "top" metadatas for a resource + (Deployment, StatefulSet, Service, ConfigMap, ...) +* `common.templateMetadata`: generate the metadata put in the template part + (for example `spec.template.metadata` for a Deployment) +* `common.selectors`: generate the right selectors for Service / Deployment / + StatefulSet, ... (to be used in conjunction with `common.labels` or + `common.resourceMetadata`) + + +Here's an example of use of these functions in a Deployment template (example +taken on nbi): + +.. code-block:: yaml + + apiVersion: apps/v1 + kind: Deployment + metadata: {{- include "common.resourceMetadata" . | nindent 2 }} + spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + ... + +Name +---- + +These functions are defined in `kubernetes/common/common/templates/_name.tpl`. + +The goal of these functions is to always name the resource the same way. + +* `common.name`: Generate the name for a chart. +* `common.fullname`: Create a default fully qualified application name. +* `common.fullnameExplicit`: The same as common.full name but based on passed + dictionary instead of trying to figure out chart name on its own. +* `common.release`: Retrieve the "original" release from the component release. +* `common.chart`: Generate the chart name + +Here's an example of use of these functions in a Deployment template (example +taken on mariadb-galera): + +.. code-block:: yaml + + apiVersion: apps/v1beta1 + kind: StatefulSet + ... + spec: + serviceName: {{ .Values.service.name }} + replicas: {{ .Values.replicaCount }} + template: + ... + spec: + {{- if .Values.nodeSelector }} + nodeSelector: + {{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + volumes: + {{- if .Values.externalConfig }} + - name: config + configMap: + name: {{ include "common.fullname" . }}-external-config + {{- end}} + ... + containers: + - name: {{ include "common.name" . }} + image: "{{ include "common.repository" . }}/{{ .Values.image }}" + ... + +Namespace +--------- + +These functions are defined in +`kubernetes/common/common/templates/_namespace.tpl`. + +The goal of these functions is to always retrieve the namespace the same way. + +* `common.namespace`: Generate the namespace for a chart. Shouldn't be used + directly but use `common.resourceMetadata` (which uses it). + + +Repository +---------- + +These functions are defined in +`kubernetes/common/common/templates/_repository.tpl`. + +The goal of these functions is to generate image name the same way. + +* `common.repository`: Resolve the name of the common image repository. +* `common.repository.secret`: Resolve the image repository secret token. + + +Resources +--------- + +These functions are defined in +`kubernetes/common/common/templates/_resources.tpl`. + +The goal of these functions is to generate resources for pods the same way. + +* `common.flavor`: Resolve the name of the common resource limit/request flavor. + Shouldn't be used alone. +* `common.resources`: Resolve the resource limit/request flavor using the + desired flavor value. + + +Storage +------- + +These functions are defined in +`kubernetes/common/common/templates/_storage.tpl`. + +The goal of these functions is to generate storage part of Deployment / +Statefulset and storage resource (PV, PVC, ...) in a consistent way. + +* `common.storageClass`: Expand the name of the storage class. +* `common.needPV`: Calculate if we need a PV. If a storageClass is provided, + then we don't need. +* `common.replicaPV`: Generate N PV for a statefulset + + +Pod +--- + +These functions are defined in `kubernetes/common/common/templates/_pod.tpl`. + +* `common.containerPorts`: generate the port list for containers. See Service + part to know how to declare the port list. + +Here's an example of use of these functions in a Deployment template (example +taken on nbi): + +.. code-block:: yaml + + apiVersion: apps/v1 + kind: Deployment + ... + spec: + ... + template: + ... + spec: + containers: + - name: {{ include "common.name" . }} + ports: {{- include "common.containerPorts" . | nindent 8 } + + +Service +------- + +These functions are defined in +`kubernetes/common/common/templates/_service.tpl`. + +The goal of these functions is to generate services in a consistent way. + +* `common.servicename`: Expand the service name for a chart. +* `common.serviceMetadata`: Define the metadata of Service. Shouldn't be used + directly but used through `common.service` or `common.headlessService`. +* `common.servicePorts`: Define the ports of Service. Shouldn't be used directly + but used through `common.service` or `common.headlessService`. +* `common.genericService`: Template for creating any Service. Shouldn't be used + directly but used through `common.service` or `common.headlessService`. May be + used if you want to create a Service with some specificities (on the ports for + example). +* `common.needTLS`: Calculate if we need to use TLS ports on services +* `common.service`: Create service template. +* `common.headlessService`: Create headless service template + + +The most widely used templates are the two last (`common.service` and +`common.headlessService`). +It should use with only one (except license part) line of your service (or +service-headless) file: + +.. code-block:: yaml + + {{ include "common.service" . }} + +In order to have the right values set, you need to create the right +configuration in `values.yaml` (example taken from nbi configuration + other +part): + +.. code-block:: yaml + + service: + type: NodePort + name: nbi + annotations: + my: super-annotation + ports: + - name: api + port: 8443 + plain_port: 8080 + port_protocol: http + nodePort: 74 + - name: tcp-raw + port: 8459 + nodePort: 89 + + +would generate: + +.. code-block:: yaml + + apiVersion: v1 + kind: Service + metadata: + annotations: + my: super-annotation + name: nbi + namespace: default + labels: + app.kubernetes.io/name: nbi + helm.sh/chart: nbi-5.0.0 + app.kubernetes.io/instance: release + app.kubernetes.io/managed-by: Tiller + spec: + ports: + - port: 8443 + targetPort: api + name: https-api + nodePort: 30274 + - port: 8459 + targetPort: tcp-raw + name: tcp-raw + nodePort: 30289 + type: NodePort + selector: + app.kubernetes.io/name: nbi + app.kubernetes.io/instance: release + + +`plain_port` is used only if we mandate to use http (see ServiceMesh part). +Today a port can be http or https but not both. +headless configuration is equivalent (example taken from cassandra): + +.. code-block:: yaml + + service: + name: cassandra + headless: + suffix: "" + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + publishNotReadyAddresses: true + headlessPorts: + - name: tcp-intra + port: 7000 + - name: tls + port: 7001 + - name: tcp-jmx + port: 7199 + - name: tcp-cql + port: 9042 + - name: tcp-thrift + port: 9160 + - name: tcp-agent + port: 61621 + + +ServiceMesh +----------- + +These functions are defined in +`kubernetes/common/common/templates/_serviceMesh.tpl`. + +The goal of these functions is to handle onboarding of ONAP on service mesh. + +* `common.onServiceMesh`: Calculate if we if we are on service mesh + + + +MariaDB +------- + +These functions are defined in +`kubernetes/common/common/templates/_mariadb.tpl`. + +The goal of these functions is to simplify use of mariadb and its different +values. + +* `common.mariadb.secret.rootPassUID`: UID of mariadb root password +* `common.mariadb.secret.rootPassSecretName`: Name of mariadb root password + secret +* `common.mariadb.secret.userCredentialsUID`: UID of mariadb user credentials +* `common.mariadb.secret.userCredentialsSecretName`: Name of mariadb user + credentials secret +* `common.mariadbService`: Choose the name of the mariadb service to use +* `common.mariadbPort`: Choose the value of mariadb port to use +* `common.mariadbSecret`: Choose the value of secret to retrieve user value +* `common.mariadbSecretParam`: Choose the value of secret param to retrieve user + value + +PostgreSQL +---------- + +These functions are defined in +`kubernetes/common/common/templates/_postgres.tpl`. + +The goal of these functions is to simplify use of postgres and its different +values. + +* `common.postgres.secret.rootPassUID`: UID of postgres root password +* `common.postgres.secret.rootPassSecretName`: Name of postgres root password + secret +* `common.postgres.secret.userCredentialsUID`: UID of postgres user credentials +* `common.postgres.secret.userCredentialsSecretName`: Name of postgres user + credentials secret +* `common.postgres.secret.primaryPasswordUID`: UID of postgres primary password +* `common.postgres.secret.primaryPasswordSecretName`: Name of postgres primary + credentials secret + + +Utilities +--------- + +These functions are defined in +`kubernetes/common/common/templates/_tplValue.tpl`. + +The goal of these functions is provide utility function, usually used in other +templating functions. + +* `common.tplValue`: Renders a value that contains template. diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl index 9329572a92..d3fc25ad6e 100644 --- a/kubernetes/common/common/templates/_pod.tpl +++ b/kubernetes/common/common/templates/_pod.tpl @@ -19,10 +19,12 @@ Will use first ".Values.service.ports" list. Will append ports from ".Values.service.headlessPorts" only if port number is not already in port list. + Will add tls port AND plain port if both_tls_and_plain is set to true */}} {{- define "common.containerPorts" -}} {{- $ports := default (list) .Values.service.ports }} {{- $portsNumber := list }} +{{- $both_tls_and_plain:= default false .Values.service.both_tls_and_plain }} {{- range $index, $port := $ports }} {{- $portsNumber = append $portsNumber $port.port }} {{- end }} @@ -31,8 +33,17 @@ {{- $ports = append $ports $port }} {{- end }} {{- end }} +{{- $global := . }} {{- range $index, $port := $ports }} +{{- if (include "common.needTLS" $global) }} - containerPort: {{ $port.port }} +{{- else }} +- containerPort: {{ default $port.port $port.plain_port }} +{{- end }} name: {{ $port.name }} +{{- if (and $port.plain_port (and (include "common.needTLS" $global) $both_tls_and_plain)) }} +- containerPort: {{ $port.plain_port }} + name: {{ $port.name }}-plain +{{- end }} {{- end }} {{- end -}} diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index 55f73c1635..cd1595b0ca 100644 --- a/kubernetes/common/common/templates/_service.tpl +++ b/kubernetes/common/common/templates/_service.tpl @@ -35,6 +35,7 @@ - .dot : environment (.) - .suffix : a string which will be added at the end of the name (with a '-'). - .annotations: the annotations to add + - .msb_informations: msb information in order to create msb annotation Usage example: {{ include "common.serviceMetadata" ( dict "suffix" "myService" "dot" .) }} {{ include "common.serviceMetadata" ( dict "annotations" .Values.service.annotation "dot" .) }} @@ -43,8 +44,24 @@ {{- $dot := default . .dot -}} {{- $suffix := default "" .suffix -}} {{- $annotations := default "" .annotations -}} -{{- if $annotations -}} -annotations: {{- include "common.tplValue" (dict "value" $annotations "context" $dot) | nindent 2 }} + {{- $msb_informations := default "" .msb_informations -}} +{{- if or $annotations $msb_informations -}} +annotations: +{{- if $annotations }} +{{ include "common.tplValue" (dict "value" $annotations "context" $dot) | indent 2 }} +{{- end }} +{{- if $msb_informations }} + msb.onap.org/service-info: '[ + { + "serviceName": "{{ include "common.servicename" $dot }}", + "version": "{{ default "v1" $msb_informations.version }}", + "url": "{{ default "/" $msb_informations.url }}", + "protocol": "{{ default "REST" $msb_informations.protocol }}", + "port": "{{ $msb_informations.port }}", + "visualRange":"{{ default "1" $msb_informations.visualRange }}" + } + ]' +{{- end}} {{- end }} name: {{ include "common.servicename" $dot }}{{ if $suffix }}{{ print "-" $suffix }}{{ end }} namespace: {{ include "common.namespace" $dot }} @@ -55,65 +72,121 @@ labels: {{- include "common.labels" $dot | nindent 2 -}} The function takes three arguments (inside a dictionary): - .dot : environment (.) - .ports : an array of ports - - .portType: the type of the service - - .prefix: NodePort prefix to be used - + - .serviceType: the type of the service + - .add_plain_port: add tls port AND plain port */}} {{- define "common.servicePorts" -}} -{{- $portType := .portType -}} -{{- $dot := .dot -}} -{{- range $index, $port := .ports }} -{{- $portPrefix := default "nodePortPrefix" $port.prefix }} +{{- $serviceType := .serviceType }} +{{- $dot := .dot }} +{{- $add_plain_port := default false .add_plain_port }} +{{- range $index, $port := .ports }} +{{- if (include "common.needTLS" $dot) }} - port: {{ $port.port }} targetPort: {{ $port.name }} - {{- if (eq $portType "NodePort") }} - nodePort: {{ index $dot.Values "global" $portPrefix | default (index $dot.Values $portPrefix) }}{{ $port.nodePort }} - {{- end }} +{{- if $port.port_protocol }} + name: {{ printf "%ss-%s" $port.port_protocol $port.name }} +{{- else }} name: {{ $port.name }} -{{- end -}} +{{- end }} +{{- if (eq $serviceType "NodePort") }} + nodePort: {{ $dot.Values.global.nodePortPrefix | default $dot.Values.nodePortPrefix }}{{ $port.nodePort }} +{{- end }} +{{- else }} +- port: {{ default $port.port $port.plain_port }} + targetPort: {{ $port.name }} +{{- if $port.port_protocol }} + name: {{ printf "%s-%s" $port.port_protocol $port.name }} +{{- else }} + name: {{ $port.name }} +{{- end }} +{{- end }} +{{- if (and (and (include "common.needTLS" $dot) $add_plain_port) $port.plain_port) }} +{{- if (eq $serviceType "ClusterIP") }} +- port: {{ $port.plain_port }} + targetPort: {{ $port.name }}-plain +{{- if $port.port_protocol }} + name: {{ printf "%s-%s" $port.port_protocol $port.name }} +{{- else }} + name: {{ $port.name }}-plain +{{- end }} +{{- end }} +{{- end }} +{{- end }} {{- end -}} {{/* Create generic service template The function takes several arguments (inside a dictionary): - .dot : environment (.) - .ports : an array of ports - - .portType: the type of the service + - .serviceType: the type of the service - .suffix : a string which will be added at the end of the name (with a '-') - .annotations: the annotations to add + - .msb_informations: msb information in order to create msb annotation - .publishNotReadyAddresses: if we publish not ready address - .headless: if the service is headless + - .add_plain_port: add tls port AND plain port */}} {{- define "common.genericService" -}} {{- $dot := default . .dot -}} {{- $suffix := default "" .suffix -}} {{- $annotations := default "" .annotations -}} +{{- $msb_informations := default "" .msb_informations -}} {{- $publishNotReadyAddresses := default false .publishNotReadyAddresses -}} -{{- $portType := .portType -}} +{{- $serviceType := .serviceType -}} {{- $ports := .ports -}} {{- $headless := default false .headless -}} +{{- $add_plain_port := default false .add_plain_port }} apiVersion: v1 kind: Service -metadata: {{ include "common.serviceMetadata" (dict "suffix" $suffix "annotations" $annotations "dot" $dot ) | nindent 2 }} +metadata: {{ include "common.serviceMetadata" (dict "suffix" $suffix "annotations" $annotations "msb_informations" $msb_informations "dot" $dot) | nindent 2 }} spec: {{- if $headless }} clusterIP: None {{- end }} - ports: {{- include "common.servicePorts" (dict "portType" $portType "ports" $ports "dot" $dot) | nindent 4 }} + ports: {{- include "common.servicePorts" (dict "serviceType" $serviceType "ports" $ports "dot" $dot "add_plain_port" $add_plain_port) | nindent 4 }} {{- if $publishNotReadyAddresses }} publishNotReadyAddresses: true {{- end }} - type: {{ $portType }} + type: {{ $serviceType }} selector: {{- include "common.matchLabels" $dot | nindent 4 }} {{- end -}} -{{/* Create service template */}} +{{/* + Create service template + Will create one or two service templates according to this table: + + | serviceType | both_tls_and_plain | result | + |---------------|--------------------|--------------| + | ClusterIP | any | one Service | + | Not ClusterIP | not present | one Service | + | Not ClusterIP | false | one Service | + | Not ClusterIP | true | two Services | + + If two services are created, one is ClusterIP with both crypted and plain + ports and the other one is NodePort (or LoadBalancer) with crypted port only. +*/}} {{- define "common.service" -}} -{{- $suffix := default "" .Values.service.suffix -}} -{{- $annotations := default "" .Values.service.annotations -}} -{{- $publishNotReadyAddresses := default false .Values.service.publishNotReadyAddresses -}} -{{- $portType := .Values.service.type -}} -{{- $ports := .Values.service.ports -}} -{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "dot" . "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "portType" $portType) }} +{{- $suffix := default "" .Values.service.suffix -}} +{{- $annotations := default "" .Values.service.annotations -}} +{{- $publishNotReadyAddresses := default false .Values.service.publishNotReadyAddresses -}} +{{- $msb_informations := default "" .Values.service.msb -}} +{{- $serviceType := .Values.service.type -}} +{{- $ports := .Values.service.ports -}} +{{- $both_tls_and_plain:= default false .Values.service.both_tls_and_plain }} +{{- if (and (include "common.needTLS" .) $both_tls_and_plain) }} +{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "msb_informations" $msb_informations "dot" . "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "serviceType" "ClusterIP" "add_plain_port" true) }} +{{- if (ne $serviceType "ClusterIP") }} +--- +{{- if $suffix }} +{{- $suffix = printf "%s-external" $suffix }} +{{- else }} +{{- $suffix = "external" }} +{{- end }} +{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "dot" . "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "serviceType" $serviceType) }} +{{- end }} +{{- else }} +{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "dot" . "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "serviceType" $serviceType) }} +{{- end }} {{- end -}} {{/* Create headless service template */}} @@ -122,7 +195,7 @@ spec: {{- $annotations := default "" .Values.service.headless.annotations -}} {{- $publishNotReadyAddresses := default false .Values.service.headless.publishNotReadyAddresses -}} {{- $ports := .Values.service.headlessPorts -}} -{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "dot" . "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "portType" "ClusterIP" "headless" true ) }} +{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "dot" . "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "serviceType" "ClusterIP" "headless" true ) }} {{- end -}} {{/* @@ -135,3 +208,45 @@ spec: {{- print "headless" }} {{- end }} {{- end -}} + +{{/* + Calculate if we need to use TLS ports. + We use TLS by default unless we're on service mesh with TLS. + We can also override this behavior with override toggles: + - .Values.global.tlsEnabled : override default TLS behavior for all charts + - .Values.tlsOverride : override global and default TLS on a per chart basis + + this will give these combinations: + | tlsOverride | global.tlsEnabled | global.serviceMesh.enabled | global.serviceMesh.tls | result | + |-------------|-------------------|----------------------------|------------------------|--------| + | not present | not present | not present | any | true | + | not present | not present | false | any | true | + | not present | not present | true | false | true | + | not present | not present | true | true | false | + | not present | true | any | any | true | + | not present | false | any | any | false | + | true | any | any | any | true | + | false | any | any | any | false | + +*/}} +{{- define "common.needTLS" -}} +{{- if hasKey .Values "tlsOverride" }} +{{- if .Values.tlsOverride -}} +true +{{- end }} +{{- else }} +{{- if hasKey .Values.global "tlsEnabled" }} +{{- if .Values.global.tlsEnabled }} +true +{{- end }} +{{- else }} +{{- if not (include "common.onServiceMesh" .) -}} +true +{{- else }} +{{- if not (default false .Values.global.serviceMesh.tls) -}} +true +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl new file mode 100644 index 0000000000..6b6a26fc45 --- /dev/null +++ b/kubernetes/common/common/templates/_serviceMesh.tpl @@ -0,0 +1,27 @@ +{/* +# Copyright © 2020 Amdocs, Bell Canada, Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + + +{/* + Calculate if we are on service mesh. +*/}} +{{- define "common.onServiceMesh" -}} +{{- if .Values.global.serviceMesh -}} +{{- if (default false .Values.global.serviceMesh.enabled) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/dmaap/components/dmaap-bc/values.yaml b/kubernetes/dmaap/components/dmaap-bc/values.yaml index 513963067f..046f64d9a8 100644 --- a/kubernetes/dmaap/components/dmaap-bc/values.yaml +++ b/kubernetes/dmaap/components/dmaap-bc/values.yaml @@ -30,7 +30,7 @@ pullPolicy: Always # application images repository: nexus3.onap.org:10001 -image: onap/dmaap/dmaap-bc:1.1.5 +image: onap/dmaap/dmaap-bc:2.0.3 # application configuration diff --git a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml index 871a4228a2..078b15b3b5 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml @@ -22,7 +22,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/datarouter-node:2.1.4 +image: onap/dmaap/datarouter-node:2.1.5 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml index 6165568971..e2671e6cd8 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml @@ -34,7 +34,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/datarouter-prov:2.1.4 +image: onap/dmaap/datarouter-prov:2.1.5 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/dmaap/components/message-router/templates/service.yaml b/kubernetes/dmaap/components/message-router/templates/service.yaml index db3bc76c6a..16fae2a704 100644 --- a/kubernetes/dmaap/components/message-router/templates/service.yaml +++ b/kubernetes/dmaap/components/message-router/templates/service.yaml @@ -39,11 +39,9 @@ spec: type: {{ .Values.service.type }} ports: {{if eq .Values.service.type "NodePort" -}} - {{- if .Values.global.allow_http }} - port: {{ .Values.service.externalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} name: {{ .Values.service.portName }}-{{ .Values.service.externalPort }} - {{- end}} - port: {{ .Values.service.externalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName }}-{{ .Values.service.externalPort2 }} diff --git a/kubernetes/dmaap/values.yaml b/kubernetes/dmaap/values.yaml index 4c0d8d584e..ecc5689668 100644 --- a/kubernetes/dmaap/values.yaml +++ b/kubernetes/dmaap/values.yaml @@ -29,7 +29,7 @@ global: busyBoxRepository: docker.io #Global DMaaP app config - allow_http: true + allow_http: false #Logstash config logstashServiceName: log-ls diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index 2395495df3..86fd2635c7 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -63,6 +63,57 @@ global: virtualhost: enabled: true baseurl: "simpledemo.onap.org" + + # Global Service Mesh configuration + # POC Mode, don't use it in production + serviceMesh: + enabled: false + tls: true + + # Disabling AAF + # POC Mode, don't use it in production + aafEnabled: true + + # TLS + # Set to false if you want to disable TLS for NodePorts. Be aware that this + # will loosen your security. + # if set this element will force or not tls even if serviceMesh.tls is set. + # tlsEnabled: false + + +# Example of specific for the components where you want to disable TLS only for +# it: +# if set this element will force or not tls even if global.serviceMesh.tls and +# global.tlsEnabled is set otherwise. +# robot: +# tlsOverride: false + + # Global storage configuration + # Set to "-" for default, or with the name of the storage class + # Please note that if you use AAF, CDS, SDC, Netbox or Robot, you need a + # storageclass with RWX capabilities (or set specific configuration for these + # components). + # persistence: + # storageClass: "-" + +# Example of specific for the components which requires RWX: +# aaf: +# persistence: +# storageClassOverride: "My_RWX_Storage_Class" +# contrib: +# netbox: +# netbox-app: +# persistence: +# storageClassOverride: "My_RWX_Storage_Class" +# cds: +# cds-blueprints-processor: +# persistence: +# storageClassOverride: "My_RWX_Storage_Class" +# sdc: +# sdc-onboarding-be: +# persistence: +# storageClassOverride: "My_RWX_Storage_Class" + ################################################################# # Enable/disable and configure helm charts (ie. applications) # to customize the ONAP deployment. diff --git a/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties b/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties index 3bbb1a7f9b..063ba3d122 100755 --- a/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties +++ b/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties @@ -81,3 +81,14 @@ authenticate_user_server=http://{{.Values.global.portalHostName}}:8383/openid-co #cookie domain cookie_domain = onap.org + +{{- if .Values.global.aafEnabled }} +# External Access System Basic Auth Credentials & Rest endpoint(These credentials doesn't work as these are place holders for now) +ext_central_access_user_name = aaf_admin@people.osaaf.org +ext_central_access_password = thiswillbereplacedatruntime +ext_central_access_url = {{ .Values.aafURL }}/authz/ +ext_central_access_user_domain = @people.osaaf.org + +# External Central Auth system access +remote_centralized_system_access = true +{{- end }}
\ No newline at end of file diff --git a/kubernetes/portal/charts/portal-sdk/resources/server/server.xml b/kubernetes/portal/charts/portal-sdk/resources/server/server.xml new file mode 100644 index 0000000000..506a1ca4cd --- /dev/null +++ b/kubernetes/portal/charts/portal-sdk/resources/server/server.xml @@ -0,0 +1,155 @@ +<?xml version='1.0' encoding='utf-8'?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + Modifications to this file for use in ONAP are also subject to the Apache-2.0 license. +--> +<!-- Note: A "Server" is not itself a "Container", so you may not + define subcomponents such as "Valves" at this level. + Documentation at /docs/config/server.html + --> +<Server port="8005" shutdown="SHUTDOWN"> + <Listener className="org.apache.catalina.startup.VersionLoggerListener" logArgs="false"/> + <!-- Security listener. Documentation at /docs/config/listeners.html + <Listener className="org.apache.catalina.security.SecurityListener" /> + --> + <!--APR library loader. Documentation at /docs/apr.html --> + <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> + <!-- Prevent memory leaks due to use of particular java/javax APIs--> + <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> + <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> + <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" /> + + <!-- Global JNDI resources + Documentation at /docs/jndi-resources-howto.html + --> + <GlobalNamingResources> + <!-- Editable user database that can also be used by + UserDatabaseRealm to authenticate users + --> + <Resource name="UserDatabase" auth="Container" + type="org.apache.catalina.UserDatabase" + description="User database that can be updated and saved" + factory="org.apache.catalina.users.MemoryUserDatabaseFactory" + pathname="conf/tomcat-users.xml" /> + </GlobalNamingResources> + + <!-- A "Service" is a collection of one or more "Connectors" that share + a single "Container" Note: A "Service" is not itself a "Container", + so you may not define subcomponents such as "Valves" at this level. + Documentation at /docs/config/service.html + --> + <Service name="Catalina"> + + <!--The connectors can use a shared executor, you can define one or more named thread pools--> + <!-- + <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" + maxThreads="150" minSpareThreads="4"/> + --> + + + <!-- A "Connector" represents an endpoint by which requests are received + and responses are returned. Documentation at : + Java HTTP Connector: /docs/config/http.html (blocking & non-blocking) + Java AJP Connector: /docs/config/ajp.html + APR (HTTP/AJP) Connector: /docs/apr.html + Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 + --> + <Connector port="8080" protocol="HTTP/1.1" + connectionTimeout="20000" + {{ if .Values.global.aafEnabled }} + redirectPort="8443" + {{ end }} + /> + <!-- A "Connector" using the shared thread pool--> + <!-- + <Connector executor="tomcatThreadPool" + port="8080" protocol="HTTP/1.1" + connectionTimeout="20000" + redirectPort="8443" /> + --> + <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 + This connector uses the NIO implementation that requires the JSSE + style configuration. When using the APR/native implementation, the + OpenSSL style configuration is required as described in the APR/native + documentation --> + <!-- + <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" + maxThreads="150" SSLEnabled="true" scheme="https" secure="true" + clientAuth="false" sslProtocol="TLS" /> + --> + {{ if .Values.global.aafEnabled }} + <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" + maxThreads="150" SSLEnabled="true" scheme="https" secure="true" + keystoreFile="{{.Values.persistence.aafCredsPath}}/{{.Values.aafConfig.keystoreFile}}" + keystorePass="${javax.net.ssl.keyStorePassword}" + clientAuth="false" sslProtocol="TLS" /> + {{ end }} + <!-- Define an AJP 1.3 Connector on port 8009 --> + <Connector port="8009" protocol="AJP/1.3" + {{ if .Values.global.aafEnabled }} + redirectPort="8443" + {{ end }} + /> + + + <!-- An Engine represents the entry point (within Catalina) that processes + every request. The Engine implementation for Tomcat stand alone + analyzes the HTTP headers included with the request, and passes them + on to the appropriate Host (virtual host). + Documentation at /docs/config/engine.html --> + + <!-- You should set jvmRoute to support load-balancing via AJP ie : + <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> + --> + <Engine name="Catalina" defaultHost="localhost"> + + <!--For clustering, please take a look at documentation at: + /docs/cluster-howto.html (simple how to) + /docs/config/cluster.html (reference documentation) --> + <!-- + <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> + --> + + <!-- Use the LockOutRealm to prevent attempts to guess user passwords + via a brute-force attack --> + <Realm className="org.apache.catalina.realm.LockOutRealm"> + <!-- This Realm uses the UserDatabase configured in the global JNDI + resources under the key "UserDatabase". Any edits + that are performed against this UserDatabase are immediately + available for use by the Realm. --> + <Realm className="org.apache.catalina.realm.UserDatabaseRealm" + resourceName="UserDatabase"/> + </Realm> + + <Host name="localhost" appBase="webapps" + unpackWARs="true" autoDeploy="true"> + + <!-- SingleSignOn valve, share authentication between web applications + Documentation at: /docs/config/valve.html --> + <!-- + <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> + --> + <!-- Access log processes all example. + Documentation at: /docs/config/valve.html + Note: The pattern used is equivalent to using pattern="common" --> + <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" + prefix="localhost_access_log" suffix=".txt" + pattern="%h %l %u %t "%r" %s %b" /> + </Host> + </Engine> + </Service> +</Server>
\ No newline at end of file diff --git a/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml b/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml index 51346197db..154276ea26 100644 --- a/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml +++ b/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml @@ -25,3 +25,4 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPPORTALSDK/*").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/server/*").AsConfig . | indent 2 }}
\ No newline at end of file diff --git a/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml b/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml index ccdd013cbc..09080fca94 100644 --- a/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml +++ b/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml @@ -1,5 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2018,2020 AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -46,14 +46,75 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + {{- if .Values.global.aafEnabled }} + - name: {{ include "common.name" . }}-aaf-readiness + image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /root/ready.py + args: + - --container-name + - aaf-locate + - --container-name + - aaf-cm + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: {{ include "common.name" . }}-aaf-config + image: "{{ include "common.repository" . }}/{{ .Values.global.aafAgentImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["bash","-c"] + args: ["/opt/app/aaf_config/bin/agent.sh;/opt/app/aaf_config/bin/agent.sh local showpass \ + {{.Values.aafConfig.fqi}} {{ .Values.aafConfig.fqdn }} > {{ .Values.persistence.aafCredsPath }}/mycreds.prop"] + volumeMounts: + - mountPath: {{ .Values.persistence.aafCredsPath }} + name: {{ include "common.fullname" . }}-aaf-config-vol + env: + - name: APP_FQI + value: "{{ .Values.aafConfig.fqi }}" + - name: aaf_locate_url + value: "https://aaf-locate.{{ .Release.Namespace }}:8095" + - name: aaf_locator_container + value: "{{ .Values.global.aafLocatorContainer }}" + - name: aaf_locator_container_ns + value: "{{ .Release.Namespace }}" + - name: aaf_locator_fqdn + value: "{{ .Values.aafConfig.fqdn }}" + - name: aaf_locator_public_fqdn + value: "{{.Values.aafConfig.publicFqdn}}" + - name: aaf_locator_app_ns + value: "{{ .Values.global.aafAppNs }}" + - name: DEPLOY_FQI + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aaf-deploy-creds" "key" "login") | indent 12 }} + - name: DEPLOY_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aaf-deploy-creds" "key" "password") | indent 12 }} + - name: cadi_longitude + value: "{{ .Values.aafConfig.cadiLongitude }}" + - name: cadi_latitude + value: "{{ .Values.aafConfig.cadiLatitude }}" + {{ end }} containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /start-apache-tomcat.sh - - -b - - "{{ .Values.global.env.tomcatDir }}" + command: ["bash","-c"] + {{- if .Values.global.aafEnabled }} + args: ["export $(grep '^c' {{ .Values.persistence.aafCredsPath }}/mycreds.prop | xargs -0);\ + export _JAVA_OPTIONS=\"-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ + -Djavax.net.ssl.keyStorePassword=$cadi_keystore_password_p12\";\ + cat /dev/null > {{ .Values.persistence.aafCredsPath }}/mycreds.prop;\ + /start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"] + env: + - name: _CATALINA_OPTS + value: > + -Djavax.net.ssl.keyStore="{{ .Values.persistence.aafCredsPath }}/{{ .Values.aafConfig.keystoreFile }}" + -Djavax.net.ssl.trustStore="{{ .Values.persistence.aafCredsPath }}/{{ .Values.aafConfig.truststoreFile }}" + {{- else }} + args: ["/start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"] + {{- end }} ports: - containerPort: {{ .Values.service.internalPort }} {{- if eq .Values.liveness.enabled true }} @@ -69,6 +130,13 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: + {{- if .Values.global.aafEnabled }} + - mountPath: {{ .Values.persistence.aafCredsPath }} + name: {{ include "common.fullname" . }}-aaf-config-vol + {{- end }} + - name: properties-onapportalsdk + mountPath: "{{ .Values.global.env.tomcatDir }}/conf/server.xml" + subPath: server.xml - mountPath: /etc/localtime name: localtime readOnly: true @@ -129,5 +197,10 @@ spec: emptyDir: {} - name: portal-tomcat-logs emptyDir: {} + {{- if .Values.global.aafEnabled }} + - name: {{ include "common.fullname" . }}-aaf-config-vol + emptyDir: + medium: Memory + {{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/portal/charts/portal-sdk/templates/secrets.yaml b/kubernetes/portal/charts/portal-sdk/templates/secrets.yaml new file mode 100644 index 0000000000..b79179bc6b --- /dev/null +++ b/kubernetes/portal/charts/portal-sdk/templates/secrets.yaml @@ -0,0 +1,15 @@ +# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secret" . }} diff --git a/kubernetes/portal/charts/portal-sdk/values.yaml b/kubernetes/portal/charts/portal-sdk/values.yaml index 8572ff83da..34c29b5be1 100644 --- a/kubernetes/portal/charts/portal-sdk/values.yaml +++ b/kubernetes/portal/charts/portal-sdk/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2018, 2020 AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,15 +22,48 @@ global: readinessImage: readiness-check:2.0.0 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 - + persistence: {} + #AAF global config overrides + aafEnabled: true + aafAgentImage: onap/aaf/aaf_agent:2.1.15 + aafAppNs: org.osaaf.aaf + aafLocatorContainer: oom ################################################################# # Application configuration defaults. ################################################################# +secrets: + - uid: aaf-deploy-creds + type: basicAuth + externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDiabled" .Values.global.aafEnabled }}' + login: '{{ .Values.aafConfig.aafDeployFqi }}' + password: '{{ .Values.aafConfig.aafDeployPass }}' + passwordPolicy: required + +## Persist cert data to a memory volume +persistence: + aafCredsPath: /opt/app/osaaf/local + # application image repository: nexus3.onap.org:10001 image: onap/portal-sdk:2.6.0 pullPolicy: Always +#AAF service +aafURL: https://aaf-service:8100/ +aafLocateUrl: https://aaf-locate:8095 + +#AAF local config +aafConfig: + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + fqdn: portal + fqi: portal@portal.onap.org + publicFqdn: portal.onap.org + cadiLatitude: 0.0 + cadiLongitude: 0.0 + keystoreFile: "org.onap.portal.p12" + truststoreFile: "org.onap.portal.trust.jks" + # flag to enable debugging - application support required debugEnabled: false @@ -57,8 +90,8 @@ service: type: NodePort name: portal-sdk portName: portal-sdk - internalPort: 8080 - externalPort: 8080 + internalPort: 8443 + externalPort: 8443 nodePort: 12 mariadb: @@ -85,7 +118,7 @@ ingress: service: - baseaddr: portalsdk name: "portal-sdk" - port: 8080 + port: 8443 config: ssl: "none" diff --git a/kubernetes/robot b/kubernetes/robot -Subproject 591bfdea4f1d833abee3c7e60f084da546d9082 +Subproject c854b484ebbd5e0c1be1e6a032a79beeb4cab6f diff --git a/kubernetes/sdnc/charts/ueb-listener/values.yaml b/kubernetes/sdnc/charts/ueb-listener/values.yaml index 9b7dcb054b..254d76a05e 100644 --- a/kubernetes/sdnc/charts/ueb-listener/values.yaml +++ b/kubernetes/sdnc/charts/ueb-listener/values.yaml @@ -52,7 +52,7 @@ secrets: passwordPolicy: required - uid: ueb-creds type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.odlCredsExternalSecret) . }}' + externalSecret: '{{ tpl (default "" .Values.config.uebCredsExternalSecret) . }}' login: '{{ .Values.config.uebUser }}' password: '{{ .Values.config.uebPassword }}' passwordPolicy: required diff --git a/kubernetes/sdnc/requirements.yaml b/kubernetes/sdnc/requirements.yaml index c3b757ae14..58db6ad7a0 100644 --- a/kubernetes/sdnc/requirements.yaml +++ b/kubernetes/sdnc/requirements.yaml @@ -29,5 +29,4 @@ dependencies: - name: mariadb-galera version: ~5.x-0 repository: '@local' - condition: config.localDBCluster - + condition: .global.mariadbGalera.localCluster diff --git a/kubernetes/sdnc/resources/config/bin/installSdncDb.sh b/kubernetes/sdnc/resources/config/bin/installSdncDb.sh index 455cb834f9..754ff2c5cc 100644..100755 --- a/kubernetes/sdnc/resources/config/bin/installSdncDb.sh +++ b/kubernetes/sdnc/resources/config/bin/installSdncDb.sh @@ -25,11 +25,11 @@ SDNC_HOME=${SDNC_HOME:-/opt/onap/sdnc} ETC_DIR=${ETC_DIR:-${SDNC_HOME}/data} BIN_DIR=${BIN_DIR-${SDNC_HOME}/bin} MYSQL_HOST=${MYSQL_HOST:-dbhost} -MYSQL_PASSWORD=${MYSQL_PASSWORD:-openECOMP1.0} +MYSQL_PASSWORD=${MYSQL_ROOT_PASSWORD} -SDNC_DB_USER=${SDNC_DB_USER:-sdnctl} -SDNC_DB_PASSWORD=${SDNC_DB_PASSWORD:-gamma} -SDNC_DB_DATABASE=${SDN_DB_DATABASE:-sdnctl} +SDNC_DB_USER=${SDNC_DB_USER} +SDNC_DB_PASSWORD=${SDNC_DB_PASSWORD} +SDNC_DB_DATABASE=${SDNC_DB_DATABASE} # Create tablespace and user account @@ -46,12 +46,12 @@ END # load schema if [ -f ${ETC_DIR}/sdnctl.dump ] then - mysql -h ${MYSQL_HOST} -u root -p${MYSQL_PASSWORD} sdnctl < ${ETC_DIR}/sdnctl.dump + mysql -h ${MYSQL_HOST} -u root -p${MYSQL_PASSWORD} ${SDNC_DB_DATABASE} < ${ETC_DIR}/sdnctl.dump fi for datafile in ${ETC_DIR}/*.data.dump do - mysql -h ${MYSQL_HOST} -u root -p${MYSQL_PASSWORD} sdnctl < $datafile + mysql -h ${MYSQL_HOST} -u root -p${MYSQL_PASSWORD} ${SDNC_DB_DATABASE} < $datafile done # Create VNIs 100-199 diff --git a/kubernetes/sdnc/resources/config/bin/startODL.sh b/kubernetes/sdnc/resources/config/bin/startODL.sh index 5f5f811fd0..af5c36207c 100755 --- a/kubernetes/sdnc/resources/config/bin/startODL.sh +++ b/kubernetes/sdnc/resources/config/bin/startODL.sh @@ -65,7 +65,7 @@ function enable_odl_cluster(){ addToFeatureBoot odl-jolokia #${ODL_HOME}/bin/client feature:install odl-mdsal-clustering #${ODL_HOME}/bin/client feature:install odl-jolokia - + echo "Update cluster information statically" hm=$(hostname) @@ -113,8 +113,8 @@ function enable_odl_cluster(){ # Install SDN-C platform components if not already installed and start container ODL_HOME=${ODL_HOME:-/opt/opendaylight/current} -ODL_ADMIN_USERNAME=${ODL_ADMIN_USERNAME:-admin} -ODL_ADMIN_PASSWORD=${ODL_ADMIN_PASSWORD:-Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U} +ODL_ADMIN_USERNAME=${ODL_ADMIN_USERNAME} +ODL_ADMIN_PASSWORD=${ODL_ADMIN_PASSWORD} SDNC_HOME=${SDNC_HOME:-/opt/onap/sdnc} SDNC_BIN=${SDNC_BIN:-/opt/onap/sdnc/bin} CCSDK_HOME=${CCSDK_HOME:-/opt/onap/ccsdk} @@ -166,4 +166,3 @@ nohup python ${SDNC_BIN}/installCerts.py & exec ${ODL_HOME}/bin/karaf server - diff --git a/kubernetes/sdnc/resources/config/conf/aaiclient.properties b/kubernetes/sdnc/resources/config/conf/aaiclient.properties index 035942b304..5d4473c978 100755 --- a/kubernetes/sdnc/resources/config/conf/aaiclient.properties +++ b/kubernetes/sdnc/resources/config/conf/aaiclient.properties @@ -2,8 +2,7 @@ # ============LICENSE_START======================================================= # openECOMP : SDN-C # ================================================================================ -# Copyright (C) 2018 ONAP Intellectual Property. All rights -# reserved. +# Copyright (C) 2018 ONAP Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -30,8 +29,8 @@ org.onap.ccsdk.sli.adaptors.aai.ssl.trust=/opt/onap/sdnc/data/stores/truststoreO org.onap.ccsdk.sli.adaptors.aai.ssl.trust.psswd=changeit org.onap.ccsdk.sli.adaptors.aai.host.certificate.ignore=true -org.onap.ccsdk.sli.adaptors.aai.client.name=sdnc@sdnc.onap.org -org.onap.ccsdk.sli.adaptors.aai.client.psswd=demo123456! +org.onap.ccsdk.sli.adaptors.aai.client.name=${AAI_CLIENT_NAME} +org.onap.ccsdk.sli.adaptors.aai.client.psswd=${AAI_CLIENT_PASSWORD} org.onap.ccsdk.sli.adaptors.aai.application=openECOMP # diff --git a/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties b/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties index 3a6b5a08f0..224e84b3a7 100644 --- a/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties +++ b/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties @@ -24,12 +24,12 @@ org.onap.ccsdk.features.blueprints.adaptors.envtype=solo org.onap.ccsdk.features.blueprints.adaptors.modelservice.type=generic org.onap.ccsdk.features.blueprints.adaptors.modelservice.enable=true org.onap.ccsdk.features.blueprints.adaptors.modelservice.url=http://controller-blueprints:8080/api/v1/ -org.onap.ccsdk.features.blueprints.adaptors.modelservice.user=ccsdkapps -org.onap.ccsdk.features.blueprints.adaptors.modelservice.passwd=ccsdkapps +org.onap.ccsdk.features.blueprints.adaptors.modelservice.user=${MODELSERVICE_USER} +org.onap.ccsdk.features.blueprints.adaptors.modelservice.passwd=${MODELSERVICE_PASSWORD} # Generic RESTCONF Adaptor org.onap.ccsdk.features.blueprints.adaptors.restconf.type=generic org.onap.ccsdk.features.blueprints.adaptors.restconf.enable=true -org.onap.ccsdk.features.blueprints.adaptors.restconf.user=admin -org.onap.ccsdk.features.blueprints.adaptors.restconf.passwd={{ .Values.config.odlPassword}} +org.onap.ccsdk.features.blueprints.adaptors.restconf.user=${RESTCONF_USER} +org.onap.ccsdk.features.blueprints.adaptors.restconf.passwd=${RESTCONF_PASSWORD} org.onap.ccsdk.features.blueprints.adaptors.restconf.url=http://sdnc:8282/restconf/ diff --git a/kubernetes/sdnc/resources/config/conf/dblib.properties b/kubernetes/sdnc/resources/config/conf/dblib.properties index 1849053411..1fb6fb8732 100644 --- a/kubernetes/sdnc/resources/config/conf/dblib.properties +++ b/kubernetes/sdnc/resources/config/conf/dblib.properties @@ -1,7 +1,6 @@ ### # ============LICENSE_START======================================================= -# Copyright (C) 2018 AT&T Intellectual Property. All rights -# reserved. +# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,11 +17,11 @@ ### org.onap.ccsdk.sli.dbtype=jdbc org.onap.ccsdk.sli.jdbc.hosts=sdnctldb01 -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGalera.serviceName}}.{{.Release.Namespace}}:{{.Values.config.mariadbGalera.internalPort}}/sdnctl +org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{include "common.mariadbService" $}}:{{include "common.mariadbPort" $}}/{{$.Values.config.dbSdnctlDatabase}} org.onap.ccsdk.sli.jdbc.driver=org.mariadb.jdbc.Driver -org.onap.ccsdk.sli.jdbc.database=sdnctl -org.onap.ccsdk.sli.jdbc.user=sdnctl -org.onap.ccsdk.sli.jdbc.password={{.Values.config.dbSdnctlPassword}} +org.onap.ccsdk.sli.jdbc.database={{$.Values.config.dbSdnctlDatabase}} +org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER} +org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWORD} org.onap.ccsdk.sli.jdbc.connection.name=sdnctldb01 org.onap.ccsdk.sli.jdbc.connection.timeout=50 org.onap.ccsdk.sli.jdbc.request.timeout=100 diff --git a/kubernetes/sdnc/resources/config/conf/lcm-dg.properties b/kubernetes/sdnc/resources/config/conf/lcm-dg.properties index f91c62c98b..44ee0b998f 100644 --- a/kubernetes/sdnc/resources/config/conf/lcm-dg.properties +++ b/kubernetes/sdnc/resources/config/conf/lcm-dg.properties @@ -1,7 +1,7 @@ #ANSIBLE ansible.agenturl=http://{{.Values.config.ansibleServiceName}}:{{.Values.config.ansiblePort}}/Dispatch -ansible.user=sdnc -ansible.password=sdnc +ansible.user=${ANSIBLE_USER} +ansible.password=${ANSIBLE_PASSWORD} ansible.lcm.localparameters= ansible.nodelist= ansible.timeout=60 @@ -23,10 +23,10 @@ restapi.templateDir=/opt/onap/sdnc/restapi/templates lcm.restconf.configscaleout.templatefile=lcm-restconf-configscaleout.json lcm.restconf.configscaleout.urlpath=/restconf/config/vlb-business-vnf-onap-plugin:vlb-business-vnf-onap-plugin/vdns-instances/vdns-instance/ lcm.restconf.configscaleout.geturlpath=/restconf/operational/health-vnf-onap-plugin:health-vnf-onap-plugin-state/health-check -lcm.restconf.configscaleout.user=admin -lcm.restconf.configscaleout.password=admin -lcm.restconf.user=admin -lcm.restconf.password=admin +lcm.restconf.configscaleout.user=${SCALEOUT_USER} +lcm.restconf.configscaleout.password=${SCALEOUT_PASSWORD} +lcm.restconf.user=${RESTCONF_USER} +lcm.restconf.password=${RESTCONF_PASSWORD} lcm.restconf.port=8183 #DMAAP diff --git a/kubernetes/sdnc/resources/config/conf/netbox.properties b/kubernetes/sdnc/resources/config/conf/netbox.properties index 9cd3880614..a768041945 100755 --- a/kubernetes/sdnc/resources/config/conf/netbox.properties +++ b/kubernetes/sdnc/resources/config/conf/netbox.properties @@ -16,4 +16,4 @@ # Configuration file for Netbox client org.onap.ccsdk.sli.adaptors.netbox.url=http://netbox-app.{{.Release.Namespace}}:8001 -org.onap.ccsdk.sli.adaptors.netbox.apikey=onceuponatimeiplayedwithnetbox20180814
\ No newline at end of file +org.onap.ccsdk.sli.adaptors.netbox.apikey=${NETBOX_API_KEY}
\ No newline at end of file diff --git a/kubernetes/sdnc/resources/config/conf/svclogic.properties b/kubernetes/sdnc/resources/config/conf/svclogic.properties index 55ef8e7e85..adbba660c5 100644 --- a/kubernetes/sdnc/resources/config/conf/svclogic.properties +++ b/kubernetes/sdnc/resources/config/conf/svclogic.properties @@ -2,8 +2,7 @@ # ============LICENSE_START======================================================= # openECOMP : SDN-C # ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. +# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,8 +19,7 @@ ### org.onap.ccsdk.sli.dbtype = jdbc -org.onap.ccsdk.sli.jdbc.url = jdbc:mysql://{{.Values.config.mariadbGalera.serviceName}}.{{.Release.Namespace}}:{{.Values.config.mariadbGalera.internalPort}}/sdnctl -org.onap.ccsdk.sli.jdbc.database = sdnctl -org.onap.ccsdk.sli.jdbc.user = sdnctl -org.onap.ccsdk.sli.jdbc.password = {{.Values.config.dbSdnctlPassword}} - +org.onap.ccsdk.sli.jdbc.url = jdbc:mysql://{{include "common.mariadbService" $}}:{{include "common.mariadbPort" $}}/{{$.Values.config.dbSdnctlDatabase}} +org.onap.ccsdk.sli.jdbc.database = {{$.Values.config.dbSdnctlDatabase}} +org.onap.ccsdk.sli.jdbc.user = ${SDNC_DB_USER} +org.onap.ccsdk.sli.jdbc.password = ${SDNC_DB_PASSWORD} diff --git a/kubernetes/sdnc/templates/job.yaml b/kubernetes/sdnc/templates/job.yaml index dc77006a60..0cd0eae610 100755 --- a/kubernetes/sdnc/templates/job.yaml +++ b/kubernetes/sdnc/templates/job.yaml @@ -36,12 +36,53 @@ spec: name: {{ include "common.name" . }} spec: initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: AAI_CLIENT_NAME + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aai-user-creds" "key" "login") | indent 10 }} + - name: AAI_CLIENT_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aai-user-creds" "key" "password") | indent 10 }} + - name: MODELSERVICE_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "modeling-user-creds" "key" "login") | indent 10 }} + - name: MODELSERVICE_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "modeling-user-creds" "key" "password") | indent 10 }} + - name: RESTCONF_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "restconf-creds" "key" "login") | indent 10 }} + - name: RESTCONF_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "restconf-creds" "key" "password") | indent 10 }} + - name: ANSIBLE_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "ansible-creds" "key" "login") | indent 10 }} + - name: ANSIBLE_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "ansible-creds" "key" "password") | indent 10 }} + - name: SCALEOUT_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "scaleout-creds" "key" "login") | indent 10 }} + - name: SCALEOUT_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "scaleout-creds" "key" "password") | indent 10 }} + - name: NETBOX_APIKEY + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "netbox-apikey" "key" "password") | indent 10 }} + - name: SDNC_DB_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} + - name: SDNC_DB_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: config-input + - mountPath: /config + name: properties + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + - name: {{ include "common.name" . }}-readiness command: - /root/ready.py args: - --container-name - - {{ .Values.config.mariadbGalera.chartName }} + - {{ include "common.mariadbService" . }} env: - name: NAMESPACE valueFrom: @@ -55,31 +96,24 @@ spec: image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: - - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: db-root-password + - name: MYSQL_ROOT_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }} + - name: ODL_ADMIN_USERNAME + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "login") | indent 12 }} - name: ODL_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-odl - key: odl-password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "password") | indent 12 }} + - name: SDNC_DB_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - name: SDNC_DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-sdnctl - key: db-sdnctl-password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} - name: MYSQL_HOST - value: "{{.Values.config.mariadbGalera.serviceName}}.{{.Release.Namespace}}" + value: {{ include "common.mariadbService" . }} - name: SDNC_HOME value: "{{.Values.config.sdncHome}}" - name: ETC_DIR value: "{{.Values.config.etcDir}}" - name: BIN_DIR value: "{{.Values.config.binDir}}" - - name: SDNC_DB_USER - value: "{{.Values.config.dbSdnctlUser}}" - name: SDNC_DB_DATABASE value: "{{.Values.config.dbSdnctlDatabase}}" volumeMounts: @@ -119,11 +153,13 @@ spec: configMap: name: {{ include "common.fullname" . }}-bin defaultMode: 0755 - - name: properties + - name: config-input configMap: name: {{ include "common.fullname" . }}-properties defaultMode: 0644 + - name: properties + emptyDir: + medium: Memory restartPolicy: Never imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - diff --git a/kubernetes/sdnc/templates/secret-aaf.yaml b/kubernetes/sdnc/templates/secret-aaf.yaml deleted file mode 100644 index cd2e539b28..0000000000 --- a/kubernetes/sdnc/templates/secret-aaf.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{ if .Values.global.aafEnabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-aaf - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -type: Opaque -data: - aaf-password: {{ .Values.aaf_init.deploy_pass | b64enc | quote }} -{{ end }} diff --git a/kubernetes/sdnc/templates/secrets.yaml b/kubernetes/sdnc/templates/secrets.yaml index e8cb336883..dee311c336 100644 --- a/kubernetes/sdnc/templates/secrets.yaml +++ b/kubernetes/sdnc/templates/secrets.yaml @@ -1,41 +1,15 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - db-root-password: {{ .Values.config.dbRootPassword | b64enc | quote }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-odl - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - odl-password: {{ .Values.config.odlPassword | b64enc | quote }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-sdnctl - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - db-sdnctl-password: {{ .Values.config.dbSdnctlPassword | b64enc | quote }} +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secret" . }} diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index 1611449095..6054546d58 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml +++ b/kubernetes/sdnc/templates/statefulset.yaml @@ -34,10 +34,51 @@ spec: spec: initContainers: - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: AAI_CLIENT_NAME + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aai-user-creds" "key" "login") | indent 10 }} + - name: AAI_CLIENT_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aai-user-creds" "key" "password") | indent 10 }} + - name: MODELSERVICE_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "modeling-user-creds" "key" "login") | indent 10 }} + - name: MODELSERVICE_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "modeling-user-creds" "key" "password") | indent 10 }} + - name: RESTCONF_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "restconf-creds" "key" "login") | indent 10 }} + - name: RESTCONF_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "restconf-creds" "key" "password") | indent 10 }} + - name: ANSIBLE_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "ansible-creds" "key" "login") | indent 10 }} + - name: ANSIBLE_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "ansible-creds" "key" "password") | indent 10 }} + - name: SCALEOUT_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "scaleout-creds" "key" "login") | indent 10 }} + - name: SCALEOUT_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "scaleout-creds" "key" "password") | indent 10 }} + - name: NETBOX_APIKEY + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "netbox-apikey" "key" "password") | indent 10 }} + - name: SDNC_DB_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} + - name: SDNC_DB_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: config-input + - mountPath: /config + name: properties + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + + - command: - /root/ready.py args: - --container-name - - {{ .Values.config.mariadbGalera.chartName }} + - {{ include "common.mariadbService" . }} env: - name: NAMESPACE valueFrom: @@ -89,12 +130,9 @@ spec: - name: aaf_locator_app_ns value: "{{ .Values.aaf_init.app_ns }}" - name: DEPLOY_FQI - value: "{{ .Values.aaf_init.deploy_fqi }}" + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aaf-creds" "key" "login") | indent 12 }} - name: DEPLOY_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" .}}-aaf - key: aaf-password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aaf-creds" "key" "password") | indent 12 }} - name: cadi_longitude value: "{{ .Values.aaf_init.cadi_longitude }}" - name: cadi_latitude @@ -125,41 +163,36 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: - - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: db-root-password - - name: ODL_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-odl - key: odl-password - - name: SDNC_DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-sdnctl - key: db-sdnctl-password - - name: SDNC_CONFIG_DIR - value: "{{ .Values.config.configDir }}" - - name: ENABLE_ODL_CLUSTER - value: "{{ .Values.config.enableClustering }}" - - name: MY_ODL_CLUSTER - value: "{{ .Values.config.myODLCluster }}" - - name: PEER_ODL_CLUSTER - value: "{{ .Values.config.peerODLCluster }}" - - name: IS_PRIMARY_CLUSTER - value: "{{ .Values.config.isPrimaryCluster }}" - - name: GEO_ENABLED - value: "{{ .Values.config.geoEnabled}}" - - name: SDNC_AAF_ENABLED - value: "{{ .Values.global.aafEnabled}}" - - name: SDNC_REPLICAS - value: "{{ .Values.replicaCount }}" - - name: MYSQL_HOST - value: "{{.Values.config.mariadbGalera.serviceName}}.{{.Release.Namespace}}" - - name: JAVA_HOME - value: "{{ .Values.config.javaHome}}" + - name: MYSQL_ROOT_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }} + - name: ODL_ADMIN_USERNAME + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "login") | indent 12 }} + - name: ODL_ADMIN_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "password") | indent 12 }} + - name: SDNC_DB_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: SDNC_DB_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + - name: SDNC_CONFIG_DIR + value: "{{ .Values.config.configDir }}" + - name: ENABLE_ODL_CLUSTER + value: "{{ .Values.config.enableClustering }}" + - name: MY_ODL_CLUSTER + value: "{{ .Values.config.myODLCluster }}" + - name: PEER_ODL_CLUSTER + value: "{{ .Values.config.peerODLCluster }}" + - name: IS_PRIMARY_CLUSTER + value: "{{ .Values.config.isPrimaryCluster }}" + - name: GEO_ENABLED + value: "{{ .Values.config.geoEnabled}}" + - name: SDNC_AAF_ENABLED + value: "{{ .Values.global.aafEnabled}}" + - name: SDNC_REPLICAS + value: "{{ .Values.replicaCount }}" + - name: MYSQL_HOST + value: {{ include "common.mariadbService" . }} + - name: JAVA_HOME + value: "{{ .Values.config.javaHome}}" volumeMounts: - mountPath: /etc/localtime name: localtime @@ -252,10 +285,13 @@ spec: configMap: name: {{ include "common.fullname" . }}-bin defaultMode: 0755 - - name: properties + - name: config-input configMap: name: {{ include "common.fullname" . }}-properties defaultMode: 0644 + - name: properties + emptyDir: + medium: Memory - name: {{ include "common.fullname" . }}-certs {{ if .Values.certpersistence.enabled }} persistentVolumeClaim: diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index 4447a7dfaa..8fd7590863 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -26,6 +26,83 @@ global: persistence: mountPath: /dockerdata-nfs aafEnabled: true + # envsusbt + envsubstImage: dibi/envsubst + mariadbGalera: + #This flag allows SO to instantiate its own mariadb-galera cluster + #If shared instance is used, this chart assumes that DB already exists + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-root-password + name: '{{ include "common.release" . }}-sdnc-db-root-password' + type: password + externalSecret: '{{ .Values.global.mariadbGalera.localCluster | ternary (default (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" (index .Values "mariadb-galera" "nameOverride"))) (index .Values "mariadb-galera" "config" "mariadbRootPasswordExternalSecret")) (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) }}' + password: '{{ (index .Values "mariadb-galera" "config" "mariadbRootPassword" }}' + - uid: db-secret + name: &dbSecretName '{{ include "common.release" . }}-sdnc-db-secret' + type: basicAuth + # This is a nasty trick that allows you override this secret using external one + # with the same field that is used to pass this to subchart + externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) (hasSuffix "sdnc-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}' + login: '{{ index .Values "mariadb-galera" "config" "userName" }}' + password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}' + - uid: odl-creds + name: &odlCredsSecretName '{{ include "common.release" . }}-sdnc-odl-creds' + type: basicAuth + externalSecret: '{{ .Values.config.odlCredsExternalSecret }}' + login: '{{ .Values.config.odlUser }}' + password: '{{ .Values.config.odlPassword }}' + # For now this is left hardcoded but should be revisited in a future + passwordPolicy: required + - uid: aaf-creds + type: basicAuth + externalSecret: '{{ ternary (tpl (default "" .Values.aaf_init.aafDeployCredsExternalSecret) .) "aafIsDiabled" .Values.global.aafEnabled }}' + login: '{{ .Values.aaf_init.deploy_fqi }}' + password: '{{ .Values.aaf_init.deploy_pass }}' + passwordPolicy: required + - uid: netbox-apikey + type: password + externalSecret: '{{ .Values.config.netboxApikeyExternalSecret }}' + password: '{{ .Values.config.netboxApikey }}' + passwordPolicy: required + - uid: aai-user-creds + type: basicAuth + externalSecret: '{{ .Values.config.aaiCredsExternalSecret}}' + login: '{{ .Values.config.aaiUser }}' + password: '{{ .Values.config.aaiPassword }}' + passwordPolicy: required + - uid: modeling-user-creds + type: basicAuth + externalSecret: '{{ .Values.config.modelingCredsExternalSecret}}' + login: '{{ .Values.config.modelingUser }}' + password: '{{ .Values.config.modelingPassword }}' + passwordPolicy: required + - uid: restconf-creds + type: basicAuth + externalSecret: '{{ .Values.config.restconfCredsExternalSecret}}' + login: '{{ .Values.config.restconfUser }}' + password: '{{ .Values.config.restconfPassword }}' + passwordPolicy: required + - uid: ansible-creds + name: &ansibleSecretName '{{ include "common.release" . }}-sdnc-ansible-creds' + type: basicAuth + externalSecret: '{{ .Values.config.ansibleCredsExternalSecret}}' + login: '{{ .Values.config.ansibleUser }}' + password: '{{ .Values.config.ansiblePassword }}' + passwordPolicy: required + - uid: scaleout-creds + type: basicAuth + externalSecret: '{{ .Values.config.scaleoutCredsExternalSecret}}' + login: '{{ .Values.config.scaleoutUser }}' + password: '{{ .Values.config.scaleoutPassword }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -43,11 +120,27 @@ debugEnabled: false config: odlUid: 100 odlGid: 101 + odlUser: admin odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - dbRootPassword: secretpassword - dbSdnctlUser: sdnctl - dbSdnctlDatabase: sdnctl - dbSdnctlPassword: gamma + # odlCredsExternalSecret: some secret + netboxApikey: onceuponatimeiplayedwithnetbox20180814 + # netboxApikeyExternalSecret: some secret + aaiUser: sdnc@sdnc.onap.org + aaiPassword: demo123456! + # aaiCredsExternalSecret: some secret + modelingUser: ccsdkapps + modelingPassword: ccsdkapps + # modelingCredsExternalSecret: some secret + restconfUser: admin + restconfPassword: admin + # restconfCredsExternalSecret: some secret + scaleoutUser: admin + scaleoutPassword: admin + # scaleoutExternalSecret: some secret + ansibleUser: sdnc + ansiblePassword: sdnc + # ansibleCredsExternalSecret: some secret + dbSdnctlDatabase: &sdncDbName sdnctl enableClustering: true sdncHome: /opt/onap/sdnc binDir: /opt/onap/sdnc/bin @@ -91,17 +184,6 @@ config: parallelGCThreads : 3 numberGGLogFiles: 10 - - - #local Mariadb-galera cluster - localDBCluster: false - - #Shared mariadb-galera details - mariadbGalera: - chartName: mariadb-galera - serviceName: mariadb-galera - internalPort: 3306 - # dependency / sub-chart configuration aaf_init: agentImage: onap/aaf/aaf_agent:2.1.15 @@ -114,63 +196,82 @@ aaf_init: cadi_latitude: "38.0" cadi_longitude: "-72.0" +mariadb-galera: &mariadbGalera + nameOverride: sdnc-db + config: + rootPasswordExternalSecret: '{{ ternary (include "common.release" .)-sdnc-db-root-password "" .Values.global.mariadbGalera.localCluster }}' + userName: sdnctl + userCredentialsExternalSecret: *dbSecretName + service: + name: sdnc-dbhost + internalPort: 3306 + sdnctlPrefix: sdnc + persistence: + mountSubPath: sdnc/mariadb-galera + enabled: true + replicaCount: 1 + cds: enabled: false dmaap-listener: nameOverride: sdnc-dmaap-listener + mariadb-galera: + << : *mariadbGalera + config: + mysqlDatabase: *sdncDbName config: sdncChartName: sdnc - mysqlChartName: mariadb-galera dmaapPort: 3904 sdncPort: 8282 configDir: /opt/onap/sdnc/data/properties - odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + odlCredsExternalSecret: *odlCredsSecretName ueb-listener: + mariadb-galera: + << : *mariadbGalera + config: + mysqlDatabase: *sdncDbName nameOverride: sdnc-ueb-listener config: sdncPort: 8282 sdncChartName: sdnc - mysqlChartName: mariadb-galera configDir: /opt/onap/sdnc/data/properties - odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + odlCredsExternalSecret: *odlCredsSecretName sdnc-portal: + mariadb-galera: + << : *mariadbGalera + config: + mysqlDatabase: *sdncDbName config: sdncChartName: sdnc - mysqlChartName: mariadb-galera configDir: /opt/onap/sdnc/data/properties - dbRootPassword: secretpassword - dbSdnctlPassword: gamma - odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + odlCredsExternalSecret: *odlCredsSecretName sdnc-ansible-server: + config: + restCredsExternalSecret: *ansibleSecretName + mariadb-galera: + << : *mariadbGalera + config: + mysqlDatabase: ansible service: name: sdnc-ansible-server internalPort: 8000 - config: - mysqlServiceName: mariadb-galera - -mariadb-galera: - nameOverride: sdnc-db - service: - name: sdnc-dbhost - internalPort: 3306 - sdnctlPrefix: sdnc - persistence: - mountSubPath: sdnc/mariadb-galera - enabled: true - replicaCount: 1 dgbuilder: nameOverride: sdnc-dgbuilder config: + db: + dbName: *sdncDbName + rootPasswordExternalSecret: '{{ ternary (printf "%s-sdnc-db-root-password" (include "common.release" .)) (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" "mariadb-galera")) .Values.global.mariadbGalera.localCluster }}' + userCredentialsExternalSecret: *dbSecretName dbPodName: mariadb-galera dbServiceName: mariadb-galera - dbRootPassword: secretpassword - dbSdnctlPassword: gamma + # This should be revisited and changed to plain text dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5 + mariadb-galera: service: name: sdnc-dgbuilder nodePort: "03" diff --git a/kubernetes/so/charts/so-bpmn-infra/templates/configmap.yaml b/kubernetes/so/charts/so-bpmn-infra/templates/configmap.yaml index b57205223e..a2e27548ba 100755 --- a/kubernetes/so/charts/so-bpmn-infra/templates/configmap.yaml +++ b/kubernetes/so/charts/so-bpmn-infra/templates/configmap.yaml @@ -38,3 +38,12 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-log + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} + diff --git a/kubernetes/so/charts/so-bpmn-infra/templates/deployment.yaml b/kubernetes/so/charts/so-bpmn-infra/templates/deployment.yaml index 91e9be6376..40b19871da 100755 --- a/kubernetes/so/charts/so-bpmn-infra/templates/deployment.yaml +++ b/kubernetes/so/charts/so-bpmn-infra/templates/deployment.yaml @@ -66,26 +66,14 @@ spec: name: {{ include "common.release" . }}-so-db-secrets key: mariadb.readwrite.port - name: DB_USERNAME - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-so-db-secrets - key: mariadb.readwrite.rolename + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }} - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-so-db-secrets - key: mariadb.readwrite.password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }} - name: DB_ADMIN_USERNAME - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-so-db-secrets - key: mariadb.admin.rolename + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-so-db-secrets - key: mariadb.admin.password - {{- if eq .Values.global.security.aaf.enabled true }} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} + {{- if eq .Values.global.security.aaf.enabled true }} - name: TRUSTSTORE value: /app/org.onap.so.trust.jks - name: TRUSTSTORE_PASSWORD @@ -111,16 +99,42 @@ spec: - name: config mountPath: /app/config readOnly: true + - name: {{ include "common.fullname" . }}-logs + mountPath: /var/log/onap {{ include "helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} protocol: TCP + # Filebeat sidecar container + - name: {{ include "common.name" . }}-filebeat-onap + image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - name: {{ include "common.fullname" . }}-filebeat-conf + mountPath: /usr/share/filebeat/filebeat.yml + subPath: filebeat.yml + - name: {{ include "common.fullname" . }}-data-filebeat + mountPath: /usr/share/filebeat/data + - name: logs + mountPath: /var/log/onap/so + - name: {{ include "common.fullname" . }}-logs + mountPath: /var/log/onap volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap + - name: {{ include "common.fullname" . }}-log-conf + configMap: + name: {{ include "common.fullname" . }}-log + - name: {{ include "common.fullname" . }}-filebeat-conf + configMap: + name: {{ .Release.Name }}-so-filebeat-configmap + - name: {{ include "common.fullname" . }}-data-filebeat + emptyDir: {} + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/so/charts/so-bpmn-infra/templates/secret.yaml b/kubernetes/so/charts/so-bpmn-infra/templates/secret.yaml new file mode 100644 index 0000000000..dee311c336 --- /dev/null +++ b/kubernetes/so/charts/so-bpmn-infra/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secret" . }} diff --git a/kubernetes/so/charts/so-bpmn-infra/values.yaml b/kubernetes/so/charts/so-bpmn-infra/values.yaml index a7925b79e5..357a8fd62c 100755 --- a/kubernetes/so/charts/so-bpmn-infra/values.yaml +++ b/kubernetes/so/charts/so-bpmn-infra/values.yaml @@ -24,12 +24,39 @@ global: mountPath: /dockerdata-nfs ################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-user-creds + name: '{{ include "common.release" . }}-so-bpmn-infra-db-user-creds' + type: basicAuth + externalSecret: '{{ .Values.db.userCredsExternalSecret }}' + login: '{{ .Values.db.userName }}' + password: '{{ .Values.db.userPassword }}' + passwordPolicy: required + - uid: db-admin-creds + name: '{{ include "common.release" . }}-so-bpmn-infra-db-admin-creds' + type: basicAuth + externalSecret: '{{ .Values.db.adminCredsExternalSecret }}' + login: '{{ .Values.db.adminName }}' + password: '{{ .Values.db.adminPassword }}' + passwordPolicy: required + + +################################################################# # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 image: onap/so/bpmn-infra:1.5.3 pullPolicy: Always +db: + userName: so_user + userPassword: so_User123 + # userCredsExternalSecret: some secret + adminName: so_admin + adminPassword: so_Admin123 + # adminCredsExternalSecret: some secret replicaCount: 1 minReadySeconds: 10 containerPort: 8081 diff --git a/kubernetes/so/charts/so-catalog-db-adapter/templates/deployment.yaml b/kubernetes/so/charts/so-catalog-db-adapter/templates/deployment.yaml index 91e9be6376..63a10b0d83 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/templates/deployment.yaml +++ b/kubernetes/so/charts/so-catalog-db-adapter/templates/deployment.yaml @@ -66,25 +66,13 @@ spec: name: {{ include "common.release" . }}-so-db-secrets key: mariadb.readwrite.port - name: DB_USERNAME - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-so-db-secrets - key: mariadb.readwrite.rolename + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }} - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-so-db-secrets - key: mariadb.readwrite.password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }} - name: DB_ADMIN_USERNAME - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-so-db-secrets - key: mariadb.admin.rolename + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-so-db-secrets - key: mariadb.admin.password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} {{- if eq .Values.global.security.aaf.enabled true }} - name: TRUSTSTORE value: /app/org.onap.so.trust.jks diff --git a/kubernetes/so/charts/so-catalog-db-adapter/templates/secret.yaml b/kubernetes/so/charts/so-catalog-db-adapter/templates/secret.yaml new file mode 100644 index 0000000000..dee311c336 --- /dev/null +++ b/kubernetes/so/charts/so-catalog-db-adapter/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secret" . }} diff --git a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml b/kubernetes/so/charts/so-catalog-db-adapter/values.yaml index c4e23164f2..889f2e83ec 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml +++ b/kubernetes/so/charts/so-catalog-db-adapter/values.yaml @@ -24,12 +24,39 @@ global: mountPath: /dockerdata-nfs ################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-user-creds + name: '{{ include "common.release" . }}-so-catalog-db-adapter-db-user-creds' + type: basicAuth + externalSecret: '{{ .Values.db.userCredsExternalSecret }}' + login: '{{ .Values.db.userName }}' + password: '{{ .Values.db.userPassword }}' + passwordPolicy: required + - uid: db-admin-creds + name: '{{ include "common.release" . }}-so-catalog-db-adapter-db-admin-creds' + type: basicAuth + externalSecret: '{{ .Values.db.adminCredsExternalSecret }}' + login: '{{ .Values.db.adminName }}' + password: '{{ .Values.db.adminPassword }}' + passwordPolicy: required + +################################################################# # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 image: onap/so/catalog-db-adapter:1.5.3 pullPolicy: Always +db: + userName: so_user + userPassword: so_User123 + # userCredsExternalSecret: some secret + adminName: so_admin + adminPassword: so_Admin123 + # adminCredsExternalSecret: some secret + replicaCount: 1 minReadySeconds: 10 containerPort: 8082 diff --git a/kubernetes/so/charts/so-openstack-adapter/resources/config/overrides/override.yaml b/kubernetes/so/charts/so-openstack-adapter/resources/config/overrides/override.yaml index 4710fea218..ffebc4c794 100755 --- a/kubernetes/so/charts/so-openstack-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/charts/so-openstack-adapter/resources/config/overrides/override.yaml @@ -99,7 +99,8 @@ mso: auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.encrypted "value2" .Values.mso.auth )}} logPath: ./logs/openstack msb-ip: msb-iag.{{ include "common.namespace" . }} - msb-port: 80 + msb-port: 443 + msb-scheme: https workflow: endpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/sobpmnengine msoKey: {{ .Values.mso.msoKey }} diff --git a/kubernetes/so/charts/so-openstack-adapter/templates/configmap.yaml b/kubernetes/so/charts/so-openstack-adapter/templates/configmap.yaml index b57205223e..21544798cf 100755 --- a/kubernetes/so/charts/so-openstack-adapter/templates/configmap.yaml +++ b/kubernetes/so/charts/so-openstack-adapter/templates/configmap.yaml @@ -38,3 +38,11 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-log + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }}
\ No newline at end of file diff --git a/kubernetes/so/charts/so-openstack-adapter/templates/deployment.yaml b/kubernetes/so/charts/so-openstack-adapter/templates/deployment.yaml index 91e9be6376..c0ac078039 100755 --- a/kubernetes/so/charts/so-openstack-adapter/templates/deployment.yaml +++ b/kubernetes/so/charts/so-openstack-adapter/templates/deployment.yaml @@ -111,16 +111,42 @@ spec: - name: config mountPath: /app/config readOnly: true + - name: {{ include "common.fullname" . }}-logs + mountPath: /var/log/onap {{ include "helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} protocol: TCP + # Filebeat sidecar container + - name: {{ include "common.name" . }}-filebeat-onap + image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - name: {{ include "common.fullname" . }}-filebeat-conf + mountPath: /usr/share/filebeat/filebeat.yml + subPath: filebeat.yml + - name: {{ include "common.fullname" . }}-data-filebeat + mountPath: /usr/share/filebeat/data + - name: logs + mountPath: /var/log/onap/so + - name: {{ include "common.fullname" . }}-logs + mountPath: /var/log/onap volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap + - name: {{ include "common.fullname" . }}-log-conf + configMap: + name: {{ include "common.fullname" . }}-log + - name: {{ include "common.fullname" . }}-filebeat-conf + configMap: + name: {{ .Release.Name }}-so-filebeat-configmap + - name: {{ include "common.fullname" . }}-data-filebeat + emptyDir: {} + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/so/charts/so-sdc-controller/templates/configmap.yaml b/kubernetes/so/charts/so-sdc-controller/templates/configmap.yaml index b57205223e..104daae051 100755 --- a/kubernetes/so/charts/so-sdc-controller/templates/configmap.yaml +++ b/kubernetes/so/charts/so-sdc-controller/templates/configmap.yaml @@ -38,3 +38,11 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-log + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} diff --git a/kubernetes/so/charts/so-sdc-controller/templates/deployment.yaml b/kubernetes/so/charts/so-sdc-controller/templates/deployment.yaml index 91e9be6376..c0ac078039 100755 --- a/kubernetes/so/charts/so-sdc-controller/templates/deployment.yaml +++ b/kubernetes/so/charts/so-sdc-controller/templates/deployment.yaml @@ -111,16 +111,42 @@ spec: - name: config mountPath: /app/config readOnly: true + - name: {{ include "common.fullname" . }}-logs + mountPath: /var/log/onap {{ include "helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} protocol: TCP + # Filebeat sidecar container + - name: {{ include "common.name" . }}-filebeat-onap + image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - name: {{ include "common.fullname" . }}-filebeat-conf + mountPath: /usr/share/filebeat/filebeat.yml + subPath: filebeat.yml + - name: {{ include "common.fullname" . }}-data-filebeat + mountPath: /usr/share/filebeat/data + - name: logs + mountPath: /var/log/onap/so + - name: {{ include "common.fullname" . }}-logs + mountPath: /var/log/onap volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap + - name: {{ include "common.fullname" . }}-log-conf + configMap: + name: {{ include "common.fullname" . }}-log + - name: {{ include "common.fullname" . }}-filebeat-conf + configMap: + name: {{ .Release.Name }}-so-filebeat-configmap + - name: {{ include "common.fullname" . }}-data-filebeat + emptyDir: {} + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/so/charts/so-sdnc-adapter/templates/configmap.yaml b/kubernetes/so/charts/so-sdnc-adapter/templates/configmap.yaml index b57205223e..104daae051 100755 --- a/kubernetes/so/charts/so-sdnc-adapter/templates/configmap.yaml +++ b/kubernetes/so/charts/so-sdnc-adapter/templates/configmap.yaml @@ -38,3 +38,11 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-log + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} diff --git a/kubernetes/so/charts/so-sdnc-adapter/templates/deployment.yaml b/kubernetes/so/charts/so-sdnc-adapter/templates/deployment.yaml index 5c7f3ab0ca..3b3d189190 100755 --- a/kubernetes/so/charts/so-sdnc-adapter/templates/deployment.yaml +++ b/kubernetes/so/charts/so-sdnc-adapter/templates/deployment.yaml @@ -96,16 +96,42 @@ spec: - name: config mountPath: /app/config readOnly: true + - name: {{ include "common.fullname" . }}-logs + mountPath: /var/log/onap {{ include "helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} protocol: TCP + # Filebeat sidecar container + - name: {{ include "common.name" . }}-filebeat-onap + image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - name: {{ include "common.fullname" . }}-filebeat-conf + mountPath: /usr/share/filebeat/filebeat.yml + subPath: filebeat.yml + - name: {{ include "common.fullname" . }}-data-filebeat + mountPath: /usr/share/filebeat/data + - name: logs + mountPath: /var/log/onap/so + - name: {{ include "common.fullname" . }}-logs + mountPath: /var/log/onap volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap + - name: {{ include "common.fullname" . }}-log-conf + configMap: + name: {{ include "common.fullname" . }}-log + - name: {{ include "common.fullname" . }}-filebeat-conf + configMap: + name: {{ .Release.Name }}-so-filebeat-configmap + - name: {{ include "common.fullname" . }}-data-filebeat + emptyDir: {} + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/so/templates/configmap.yaml b/kubernetes/so/templates/configmap.yaml index b57205223e..6aa4b5f4f0 100755 --- a/kubernetes/so/templates/configmap.yaml +++ b/kubernetes/so/templates/configmap.yaml @@ -38,3 +38,19 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-log + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/log/filebeat/filebeat.yml").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-so-filebeat-configmap + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/log/filebeat/filebeat.yml").AsConfig . | indent 2 }} diff --git a/kubernetes/so/templates/deployment.yaml b/kubernetes/so/templates/deployment.yaml index 91e9be6376..c0ac078039 100755 --- a/kubernetes/so/templates/deployment.yaml +++ b/kubernetes/so/templates/deployment.yaml @@ -111,16 +111,42 @@ spec: - name: config mountPath: /app/config readOnly: true + - name: {{ include "common.fullname" . }}-logs + mountPath: /var/log/onap {{ include "helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} protocol: TCP + # Filebeat sidecar container + - name: {{ include "common.name" . }}-filebeat-onap + image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - name: {{ include "common.fullname" . }}-filebeat-conf + mountPath: /usr/share/filebeat/filebeat.yml + subPath: filebeat.yml + - name: {{ include "common.fullname" . }}-data-filebeat + mountPath: /usr/share/filebeat/data + - name: logs + mountPath: /var/log/onap/so + - name: {{ include "common.fullname" . }}-logs + mountPath: /var/log/onap volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap + - name: {{ include "common.fullname" . }}-log-conf + configMap: + name: {{ include "common.fullname" . }}-log + - name: {{ include "common.fullname" . }}-filebeat-conf + configMap: + name: {{ .Release.Name }}-so-filebeat-configmap + - name: {{ include "common.fullname" . }}-data-filebeat + emptyDir: {} + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index 5a06253863..a792ff9acd 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -20,6 +20,8 @@ global: repository: nexus3.onap.org:10001 readinessRepository: oomk8s readinessImage: readiness-check:2.0.2 + loggingRepository: docker.elastic.co + loggingImage: beats/filebeat:5.5.0 mariadbGalera: nameOverride: mariadb-galera serviceName: mariadb-galera @@ -119,6 +121,12 @@ livenessProbe: nodeSelector: {} affinity: {} +# application configuration +config: + logstashServiceName: log-ls + logstashPort: 5044 + + #Used only if localCluster is enabled. Instantiates SO's own cassandra cluster #helm deploy demo local/onap --namespace onap --verbose --set so.enabled=true \ # --set so.global.mariadbGalera.localCluster=true \ diff --git a/kubernetes/uui/charts/uui-server/values.yaml b/kubernetes/uui/charts/uui-server/values.yaml index 3da0bdf976..2035c63a1a 100644 --- a/kubernetes/uui/charts/uui-server/values.yaml +++ b/kubernetes/uui/charts/uui-server/values.yaml @@ -84,16 +84,16 @@ ingress: resources: small: limits: - cpu: 250m - memory: 500Mi + cpu: 1.5 + memory: 350Mi requests: - cpu: 250m - memory: 500Mi + cpu: 1 + memory: 245Mi large: limits: - cpu: 500m + cpu: 2 memory: 500Mi requests: - cpu: 500m + cpu: 1 memory: 500Mi unlimited: {} diff --git a/kubernetes/vid/values.yaml b/kubernetes/vid/values.yaml index e8d0595284..fb8f1a04f8 100644 --- a/kubernetes/vid/values.yaml +++ b/kubernetes/vid/values.yaml @@ -39,7 +39,7 @@ subChartsOnly: # application image repository: nexus3.onap.org:10001 -image: onap/vid:6.0.2 +image: onap/vid:6.0.3 pullPolicy: Always # mariadb image for initializing |