314 files changed, 9194 insertions, 2724 deletions
diff --git a/docs/archived/oom_setup_kubernetes_rancher.rst b/docs/archived/oom_setup_kubernetes_rancher.rst deleted file mode 100644 index f81bd91cd8..0000000000 --- a/docs/archived/oom_setup_kubernetes_rancher.rst +++ /dev/null 
@@ -1,530 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright 2018-2020 Amdocs, Bell Canada, Orange, Samsung - -.. Links -.. _HELM Best Practices Guide: https://docs.helm.sh/chart_best_practices/#requirements -.. _kubectl Cheat Sheet: https://kubernetes.io/docs/reference/kubectl/cheatsheet/ -.. _Kubernetes documentation for emptyDir: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir -.. _Docker DevOps: https://lf-onap.atlassian.net/wiki/spaces/DW/pages/16239251/Docker+DevOps#Docker-Build -.. _http://cd.onap.info:30223/mso/logging/debug: http://cd.onap.info:30223/mso/logging/debug -.. _README.md: https://gerrit.onap.org/r/gitweb?p=oom.git;a=blob;f=kubernetes/README.md - -.. figure:: images/oom_logo/oomLogoV2-medium.png - :align: right - -.. _onap-on-kubernetes-with-rancher: - -ONAP on HA Kubernetes Cluster -############################# - -This guide provides instructions on how to setup a Highly-Available Kubernetes -Cluster. For this, we are hosting our cluster on OpenStack VMs and using the -Rancher Kubernetes Engine (RKE) to deploy and manage our Kubernetes Cluster. - -.. contents:: - :depth: 1 - :local: -.. - -The result at the end of this tutorial will be: - -#. Creation of a Key Pair to use with Open Stack and RKE - -#. Creation of OpenStack VMs to host Kubernetes Control Plane - -#. Creation of OpenStack VMs to host Kubernetes Workers - -#. Installation and configuration of RKE to setup an HA Kubernetes - -#. Installation and configuration of kubectl - -#. Installation and configuration of Helm - -#. Creation of an NFS Server to be used by ONAP as shared persistance - -There are many ways one can execute the above steps. Including automation -through the use of HEAT to setup the OpenStack VMs. To better illustrate the -steps involved, we have captured the manual creation of such an environment -using the ONAP Wind River Open Lab. 
- -Create Key Pair -=============== -A Key Pair is required to access the created OpenStack VMs and will be used by -RKE to configure the VMs for Kubernetes. - -Use an existing key pair, import one or create a new one to assign. - -.. image:: images/keys/key_pair_1.png - -.. Note:: - If you're creating a new Key Pair, ensure to create a local copy of the - Private Key through the use of "Copy Private Key to Clipboard". - -For the purpose of this guide, we will assume a new local key called "onap-key" -has been downloaded and is copied into **~/.ssh/**, from which it can be -referenced. - -Example:: - - > mv onap-key ~/.ssh - - > chmod 600 ~/.ssh/onap-key - - -Create Network -============== - -An internal network is required in order to deploy our VMs that will host -Kubernetes. - -.. image:: images/network/network_1.png - -.. image:: images/network/network_2.png - -.. image:: images/network/network_3.png - -.. Note:: - It's better to have one network per deployment and obviously the name of this - network should be unique. - -Now we need to create a router to attach this network to outside: - -.. image:: images/network/network_4.png - -Create Security Group -===================== - -A specific security group is also required - -.. image:: images/sg/sg_1.png - -then click on `manage rules` of the newly created security group. -And finally click on `Add Rule` and create the following one: - -.. image:: images/sg/sg_2.png - -.. Note:: - the security is clearly not good here and the right SG will be proposed in a - future version - -Create Kubernetes Control Plane VMs -=================================== - -The following instructions describe how to create 3 OpenStack VMs to host the -Highly-Available Kubernetes Control Plane. -ONAP workloads will not be scheduled on these Control Plane nodes. - -Launch new VM instances ------------------------ - -.. 
image:: images/cp_vms/control_plane_1.png - -Select Ubuntu 18.04 as base image ---------------------------------- -Select "No" for "Create New Volume" - -.. image:: images/cp_vms/control_plane_2.png - -Select Flavor -------------- -The recommended flavor is at least 4 vCPU and 8GB ram. - -.. image:: images/cp_vms/control_plane_3.png - -Networking ----------- - -Use the created network: - -.. image:: images/cp_vms/control_plane_4.png - -Security Groups ---------------- - -Use the created security group: - -.. image:: images/cp_vms/control_plane_5.png - -Key Pair --------- -Assign the key pair that was created/selected previously (e.g. onap_key). - -.. image:: images/cp_vms/control_plane_6.png - -Apply customization script for Control Plane VMs ------------------------------------------------- - -Click :download:`openstack-k8s-controlnode.sh <shell/openstack-k8s-controlnode.sh>` -to download the script. - -.. literalinclude:: shell/openstack-k8s-controlnode.sh - :language: bash - -This customization script will: - -* update ubuntu -* install docker - -.. image:: images/cp_vms/control_plane_7.png - -Launch Instance ---------------- - -.. image:: images/cp_vms/control_plane_8.png - - - -Create Kubernetes Worker VMs -============================ -The following instructions describe how to create OpenStack VMs to host the -Highly-Available Kubernetes Workers. ONAP workloads will only be scheduled on -these nodes. - -Launch new VM instances ------------------------ - -The number and size of Worker VMs is dependent on the size of the ONAP -deployment. By default, all ONAP applications are deployed. It's possible to -customize the deployment and enable a subset of the ONAP applications. For the -purpose of this guide, however, we will deploy 12 Kubernetes Workers that have -been sized to handle the entire ONAP application workload. - -.. 
image:: images/wk_vms/worker_1.png - -Select Ubuntu 18.04 as base image ---------------------------------- -Select "No" on "Create New Volume" - -.. image:: images/wk_vms/worker_2.png - -Select Flavor -------------- -The size of Kubernetes hosts depend on the size of the ONAP deployment -being installed. - -If a small subset of ONAP applications are being deployed -(i.e. for testing purposes), then 16GB or 32GB may be sufficient. - -.. image:: images/wk_vms/worker_3.png - -Networking ------------ - -.. image:: images/wk_vms/worker_4.png - -Security Group ---------------- - -.. image:: images/wk_vms/worker_5.png - -Key Pair --------- -Assign the key pair that was created/selected previously (e.g. onap_key). - -.. image:: images/wk_vms/worker_6.png - -Apply customization script for Kubernetes VM(s) ------------------------------------------------ - -Click :download:`openstack-k8s-workernode.sh <shell/openstack-k8s-workernode.sh>` to -download the script. - -.. literalinclude:: shell/openstack-k8s-workernode.sh - :language: bash - -This customization script will: - -* update ubuntu -* install docker -* install nfs common - - -Launch Instance ---------------- - -.. image:: images/wk_vms/worker_7.png - - - - -Assign Floating IP addresses ----------------------------- -Assign Floating IPs to all Control Plane and Worker VMs. -These addresses provide external access to the VMs and will be used by RKE -to configure kubernetes on to the VMs. - -Repeat the following for each VM previously created: - -.. image:: images/floating_ips/floating_1.png - -Resulting floating IP assignments in this example. - -.. image:: images/floating_ips/floating_2.png - - - - -Configure Rancher Kubernetes Engine (RKE) -========================================= - -Install RKE ------------ -Download and install RKE on a VM, desktop or laptop. -Binaries can be found here for Linux and Mac: https://github.com/rancher/rke/releases/tag/v1.0.6 - -.. note:: - There are several ways to install RKE. 
Further parts of this documentation - assumes that you have rke command available. - If you don't know how to install RKE you may follow the below steps: - - * chmod +x ./rke_linux-amd64 - * sudo mv ./rke_linux-amd64 /user/local/bin/rke - -RKE requires a *cluster.yml* as input. An example file is show below that -describes a Kubernetes cluster that will be mapped onto the OpenStack VMs -created earlier in this guide. - -Click :download:`cluster.yml <yaml/cluster.yml>` to download the -configuration file. - -.. literalinclude:: yaml/cluster.yml - :language: yaml - -Prepare cluster.yml -------------------- -Before this configuration file can be used the external **address** -and the **internal_address** must be mapped for each control and worker node -in this file. - -Run RKE -------- -From within the same directory as the cluster.yml file, simply execute:: - - > rke up - -The output will look something like:: - - INFO[0000] Initiating Kubernetes cluster - INFO[0000] [certificates] Generating admin certificates and kubeconfig - INFO[0000] Successfully Deployed state file at [./cluster.rkestate] - INFO[0000] Building Kubernetes cluster - INFO[0000] [dialer] Setup tunnel for host [10.12.6.82] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.249] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.74] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.85] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.238] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.89] - INFO[0000] [dialer] Setup tunnel for host [10.12.5.11] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.90] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.244] - INFO[0000] [dialer] Setup tunnel for host [10.12.5.165] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.126] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.111] - INFO[0000] [dialer] Setup tunnel for host [10.12.5.160] - INFO[0000] [dialer] Setup tunnel for host [10.12.5.191] - INFO[0000] [dialer] Setup tunnel for 
host [10.12.6.195] - INFO[0002] [network] Deploying port listener containers - INFO[0002] [network] Pulling image [nexus3.onap.org:10001/rancher/rke-tools:v0.1.27] on host [10.12.6.85] - INFO[0002] [network] Pulling image [nexus3.onap.org:10001/rancher/rke-tools:v0.1.27] on host [10.12.6.89] - INFO[0002] [network] Pulling image [nexus3.onap.org:10001/rancher/rke-tools:v0.1.27] on host [10.12.6.90] - INFO[0011] [network] Successfully pulled image [nexus3.onap.org:10001/rancher/rke-tools:v0.1.27] on host [10.12.6.89] - . . . . - INFO[0309] [addons] Setting up Metrics Server - INFO[0309] [addons] Saving ConfigMap for addon rke-metrics-addon to Kubernetes - INFO[0309] [addons] Successfully saved ConfigMap for addon rke-metrics-addon to Kubernetes - INFO[0309] [addons] Executing deploy job rke-metrics-addon - INFO[0315] [addons] Metrics Server deployed successfully - INFO[0315] [ingress] Setting up nginx ingress controller - INFO[0315] [addons] Saving ConfigMap for addon rke-ingress-controller to Kubernetes - INFO[0316] [addons] Successfully saved ConfigMap for addon rke-ingress-controller to Kubernetes - INFO[0316] [addons] Executing deploy job rke-ingress-controller - INFO[0322] [ingress] ingress controller nginx deployed successfully - INFO[0322] [addons] Setting up user addons - INFO[0322] [addons] no user addons defined - INFO[0322] Finished building Kubernetes cluster successfully - -Install Kubectl -=============== - -Download and install kubectl. Binaries can be found here for Linux and Mac: - -https://storage.googleapis.com/kubernetes-release/release/v1.15.11/bin/linux/amd64/kubectl -https://storage.googleapis.com/kubernetes-release/release/v1.15.11/bin/darwin/amd64/kubectl - -You only need to install kubectl where you'll launch Kubernetes command. This -can be any machines of the Kubernetes cluster or a machine that has IP access -to the APIs. -Usually, we use the first controller as it has also access to internal -Kubernetes services, which can be convenient. 
- -Validate deployment -------------------- - -:: - - > mkdir -p ~/.kube - - > cp kube_config_cluster.yml ~/.kube/config.onap - - > export KUBECONFIG=~/.kube/config.onap - - > kubectl config use-context onap - - > kubectl get nodes -o=wide - -:: - - NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME - onap-control-1 Ready controlplane,etcd 3h53m v1.15.2 10.0.0.8 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-control-2 Ready controlplane,etcd 3h53m v1.15.2 10.0.0.11 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-control-3 Ready controlplane,etcd 3h53m v1.15.2 10.0.0.12 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-1 Ready worker 3h53m v1.15.2 10.0.0.14 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-10 Ready worker 3h53m v1.15.2 10.0.0.16 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-11 Ready worker 3h53m v1.15.2 10.0.0.18 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-12 Ready worker 3h53m v1.15.2 10.0.0.7 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-2 Ready worker 3h53m v1.15.2 10.0.0.26 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-3 Ready worker 3h53m v1.15.2 10.0.0.5 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-4 Ready worker 3h53m v1.15.2 10.0.0.6 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-5 Ready worker 3h53m v1.15.2 10.0.0.9 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-6 Ready worker 3h53m v1.15.2 10.0.0.17 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-7 Ready worker 3h53m v1.15.2 10.0.0.20 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-8 Ready worker 3h53m v1.15.2 10.0.0.10 <none> Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-9 Ready worker 3h53m v1.15.2 10.0.0.4 <none> Ubuntu 18.04 LTS 4.15.0-22-generic 
docker://18.9.5 - - -Install Helm -============ - -Example Helm client install on Linux:: - - > wget https://get.helm.sh/helm-v2.16.6-linux-amd64.tar.gz - - > tar -zxvf helm-v2.16.6-linux-amd64.tar.gz - - > sudo mv linux-amd64/helm /usr/local/bin/helm - -Initialize Kubernetes Cluster for use by Helm ---------------------------------------------- - -:: - - > kubectl -n kube-system create serviceaccount tiller - - > kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller - - > helm init --service-account tiller - - > kubectl -n kube-system rollout status deploy/tiller-deploy - - - -Setting up an NFS share for Multinode Kubernetes Clusters -========================================================= -Deploying applications to a Kubernetes cluster requires Kubernetes nodes to -share a common, distributed filesystem. In this tutorial, we will setup an -NFS Master, and configure all Worker nodes a Kubernetes cluster to play -the role of NFS slaves. - -It is recommended that a separate VM, outside of the kubernetes -cluster, be used. This is to ensure that the NFS Master does not compete for -resources with Kubernetes Control Plane or Worker Nodes. - - -Launch new NFS Server VM instance ---------------------------------- -.. image:: images/nfs_server/nfs_server_1.png - -Select Ubuntu 18.04 as base image ---------------------------------- -Select "No" on "Create New Volume" - -.. image:: images/nfs_server/nfs_server_2.png - -Select Flavor -------------- - -.. image:: images/nfs_server/nfs_server_3.png - -Networking ------------ - -.. image:: images/nfs_server/nfs_server_4.png - -Security Group ---------------- - -.. image:: images/nfs_server/nfs_server_5.png - -Key Pair --------- -Assign the key pair that was created/selected previously (e.g. onap_key). - -.. 
image:: images/nfs_server/nfs_server_6.png - -Apply customization script for NFS Server VM --------------------------------------------- - -Click :download:`openstack-nfs-server.sh <shell/openstack-nfs-server.sh>` to download -the script. - -.. literalinclude:: shell/openstack-nfs-server.sh - :language: bash - -This customization script will: - -* update ubuntu -* install nfs server - - -Launch Instance ---------------- - -.. image:: images/nfs_server/nfs_server_7.png - - - -Assign Floating IP addresses ----------------------------- - -.. image:: images/nfs_server/nfs_server_8.png - -Resulting floating IP assignments in this example. - -.. image:: images/nfs_server/nfs_server_9.png - - -To properly set up an NFS share on Master and Slave nodes, the user can run the -scripts below. - -Click :download:`master_nfs_node.sh <shell/master_nfs_node.sh>` to download the -script. - -.. literalinclude:: shell/master_nfs_node.sh - :language: bash - -Click :download:`slave_nfs_node.sh <shell/slave_nfs_node.sh>` to download the script. - -.. literalinclude:: shell/slave_nfs_node.sh - :language: bash - -The master_nfs_node.sh script runs in the NFS Master node and needs the list of -NFS Slave nodes as input, e.g.:: - - > sudo ./master_nfs_node.sh node1_ip node2_ip ... nodeN_ip - -The slave_nfs_node.sh script runs in each NFS Slave node and needs the IP of -the NFS Master node as input, e.g.:: - - > sudo ./slave_nfs_node.sh master_node_ip - - -ONAP Deployment via OOM -======================= -Now that Kubernetes and Helm are installed and configured you can prepare to -deploy ONAP. Follow the instructions in the README.md_ or look at the official -documentation to get started: - -- :ref:`quick-start-label` - deploy ONAP on an existing cloud -- :ref:`user-guide-label` - a guide for operators of an ONAP instance diff --git a/docs/archived/oom_user_guide.rst b/docs/archived/oom_user_guide.rst index 2ff74b5898..b4d1891864 100644 --- a/docs/archived/oom_user_guide.rst 
+++ b/docs/archived/oom_user_guide.rst @@ -55,8 +55,8 @@ ONAP with a few simple commands. Pre-requisites -------------- -Your environment must have the Kubernetes `kubectl` with Strimzi Apache Kafka, Cert-Manager -and Helm setup as a one time activity. +Your environment must have the Kubernetes `kubectl` with Strimzi Apache Kafka, +Cert-Manager and Helm setup as a one time activity. Install Kubectl ~~~~~~~~~~~~~~~ @@ -275,7 +275,7 @@ precedence of all. The top level onap/values.yaml file contains the values required to be set before deploying ONAP. Here is the contents of this file: -.. include:: ../kubernetes/onap/values.yaml +.. include:: ../../kubernetes/onap/values.yaml :code: yaml One may wish to create a value file that is specific to a given deployment such diff --git a/docs/archived/yaml/environments_onap_demo.yaml b/docs/archived/yaml/environments_onap_demo.yaml new file mode 100644 index 0000000000..64dee3e846 --- /dev/null +++ b/docs/archived/yaml/environments_onap_demo.yaml 
@@ -0,0 +1,87 @@ +################################################################# +# Global configuration overrides. +# +# These overrides will affect all helm charts (ie. applications) +# that are listed below and are 'enabled'. +################################################################# +global: + # Change to an unused port prefix range to prevent port conflicts + # with other instances running within the same k8s cluster + nodePortPrefix: 302 + + # image repositories + repository: nexus3.onap.org:10001 + repositorySecret: eyJuZXh1czMub25hcC5vcmc6MTAwMDEiOnsidXNlcm5hbWUiOiJkb2NrZXIiLCJwYXNzd29yZCI6ImRvY2tlciIsImVtYWlsIjoiQCIsImF1dGgiOiJaRzlqYTJWeU9tUnZZMnRsY2c9PSJ9fQ== + # readiness check + readinessImage: onap/oom/readiness:6.0.3 + # logging agent + loggingRepository: docker.elastic.co + + # image pull policy + pullPolicy: IfNotPresent + + # override default mount path root directory + # referenced by persistent volumes and log files + persistence: + mountPath: /dockerdata + + # flag to enable debugging - application support required + debugEnabled: true + +################################################################# +# Enable/disable and configure helm charts (ie. applications) +# to customize the ONAP deployment. 
+################################################################# +aai: + enabled: false +cli: + enabled: false +cps: + enabled: false +dcaegen2: + enabled: false +message-router: + enabled: false +msb: + enabled: false +multicloud: + enabled: false +policy: + enabled: false +robot: # Robot Health Check + enabled: true +sdc: + enabled: false +sdnc: + enabled: false +so: # Service Orchestrator + enabled: true + + replicaCount: 1 + + liveness: + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + + # so server configuration + config: + # message router configuration + dmaapTopic: "AUTO" + # openstack configuration + openStackUserName: "vnf_user" + openStackRegion: "RegionOne" + openStackKeyStoneUrl: "http://1.2.3.4:5000" + openStackServiceTenantName: "service" + openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e" + + # configure embedded mariadb + mariadb: + config: + mariadbRootPassword: password +uui: + enabled: false +vfc: + enabled: false +vnfsdk: + enabled: false diff --git a/docs/requirements-docs.txt b/docs/requirements-docs.txt index be92e5dcea..ba04a8dce9 100644 --- a/docs/requirements-docs.txt +++ b/docs/requirements-docs.txt @@ -6,4 +6,4 @@ sphinxcontrib-swaggerdoc sphinxcontrib-spelling sphinxcontrib-plantuml sphinx_toolbox>=3.2.0 -six
\ No newline at end of file +six diff --git a/docs/sections/guides/access_guides/oom_access_info.rst b/docs/sections/guides/access_guides/oom_access_info.rst index ebc2f65104..44491cce17 100644 --- a/docs/sections/guides/access_guides/oom_access_info.rst +++ b/docs/sections/guides/access_guides/oom_access_info.rst @@ -30,14 +30,15 @@ In the ServiceMesh deployment the Istio IngressGateway is the only access point for ONAP component interfaces. Usually the Ingress is accessed via a LoadBalancer IP (<ingress-IP>), which is used as central address. -All APIs/UIs are provided via separate URLs which are routed to the component service. +All APIs/UIs are provided via separate URLs which are routed to the component +service. To use these URLs they need to be resolvable via DNS or via /etc/hosts. -The domain name is usually defined in the `global` section of the ONAP helm-charts, -`virtualhost.baseurl` (here "simpledemo.onap.org") whereas the hostname of -the service (e.g. "sdc-fe-ui") is defined in the component's chart. +The domain name is usually defined in the `global` section of the ONAP +helm-charts, `virtualhost.baseurl` (here "simpledemo.onap.org") whereas the +hostname of the service (e.g. "sdc-fe-ui") is defined in the component's chart. -.. code-block:: none +.. code-block:: bash <ingress-IP> kiali.simpledemo.onap.org <ingress-IP> cds-ui.simpledemo.onap.org 
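Review bot: In the docs/sections/guides/access_guides/oom_access_info.rst hunk at @@ -30,14 +30,15 @@, changing `.. code-block:: none` to `.. code-block:: bash` mislabels the listing: the indented lines are `/etc/hosts` entries (`<ingress-IP> kiali.simpledemo.onap.org`), not shell, so the bash lexer adds nothing and can highlight the `<ingress-IP>` placeholder as a redirection. Keep `none` (or `text`) for hosts-file content; the two rewrapped paragraphs in this hunk are fine as they are.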
@@ -54,9 +55,9 @@ Access via NodePort/Loadbalancer (development) In the development setop OOM operates in a private IP network that isn't publicly accessible (i.e. OpenStack VMs with private internal network) which blocks access to the ONAP User Interfaces. -To enable direct access to a service from a user's own environment (a laptop etc.) -the application's internal port is exposed through a `Kubernetes NodePort`_ or -`Kubernetes LoadBalancer`_ object. +To enable direct access to a service from a user's own environment (a laptop +etc.) the application's internal port is exposed through a +`Kubernetes NodePort`_ or `Kubernetes LoadBalancer`_ object. Typically, to be able to access the Kubernetes nodes publicly a public address is assigned. In OpenStack this is a floating IP address. 
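Review bot: The context line at the top of the @@ -54,9 +55,9 @@ hunk still reads "In the development setop OOM operates"; since this paragraph is being rewrapped anyway, "setop" should become "setup" in the same change.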
@@ -64,24 +65,24 @@ is assigned. In OpenStack this is a floating IP address. Most ONAP applications use the `NodePort` as predefined `service:type`, which opens allows access to the service through the the IP address of each Kubernetes node. -When using the `Loadbalancer` as `service:type` `Kubernetes LoadBalancer`_ object -which gets a separate IP address. +When using the `Loadbalancer` as `service:type` `Kubernetes LoadBalancer`_ +object which gets a separate IP address. When e.g. the `sdc-fe` chart is deployed a Kubernetes service is created that instantiates a load balancer. The LB chooses the private interface of one of -the nodes as in the example below (10.0.0.4 is private to the K8s cluster only). +the nodes as in the example below (10.0.0.4 is private to the K8s cluster +only). Then to be able to access the portal on port 8989 from outside the K8s & -OpenStack environment, the user needs to assign/get the floating IP address that -corresponds to the private IP as follows:: +OpenStack environment, the user needs to assign/get the floating IP address +that corresponds to the private IP as follows:: > kubectl -n onap get services|grep "sdc-fe" sdc-fe LoadBalancer 10.43.142.201 10.0.0.4 8181:30207/TCP - In this example, use the 10.0.0.4 private address as a key find the corresponding public address which in this example is 10.12.6.155. If you're using OpenStack you'll do the lookup with the horizon GUI or the OpenStack CLI -for your tenant (openstack server list). That IP is then used in your +for your tenant (openstack server list). That IP is then used in your `/etc/hosts` to map the fixed DNS aliases required by the ONAP Portal as shown below:: 
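Review bot: The removed blank line after `sdc-fe LoadBalancer 10.43.142.201 10.0.0.4 8181:30207/TCP` in the @@ -64,24 +65,24 @@ hunk sits exactly where the literal block introduced by `as follows::` ends; if it was the only blank line before "In this example, use the 10.0.0.4 private address", docutils will report "Literal block ends without a blank line; unexpected unindent", so please confirm one blank line remains there. The surrounding context also carries typos worth fixing while the paragraph is open: "which opens allows access to the service through the the IP address" (drop "opens" and the doubled "the") and "as a key find the corresponding" (should be "as a key to find").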
@@ -100,8 +101,8 @@ the portal and then simply access now the new ssl-encrypted URL: | Alternatives Considered: - Kubernetes port forwarding was considered but discarded as it would - require the end user to run a script that opens up port forwarding tunnels - to each of the pods that provides a portal application widget. + require the end user to run a script that opens up port forwarding + tunnels to each of the pods that provides a portal application widget. - Reverting to a VNC server similar to what was deployed in the Amsterdam release was also considered but there were many issues with resolution, @@ -111,9 +112,9 @@ the portal and then simply access now the new ssl-encrypted URL: Observations: - If you are not using floating IPs in your Kubernetes deployment and - directly attaching a public IP address (i.e. by using your public provider - network) to your K8S Node VMs' network interface, then the output of - 'kubectl -n onap get services | grep "portal-app"' + directly attaching a public IP address (i.e. by using your public + provider network) to your K8S Node VMs' network interface, then the + output of 'kubectl -n onap get services | grep "portal-app"' will show your public IP instead of the private network's IP. Therefore, you can grab this public IP directly (as compared to trying to find the floating IP first) and map this IP in /etc/hosts. @@ -142,11 +143,9 @@ The following table lists all the NodePorts used by ONAP. :widths: 20,20,20,20,20 :header-rows: 1 - This table retrieves information from the ONAP deployment using the following Kubernetes command: .. code-block:: bash kubectl get svc -n onap -o go-template='{{range .items}}{{range.spec.ports}}{{if .nodePort}}{{.nodePort}}{{.}}{{"\n"}}{{end}}{{end}}{{end}}' - diff --git a/docs/sections/guides/deployment_guides/oom_customize_overrides.rst b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst index a5458f8562..52fb7e5d5b 100644 
--- a/docs/sections/guides/deployment_guides/oom_customize_overrides.rst +++ b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst @@ -11,12 +11,15 @@ OOM Custom Overrides #################### -The OOM `helm deploy`_ plugin requires deployment configuration as input, usually in the form of override yaml files. -These input files determine what ONAP components get deployed, and the configuration of the OOM deployment. +The OOM `helm deploy`_ plugin requires deployment configuration as input, +usually in the form of override yaml files. +These input files determine what ONAP components get deployed, and the +configuration of the OOM deployment. Other helm config options like `--set log.enabled=true|false` are available. -See the `helm deploy`_ plugin usage section for more detail, or it the plugin has already been installed, execute the following:: +See the `helm deploy`_ plugin usage section for more detail, or it the plugin +has already been installed, execute the following:: > helm deploy --help 
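Review bot: The rewrapped line in the docs/sections/guides/deployment_guides/oom_customize_overrides.rst hunk at @@ -11,12 +11,15 @@ keeps the typo "or it the plugin has already been installed"; as the line is rewritten anyway, make it "or if the plugin has already been installed".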
@@ -121,31 +124,46 @@ Global settings relevant for ServiceMesh and Ingress: ServiceMesh settings: -- enabled: true → enables ServiceMesh functionality in the ONAP Namespace (Istio: enables Sidecar deployment) +- enabled: true → enables ServiceMesh functionality in the ONAP Namespace + (Istio: enables Sidecar deployment) - tls: true → enables mTLS encryption in Sidecar communication - engine: istio → sets the SM engine (currently only Istio is supported) - aafEnabled: false → disables AAF usage for TLS interfaces - tlsEnabled: false → disables creation of TLS in component services - cmpv2Enabled: false → disable cmpv2 feature -- msbEnabled: false → MSB is not used in Istio setup (Open, if all components are MSB independend) +- msbEnabled: false → MSB is not used in Istio setup (Open, if all components + are MSB independend) Ingress settings: -- enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled) +- enabled: true → enables Ingress using: Nginx (when SM disabled), Istio + IngressGateway (when SM enabled) - enable_all: true → enables Ingress configuration in each component - provider: "..." → sets the Ingress provider (ingress, istio, gw-api) -- ingressClass: "" → Ingress class (only for provider "ingress"): e.g. nginx, traefik -- ingressSelector: "" → Selector (only for provider "istio") to match with the ingress pod label "istio=ingress" -- commonGateway: "" → optional: common used Gateway (for Istio, GW-API) and http(s) listener names -- virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all Interfaces set by the components, - resulting in e.g. "aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.baseurlOverride -- virtualhost.preaddr: "pre-" → sets globally a prefix for the Application name for all Interfaces set by the components, - resulting in e.g. 
"pre-aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.preaddrOverride -- virtualhost.postaddr: "-post" → sets globally a postfix for the Application name for all Interfaces set by the components, - resulting in e.g. "aai-api-post.simpledemo.onap.org", can be overwritten in the component via: ingress.postaddrOverride -- config.ssl: redirect → sets in the Ingress globally the redirection of all Interfaces from http (port 80) to https (port 443) -- config.tls.secret: "..." → (optional) overrides the default selfsigned SSL certificate with a certificate stored in the specified secret -- namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate +- ingressClass: "" → Ingress class (only for provider "ingress"): e.g. nginx, + traefik +- ingressSelector: "" → Selector (only for provider "istio") to match with the + ingress pod label "istio=ingress" +- commonGateway: "" → optional: common used Gateway (for Istio, GW-API) and + http(s) listener names +- virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all + Interfaces set by the components, resulting in e.g. + "aai-api.simpledemo.onap.org", can be overwritten in the component via: + ingress.baseurlOverride +- virtualhost.preaddr: "pre-" → sets globally a prefix for the Application name + for all Interfaces set by the components, resulting in e.g. + "pre-aai-api.simpledemo.onap.org", can be overwritten in the component via: + ingress.preaddrOverride +- virtualhost.postaddr: "-post" → sets globally a postfix for the Application + name for all Interfaces set by the components, resulting in e.g. + "aai-api-post.simpledemo.onap.org", can be overwritten in the component via: + ingress.postaddrOverride +- config.ssl: redirect → sets in the Ingress globally the redirection of all + Interfaces from http (port 80) to https (port 443) +- config.tls.secret: "..." 
→ (optional) overrides the default selfsigned SSL + certificate with a certificate stored in the specified secret +- namespace: istio-ingress → (optional) overrides the namespace of the ingress + gateway which is used for the created SSL certificate .. note:: For the Ingress setup example override files (`onap-all-ingress-istio.yaml`, `onap-all-ingress-gatewayapi.yaml`) diff --git a/docs/sections/guides/deployment_guides/oom_deployment.rst b/docs/sections/guides/deployment_guides/oom_deployment.rst index ba4f4e22eb..21e988da5b 100644 --- a/docs/sections/guides/deployment_guides/oom_deployment.rst +++ b/docs/sections/guides/deployment_guides/oom_deployment.rst @@ -14,7 +14,8 @@ OOM Deployment Guide .. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png :align: right -ONAP OOM supports several options for the deployment of ONAP using it's helm charts. +ONAP OOM supports several options for the deployment of ONAP using it's helm +charts. * :ref:`oom_helm_release_repo_deploy` * :ref:`oom_helm_testing_repo_deploy` @@ -27,7 +28,8 @@ ONAP OOM supports several options for the deployment of ONAP using it's helm cha | :ref:`Set up your base platform<oom_base_setup_guide>` -Each deployment method can be customized to deploy a subset of ONAP component applications. +Each deployment method can be customized to deploy a subset of ONAP component +applications. See the :ref:`oom_customize_overrides` section for more details. diff --git a/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst b/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst index b0deff0e2b..debca31918 100644 --- a/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst +++ b/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst 
@@ -10,8 +10,8 @@ OOM Developer Testing Deployment ================================ -Developing and testing changes to the existing OOM project can be done locally by setting up some additional -tools to host the updated helm charts. +Developing and testing changes to the existing OOM project can be done locally +by setting up some additional tools to host the updated helm charts. **Step 1.** Clone the OOM repository from ONAP gerrit:: @@ -31,7 +31,8 @@ tools to host the updated helm charts. **Step 3.** Install Chartmuseum -Chart museum is required to host the helm charts locally when deploying in a development environment:: +Chart museum is required to host the helm charts locally when deploying in a +development environment:: > curl https://raw.githubusercontent.com/helm/chartmuseum/main/scripts/get-chartmuseum | bash @@ -41,7 +42,8 @@ Chart museum is required to host the helm charts locally when deploying in a dev > chartmuseum --storage local --storage-local-rootdir ~/helm3-storage -port 8879 & -Note the port number that is listed and use it in the Helm repo add as follows:: +Note the port number that is listed and use it in the Helm repo add as +follows:: > helm repo add local http://127.0.0.1:8879 diff --git a/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst b/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst index df2ede39dc..5e3115da6b 100644 --- a/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst +++ b/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst 
@@ -32,7 +32,8 @@ Add the repository: To customize what applications are deployed, see the :ref:`oom_customize_overrides` section for more details, to provide your own custom overrides yaml file. -- To deploy a release, execute the following, substituting the <version> tag with your preferred release (ie. 13.0.0):: +- To deploy a release, execute the following, substituting the <version> tag with + your preferred release (ie. 13.0.0):: > helm deploy dev onap-release/onap --namespace onap --create-namespace --set global.masterPassword=myAwesomePasswordThatINeedToChange --version <version> -f oom/kubernetes/onap/resources/overrides/onap-all.yaml diff --git a/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst b/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst index e9312382b3..92c0e68dff 100644 --- a/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst +++ b/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst @@ -12,12 +12,14 @@ OOM Helm Testing Deployment =========================== -ONAP hosts the OOM `testing` helm charts in it's `ONAP helm testing repository`_. +ONAP hosts the OOM `testing` helm charts in it's +`ONAP helm testing repository`_. This is helm repo contains: * The `latest` charts built from the head of the `OOM`_ project's master - branch, tagged with the version number of the current development cycle (ie. 12.0.0). + branch, tagged with the version number of the current development cycle + (ie. 15.0.0). Add the OOM testing repo & Deploy diff --git a/docs/sections/guides/development_guides/oom_dev_config_management.rst b/docs/sections/guides/development_guides/oom_dev_config_management.rst index 36a02dc85d..c6f1c4735d 100644 --- a/docs/sections/guides/development_guides/oom_dev_config_management.rst +++ b/docs/sections/guides/development_guides/oom_dev_config_management.rst 
@@ -441,4 +441,4 @@ SO deployment specification excerpt: - --container-name - so-mariadb env: - ...
\ No newline at end of file + ... diff --git a/docs/sections/guides/development_guides/oom_dev_container_orchestration.rst b/docs/sections/guides/development_guides/oom_dev_container_orchestration.rst index b137bff8b6..ecbaabd7be 100644 --- a/docs/sections/guides/development_guides/oom_dev_container_orchestration.rst +++ b/docs/sections/guides/development_guides/oom_dev_container_orchestration.rst @@ -363,4 +363,4 @@ containers and any state information within it. To avoid a loss of state, a persistent volume should be used to store all data that needs to be persisted over the re-creation of a container. Persistent volumes have been created for the database components of each of the projects and the same technique can be -used for all persistent state information.
\ No newline at end of file +used for all persistent state information. diff --git a/docs/sections/guides/development_guides/oom_dev_helm_chart_info.rst b/docs/sections/guides/development_guides/oom_dev_helm_chart_info.rst index 533f60e29b..0299c9579f 100644 --- a/docs/sections/guides/development_guides/oom_dev_helm_chart_info.rst +++ b/docs/sections/guides/development_guides/oom_dev_helm_chart_info.rst @@ -22,9 +22,9 @@ in a hierarchy as found in the `aai`_ ONAP component. Charts are created as files laid out in a particular directory tree, then they can be packaged into versioned archives to be deployed. There is a public -archive of `Helm Charts`_ on ArtifactHUB that includes many technologies applicable -to ONAP. Some of these charts have been used in ONAP and all of the ONAP charts -have been created following the guidelines provided. +archive of `Helm Charts`_ on ArtifactHUB that includes many technologies +applicable to ONAP. Some of these charts have been used in ONAP and all of the +ONAP charts have been created following the guidelines provided. An example structure of the OOM common helm charts is shown below: diff --git a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst index e5ca289aff..6638eb71b6 100644 --- a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst +++ b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst 
@@ -31,18 +31,21 @@ the following mandatory installation and configuration steps must be completed. :local: .. -For additional platform add-ons, see the :ref:`oom_base_optional_addons` section. +For additional platform add-ons, see the :ref:`oom_base_optional_addons` +section. Install & configure kubectl --------------------------- -The Kubernetes command line interface used to manage a Kubernetes cluster needs to be installed -and configured to run as non root. +The Kubernetes command line interface used to manage a Kubernetes cluster needs +to be installed and configured to run as non root. -For additional information regarding kubectl installation and configuration see the `kubectl installation guide`_ +For additional information regarding kubectl installation and configuration see +the `kubectl installation guide`_ -To install kubectl, execute the following, replacing the <recommended-kubectl-version> with the version defined -in the :ref:`versions_table` table:: +To install kubectl, execute the following, replacing the +<recommended-kubectl-version> with the version defined in the +:ref:`versions_table` table:: > curl -LO https://dl.k8s.io/release/v<recommended-kubectl-version>/bin/linux/amd64/kubectl @@ -78,11 +81,12 @@ Validate the installation:: Install & configure helm ------------------------ -Helm is used for package and configuration management of the relevant helm charts. -For additional information, see the `helm installation guide`_ +Helm is used for package and configuration management of the relevant helm +charts. For additional information, see the `helm installation guide`_ -To install helm, execute the following, replacing the <recommended-helm-version> with the version defined -in the :ref:`versions_table` table:: +To install helm, execute the following, replacing the +<recommended-helm-version> with the version defined in the +:ref:`versions_table` table:: > wget https://get.helm.sh/helm-v<recommended-helm-version>-linux-amd64.tar.gz 
@@ -94,8 +98,8 @@ Verify the helm version with:: > helm version -Helm's default CNCF provided `Curated applications for Kubernetes`_ repository called -*stable* can be removed to avoid confusion:: +Helm's default CNCF provided `Curated applications for Kubernetes`_ repository +called *stable* can be removed to avoid confusion:: > helm repo remove stable @@ -120,10 +124,12 @@ Verify the plugins are installed:: Set the default StorageClass ---------------------------- -In some ONAP components it is important to have a default storageClass defined (e.g. cassandra), -if you don't want to explicitly set it during the deployment via helm overrides. +In some ONAP components it is important to have a default storageClass defined +(e.g. cassandra), if you don't want to explicitly set it during the deployment +via helm overrides. -Therefor you should set the default storageClass (if not done during the K8S cluster setup) via the command:: +Therefor you should set the default storageClass (if not done during the K8S +cluster setup) via the command:: > kubectl patch storageclass <storageclass> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' @@ -132,9 +138,10 @@ see `DefaultStorageClass`_ Install the Strimzi Kafka Operator ---------------------------------- -Strimzi Apache Kafka provides a way to run an Apache Kafka cluster on Kubernetes -in various deployment configurations by using kubernetes operators. -Operators are a method of packaging, deploying, and managing Kubernetes applications. +Strimzi Apache Kafka provides a way to run an Apache Kafka cluster on +Kubernetes in various deployment configurations by using kubernetes operators. +Operators are a method of packaging, deploying, and managing Kubernetes +applications. Strimzi Operators extend the Kubernetes functionality, automating common and complex tasks related to a Kafka deployment. By implementing 
@@ -153,8 +160,9 @@ To add the required helm repository, execute the following:: > helm repo add strimzi https://strimzi.io/charts/ -To install the strimzi kafka operator, execute the following, replacing the <recommended-strimzi-version> with the version defined -in the :ref:`versions_table` table:: +To install the strimzi kafka operator, execute the following, replacing the +<recommended-strimzi-version> with the version defined in the +:ref:`versions_table` table:: > helm install strimzi-kafka-operator strimzi/strimzi-kafka-operator --namespace strimzi-system --version <recommended-strimzi-version> --set watchAnyNamespace=true --create-namespace @@ -192,8 +200,9 @@ to manage cert-manager resources inside your cluster. For installation steps, please refer to `Cert-Manager kubectl plugin documentation`_. -To install cert-manager, execute the following, replacing the <recommended-cm-version> with the version defined -in the :ref:`versions_table` table:: +To install cert-manager, execute the following, replacing the +<recommended-cm-version> with the version defined in the +:ref:`versions_table` table:: > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v<recommended-cm-version>/cert-manager.yaml @@ -216,8 +225,8 @@ Istio Service Mesh `ONAP Next Generation Security & Logging Architecture`_ ONAP is currenty supporting Istio as default ServiceMesh platform. -Therefor the following instructions describe the setup of Istio and required tools. -Used `Istio setup guide`_ +Therefor the following instructions describe the setup of Istio and required +tools. Used `Istio setup guide`_ .. _oom_base_optional_addons_istio_installation: 
@@ -247,11 +256,11 @@ Install Istio Basic Platform > helm upgrade -i istio-base istio/base -n istio-system --version <recommended-istio-version> -- Create an override for istiod (e.g. istiod.yaml) to add the oauth2-proxy as external - authentication provider and apply some specific config settings - Be aware, that from Istio version 1.21.0 the format of the values.yaml changes. - Additionally a new feature (Native Sidecars) can be enabled, if it is enabled in - Kubernetes (version > 1.28) +- Create an override for istiod (e.g. istiod.yaml) to add the oauth2-proxy as + external authentication provider and apply some specific config settings + Be aware, that from Istio version 1.21.0 the format of the values.yaml + changes. Additionally a new feature (Native Sidecars) can be enabled, if it + is enabled in Kubernetes (version > 1.28) .. collapse:: istiod.yaml (version => 1.21) @@ -263,8 +272,9 @@ Install Istio Basic Platform .. include:: ../../resources/yaml/istiod.yaml :code: yaml -- Install the Istio Base Istio Discovery chart which deploys the istiod service, replacing the - <recommended-istio-version> with the version defined in the :ref:`versions_table` table:: +- Install the Istio Base Istio Discovery chart which deploys the istiod + service, replacing the <recommended-istio-version> with the version + defined in the :ref:`versions_table` table:: > helm upgrade -i istiod istio/istiod -n istio-system --version <recommended-istio-version> --wait -f ./istiod.yaml @@ -303,7 +313,8 @@ In the production setup 2 different Ingress setups are supported. - Istio Gateway `Istio-Gateway`_ (alternative, but in the future deprecated) Depending on the solution, the ONAP helm values.yaml has to be configured. -See the :ref:`OOM customized deployment<oom_customize_overrides>` section for more details. +See the :ref:`OOM customized deployment<oom_customize_overrides>` section for +more details. Gateway-API (recommended) ^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -336,8 +347,8 @@ Istio Gateway (alternative) > kubectl label namespace istio-ingress istio-injection=enabled -- To expose additional ports besides HTTP/S (e.g. for external Kafka access, SDNC-callhome) - create an override file (e.g. istio-ingress.yaml) +- To expose additional ports besides HTTP/S (e.g. for external Kafka access, + SDNC-callhome) create an override file (e.g. istio-ingress.yaml) .. collapse:: istio-ingress.yaml @@ -387,7 +398,8 @@ Configure Keycloak ^^^^^^^^^^^^^^^^^^ - To configure the Keycloak instance - create an override file (e.g. keycloak-server-values.yaml) + create an override file (e.g. keycloak-server-values.yaml) and use + the "image.tag" of the keycloak version (here 26.0.6) .. collapse:: keycloak-server-values.yaml diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst index 5020e22563..535ee10d64 100644 --- a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst +++ b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst @@ -15,8 +15,8 @@ ONAP Deployment Requirements .. rubric:: Minimum Hardware Configuration -Some recommended hardware requirements are provided below. Note that this is for a -full ONAP deployment (all components). +Some recommended hardware requirements are provided below. Note that this is +for a full ONAP deployment (all components). .. table:: OOM Hardware Requirements 
@@ -26,8 +26,10 @@ full ONAP deployment (all components). 224GB 160GB 112 0.0.0.0/0 (all open) ===== ===== ====== ==================== -Customizing ONAP to deploy only components that are needed will drastically reduce these requirements. -See the :ref:`OOM customized deployment<oom_customize_overrides>` section for more details. +Customizing ONAP to deploy only components that are needed will drastically +reduce these requirements. +See the :ref:`OOM customized deployment<oom_customize_overrides>` section for +more details. .. note:: | Kubernetes supports a maximum of 110 pods per node - this can be overcome by modifying your kubelet config. @@ -50,7 +52,7 @@ The versions of software that are supported and tested by OOM are as follows: ============== =========== ======= ======== ======== ============= ======== Montreal 1.27.5 3.12.3 1.27.x 20.10.x 1.13.2 0.36.1 New Delhi 1.28.6 3.13.1 1.28.x 20.10.x 1.14.4 0.41.0 - Oslo 1.28.6 3.13.1 1.28.x 20.10.x 1.14.4 0.43.0 + Oslo 1.28.6 3.13.1 1.30.x 23.0.x 1.16.2 0.44.0 ============== =========== ======= ======== ======== ============= ======== .. table:: OOM Software Requirements (production) 
@@ -60,15 +62,15 @@ The versions of software that are supported and tested by OOM are as follows: ============== ====== ============ ============== Montreal 1.19.3 v1.0.0 19.0.3-legacy New Delhi 1.21.0 v1.0.0 22.0.4 - Oslo 1.23.0 v1.0.0 22.0.4 + Oslo 1.24.1 v1.2.1 26.0.6 ============== ====== ============ ============== .. table:: OOM Software Requirements (optional) - ============== ================= ========== ================= - Release Prometheus Stack K8ssandra MariaDB-Operator - ============== ================= ========== ================= - Montreal 45.x 1.10.2 0.23.1 - New Delhi 45.x 1.16.0 0.28.1 - Oslo 45.x 1.19.0 0.30.0 - ============== ================= ========== ================= + ============== =========== ========== =========== ============ =========== + Release Prometheus K8ssandra MariaDB-Op Postgres-Op MongoDB-Op + ============== =========== ========== =========== ============ =========== + Montreal 45.x 1.10.2 0.23.1 - - + New Delhi 45.x 1.16.0 0.28.1 - - + Oslo 45.x 1.20.2 0.36.0 5.7.2 1.18.0 + ============== =========== ========== =========== ============ =========== diff --git a/docs/sections/guides/infra_guides/oom_infra_optional_addons.rst b/docs/sections/guides/infra_guides/oom_infra_optional_addons.rst index 7723a231f4..ce623f3d14 100644 --- a/docs/sections/guides/infra_guides/oom_infra_optional_addons.rst +++ b/docs/sections/guides/infra_guides/oom_infra_optional_addons.rst @@ -12,6 +12,7 @@ .. _K8ssandra setup guide: https://docs.k8ssandra.io/install/ .. _Mariadb-Operator setup guide: https://github.com/mariadb-operator/mariadb-operator .. _Postgres-Operator setup guide: https://github.com/CrunchyData/postgres-operator +.. _MongoDB-Operator setup guide: https://docs.percona.com/percona-operator-for-mongodb/helm.html .. _oom_base_optional_addons: 
@@ -44,7 +45,9 @@ To install the prometheus stack, execute the following: > helm repo update -- To install prometheus, execute the following, replacing the <recommended-pm-version> with the version defined in the :ref:`versions_table` table:: +- To install prometheus, execute the following, replacing the + <recommended-pm-version> with the version defined in the + :ref:`versions_table` table:: > helm install prometheus prometheus-community/kube-prometheus-stack --namespace=prometheus --create-namespace --version=<recommended-pm-version> @@ -93,7 +96,6 @@ For setup the kiali operator is used, see `Kiali setup guide`_ > kubectl -n istio-system apply -f kiali-ingress.yaml - Jaeger Installation ------------------- @@ -113,7 +115,8 @@ For setup the K8ssandra operator is used, see `K8ssandra setup guide`_ > kubectl label namespace k8ssandra-operator istio-injection=enabled -- Install the k8ssandra-operator replacing the <recommended-version> with the version defined in the :ref:`versions_table` table:: +- Install the k8ssandra-operator replacing the <recommended-version> with the + version defined in the :ref:`versions_table` table:: > helm repo add k8ssandra https://helm.k8ssandra.io/stable 
@@ -137,12 +140,15 @@ For setup the Mariadb-Operator is used, see `Mariadb-Operator setup guide`_ > kubectl label namespace mariadb-operator istio-injection=enabled -- Install the mariadb-operator replacing the <recommended-version> with the version defined in the :ref:`versions_table` table:::: +- Install the mariadb-operator replacing the <recommended-version> with the + version defined in the :ref:`versions_table` table:::: - > helm repo add mariadb-operator https://mariadb-operator.github.io/mariadb-operator + > helm repo add mariadb-operator https://helm.mariadb.com/mariadb-operator > helm repo update mariadb-operator + > helm install mariadb-operator-crds --namespace mariadb-operator --version=<recommended-version> + > helm install mariadb-operator --namespace mariadb-operator mariadb-operator/mariadb-operator --set ha.enabled=true --set metrics.enabled=true --set webhook.certificate.certManager=true @@ -156,6 +162,30 @@ Postgres DB clusters, including monitoring and backup For setup the Postgres-Operator is used, see `Postgres-Operator setup guide`_ +MongoDB-Operator Installation +------------------------------ + +MongoDB-Operator is used to ease the installation and lifecycle management of +MongoDB DB instances, including monitoring and backup + +For setup the MongoDB-Operator is used, see `MongoDB-Operator setup guide`_ + +- Install mongodb-operator namespace:: + + > kubectl create namespace mongodb-operator + + > kubectl label namespace mongodb-operator istio-injection=enabled + +- Install the mongodb-operator replacing the <recommended-version> with the + version defined in the :ref:`versions_table` table:: + + > helm repo add percona https://percona.github.io/percona-helm-charts + + > helm repo update percona + + > helm install mongodb-operator --namespace mongodb-operator + percona/psmdb-operator --version=<recommended-version> + Kserve Installation ------------------- 
@@ -169,16 +199,19 @@ This installation is necessary for the ML models to be deployed as inference service. Once deployed, the inference services can be queried for the prediction. -**Kserve participant component in Policy ACM requires this installation. Kserve participant deploy/undeploy inference services in Kserve.** +**Kserve participant component in Policy ACM requires this installation.** +**Kserve participant deploy/undeploy inference services in Kserve.** Dependent component version compatibility details and installation instructions can be found at `Kserve setup guide`_ Kserve installation requires the following components: -- Istio. Its installation instructions can be found at :ref:`oom_base_optional_addons_istio_installation` +- Istio. Its installation instructions can be found at + :ref:`oom_base_optional_addons_istio_installation` -- Cert-Manager. Its installation instructions can be found at :ref:`oom_base_setup_cert_manager` +- Cert-Manager. Its installation instructions can be found at + :ref:`oom_base_setup_cert_manager` Installation instructions as follows, diff --git a/docs/sections/guides/user_guides/oom_user_guide.rst b/docs/sections/guides/user_guides/oom_user_guide.rst index d31c818d44..85e4eefc9f 100644 --- a/docs/sections/guides/user_guides/oom_user_guide.rst +++ b/docs/sections/guides/user_guides/oom_user_guide.rst @@ -44,7 +44,8 @@ The following sections describe the life-cycle operations: - Monitor_ - real-time health monitoring feeding to a Consul UI and Kubernetes - Heal_- failed ONAP containers are recreated automatically - Scale_ - cluster ONAP services to enable seamless scaling -- Upgrade_ - change-out containers or configuration with little or no service impact +- Upgrade_ - change-out containers or configuration with little or no service + impact - Delete_ - cleanup individual containers or entire deployments .. figure:: ../../resources/images/oom_logo/oomLogoV2-Deploy.png 
@@ -59,7 +60,8 @@ describe the composition of each of the ONAP components and the relationship within and between components. Using this model Helm is able to deploy all of ONAP with a few simple commands. -Please refer to the :ref:`oom_deploy_guide` for deployment pre-requisites and options +Please refer to the :ref:`oom_deploy_guide` for deployment pre-requisites and +options .. note:: Refer to the :ref:`oom_customize_overrides` section on how to update overrides.yaml and values.yaml diff --git a/docs/sections/oom_project_description.rst b/docs/sections/oom_project_description.rst index 774237946d..402c64aa31 100644 --- a/docs/sections/oom_project_description.rst +++ b/docs/sections/oom_project_description.rst 
@@ -38,18 +38,21 @@ In summary OOM provides the following capabilities: service impact - **Delete** - cleanup individual containers or entire deployments -OOM supports a wide variety of Kubernetes private clouds - built with ClusterAPI, -Kubespray - and public cloud infrastructures such as: Microsoft +OOM supports a wide variety of Kubernetes private clouds - built with +ClusterAPI, Kubespray - and public cloud infrastructures such as: Microsoft Azure, Amazon AWS, Google GCD, VMware VIO, and OpenStack. The OOM documentation is broken into four different areas each targeted at a different user: - :ref:`oom_dev_guide` - a guide for developers of OOM -- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use -- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_infra_guide` - a guide for those setting up the environments that + OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing + cloud - :ref:`oom_user_guide` - a guide for operators of an OOM instance -- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications +- :ref:`oom_access_info_guide` - a guide for operators who require access to + OOM applications The :ref:`release_notes` for OOM describe the incremental features per release. diff --git a/docs/sections/release_notes/release-notes-kohn.rst b/docs/sections/release_notes/release-notes-kohn.rst index 4b3dae71dd..cdd1889440 100644 --- a/docs/sections/release_notes/release-notes-kohn.rst +++ b/docs/sections/release_notes/release-notes-kohn.rst 
@@ -56,7 +56,8 @@ New features * Kubernetes support for version up to 1.23.8 * Helm support for version up to Helm: 3.8.2 -* Kubespray version used for automated deployment 2.19 (used for automated deployment) +* Kubespray version used for automated deployment 2.19 (used for automated + deployment) * Initial Setup for "ONAP on ServiceMesh" deployment * using Istio 1.14.1 as SM platform @@ -83,12 +84,16 @@ OOM provides `Helm charts <https://nexus3.onap.org/service/rest/repository/brows Documentation Deliverables ~~~~~~~~~~~~~~~~~~~~~~~~~~ -- :ref:`Project Description <oom_project_description>` - a guide for developers of OOM +- :ref:`Project Description <oom_project_description>` - a guide for developers + of OOM - :ref:`oom_dev_guide` - a guide for developers of OOM -- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use -- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_infra_guide` - a guide for those setting up the environments that + OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing + cloud - :ref:`oom_user_guide` - a guide for operators of an OOM instance -- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications +- :ref:`oom_access_info_guide` - a guide for operators who require access to + OOM applications Known Limitations, Issues and Workarounds ========================================= diff --git a/docs/sections/release_notes/release-notes-london.rst b/docs/sections/release_notes/release-notes-london.rst index 68c91dc84e..6ccbac0a27 100644 --- a/docs/sections/release_notes/release-notes-london.rst +++ b/docs/sections/release_notes/release-notes-london.rst 
@@ -58,9 +58,12 @@ New features * Introduction of "Production" ONAP setup, including: * Istio Service Mesh based deployment - * Ingress (Istio-Gateway) deployment and usage as standard external access method - * Internal Security provided by ServiceMesh and Component2Component AuthorizationPolicies - * External Security by introducing AuthN/Z using Keycloak and OAuth2Proxy for Ingress Access + * Ingress (Istio-Gateway) deployment and usage as standard external access + method + * Internal Security provided by ServiceMesh and Component2Component + AuthorizationPolicies + * External Security by introducing AuthN/Z using Keycloak and OAuth2Proxy for + Ingress Access * Removal of unsupported components (AAF, Portal, Contrib,...) * Update of Helmcharts to use common templates and practices @@ -102,12 +105,16 @@ OOM provides `Helm charts <https://nexus3.onap.org/service/rest/repository/brows Documentation Deliverables ~~~~~~~~~~~~~~~~~~~~~~~~~~ -- :ref:`Project Description <oom_project_description>` - a guide for developers of OOM +- :ref:`Project Description <oom_project_description>` - a guide for developers + of OOM - :ref:`oom_dev_guide` - a guide for developers of OOM -- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use -- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_infra_guide` - a guide for those setting up the environments that + OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing + cloud - :ref:`oom_user_guide` - a guide for operators of an OOM instance -- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications +- :ref:`oom_access_info_guide` - a guide for operators who require access to + OOM applications Known Limitations, Issues and Workarounds ========================================= 
diff --git a/docs/sections/release_notes/release-notes-montreal.rst b/docs/sections/release_notes/release-notes-montreal.rst index 1a592f1fcd..ab12d1e4f6 100644 --- a/docs/sections/release_notes/release-notes-montreal.rst +++ b/docs/sections/release_notes/release-notes-montreal.rst @@ -91,12 +91,16 @@ OOM provides `Helm charts <https://nexus3.onap.org/service/rest/repository/brows Documentation Deliverables ~~~~~~~~~~~~~~~~~~~~~~~~~~ -- :ref:`Project Description <oom_project_description>` - a guide for developers of OOM +- :ref:`Project Description <oom_project_description>` - a guide for developers + of OOM - :ref:`oom_dev_guide` - a guide for developers of OOM -- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use -- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_infra_guide` - a guide for those setting up the environments that + OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing + cloud - :ref:`oom_user_guide` - a guide for operators of an OOM instance -- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications +- :ref:`oom_access_info_guide` - a guide for operators who require access to + OOM applications Known Limitations, Issues and Workarounds ========================================= diff --git a/docs/sections/release_notes/release-notes-newdelhi.rst b/docs/sections/release_notes/release-notes-newdelhi.rst new file mode 100644 index 0000000000..cf7cee510b --- /dev/null +++ b/docs/sections/release_notes/release-notes-newdelhi.rst 
@@ -0,0 +1,138 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_newdelhi: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Montreal <release_notes_montreal>` +- :ref:`London <release_notes_london>` +- :ref:`Kohn <release_notes_kohn>` +- :ref:`Jakarta <release_notes_jakarta>` +- :ref:`Istanbul <release_notes_istanbul>` +- :ref:`Honolulu <release_notes_honolulu>` +- :ref:`Guilin <release_notes_guilin>` +- :ref:`Frankfurt <release_notes_frankfurt>` +- :ref:`El Alto <release_notes_elalto>` +- :ref:`Dublin <release_notes_dublin>` +- :ref:`Casablanca <release_notes_casablanca>` +- :ref:`Beijing <release_notes_beijing>` +- :ref:`Amsterdam <release_notes_amsterdam>` + +Abstract +======== + +This document provides the release notes for the New Delhi release. 
+ +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | New Delhi | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2024/06/13 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* authentication (14.0.0) - add configurable Keycloak Realm and enable Ingress + Interface Authentication and Authorization +* Update the helm common templates (13.2.0) to: + + * Support the latest Database Operators: + + * MariaDB-Operator (0.28.1) + * K8ssandra-Operator (v0.16.0) + * Postgres-Operator (CrunchyData) (5.5.0) + +* cassandra (13.1.0) - support for new K8ssandra-Operator +* mariadb-galera (13.1.0) - support for new MariaDB-Operator +* mongodb (14.12.3) - update to latest bitnami chart version +* postgres (13.1.0) - support for new Postgres-Operator +* postgres-init (13.0.1) - support for new Postgres-Operator +* readinessCheck (13.1.0) - added check for "Service" readiness +* serviceAccount (13.0.1) - add default role creation + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://lf-onap.atlassian.net/projects/OOM/versions/11502 + +**Known Issues** + + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts <https://nexus3.onap.org/service/rest/repository/browse/onap-helm-release/>`_ + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :ref:`Project Description <oom_project_description>` - a guide for developers + of OOM +- :ref:`oom_dev_guide` - a guide for developers of OOM +- :ref:`oom_infra_guide` - a guide for those 
setting up the environments that + OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing + cloud +- :ref:`oom_user_guide` - a guide for operators of an OOM instance +- :ref:`oom_access_info_guide` - a guide for operators who require access to + OOM applications + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + + +Workarounds +----------- + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://lf-onap.atlassian.net/wiki +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org +.. _`Gateway-API`: https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/ diff --git a/docs/sections/release_notes/release-notes.rst b/docs/sections/release_notes/release-notes.rst index 2ede1b8939..161f251a45 100644 --- a/docs/sections/release_notes/release-notes.rst +++ b/docs/sections/release_notes/release-notes.rst @@ -11,6 +11,7 @@ ONAP Operations Manager Release Notes Previous Release Notes ====================== +- :ref:`New Delhi <release_notes_newdelhi>` - :ref:`Montreal <release_notes_montreal>` - :ref:`London <release_notes_london>` - :ref:`Kohn <release_notes_kohn>` @@ -28,7 +29,7 @@ Previous Release Notes Abstract ======== -This document provides the release notes for the New Delhi release. +This document provides the release notes for the Oslo release. Summary ======= 
@@ -45,38 +46,74 @@ Release Data | **Docker images** | N/A | | | | +--------------------------------------+--------------------------------------+ -| **Release designation** | New Delhi | +| **Release designation** | Oslo | | | | +--------------------------------------+--------------------------------------+ -| **Release date** | 2024/06/13 | +| **Release date** | 2025/01/09 | | | | +--------------------------------------+--------------------------------------+ New features ------------ -* authentication (14.0.0) - add configurable Keycloak Realm and enable Ingress - Interface Authentication and Authorization -* Update the helm common templates (13.2.0) to: +* Support the latest Database Operators: - * Support the latest Database Operators: + * MariaDB-Operator (0.36.0) + * K8ssandra-Operator (v0.20.2) + * Postgres-Operator (CrunchyData) (5.7.2) + * MongoDB-Operator (Percona) (1.18.0) - * MariaDB-Operator (0.28.1) - * K8ssandra-Operator (v0.16.0) - * Postgres-Operator (CrunchyData) (5.5.0) +* authentication (15.0.0) -* cassandra (13.1.0) - support for new K8ssandra-Operator -* mariadb-galera (13.1.0) - support for new MariaDB-Operator -* mongodb (14.12.3) - update to latest bitnami chart version -* postgres (13.1.0) - support for new Postgres-Operator -* postgres-init (13.0.1) - support for new Postgres-Operator -* readinessCheck (13.1.0) - added check for "Service" readiness -* serviceAccount (13.0.1) - add default role creation + * support for REALM Client AuthorizationSettings + * update oauth2-proxy and keycloak-config-cli versions + * add support for latest keycloak version 26.x + +* Update the helm common templates (13.2.10) to: + + * add SecurityContext settings for Production readiness + +* cassandra (13.1.1) + + * support for new cassandra version (4.1.6) + * add SecurityContext settings for Production readiness + +* mariadb-galera (13.2.3) + + * add SecurityContext settings for Production readiness + +* mariadb-init (13.0.2) + + * add SecurityContext 
settings for Production readiness + +* mongodb (14.12.4) + + * add SecurityContext settings for Production readiness + +* mongodb-init (13.0.2) + + * new chart to support external mongodb initialization + +* postgres (13.1.0) + + * add SecurityContext settings for Production readiness + +* postgres-init (13.0.3) + + * add SecurityContext settings for Production readiness + +* readinessCheck (13.1.1) + + * add SecurityContext settings for Production readiness + +* serviceAccount (13.0.2) + + * adjust default role mapping **Bug fixes** A list of issues resolved in this release can be found here: -https://lf-onap.atlassian.net/projects/OOM/versions/11502 +https://lf-onap.atlassian.net/projects/OOM/versions/10783 **Known Issues** @@ -92,12 +129,16 @@ OOM provides `Helm charts <https://nexus3.onap.org/service/rest/repository/brows Documentation Deliverables ~~~~~~~~~~~~~~~~~~~~~~~~~~ -- :ref:`Project Description <oom_project_description>` - a guide for developers of OOM +- :ref:`Project Description <oom_project_description>` - a guide for developers + of OOM - :ref:`oom_dev_guide` - a guide for developers of OOM -- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use -- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_infra_guide` - a guide for those setting up the environments that + OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing + cloud - :ref:`oom_user_guide` - a guide for operators of an OOM instance -- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications +- :ref:`oom_access_info_guide` - a guide for operators who require access to + OOM applications Known Limitations, Issues and Workarounds ========================================= diff --git a/docs/sections/resources/helm/helm-search.txt b/docs/sections/resources/helm/helm-search.txt index fbca944bf9..b854c7adce 100644 
--- a/docs/sections/resources/helm/helm-search.txt +++ b/docs/sections/resources/helm/helm-search.txt 
@@ -1,29 +1,24 @@ NAME CHART VERSION APP VERSION DESCRIPTION -local/onap 12.0.0 London Open Network Automation Platform (ONAP) -local/a1policymanagement 12.0.0 ONAP A1 Policy Management -local/aai 12.0.0 ONAP Active and Available Inventory -local/cassandra 12.0.0 ONAP cassandra -local/cds 12.0.0 ONAP Controller Design Studio (CDS) -local/cli 12.0.0 ONAP Command Line Interface -local/common 12.0.0 Common templates for inclusion in other charts -local/cps 12.0.0 ONAP Configuration Persistene Service (CPS) -local/dcaegen2 12.0.0 ONAP DCAE Gen2 -local/dmaap 12.0.0 ONAP DMaaP components -local/mariadb-galera 12.0.0 Chart for MariaDB Galera cluster -local/msb 12.0.0 ONAP MicroServices Bus -local/multicloud 12.0.0 ONAP multicloud broker -local/nbi 12.0.0 ONAP Northbound Interface -local/nfs-provisioner 12.0.0 NFS provisioner -local/oof 12.0.0 ONAP Optimization Framework -local/policy 12.0.0 ONAP Policy Administration Point -local/postgres 12.0.0 ONAP Postgres Server -local/robot 12.0.0 A helm Chart for kubernetes-ONAP Robot -local/sdc 12.0.0 Service Design and Creation Umbrella Helm charts -local/sdnc 12.0.0 SDN Controller -local/sdnc-prom 12.0.0 ONAP SDNC Policy Driven Ownership Management -local/sniro-emulator 12.0.0 ONAP Mock Sniro Emulator -local/so 12.0.0 ONAP Service Orchestrator -local/strimzi 12.0.0 ONAP Strimzi Apache Kafka -local/uui 12.0.0 ONAP uui -local/vfc 12.0.0 ONAP Virtual Function Controller (VF-C) -local/vnfsdk 12.0.0 ONAP VNF SDK +local/onap 15.0.0 Oslo Open Network Automation Platform (ONAP) +local/a1policymanagement 13.0.0 ONAP A1 Policy Management +local/aai 15.0.1 ONAP Active and Available Inventory +local/authentication 15.0.0 ONAP Realm creation, Oauth2Proxy installation and configuration +local/cassandra 13.1.1 ONAP cassandra +local/cds 13.0.2 ONAP Controller Design Studio (CDS) +local/common 13.2.10 Common templates for inclusion in other charts +local/cps 13.0.1 ONAP Configuration Persistene Service (CPS) +local/dcaegen2 15.0.1 ONAP DCAE Gen2 
+local/mariadb-galera 13.2.3 Chart for MariaDB Galera cluster +local/multicloud 15.0.2 ONAP multicloud broker +local/platform 13.0.1 ONAP platform components +local/policy 15.0.1 ONAP Policy Administration Point +local/portal-ng 13.0.1 ONAP Next Generation Portal +local/postgres 13.1.0 ONAP Postgres Server +local/repository-wrapper 13.0.0 Wrapper chart to allow docker secret to be shared all instances +local/robot 13.0.0 A helm Chart for kubernetes-ONAP Robot +local/roles-wrapper 13.0.0 Wrapper chart to allow default roles to be shared among onap instances +local/sdc 13.0.1 Service Design and Creation Umbrella Helm charts +local/sdnc 15.1.0 SDN Controller +local/so 13.0.1 ONAP Service Orchestrator +local/strimzi 13.0.2 ONAP Strimzi Apache Kafka +local/uui 13.1.0 ONAP uui diff --git a/docs/sections/resources/yaml/common-gateway.yaml b/docs/sections/resources/yaml/common-gateway.yaml index 3cc1cc55bc..cc6ed61a6d 100644 --- a/docs/sections/resources/yaml/common-gateway.yaml +++ b/docs/sections/resources/yaml/common-gateway.yaml @@ -1,4 +1,4 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 +apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: common-gateway diff --git a/docs/sections/resources/yaml/keycloak-ingress.yaml b/docs/sections/resources/yaml/keycloak-ingress.yaml index 91fc34f381..9318b374e2 100644 --- a/docs/sections/resources/yaml/keycloak-ingress.yaml +++ b/docs/sections/resources/yaml/keycloak-ingress.yaml @@ -24,7 +24,7 @@ spec: Matches: Path: Type: PathPrefix - Value: /auth + Value: / --- apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute @@ -46,10 +46,10 @@ spec: - backendRefs: - group: "" kind: Service - name: keycloak-keycloakx-http + name: keycloak-http port: 80 weight: 1 matches: - path: type: PathPrefix - value: /auth + value: / diff --git a/docs/sections/resources/yaml/keycloak-server-values.yaml b/docs/sections/resources/yaml/keycloak-server-values.yaml index 516a26a76b..52bf5a9809 100644 
--- a/docs/sections/resources/yaml/keycloak-server-values.yaml +++ b/docs/sections/resources/yaml/keycloak-server-values.yaml @@ -1,12 +1,17 @@ --- +fullnameOverride: keycloak + +image: + tag: "26.0.6" + command: - "/opt/keycloak/bin/kc.sh" - "--verbose" - "start" + - "--proxy-headers=forwarded" - "--http-enabled=true" - "--http-port=8080" - "--hostname-strict=false" - - "--hostname-strict-https=false" - "--spi-events-listener-jboss-logging-success-level=info" - "--spi-events-listener-jboss-logging-error-level=warn" diff --git a/kubernetes/aai/Chart.yaml b/kubernetes/aai/Chart.yaml index 351f01a5e0..77078332c9 100644 --- a/kubernetes/aai/Chart.yaml +++ b/kubernetes/aai/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP Active and Available Inventory name: aai -version: 15.0.0 +version: 15.0.1 dependencies: - name: common @@ -34,6 +34,9 @@ dependencies: - name: repositoryGenerator version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' - name: aai-babel version: ~15.x-0 repository: 'file://components/aai-babel' diff --git a/kubernetes/aai/components/aai-babel/Chart.yaml b/kubernetes/aai/components/aai-babel/Chart.yaml index d5783066ad..2d0a78bde4 100644 --- a/kubernetes/aai/components/aai-babel/Chart.yaml +++ b/kubernetes/aai/components/aai-babel/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Babel microservice name: aai-babel -version: 15.0.0 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/aai/components/aai-babel/templates/configmap.yaml b/kubernetes/aai/components/aai-babel/templates/configmap.yaml index baee38c0e2..39d494acc2 100644 --- a/kubernetes/aai/components/aai-babel/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-babel/templates/configmap.yaml 
@@ -21,10 +21,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-babel/templates/deployment.yaml b/kubernetes/aai/components/aai-babel/templates/deployment.yaml index f3fc04c00c..782ed1226c 100644 --- a/kubernetes/aai/components/aai-babel/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml @@ -38,10 +38,12 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} ports: {{- if .Values.debug.enabled }} - containerPort: {{ .Values.debug.port }} @@ -99,6 +101,10 @@ spec: - mountPath: /opt/app/babel/config/logback.xml name: config subPath: logback.xml + - mountPath: /opt/app/babel/logs + name: babel-logs + - mountPath: /tmp + name: tmp resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: 
@@ -120,7 +126,14 @@ spec: secret: secretName: {{ include "common.fullname" . }}-babel-secrets - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.artifactDataSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} + - name: babel-logs + emptyDir: + sizeLimit: {{ .Values.volumes.babelLogsSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-babel/templates/secrets.yaml b/kubernetes/aai/components/aai-babel/templates/secrets.yaml index 9d7d2c5a80..3f2b97c210 100644 --- a/kubernetes/aai/components/aai-babel/templates/secrets.yaml +++ b/kubernetes/aai/components/aai-babel/templates/secrets.yaml @@ -21,11 +21,7 @@ kind: Secret metadata: name: {{ include "common.fullname" . }}-babel-secrets namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml index c07b1245d0..2a57bb23cc 100644 --- a/kubernetes/aai/components/aai-babel/values.yaml +++ b/kubernetes/aai/components/aai-babel/values.yaml @@ -144,3 +144,15 @@ log: level: root: INFO logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + artifactDataSizeLimit: 50Mi + babelLogsSizeLimit: 100Mi + tmpSizeLimit: 100Mi + +securityContext: + user_id: 1000 + group_id: 101 + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' 
diff --git a/kubernetes/aai/components/aai-graphadmin/Chart.yaml b/kubernetes/aai/components/aai-graphadmin/Chart.yaml index 1264d7398f..13315415f2 100644 --- a/kubernetes/aai/components/aai-graphadmin/Chart.yaml +++ b/kubernetes/aai/components/aai-graphadmin/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP AAI GraphAdmin name: aai-graphadmin -version: 15.0.0 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml b/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml index 4e9bf7f7ff..04692fefcc 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml +++ b/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml @@ -17,7 +17,7 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: name: {{ include "common.release" . }}-{{ .Values.global.aaiGraphKafkaUser }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml index ddf752b480..1a32d7b516 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml @@ -25,11 +25,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- if .Values.global.jobs.migration.enabled }} annotations: "helm.sh/hook": pre-upgrade,pre-install 
@@ -47,11 +43,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-properties namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- if .Values.global.jobs.migration.enabled }} annotations: "helm.sh/hook": pre-upgrade,pre-install @@ -68,11 +60,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-migration namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "0" diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml index 6ac078b756..991727d7c6 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml @@ -23,20 +23,7 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: {{- if .Values.config.debug.enabled }} replicas: 1 
@@ -54,19 +41,7 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: hostname: aai-graphadmin terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} @@ -207,11 +182,14 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: tmp-volume - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} - name: script-logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.scriptlogSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: config configMap: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml index 3f0c4e11e5..1cc431c94f 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml 
@@ -41,11 +41,7 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-db-backup namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "2" 
@@ -54,38 +50,19 @@ spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: {{- if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} - - command: - - /bin/bash - - -c - - /app/ready.py --service-name {{ .Values.global.cassandra.serviceName }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-db-backup-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForCassandraService ) | indent 6 | trim}} {{- end }} containers: - name: {{ include "common.name" . }}-db-backup-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} command: - sh args: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml index 5d7e9b6cce..19e62ae7c4 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml 
@@ -40,18 +40,12 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-create-db-schema namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }} spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: initContainers: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml index 4ec2306eca..f6f2f8b1a7 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml @@ -41,11 +41,7 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-migration namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }} annotations: "helm.sh/hook": post-upgrade,post-rollback,post-install "helm.sh/hook-weight": "1" 
@@ -54,35 +50,12 @@ spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --service-name - - {{ .Values.global.cassandra.serviceName }} - - --service-name - - aai-schema-service - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForWithSchemaService) | indent 6 | trim }} - command: - sh args: @@ -125,6 +98,7 @@ spec: echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} sh docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ; {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config 
@@ -172,11 +146,7 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-db-backup-job namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-db-backup-job - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "db-backup-job") | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "2" @@ -185,9 +155,7 @@ spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-db-backup-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "db-backup-job") | nindent 8 }} name: {{ include "common.name" . }} spec: initContainers: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml b/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml index 563b920c04..cd72d7f219 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml @@ -16,16 +16,13 @@ {{- if .Values.global.jobs.migration.enabled -}} {{- if eq "True" (include "common.needPV" .) -}} +{{- if not .Values.persistence.storageClass -}} kind: PersistentVolume apiVersion: v1 metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" + labels: {{- include "common.labels" . | nindent 4 }} name: {{ include "common.fullname" . }} annotations: "helm.sh/hook": pre-upgrade,pre-install 
@@ -42,3 +39,4 @@ spec: path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath1 }} {{- end -}} {{- end -}} +{{- end -}} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml b/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml index bf8900686d..19c1016ca4 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml @@ -20,11 +20,7 @@ apiVersion: v1 metadata: name: {{ include "common.fullname" . }}-migration namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" + labels: {{- include "common.labels" . | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "-1" diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml index 16924e9d5c..b7c09cfd0e 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml @@ -25,12 +25,7 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: 
@@ -58,6 +53,4 @@ spec: name: {{ .Values.service.actuatorPortName }} targetPort: {{ .Values.service.appPort }} {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml index fab3423c42..a2727757cf 100644 --- a/kubernetes/aai/components/aai-graphadmin/values.yaml +++ b/kubernetes/aai/components/aai-graphadmin/values.yaml @@ -103,7 +103,7 @@ global: # global defaults clients: SDNC,-1|MSO,-1|SO,-1|robot-ete,-1 # application image -image: onap/aai-graphadmin:1.15.1 +image: onap/aai-graphadmin:1.15.2 pullPolicy: Always restartPolicy: Always flavor: small @@ -229,6 +229,23 @@ readinessCheck: services: - '{{ .Values.global.cassandra.serviceName }}' - aai-schema-service + waitForCassandra: + containers: + - aai-schema-service + apps: + - cassandra + waitForLocalCassandra: + containers: + - aai-schema-service + apps: + - aai-cassandra + waitForCassandraService: + services: + - '{{ .Values.global.cassandra.serviceName }}' + waitForWithSchemaService: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service service: type: ClusterIP @@ -291,8 +308,8 @@ resources: cpu: "1" memory: "4Gi" requests: - cpu: "0.5" - memory: "1.6Gi" + cpu: "500m" + memory: "1600Mi" large: limits: cpu: "2" @@ -319,9 +336,9 @@ metrics: selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' relabelings: [] 
@@ -369,3 +386,11 @@ kafkaUser: - name: AAI-EVENT type: topic operations: [Read, Write] + +volumes: + logSizeLimit: 64Mi + scriptlogSizeLimit: 300Mi + tmpSizeLimit: 500Mi + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/aai/components/aai-modelloader/Chart.yaml b/kubernetes/aai/components/aai-modelloader/Chart.yaml index 23ce50a6c2..2f561334f5 100644 --- a/kubernetes/aai/components/aai-modelloader/Chart.yaml +++ b/kubernetes/aai/components/aai-modelloader/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP AAI modelloader name: aai-modelloader -version: 15.0.0 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml index d3fd509dcd..c2984626b6 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml @@ -19,11 +19,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-prop namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/model-loader.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/application.properties").AsConfig . | indent 2 }} 
@@ -33,10 +29,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-log namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/log/logback.xml").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml index 486ffbaa49..f3753d0040 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml @@ -19,20 +19,7 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: {{- if .Values.debug.enabled }} replicas: 1 
@@ -51,17 +38,7 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} @@ -69,10 +46,12 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: - name: CONFIG_HOME value: /opt/app/model-loader/config/ @@ -90,8 +69,8 @@ spec: value: {{ .Values.debug.args | quote }} {{- end }} ports: - - containerPort: 9500 - name: http + - containerPort: {{ .Values.service.appPort }} + name: {{ .Values.service.appPortName }} {{- if .Values.debug.enabled }} - containerPort: {{ .Values.debug.port }} name: {{ .Values.debug.portName }} @@ -109,6 +88,8 @@ spec: name: prop-config - mountPath: {{ .Values.log.path }} name: logs + - mountPath: /tmp + name: tmp - mountPath: /opt/app/model-loader/logback.xml name: log-config subPath: logback.xml 
@@ -121,7 +102,11 @@ spec: configMap: name: {{ include "common.fullname" . }}-prop - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: log-config configMap: diff --git a/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml b/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml index 1eb564ed72..961a850ee9 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml @@ -19,8 +19,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: name: {{ include "common.fullname" . }} - labels: - {{- include "common.labels" . | nindent 4 }} + labels: {{- include "common.labels" . | nindent 4 }} spec: selector: matchLabels: diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml index d76b1d33a3..6c8cdb7d31 100644 --- a/kubernetes/aai/components/aai-modelloader/values.yaml +++ b/kubernetes/aai/components/aai-modelloader/values.yaml @@ -74,17 +74,22 @@ nodeSelector: {} affinity: {} +service: + # REST API port for the graphadmin microservice + appPortName: http + appPort: 9500 + # probe configuration parameters liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container enabled: true + path: /healthz + periodSeconds: 10 + initialDelaySeconds: 10 readiness: - initialDelaySeconds: 10 + path: /healthz periodSeconds: 10 + initialDelaySeconds: 10 resources: small: @@ -92,7 +97,7 @@ resources: cpu: "1" memory: "4Gi" requests: - cpu: "0.5" + cpu: "500m" memory: "1Gi" large: limits: 
@@ -135,3 +140,7 @@ log: level: root: INFO logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 64Mi + tmpSizeLimit: 100Mi diff --git a/kubernetes/aai/components/aai-resources/Chart.yaml b/kubernetes/aai/components/aai-resources/Chart.yaml index 7d7075e3a5..c83a28671c 100644 --- a/kubernetes/aai/components/aai-resources/Chart.yaml +++ b/kubernetes/aai/components/aai-resources/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP AAI resources name: aai-resources -version: 15.0.0 +version: 15.0.1 dependencies: - name: common @@ -30,3 +30,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml b/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml index 6b703e7cdd..f6063a024d 100644 --- a/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml +++ b/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml @@ -17,7 +17,7 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: name: {{ include "common.release" . }}-{{ .Values.global.aaiKafkaUser }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: diff --git a/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml b/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml index ed1f8e3ea8..29b191b68d 100644 --- a/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml +++ b/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml @@ -4,11 +4,7 @@ kind: HorizontalPodAutoscaler metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: scaleTargetRef: apiVersion: apps/v1 diff --git a/kubernetes/aai/components/aai-resources/templates/configmap.yaml b/kubernetes/aai/components/aai-resources/templates/configmap.yaml index c3c2262ab9..8e13c8c90d 100644 --- a/kubernetes/aai/components/aai-resources/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-resources/templates/configmap.yaml 
@@ -20,11 +20,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-resources/templates/deployment.yaml b/kubernetes/aai/components/aai-resources/templates/deployment.yaml index 4c6c12b1f4..cb434ed2cd 100644 --- a/kubernetes/aai/components/aai-resources/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-resources/templates/deployment.yaml @@ -20,20 +20,7 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: {{- if or .Values.config.debug.enabled .Values.config.profiling.enabled }} replicas: 1 
@@ -53,19 +40,7 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} {{- if .Values.global.msbEnabled }} {{ $values := .Values }} msb.onap.org/service-info: '[ 
@@ -99,44 +74,20 @@ spec: spec: hostname: aai-resources terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - {{- if .Values.global.jobs.migration.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-migration - {{- else }} - {{- if .Values.global.jobs.createSchema.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-create-db-schema - {{- else }} - - --service-name - - {{ .Values.global.cassandra.serviceName }} - - --service-name - - aai-schema-service - {{- end }} - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{- if .Values.global.jobs.migration.enabled }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_migration) | nindent 8 }} + {{- else if .Values.global.jobs.createSchema.enabled }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_createSchema) | nindent 8 }} + {{- else }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_cassandra) | nindent 8 }} + {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: {{- if .Values.config.env }} {{- range $key,$value := .Values.config.env }} 
@@ -189,6 +140,8 @@ spec: - mountPath: /opt/app/aai-resources/resources/application-keycloak.properties name: {{ include "common.fullname" . }}-config subPath: application-keycloak.properties + - mountPath: /tmp + name: tmp ports: - containerPort: {{ .Values.service.resourcesPort }} name: {{ .Values.service.resourcesPortName }} @@ -252,7 +205,11 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: diff --git a/kubernetes/aai/components/aai-resources/templates/service.yaml b/kubernetes/aai/components/aai-resources/templates/service.yaml index 308dc052c8..605679ee52 100644 --- a/kubernetes/aai/components/aai-resources/templates/service.yaml +++ b/kubernetes/aai/components/aai-resources/templates/service.yaml @@ -19,12 +19,7 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -54,8 +49,6 @@ spec: name: {{ .Values.service.metricsPortName }} targetPort: {{ .Values.service.metricsPortName }} {{- end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} clusterIP: None sessionAffinity: {{ .Values.service.sessionAffinity }} 
diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml index 890276239d..7cba7a425e 100644 --- a/kubernetes/aai/components/aai-resources/values.yaml +++ b/kubernetes/aai/components/aai-resources/values.yaml @@ -134,7 +134,7 @@ aai_enpoints: url: external-system # application image -image: onap/aai-resources:1.15.1 +image: onap/aai-resources:1.15.2 pullPolicy: Always restartPolicy: Always flavor: small @@ -354,9 +354,9 @@ metrics: ## selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' ## RelabelConfigs to apply to samples before scraping ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig @@ -421,3 +421,26 @@ kafkaUser: - name: AAI-EVENT type: topic operations: [Read, Write] + +volumes: + logSizeLimit: 50Mi + tmpSizeLimit: 100Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for_migration: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-migration' + wait_for_createSchema: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema' + wait_for_cassandra: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/aai/components/aai-schema-service/Chart.yaml b/kubernetes/aai/components/aai-schema-service/Chart.yaml index 512090d00a..b10eaa2e43 100644 --- a/kubernetes/aai/components/aai-schema-service/Chart.yaml +++ b/kubernetes/aai/components/aai-schema-service/Chart.yaml 
@@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP AAI Schema Service name: aai-schema-service -version: 15.0.0 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml index 957387158a..0490f4325a 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml @@ -19,11 +19,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-log namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/logback.xml").AsConfig . | indent 2 }} --- @@ -32,11 +28,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-localhost-access-log namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/localhost-access-logback.xml").AsConfig . | indent 2 }} --- @@ -45,11 +37,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-aaiconfig namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/aaiconfig.properties").AsConfig . | indent 2 }} --- 
@@ -58,11 +46,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-springapp namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/application.properties").AsConfig . | indent 2 }} --- @@ -71,10 +55,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-realm namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/realm.properties").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml index 725467019f..9fadcd7077 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml 
@@ -19,20 +19,7 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "" "labels" .Values.labels "annotations" .Values.annotations ) | nindent 2 }} spec: {{- if .Values.debug.enabled }} replicas: 1 
@@ -51,24 +38,30 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + - command: ["cp", "-R", "/opt/app/aai-schema-service/.", "/opt/app/aai-schema-service_rw/"] + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: copy-base-folder + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: + limits: + cpu: 100m + memory: 200Mi + requests: + cpu: 3m + memory: 20Mi + volumeMounts: + - mountPath: /opt/app/aai-schema-service_rw + name: aai-schema-service containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: {{- if .Values.profiling.enabled }} - name: PRE_JVM_ARGS @@ -79,6 +72,8 @@ spec: value: {{ .Values.debug.args | quote }} {{- end }} volumeMounts: + - mountPath: /opt/app/aai-schema-service + name: aai-schema-service - mountPath: /opt/app/aai-schema-service/resources/etc/appprops/aaiconfig.properties name: aaiconfig-conf subPath: aaiconfig.properties 
@@ -138,8 +133,12 @@ spec: - name: aai-common-aai-auth-mount secret: secretName: aai-common-aai-auth + - name: aai-schema-service + emptyDir: + sizeLimit: {{ .Values.volumes.aaiSizeLimit }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: log-conf configMap: diff --git a/kubernetes/aai/components/aai-schema-service/templates/service.yaml b/kubernetes/aai/components/aai-schema-service/templates/service.yaml index 412b62c6fe..de0270f592 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/service.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/service.yaml @@ -19,12 +19,7 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -45,6 +40,4 @@ spec: name: {{ .Values.service.debugPortName }} targetPort: {{ .Values.service.debugPortName }} {{- end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml index 0ffeb55dd5..3763db940e 100644 --- a/kubernetes/aai/components/aai-schema-service/values.yaml +++ b/kubernetes/aai/components/aai-schema-service/values.yaml 
@@ -178,3 +178,10 @@ log: level: root: INFO logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 50Mi + aaiSizeLimit: 150Mi + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/aai/components/aai-sparky-be/Chart.yaml b/kubernetes/aai/components/aai-sparky-be/Chart.yaml index 9c9185baf3..074e266228 100644 --- a/kubernetes/aai/components/aai-sparky-be/Chart.yaml +++ b/kubernetes/aai/components/aai-sparky-be/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP AAI sparky-be name: aai-sparky-be -version: 15.0.0 +version: 15.0.1 dependencies: - name: common @@ -29,3 +29,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml index 7c958fa410..407850eb7f 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml @@ -17,13 +17,6 @@ --- apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/application/*").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml index 28fe1d5c99..ede5b60676 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml 
@@ -38,32 +38,14 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --service-name - - aai - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" . | nindent 8 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} command: - sh args: @@ -158,9 +140,11 @@ spec: configMap: name: {{ include "common.fullname" . }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: modeldir - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.modeldirSizeLimit }} restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml index c4b90d30ca..9cbe9e5fd2 100644 --- a/kubernetes/aai/components/aai-sparky-be/values.yaml +++ b/kubernetes/aai/components/aai-sparky-be/values.yaml 
@@ -128,23 +128,24 @@ serviceMesh: podAnnotations: sidecar.istio.io/rewriteAppHTTPProbers: "false" + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' # Configure resource requests and limits # ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: small: limits: - cpu: "0.5" + cpu: "500m" memory: "4Gi" requests: - cpu: "0.25" + cpu: "250m" memory: "1Gi" large: limits: cpu: "1" memory: "8Gi" requests: - cpu: "0.5" + cpu: "500m" memory: "2Gi" unlimited: {} @@ -158,3 +159,16 @@ serviceAccount: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 64Mi + modeldirSizeLimit: 64Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for: + services: + - aai diff --git a/kubernetes/aai/components/aai-traversal/Chart.yaml b/kubernetes/aai/components/aai-traversal/Chart.yaml index e9545b703f..f4e458f0fb 100644 --- a/kubernetes/aai/components/aai-traversal/Chart.yaml +++ b/kubernetes/aai/components/aai-traversal/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP AAI traversal name: aai-traversal -version: 15.0.0 +version: 15.0.1 dependencies: - name: common @@ -29,3 +29,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml b/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml index 7c6a252315..966e5663f2 100644 --- a/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml +++ b/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml 
@@ -17,7 +17,7 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: name: {{ include "common.release" . }}-{{ .Values.global.aaiTravKafkaUser }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: diff --git a/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml b/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml index 76d2611f16..a14a9b5bda 100644 --- a/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml @@ -1,14 +1,7 @@ {{- if .Values.autoscaling.enabled }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: scaleTargetRef: apiVersion: apps/v1 diff --git a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml index 905c21f4b3..e9415df278 100644 --- a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml 
@@ -18,14 +18,7 @@ apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml index 6d97b0e7e8..d12fc6b702 100644 --- a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml @@ -20,20 +20,7 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: {{- if or .Values.config.debug.enabled .Values.config.profiling.enabled }} replicas: 1 
@@ -53,19 +40,7 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} {{- if .Values.global.msbEnabled }} {{ $values := .Values }} msb.onap.org/service-info: '[ 
@@ -119,43 +94,19 @@ spec: hostname: aai-traversal terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} initContainers: - - command: - - /app/ready.py - args: {{- if .Values.global.jobs.migration.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-migration - {{- else }} - {{- if .Values.global.jobs.createSchema.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-create-db-schema - {{- else }} - - --service-name - - {{ .Values.global.cassandra.serviceName }} - - --service-name - - aai-schema-service - {{- end }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_migration) | nindent 8 }} + {{- else if .Values.global.jobs.createSchema.enabled }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_createSchema) | nindent 8 }} + {{- else }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_cassandra) | nindent 8 }} {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: {{- if .Values.config.env }} {{- range $key,$value := .Values.config.env }} 
@@ -219,6 +170,8 @@ spec: - mountPath: /opt/app/aai-traversal/resources/application-keycloak.properties name: {{ include "common.fullname" . }}-config subPath: application-keycloak.properties + - mountPath: /tmp + name: tmp ports: - containerPort: {{ .Values.service.traversalPort }} name: {{ .Values.service.traversalPortName }} @@ -277,9 +230,14 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} - name: {{ include "common.fullname" . }}-logs-misc - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logmiscSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: diff --git a/kubernetes/aai/components/aai-traversal/templates/job.yaml b/kubernetes/aai/components/aai-traversal/templates/job.yaml index db90f824ef..3ea973fb99 100644 --- a/kubernetes/aai/components/aai-traversal/templates/job.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/job.yaml @@ -24,11 +24,7 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-update-query-data namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{ if .Values.global.jobs.migration.enabled }} annotations: "helm.sh/hook": post-upgrade,post-rollback,post-install 
@@ -38,33 +34,12 @@ metadata: spec: template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --service-name - - aai - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_service) | nindent 6 }} - name: {{ include "common.name" . }}-wait-for-aai-haproxy image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -85,6 +60,16 @@ spec: requests: cpu: "3m" memory: "20Mi" + securityContext: + runAsUser: 100 + runAsGroup: 65533 + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -101,6 +86,7 @@ spec: sh -x /opt/app/aai-traversal/bin/install/updateQueryData.sh ; {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-realtime.properties 
@@ -127,9 +113,11 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} - name: {{ include "common.fullname" . }}-logs-misc - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logmiscSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: diff --git a/kubernetes/aai/components/aai-traversal/templates/service.yaml b/kubernetes/aai/components/aai-traversal/templates/service.yaml index 49ed56306a..60e8efc2ad 100644 --- a/kubernetes/aai/components/aai-traversal/templates/service.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/service.yaml @@ -19,12 +19,7 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -54,8 +49,6 @@ spec: name: {{ .Values.service.metricsPortName }} targetPort: {{ .Values.service.metricsPortName }} {{- end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} clusterIP: None sessionAffinity: {{ .Values.service.sessionAffinity }} diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml index e19ea65b9c..fd8206865e 100644 --- a/kubernetes/aai/components/aai-traversal/values.yaml +++ b/kubernetes/aai/components/aai-traversal/values.yaml 
@@ -111,7 +111,7 @@ global: # global defaults someConfig: random # application image -image: onap/aai-traversal:1.15.1 +image: onap/aai-traversal:1.15.2 pullPolicy: Always restartPolicy: Always flavor: small @@ -353,6 +353,9 @@ endpoints: info: enabled: true +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + metrics: serviceMonitor: enabled: true @@ -383,9 +386,9 @@ metrics: ## selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' ## RelabelConfigs to apply to samples before scraping ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig @@ -418,6 +421,30 @@ log: root: INFO base: INFO # base package (org.onap.aai) logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 50Mi + logmiscSizeLimit: 50Mi + tmpSizeLimit: 100Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for_migration: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-migration' + wait_for_createSchema: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema' + wait_for_cassandra: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service + wait_for_service: + services: + - aai ################################################################# # Secrets metaconfig ################################################################# diff --git a/kubernetes/aai/resources/config/haproxy/resolvers.conf b/kubernetes/aai/resources/config/haproxy/resolvers.conf new file mode 100644 index 0000000000..c456e3526a --- /dev/null 
+++ b/kubernetes/aai/resources/config/haproxy/resolvers.conf @@ -0,0 +1,3 @@ +resolvers kubernetes + nameserver dns1 {{.Values.config.NAME_SERVER}}:53 + hold valid 1s diff --git a/kubernetes/aai/templates/authorizationpolicy.yaml b/kubernetes/aai/templates/authorizationpolicy.yaml index fa59f52f35..f48e06eab4 100644 --- a/kubernetes/aai/templates/authorizationpolicy.yaml +++ b/kubernetes/aai/templates/authorizationpolicy.yaml @@ -27,6 +27,7 @@ kind: AuthorizationPolicy metadata: name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}} namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} spec: selector: matchLabels: diff --git a/kubernetes/aai/templates/configmap.yaml b/kubernetes/aai/templates/configmap.yaml index dac36d729d..c66af502ac 100644 --- a/kubernetes/aai/templates/configmap.yaml +++ b/kubernetes/aai/templates/configmap.yaml @@ -22,12 +22,9 @@ kind: ConfigMap metadata: name: aai-deployment-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: +{{ tpl (.Files.Glob "resources/config/haproxy/resolvers.conf").AsConfig . | indent 2 }} {{ if .Values.global.installSidecarSecurity }} {{ tpl (.Files.Glob "resources/config/haproxy/haproxy-pluggable-security.cfg").AsConfig . | indent 2 }} {{ else }} @@ -40,6 +37,7 @@ kind: Secret metadata: name: aai-fproxy-auth-certs namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/fproxy/auth/*").AsSecrets . | indent 2 }} 
@@ -49,6 +47,7 @@ kind: Secret metadata: name: aai-rproxy-auth-certs namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/rproxy/auth/*").AsSecrets . | indent 2 }} @@ -58,6 +57,7 @@ kind: Secret metadata: name: aai-rproxy-security-config namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/rproxy/security/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml index 58bbc8af78..a743592036 100644 --- a/kubernetes/aai/templates/deployment.yaml +++ b/kubernetes/aai/templates/deployment.yaml @@ -18,20 +18,7 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: matchLabels: 
@@ -46,59 +33,48 @@ spec: maxSurge: {{ .Values.updateStrategy.maxSurge }} {{- end }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.release" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --service-name - - aai-resources - - --service-name - - aai-traversal - - --service-name - - aai-graphadmin - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} + {{ include "common.readinessCheck.waitFor" . | indent 6 | trim}} + - command: ["/bin/sh","-c"] + args: ['cp -R /usr/local/etc/haproxy /usr/local/etc/haproxy_rw/'] + image: '{{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}' imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + name: copy-haproxy-config resources: - requests: - memory: {{ .Values.haproxy.initContainers.resources.memory }} - cpu: {{ .Values.haproxy.initContainers.resources.cpu }} limits: - memory: {{ .Values.haproxy.initContainers.resources.memory }} - cpu: {{ .Values.haproxy.initContainers.resources.cpu }} + cpu: 100m + memory: 200Mi + requests: + cpu: 2m + memory: 100Mi + {{ include "common.containerSecurityContext" . 
| indent 8 | trim }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /usr/local/etc/haproxy_rw + name: haproxy-etc containers: - name: {{ include "common.name" . }} - image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}" + image: '{{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}' imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: + - mountPath: /usr/local/etc/haproxy + name: haproxy-etc + - mountPath: /usr/local/etc/haproxy/resolvers.conf + name: haproxy-config + subPath: resolvers.conf + readOnly: true - mountPath: /usr/local/etc/haproxy/haproxy.cfg {{ if .Values.global.installSidecarSecurity }} subPath: haproxy-pluggable-security.cfg {{ else }} subPath: haproxy.cfg {{ end }} - name: haproxy-cfg + name: haproxy-config ports: - containerPort: {{ .Values.service.internalPort }} name: {{ .Values.service.portName }} @@ -113,7 +89,11 @@ spec: initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: {{ include "common.resources" . | nindent 10 }} readinessProbe: + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} httpGet: path: /aai/util/echo port: {{ .Values.service.internalPort }} @@ -129,9 +109,6 @@ spec: value: OOM_ReadinessCheck_TID - name: Accept value: application/json - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} 
@@ -142,7 +119,10 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: haproxy-cfg - configMap: - name: aai-deployment-configmap + - name: haproxy-config + configMap: + name: aai-deployment-configmap + - name: haproxy-etc + emptyDir: + sizeLimit: {{ .Values.volumes.haProxySizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/templates/secret.yaml b/kubernetes/aai/templates/secret.yaml index d868b9582e..1a592a0801 100644 --- a/kubernetes/aai/templates/secret.yaml +++ b/kubernetes/aai/templates/secret.yaml @@ -19,11 +19,7 @@ kind: Secret metadata: name: aai-common-aai-auth namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }} @@ -33,6 +29,7 @@ kind: Secret metadata: name: aai-common-truststore namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/aai/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/templates/service.yaml b/kubernetes/aai/templates/service.yaml index b5a8cc1a0d..1509311a2b 100644 --- a/kubernetes/aai/templates/service.yaml +++ b/kubernetes/aai/templates/service.yaml 
@@ -19,12 +19,7 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: ports: - name: {{ .Values.service.portName }} @@ -36,8 +31,7 @@ spec: {{ end }} {{- end }} type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}{{ .Values.service.type }}{{ end }} - selector: - app: {{ include "common.name" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} sessionAffinity: {{ .Values.service.sessionAffinity }} --- apiVersion: v1 
@@ -45,38 +39,26 @@ kind: Service metadata: name: {{ include "common.servicename" . }}-internal namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: ports: - name: {{ .Values.service.portName }} port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} type: ClusterIP - selector: - app: {{ include "common.name" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} --- apiVersion: v1 kind: Service metadata: name: {{ include "common.servicename" . }}-metrics namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-metrics - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: ports: - port: {{ .Values.metricsService.externalPort }} targetPort: {{ .Values.metricsService.internalPort }} name: {{ .Values.metricsService.portName }} type: {{ .Values.metricsService.type }} - selector: - app: {{ include "common.name" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} clusterIP: None diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml index e129220e23..a000d2f934 100644 --- a/kubernetes/aai/values.yaml +++ b/kubernetes/aai/values.yaml @@ -309,7 +309,7 @@ aai-traversal: # application image dockerhubRepository: registry.hub.docker.com -image: onap/aai-haproxy:1.11.0 +image: onap/aai-haproxy:1.15.2 pullPolicy: Always flavor: small 
@@ -321,6 +321,9 @@ debugEnabled: false config: logstashServiceName: log-ls logstashPort: 5044 + # IP address of name server is needed in nginx configuration. The secure endpoint for logging with Keycloak need the ip address in the config file. + # You can find this ip address in the /etc/resolv.conf This file is generated by k8s. The name server ip address is in all k8s cluster the same. + NAME_SERVER: coredns.kube-system # default number of instances replicaCount: 1 @@ -408,9 +411,9 @@ metrics: selector: app: '{{ include "common.name" . }}-metrics' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' relabelings: [] @@ -459,15 +462,15 @@ resources: cpu: "2" memory: "4Gi" requests: - cpu: "1" - memory: "1.2Gi" + cpu: "500m" + memory: "1200Mi" large: limits: cpu: "4" memory: "8Gi" requests: - cpu: "2" - memory: "2.4Gi" + cpu: "1" + memory: "2400Mi" unlimited: {} #Pods Service Account @@ -475,3 +478,20 @@ serviceAccount: nameOverride: aai roles: - read + +securityContext: + user_id: 99 + group_id: 99 + +readinessCheck: + wait_for: + services: + - aai-resources + - aai-traversal + - aai-graphadmin + +volumes: + haProxySizeLimit: 20Mi + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/authentication/Chart.yaml b/kubernetes/authentication/Chart.yaml index e8400aeb81..d178f38481 100644 --- a/kubernetes/authentication/Chart.yaml +++ b/kubernetes/authentication/Chart.yaml 
@@ -16,7 +16,7 @@ # limitations under the License. # ============LICENSE_END========================================================= apiVersion: v2 -version: 14.0.1 +version: 15.0.0 description: ONAP Realm creation, Oauth2Proxy installation and configuration name: authentication sources: @@ -31,8 +31,8 @@ dependencies: version: ~13.x-0 repository: '@local' - name: onap-keycloak-config-cli - version: 5.12.0 + version: 6.1.6 repository: 'file://components/keycloak-config-cli' - name: onap-oauth2-proxy - version: 7.5.4 + version: 7.8.0 repository: 'file://components/oauth2-proxy' diff --git a/kubernetes/authentication/README.md b/kubernetes/authentication/README.md index 306e2f9645..c2332b409a 100644 --- a/kubernetes/authentication/README.md +++ b/kubernetes/authentication/README.md 
@@ -27,20 +27,24 @@ This sections sets the realm general attributes shown in Keycloak realmSettings: - name: <Realm ID> - unique ID for a realm (e.g. "ONAP") displayName: <Display Name> - (optional) Keycloak Display Name (e.g. "ONAP Realm") + accessTokenLifespan: - (optional) Access Tolek Lifespan (default: 1900) + registrationAllowed: - (optional) Enable/disable the registration page (default: false) + resetPasswordAllowed: - (optional) Show a link on login page for user to click when they have forgotten their credentials (default: true) + sslRequired: - (optional) Is HTTPS required? ('None'|'External'|'All requests' (default: "external") themes: - (optional) Keycloak Theme settings login: <login theme> - (optional) Keycloak Theme for Login UI (e.g. "base") admin: <admin theme> - (optional) Keycloak Theme for Admin UI (e.g. "base") account: <account theme> - (optional) Keycloak Theme for Account UI (e.g. "base") email: <email theme> - (optional) Keycloak Theme for Email UI (e.g. "base") - attributes: - frontendUrl: "<Keycloak URL>" - External Url for Keycloak access (e.g. "https://keycloak-$PARAM_BASE_URL/") + attributes: - (optional) + frontendUrl: "<Keycloak URL>" - (optional) External Url for Keycloak access (e.g. "https://keycloak-$PARAM_BASE_URL/") ``` ### CLIENT definitions In this section each realm authentication client is defined e.g. portal-bff, oauth2-proxy, grafana -possible "attribute" settings (maybe more): +- possible "attributes" settings (maybe more): - id.token.as.detached.signature: "false" - exclude.session.state.from.auth.response: "false" - tls.client.certificate.bound.access.tokens: "false" 
@@ -89,6 +93,7 @@ possible "attribute" settings (maybe more): serviceAccountsEnabled: "<false|true>" - (optional) serviceAccountsEnabled (default: false) frontchannelLogout: "<false|true>" - (optional) frontend channel logout (default: true) surrogateAuthRequired: "<false|true>" - (optional) surrogate Auth Required (default: false) + authorizationServicesEnabled: "<false|true>" - (optional) enable Authorization Services (RBAC) (default: false) publicClient: "<false|true>" - (optional) public Client (default: false) attributes: - (optional) attributes settings (see code) post.logout.redirect.uris: '<url>' - example 
@@ -117,32 +122,79 @@ possible "attribute" settings (maybe more): - "http://localhost/*" webOrigins: - "https://argocd-$PARAM_BASE_URL" - defaultClientScopes: - - "web-origins" + defaultClientScopes: - (optional) definition of default client scopes + - "web-origins" - if used, has to contain the full scope list - "profile" - "acr" - "email" - "roles" - "groups" + optionalClientScopes: - (optional) definition of optional client scopes + - ... - if used, has to contain the full scope list ``` -### CLIENT SCOPE definitions +#### Authorization settings within Client section (optional) -Here additional scopes besides the default scopes can be defined and set as default client scope +Information about the Keycloak Authorization Services can be found under: <https://www.keycloak.org/docs/latest/authorization_services/index.html> -default scopes: +To enable Authorization the setting shown above needs to be: + - authorizationServicesEnabled: true - - roles - - groups - - acr - - profile - - address - - web-origin - - phone - - email - - offline_access - - role_list - - microprofile-jwt +```yaml + authorizationSettings: + allowRemoteResourceManagement: "<false|true>" - (optional) managed remotely by the resource server? (default: true) + policyEnforcementMode: "<ENFORCING|PERMISSIVE|DISABLED>"- (optional) dictates how policies are enforced (default: ENFORCING) + decisionStrategy: "<UNANIMOUS|AFFIRMATIVE>" - (optional) dictates how permissions are evaluated (default: UNANIMOUS) + resources: - resources definitions + - name: "<resource name>" - unique name for this resource + displayName: "<display name>" - (optional) user-friendly name for the resource + type: "<type>" - Type can be used to group different resource instances with the same type + ownerManagedAccess: <true|false> - (optional) access can be managed by the resource owner? 
(default: false) + attributes: {} - (optional) The attributes associated wth the resource + uris: - Set of URIs which are protected by resource + - "/*" + - ... + scopes: - The scopes associated with this resource + - name: "<scope name1>" + - ... + icon_uri: "<uri>" - (optional) A URI pointing to an icon. + - ... + policies: - policy definitions + - name: "<policy name>" - unique name for this policy + description: "<description>" - (optional) A description for this policy + type: "<role|client|...>" - Choose the policy type + logic: "<POSITIVE|NEGATIVE>" - dictates how the policy decision should be made + roles: - Specifies the client roles allowed by this policy + - id: "<role name>" - points to an existing role + required: <true|false> - decide, whether role is required + ... + - ... + permissions: - policy definitions + - name: "<permission name>" - unique name for this permission + description: "<description>" - (optional) A description for this permission + type: "<scope|resource>" - Choose the permission type + decisionStrategy: "<UNANIMOUS|AFFIRMATIVE|CONSENSUS>" - dictates how the policies associated with a given permission are evaluated + resources: - Specifies that this permission must be applied to a specific resource instance + - "<resource name>" - points to an existing resource + - ... + scopes: - Specifies that this permission must be applied to one or more scopes + - "<scope name>" - points to an existing scope + - ... + applyPolicies: - Specifies all the policies that must be applied to the scopes defined by this permission + - "<policy-name>" - points to an existing policy + - ... + - ... + scopes: - scope definitions + - name: "<scope name>" - unique name for this scope + iconUri: "<uri>" - (optional) A URI pointing to an icon. + displayName: "<display name>" - (optional) user-friendly name for the resource + - ... 
+``` + +### CLIENT SCOPE definitions + +Here additional scopes besides the default scopes can be defined and set as defaul client scope +default scopes: roles, groups, acr, profile, address, web-origin, phone, email, offline_access, role_list, microprofile-jwt ```yaml defaultClientScopes: @@ -176,13 +228,7 @@ default scopes: ### Access control definitions In this section additional roles (assignableRoles) besides the default roles can be set. - -default roles: - - user - - admin - - offline_access - - uma_authorization - - default-roles-<realm> +default roles: user, admin, offline_access, uma_authorization, default-roles-<realm> (optional) accessRoles can be defined. These access roles are used in the Ingress "Auhorization Policy" to restrict the access to certain services @@ -223,6 +269,8 @@ The access role is assigned to a realm client (e.g. oauth2_proxy) - type: password - (optional) initial password (<pwd>: encrypted password, <salt>: used salt) secretData: "{\"value\":\"<pwd>\",\"salt\":\"<salt>\"}" credentialData: "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" + requiredActions: - (optional) action, the user has to execute + - <action> - e.g. "UPDATE_PASSWORD", "UPDATE_PROFILE",... attributes: - (optional) additional attributes sdc_user: - example attribute - "cs0008" 
@@ -290,16 +338,9 @@ The access role is assigned to a realm client (e.g. oauth2_proxy) user: "onapsupport" ``` -## Ingress Authentication settings +## Requirements -Activating the Ingress Authentication (enabled: true) will create AuthorizationPolicy resources for each defined "accessControl.accessRoles" in a REALM definition. +authentication needs the following ONAP projects to work: -``` -ingressAuthentication: - enabled: false - exceptions: - - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}' - - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ui") }}' - - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "minio-console") }}' - - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "uui-server") }}' -``` +- common +- serviceAccount diff --git a/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml index 80e5d27c9f..c196bcc6e2 100644 --- a/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml @@ -20,8 +20,8 @@ apiVersion: v2 name: onap-keycloak-config-cli description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak. home: https://github.com/adorsys/keycloak-config-cli -version: 5.12.0 -appVersion: 5.12.0 +version: 6.1.6 +appVersion: 6.1.6 maintainers: - name: jkroepke email: joe@adorsys.de diff --git a/kubernetes/authentication/components/keycloak-config-cli/values.yaml b/kubernetes/authentication/components/keycloak-config-cli/values.yaml index 46c67dd220..9574d148ec 100644 --- a/kubernetes/authentication/components/keycloak-config-cli/values.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/values.yaml 
@@ -23,7 +23,7 @@ nameOverride: "" image: repository: adorsys/keycloak-config-cli - tag: "{{ .Chart.AppVersion }}-22.0.4" + tag: "{{ .Chart.AppVersion }}-25.0.6" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. diff --git a/kubernetes/authentication/components/oauth2-proxy/Chart.yaml b/kubernetes/authentication/components/oauth2-proxy/Chart.yaml index 3bcf687241..300ed0964b 100644 --- a/kubernetes/authentication/components/oauth2-proxy/Chart.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/Chart.yaml @@ -1,7 +1,7 @@ name: onap-oauth2-proxy -version: 7.5.4 +version: 7.8.0 apiVersion: v2 -appVersion: 7.6.0 +appVersion: 7.7.1 home: https://oauth2-proxy.github.io/oauth2-proxy/ description: A reverse proxy that provides authentication with Google, Github or other providers keywords: @@ -14,7 +14,7 @@ keywords: - redis dependencies: - name: redis - version: 19.1.0 + version: 20.3.0 repository: https://charts.bitnami.com/bitnami alias: redis condition: redis.enabled @@ -38,11 +38,11 @@ maintainers: email: joel.speed@hotmail.co.uk - name: pierluigilenoci email: pierluigi.lenoci@gmail.com -kubeVersion: ">=1.9.0-0" +kubeVersion: ">=1.16.0-0" annotations: artifacthub.io/changes: | - - kind: changed - description: Wait for redis script fixes for cluster and sentinel + - kind: added + description: allow templates in annotations links: - name: Github PR - url: https://github.com/oauth2-proxy/manifests/issues/205 + url: https://github.com/oauth2-proxy/manifests/pull/256 diff --git a/kubernetes/authentication/components/oauth2-proxy/README.md b/kubernetes/authentication/components/oauth2-proxy/README.md index 55a5e44429..0dc6c13962 100644 --- a/kubernetes/authentication/components/oauth2-proxy/README.md +++ b/kubernetes/authentication/components/oauth2-proxy/README.md 
@@ -1,6 +1,6 @@ # oauth2-proxy -[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. +[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by e-mail, domain, or group. ## TL;DR; @@ -21,7 +21,8 @@ To install the chart with the release name `my-release`: $ helm install my-release oauth2-proxy/oauth2-proxy ``` -The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. +The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. +The [configuration](#configuration) section lists the parameters that can be configured during installation. ## Uninstalling the Chart 
@@ -35,34 +36,37 @@ The command removes all the Kubernetes components associated with the chart and ## Upgrading an existing Release to a new major version -A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an -incompatible breaking change needing manual actions. +A major chart version change (like v1.2.3 -> v2.0.0) indicates an incompatible breaking change needing manual actions. ### To 1.0.0 -This version upgrades oauth2-proxy to v4.0.0. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400) in order to upgrade. +This version upgrades oauth2-proxy to v4.0.0. To upgrade, please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400). ### To 2.0.0 -Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion `apps/v1beta2`. See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information. +Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by addressing the Deployment object apiVersion `apps/v1beta2` deprecation. +See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information. -Due to [this issue](https://github.com/helm/helm/issues/6583) there may be errors performing a `helm upgrade` of this chart from versions earlier than 2.0.0. +Due to [this issue](https://github.com/helm/helm/issues/6583), errors may occur when performing a `helm upgrade` of this chart from versions earlier than 2.0.0. ### To 3.0.0 -Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. This is a breaking change since the service account is enabled by default. 
To disable this behaviour set `serviceAccount.enabled` to `false` +Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. +This is a breaking change since the service account is enabled by default. +To disable this behaviour set `serviceAccount.enabled` to `false` ### To 4.0.0 Version 4.0.0 adds support for the new Ingress apiVersion **networking.k8s.io/v1**. -Therefore the `ingress.extraPaths` parameter needs to be updated to the new format. +Therefore, the `ingress.extraPaths` parameter must be updated to the new format. See the [v1.22 API deprecations guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122) for more information. For the same reason `service.port` was renamed to `service.portNumber`. ### To 5.0.0 -Version 5.0.0 introduces support for custom labels and refactor [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). This is a breaking change because many labels of all resources need to be updated to stay consistent. +Version 5.0.0 introduces support for custom labels and refactor [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). +This is a breaking change because many labels of all resources need to be updated to stay consistent. In order to upgrade, delete the Deployment before upgrading: 
@@ -80,140 +84,157 @@ For users who don't want downtime, you can perform these actions: ### To 6.0.0 -Version 6.0.0 bumps the version of the redis subchart from ~10.6.0 to ~16.4.0. You probably need to adjust your redis config. See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions. +Version 6.0.0 bumps the version of the Redis subchart from ~10.6.0 to ~16.4.0. +You probably need to adjust your Redis configuration. +See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions. + +### To 7.0.0 + +Version 7.0.0 introduces a new implementation to support multiple hostAliases. +You probably need to adjust your hostAliases config. +See [here](https://github.com/oauth2-proxy/manifests/pull/164/) for detailed information. ## Configuration The following table lists the configurable parameters of the oauth2-proxy chart and their default values. -Parameter | Description | Default ---- | --- | --- -`affinity` | node/pod affinities | None -`authenticatedEmailsFile.enabled` | Enables authorize individual email addresses | `false` -`authenticatedEmailsFile.persistence` | Defines how the email addresses file will be projected, via a configmap or secret | `configmap` -`authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""` -`authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the email addresses list | `""` -`authenticatedEmailsFile.restricted_access` | [email addresses](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#email-authentication) list config | `""` -`authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` -`config.clientID` | oauth client ID | `""` -`config.clientSecret` | oauth client secret | `""` -`config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand 
-base64 32 \| head -c 32 \| base64` | `""` -`config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil` -`config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` -`config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` -`config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""` -`alphaConfig.enabled` | Flag to toggle any alpha config related logic | `false` -`alphaConfig.annotations` | Configmap annotations | `{}` -`alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` -`alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` -`alphaConfig.configData` | Arbitrary configuration data to append | `{}` -`alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` -`alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` -`alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. 
See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` -`customLabels` | Custom labels to add into metadata | `{}` | -`config.google.adminEmail` | user impersonated by the google service account | `""` -`config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account json | `false` -`config.google.targetPrincipal` | service account to use/impersonate | `""` -`config.google.serviceAccountJson` | google service account json contents | `""` -`config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil` -`config.google.groups` | restrict logins to members of these google groups | `[]` -`containerPort` | used to customise port on the deployment | `""` -`extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows to configure the same flag multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). | `{}` or `[]` -`extraContainers` | List of extra containers to be added to the pod | `[]` -`extraEnv` | key:value list of extra environment variables to give the binary | `[]` -`extraVolumes` | list of extra volumes | `[]` -`extraVolumeMounts` | list of extra volumeMounts | `[]` -`hostAliases` | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution. 
-`htpasswdFile.enabled` | enable htpasswd-file option | `false` -`htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#command-line-options) | `{}` -`htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""` -`httpScheme` | `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. | `http` -`image.pullPolicy` | Image pull policy | `IfNotPresent` -`image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy` -`image.tag` | Image tag | `""` (defaults to appVersion) -`imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) -`ingress.enabled` | Enable Ingress | `false` -`ingress.className` | name referencing IngressClass | `nil` -`ingress.path` | Ingress accepted path | `/` -`ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific` -`ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). | `[]` -`ingress.labels` | Ingress extra labels | `{}` -`ingress.annotations` | Ingress annotations | `nil` -`ingress.hosts` | Ingress accepted hostnames | `nil` -`ingress.tls` | Ingress TLS configuration | `nil` -`initContainers.waitForRedis.enabled` | if `redis.enabled` is true, use an init container to wait for the redis master pod to be ready. 
If `serviceAccount.enabled` is true, create additionally a role/binding to get, list and watch the redis master pod | `true` -`initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` -`initContainers.waitForRedis.image.repository` | kubectl image repository | `docker.io/bitnami/kubectl` -`initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")` -`initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` -`initContainers.waitForRedis.timeout` | number of seconds | 180 -`initContainers.waitForRedis.resources` | pod resource requests & limits | `{}` -`livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` -`livenessProbe.initialDelaySeconds` | number of seconds | 0 -`livenessProbe.timeoutSeconds` | number of seconds | 1 -`namespaceOverride` | Override the deployment namespace | `""` -`nodeSelector` | node labels for pod assignment | `{}` -`deploymentAnnotations` | annotations to add to the deployment | `{}` -`podAnnotations` | annotations to add to each pod | `{}` -`podLabels` | additional labesl to add to each pod | `{}` -`podDisruptionBudget.enabled`| Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true -`podDisruptionBudget.minAvailable`| minAvailable parameter for PodDisruptionBudget | 1 -`podSecurityContext` | Kubernetes security context to apply to pod | `{}` -`priorityClassName` | priorityClassName | `nil` -`readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. 
See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` -`readinessProbe.initialDelaySeconds` | number of seconds | 0 -`readinessProbe.timeoutSeconds` | number of seconds | 5 -`readinessProbe.periodSeconds` | number of seconds | 10 -`readinessProbe.successThreshold` | number of successes | 1 -`replicaCount` | desired number of pods | `1` -`resources` | pod resource requests & limits | `{}` -`revisionHistoryLimit` | maximum number of revisions maintained | 10 -`service.portNumber` | port number for the service | `80` -`service.appProtocol` | application protocol on the port of the service | `http` -`service.type` | type of service | `ClusterIP` -`service.clusterIP` | cluster ip address | `nil` -`service.loadBalancerIP` | ip of load balancer | `nil` -`service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil` -`service.nodePort` | external port number for the service when service.type is `NodePort` | `nil` -`serviceAccount.enabled` | create a service account | `true` -`serviceAccount.name` | the service account name | `` -`serviceAccount.annotations` | (optional) annotations for the service account | `{}` -`strategy` | configure deployment strategy | `{}` -`tolerations` | list of node taints to tolerate | `[]` -`securityContext.enabled` | enable Kubernetes security context on container | `true` -`proxyVarsAsSecrets` | choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true` -`sessionStorage.type` | Session storage type which can be one of the following: cookie or redis | `cookie` -`sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""` -`sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. 
Taken from redis subchart secret if not set. sessionStorage.redis.existingSecret takes precedence | `nil` -`sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the redis password value | `redis-password` -`sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone` -`sessionStorage.redis.standalone.connectionUrl` | URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set. | `""` -`sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` -`sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""` -`sessionStorage.redis.sentinel.password` | Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` | `nil` -`sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the redis sentinel password value | `redis-sentinel-password` -`sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil` -`sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. 
`["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` -`topologySpreadConstraints` | List of pod topology spread constraints | `[]` -`redis.enabled` | Enable the redis subchart deployment | `false` -`checkDeprecation` | Enable deprecation checks | `true` -`metrics.enabled` | Enable Prometheus metrics endpoint | `true` -`metrics.port` | Serve Prometheus metrics on this port | `44180` -`metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil` -`metrics.service.appProtocol` | application protocol of the metrics port in the service | `http` -`metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` -`metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` -`metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default` -`metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s` -`metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` -`metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource| `{}` -`metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.| `""` -`metrics.serviceMonitor.tlsConfig` | TLS configuration to use when scraping the endpoint. 
For example if using istio mTLS.| `{}` -`metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file.| `""` -`metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster| `{}` -`metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion.| `[]` -`metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion.| `[]` -`extraObjects` | Extra K8s manifests to deploy | `[]` +| Parameter | Description | Default | +|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------| +| `affinity` | node/pod affinities | None | +| `authenticatedEmailsFile.enabled` | Enables authorize individual e-mail addresses | `false` | +| `authenticatedEmailsFile.persistence` | Defines how the e-mail addresses file will be projected, via a configmap or secret | `configmap` | +| `authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""` | +| `authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the e-mail addresses list | `""` | +| `authenticatedEmailsFile.restricted_access` | [e-mail addresses](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/#email-authentication) list config | `""` | +| `authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` | +| `config.clientID` | oauth client ID | `""` | +| `config.clientSecret` | oauth client secret | `""` | +| `config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` 
| `""` | +| `config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil` | +| `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` | +| `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` | +| `config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""` | +| `autoscaling.enabled` | Deploy a Horizontal Pod Autoscaler. | `false` | +| `autoscaling.minReplicas` | Minimum replicas for the Horizontal Pod Autoscaler. | `1` | +| `autoscaling.maxReplicas` | Maximum replicas for the Horizontal Pod Autoscaler. | `10` | +| `autoscaling.targetCPUUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `80` | +| `autoscaling.targetMemoryUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `` | +| `autoscaling.annotations` | Horizontal Pod Autoscaler annotations. 
| `{}` | +| `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` | +| `alphaConfig.annotations` | Configmap annotations | `{}` | +| `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` | +| `alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` | +| `alphaConfig.configData` | Arbitrary configuration data to append | `{}` | +| `alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` | +| `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | +| `alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | +| `customLabels` | Custom labels to add into metadata | `{}` | +| `config.google.adminEmail` | user impersonated by the Google service account | `""` | +| `config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account JSON | `false` | +| `config.google.targetPrincipal` | service account to use/impersonate | `""` | +| `config.google.serviceAccountJson` | Google service account JSON contents | `""` | +| `config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. 
See [Google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil` | +| `config.google.groups` | restrict logins to members of these Google groups | `[]` | +| `containerPort` | used to customize port on the deployment | `""` | +| `extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows the same flag to be configured multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). | `{}` or `[]` | +| `extraContainers` | List of extra containers to be added to the pod | `[]` | +| `extraEnv` | key:value list of extra environment variables to give the binary | `[]` | +| `extraVolumes` | list of extra volumes | `[]` | +| `extraVolumeMounts` | list of extra volumeMounts | `[]` | +| `hostAliases` | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution. | | +| `htpasswdFile.enabled` | enable htpasswd-file option | `false` | +| `htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#command-line-options) | `{}` | +| `htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""` | +| `httpScheme` | `http` or `https`. `name` used for the port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. 
| `http` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.command` | Define command to be executed by container at startup | `[]` | +| `image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy` | +| `image.tag` | Image tag | `""` (defaults to appVersion) | +| `imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `ingress.enabled` | Enable Ingress | `false` | +| `ingress.className` | name referencing IngressClass | `nil` | +| `ingress.path` | Ingress accepted path | `/` | +| `ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific` | +| `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/ingress/annotations/). | `[]` | +| `ingress.labels` | Ingress extra labels | `{}` | +| `ingress.annotations` | Ingress annotations | `nil` | +| `ingress.hosts` | Ingress accepted hostnames | `nil` | +| `ingress.tls` | Ingress TLS configuration | `nil` | +| `initContainers.waitForRedis.enabled` | If `redis.enabled` is true, use an init container to wait for the Redis master pod to be ready. 
If `serviceAccount.enabled` is true, create additionally a role/binding to get, list, and watch the Redis master pod | `true` | +| `initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` | +| `initContainers.waitForRedis.image.repository` | kubectl image repository | `docker.io/bitnami/kubectl` | +| `initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")` +| `initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` | +| `initContainers.waitForRedis.timeout` | number of seconds | 180 | +| `initContainers.waitForRedis.resources` | pod resource requests & limits | `{}` | +| `livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | +| `livenessProbe.initialDelaySeconds` | number of seconds | 0 | +| `livenessProbe.timeoutSeconds` | number of seconds | 1 | +| `namespaceOverride` | Override the deployment namespace | `""` | +| `nodeSelector` | node labels for pod assignment | `{}` | +| `deploymentAnnotations` | annotations to add to the deployment | `{}` | +| `podAnnotations` | annotations to add to each pod | `{}` | +| `podLabels` | additional labels to add to each pod | `{}` | +| `podDisruptionBudget.enabled` | Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true | +| `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget | 1 | +| `podSecurityContext` | Kubernetes security context to apply to pod | `{}` | +| `priorityClassName` | priorityClassName | `nil` | +| `readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. 
See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | +| `readinessProbe.initialDelaySeconds` | number of seconds | 0 | +| `readinessProbe.timeoutSeconds` | number of seconds | 5 | +| `readinessProbe.periodSeconds` | number of seconds | 10 | +| `readinessProbe.successThreshold` | number of successes | 1 | +| `replicaCount` | desired number of pods | `1` | +| `resources` | pod resource requests & limits | `{}` | +| `revisionHistoryLimit` | maximum number of revisions maintained | 10 | +| `service.portNumber` | port number for the service | `80` | +| `service.appProtocol` | application protocol on the port of the service | `http` | +| `service.externalTrafficPolicy` | denotes if the service desires to route external traffic to node-local or cluster-wide endpoints | `Cluster` | +| `service.internalTrafficPolicy` | denotes if the service desires to route internal traffic to node-local or cluster-wide endpoints | `Cluster` | +| `service.type` | type of service | `ClusterIP` | +| `service.clusterIP` | cluster ip address | `nil` | +| `service.loadBalancerIP` | ip of load balancer | `nil` | +| `service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil` | +| `service.nodePort` | external port number for the service when service.type is `NodePort` | `nil` | +| `serviceAccount.enabled` | create a service account | `true` | +| `serviceAccount.name` | the service account name | `` | +| `serviceAccount.annotations` | (optional) annotations for the service account | `{}` | +| `strategy` | configure deployment strategy | `{}` | +| `tolerations` | list of node taints to tolerate | `[]` | +| `securityContext.enabled` | enable Kubernetes security context on container | `true` | +| `proxyVarsAsSecrets` | Choose between environment values or secrets for setting up OAUTH2_PROXY variables. 
When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true` | +| `sessionStorage.type` | Session storage type which can be one of the following: cookie or Redis | `cookie` | +| `sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the Redis & Redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""` | +| `sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. Taken from Redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence | `nil` | +| `sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the Redis password value | `redis-password` | +| `sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for the Redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone` | +| `sessionStorage.redis.standalone.connectionUrl` | URL of Redis standalone server for Redis session storage (e.g., `redis://HOST[:PORT]`). Automatically generated if not set. | `""` | +| `sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g., `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` | +| `sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the Redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""` | +| `sessionStorage.redis.sentinel.password` | Redis sentinel password. 
Used only for sentinel connection; any Redis node passwords need to use `sessionStorage.redis.password` | `nil` | +| `sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the Redis sentinel password value | `redis-sentinel-password` | +| `sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil` | +| `sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` | +| `topologySpreadConstraints` | List of pod topology spread constraints | `[]` | +| `redis.enabled` | Enable the Redis subchart deployment | `false` | +| `checkDeprecation` | Enable deprecation checks | `true` | +| `metrics.enabled` | Enable Prometheus metrics endpoint | `true` | +| `metrics.port` | Serve Prometheus metrics on this port | `44180` | +| `metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil` | +| `metrics.service.appProtocol` | application protocol of the metrics port in the service | `http` | +| `metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` | +| `metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` | +| `metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default` | +| `metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s` | +| `metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` | +| `metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource | `{}` | +| `metrics.serviceMonitor.scheme` | HTTP scheme for scraping. It can be used with `tlsConfig` for example, if using Istio mTLS. | `""` | +| `metrics.serviceMonitor.tlsConfig` | TLS configuration when scraping the endpoint. For example, if using Istio mTLS. | `{}` | +| `metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file. 
| `""` | +| `metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster | `{}` | +| `metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion. | `[]` | +| `extraObjects` | Extra K8s manifests to deploy | `[]` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, @@ -232,7 +253,7 @@ $ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml ## TLS Configuration -See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls). +See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/). Use ```values.yaml``` like: ```yaml @@ -262,9 +283,8 @@ data: ``` ## Extra environment variable templating -The extraEnv value supports the tpl function which evaluate strings as templates inside the deployment template. -This is useful to pass a template string as a value to the chart's extra environment variables and to render external configuration environment values - +The extraEnv value supports the tpl function, which evaluates strings as templates inside the deployment template. +This is useful for passing a template string as a value to the chart's extra environment variables and rendering external configuration environment values. ```yaml ... 
@@ -315,13 +335,14 @@ extraObjects: </body> </html> ``` + ## Multi whitelist-domain configuration -For using multi whitelist-domain configuration for one Oauth2-proxy instance, you have to use the config.configFile section. +You must use the config.configFile section for a multi-whitelist-domain configuration for one Oauth2-proxy instance. -It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` configuration file. -In this example, Google provider is used, but you can find all other provider configuration here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/) +It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` [configuration file](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#config-file). +In this example, Google provider is used, but you can find all other provider configurations here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/). -```yaml +``` config: ... clientID="$YOUR_GOOGLE_CLIENT_ID" @@ -332,7 +353,7 @@ config: email_domains = [ "*" ] upstreams = [ "file:///dev/null" ] cookie_secure = "false" - cookie_domains = [ ".domain.com", ".otherdomain.io" ] - whitelist_domains = [ ".domain.com", ".otherdomain.io"] + cookie_domains = [ ".domain.com", ".example.io" ] + whitelist_domains = [ ".domain.com", ".example.io"] provider = "google" ``` diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml new file mode 100644 index 0000000000..fd1a0060fe --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml @@ -0,0 +1,5 @@ +# Enables Horizontal Pod Autoscaler and removes replica count in deployment +autoscaling: + enabled: true + annotations: + test-annotations/test: "true" 
diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml index 65977d921b..d217653086 100644 --- a/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml @@ -8,6 +8,8 @@ ingress: tls: - hosts: - "{{ $.Release.Name }}.local" + annotations: + test-annotations/test: "{{ $.Release.Name }}" oauth2-proxy: checkDeprecation: false config: @@ -19,3 +21,42 @@ pass_authorization_header: "true" extraArgs: pass-authorization-header: "{{ $.Values.pass_authorization_header }}" + +extraVolumes: + - name: "{{ $.Release.Name }}-secret" + secret: + secretName: "{{ .Release.Name }}-secret" + items: + - key: secret + path: secret + +authenticatedEmailsFile: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +config: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +deploymentAnnotations: + test-annotations/test: "{{ $.Release.Name }}" + +autoscaling: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +alphaConfig: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +service: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +serviceAccount: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +serviceMonitor: + annotations: + test-annotations/test: "{{ $.Release.Name }}" diff --git a/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh b/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh index 24e628f426..62dd9b684f 100644..100755 --- a/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh +++ b/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh 
@@ -24,7 +24,16 @@ check_redis() { # For parsing and checking connections parse_and_check() { url=$1 - clean_url=${url#redis://} + + # Strip either redis:// or rediss:// + if [ $url = "rediss://*" ]; then + clean_url=${url#rediss://} + echo "Using secure Rediss connection..." + else + clean_url=${url#redis://} + echo "Using standard Redis connection..." + fi + host=$(echo $clean_url | cut -d':' -f1) port=$(echo $clean_url | cut -d':' -f2) check_redis $host $port diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml index d9f9cffef7..68c9d76629 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml @@ -6,9 +6,9 @@ metadata: labels: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} -{{- if .Values.authenticatedEmailsFile.annotations }} +{{- with .Values.authenticatedEmailsFile.annotations }} annotations: -{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }}-accesslist namespace: {{ template "oauth2-proxy.namespace" $ }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml index 94d7806d2e..0f164d230c 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml 
@@ -3,9 +3,9 @@ apiVersion: v1 kind: ConfigMap metadata: -{{- if .Values.config.annotations }} +{{- with .Values.config.annotations }} annotations: -{{ toYaml .Values.config.annotations | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: app: {{ template "oauth2-proxy.name" . }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml index 1a626d1ab8..bd5c2c923d 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml @@ -4,14 +4,16 @@ metadata: labels: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} - {{- if .Values.deploymentAnnotations }} + {{- with .Values.deploymentAnnotations }} annotations: -{{ toYaml .Values.deploymentAnnotations | indent 8 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }} namespace: {{ template "oauth2-proxy.namespace" $ }} spec: + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- with .Values.strategy }} strategy: @@ -23,7 +25,9 @@ spec: template: metadata: annotations: + {{- if .Values.config.configFile }} checksum/config: {{ tpl .Values.config.configFile $ | sha256sum }} + {{- end }} {{- if .Values.alphaConfig.enabled }} checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }} {{- end }} 
@@ -102,6 +106,12 @@ spec: image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" #image: "{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.image.command }} + command: + {{- range .Values.image.command }} + - {{ . | quote }} + {{- end }} + {{- end }} args: {{- if .Values.alphaConfig.enabled }} - --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml @@ -136,7 +146,7 @@ spec: {{- if .Values.authenticatedEmailsFile.template }} - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }} {{- else }} - - --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list + - --authenticated-emails-file=/etc/oauth2-proxy/{{ template "oauth2-proxy.fullname" . }}-accesslist {{- end }} {{- end }} {{- with .Values.config.google }} @@ -333,7 +343,7 @@ spec: {{- if .Values.authenticatedEmailsFile.template }} path: {{ .Values.authenticatedEmailsFile.template }} {{- else }} - path: authenticated-emails-list + path: {{ template "oauth2-proxy.fullname" . }}-accesslist {{- end }} {{- if .Values.authenticatedEmailsFile.template }} secretName: {{ .Values.authenticatedEmailsFile.template }} @@ -367,7 +377,7 @@ spec: {{- end }} {{- end }} {{- if ne (len .Values.extraVolumes) 0 }} -{{ toYaml .Values.extraVolumes | indent 6 }} +{{ tpl (toYaml .Values.extraVolumes) . | indent 6 }} {{- end }} {{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }} - configMap: 
@@ -381,26 +391,28 @@ spec: {{- if .Values.authenticatedEmailsFile.template }} path: {{ .Values.authenticatedEmailsFile.template }} {{- else }} - path: authenticated-emails-list + path: {{ template "oauth2-proxy.fullname" . }}-accesslist {{- end }} name: configaccesslist {{- end }} - {{- if .Values.imagePullSecrets }} + {{- with (.Values.imagePullSecrets | default .Values.global.imagePullSecrets) }} imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} - {{- if .Values.affinity }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} affinity: -{{ toYaml .Values.affinity | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.nodeSelector }} + {{- with .Values.nodeSelector }} nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} + {{ toYaml . | nindent 8 }} {{- end }} + {{- with .Values.tolerations }} tolerations: -{{ toYaml .Values.tolerations | indent 8 }} - {{- with .Values.topologySpreadConstraints }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} topologySpreadConstraints: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml new file mode 100644 index 0000000000..a6d7461797 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml 
@@ -0,0 +1,38 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + {{- with .Values.autoscaling.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 8 }} + {{- end }} + name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "oauth2-proxy.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml index 5323820487..8cc7953ee9 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml @@ -17,7 +17,7 @@ metadata: namespace: {{ template "oauth2-proxy.namespace" $ }} {{- with .Values.ingress.annotations }} annotations: -{{ toYaml . | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} spec: {{- if and .Values.ingress.className ( eq "true" ( include "ingress.supportsIngressClassName" . ) ) }} 
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml index 15bb89338e..ba2c02d5aa 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml @@ -7,8 +7,9 @@ apiVersion: v1 kind: Secret metadata: -{{- if .Values.alphaConfig.annotations }} - annotations: {{- toYaml .Values.alphaConfig.annotations | nindent 4 }} +{{- with .Values.alphaConfig.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: app: {{ template "oauth2-proxy.name" . }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml index 95f85a8006..9b607dd34a 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml @@ -7,9 +7,9 @@ metadata: labels: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} -{{- if .Values.authenticatedEmailsFile.annotations }} +{{- with .Values.authenticatedEmailsFile.annotations }} annotations: -{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }}-accesslist namespace: {{ template "oauth2-proxy.namespace" $ }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml index f3364e95a9..a041843484 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml 
@@ -2,9 +2,9 @@ apiVersion: v1 kind: Secret metadata: -{{- if .Values.config.annotations }} +{{- with .Values.config.annotations }} annotations: -{{ toYaml .Values.config.annotations | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: app: {{ template "oauth2-proxy.name" . }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml index d16120ee91..e8d02aeba8 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml @@ -6,9 +6,9 @@ metadata: {{- include "oauth2-proxy.labels" . | indent 4 }} name: {{ template "oauth2-proxy.fullname" . }} namespace: {{ template "oauth2-proxy.namespace" $ }} -{{- if .Values.service.annotations }} +{{- with .Values.service.annotations }} annotations: -{{ toYaml .Values.service.annotations | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} spec: {{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} @@ -28,6 +28,12 @@ spec: {{- else }} type: {{ .Values.service.type }} {{- end }} +{{- if .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} +{{- end }} +{{- if .Values.service.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.service.internalTrafficPolicy }} +{{- end }} ports: - port: {{ .Values.service.portNumber }} targetPort: {{ .Values.httpScheme }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml index 2a89c4b9e3..e38cd7a7a6 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml 
@@ -10,7 +10,7 @@ kind: ServiceAccount metadata: {{- with .Values.serviceAccount.annotations }} annotations: - {{- toYaml . | nindent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: app: {{ $name }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml index 3802666be0..99d62fd4ad 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml @@ -4,7 +4,7 @@ kind: ServiceMonitor metadata: {{- with .Values.metrics.serviceMonitor.annotations }} annotations: - {{- toYaml . | nindent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }} {{- if .Values.metrics.serviceMonitor.namespace }} diff --git a/kubernetes/authentication/components/oauth2-proxy/values.yaml b/kubernetes/authentication/components/oauth2-proxy/values.yaml index f49cb638fa..14ea469fa8 100644 --- a/kubernetes/authentication/components/oauth2-proxy/values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/values.yaml @@ -83,6 +83,7 @@ image: # appVersion is used by default tag: "" pullPolicy: "IfNotPresent" + command: [] # Optionally specify an array of imagePullSecrets. # Secrets must be manually created in the namespace. @@ -153,6 +154,10 @@ service: appProtocol: http annotations: {} # foo.io/bar: "true" + # configure externalTrafficPolicy + externalTrafficPolicy: "" + # configure internalTrafficPolicy + internalTrafficPolicy: "" ## Create or use ServiceAccount serviceAccount: 
@@ -289,6 +294,16 @@ podDisruptionBudget: enabled: true minAvailable: 1 +## Horizontal Pod Autoscaling +## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 80 +# targetMemoryUtilizationPercentage: 80 + annotations: {} + # Configure Kubernetes security context for pod # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ podSecurityContext: {} diff --git a/kubernetes/authentication/templates/_utils.tpl b/kubernetes/authentication/templates/_utils.tpl index 806f96164a..4606611159 100644 --- a/kubernetes/authentication/templates/_utils.tpl +++ b/kubernetes/authentication/templates/_utils.tpl @@ -25,9 +25,10 @@ Usage: realm: {{ $realm.name }} {{ if $realm.displayName }}displayName: {{ $realm.displayName }}{{ end }} id: {{ $realm.name }} -accessTokenLifespan: 1900 -registrationAllowed: false -resetPasswordAllowed: true +accessTokenLifespan: {{ default "1900" $realm.accessTokenLifespan }} +registrationAllowed: {{ default false $realm.registrationAllowed }} +resetPasswordAllowed: {{ default true $realm.resetPasswordAllowed }} +sslRequired: {{ default "external" $realm.sslRequired }} enabled: true {{ if $realm.themes }} {{ if $realm.themes.login }}loginTheme: {{ $realm.themes.login }}{{ end }} @@ -159,6 +160,7 @@ clients: baseUrl: {{ tpl $client.baseUrl $dot }} {{- end }} surrogateAuthRequired: {{ default false $client.surrogateAuthRequired }} + authorizationServicesEnabled: {{ default false $client.authorizationServicesEnabled }} enabled: true alwaysDisplayInConsole: false clientAuthenticatorType: {{ default "client-secret" $client.clientAuthenticatorType }} 
@@ -211,33 +213,136 @@ clients: {{ toYaml $mapper.config | nindent 10 }} {{- end }} {{- end }} + {{- if $client.defaultClientScopes }} defaultClientScopes: - {{- if $client.defaultClientScopes }} - {{- range $index2, $scope := $client.defaultClientScopes }} + {{- range $index2, $scope := $client.defaultClientScopes }} - {{ $scope }} - {{- end }} - {{- else }} - - web-origins - - profile - - acr - - email {{- end }} + {{- end }} + {{- if $client.optionalClientScopes }} optionalClientScopes: - {{- if $client.optionalClientScopes }} - {{- range $index2, $scope := $client.optionalClientScopes }} + {{- range $index2, $scope := $client.optionalClientScopes }} - {{ $scope }} + {{- end }} + {{- end }} + {{- if $client.authorizationSettings }} + authorizationSettings: {{ include "auth._authorizationSettings" (dict "dot" $client.authorizationSettings ) | nindent 6 }} + {{- end }} + {{- end }} +{{- end }} + +{{/* +Renders the authorizationSettings in the client section in a realm. +Usage: +{{ include "auth._authorizationSettings" ( dict "dot" .Values) }} +*/}} +{{- define "auth._authorizationSettings" -}} +{{- $dot := default . 
.dot -}} +allowRemoteResourceManagement: "{{ default true $dot.allowRemoteResourceManagement }}" +policyEnforcementMode: "{{ default "ENFORCING" $dot.policyEnforcementMode }}" +decisionStrategy: "{{ default "UNANIMOUS" $dot.decisionStrategy }}" +resources: + {{- range $index, $resource := $dot.resources }} + - name: {{ $resource.name }} + type: {{ (default "" $resource.type) | quote }} + displayName: {{ (default "" $resource.displayName) | quote }} + ownerManagedAccess: {{ default false $resource.ownerManagedAccess }} + {{- if $resource.attributes }} + attributes: + {{- range $key,$value := $resource.attributes }} + {{ $key }}: {{ $value }} {{- end }} - {{- else }} - - address - - phone - - offline_access - - microprofile-jwt + {{- end }} + {{- if $resource.uris }} + uris: + {{- range $index2, $url := $resource.uris }} + - {{ $url }} + {{- end }} + {{- end }} + {{- if $resource.scopes }} + scopes: + {{- range $index3, $scope := $resource.scopes }} + - {{ $scope | toYaml }} + {{- end }} + {{- end }} + icon_uri: {{ (default "" $resource.icon_uri) | quote }} + {{- end }} +policies: + {{- range $index4, $policy := $dot.policies }} + - name: {{ $policy.name }} + type: {{ (default "" $policy.type) | quote }} + description: {{ (default "" $policy.description) | quote }} + logic: {{ default "POSITIVE" $policy.logic }} + decisionStrategy: {{ default "UNANIMOUS" $dot.decisionStrategy }} + config: + roles: {{ include "auth._policyRoles" (dict "dot" $policy.roles) | toJson }} + {{- end }} + {{- range $index6, $permission := $dot.permissions }} + - name: {{ $permission.name }} + type: {{ (default "" $permission.type) | quote }} + description: {{ (default "" $permission.description) | quote }} + logic: {{ default "POSITIVE" $permission.logic }} + decisionStrategy: {{ default "UNANIMOUS" $permission.decisionStrategy }} + config: + {{- if $permission.resources }} + resources: {{ include "auth._permissionResources" (dict "dot" $permission.resources) | toJson }} + {{- end }} + {{- 
if $permission.scopes }} + scopes: {{ include "auth._permissionScopes" (dict "dot" $permission.scopes) | toJson }} + {{- end }} + {{- if $permission.applyPolicies }} + applyPolicies: {{ include "auth._permissionApplyPolicies" (dict "dot" $permission.applyPolicies) | toJson }} {{- end }} {{- end }} +scopes: + {{- range $index, $scope := $dot.scopes }} + - name: {{ $scope.name }} + iconUri: {{ (default "" $scope.icon_uri) | quote }} + displayName: {{ (default "" $scope.displayName) | quote }} + {{- end }} +{{- end }} + +{{/* +Renders the roles in a policy. +Usage: +{{ include "auth._policyRoles" ( dict "dot" .Values) }} +*/}} +{{- define "auth._policyRoles" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$role := $dot }}{"id":"{{ $role.id }}","required":{{ $role.required }}}{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] {{- end }} {{/* -Renders the defaulDefaultClientScopes section in a realm. +Renders the resources in a permission. +Usage: +{{ include "auth._permissionResources" ( dict "dot" .Values) }} +*/}} +{{- define "auth._permissionResources" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$resource := $dot }}"{{ $resource }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] +{{- end }} + +{{/* +Renders the scopes in a permission. +Usage: +{{ include "auth._permissionScopes" ( dict "dot" .Values) }} +*/}} +{{- define "auth._permissionScopes" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$scope := $dot }}"{{ $scope }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] +{{- end }} + +{{/* +Renders the applyPolicies in a permission. +Usage: +{{ include "auth._permissionApplyPolicies" ( dict "dot" .Values) }} +*/}} +{{- define "auth._permissionApplyPolicies" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$policy := $dot }}"{{ $policy }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] +{{- end }} +{{/* +Renders the defaultDefaultClientScopes section in a realm. 
Usage: {{ include "auth._defaultClientScopes" ( dict "dot" .Values) }} */}} @@ -262,15 +367,15 @@ clientScopes: {{- if $dot.additionalClientScopes }} {{- range $index, $scope := $dot.additionalClientScopes }} - name: {{ $scope.name }} - description: "{{ default "" $scope.description }}" + description: {{ (default "" $scope.description) | quote }} protocol: openid-connect attributes: include.in.token.scope: 'false' display.on.consent.screen: 'true' gui.order: '' consent.screen.text: "${rolesScopeConsentText}" + {{- if $scope.protocolMappers }} protocolMappers: - {{- if $scope.protocolMappers }} {{- range $index2, $mapper := $scope.protocolMappers }} - name: {{ $mapper.name }} protocol: "openid-connect" @@ -279,8 +384,7 @@ clientScopes: config: {{ toYaml $mapper.config | nindent 8 }} {{- end }} - {{- end }} - + {{- end }} {{- end }} {{- end }} - name: roles @@ -719,7 +823,14 @@ users: {{ toYaml $user.credentials | nindent 6 }} {{- end }} disableableCredentialTypes: [] + {{- if $user.requiredActions }} + requiredActions: + {{- range $index2, $action := $user.requiredActions }} + - "{{ $action }}" + {{- end }} + {{- else }} requiredActions: [] + {{- end }} {{- if $user.realmRoles }} realmRoles: {{- range $index2, $realmRole := $user.realmRoles }} @@ -805,7 +916,11 @@ Usage: {{- define "auth._attributes" -}} {{- $dot := default . .dot -}} {{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}} +{{- if $realm.attributes }} attributes: +{{- if $realm.attributes.frontendUrl }} frontendUrl: {{ tpl $realm.attributes.frontendUrl $dot }} +{{- end }} acr.loa.map: "{\"ABC\":\"5\"}" {{- end }} +{{- end }} diff --git a/kubernetes/authentication/values.yaml b/kubernetes/authentication/values.yaml index ba99879e87..124bc18c8d 100644 --- a/kubernetes/authentication/values.yaml +++ b/kubernetes/authentication/values.yaml 
@@ -26,7 +26,7 @@ global: postaddr: "" keycloak: - intURL: "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/" + intURL: "http://keycloak-http.keycloak.svc.cluster.local/" relativePath: "auth/" ingressAuthentication: enabled: false @@ -38,12 +38,16 @@ ingressAuthentication: onap-keycloak-config-cli: image: + # "edge" is the latest build release and need to be replaced with a new version + # compatible with keycloak 26.x.y + tag: edge + #tag: "6.1.6-25.0.1" pullSecrets: - name: onap-docker-registry-key #existingSecret: "keycloak-keycloakx-admin-creds" env: # internal KC URL plus relative path - KEYCLOAK_URL: "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/" + KEYCLOAK_URL: "http://keycloak-http.keycloak.svc.cluster.local/auth/" KEYCLOAK_SSLVERIFY: "false" KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true" secrets: @@ -71,6 +75,11 @@ onap-keycloak-config-cli: memory: 10Mi onap-oauth2-proxy: + + # Addition for oauth2-proxy deployment + imagePullSecrets: + - name: '{{ include "common.namespace" . }}-docker-registry-key' + securityContext: capabilities: drop: 
@@ -309,24 +318,24 @@ realmSettings: - name: "Client Host" protocolMapper: "oidc-usersessionmodel-note-mapper" config: - user.session.note : "clientHost" - id.token.claim : "true" - access.token.claim : "true" - claim.name : "clientHost" - jsonType.label : "String" + user.session.note: "clientHost" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "clientHost" + jsonType.label: "String" - name: "Client IP Address" protocolMapper: "oidc-usersessionmodel-note-mapper" config: - user.session.note : "clientAddress" - id.token.claim : "true" - access.token.claim : "true" - claim.name : "clientAddress" - jsonType.label : "String" + user.session.note: "clientAddress" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "clientAddress" + jsonType.label: "String" defaultClientScopes: - "onap_roles" additionalClientScopes: - name: onap_roles - description: OpenID Connect scope for add user onap roles to the access token + description: "OpenID Connect scope for add user onap roles to the access token" protocolMappers: - name: aud protocol: openid-connect diff --git a/kubernetes/cds/Chart.yaml b/kubernetes/cds/Chart.yaml index d8b6cc7de0..f179afd6e9 100644 --- a/kubernetes/cds/Chart.yaml +++ b/kubernetes/cds/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP Controller Design Studio (CDS) name: cds -version: 13.0.2 +version: 13.0.3 dependencies: - name: common diff --git a/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml b/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml index e4fc011880..cfe5c7371b 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP CDS Blueprints Processor name: cds-blueprints-processor -version: 13.0.0 +version: 13.0.1 dependencies: - name: common 
diff --git a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties index b99bae7197..004a9909ab 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties +++ b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties @@ -44,7 +44,7 @@ blueprintsprocessor.httpPort=8080 blueprintsprocessor.grpcPort=9111 # db -blueprintsprocessor.db.url=jdbc:mysql://{{.Values.config.cdsDB.dbServer}}:{{.Values.config.cdsDB.dbPort}}/{{.Values.config.cdsDB.dbName}} +blueprintsprocessor.db.url=jdbc:mariadb://{{.Values.config.cdsDB.dbServer}}:{{.Values.config.cdsDB.dbPort}}/{{.Values.config.cdsDB.dbName}} blueprintsprocessor.db.username=${CDS_DB_USERNAME} blueprintsprocessor.db.password=${CDS_DB_PASSWORD} blueprintsprocessor.db.driverClassName=org.mariadb.jdbc.Driver @@ -55,7 +55,7 @@ blueprintsprocessor.db.hibernateDialect=org.hibernate.dialect.MySQL5InnoDBDialec # processor-db endpoint blueprintsprocessor.db.processor-db.type=maria-db -blueprintsprocessor.db.processor-db.url=jdbc:mysql://{{ .Values.config.sdncDB.dbService }}:{{ .Values.config.sdncDB.dbPort }}/{{.Values.config.sdncDB.dbName}} +blueprintsprocessor.db.processor-db.url=jdbc:mariadb://{{ .Values.config.sdncDB.dbService }}:{{ .Values.config.sdncDB.dbPort }}/{{.Values.config.sdncDB.dbName}} blueprintsprocessor.db.processor-db.username=${SDNC_DB_USERNAME} blueprintsprocessor.db.processor-db.password=${SDNC_DB_PASSWORD} diff --git a/kubernetes/cds/components/cds-blueprints-processor/values.yaml b/kubernetes/cds/components/cds-blueprints-processor/values.yaml index b0812f26b8..469e40f4bd 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/values.yaml 
@@ -77,7 +77,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-blueprintsprocessor:1.5.3 +image: onap/ccsdk-blueprintsprocessor:1.7.1 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml index 842c268c8a..e69d30592e 100644 --- a/kubernetes/common/cassandra/values.yaml +++ b/kubernetes/common/cassandra/values.yaml @@ -29,7 +29,7 @@ global: # global defaults enableServiceAccount: false k8ssandraOperator: - cassandraVersion: 4.1.3 + cassandraVersion: 4.1.6 persistence: #storageClassName: default size: 10Gi diff --git a/kubernetes/common/common/Chart.yaml b/kubernetes/common/common/Chart.yaml index 6fa292639e..6fce57f83b 100644 --- a/kubernetes/common/common/Chart.yaml +++ b/kubernetes/common/common/Chart.yaml @@ -17,4 +17,4 @@ apiVersion: v2 description: Common templates for inclusion in other charts name: common -version: 13.2.6 +version: 13.2.11 diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl index ca23c75896..4d762c72f5 100644 --- a/kubernetes/common/common/templates/_ingress.tpl +++ b/kubernetes/common/common/templates/_ingress.tpl @@ -744,11 +744,7 @@ metadata: name: {{ include "common.fullname" $dot }}-ingress annotations: {{ include "ingress.config.annotations" $dot }} - labels: - app: {{ $dot.Chart.Name }} - chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }} - release: {{ include "common.release" $dot }} - heritage: {{ $dot.Release.Service }} + labels: {{- include "common.labels" $dot | nindent 4 }} spec: rules: {{ include "ingress.config.port" $dot | trim }} diff --git a/kubernetes/common/common/templates/_labels.tpl b/kubernetes/common/common/templates/_labels.tpl index a690acd141..df5cab932d 100644 --- a/kubernetes/common/common/templates/_labels.tpl 
+++ b/kubernetes/common/common/templates/_labels.tpl @@ -22,11 +22,13 @@ Common labels The function takes several arguments (inside a dictionary): - .dot : environment (.) - .labels : labels to add (dict) + - .suffix : name suffix */}} {{- define "common.labels" -}} {{- $dot := default . .dot -}} -app.kubernetes.io/name: {{ include "common.name" $dot }} -app: {{ include "common.name" $dot }} +{{- $suffix := .suffix -}} +app.kubernetes.io/name: {{ include "common.name" (dict "dot" $dot "suffix" $suffix) }} +app: {{ include "common.name" (dict "dot" $dot "suffix" $suffix) }} {{- if $dot.Chart.AppVersion }} version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}" {{- else }} diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl index 0e46e5ef26..c1447cd0ac 100644 --- a/kubernetes/common/common/templates/_mariadb.tpl +++ b/kubernetes/common/common/templates/_mariadb.tpl @@ -312,6 +312,7 @@ spec: authDelegatorRoleName: {{ $dbinst }}-auth gracefulShutdownTimeout: 5s securityContext: + readOnlyFileSystem: true allowPrivilegeEscalation: false capabilities: drop: @@ -320,11 +321,8 @@ spec: privileged: false runAsNonRoot: true runAsUser: 10001 - seccompProfile: - type: RuntimeDefault primary: automaticFailover: true - podIndex: 0 recovery: enabled: true clusterHealthyTimeout: 30s @@ -344,8 +342,6 @@ spec: privileged: false runAsNonRoot: true runAsUser: 10001 - seccompProfile: - type: RuntimeDefault config: reuseStorageVolume: false volumeClaimTemplate: diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl index 743e3db1df..6feb91bd0c 100644 --- a/kubernetes/common/common/templates/_pod.tpl +++ b/kubernetes/common/common/templates/_pod.tpl 
@@ -98,12 +98,12 @@ securityContext: privileged: {{ hasKey .Values.containerSecurityContext "privileged" | ternary .Values.containerSecurityContext.privileged false }} allowPrivilegeEscalation: {{ hasKey .Values.containerSecurityContext "allowPrivilegeEscalation" | ternary .Values.containerSecurityContext.allowPrivilegeEscalation false }} runAsNonRoot: {{ hasKey .Values.containerSecurityContext "runAsNonRoot" | ternary .Values.containerSecurityContext.runAsNonRoot true }} -{{- if .Values.containerSecurityContext.runAsUser }} +{{- if hasKey .Values.containerSecurityContext "runAsUser" }} runAsUser: {{ .Values.containerSecurityContext.runAsUser }} {{- end }} -{{- if .Values.containerSecurityContext.runAsGroup }} +{{- if hasKey .Values.containerSecurityContext "runAsGroup" }} runAsGroup: {{ .Values.containerSecurityContext.runAsGroup }} -{{ end }} +{{- end }} {{- end }} capabilities: drop: diff --git a/kubernetes/common/common/templates/_secret.tpl b/kubernetes/common/common/templates/_secret.tpl index 9d284de500..9eb47d7093 100644 --- a/kubernetes/common/common/templates/_secret.tpl +++ b/kubernetes/common/common/templates/_secret.tpl @@ -19,7 +19,7 @@ Generates a secret header with given name and desired labels. - The template takes two arguments: + The template takes three arguments: - .global: environment (.) - .name: name of the secret - .annotations: annotations which should be used 
@@ -29,17 +29,14 @@ */}} {{- define "common.secret._header" -}} {{- $global := .global }} + {{- $name := .name }} apiVersion: v1 kind: Secret metadata: name: {{ $name }} namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.name" $global }} - chart: {{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }} - release: {{ include "common.release" $global }} - heritage: {{ $global.Release.Service }} + labels: {{- include "common.labels" $global | nindent 4 }} {{- if .annotations }} annotations: {{- include "common.tplValue" (dict "value" .annotations "context" $global) | nindent 4 }} {{- end }} diff --git a/kubernetes/common/common/templates/_serviceMonitor.tpl b/kubernetes/common/common/templates/_serviceMonitor.tpl index 907d9c6a9c..5b80c18ac4 100644 --- a/kubernetes/common/common/templates/_serviceMonitor.tpl +++ b/kubernetes/common/common/templates/_serviceMonitor.tpl @@ -52,11 +52,7 @@ ## ServiceMonitor selector labels ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration ## - selector: - app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + selector: {{- include "common.matchLabels" . | nindent 4 }} ## RelabelConfigs to apply to samples before scraping ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig diff --git a/kubernetes/common/common/templates/_strimzikafka.tpl b/kubernetes/common/common/templates/_strimzikafka.tpl index a2e9c90a4f..a48b444cfc 100644 --- a/kubernetes/common/common/templates/_strimzikafka.tpl +++ b/kubernetes/common/common/templates/_strimzikafka.tpl 
@@ -56,6 +56,7 @@ kind: KafkaUser metadata: name: {{ include "common.name" . }}-ku labels: + {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: @@ -118,6 +119,7 @@ metadata: name: {{ ($topic.name) | lower }}-kt {{- end }} labels: + {{- include "common.labels" $ | nindent 4 }} strimzi.io/cluster: {{ include "common.release" $ }}-strimzi spec: {{- if (hasKey $topic "partitions") }} diff --git a/kubernetes/common/mariadb-galera/Chart.yaml b/kubernetes/common/mariadb-galera/Chart.yaml index 41d11a646e..552f6cc67d 100644 --- a/kubernetes/common/mariadb-galera/Chart.yaml +++ b/kubernetes/common/mariadb-galera/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Chart for MariaDB Galera cluster name: mariadb-galera -version: 13.2.2 +version: 13.2.3 keywords: - mariadb - mysql diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index 66ce8abc6e..3011d93e5a 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml 
@@ -39,50 +39,24 @@ spec: initContainers: # we shouldn't need this but for unknown reason, it's fsGroup is not # applied - - name: fix-permission + {{- if .Values.mariadbConfiguration }} + - name: copy-config command: - /bin/sh args: - -c - | - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /data - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /bootstrap/ - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /tmp/ - {{- if .Values.mariadbConfiguration }} cp /config/my.cnf /actual/my.cnf - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /actual - {{- end }} image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - - CAP_NET_RAW - add: - - CHOWN - - SYS_CHROOT - runAsGroup: {{ .Values.securityContext.group_id }} - readOnlyRootFilesystem: false - runAsUser: 0 - runAsNonRoot: false - seccompProfile: - type: RuntimeDefault + {{ include "common.containerSecurityContext" . | indent 10 | trim }} volumeMounts: - - name: previous-boot - mountPath: /bootstrap - - name: mariadb-tmp-folder - mountPath: /tmp - - name: {{ include "common.fullname" . }} - mountPath: /data - {{- if .Values.mariadbConfiguration }} - name: mariadb-galera-starting-config mountPath: /config/my.cnf subPath: my.cnf - name: mariadb-galera-actual-config mountPath: /actual - {{- end }} + {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} 
@@ -185,6 +159,8 @@ spec: {{ include "common.containerSecurityContext" . | indent 10 | trim }} resources: {{ include "common.resources" . | nindent 12 }} volumeMounts: + - name: tmp + mountPath: /tmp - name: previous-boot mountPath: /opt/bitnami/mariadb/.bootstrap - name: {{ include "common.fullname" . }} @@ -258,13 +234,19 @@ spec: tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" .) | nindent 8 }} {{- end }} volumes: + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} - name: previous-boot - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.bootSizeLimit }} - name: mariadb-tmp-folder - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.tmpMariaDBSizeLimit }} {{- if .Values.mariadbConfiguration }} - name: mariadb-galera-actual-config - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.configSizeLimit }} - name: mariadb-galera-starting-config configMap: name: {{ printf "%s-configuration" (include "common.fullname" .) }} diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index faab7af1b3..6684d6dcb3 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -609,6 +609,12 @@ resources: memory: "3Gi" unlimited: {} +volumes: + bootSizeLimit: 50Mi + tmpSizeLimit: 200Mi + configSizeLimit: 50Mi + tmpMariaDBSizeLimit: 100Mi + ## MariaDB Galera containers' liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## @@ -689,6 +695,7 @@ metrics: requests: cpu: "0.5" memory: "200Mi" + ## MariaDB Galera metrics container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## diff --git a/kubernetes/common/nginx/.helmignore b/kubernetes/common/nginx/.helmignore new file mode 100644 index 0000000000..207983f368 --- /dev/null 
+++ b/kubernetes/common/nginx/.helmignore @@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/kubernetes/common/nginx/Chart.yaml b/kubernetes/common/nginx/Chart.yaml new file mode 100644 index 0000000000..f44876fc66 --- /dev/null +++ b/kubernetes/common/nginx/Chart.yaml @@ -0,0 +1,36 @@ +annotations: + category: Infrastructure + images: | + - name: git + image: docker.io/bitnami/git:2.48.0-debian-12-r0 + - name: nginx + image: docker.io/bitnami/nginx:1.27.3-debian-12-r5 + - name: nginx-exporter + image: docker.io/bitnami/nginx-exporter:1.4.1-debian-12-r0 + licenses: Apache-2.0 +apiVersion: v2 +appVersion: 1.27.3 +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x +description: NGINX Open Source is a web server that can be also used as a reverse + proxy, load balancer, and HTTP cache. Recommended for high-demanding sites due to + its ability to provide faster content. +home: https://bitnami.com +icon: https://bitnami.com/assets/stacks/nginx/img/nginx-stack-220x234.png +keywords: +- nginx +- http +- web +- www +- reverse proxy +maintainers: +- name: Broadcom, Inc. All Rights Reserved. + url: https://github.com/bitnami/charts +name: nginx +sources: +- https://github.com/bitnami/charts/tree/main/bitnami/nginx +version: 18.3.5 diff --git a/kubernetes/common/nginx/README.md b/kubernetes/common/nginx/README.md new file mode 100644 index 0000000000..afe71051ce --- /dev/null +++ b/kubernetes/common/nginx/README.md 
@@ -0,0 +1,557 @@ +<!--- app-name: NGINX Open Source --> + +# Bitnami package for NGINX Open Source + +NGINX Open Source is a web server that can be also used as a reverse proxy, load balancer, and HTTP cache. Recommended for high-demanding sites due to its ability to provide faster content. + +[Overview of NGINX Open Source](http://nginx.org) + +Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. + +## TL;DR + +```console +helm install my-release oci://registry-1.docker.io/bitnamicharts/nginx +``` + +Looking to use NGINX Open Source in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + +## Introduction + +Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads. + +This chart bootstraps a [NGINX Open Source](https://github.com/bitnami/containers/tree/main/bitnami/nginx) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/nginx +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. 
+ +These commands deploy NGINX Open Source on the Kubernetes cluster in the default configuration. + +> **Tip**: List all releases using `helm list` + +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcesPreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### Prometheus metrics + +This chart can be integrated with Prometheus by setting `metrics.enabled` to `true`. This will deploy a sidecar container with [nginx-prometheus-exporter](https://github.com/nginxinc/nginx-prometheus-exporter) in all pods and will expose it via the Nginx service. This service will be have the necessary annotations to be automatically scraped by Prometheus. + +#### Prometheus requirements + +It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the [Bitnami Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/prometheus) or the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) to easily have a working Prometheus in your cluster. 
+ +#### Integration with Prometheus Operator + +The chart can deploy `ServiceMonitor` objects for integration with Prometheus Operator installations. To do so, set the value `metrics.serviceMonitor.enabled=true`. Ensure that the Prometheus Operator `CustomResourceDefinitions` are installed in the cluster or it will fail with the following error: + +```text +no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1" +``` + +Install the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) for having the necessary CRDs and the Prometheus Operator. + +### Securing traffic using TLS + +Nginx can encrypt communications by setting `tls.enabled=true`. The chart allows two configuration options: + +- Provide your own secret using the `tls.certificatesSecret` value. Also set the correct name of the certificate files using the `tls.certFilename`, `tls.certKeyFilename` and `tls.certCAFilename` values. +- Have the chart auto-generate the certificates using `tls.autoGenerated=true`. + +### [Rolling VS Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Use a different NGINX version + +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. 
+ +### Backup and restore + +To back up and restore Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool. Find the instructions for using Velero in [this guide](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-backup-restore-deployments-velero-index.html). + +### Deploying your custom web application + +The NGINX chart allows you to deploy a custom web application using one of the following methods: + +- Cloning from a git repository: Set `cloneStaticSiteFromGit.enabled` to `true` and set the repository and branch using the `cloneStaticSiteFromGit.repository` and `cloneStaticSiteFromGit.branch` parameters. A sidecar will also pull the latest changes in an interval set by `cloneStaticSitesFromGit.interval`. +- Providing a ConfigMap: Set the `staticSiteConfigmap` value to mount a ConfigMap in the NGINX html folder. +- Using an existing PVC: Set the `staticSitePVC` value to mount an PersistentVolumeClaim with the static site content. + +You can deploy a example web application using git deploying the chart with the following parameters: + +```console +cloneStaticSiteFromGit.enabled=true +cloneStaticSiteFromGit.repository=https://github.com/mdn/beginner-html-site-styled.git +cloneStaticSiteFromGit.branch=master +``` + +### Providing a custom server block + +This helm chart supports using custom custom server block for NGINX to use. + +You can use the `serverBlock` or `streamServerBlock` value to provide a custom server block for NGINX to use. 
To do this, create a values files with your server block and install the chart using it: + +```yaml +serverBlock: |- + server { + listen 0.0.0.0:8080; + location / { + return 200 "hello!"; + } + } +``` + +> Warning: The above example is not compatible with enabling Prometheus metrics since it affects the `/status` endpoint. + +In addition, you can also set an external ConfigMap with the configuration file. This is done by setting the `existingServerBlockConfigmap` parameter. Note that this will override the previous option. + +### Adding extra environment variables + +In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property. + +```yaml +extraEnvVars: + - name: LOG_LEVEL + value: error +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values. + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinity) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. + +### Deploying extra resources + +There are cases where you may want to deploy extra objects, such a ConfigMap containing your app's configuration or some extra deployment with a micro service used by your app. For covering this case, the chart allows adding the full specification of other objects using the `extraDeploy` parameter. + +### Ingress + +This chart provides support for ingress resources. 
If you have an ingress controller installed on your cluster, such as [nginx-ingress-controller](https://github.com/bitnami/charts/tree/main/bitnami/nginx-ingress-controller) or [contour](https://github.com/bitnami/charts/tree/main/bitnami/contour) you can utilize the ingress controller to serve your application. + +To enable ingress integration, please set `ingress.enabled` to `true`. + +#### Hosts + +Most likely you will only want to have one hostname that maps to this NGINX installation. If that's your case, the property `ingress.hostname` will set it. However, it is possible to have more than one host. To facilitate this, the `ingress.extraHosts` object can be specified as an array. You can also use `ingress.extraTLS` to add the TLS configuration for extra hosts. + +For each host indicated at `ingress.extraHosts`, please indicate a `name`, `path`, and any `annotations` that you may want the ingress controller to know about. + +For annotations, please see [this document](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md). Not all annotations are supported by all ingress controllers, but this document does a good job of indicating which annotation is supported by many popular ingress controllers. 
+ +## Parameters + +### Global parameters + +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.security.allowInsecureImages` | Allows skipping image verification | `false` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | + +### Common parameters + +| Name | Description | Value | +| ------------------------ | --------------------------------------------------------------------------------------- | --------------- | +| `nameOverride` | String to partially override nginx.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override nginx.fullname template | `""` | +| `namespaceOverride` | String to fully override common.names.namespace | `""` | +| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | +| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` | +| `extraDeploy` | Extra objects to deploy (value evaluated as a template) | `[]` | +| `commonLabels` | Add labels to all the deployed resources | `{}` | +| `commonAnnotations` | Add annotations to all the deployed resources | `{}` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the the deployment(s)/statefulset(s) | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the the deployment(s)/statefulset(s) | `["infinity"]` | + +### NGINX parameters + +| Name | Description | Value | +| ------------------------------ | ----------------------------------------------------------------------------------------------------- | ----------------------- | +| `image.registry` | NGINX image registry | `REGISTRY_NAME` | +| `image.repository` | NGINX image repository | `REPOSITORY_NAME/nginx` | +| `image.digest` | NGINX image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | NGINX image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Set to true if you would like to see extra information on logs | `false` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hostAliases` | Deployment pod host aliases | `[]` | +| `command` | Override default container command (useful when using custom images) | `[]` | +| `args` | Override default container args (useful when using custom images) | `[]` | +| `extraEnvVars` | Extra environment variables to be set on NGINX containers | `[]` | +| `extraEnvVarsCM` | ConfigMap with extra environment variables | `""` | +| `extraEnvVarsSecret` | Secret with extra environment variables | `""` | + +### NGINX deployment parameters + +| Name | Description | Value | +| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `replicaCount` | Number of NGINX replicas to deploy | `1` | +| `revisionHistoryLimit` | The number of old history to retain to allow rollback | `10` | +| `updateStrategy.type` | NGINX deployment strategy type | `RollingUpdate` | +| `updateStrategy.rollingUpdate` | NGINX deployment rolling update configuration parameters | `{}` | +| `podLabels` | Additional labels for NGINX pods | `{}` | +| `podAnnotations` | Annotations for NGINX pods | `{}` | +| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type. 
Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `hostNetwork` | Specify if host network should be enabled for NGINX pod | `false` | +| `hostIPC` | Specify if host IPC should be enabled for NGINX pod | `false` | +| `dnsPolicy` | Specifies the DNS policy for the NGINX pod | `""` | +| `dnsConfig` | Allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` | `{}` | +| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` | +| `tolerations` | Tolerations for pod assignment. Evaluated as a template. | `[]` | +| `priorityClassName` | NGINX pods' priorityClassName | `""` | +| `schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `terminationGracePeriodSeconds` | In seconds, time the given to the NGINX pod needs to terminate gracefully | `""` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | +| `tls.enabled` | Enable TLS transport | `true` | +| `tls.autoGenerated` | Auto-generate self-signed certificates | `true` | +| `tls.existingSecret` | Name of a secret containing the certificates | `""` | +| `tls.certFilename` | Path of the certificate file when mounted as a secret | `tls.crt` | +| `tls.certKeyFilename` | Path of the certificate key file when mounted as a secret | `tls.key` | +| `tls.certCAFilename` | Path of the certificate CA file when mounted as a secret | `ca.crt` | +| `tls.cert` | Content of the certificate to be added to the secret | `""` | +| `tls.key` | Content of the certificate key to be added to the secret | `""` | +| `tls.ca` | Content of the certificate CA to be added to the secret | `""` | +| `podSecurityContext.enabled` | Enabled NGINX pods' Security Context 
| `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `podSecurityContext.fsGroup` | Set NGINX pod's Security Context fsGroup | `1001` | +| `podSecurityContext.sysctls` | sysctl settings of the NGINX pods | `[]` | +| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `containerPorts.http` | Sets http port inside NGINX container | `8080` | +| `containerPorts.https` | Sets https port inside NGINX container | `8443` | +| `extraContainerPorts` | Array of additional container ports for the Nginx container | `[]` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). 
| `nano` | +| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `lifecycleHooks` | Optional lifecycleHooks for the NGINX container | `{}` | +| `startupProbe.enabled` | Enable startupProbe | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `livenessProbe.enabled` | Enable livenessProbe | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe | `true` | +| `readinessProbe.path` | Request path for livenessProbe | `/` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `customStartupProbe` | Custom liveness probe for the Web component | `{}` | +| `customLivenessProbe` | Override default liveness probe | `{}` | +| `customReadinessProbe` | Override default readiness probe | `{}` | +| `autoscaling.enabled` | Enable autoscaling for NGINX deployment | `false` 
| +| `autoscaling.minReplicas` | Minimum number of replicas to scale back | `""` | +| `autoscaling.maxReplicas` | Maximum number of replicas to scale out | `""` | +| `autoscaling.targetCPU` | Target CPU utilization percentage | `""` | +| `autoscaling.targetMemory` | Target Memory utilization percentage | `""` | +| `extraVolumes` | Array to add extra volumes | `[]` | +| `extraVolumeMounts` | Array to add extra mount | `[]` | +| `serviceAccount.create` | Enable creation of ServiceAccount for nginx pod | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. | `{}` | +| `serviceAccount.automountServiceAccountToken` | Auto-mount the service account token in the pod | `false` | +| `sidecars` | Sidecar parameters | `[]` | +| `sidecarSingleProcessNamespace` | Enable sharing the process namespace with sidecars | `false` | +| `initContainers` | Extra init containers | `[]` | +| `pdb.create` | Created a PodDisruptionBudget | `true` | +| `pdb.minAvailable` | Min number of pods that must still be available after the eviction. | `""` | +| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction. 
| `""` | + +### Custom NGINX application parameters + +| Name | Description | Value | +| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | +| `cloneStaticSiteFromGit.enabled` | Get the server static content from a Git repository | `false` | +| `cloneStaticSiteFromGit.image.registry` | Git image registry | `REGISTRY_NAME` | +| `cloneStaticSiteFromGit.image.repository` | Git image repository | `REPOSITORY_NAME/git` | +| `cloneStaticSiteFromGit.image.digest` | Git image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `cloneStaticSiteFromGit.image.pullPolicy` | Git image pull policy | `IfNotPresent` | +| `cloneStaticSiteFromGit.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `cloneStaticSiteFromGit.repository` | Git Repository to clone static content from | `""` | +| `cloneStaticSiteFromGit.branch` | Git branch to checkout | `""` | +| `cloneStaticSiteFromGit.interval` | Interval for sidecar container pull from the Git repository | `60` | +| `cloneStaticSiteFromGit.gitClone.command` | Override default container command for git-clone-repository | `[]` | +| `cloneStaticSiteFromGit.gitClone.args` | Override default container args for git-clone-repository | `[]` | +| `cloneStaticSiteFromGit.gitSync.command` | Override default container command for git-repo-syncer | `[]` | +| `cloneStaticSiteFromGit.gitSync.args` | Override default container args for git-repo-syncer | `[]` | +| `cloneStaticSiteFromGit.gitSync.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if cloneStaticSiteFromGit.gitSync.resources is set (cloneStaticSiteFromGit.gitSync.resources is recommended for production). | `nano` | +| `cloneStaticSiteFromGit.gitSync.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `cloneStaticSiteFromGit.extraEnvVars` | Additional environment variables to set for the in the containers that clone static site from git | `[]` | +| `cloneStaticSiteFromGit.extraEnvVarsSecret` | Secret with extra environment variables | `""` | +| `cloneStaticSiteFromGit.extraVolumeMounts` | Add extra volume mounts for the Git containers | `[]` | +| `serverBlock` | Custom server block to be added to NGINX configuration | `""` | +| `streamServerBlock` | Custom stream server block to be added to NGINX configuration | `""` | +| `existingServerBlockConfigmap` | ConfigMap with custom server block to be added to NGINX configuration | `""` | +| `existingStreamServerBlockConfigmap` | ConfigMap with custom stream server block to be added to NGINX configuration | `""` | +| `staticSiteConfigmap` | Name of existing ConfigMap with the server static site content | `""` | +| `staticSitePVC` | Name of existing PVC with the server static site content | `""` | + +### Traffic Exposure parameters + +| Name | Description | Value | +| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `service.type` | Service type | `LoadBalancer` | +| `service.ports.http` | Service HTTP port | `80` | +| `service.ports.https` | Service HTTPS port | `443` | +| `service.nodePorts` | Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types. | `{}` | +| `service.targetPort` | Target port reference value for the Loadbalancer service types can be specified explicitly. 
| `{}` | +| `service.clusterIP` | NGINX service Cluster IP | `""` | +| `service.loadBalancerIP` | LoadBalancer service IP address | `""` | +| `service.loadBalancerSourceRanges` | NGINX service Load Balancer sources | `[]` | +| `service.loadBalancerClass` | service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.annotations` | Service annotations | `{}` | +| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `ingress.enabled` | Set to true to enable ingress record generation | `false` | +| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | +| `ingress.hostname` | Default host for the ingress resource | `nginx.local` | +| `ingress.path` | The Path to Nginx. You may need to set this to '/*' in order to use this with ALB ingress controllers. | `/` | +| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `ingress.ingressClassName` | Set the ingerssClassName on the ingress record for k8s 1.18+ | `""` | +| `ingress.tls` | Create TLS Secret | `false` | +| `ingress.tlsWwwPrefix` | Adds www subdomain to default cert | `false` | +| `ingress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` | +| `ingress.extraPaths` | Any additional arbitrary paths that may need to be added to the ingress under the main host. | `[]` | +| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` | +| `ingress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` | +| `ingress.extraRules` | The list of additional rules to be added to this ingress record. 
Evaluated as a template | `[]` | +| `healthIngress.enabled` | Set to true to enable health ingress record generation | `false` | +| `healthIngress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `healthIngress.pathType` | Ingress path type | `ImplementationSpecific` | +| `healthIngress.hostname` | When the health ingress is enabled, a host pointing to this will be created | `example.local` | +| `healthIngress.path` | Default path for the ingress record | `/` | +| `healthIngress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `healthIngress.tls` | Enable TLS configuration for the hostname defined at `healthIngress.hostname` parameter | `false` | +| `healthIngress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `healthIngress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `healthIngress.extraTls` | TLS configuration for additional hostnames to be covered | `[]` | +| `healthIngress.secrets` | TLS Secret configuration | `[]` | +| `healthIngress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `healthIngress.extraRules` | The list of additional rules to be added to this ingress record. 
Evaluated as a template | `[]` | + +### Metrics parameters + +| Name | Description | Value | +| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | +| `metrics.enabled` | Start a Prometheus exporter sidecar container | `false` | +| `metrics.image.registry` | NGINX Prometheus exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | NGINX Prometheus exporter image repository | `REPOSITORY_NAME/nginx-exporter` | +| `metrics.image.digest` | NGINX Prometheus exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | NGINX Prometheus exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.port` | NGINX Container Status Port scraped by Prometheus Exporter | `""` | +| `metrics.extraArgs` | Extra arguments for Prometheus exporter | `[]` | +| `metrics.containerPorts.metrics` | Prometheus exporter container port | `9113` | +| `metrics.podAnnotations` | Additional annotations for NGINX Prometheus exporter pod(s) | `{}` | +| `metrics.securityContext.enabled` | Enabled NGINX Exporter containers' Security Context | `false` | +| `metrics.securityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.securityContext.runAsUser` | Set NGINX Exporter container's Security Context runAsUser | `1001` | +| `metrics.service.port` | NGINX Prometheus exporter service port | `9113` | +| `metrics.service.annotations` | Annotations for the Prometheus exporter service | `{}` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, 
xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.serviceMonitor.enabled` | Creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` | +| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so PodMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | +| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. 
For example, + +```console +helm install my-release \ + --set imagePullPolicy=Always \ + oci://REGISTRY_NAME/REPOSITORY_NAME/nginx +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The above command sets the `imagePullPolicy` to `Always`. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/nginx +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/nginx/values.yaml) + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +### To 18.3.0 + +This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850). + +### To 16.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). 
+- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + +### To 11.0.0 + +This major release renames several values in this chart and adds missing features, in order to be aligned with the rest of the assets in the Bitnami charts repository. + +Affected values: + +- `service.port` was renamed as `service.ports.http`. +- `service.httpsPort` was deprecated. We recommend using `service.ports.https`. +- `serviceAccount.autoMount` was renamed as `serviceAccount.automountServiceAccountToken` +- `metrics.serviceMonitor.additionalLabels` was renamed as `metrics.serviceMonitor.labels` + +### To 10.0.0 + +This major release no longer uses the bitnami/nginx-ldap-auth-daemon container as a dependency since its upstream project is not actively maintained. + +*2022-04-12 edit*: + +[Bitnami's reference implementation](https://www.nginx.com/blog/nginx-plus-authenticate-users/). + +On 9 April 2022, security vulnerabilities in the [NGINX LDAP reference implementation](https://github.com/nginxinc/nginx-ldap-auth) were publicly shared. **Although the deprecation of this container from the Bitnami catalog was not related to this security issue, [here](https://docs.bitnami.com/general/security/) you can find more information from the Bitnami security team.** + +### To 8.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +#### What changes were introduced in this major version? 
+ +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Move dependency information from the *requirements.yaml* to the *Chart.yaml* +- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock* +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +#### Considerations when upgrading to this version + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +#### Useful links + +- <https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-resolve-helm2-helm3-post-migration-issues-index.html> +- <https://helm.sh/docs/topics/v2_v3_migration/> +- <https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/> + +### To 7.0.0 + +- This version also introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/main/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade. 
+- Ingress configuration was also adapted to follow the Helm charts best practices. + +> Note: There is no backwards compatibility due to the above mentioned changes. It's necessary to install a new release of the chart, and migrate your existing application to the new NGINX instances. + +### To 5.6.0 + +Added support for the use of LDAP. + +### To 5.0.0 + +Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments. +Use the workaround below to upgrade from versions previous to 5.0.0. The following example assumes that the release name is nginx: + +```console +kubectl delete deployment nginx --cascade=false +helm upgrade nginx oci://REGISTRY_NAME/REPOSITORY_NAME/nginx +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +### To 1.0.0 + +Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments. +Use the workaround below to upgrade from versions previous to 1.0.0. The following example assumes that the release name is nginx: + +```console +kubectl patch deployment nginx --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' +``` + +## License + +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +<http://www.apache.org/licenses/LICENSE-2.0> + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+See the License for the specific language governing permissions and +limitations under the License.
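Review bot: several parameter descriptions in the vendored README tables are copy errors and should be corrected here (or fixed upstream and re-synced): `readinessProbe.path` reads "Request path for livenessProbe", `customStartupProbe` reads "Custom liveness probe for the Web component", and `networkPolicy.extraEgress` reads "Add extra ingress rules to the NetworkPolicy"; smaller ones are `ingerssClassName` under `ingress.ingressClassName`, "the the" in the `diagnosticMode.command` and `diagnosticMode.args` rows, and "Created a PodDisruptionBudget" for `pdb.create`. One security-relevant omission worth a sentence as this lands in the ONAP common charts: with `networkPolicy.enabled=true` the defaults `networkPolicy.allowExternal=true` and `networkPolicy.allowExternalEgress=true` produce a NetworkPolicy that restricts nothing, and `metrics.securityContext.enabled` defaults to `false` while `containerSecurityContext.enabled` defaults to `true`, so the exporter sidecar runs without the hardened context unless a deployer enables it; if the ONAP overrides tighten these, the README should say so next to the table.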
\ No newline at end of file diff --git a/kubernetes/common/nginx/templates/NOTES.txt b/kubernetes/common/nginx/templates/NOTES.txt new file mode 100644 index 0000000000..f8c92f647e --- /dev/null +++ b/kubernetes/common/nginx/templates/NOTES.txt 
@@ -0,0 +1,77 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami for more information. + +** Please be patient while the chart is being deployed ** + +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ template "common.names.namespace" . }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ template "common.names.namespace" . }} -ti <NAME OF THE POD> -- bash + +In order to replicate the container startup scripts execute this command: + + /opt/bitnami/scripts/nginx/entrypoint.sh /opt/bitnami/scripts/nginx/run.sh + +{{- else }} +NGINX can be accessed through the following DNS name from within your cluster: + + {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} (port {{ .Values.service.ports.http }}) + +To access NGINX from outside the cluster, follow the steps below: + +{{- if .Values.ingress.enabled }} + +1. Get the NGINX URL and associate its hostname to your cluster external IP: + + export CLUSTER_IP=$(minikube ip) # On Minikube. 
Use: `kubectl cluster-info` on others K8s clusters + echo "NGINX URL: http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.hostname }}" + echo "$CLUSTER_IP {{ .Values.ingress.hostname }}" | sudo tee -a /etc/hosts + +{{- else }} + +1. Get the NGINX URL by running these commands: + +{{- if contains "LoadBalancer" .Values.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "common.names.fullname" . }}' + + export SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].port}" services {{ include "common.names.fullname" . }}) + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo "http://${SERVICE_IP}:${SERVICE_PORT}" + +{{- else if contains "ClusterIP" .Values.service.type }} + + export SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].port}" services {{ include "common.names.fullname" . }}) + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }} ${SERVICE_PORT}:${SERVICE_PORT} & + echo "http://127.0.0.1:${SERVICE_PORT}" + +{{- else if contains "NodePort" .Values.service.type }} + + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo "http://${NODE_IP}:${NODE_PORT}" + +{{- end }} +{{- end }} + +{{- include "common.warnings.rollingTag" .Values.image }} +{{- include "common.warnings.rollingTag" .Values.cloneStaticSiteFromGit.image }} +{{- include "common.warnings.rollingTag" .Values.metrics.image }} +{{- include "nginx.validateValues" . 
}} +{{- end }} +{{- include "common.warnings.resources" (dict "sections" (list "cloneStaticSiteFromGit.gitSync" "metrics" "") "context" $) }} +{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.cloneStaticSiteFromGit.image .Values.metrics.image) "context" $) }} +{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.cloneStaticSiteFromGit.image .Values.metrics.image) "context" $) }} diff --git a/kubernetes/common/nginx/templates/_helpers.tpl b/kubernetes/common/nginx/templates/_helpers.tpl new file mode 100644 index 0000000000..4900d9cfd1 --- /dev/null +++ b/kubernetes/common/nginx/templates/_helpers.tpl 
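Review bot: in NOTES.txt the `{{- include "nginx.validateValues" . }}` call sits inside the `{{- else }}` branch of `{{- if .Values.diagnosticMode.enabled }}`, so the values validation (missing `cloneStaticSiteFromGit.repository`/`branch`, `extraVolumes` without mount points) is skipped whenever diagnostic mode is on; move it after the closing `{{- end }}`, next to the `common.warnings.resources` and `common.errors.insecureImages` includes, so a bad values file fails the render in both modes. Separately, the "Did you know there are enterprise versions of the Bitnami catalog?" paragraph is vendor marketing that does not belong in a chart vendored under kubernetes/common; drop it from the notes.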
@@ -0,0 +1,123 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper NGINX image name +*/}} +{{- define "nginx.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper GIT image name +*/}} +{{- define "nginx.cloneStaticSiteFromGit.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.cloneStaticSiteFromGit.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Prometheus metrics image name +*/}} +{{- define "nginx.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "nginx.imagePullSecrets" -}} +{{ include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.cloneStaticSiteFromGit.image .Values.metrics.image) "context" $) }} +{{- end -}} + +{{/* +Return true if a static site should be mounted in the NGINX container +*/}} +{{- define "nginx.useStaticSite" -}} +{{- if or .Values.cloneStaticSiteFromGit.enabled .Values.staticSiteConfigmap .Values.staticSitePVC }} + {- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the volume to use to mount the static site in the NGINX container +*/}} +{{- define "nginx.staticSiteVolume" -}} +{{- if .Values.cloneStaticSiteFromGit.enabled }} +emptyDir: {} +{{- else if .Values.staticSiteConfigmap }} +configMap: + name: {{ printf "%s" (tpl .Values.staticSiteConfigmap $) -}} +{{- else if .Values.staticSitePVC }} +persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.staticSitePVC $) -}} +{{- end }} +{{- end -}} + +{{/* +Return the custom NGINX server block configmap. 
+*/}} +{{- define "nginx.serverBlockConfigmapName" -}} +{{- if .Values.existingServerBlockConfigmap -}} + {{- printf "%s" (tpl .Values.existingServerBlockConfigmap $) -}} +{{- else -}} + {{- printf "%s-server-block" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return the custom NGINX stream server block configmap. +*/}} +{{- define "nginx.streamServerBlockConfigmapName" -}} +{{- if .Values.existingStreamServerBlockConfigmap -}} + {{- printf "%s" (tpl .Values.existingStreamServerBlockConfigmap $) -}} +{{- else -}} + {{- printf "%s-stream-server-block" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "nginx.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "nginx.validateValues.cloneStaticSiteFromGit" .) -}} +{{- $messages := append $messages (include "nginx.validateValues.extraVolumes" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* Validate values of NGINX - Clone StaticSite from Git configuration */}} +{{- define "nginx.validateValues.cloneStaticSiteFromGit" -}} +{{- if and .Values.cloneStaticSiteFromGit.enabled (or (not .Values.cloneStaticSiteFromGit.repository) (not .Values.cloneStaticSiteFromGit.branch)) -}} +nginx: cloneStaticSiteFromGit + When enabling cloing a static site from a Git repository, both the Git repository and the Git branch must be provided. + Please provide them by setting the `cloneStaticSiteFromGit.repository` and `cloneStaticSiteFromGit.branch` parameters. 
+{{- end -}} +{{- end -}} + +{{/* Validate values of NGINX - Incorrect extra volume settings */}} +{{- define "nginx.validateValues.extraVolumes" -}} +{{- if and (.Values.extraVolumes) (not (or .Values.extraVolumeMounts .Values.cloneStaticSiteFromGit.extraVolumeMounts)) -}} +nginx: missing-extra-volume-mounts + You specified extra volumes but not mount points for them. Please set + the extraVolumeMounts value +{{- end -}} +{{- end -}} + +{{/* + Create the name of the service account to use + */}} +{{- define "nginx.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/nginx/templates/deployment.yaml b/kubernetes/common/nginx/templates/deployment.yaml new file mode 100644 index 0000000000..0d8b990e14 --- /dev/null +++ b/kubernetes/common/nginx/templates/deployment.yaml 
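Review bot: `nginx.useStaticSite` in _helpers.tpl emits ` {- true -}}` (single opening brace), which Go templates treat as literal text rather than an action; callers only test `(include "nginx.useStaticSite" .)` for non-emptiness so the static-site volume is still mounted, but the helper should read `{{- true -}}` so it returns the boolean text its name promises instead of a stray `{- true -}}`. Also fix the typo "cloing" to "cloning" in the `nginx.validateValues.cloneStaticSiteFromGit` message.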
@@ -0,0 +1,417 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- if .Values.updateStrategy }} + strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + annotations: + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.serverBlock (not .Values.existingServerBlockConfigmap) }} + checksum/server-block-configuration: {{ include (print $.Template.BasePath "/server-block-configmap.yaml") . 
| sha256sum }} + {{- end }} + {{- if and .Values.streamServerBlock (not .Values.existingServerBlockConfigmap) }} + checksum/stream-server-block-configuration: {{ include (print $.Template.BasePath "/stream-server-block-configmap.yaml") . | sha256sum }} + {{- end }} + spec: + {{- include "nginx.imagePullSecrets" . | nindent 6 }} + shareProcessNamespace: {{ .Values.sidecarSingleProcessNamespace }} + serviceAccountName: {{ template "nginx.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + hostNetwork: {{ .Values.hostNetwork }} + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy }} + {{- end }} + {{- if .Values.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dnsConfig "context" $) | nindent 8 }} + {{- end }} + hostIPC: {{ .Values.hostIPC }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + 
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName | quote }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if or .Values.containerSecurityContext.readOnlyRootFilesystem .Values.cloneStaticSiteFromGit.enabled .Values.initContainers }} + initContainers: + {{- if .Values.containerSecurityContext.readOnlyRootFilesystem }} + - name: preserve-logs-symlinks + image: {{ include "nginx.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + command: + - /bin/bash + args: + - -ec + - | + #!/bin/bash + . /opt/bitnami/scripts/libfs.sh + # We copy the logs folder because it has symlinks to stdout and stderr + if ! 
is_dir_empty /opt/bitnami/nginx/logs; then + cp -r /opt/bitnami/nginx/logs /emptydir/app-logs-dir + fi + volumeMounts: + - name: empty-dir + mountPath: /emptydir + {{- end }} + {{- if or .Values.cloneStaticSiteFromGit.enabled .Values.initContainers }} + {{- if .Values.cloneStaticSiteFromGit.enabled }} + - name: git-clone-repository + image: {{ include "nginx.cloneStaticSiteFromGit.image" . }} + imagePullPolicy: {{ .Values.cloneStaticSiteFromGit.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.gitClone.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.gitClone.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + - | + [[ -f "/opt/bitnami/scripts/git/entrypoint.sh" ]] && source "/opt/bitnami/scripts/git/entrypoint.sh" + git clone {{ .Values.cloneStaticSiteFromGit.repository }} --branch {{ .Values.cloneStaticSiteFromGit.branch }} /tmp/app + [[ "$?" 
-eq 0 ]] && shopt -s dotglob && rm -rf /app/* && mv /tmp/app/* /app/ + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.gitClone.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.gitClone.args "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /etc/ssh + subPath: etc-ssh-dir + - name: empty-dir + mountPath: /.ssh + subPath: ssh-dir + - name: staticsite + mountPath: /app + {{- if .Values.cloneStaticSiteFromGit.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.extraEnvVars }} + env: {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.extraEnvVarsSecret }} + envFrom: + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- end }} + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- end }} + {{- end }} + containers: + {{- if .Values.cloneStaticSiteFromGit.enabled }} + - name: git-repo-syncer + image: {{ include "nginx.cloneStaticSiteFromGit.image" . 
}} + imagePullPolicy: {{ .Values.cloneStaticSiteFromGit.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.gitSync.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.gitSync.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + - | + [[ -f "/opt/bitnami/scripts/git/entrypoint.sh" ]] && source "/opt/bitnami/scripts/git/entrypoint.sh" + while true; do + cd /app && git -c safe.directory=/app pull origin {{ .Values.cloneStaticSiteFromGit.branch }} + sleep {{ .Values.cloneStaticSiteFromGit.interval }} + done + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.gitSync.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.gitSync.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.gitSync.resources }} + resources: {{- toYaml .Values.cloneStaticSiteFromGit.gitSync.resources | nindent 12 }} + {{- else if ne .Values.cloneStaticSiteFromGit.gitSync.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.cloneStaticSiteFromGit.gitSync.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /etc/ssh + subPath: etc-ssh-dir + - name: empty-dir + mountPath: /.ssh + subPath: ssh-dir + - name: staticsite + mountPath: /app + {{- if .Values.cloneStaticSiteFromGit.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.extraEnvVars }} + env: {{- include "common.tplvalues.render" (dict "value" 
.Values.cloneStaticSiteFromGit.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.extraEnvVarsSecret }} + envFrom: + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- end }} + - name: nginx + image: {{ include "nginx.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + {{- if .Values.containerPorts.http }} + - name: NGINX_HTTP_PORT_NUMBER + value: {{ .Values.containerPorts.http | quote }} + {{- end }} + {{- if .Values.containerPorts.https }} + - name: NGINX_HTTPS_PORT_NUMBER + value: {{ .Values.containerPorts.https | quote }} + {{- end }} + {{- if or .Values.streamServerBlock .Values.existingStreamServerBlockConfigmap }} + - name: NGINX_ENABLE_STREAM + value: "true" + {{- end }} + {{- if .Values.extraEnvVars 
}} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + ports: + {{- if .Values.containerPorts.http }} + - name: http + containerPort: {{ .Values.containerPorts.http }} + {{- end }} + {{- if .Values.containerPorts.https }} + - name: https + containerPort: {{ .Values.containerPorts.https }} + {{- end }} + {{- if .Values.extraContainerPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraContainerPorts "context" $) | nindent 12 }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: {{ ternary "https" "http" (and (empty .Values.containerPorts.http) (not (empty .Values.containerPorts.https))) }} + {{- end }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled" "path") "context" $) | nindent 12 }} + httpGet: + path: {{ .Values.readinessProbe.path }} + port: {{ ternary "https" "http" (and (empty .Values.containerPorts.http) (not (empty .Values.containerPorts.https))) }} + {{- end }} + {{- if 
.Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: {{ ternary "https" "http" (and (empty .Values.containerPorts.http) (not (empty .Values.containerPorts.https))) }} + {{- end }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/nginx/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/nginx/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /opt/bitnami/nginx/tmp + subPath: app-tmp-dir + {{- if or .Values.serverBlock .Values.existingServerBlockConfigmap }} + - name: nginx-server-block + mountPath: /opt/bitnami/nginx/conf/server_blocks + {{- end }} + {{- if or .Values.streamServerBlock .Values.existingStreamServerBlockConfigmap }} + - name: nginx-stream-server-block + mountPath: /opt/bitnami/nginx/conf/stream_server_blocks + {{- end }} + {{- if (include "nginx.useStaticSite" .) }} + - name: staticsite + mountPath: /app + {{- end }} + {{- if .Values.tls.enabled }} + - name: certificate + mountPath: /certs + {{- else }} + - name: empty-dir + mountPath: /certs + subPath: app-tls-dir + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "nginx.metrics.image" . 
}} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.securityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.securityContext "context" $) | nindent 12 }} + {{- end }} + command: + - exporter + args: + - --nginx.scrape-uri + - {{ printf "http://127.0.0.1:%d/status" (int (default .Values.containerPorts.http .Values.metrics.port)) | quote }} + - --web.listen-address + - {{ printf ":%d" (int .Values.metrics.containerPorts.metrics) | quote }} + {{- if .Values.metrics.extraArgs }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraArgs "context" $ ) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.containerPorts.metrics }} + livenessProbe: + httpGet: + path: /metrics + port: metrics + initialDelaySeconds: 15 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /metrics + port: metrics + initialDelaySeconds: 5 + timeoutSeconds: 1 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + {{- if .Values.tls.enabled }} + - name: certificate + secret: + {{- if .Values.tls.existingSecret }} + secretName: {{ .Values.tls.existingSecret }} + {{- else }} + secretName: {{ printf "%s-tls" (include "common.names.fullname" .) 
}} + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key + {{- end }} + {{- end }} + {{- if or .Values.serverBlock .Values.existingServerBlockConfigmap }} + - name: nginx-server-block + configMap: + name: {{ include "nginx.serverBlockConfigmapName" . }} + {{- end }} + {{- if or .Values.streamServerBlock .Values.existingStreamServerBlockConfigmap }} + - name: nginx-stream-server-block + configMap: + name: {{ include "nginx.streamServerBlockConfigmapName" . }} + {{- end }} + {{- if (include "nginx.useStaticSite" .) }} + - name: staticsite + {{- include "nginx.staticSiteVolume" . | nindent 10 }} + {{- end }} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} diff --git a/kubernetes/common/nginx/templates/extra-list.yaml b/kubernetes/common/nginx/templates/extra-list.yaml new file mode 100644 index 0000000000..329f5c653a --- /dev/null +++ b/kubernetes/common/nginx/templates/extra-list.yaml @@ -0,0 +1,9 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/health-ingress.yaml b/kubernetes/common/nginx/templates/health-ingress.yaml new file mode 100644 index 0000000000..5df37e018e --- /dev/null +++ b/kubernetes/common/nginx/templates/health-ingress.yaml 
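Review bot: the `checksum/stream-server-block-configuration` annotation in deployment.yaml is gated on `(not .Values.existingServerBlockConfigmap)` instead of `(not .Values.existingStreamServerBlockConfigmap)`, so the checksum that should trigger a rollout when the stream block changes follows the wrong value (it is dropped when only the HTTP server block is external, and emitted for an inline `streamServerBlock` even when an external stream configmap is used); change the condition to `{{- if and .Values.streamServerBlock (not .Values.existingStreamServerBlockConfigmap) }}`. Also, the `git-clone-repository` init container and the `git-repo-syncer` sidecar splice `.Values.cloneStaticSiteFromGit.repository` and `.branch` unquoted into a `bash -ec` script; render them with `| quote` so a value containing spaces or shell metacharacters reaches git as a single argument rather than being interpreted by the shell.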
@@ -0,0 +1,59 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.healthIngress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ include "common.names.fullname" . }}-health + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.healthIngress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.healthIngress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.healthIngress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.healthIngress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.healthIngress.hostname }} + - host: {{ .Values.healthIngress.hostname }} + http: + paths: + {{- if .Values.healthIngress.extraPaths }} + {{- toYaml .Values.healthIngress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.healthIngress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.healthIngress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) 
"servicePort" (ternary "http" "https" (not .Values.containerPorts.https)) "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.healthIngress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" (ternary "http" "https" (not $.Values.containerPorts.https)) "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.healthIngress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.healthIngress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.healthIngress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.healthIngress.annotations )) .Values.healthIngress.selfSigned (not (empty .Values.healthIngress.secrets)))) .Values.healthIngress.extraTls }} + tls: + {{- if and .Values.healthIngress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.healthIngress.annotations )) .Values.healthIngress.selfSigned (not (empty .Values.healthIngress.secrets))) }} + - hosts: + - {{ .Values.healthIngress.hostname | quote }} + secretName: {{ printf "%s-health-tls" .Values.healthIngress.hostname }} + {{- end }} + {{- if .Values.healthIngress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.healthIngress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/hpa.yaml b/kubernetes/common/nginx/templates/hpa.yaml new file mode 100644 index 0000000000..44b5395f20 --- /dev/null +++ b/kubernetes/common/nginx/templates/hpa.yaml 
@@ -0,0 +1,48 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.autoscaling.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} + kind: Deployment + name: {{ template "common.names.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- end }} + {{- end }} + {{- if .Values.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/ingress-tls-secret.yaml b/kubernetes/common/nginx/templates/ingress-tls-secret.yaml new file mode 100644 index 0000000000..d2943767c5 --- /dev/null +++ b/kubernetes/common/nginx/templates/ingress-tls-secret.yaml 
@@ -0,0 +1,83 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.ingress.enabled }} +{{- if .Values.ingress.secrets }} +{{- range .Values.ingress.secrets }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .name }} + namespace: {{ include "common.names.namespace" $ | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ .certificate | b64enc }} + tls.key: {{ .key | b64enc }} +--- +{{- end }} +{{- else if and .Values.ingress.tls .Values.ingress.selfSigned }} +{{- $secretName := printf "%s-tls" .Values.ingress.hostname }} +{{- $ca := genCA "nginx-ca" 365 }} +{{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ include "common.names.namespace" . 
| quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} + tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} + ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} +--- +{{- end }} +{{- end }} +{{- if .Values.healthIngress.enabled }} +{{- if .Values.healthIngress.secrets }} +{{- range .Values.healthIngress.secrets }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .name }} + namespace: {{ include "common.names.namespace" $ | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ .certificate | b64enc }} + tls.key: {{ .key | b64enc }} +--- +{{- end }} +{{- else if and .Values.healthIngress.tls .Values.healthIngress.selfSigned }} +{{- $secretName := printf "%s-tls" .Values.healthIngress.hostname }} +{{- $ca := genCA "nginx-health-ca" 365 }} +{{- $cert := genSignedCert .Values.healthIngress.hostname nil (list .Values.healthIngress.hostname) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ include "common.names.namespace" . 
| quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} + tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} + ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} +--- +{{- end }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/ingress.yaml b/kubernetes/common/nginx/templates/ingress.yaml new file mode 100644 index 0000000000..b49f86b46f --- /dev/null +++ b/kubernetes/common/nginx/templates/ingress.yaml 
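Review bot: the self-signed branches of ingress-tls-secret.yaml (`{{- else if and .Values.ingress.tls .Values.ingress.selfSigned }}` and its healthIngress twin) hard-code a 365-day lifetime for both `genCA` and `genSignedCert`, and the `common.secrets.lookup` calls with `defaultValue` are evidently there to reuse whatever `<hostname>-tls` already holds on every upgrade, so the certificate is never regenerated and silently expires after a year. Please document in values.yaml that rotation means deleting the Secret before upgrading (or using cert-manager or `ingress.secrets` instead), and consider sourcing the lifetime from a value rather than the literal `365`. Minor: the `ingress.secrets` loop writes `.certificate` and `.key` straight from values, so private keys end up in the values passed to Helm; the docs for `ingress.secrets` should point users at `--set-file` or an existing Secret rather than plaintext values.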
@@ -0,0 +1,73 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.ingress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.ingress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.ingress.hostname }} + - host: {{ .Values.ingress.hostname | quote }} + http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.ingress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "http" "context" $) | nindent 14 }} + {{- else if .Values.ingress.path }} + - http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.ingress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) 
"servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned (not (empty .Values.ingress.secrets)))) .Values.ingress.extraTls }} + tls: + {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned (not (empty .Values.ingress.secrets))) }} + - hosts: + - {{ .Values.ingress.hostname | quote }} + {{- if and (or (.Values.ingress.tlsWwwPrefix) (eq (index .Values.ingress.annotations "nginx.ingress.kubernetes.io/from-to-www-redirect") "true" )) (not (contains "www." .Values.ingress.hostname)) }} + - {{ printf "www.%s" (tpl .Values.ingress.hostname $) | quote }} + {{- end }} + secretName: {{ printf "%s-tls" .Values.ingress.hostname }} + {{- end }} + {{- if .Values.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/networkpolicy.yaml b/kubernetes/common/nginx/templates/networkpolicy.yaml new file mode 100644 index 0000000000..327e1fa37f --- /dev/null +++ b/kubernetes/common/nginx/templates/networkpolicy.yaml 
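Review bot: in the `tls:` block of ingress.yaml, `secretName: {{ printf "%s-tls" .Values.ingress.hostname }}` is fixed even when the certificate is supplied through `.Values.ingress.secrets`, whose Secrets ingress-tls-secret.yaml names from each entry's own `.name`; an entry named anything other than `<hostname>-tls` leaves the Ingress referencing a Secret that does not exist. Either take `secretName` from the first `ingress.secrets` entry when that list is non-empty, or state the naming requirement in values.yaml. Separately, the `www.` host appended under `hosts:` when `tlsWwwPrefix` or the `from-to-www-redirect` annotation is set has no matching SAN in the `selfSigned` certificate (that one is generated for `.Values.ingress.hostname` only), so the www name fails TLS verification in that mode.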
@@ -0,0 +1,71 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + egress: + {{- if .Values.networkPolicy.allowExternalEgress }} + - {} + {{- else }} + - ports: + # Allow dns resolution + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.http }} + {{- if .Values.containerPorts.https }} + - port: {{ .Values.containerPorts.https }} + {{- end }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . 
}}-client: "true" + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/pdb.yaml b/kubernetes/common/nginx/templates/pdb.yaml new file mode 100644 index 0000000000..821b4f9f70 --- /dev/null +++ b/kubernetes/common/nginx/templates/pdb.yaml 
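Review bot: in networkpolicy.yaml the `ingress:` rule only receives a `from:` block when `networkPolicy.allowExternal` is false; otherwise it lists the http, https and metrics ports with no source selector at all, which admits traffic from every namespace and from outside the cluster, and the metrics port is opened along with the others. Please spell that out in the `networkPolicy` section of values.yaml, and consider a dedicated `from:` for the metrics port (for example the `ingressNSMatchLabels` namespace selector) so that enabling metrics does not widen what is reachable. Also, the DNS egress rule (`port: 53` UDP and TCP with no `to:`) allows port-53 traffic to any destination, not only the cluster resolver; a `to:` with a namespaceSelector for the DNS namespace would tighten it without breaking resolution.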
@@ -0,0 +1,26 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable)}} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/prometheusrules.yaml b/kubernetes/common/nginx/templates/prometheusrules.yaml new file mode 100644 index 0000000000..d2d728ff24 --- /dev/null +++ b/kubernetes/common/nginx/templates/prometheusrules.yaml 
@@ -0,0 +1,24 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ default (include "common.names.namespace" .) .Values.metrics.prometheusRule.namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.metrics.prometheusRule.additionalLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + groups: + - name: {{ include "common.names.fullname" . }} + rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 6 }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/server-block-configmap.yaml b/kubernetes/common/nginx/templates/server-block-configmap.yaml new file mode 100644 index 0000000000..940c50ec79 --- /dev/null +++ b/kubernetes/common/nginx/templates/server-block-configmap.yaml 
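Review bot: `{{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable)}}` in pdb.yaml lacks the space before `}}` that every other action in these templates has; style only, but it stands out. More importantly, the fallback `maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }}` together with `replicaCount: 1` from values.yaml yields a budget that permits the only replica to be evicted, so `pdb.create` gives no protection unless replicas are also raised; a sentence next to `pdb.create` in values.yaml would prevent a false sense of safety.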
@@ -0,0 +1,19 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.serverBlock (not .Values.existingServerBlockConfigmap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-server-block + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + server-block.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.serverBlock "context" $ ) | nindent 4 }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/serviceaccount.yaml b/kubernetes/common/nginx/templates/serviceaccount.yaml new file mode 100644 index 0000000000..20fb4928f3 --- /dev/null +++ b/kubernetes/common/nginx/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nginx.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} 
diff --git a/kubernetes/common/nginx/templates/servicemonitor.yaml b/kubernetes/common/nginx/templates/servicemonitor.yaml new file mode 100644 index 0000000000..d597e06be0 --- /dev/null +++ b/kubernetes/common/nginx/templates/servicemonitor.yaml 
@@ -0,0 +1,45 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ default (include "common.names.namespace" .) .Values.metrics.serviceMonitor.namespace | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel | quote }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} + endpoints: + - port: metrics + path: /metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include 
"common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/stream-server-block-configmap.yaml b/kubernetes/common/nginx/templates/stream-server-block-configmap.yaml new file mode 100644 index 0000000000..11b39d404b --- /dev/null +++ b/kubernetes/common/nginx/templates/stream-server-block-configmap.yaml @@ -0,0 +1,19 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.streamServerBlock (not .Values.existingStreamServerBlockConfigmap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-stream-server-block + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + stream-server-block.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.streamServerBlock "context" $ ) | nindent 4 }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/svc.yaml b/kubernetes/common/nginx/templates/svc.yaml new file mode 100644 index 0000000000..e86926fa49 --- /dev/null +++ b/kubernetes/common/nginx/templates/svc.yaml 
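Review bot: `namespaceSelector.matchNames` in servicemonitor.yaml uses `.Release.Namespace`, while the ServiceMonitor's own `metadata.namespace` and every other template here use `common.names.namespace`, which honours `namespaceOverride`; with `namespaceOverride` set, Prometheus Operator will look for the Service in the release namespace, where it does not exist, and the scrape target silently never appears. Use `- {{ include "common.names.namespace" . }}` there as well.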
@@ -0,0 +1,69 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + annotations: + {{- if or .Values.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.service.loadBalancerIP 
}} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} + ports: + {{- if .Values.containerPorts.http }} + - name: http + port: {{ .Values.service.ports.http }} + targetPort: {{ .Values.service.targetPort.http }} + {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.http)) }} + nodePort: {{ .Values.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.containerPorts.https }} + - name: https + port: {{ .Values.service.ports.https }} + targetPort: {{ .Values.service.targetPort.https }} + {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.https)) }} + nodePort: {{ .Values.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + port: {{ .Values.metrics.service.port }} + targetPort: metrics + {{- end }} + {{- if .Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} diff --git a/kubernetes/common/nginx/templates/tls-secret.yaml b/kubernetes/common/nginx/templates/tls-secret.yaml new file mode 100644 index 0000000000..4a265f5243 --- /dev/null +++ b/kubernetes/common/nginx/templates/tls-secret.yaml 
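Review bot: in svc.yaml the metrics port (`- name: metrics` with `port: {{ .Values.metrics.service.port }}`) is appended to the same Service as http and https, so with `service.type: LoadBalancer` or `NodePort` the Prometheus exporter is published through the same load balancer or node port as the application, with `loadBalancerSourceRanges` as the only restriction. Consider a separate ClusterIP Service for metrics (the ServiceMonitor selects by label, so it would still be discovered) or at least document the exposure next to `metrics.service.port`.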
@@ -0,0 +1,35 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.tls.enabled (not .Values.tls.existingSecret) }} +{{- $ca := genCA "nginx-ca" 365 }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-tls" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + {{- if .Values.tls.autoGenerated }} + {{- $cert := genSignedCert (include "common.names.fullname" .) nil (list (include "common.names.fullname" .) (printf "%s.%s" (include "common.names.fullname" .) (include "common.names.namespace" .)) (printf "%s.%s.svc" (include "common.names.fullname" .) (include "common.names.namespace" .)) (printf "%s.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" .) 
.Values.clusterDomain)) 365 $ca }} + {{ .Values.tls.certFilename }}: {{ include "common.secrets.lookup" (dict "secret" (printf "%s-tls" (include "common.names.fullname" .)) "key" .Values.tls.certFilename "defaultValue" $cert.Cert "context" $) }} + {{ .Values.tls.certKeyFilename }}: {{ include "common.secrets.lookup" (dict "secret" (printf "%s-tls" (include "common.names.fullname" .)) "key" .Values.tls.certKeyFilename "defaultValue" $cert.Key "context" $) }} + {{ .Values.tls.certCAFilename }}: {{ include "common.secrets.lookup" (dict "secret" (printf "%s-tls" (include "common.names.fullname" .)) "key" .Values.tls.certCAFilename "defaultValue" $ca.Cert "context" $) }} + {{- else }} + {{- if .Values.tls.cert }} + {{ .Values.tls.certFilename }}: {{ .Values.tls.cert | b64enc }} + {{- end }} + {{- if .Values.tls.key }} + {{ .Values.tls.certKeyFilename }}: {{ .Values.tls.key | b64enc }} + {{- end }} + {{- if .Values.tls.ca }} + {{ .Values.tls.certCAFilename }}: {{ .Values.tls.ca | b64enc }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/nginx/values.schema.json b/kubernetes/common/nginx/values.schema.json new file mode 100644 index 0000000000..ccb7bcd848 --- /dev/null +++ b/kubernetes/common/nginx/values.schema.json 
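Review bot: in the `{{- else }}` branch of tls-secret.yaml (`tls.autoGenerated: false` with no `existingSecret`), each entry is emitted only `if .Values.tls.cert` / `.key` / `.ca`, so leaving `tls.cert` or `tls.key` empty produces a `kubernetes.io/tls` Secret without the mandatory `tls.crt` and `tls.key` keys, and the API server rejects the release with a validation error far from the cause; `required "tls.cert must be set when tls.autoGenerated is false" .Values.tls.cert` (likewise for `tls.key`) gives a clear message. Related: `kubernetes.io/tls` mandates exactly those two key names, so `tls.certFilename` and `tls.certKeyFilename` cannot be changed from their defaults without the Secret being rejected; either drop those knobs from the Secret or switch `type:` to `Opaque` when they are customised. Also, `{{- $ca := genCA "nginx-ca" 365 }}` sits above the `autoGenerated` check and generates a CA key pair even when user-supplied material is used; moving it inside the `if` branch avoids the wasted work.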
@@ -0,0 +1,125 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "ingress": { + "type": "object", + "form": true, + "title": "Ingress details", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Use a custom hostname", + "description": "Enable the ingress resource that allows you to access the NGINX installation." + }, + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "hidden": { + "value": false, + "path": "ingress/enabled" + } + } + } + }, + "service": { + "type": "object", + "form": true, + "title": "Service Configuration", + "properties": { + "type": { + "type": "string", + "form": true, + "title": "Service Type", + "description": "Allowed values: \"ClusterIP\", \"NodePort\" and \"LoadBalancer\"" + } + } + }, + "replicaCount": { + "type": "integer", + "form": true, + "title": "Number of replicas", + "description": "Number of replicas to deploy" + }, + "serverBlock": { + "type": "string", + "form": true, + "title": "Custom server block", + "description": "Custom server block to be added to NGINX configuration" + }, + "streamServerBlock": { + "type": "string", + "form": true, + "title": "Custom stream server block", + "description": "Custom stream server block to be added to NGINX configuration" + }, + "containerSecurityContext": { + "type": "object", + "form": true, + "title": "NGINX containers' Security Context", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Security Context", + "description": "Whether to enable NGINX containers' Security Context" + }, + "runAsUser": { + "type": "integer", + "form": true, + "title": "ID of the user", + "description": "The UID of the user NGINX containers will run as" + } + } + }, + "podSecurityContext": { + "type": "object", + "form": true, + "title": "NGINX pods' Security Context", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Security 
Context", + "description": "Whether to enable NGINX pods' Security Context" + }, + "fsGroup": { + "type": "integer", + "form": true, + "title": "ID of the group", + "description": "The GID of the group NGINX pods will run as" + } + } + }, + "metrics": { + "type": "object", + "form": true, + "title": "Prometheus metrics details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus metrics exporter", + "description": "Create a side-car container to expose Prometheus metrics", + "form": true + }, + "serviceMonitor": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus Operator ServiceMonitor", + "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", + "form": true, + "hidden": { + "value": false, + "path": "metrics/enabled" + } + } + } + } + } + } + } +} diff --git a/kubernetes/common/nginx/values.yaml b/kubernetes/common/nginx/values.yaml new file mode 100644 index 0000000000..d794acb936 --- /dev/null +++ b/kubernetes/common/nginx/values.yaml 
@@ -0,0 +1,1094 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + ## + allowInsecureImages: false + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto +## @section Common parameters + +## @param nameOverride String to partially override nginx.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override nginx.fullname template +## +fullnameOverride: "" +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param clusterDomain Kubernetes Cluster Domain +## +clusterDomain: cluster.local +## @param extraDeploy Extra objects to deploy (value evaluated as a template) +## +extraDeploy: [] +## @param commonLabels Add labels to all the deployed resources +## +commonLabels: {} +## @param commonAnnotations Add annotations to all the deployed resources +## +commonAnnotations: {} +## Enable diagnostic mode in the deployment(s)/statefulset(s) +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the the deployment(s)/statefulset(s) + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the the deployment(s)/statefulset(s) + ## + args: + - infinity +## @section NGINX parameters + +## Bitnami NGINX image version +## ref: https://hub.docker.com/r/bitnami/nginx/tags/ +## @param image.registry [default: REGISTRY_NAME] NGINX image registry +## @param image.repository [default: REPOSITORY_NAME/nginx] NGINX image repository +## @skip image.tag NGINX image tag (immutable tags are recommended) +## @param image.digest NGINX image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag +## @param image.pullPolicy NGINX image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Set to true if you would like to see extra information on logs +## +image: + registry: docker.io + repository: bitnami/nginx + tag: 1.27.3-debian-12-r5 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## E.g.: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: false +## @param hostAliases Deployment pod host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] +## Command and args for running the container (set to default if not set). 
Use array form +## @param command Override default container command (useful when using custom images) +## @param args Override default container args (useful when using custom images) +## +command: [] +args: [] +## @param extraEnvVars Extra environment variables to be set on NGINX containers +## E.g: +## extraEnvVars: +## - name: FOO +## value: BAR +## +extraEnvVars: [] +## @param extraEnvVarsCM ConfigMap with extra environment variables +## +extraEnvVarsCM: "" +## @param extraEnvVarsSecret Secret with extra environment variables +## +extraEnvVarsSecret: "" +## @section NGINX deployment parameters + +## @param replicaCount Number of NGINX replicas to deploy +## +replicaCount: 1 +## @param revisionHistoryLimit The number of old history to retain to allow rollback +## +revisionHistoryLimit: 10 +## @param updateStrategy.type NGINX deployment strategy type +## @param updateStrategy.rollingUpdate NGINX deployment rolling update configuration parameters +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## +updateStrategy: + type: RollingUpdate + rollingUpdate: {} +## @param podLabels Additional labels for NGINX pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAnnotations Annotations for NGINX pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] +## @param affinity Affinity for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param hostNetwork Specify if host network should be enabled for NGINX pod +## +hostNetwork: false +## @param hostIPC Specify if host IPC should be enabled for NGINX pod +## +hostIPC: false +## DNS-Pod services +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## @param dnsPolicy Specifies the DNS policy for the NGINX pod +## DNS policies can be set on a per-Pod basis. Currently Kubernetes supports the following Pod-specific DNS policies. +## Available options: Default, ClusterFirst, ClusterFirstWithHostNet, None +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: "" +## @param dnsConfig Allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` +## The dnsConfig field is optional and it can work with any dnsPolicy settings. 
+## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config +## E.g. +## dnsConfig: +## nameservers: +## - 192.0.2.1 # this is an example +## searches: +## - ns1.svc.cluster-domain.example +## - my.dns.search.suffix +## options: +## - name: ndots +## value: "2" +## - name: edns0 +dnsConfig: {} +## @param nodeSelector Node labels for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param tolerations Tolerations for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param priorityClassName NGINX pods' priorityClassName +## +priorityClassName: "" +## @param schedulerName Name of the k8s scheduler (other than default) +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param terminationGracePeriodSeconds In seconds, time the given to the NGINX pod needs to terminate gracefully +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +terminationGracePeriodSeconds: "" +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment +## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## The value is evaluated as a template +## +topologySpreadConstraints: [] +## TLS settings +## +tls: + ## @param tls.enabled Enable TLS transport + ## + enabled: true + ## @param tls.autoGenerated Auto-generate self-signed certificates + ## + autoGenerated: true + ## @param tls.existingSecret Name of a secret containing the certificates + ## + existingSecret: "" + ## @param tls.certFilename Path of the certificate file when mounted as a secret + ## + certFilename: tls.crt + ## @param tls.certKeyFilename Path of the certificate key file when mounted as a secret + ## + certKeyFilename: tls.key + ## @param 
tls.certCAFilename Path of the certificate CA file when mounted as a secret + ## + certCAFilename: ca.crt + ## @param tls.cert Content of the certificate to be added to the secret + ## + cert: "" + ## @param tls.key Content of the certificate key to be added to the secret + ## + key: "" + ## @param tls.ca Content of the certificate CA to be added to the secret + ## + ca: "" +## NGINX pods' Security Context. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled NGINX pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Set NGINX pod's Security Context fsGroup +## @param podSecurityContext.sysctls sysctl settings of the NGINX pods +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] + fsGroup: 1001 + ## sysctl settings + ## Example: + ## sysctls: + ## - name: net.core.somaxconn + ## value: "10000" + ## + sysctls: [] +## NGINX containers' Security Context. 
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## Configures the ports NGINX listens on +## @param containerPorts.http Sets http port inside NGINX container +## @param containerPorts.https Sets https port inside NGINX container +## +containerPorts: + http: 8080 + https: 8443 +## @param extraContainerPorts Array of additional container ports for the Nginx container +## e.g: +## extraContainerPorts: +## - name: grpc +## containerPort: 4317 +## +extraContainerPorts: [] +## NGINX containers' resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify 
default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "nano" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} +## NGINX containers' lifecycleHooks +## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ +## If you do want to specify lifecycleHooks, uncomment the following +## lines, adjust them as necessary, and remove the curly braces on 'lifecycle:{}'. +## @param lifecycleHooks Optional lifecycleHooks for the NGINX container +lifecycleHooks: {} +## Example: +## postStart: +## exec: +## command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] +## Example: +## preStop: +## exec: +## command: ["/bin/sleep", "20"] +## command: ["/bin/sh","-c","nginx -s quit; while killall -0 nginx; do sleep 1; done"] + +## NGINX containers' startup probe. 
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param startupProbe.enabled Enable startupProbe +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + initialDelaySeconds: 30 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 +## NGINX containers' liveness probe. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param livenessProbe.enabled Enable livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 30 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 +## NGINX containers' readiness probe. 
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param readinessProbe.enabled Enable readinessProbe +## @param readinessProbe.path Request path for livenessProbe +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + path: / + initialDelaySeconds: 5 + timeoutSeconds: 3 + periodSeconds: 5 + failureThreshold: 3 + successThreshold: 1 +## @param customStartupProbe Custom liveness probe for the Web component +## +customStartupProbe: {} +## @param customLivenessProbe Override default liveness probe +## +customLivenessProbe: {} +## @param customReadinessProbe Override default readiness probe +## +customReadinessProbe: {} +## Autoscaling parameters +## @param autoscaling.enabled Enable autoscaling for NGINX deployment +## @param autoscaling.minReplicas Minimum number of replicas to scale back +## @param autoscaling.maxReplicas Maximum number of replicas to scale out +## @param autoscaling.targetCPU Target CPU utilization percentage +## @param autoscaling.targetMemory Target Memory utilization percentage +## +autoscaling: + enabled: false + minReplicas: "" + maxReplicas: "" + targetCPU: "" + targetMemory: "" +## @param extraVolumes Array to add extra volumes +## +extraVolumes: [] +## @param extraVolumeMounts Array to add extra mount +## +extraVolumeMounts: [] +## Pods Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for nginx pod + ## + create: true + ## @param serviceAccount.name The name of the 
ServiceAccount to use. + ## If not set and create is true, a name is generated using the `common.names.fullname` template + name: "" + ## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. + ## Only used if `create` is `true`. + ## + annotations: {} + ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod + ## + automountServiceAccountToken: false +## @param sidecars Sidecar parameters +## e.g: +## sidecars: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +sidecars: [] +## @param sidecarSingleProcessNamespace Enable sharing the process namespace with sidecars +## This will switch pod.spec.shareProcessNamespace parameter +## +sidecarSingleProcessNamespace: false +## @param initContainers Extra init containers +## +initContainers: [] +## Pod Disruption Budget configuration +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +## +pdb: + ## @param pdb.create Created a PodDisruptionBudget + ## + create: true + ## @param pdb.minAvailable Min number of pods that must still be available after the eviction. + ## You can specify an integer or a percentage by setting the value to a string representation of a percentage (eg. "50%"). It will be disabled if set to 0 + ## + minAvailable: "" + ## @param pdb.maxUnavailable Max number of pods that can be unavailable after the eviction. + ## You can specify an integer or a percentage by setting the value to a string representation of a percentage (eg. "50%"). It will be disabled if set to 0. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. 
+ ## + maxUnavailable: "" +## @section Custom NGINX application parameters + +## Get the server static content from a git repository +## NOTE: This will override staticSiteConfigmap and staticSitePVC +## +cloneStaticSiteFromGit: + ## @param cloneStaticSiteFromGit.enabled Get the server static content from a Git repository + ## + enabled: false + ## Bitnami Git image version + ## ref: https://hub.docker.com/r/bitnami/git/tags/ + ## @param cloneStaticSiteFromGit.image.registry [default: REGISTRY_NAME] Git image registry + ## @param cloneStaticSiteFromGit.image.repository [default: REPOSITORY_NAME/git] Git image repository + ## @skip cloneStaticSiteFromGit.image.tag Git image tag (immutable tags are recommended) + ## @param cloneStaticSiteFromGit.image.digest Git image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param cloneStaticSiteFromGit.image.pullPolicy Git image pull policy + ## @param cloneStaticSiteFromGit.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/git + tag: 2.48.0-debian-12-r0 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param cloneStaticSiteFromGit.repository Git Repository to clone static content from + ## + repository: "" + ## @param cloneStaticSiteFromGit.branch Git branch to checkout + ## + branch: "" + ## @param cloneStaticSiteFromGit.interval Interval for sidecar container pull from the Git repository + ## + interval: 60 + ## Additional configuration for git-clone-repository initContainer + ## + gitClone: + ## @param cloneStaticSiteFromGit.gitClone.command Override default container command for git-clone-repository + ## + command: [] + ## @param cloneStaticSiteFromGit.gitClone.args Override default container args for git-clone-repository + ## + args: [] + ## Additional configuration for the git-repo-syncer container + ## + gitSync: + ## @param cloneStaticSiteFromGit.gitSync.command Override default container command for git-repo-syncer + ## + command: [] + ## @param cloneStaticSiteFromGit.gitSync.args Override default container args for git-repo-syncer + ## + args: [] + ## git-repo-syncer resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param cloneStaticSiteFromGit.gitSync.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if cloneStaticSiteFromGit.gitSync.resources is set (cloneStaticSiteFromGit.gitSync.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param cloneStaticSiteFromGit.gitSync.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param cloneStaticSiteFromGit.extraEnvVars Additional environment variables to set for the in the containers that clone static site from git + ## E.g: + ## extraEnvVars: + ## - name: FOO + ## value: BAR + ## + extraEnvVars: [] + ## @param cloneStaticSiteFromGit.extraEnvVarsSecret Secret with extra environment variables + ## + extraEnvVarsSecret: "" + ## @param cloneStaticSiteFromGit.extraVolumeMounts Add extra volume mounts for the Git containers + ## Useful to mount keys to connect through ssh. (normally used with extraVolumes) + ## E.g: + ## extraVolumeMounts: + ## - name: ssh-dir + ## mountPath: /root/.ssh/ + ## + extraVolumeMounts: [] +## @param serverBlock Custom server block to be added to NGINX configuration +## PHP-FPM example server block: +## serverBlock: |- +## server { +## listen 0.0.0.0:8080; +## root /app; +## location / { +## index index.html index.php; +## } +## location ~ \.php$ { +## fastcgi_pass phpfpm-server:9000; +## fastcgi_index index.php; +## include fastcgi.conf; +## } +## } +## +serverBlock: "" +## @param streamServerBlock Custom stream server block to be added to NGINX configuration +## streamServerBlock: |- +## server { +## listen 0.0.0.0:8080 udp; +## proxy_pass localhost:9000; +## } +## +streamServerBlock: "" +## @param existingServerBlockConfigmap ConfigMap with custom server block to be added to NGINX configuration +## NOTE: This will override serverBlock +## +existingServerBlockConfigmap: "" +## @param existingStreamServerBlockConfigmap ConfigMap with custom stream server block to be 
added to NGINX configuration +## NOTE: This will override streamServerBlock +## +existingStreamServerBlockConfigmap: "" +## @param staticSiteConfigmap Name of existing ConfigMap with the server static site content +## +staticSiteConfigmap: "" +## @param staticSitePVC Name of existing PVC with the server static site content +## NOTE: This will override staticSiteConfigmap +## +staticSitePVC: "" +## @section Traffic Exposure parameters + +## NGINX Service properties +## +service: + ## @param service.type Service type + ## + type: LoadBalancer + ## @param service.ports.http Service HTTP port + ## @param service.ports.https Service HTTPS port + ## + ports: + http: 80 + https: 443 + ## + ## @param service.nodePorts [object] Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + http: "" + https: "" + ## @param service.targetPort [object] Target port reference value for the Loadbalancer service types can be specified explicitly. + ## Listeners for the Loadbalancer can be custom mapped to the http or https service. 
+ ## Example: Mapping the https listener to targetPort http [http: https] + ## + targetPort: + http: http + https: https + ## @param service.clusterIP NGINX service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.loadBalancerIP LoadBalancer service IP address + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges NGINX service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.loadBalancerClass service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerClass: "" + ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## @param service.annotations Service annotations + ## This can be used to set the LoadBalancer service type to internal only. 
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + ## @param service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster +## Network Policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ## + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} +## Configure the ingress resource that allows you to access the +## Nginx installation. Set up the URL +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + ## @param ingress.enabled Set to true to enable ingress record generation + ## + enabled: false + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.hostname Default host for the ingress resource + ## + hostname: nginx.local + ## @param ingress.path The Path to Nginx. You may need to set this to '/*' in order to use this with ALB ingress controllers. 
+ ## + path: / + ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.ingressClassName Set the ingerssClassName on the ingress record for k8s 1.18+ + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param ingress.tls Create TLS Secret + ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} + ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it + ## + tls: false + ## @param ingress.tlsWwwPrefix Adds www subdomain to default cert + ## Creates tls host with ingress.hostname: {{ print "www.%s" .Values.ingress.hostname }} + ## Is enabled if "nginx.ingress.kubernetes.io/from-to-www-redirect" is "true" + tlsWwwPrefix: false + ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. + ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array + ## extraHosts: + ## - name: nginx.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. 
+ ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - nginx.local + ## secretName: nginx.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## - name: nginx.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.extraRules The list of additional rules to be added to this ingress record. 
Evaluated as a template + ## Useful when looking for additional customization, such as using different backend + ## + extraRules: [] +## Health Ingress parameters +## +healthIngress: + ## @param healthIngress.enabled Set to true to enable health ingress record generation + ## + enabled: false + ## @param healthIngress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param healthIngress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param healthIngress.hostname When the health ingress is enabled, a host pointing to this will be created + ## + hostname: example.local + ## @param healthIngress.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @param healthIngress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param healthIngress.tls Enable TLS configuration for the hostname defined at `healthIngress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.healthIngress.hostname }} + ## You can use the healthIngress.secrets parameter to create this TLS secret, relay on cert-manager to create it, or + ## let the chart create self-signed certificates for you + ## + tls: false + ## @param healthIngress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: example.local + ## path: / + ## + extraHosts: [] + ## @param healthIngress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param healthIngress.extraTls TLS configuration for additional hostnames to be covered + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## E.g. 
+ ## extraTls: + ## - hosts: + ## - example.local + ## secretName: example.local-tls + ## + extraTls: [] + ## @param healthIngress.secrets TLS Secret configuration + ## If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY----- + ## name should line up with a secretName set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create the secret for you + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## + ## E.g. + ## secrets: + ## - name: example.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param healthIngress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param healthIngress.extraRules The list of additional rules to be added to this ingress record. 
Evaluated as a template + ## Useful when looking for additional customization, such as using different backend + ## + extraRules: [] +## @section Metrics parameters + +## Prometheus Exporter / Metrics +## +metrics: + ## @param metrics.enabled Start a Prometheus exporter sidecar container + ## + enabled: false + ## Bitnami NGINX Prometheus Exporter image + ## ref: https://hub.docker.com/r/bitnami/nginx-exporter/tags/ + ## @param metrics.image.registry [default: REGISTRY_NAME] NGINX Prometheus exporter image registry + ## @param metrics.image.repository [default: REPOSITORY_NAME/nginx-exporter] NGINX Prometheus exporter image repository + ## @skip metrics.image.tag NGINX Prometheus exporter image tag (immutable tags are recommended) + ## @param metrics.image.digest NGINX Prometheus exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param metrics.image.pullPolicy NGINX Prometheus exporter image pull policy + ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/nginx-exporter + tag: 1.4.1-debian-12-r0 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.port NGINX Container Status Port scraped by Prometheus Exporter + ## Defaults to specified http port + ## + port: "" + ## @param metrics.extraArgs Extra arguments for Prometheus exporter + ## e.g: + ## extraArgs: + ## - --nginx.timeout + ## - 5s + ## + extraArgs: [] + ## @param metrics.containerPorts.metrics Prometheus exporter container port + ## + containerPorts: + metrics: 9113 + ## @param metrics.podAnnotations Additional annotations for NGINX Prometheus exporter pod(s) + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param metrics.securityContext.enabled Enabled NGINX Exporter containers' Security Context + ## @param metrics.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param metrics.securityContext.runAsUser Set NGINX Exporter container's Security Context runAsUser + ## + securityContext: + enabled: false + seLinuxOptions: {} + runAsUser: 1001 + ## Prometheus exporter service parameters + ## + service: + ## @param metrics.service.port NGINX Prometheus exporter service port + ## + port: 9113 + ## @param metrics.service.annotations [object] Annotations for the Prometheus exporter service + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.port }}" + ## NGINX Prometheus exporter resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. 
This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running + ## + namespace: "" + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. 
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## e.g: + ## interval: 10s + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## e.g: + ## scrapeTimeout: 10s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + ## @param metrics.serviceMonitor.labels Additional labels that can be used so PodMonitor will be discovered by Prometheus + ## + labels: {} + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## Prometheus Operator PrometheusRule configuration + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) + ## + enabled: false + ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus + ## + additionalLabels: {} + ## @param metrics.prometheusRule.rules Prometheus Rule definitions + ## - alert: LowInstance + ## expr: up{service="{{ template "common.names.fullname" . 
}}"} < 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: Service {{ template "common.names.fullname" . }} Tomcat is down since 1m. + ## summary: Tomcat instance is down. + ## + rules: [] diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml index b691c40903..3e0e6c2eaa 100644 --- a/kubernetes/common/serviceAccount/Chart.yaml +++ b/kubernetes/common/serviceAccount/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Template used to create the right Service Accounts / Role / RoleBinding name: serviceAccount -version: 13.0.1 +version: 13.0.2 dependencies: - name: common diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml index d6d041f916..90708854ff 100644 --- a/kubernetes/common/serviceAccount/templates/role.yaml +++ b/kubernetes/common/serviceAccount/templates/role.yaml 
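Review bot: `metrics.securityContext.enabled: false` leaves the exporter sidecar with no container security context at all, so the `runAsUser: 1001` beneath it is never rendered and the sidecar gets only whatever the pod-level context happens to set; since this change hardens other pods in the same release, override it to `true` from the parent values. Two smaller points in the same values block: the exporter image is pinned only by a mutable tag (`tag: 1.4.1-debian-12-r0` with `digest: ""`), so fill in `metrics.image.digest` if a reproducible pull is wanted, and the `prometheusRule.rules` example alerts on "Tomcat is down" in an NGINX chart, a leftover from another chart's values that should be corrected before anyone copies it.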
@@ -47,95 +47,14 @@ metadata: namespace: {{ include "common.namespace" $dot }} rules: {{- if eq $role_type "read" }} -- apiGroups: - - "" # "" indicates the core API group - - apps - - batch - - extensions - resources: - - endpoints - - services - - nodes - - pods - - deployments - - deployments/status - - jobs - - jobs/status - - statefulsets - - replicasets - - replicasets/status - - daemonsets - verbs: - - get - - watch - - list +{{- with $dot.Values.role.read }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- else }} {{- if eq $role_type "create" }} -- apiGroups: - - "" # "" indicates the core API group - - apps - - batch - - extensions - resources: - - pods - - deployments - - deployments/status - - jobs - - jobs/status - - statefulsets - - replicasets - - replicasets/status - - daemonsets - - secrets - - services - verbs: - - get - - watch - - list -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - statefulsets - - configmaps - verbs: - - patch -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - deployments - - secrets - - services - - pods - verbs: - - create -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - pods - - persistentvolumeclaims - - secrets - - deployments - - services - verbs: - - delete -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - pods/exec - verbs: - - create - - get -- apiGroups: - - cert-manager.io - resources: - - certificates - verbs: - - create - - delete +{{- with $dot.Values.role.create }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- else }} # if you don't match read or create, then you're not allowed to use API # except to see basic information about yourself diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml index 4c9f75f38d..5d20e45f58 100644 --- a/kubernetes/common/serviceAccount/values.yaml +++ b/kubernetes/common/serviceAccount/values.yaml 
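Review bot: the `{{- with $dot.Values.role.read }}` / `role.create` blocks render an empty `rules:` when the value is missing or overridden to an empty list, so a typo in a values file or a parent setting `role: {}` silently produces a Role with no permissions instead of a template error; wrap the lookup in `required` (for example `{{- with required "role.read must be defined" $dot.Values.role.read }}`) so the failure is loud at `helm template` time. The flip side deserves a line in the chart README: because the rule set now comes from values, any values file in the release can widen the shared read and create Roles, not only narrow them.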
@@ -22,8 +22,8 @@ global: # if "createDefaultRoles=false" roles: - nothing -# - read -# - create + # - read + # - create # Flag to enable the creation of default roles instead of using # common roles-wrapper @@ -43,3 +43,116 @@ new_roles_definitions: {} # - "get" # - "watch" # - "list" + +role: + read: + - apiGroups: + - "" # "" indicates the core API group + resources: + - services + - pods + - endpoints + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - jobs + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - jobs/status + verbs: + - get + - apiGroups: + - apps + resources: + - statefulsets + - replicasets + - deployments + - statefulsets + - daemonsets + verbs: + - get + - watch + - list + - apiGroups: + - apps + resources: + - replicasets/status + - deployments/status + - statefulsets/status + verbs: + - get + create: + - apiGroups: + - "" # "" indicates the core API group + - apps + - batchs + - extensions + resources: + - pods + - deployments + - deployments/status + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + - secrets + - services + verbs: + - get + - watch + - list + - apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - statefulsets + - configmaps + verbs: + - patch + - apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - deployments + - secrets + - services + - pods + verbs: + - create + - apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods + - persistentvolumeclaims + - secrets + - deployments + - services + verbs: + - delete + - apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods/exec + verbs: + - create + - get + - apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete diff --git a/kubernetes/dcaegen2-services/Chart.yaml b/kubernetes/dcaegen2-services/Chart.yaml index 83b344b303..83732e8298 100644 
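Review bot: `- batchs` in the `create` rule's apiGroups is a typo for `batch`; `jobs` and `jobs/status` only exist in the batch group, so the create Role loses the get/list/watch on Jobs that the removed hard-coded rule in role.yaml granted. Also drop the duplicate `statefulsets` entry in the read rule's apps resources (harmless, but it will confuse the next reader). Removing `nodes` from the read rule is correct, since a namespaced Role cannot grant a cluster-scoped resource anyway. One point carried over unchanged but worth recording now that the rules are reviewable in values: the create Role still grants get/list/watch/create/delete on `secrets` for the whole namespace plus `create` on `pods/exec`, which makes every component that asks for the `create` role effectively a namespace admin; splitting these per consumer would be the natural follow-up.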
--- a/kubernetes/dcaegen2-services/Chart.yaml +++ b/kubernetes/dcaegen2-services/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 appVersion: "Oslo" description: DCAE Microservices name: dcaegen2-services -version: 15.0.0 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index 5e39d51844..183cde0024 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -85,7 +85,7 @@ This template generates a list of volumes associated with the pod, based on information provided in .Values.externalVolumes. This template works in conjunction with dcaegen2-services-common._externalVolumeMounts to give the microservice access to data in volumes created else. -This initial implementation supports ConfigMaps only, as this is the only +This implementation supports ConfigMaps & EmptyDirs only, as this is the only external volume mounting required by current microservices. .Values.externalVolumes is a list of objects. Each object has 3 required fields and 2 optional fields: @@ -94,7 +94,7 @@ external volume mounting required by current microservices. names of resources are sometimes set at deployment time (for instance, to prefix the Helm release to the name), the string can be a Helm template fragment that will be expanded at deployment time. - - type: the type of the resource (in the current implementation, only "ConfigMap" is supported). + - type: the type of the resource (in the current implementation, only "ConfigMap" & "emptyDir" is supported). The value is a case-INsensitive string. - mountPoint: the path to the mount point for the volume in the container file system. The value is a case-sensitive string. 
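Review bot: the docstring still says each externalVolumes object has "3 required fields and 2 optional fields", but the emptyDir type reads a new `sizeLimit` field and ignores `optional` and `readOnly`; document `sizeLimit` and say which fields apply to which type so chart authors do not have to read the template body. Grammar nit in the same comment: "only "ConfigMap" & "emptyDir" is supported" should read "are supported".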
@@ -113,7 +113,7 @@ externalVolumes: type: configmap mountPath: /opt/app/config - name: '{{ include "common.release" . }}-another-example' - type: configmap + type: emptyDir mountPath: /opt/app/otherconfig optional: false */}} @@ -121,14 +121,18 @@ externalVolumes: {{- $global := . -}} {{- if .Values.externalVolumes }} {{- range $vol := .Values.externalVolumes }} + {{- $vname := (tpl $vol.name $global) -}} {{- if eq (lower $vol.type) "configmap" }} - {{- $vname := (tpl $vol.name $global) -}} {{- $opt := hasKey $vol "optional" | ternary $vol.optional true }} - configMap: defaultMode: 420 name: {{ $vname }} optional: {{ $opt }} name: {{ $vname }} + {{- else if eq (lower $vol.type) "emptydir" }} +- name: {{ $vname }} + emptyDir: + sizeLimit: {{ $vol.sizeLimit }} {{- end }} {{- end }} {{- end }} @@ -141,7 +145,7 @@ This template generates a list of volume mounts for the microservice container, based on information provided in .Values.externalVolumes. This template works in conjunction with dcaegen2-services-common._externalVolumes to give the microservice access to data in volumes created else. -This initial implementation supports ConfigMaps only, as this is the only +This initial implementation supports ConfigMaps & EmptyDirs, as this is the only external volume mounting required by current microservices. See the documentation for dcaegen2-services-common._externalVolumes for 
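Review bot: `sizeLimit: {{ $vol.sizeLimit }}` in the new emptyDir branch has no default, so an externalVolumes entry that omits `sizeLimit` renders an empty value and gets an unbounded emptyDir, the very thing the rest of this change removes from the dcaegen2 and multicloud pods; use `{{ $vol.sizeLimit | default "64Mi" }}` or `required "sizeLimit is mandatory for emptyDir volumes" $vol.sizeLimit`. The updated example above it shows `type: emptyDir` together with `optional: false`, which the emptyDir branch ignores; drop it from the example so it does not suggest the field has an effect.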
@@ -152,16 +156,20 @@ the microservice. {{- $global := . -}} {{- if .Values.externalVolumes }} {{- range $vol := .Values.externalVolumes }} + {{- $vname := (tpl $vol.name $global) -}} {{- if eq (lower $vol.type) "configmap" }} - {{- $vname := (tpl $vol.name $global) -}} {{- $readOnly := $vol.readOnly | default false }} - mountPath: {{ $vol.mountPath }} name: {{ $vname }} readOnly: {{ $readOnly }} + {{- else if eq (lower $vol.type) "emptydir" }} +- mountPath: {{ $vol.mountPath }} + name: {{ $vname }} {{- end }} {{- end }} {{- end }} {{- end }} + {{/* dcaegen2-services-common.microserviceDeployment: This template produces a Kubernetes Deployment for a DCAE microservice. @@ -236,6 +244,7 @@ post-processing. {{- define "dcaegen2-services-common.microserviceDeployment" -}} {{- $log := default dict .Values.log -}} {{- $logDir := default "" $log.path -}} +{{- $ves := default false .Values.ves -}} {{- $certDir := (eq "true" (include "common.needTLS" .)) | ternary (default "" .Values.certDirectory . ) "" -}} {{- $commonRelease := print (include "common.release" .) -}} {{- $policy := default dict .Values.policies -}} @@ -253,9 +262,15 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} initContainers: + + {{- if $ves }} + {{- include "dcaegen2-ves-collector.vesCollectorCopyEtc" . | nindent 6 }} + {{- end }} {{- if .Values.readinessCheck }} - {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} {{- end }} {{- include "common.dmaap.provisioning.initContainer" . | nindent 6 }} {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }} 
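Review bot: `securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}` renders `securityContext: null` for every DCAE microservice chart that does not define `podSecurityContext` (in this change only dcae-prh and dcae-ves-collector do), which the API server accepts as unset, so those pods get no hardening from this template change; put a baseline (`runAsNonRoot: true`, `seccompProfile.type: RuntimeDefault`) in dcaegen2-services-common's values and let components override it. The `$ves` flag that pulls `dcaegen2-ves-collector.vesCollectorCopyEtc` into the shared deployment template is a component-specific hook in common code; a generic `extraInitContainers` list in values would cover the VES case without growing this template each time another collector needs a writable copy of its config directory.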
@@ -263,6 +278,8 @@ spec: - image: {{ default ( include "repositoryGenerator.repository" . ) .Values.imageRepositoryOverride }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 10 }} env: {{- range $cred := .Values.credentials }} - name: {{ $cred.name }} @@ -307,6 +324,26 @@ spec: {{- end }} {{- end }} {{- end }} + {{- if .Values.liveness }} + livenessProbe: + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds | default 5 }} + periodSeconds: {{ .Values.liveness.periodSeconds | default 15 }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds | default 1 }} + {{- $probeType := .Values.liveness.type | default "httpGet" -}} + {{- if eq $probeType "httpGet" }} + httpGet: + scheme: {{ .Values.liveness.scheme }} + path: {{ .Values.liveness.path }} + port: {{ .Values.liveness.port }} + {{- end }} + {{- if eq $probeType "exec" }} + exec: + command: + {{- range $cmd := .Values.liveness.command }} + - {{ $cmd }} + {{- end }} + {{- end }} + {{- end }} resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - mountPath: /app-config @@ -314,7 +351,7 @@ spec: - mountPath: /app-config-input name: app-config-input - mountPath: /tmp - name: tmp-volume + name: tmp {{- if $logDir }} - mountPath: {{ $logDir}} name: logs @@ -387,12 +424,13 @@ spec: - emptyDir: medium: Memory name: app-config - - name: tmp-volume + - name: tmp emptyDir: sizeLimit: 128Mi {{- if $logDir }} - - emptyDir: {} - name: logs + - name: logs + emptyDir: + sizeLimit: 128Mi {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} {{- end }} {{- if $certDir }} 
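Review bot: the new livenessProbe defaults `timeoutSeconds` to 1 while dcae-prh's readiness probe on the same `/heartbeat` endpoint uses 30 seconds; a one-second liveness timeout restarts the pod on the first slow heartbeat that readiness would have tolerated, so default the liveness timeout to the readiness value or make it mandatory in values. The same null-when-unset behaviour noted for `podSecurityContext` applies to `toYaml .Values.containerSecurityContext` here. On the volumes hunk: capping `logs` at `sizeLimit: 128Mi` is right, but the kubelet evicts a pod whose emptyDir exceeds its limit, so confirm that the log configuration mounted via `common.log.volumes` rotates files before the filebeat sidecar has shipped them; otherwise a chatty component trades an unbounded disk for an eviction loop.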
diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl new file mode 100644 index 0000000000..a3a724741f --- /dev/null +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl @@ -0,0 +1,26 @@ +{{- define "dcaegen2-ves-collector.vesCollectorCopyEtc" -}} +- name: dcae-ves-collector-copy-etc + command: ["cp", "-R", "/opt/app/VESCollector/etc/.", "/opt/app/VESCollector/etc_rw/"] + image: {{ default ( include "repositoryGenerator.repository" . ) .Values.imageRepositoryOverride }}/{{ .Values.image }} + imagePullPolicy: Always + resources: + limits: + cpu: {{ .Values.copyEtc.resources.limits.cpu }} + memory: {{ .Values.copyEtc.resources.limits.memory }} + requests: + cpu: {{ .Values.copyEtc.resources.requests.cpu }} + memory: {{ .Values.copyEtc.resources.requests.memory }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsNonRoot: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/app/VESCollector/etc_rw + name: ves-collector-etc +{{- end }} diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml index fefc06e805..408c0a9300 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml @@ -19,10 +19,10 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "NewDelhi" +appVersion: "Oslo" description: DCAE PRH name: dcae-prh -version: 13.1.0 +version: 13.1.1 dependencies: - name: common 
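Review bot: `imagePullPolicy: Always` in the copy-etc init container is hard-coded while the main container in the same deployment uses `{{ .Values.global.pullPolicy | default .Values.pullPolicy }}`; use the same expression so deployments that rely on a local image cache keep working. In `capabilities.drop`, `ALL` already covers `CAP_NET_RAW`, so the second entry is redundant. `runAsNonRoot: true` without a `runAsUser` here relies on the pod-level `runAsUser` coming from the component's values, which is fine as long as every chart that sets `ves: true` also sets `podSecurityContext.runAsUser`; a comment on the template stating that dependency would make the coupling visible.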
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml index 11cb72690c..2c9612f4e0 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml @@ -55,7 +55,14 @@ secrets: # probe configuration readiness: - initialDelaySeconds: 5 + initialDelaySeconds: 25 + periodSeconds: 15 + path: /heartbeat + scheme: HTTP + port: 8100 + timeoutSeconds: 30 +liveness: + initialDelaySeconds: 25 periodSeconds: 15 path: /heartbeat scheme: HTTP @@ -197,3 +204,32 @@ serviceAccount: nameOverride: dcae-prh roles: - read + +# Pod Security context +podSecurityContext: + runAsGroup: 1414 + runAsUser: 1414 + fsGroup: 1414 + seccompProfile: + type: RuntimeDefault + +# Container Security context +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsNonRoot: true + +# PRH volumes +externalVolumes: + - name: prh-logs + mountPath: /var/log/ONAP/prh/prh-app-server/ + type: emptyDir + sizeLimit: 64Mi + +# PRH pod annotations +podAnnotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml index 61a5f03b7e..6c03c1a6b2 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml @@ -19,10 +19,10 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "NewDelhi" +appVersion: "Oslo" description: DCAE VES Collector name: dcae-ves-collector -version: 13.1.0 +version: 13.1.1 dependencies: - name: common 
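Review bot: the readiness probe now has `timeoutSeconds: 30` with `periodSeconds: 15`, a timeout twice the probe interval, while the new liveness probe on the same `/heartbeat` endpoint sets no timeout and therefore inherits the template default of 1 second; align the two so liveness does not fail under conditions readiness tolerates. `sidecar.istio.io/rewriteAppHTTPProbers: "false"` means the kubelet probes port 8100 in plaintext; in a namespace with a STRICT PeerAuthentication the sidecar rejects those probes unless the port is also excluded with `traffic.sidecar.istio.io/excludeInboundPorts`, so verify this against the mesh policy before merging. The emptyDir for `/var/log/ONAP/prh/prh-app-server/` is the right companion to `readOnlyRootFilesystem: true`.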
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index ae75bacb57..0007b9cd52 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml @@ -85,6 +85,12 @@ readiness: path: /healthcheck scheme: HTTP port: 8080 +liveness: + initialDelaySeconds: 5 + periodSeconds: 15 + path: /healthcheck + scheme: HTTP + port: 8080 # service configuration service: @@ -288,3 +294,45 @@ serviceAccount: nameOverride: dcae-ves-collector roles: - read + +# Pod Security context +podSecurityContext: + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault + +# Container Security context +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsNonRoot: true + +# Flag which can be used to put VES-COLLECTOR specific properties in template +ves: true + +# VES-COLLECTOR volumes +externalVolumes: + - name: ves-collector-etc + type: emptyDir + sizeLimit: 50Mi + mountPath: /opt/app/VESCollector/etc + +# VES-COLLECTOR pod annotations +podAnnotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" + +# Resources for init container copy-etc +copyEtc: + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 30m + memory: 32Mi diff --git a/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml b/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml index af62dc30ca..cae85bfb90 100644 --- a/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml +++ b/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml @@ -70,7 +70,7 @@ output.logstash: #ssl.key_passphrase: $ssl.key_passphrase logging: - level: debug + level: info # enable file rotation with default configuration to_files: true 
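Review bot: `podSecurityContext` sets `runAsUser: 100` but `runAsGroup: 1000` and `fsGroup: 1000`, whereas dcae-prh uses 1414 for all three; if the mismatch is deliberate (matching the image's built-in user) a comment saying so would stop the next reader from "fixing" it. The `ves: true` flag, the `externalVolumes` emptyDir mounted over `/opt/app/VESCollector/etc` and the `copyEtc` resources only work together (the init container fills the emptyDir that shadows the image directory), so tie the three together with a comment; dropping any one of them later leaves the collector with an empty config directory. The filebeat `level: debug` to `info` change is welcome.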
diff --git a/kubernetes/multicloud/Chart.yaml b/kubernetes/multicloud/Chart.yaml index cecef8c2e2..fd028a718f 100644 --- a/kubernetes/multicloud/Chart.yaml +++ b/kubernetes/multicloud/Chart.yaml @@ -2,6 +2,7 @@ # Modifications Copyright © 2018 AT&T # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ apiVersion: v2 description: ONAP multicloud broker name: multicloud -version: 15.0.0 +version: 15.0.2 dependencies: - name: common diff --git a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml index b825f67969..64c8d5a7fe 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml @@ -1,5 +1,6 @@ # Copyright (c) 2019, CMCC Technologies Co., Ltd. # Modifications Copyright © 2021 Orange +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml index 5dc375290a..046f940d40 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml @@ -1,6 +1,7 @@ # Copyright 2019 Intel Corporation, Inc # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,7 +18,7 @@ apiVersion: v2 description: ONAP Multicloud Kubernetes Plugin name: multicloud-k8s -version: 13.1.0 +version: 13.1.2 dependencies: - name: common diff --git a/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json b/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json index d6fa40d471..08c228f2eb 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json +++ b/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json @@ -8,4 +8,4 @@ "database-address": "multicloud-k8s-mongo", "etcd-ip": "multicloud-k8s-etcd", "plugin-dir": "/opt/multicloud/k8splugin/plugins" -}
\ No newline at end of file +} diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml index 9881a13615..6ed5dee8ee 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright 2019 Intel Corporation, Inc +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,6 +24,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -30,6 +32,7 @@ spec: command: ["/opt/multicloud/k8splugin/k8plugin"] workingDir: /opt/multicloud/k8splugin ports: {{ include "common.containerPorts" . | nindent 10 }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: @@ -43,9 +46,11 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /opt/multicloud/k8splugin/k8sconfig.json - name: {{ include "common.name" .}} - subPath: k8sconfig.json + - mountPath: /tmp + name: tmp-dir-k8s + - mountPath: /opt/multicloud/k8splugin/k8sconfig.json + name: {{ include "common.name" .}} + subPath: k8sconfig.json resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: 
@@ -60,10 +65,28 @@ spec: name: framework-artifactbroker command: ["/opt/app/distribution/bin/artifact-dist.sh"] args: ["/opt/app/distribution/etc/mounted/config.json"] + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + resources: {{ include "common.resources" . | nindent 10 }} ports: - containerPort: {{ .Values.artifactbroker.internalPort }} protocol: TCP + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.artifactbroker.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.artifactbroker.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: + - mountPath: /tmp + name: tmp-dir-broker + - mountPath: "{{ .Values.log.path }}" + name: framework-log - mountPath: /opt/app/distribution/etc/mounted/config.json name: {{ include "common.name" .}} subPath: config.json @@ -77,9 +100,19 @@ spec: key: sasl.jaas.config serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: tmp-dir-k8s + emptyDir: + sizeLimit: {{ .Values.volumes.tmpK8SSizeLimit }} + - name: tmp-dir-broker + emptyDir: + sizeLimit: {{ .Values.volumes.tmpBrokerSizeLimit }} + - name: framework-log + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} - name : {{ include "common.name" . }} configMap: name: {{ include "common.fullname" . }} - name: artifact-data - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.artifactDataSizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/multicloud/components/multicloud-k8s/values.yaml b/kubernetes/multicloud/components/multicloud-k8s/values.yaml index 5c9c0ad864..f22dfa7644 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/values.yaml 
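Review bot: `readiness.enabled: true` is added to the multicloud-k8s values, but the artifactbroker readinessProbe here is emitted unconditionally, so the value is dead; either gate the probe on it, as `liveness.enabled` gates the livenessProbe, or drop the value. Giving artifactbroker its own tcpSocket probes and `/tmp` volume is good, but `resources: {{ include "common.resources" . | nindent 10 }}` now applies the same request/limit block to both containers, so the pod's effective request doubles; check that the component's `resources` values were sized for one container and adjust if not.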
+++ b/kubernetes/multicloud/components/multicloud-k8s/values.yaml @@ -1,4 +1,5 @@ # Copyright 2019 Intel Corporation, Inc +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -59,6 +60,16 @@ nodeSelector: {} affinity: {} +securityContext: + user_id: 999 + group_id: 999 + +volumes: + tmpK8SSizeLimit: 100Mi + tmpBrokerSizeLimit: 100Mi + artifactDataSizeLimit: 100Mi + logSizeLimit: 100Mi + # probe configuration parameters liveness: initialDelaySeconds: 10 @@ -70,6 +81,7 @@ liveness: readiness: initialDelaySeconds: 10 periodSeconds: 30 + enabled: true service: type: NodePort @@ -181,3 +193,7 @@ serviceAccount: nameOverride: multicloud-k8s roles: - read + +#Log configuration +log: + path: /var/log/onap diff --git a/kubernetes/multicloud/templates/deployment.yaml b/kubernetes/multicloud/templates/deployment.yaml index 80a09c73b8..a03a6d02b7 100644 --- a/kubernetes/multicloud/templates/deployment.yaml +++ b/kubernetes/multicloud/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,6 +25,23 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + - name: {{ include "common.name" . }}-copy-pub + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["cp", "-R", "/opt/multivimbroker/multivimbroker/pub/.", "/opt/multivimbroker/multivimbroker/pub_rw/"] + resources: + limits: + cpu: 200m + memory: 200Mi + requests: + cpu: 10m + memory: 100Mi + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + volumeMounts: + - mountPath: /opt/multivimbroker/multivimbroker/pub_rw + name: framework-pub containers: - env: - name: MSB_PROTO @@ -50,9 +68,12 @@ spec: image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} volumeMounts: - mountPath: "{{ .Values.log.path }}" name: framework-log + - mountPath: /opt/multivimbroker/multivimbroker/pub + name: framework-pub - mountPath: /opt/multivimbroker/multivimbroker/pub/config/log.yml name: framework-logconfig subPath: log.yml 
@@ -62,25 +83,34 @@ spec: ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} + {{ if .Values.liveness.enabled }} livenessProbe: httpGet: - path: /api/multicloud/v0/swagger.json port: {{ .Values.service.internalPort }} - scheme: "HTTP" + path: {{ .Values.liveness.path }} + scheme: HTTP initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end -}} - + {{ end }} + {{ if .Values.readiness.enabled }} + readinessProbe: + httpGet: + port: {{ .Values.service.internalPort }} + path: {{ .Values.readiness.path }} + scheme: HTTP + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + {{ end }} # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: framework-log - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: framework-pub + emptyDir: + sizeLimit: {{ .Values.volumes.pubSizeLimit }} - name: provider-plugin configMap: name: {{ include "common.fullname" . }}-provider-plugin-configmap diff --git a/kubernetes/multicloud/values.yaml b/kubernetes/multicloud/values.yaml index 69063906ba..0579cb9e7b 100644 --- a/kubernetes/multicloud/values.yaml +++ b/kubernetes/multicloud/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
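Review bot: the liveness probe loses `timeoutSeconds`, `successThreshold` and `failureThreshold` (previously 10/1/5 from values) and now runs with the kubelet defaults of a 1-second timeout and 3 failures, and the new readiness probe hits the same `/api/multicloud/v0/swagger.json` with the same defaults; a swagger document generated by the application can take more than a second on a cold or loaded pod, which turns a working broker into a restart loop, so keep at least `timeoutSeconds` configurable for both probes. `{{ if .Values.liveness.enabled }}` / `{{ end }}` without whitespace trimming leaves blank indented lines in the rendered manifest; the previous `{{- if` / `{{ end -}}` form was cleaner. The copy-pub init container plus the `framework-pub` emptyDir is the right pattern for running the broker with a read-only root filesystem.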
@@ -57,14 +58,26 @@ nodeSelector: {} affinity: {} +securityContext: + user_id: 100 + group_id: 65533 + +volumes: + logSizeLimit: 50Mi + pubSizeLimit: 50Mi + # probe configuration parameters liveness: + enabled: true + path: /api/multicloud/v0/swagger.json initialDelaySeconds: 30 periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 5 + +readiness: enabled: true + path: /api/multicloud/v0/swagger.json + initialDelaySeconds: 10 + periodSeconds: 30 service: type: NodePort diff --git a/kubernetes/onap/Chart.yaml b/kubernetes/onap/Chart.yaml index dd1f432d3a..c0f1a770b8 100644 --- a/kubernetes/onap/Chart.yaml +++ b/kubernetes/onap/Chart.yaml @@ -1,5 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021,2024 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,7 +26,7 @@ kubeVersion: ">=1.19.11-0" dependencies: - name: authentication - version: ~14.x-0 + version: ~15.x-0 repository: '@local' condition: authentication:enabled - name: aai @@ -61,7 +61,7 @@ dependencies: repository: '@local' condition: multicloud.enabled - name: policy - version: ~14.x-0 + version: ~16.x-0 repository: '@local' condition: policy.enabled - name: portal-ng @@ -88,7 +88,7 @@ dependencies: repository: '@local' condition: sdnc.enabled - name: so - version: ~13.x-0 + version: ~15.x-0 repository: '@local' condition: so.enabled - name: strimzi @@ -96,7 +96,7 @@ dependencies: repository: '@local' condition: strimzi.enabled - name: uui - version: ~13.x-0 + version: ~15.x-0 repository: '@local' condition: uui.enabled - name: platform diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml index 9b631c7af5..65a46799a3 100755..100644 --- a/kubernetes/policy/Chart.yaml +++ b/kubernetes/policy/Chart.yaml 
@@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021-2024 Nordix Foundation +# Modifications Copyright © 2021-2025 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -19,66 +19,66 @@ apiVersion: v2 description: ONAP Policy name: policy -version: 14.0.5 +version: 16.0.0 dependencies: - name: common version: ~13.x-0 repository: '@local' - - name: mariadb-galera - version: ~13.x-0 - repository: '@local' - condition: global.mariadbGalera.useInPolicy,global.mariadbGalera.localCluster - name: policy-nexus - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/policy-nexus' condition: policy-nexus.enabled - name: policy-api - version: ~14.x-0 + version: ~16.x-0 repository: 'file://components/policy-api' condition: policy-api.enabled - name: policy-pap - version: ~14.x-0 + version: ~16.x-0 repository: 'file://components/policy-pap' condition: policy-pap.enabled - name: policy-xacml-pdp - version: ~14.x-0 + version: ~16.x-0 repository: 'file://components/policy-xacml-pdp' condition: policy-xacml-pdp.enabled - name: policy-apex-pdp - version: ~14.x-0 + version: ~16.x-0 repository: 'file://components/policy-apex-pdp' condition: policy-apex-pdp.enabled - name: policy-drools-pdp - version: ~14.x-0 + version: ~16.x-0 repository: 'file://components/policy-drools-pdp' condition: policy-drools-pdp.enabled + - name: policy-opa-pdp + version: ~15.x-0 + repository: 'file://components/policy-opa-pdp' + condition: policy-opa-pdp.enabled - name: policy-distribution - version: ~14.x-0 + version: ~16.x-0 repository: 'file://components/policy-distribution' condition: policy-distribution.enabled - name: policy-clamp-ac-k8s-ppnt - version: ~14.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-ac-k8s-ppnt' condition: policy-clamp-ac-k8s-ppnt.enabled - name: policy-clamp-ac-http-ppnt - version: ~14.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-ac-http-ppnt' condition: policy-clamp-ac-http-ppnt.enabled - name: policy-clamp-ac-a1pms-ppnt - version: ~14.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-ac-a1pms-ppnt' condition: policy-clamp-ac-a1pms-ppnt.enabled - name: 
policy-clamp-ac-kserve-ppnt - version: ~14.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-ac-kserve-ppnt' condition: policy-clamp-ac-kserve-ppnt.enabled - name: policy-clamp-ac-pf-ppnt - version: ~14.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-ac-pf-ppnt' condition: policy-clamp-ac-pf-ppnt.enabled - name: policy-clamp-runtime-acm - version: ~14.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-runtime-acm' condition: policy-clamp-runtime-acm.enabled - name: repositoryGenerator @@ -93,4 +93,4 @@ dependencies: - name: postgres version: ~13.x-0 repository: '@local' - condition: global.postgres.useInPolicy,global.postgres.localCluster + condition: global.postgres.localCluster diff --git a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml index 4ec4725860..2ca9b30c11 100755..100644 --- a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2021, 2024-2025 Nordix Foundation # Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy APEX PDP name: policy-apex-pdp -version: 14.0.1 +version: 16.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index 0c83a55651..bad63184bf 100755..100644 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml 
+++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022, 2025 Nordix Foundation # Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -47,7 +47,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-apex-pdp:3.1.3 +image: onap/policy-apex-pdp:4.1.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-api/Chart.yaml b/kubernetes/policy/components/policy-api/Chart.yaml index f5c876646b..859c343900 100755..100644 --- a/kubernetes/policy/components/policy-api/Chart.yaml +++ b/kubernetes/policy/components/policy-api/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2021, 2024-2025 Nordix Foundation # Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Design API name: policy-api -version: 14.0.2 +version: 16.0.0 dependencies: - name: common 
diff --git a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml index c39a27bdeb..fac24347a2 100644 --- a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml +++ b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2022 Bell Canada. All rights reserved. # Modifications Copyright (C) 2022 AT&T Intellectual Property. # Modification (C) 2023 Deutsche Telekom. All rights reserved. -# Modifications Copyright © 2024 Nordix Foundation. +# Modifications Copyright © 2024-2025 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -32,23 +32,6 @@ spring: password: "${RESTSERVER_PASSWORD}" mvc.converters.preferred-json-mapper: gson datasource: -{{ if .Values.global.mariadbGalera.useInPolicy }} - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin - driverClassName: org.mariadb.jdbc.Driver - username: "${SQL_USER}" - password: "${SQL_PASSWORD}" - hikari: - maximumPoolSize: 20 - jpa: - properties: - hibernate: - dialect: org.hibernate.dialect.MariaDB103Dialect - hibernate: - ddl-auto: none - naming: - physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl - implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy -{{ else }} url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort}}/policyadmin driverClassName: org.postgresql.Driver username: "${SQL_USER}" 
@@ -64,25 +47,11 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy - properties: - hibernate: - dialect: org.hibernate.dialect.PostgreSQLDialect - format_sql: true -{{ end }} policy-api: name: ApiGroup aaf: false -database: - name: PolicyProviderParameterGroup - implementation: org.onap.policy.models.provider.impl.DatabasePolicyModelsProviderImpl - driver: org.mariadb.jdbc.Driver - url: jdbc:mariadb://{{ .Values.db.service.name }}/policyadmin - user: "${SQL_USER}" - password: "${SQL_PASSWORD}" - persistenceUnit: PolicyDb - policy-preload: policyTypes: - policytypes/onap.policies.monitoring.tcagen2.yaml diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml index f89945f90e..063bc80445 100755 --- a/kubernetes/policy/components/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2024 Nordix Foundation. +# Copyright (C) 2021-2025 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -33,11 +33,7 @@ spec: - /app/ready.py args: - --job-name -{{ if .Values.global.mariadbGalera.useInPolicy }} - - {{ include "common.release" . }}-policy-galera-migrator-config -{{ else }} - {{ include "common.release" . }}-policy-pg-migrator-config -{{ end }} env: - name: NAMESPACE valueFrom: diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index 902268f41a..7e3aa51318 100755..100644 
--- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. # Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. -# Modifications Copyright © 2024 Nordix Foundation. +# Modifications Copyright © 2024-2025 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,10 +25,6 @@ global: nodePortPrefix: 304 persistence: {} - postgres: - useInPolicy: false - mariadbGalera: - useInPolicy: true ################################################################# # Secrets metaconfig @@ -51,7 +47,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-api:3.1.3 +image: onap/policy-api:4.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -62,9 +58,7 @@ db: user: policy-user password: policy_user service: - name: policy-mariadb pgName: policy-pg-primary - internalPort: 3306 internalPgPort: 5432 restServer: diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml index a9d27d60a8..665b301ff5 100755..100644 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2022-2024 Nordix Foundation. All rights reserved. +# Copyright (C) 2022-2025 Nordix Foundation. All rights reserved. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -20,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp A1PMS Participant name: policy-clamp-ac-a1pms-ppnt -version: 14.0.1 +version: 16.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml index 5bfa825e18..0404a8a68c 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# Copyright (C) 2022,2024 Nordix Foundation. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -32,6 +32,9 @@ security: participant: intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} reportingTimeIntervalMs: 120000 description: Participant Description participantId: 101c62b3-8918-41b9-a747-d21eb79c6c00 
@@ -40,7 +43,7 @@ participant: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} @@ -50,11 +53,23 @@ participant: security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml index a23e732c8b..cee5eb8e92 100755..100644 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2022-2023 Nordix Foundation. +# Copyright (C) 2022-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -23,8 +23,10 @@ global: persistence: {} kafkaTopics: - acRuntimeTopic: - name: &acRuntimeTopic policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig @@ -41,7 +43,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-a1pms-ppnt:7.1.3 +image: onap/policy-clamp-ac-a1pms-ppnt:8.1.0 pullPolicy: Always componentName: &componentName policy-clamp-ac-a1pms-ppnt @@ -147,6 +149,9 @@ kafkaUser: - name: *componentName type: group operations: [Read] - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic type: topic operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml index 979aa4f598..0bdc6b6cab 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022, 2024 Nordix Foundation. +# Copyright (C) 2021-2022, 2024-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -20,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Http Participant name: policy-clamp-ac-http-ppnt -version: 14.0.1 +version: 16.0.0 dependencies: - name: common 
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml index d447360dd9..8b877ffc0d 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -32,6 +32,9 @@ security: participant: intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} reportingTimeIntervalMs: 120000 description: Participant Description participantId: 101c62b3-8918-41b9-a747-d21eb79c6c01 @@ -40,7 +43,7 @@ participant: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} 
@@ -50,11 +53,23 @@ participant: security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml index 8593a3d316..a422386ffc 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2023, 2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -24,8 +24,10 @@ global: persistence: {} #Strimzi Kafka properties kafkaTopics: - acRuntimeTopic: - name: &acRuntimeTopic policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig @@ -42,7 +44,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-http-ppnt:7.1.3 +image: onap/policy-clamp-ac-http-ppnt:8.1.0 pullPolicy: Always componentName: &componentName policy-clamp-ac-http-ppnt @@ -138,6 +140,9 @@ kafkaUser: - name: *componentName type: group operations: [Read] - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic type: topic operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml index 5a1cb6e80b..9abe71d998 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# Copyright (C) 2021, 2025 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021-2022, 2024 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop K8s Participant name: policy-clamp-ac-k8s-ppnt -version: 14.0.1 +version: 16.0.0 dependencies: - name: common 
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml index 14deab557b..4616d6643a 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. All rights reserved. +# Copyright (C) 2021-2022,2024 Nordix Foundation. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,6 +34,9 @@ participant: localChartDirectory: /home/policy/local-charts infoFileName: CHART_INFO.json intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} reportingTimeIntervalMs: 120000 description: Participant Description participantId: 101c62b3-8918-41b9-a747-d21eb79c6c02 @@ -42,7 +45,7 @@ participant: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} 
@@ -52,11 +55,23 @@ participant: security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml index 5e43b94965..c9f3f9bdc3 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -25,8 +25,10 @@ global: persistence: {} #Strimzi Kafka properties kafkaTopics: - acRuntimeTopic: - name: &acRuntimeTopic policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig 
@@ -43,7 +45,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-k8s-ppnt:7.1.3 +image: onap/policy-clamp-ac-k8s-ppnt:8.1.0 pullPolicy: Always componentName: &componentName policy-clamp-ac-k8s-ppnt @@ -153,6 +155,9 @@ kafkaUser: - name: *componentName type: group operations: [Read] - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic type: topic operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml index 863d07952f..49a6e4dc2e 100755..100644 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2023-2024 Nordix Foundation. All rights reserved. +# Copyright (C) 2023-2025 Nordix Foundation. All rights reserved. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -20,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Kserve Participant name: policy-clamp-ac-kserve-ppnt -version: 14.0.1 +version: 16.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml index 6613235050..55aa8eb641 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml 
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml @@ -39,6 +39,9 @@ security: participant: intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} reportingTimeIntervalMs: 120000 description: Participant Description participantId: 101c62b3-8918-41b9-a747-d21eb79c6c04 @@ -47,7 +50,7 @@ participant: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} @@ -57,11 +60,23 @@ participant: security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml index 6f9868bc0d..61cc461b41 100755..100644 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml 
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2023 Nordix Foundation. +# Copyright (C) 2023, 2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -24,8 +24,10 @@ global: persistence: {} #Strimzi Kafka properties kafkaTopics: - acRuntimeTopic: - name: &acRuntimeTopic policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig @@ -42,7 +44,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-kserve-ppnt:7.1.3 +image: onap/policy-clamp-ac-kserve-ppnt:8.1.0 pullPolicy: Always componentName: &componentName policy-clamp-ac-kserve-ppnt @@ -137,6 +139,9 @@ kafkaUser: - name: *componentName type: group operations: [Read] - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic type: topic operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml index 4460c18fcd..5945f3b74a 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022, 2024 Nordix Foundation. +# Copyright (C) 2021-2022, 2024-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -20,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Policy Participant name: policy-clamp-ac-pf-ppnt -version: 14.0.1 +version: 16.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml index 729a455d07..1e7edea091 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -50,6 +50,9 @@ participant: useHttps: "false" allowSelfSignedCerts: true intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} reportingTimeIntervalMs: 120000 description: Participant Description participantId: 101c62b3-8918-41b9-a747-d21eb79c6c03 
@@ -58,7 +61,7 @@ participant: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} @@ -68,11 +71,23 @@ participant: security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml index 97bebd00d2..2bdbaa456a 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -24,8 +24,10 @@ global: persistence: {} #Strimzi Kafka properties kafkaTopics: - acRuntimeTopic: - name: &acRuntimeTopic policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig @@ -54,7 +56,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-pf-ppnt:7.1.3 +image: onap/policy-clamp-ac-pf-ppnt:8.1.0 pullPolicy: Always componentName: &componentName policy-clamp-ac-pf-ppnt @@ -159,6 +161,9 @@ kafkaUser: - name: *componentName type: group operations: [Read] - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic type: topic operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml index ef9a7494ec..5d26bfdad9 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021, 2024 Nordix Foundation. All rights reserved. +# Copyright (C) 2021, 2025 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021-2024 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Runtime name: policy-clamp-runtime-acm -version: 14.0.2 +version: 16.0.0 dependencies: - name: common @@ -33,4 +33,4 @@ dependencies: repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: '@local'
\ No newline at end of file + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml index 2e09397806..a296e8c7a4 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2024 Nordix Foundation. +# Copyright (C) 2021-2025 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,13 +25,8 @@ spring: converters: preferred-json-mapper: gson datasource: - {{ if .Values.global.mariadbGalera.useInPolicy }} - url: jdbc:mariadb://{{ .Values.db.service.mariadbName }}:{{ .Values.db.service.mariadbPort }}/clampacm - driverClassName: org.mariadb.jdbc.Driver - {{ else }} url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/clampacm driverClassName: org.postgresql.Driver - {{ end }} username: ${SQL_USER} password: ${SQL_PASSWORD} hikari: @@ -47,11 +42,7 @@ spring: implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy properties: hibernate: - {{ if .Values.global.mariadbGalera.useInPolicy }} - dialect: org.hibernate.dialect.MariaDBDialect - {{ else }} dialect: org.hibernate.dialect.PostgreSQLDialect - {{ end }} format_sql: true metrics: 
@@ -71,6 +62,9 @@ server: enabled: false runtime: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} participantParameters: heartBeatMs: 120000 maxMessageAgeMs: 600000 @@ -83,7 +77,7 @@ runtime: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} @@ -97,7 +91,19 @@ runtime: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} @@ -114,4 +120,4 @@ management: endpoints: web: exposure: - include: health, metrics, prometheus
\ No newline at end of file + include: health, metrics, prometheus diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml index 5a206b996e..c09a3616b0 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2024 Nordix Foundation. +# Copyright (C) 2021-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -34,11 +34,7 @@ spec: - /app/ready.py args: - --job-name -{{ if .Values.global.mariadbGalera.useInPolicy }} - - {{ include "common.release" . }}-policy-galera-migrator-config -{{ else }} - {{ include "common.release" . }}-policy-pg-migrator-config -{{ end }} env: - name: NAMESPACE valueFrom: diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index eb974d6ed2..00bd0acdbd 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2024 Nordix Foundation. +# Copyright (C) 2021-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -23,14 +23,12 @@ global: nodePortPrefixExt: 304 persistence: {} - postgres: - useInPolicy: false - mariadbGalera: - useInPolicy: true #Strimzi Kafka properties kafkaTopics: - acRuntimeTopic: - name: &acRuntimeTopic policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig @@ -53,7 +51,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-runtime-acm:7.1.3 +image: onap/policy-clamp-runtime-acm:8.1.0 pullPolicy: Always componentName: &componentName policy-clamp-runtime-acm @@ -78,19 +76,21 @@ kafkaUser: - name: *componentName type: group operations: [Read] - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic type: topic operations: [Read, Write] kafkaTopic: - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + - name: *acRuntimeSyncTopic db: user: policy-user password: policy_user service: - mariadbName: policy-mariadb - mariadbPort: 3306 pgName: policy-pg-primary pgPort: 5432 diff --git a/kubernetes/policy/components/policy-distribution/Chart.yaml b/kubernetes/policy/components/policy-distribution/Chart.yaml index b2d1cde724..a11ab99849 100755..100644 --- a/kubernetes/policy/components/policy-distribution/Chart.yaml +++ b/kubernetes/policy/components/policy-distribution/Chart.yaml 
@@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2021, 2024-2025 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Distribution name: policy-distribution -version: 14.0.1 +version: 16.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index f93dffe1ee..d10cf1991d 100755..100644 --- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. -# Modifications Copyright (C) 2023 Nordix Foundation +# Modifications Copyright (C) 2023, 2025 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -59,7 +59,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/policy-distribution:3.1.3 +image: onap/policy-distribution:4.1.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml index 25060ae593..50c84c0567 100755..100644 
--- a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T Intellectual Property # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2021, 2024-2025 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -19,7 +19,7 @@ apiVersion: v2 description: ONAP Drools Policy Engine (PDP-D) name: policy-drools-pdp -version: 14.0.2 +version: 16.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf index dc7f788405..b1a7f04b58 100644 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf @@ -2,7 +2,7 @@ # Copyright © 2017-2018 Amdocs, Bell Canada. # Modifications Copyright (C) 2018-2020, 2022 AT&T Intellectual Property. # Modifications Copyright (C) 2021 Bell Canada. All rights reserved. -# Modifications Copyright (C) 2024 Nordix Foundation. +# Modifications Copyright (C) 2024-2025 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -41,21 +41,11 @@ REPOSITORY_OFFLINE={{.Values.nexus.offline}} # Relational (SQL) DB access -{{ if .Values.global.mariadbGalera.useInPolicy }} -SQL_HOST={{ .Values.db.mariadbName }} -SQL_PORT={{ .Values.db.mariadbPort }} -JDBC_URL=jdbc:mariadb://{{ .Values.db.mariadbName }}:{{ .Values.db.mariadbPort }}/ -JDBC_OPTS= -JDBC_DRIVER=org.mariadb.jdbc.Driver -MYSQL_CMD= -{{ else }} SQL_HOST={{ .Values.db.pgName }} SQL_PORT={{ .Values.db.pgPort }} JDBC_URL=jdbc:postgresql://{{ .Values.db.pgName }}:{{ .Values.db.pgPort }}/ JDBC_OPTS= JDBC_DRIVER=org.postgresql.Driver -MYSQL_CMD= -{{ end }} # Liveness LIVENESS_CONTROLLERS=* @@ -136,9 +126,9 @@ VFC_CONTEXT_URI=api/nslcm/v1/ SDNC_HOST=sdnc.{{.Release.Namespace}} SDNC_PORT=8282 -SDNC_CONTEXT_URI=restconf/operations/ +SDNC_CONTEXT_URI=rests/operations/ # CDS CDS_GRPC_HOST={{.Values.cds.grpc.svcName}} -CDS_GRPC_PORT={{.Values.cds.grpc.svcPort}}
\ No newline at end of file +CDS_GRPC_PORT={{.Values.cds.grpc.svcPort}} diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties index d4577b577a..64ac22100f 100644 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties @@ -2,7 +2,7 @@ # ============LICENSE_START======================================================= # ONAP # ================================================================================ -# Copyright (C) 2024 Nordix Foundation. +# Copyright (C) 2024-2025 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,17 +19,10 @@ ### #Database properties -{{ if .Values.global.mariadbGalera.useInPolicy }} -jakarta.persistence.jdbc.driver=org.mariadb.jdbc.Driver -jakarta.persistence.jdbc.url=${envd:JDBC_URL}pooling${envd:JDBC_OPTS} -jakarta.persistence.jdbc.user=${envd:SQL_USER} -jakarta.persistence.jdbc.password=${envd:SQL_PASSWORD} -{{ else }} jakarta.persistence.jdbc.driver=org.postgresql.Driver jakarta.persistence.jdbc.url=${envd:JDBC_URL}pooling${envd:JDBC_OPTS} jakarta.persistence.jdbc.user=${envd:SQL_USER} jakarta.persistence.jdbc.password=${envd:SQL_PASSWORD} -{{ end }} # default property values are commented out #distributed.locking.expire.check.seconds=900 diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml index a24476cc74..e8c0a5edea 100644 
--- a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml @@ -1,7 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020, 2022 AT&T Intellectual Property -# Modifications Copyright (C) 2024 Nordix Foundation. +# Modifications Copyright (C) 2024-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -33,11 +33,7 @@ spec: - /app/ready.py args: - --job-name -{{ if .Values.global.mariadbGalera.useInPolicy }} - - {{ include "common.release" . }}-policy-galera-migrator-config -{{ else }} - {{ include "common.release" . }}-policy-pg-migrator-config -{{ end }} env: - name: NAMESPACE valueFrom: diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index f22d642e95..e367cfca6d 100644 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs # Copyright © 2017, 2021 Bell Canada # Modifications Copyright © 2018-2022 AT&T Intellectual Property -# Modifications Copyright (C) 2024 Nordix Foundation. +# Modifications Copyright (C) 2024-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -21,10 +21,7 @@ ################################################################# global: nodePortPrefix: 302 - postgres: - useInPolicy: false - mariadbGalera: - useInPolicy: true + ################################################################# # Secrets metaconfig ################################################################# 
@@ -47,7 +44,7 @@ secrets: ################################################################# # application image # The newest images have been tested with SASL and Postgres. The images released next will have the relevant fixes -image: onap/policy-pdpd-cl:2.1.3 +image: onap/policy-pdpd-cl:3.1.0 pullPolicy: Always @@ -107,11 +104,8 @@ nexus: offline: true db: - mariadbName: policy-mariadb pgName: policy-pg-primary - mariadbPort: 3306 pgPort: 5432 - user: policy-user password: policy_user pap: diff --git a/kubernetes/policy/components/policy-nexus/Chart.yaml b/kubernetes/policy/components/policy-nexus/Chart.yaml index dcb3c3ac72..eb6c92e75b 100755..100644 --- a/kubernetes/policy/components/policy-nexus/Chart.yaml +++ b/kubernetes/policy/components/policy-nexus/Chart.yaml @@ -19,7 +19,7 @@ apiVersion: v2 description: ONAP Policy Nexus name: policy-nexus -version: 14.0.2 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-nexus/values.yaml b/kubernetes/policy/components/policy-nexus/values.yaml index cc75a9fe15..cc75a9fe15 100755..100644 --- a/kubernetes/policy/components/policy-nexus/values.yaml +++ b/kubernetes/policy/components/policy-nexus/values.yaml diff --git a/kubernetes/policy/components/policy-opa-pdp/Chart.yaml b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml new file mode 100644 index 0000000000..6416e5016e --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml 
@@ -0,0 +1,33 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v2 +description: ONAP Policy OPA PDP (PDP-O) +name: policy-opa-pdp +version: 15.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json new file mode 100755 index 0000000000..e978b84186 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json 
@@ -0,0 +1,43 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} +{ + "logging": { + "level": "debug" + }, + "services": [ + { + "name": "opa-bundle-server", + "url": "http://policy-opa-pdp:8282/opa/bundles" + } + ], + "bundles": { + "opabundle": { + "service": "opa-bundle-server", + "resource": "bundle.tar.gz", + "polling": { + "min_delay_seconds": 60, + "max_delay_seconds": 120 + } + } + }, + "decision_logs": { + "console": true + } +} diff --git a/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz b/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz Binary files differnew file mode 100644 index 0000000000..fa841c0191 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml new file mode 100755 index 0000000000..e2b4537dc8 --- /dev/null 
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml new file mode 100755 index 0000000000..cc08af6937 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml 
@@ -0,0 +1,42 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap-config + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: +{{ tpl (.Files.Glob "resources/config/*.{sql,json,properties,xml}").AsConfig . | indent 2 }} + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap-policies-data + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +{{- with .Files.Glob "resources/policies/*" }} +binaryData: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml new file mode 100755 index 0000000000..6c25bac01c --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml 
@@ -0,0 +1,137 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + - command: + - /bin/sh + args: + - -c + - | + echo "*** set right permissions to the different folders" + chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /var/log; + chmod -R 755 /var/log + chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /opt/; + chmod -R 755 /opt/* + tar -xvf /tmp/policies/policy-data.tar.gz -C /opt/ + image: {{ include "repositoryGenerator.image.busybox" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + name: {{ include "common.name" . 
}}-readiness + volumeMounts: + - name: logs + mountPath: /var/log + - name: tmp-policies-data + mountPath: /tmp/policies + - name : opa-policies-data + mountPath: /opt/ + + containers: + - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + env: + - name: UseSASLForKAFKA + value: "{{ .Values.kafka.useSASL }}" + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: GROUPID + value: "{{ .Values.kafka.groupid }}" + - name: LOG_LEVEL + value: "{{ .Values.log.loglevel }}" + - name: PAP_TOPIC + value: "{{ .Values.kafka.topic }}" + - name: API_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "login") | indent 10 }} + - name: API_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "password") | indent 10 }} + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ include "common.name" . 
}}-ku + key: sasl.jaas.config + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + + - name: opa-policies-data + mountPath: /opt + - name: opa-config + mountPath: /app/config + - name: opa-bundles + mountPath: /app/bundles + - name: logs + mountPath: /var/log + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: tmp-policies-data + configMap: + name: {{ include "common.fullname" . }}-configmap-policies-data + defaultMode: 0755 + - name: opa-policies-data + persistentVolumeClaim: + claimName: {{ include "common.fullname" . }}-policies-data + - name: opa-config + configMap: + name: {{ include "common.fullname" . }}-configmap-config + defaultMode: 0755 + - name: opa-bundles + emptyDir: + sizeLimit: {{ .Values.dirSizes.bundleDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml new file mode 100755 index 0000000000..faf315356c --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml 
@@ -0,0 +1,20 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml new file mode 100755 index 0000000000..5a1e9e3450 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml 
@@ -0,0 +1,38 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} + +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "common.fullname" . }}-policies-data + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + accessModes: + - {{ .Values.persistence.accessMode }} + resources: + requests: + storage: {{ .Values.persistence.logsSize }} + storageClassName: {{ include "common.storageClass" . }} + volumeMode: Filesystem + +{{- end }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml new file mode 100755 index 0000000000..0c47a8bd77 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml new file mode 100755 index 0000000000..1d45a0baef --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml new file mode 100755 index 0000000000..96774208de --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml 
@@ -0,0 +1,23 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2024 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{- if .Values.global.prometheusEnabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} diff --git a/kubernetes/policy/components/policy-opa-pdp/values.yaml b/kubernetes/policy/components/policy-opa-pdp/values.yaml new file mode 100644 index 0000000000..20c7e513bc --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/values.yaml 
@@ -0,0 +1,253 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: api-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.apiServer.credsExternalSecret) . }}' + login: '{{ .Values.apiServer.user }}' + password: '{{ .Values.apiServer.password }}' + passwordPolicy: required + - uid: restserver-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + passwordPolicy: required + + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +image: onap/policy-opa-pdp:1.0.0 +pullPolicy: Always + +componentName: &componentName policy-opa-pdp + +# flag to enable debugging - application support required +debugEnabled: false + +log: + loglevel: "debug" + + +# application configuration + +permissions: + uid: 100 + gid: 102 + +restServer: + user: healthcheck + password: zb!XztG34 + +apiServer: + user: policyadmin + password: zb!XztG34 + +config: + # Event consumption (kafka) properties + kafka: + consumer: + groupId: policy-opa-pdp + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +securityContext: + user_id: 0 + group_id : 0 + runAsNonRoot: false + + +containerSecurityContext: + enabled: true + privileged: false + allowPrivilegeEscalation: true + readOnlyRootFilesystem: false + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + + +kafka: + groupid: "policy-opa-pdp" + topic: "policy-pdp-pap" + useSASL: "true" + brokers: "onap-strimzi-kafka-bootstrap.onap:9092" + +persistence: + enabled: true + volumeReclaimPolicy: Retain + accessMode: ReadWriteMany + logsSize: 1Gi + mountPath: /dockerdata-nfs + mountSubPath: policy/opapdp + storageClass: "cinder-os" + enableDefaultStorageclass: false + parameters: {} + storageclassProvisioner: cinder-os + + + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 20 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 20 + periodSeconds: 10 + +service: + type: ClusterIP + name: *componentName + internalPort: 8282 + ports: + - name: http + port: 8282 + +ingress: + enabled: false + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: dcae-datafile-collector-read + - serviceAccount: dcae-datalake-admin-ui-read + 
- serviceAccount: dcae-datalake-des-read + - serviceAccount: dcae-datalake-feeder-read + - serviceAccount: dcae-heartbeat-read + - serviceAccount: dcae-hv-ves-collector-read + - serviceAccount: dcae-kpi-ms-read + - serviceAccount: dcae-pm-mapper-read + - serviceAccount: dcae-pmsh-read + - serviceAccount: dcae-prh-read + - serviceAccount: dcae-restconf-collector-read + - serviceAccount: dcae-slice-analysis-ms-read + - serviceAccount: dcae-snmptrap-collector-read + - serviceAccount: dcae-son-handler-read + - serviceAccount: dcae-tcagen2-read + - serviceAccount: dcae-ves-collector-read + - serviceAccount: dcae-ves-mapper-read + - serviceAccount: dcae-ves-openapi-manager-read + - serviceAccount: strimzi-kafka-read + - serviceAccount: oof-read + - serviceAccount: sdnc-read + +flavor: small +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + policyDir: + sizeLimit: 100Mi + bundleDir: + sizeLimit: 5Gi + + +#Pods Service Account +serviceAccount: + nameOverride: *componentName + roles: + - read + +metrics: + serviceMonitor: + # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. + # The default operator for prometheus enforces the below label. + labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . 
}}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' + release: prometheus + enabled: true + port: policy-opa-pdp + interval: 60s + isHttps: false + basicAuth: + enabled: true + externalSecretNameSuffix: policy-opa-pdp-restserver-creds + externalSecretUserKey: login + externalSecretPasswordKey: password + selector: + app: '{{ include "common.name" . }}' + chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + release: '{{ include "common.release" . }}' + heritage: '{{ .Release.Service }}' + +config: + # Event consumption (kafka) properties + kafka: + consumer: + groupId: policy-opa-pdp + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-opa-pdp + type: group + operations: [ Create, Describe, Read, Write ] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml index 2122e6fb3f..58ecf66e3a 100755..100644 --- a/kubernetes/policy/components/policy-pap/Chart.yaml +++ b/kubernetes/policy/components/policy-pap/Chart.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2019 Nordix Foundation. # Modified Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2021, 2024-2025 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -23,7 +23,7 @@ apiVersion: v2 description: ONAP Policy Administration (PAP) name: policy-pap -version: 14.0.2 +version: 16.0.0 dependencies: - name: common 
@@ -34,4 +34,4 @@ dependencies: repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: '@local'
\ No newline at end of file + repository: '@local' diff --git a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml index 58dfc9f497..72c8ad5fc3 100644 --- a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml +++ b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml @@ -1,6 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022 Bell Canada. All rights reserved. -# Modifications Copyright © 2022-2024 Nordix Foundation +# Modifications Copyright © 2022-2025 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,20 +26,6 @@ spring: converters: preferred-json-mapper: gson datasource: -{{ if .Values.global.mariadbGalera.useInPolicy }} - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin - driverClassName: org.mariadb.jdbc.Driver - username: "${SQL_USER}" - password: "${SQL_PASSWORD}" - hikari: - maximumPoolSize: 20 - jpa: - hibernate: - ddl-auto: none - naming: - physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl - implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy -{{- else }} url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort }}/policyadmin driverClassName: org.postgresql.Driver username: "${SQL_USER}" @@ -55,7 +41,6 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy -{{ end }} server: port: 6969 
diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml index f7c400865f..e94e82764d 100644 --- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml @@ -2,7 +2,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. -# Modifications Copyright (C) 2024 Nordix Foundation. +# Modifications Copyright (C) 2024-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -36,11 +36,7 @@ spec: - /app/ready.py args: - --job-name -{{ if .Values.global.mariadbGalera.useInPolicy }} - - {{ include "common.release" . }}-policy-galera-migrator-config -{{ else }} - {{ include "common.release" . }}-policy-pg-migrator-config -{{ end }} env: - name: NAMESPACE valueFrom: diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 4c6f5355e0..345f061b83 100755..100644 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2019 Nordix Foundation. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. # Modifications Copyright (C) 2020-2022 Bell Canada. All rights reserved. -# Modifications Copyright © 2022-2024 Nordix Foundation +# Modifications Copyright © 2022-2025 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -26,10 +26,6 @@ global: nodePortPrefixExt: 304 persistence: {} - postgres: - useInPolicy: false - mariadbGalera: - useInPolicy: true ################################################################# # Secrets metaconfig @@ -71,7 +67,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pap:3.1.3 +image: onap/policy-pap:4.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -83,9 +79,7 @@ db: user: policy-user password: policy_user service: - name: policy-mariadb pgName: policy-pg-primary - internalPort: 3306 internalPgPort: 5432 restServer: diff --git a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml index a02171ef31..a8236dc68a 100755..100644 --- a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2021, 2024-2025 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy XACML PDP (PDP-X) name: policy-xacml-pdp -version: 14.0.3 +version: 16.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties index 3df3578fd2..46d6b2a842 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties 
+++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2024 Nordix Foundation. All rights reserved. +# Copyright (C) 2024-2025 Nordix Foundation. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -67,14 +67,8 @@ xacml.pip.engines=count-recent-operations,get-operation-outcome # # JPA Properties # -{{ if .Values.global.mariadbGalera.useInPolicy }} -eclipselink.target-database=MySQL -jakarta.persistence.jdbc.driver=org.mariadb.jdbc.Driver -jakarta.persistence.jdbc.url=jdbc:mariadb://{{ .Values.db.service.mariadbName }}:{{ .Values.db.service.mariadbPort }}/operationshistory -{{ else }} eclipselink.target-database=PostgreSQL jakarta.persistence.jdbc.driver=org.postgresql.Driver jakarta.persistence.jdbc.url=jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/operationhistory -{{ end }} jakarta.persistence.jdbc.user=${SQL_USER} -jakarta.persistence.jdbc.password=${SQL_PASSWORD}
\ No newline at end of file +jakarta.persistence.jdbc.password=${SQL_PASSWORD} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml index 828f6ec2c7..4411762ff7 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml @@ -1,7 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. -# Modifications Copyright (C) 2024 Nordix Foundation. +# Modifications Copyright (C) 2024-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -35,11 +35,7 @@ spec: - /app/ready.py args: - --job-name -{{ if .Values.global.mariadbGalera.useInPolicy }} - - {{ include "common.release" . }}-policy-galera-migrator-config -{{ else }} - {{ include "common.release" . }}-policy-pg-migrator-config -{{ end }} env: - name: NAMESPACE valueFrom: diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index b20ab89370..4ec53223b5 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -1,6 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright (C) 2024 Nordix Foundation. +# Modifications Copyright (C) 2024-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -23,10 +23,7 @@ ################################################################# global: persistence: {} - postgres: - useInPolicy: false - mariadbGalera: - useInPolicy: true + ################################################################# # Secrets metaconfig ################################################################# @@ -54,7 +51,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-xacml-pdp:3.1.3 +image: onap/policy-xacml-pdp:4.1.0 pullPolicy: Always componentName: &componentName policy-xacml-pdp @@ -68,8 +65,6 @@ db: user: policy-user password: policy_user service: - mariadbName: policy-mariadb - mariadbPort: 3306 pgName: policy-pg-primary pgPort: 5432 diff --git a/kubernetes/policy/resources/config/db-pg.sh b/kubernetes/policy/resources/config/db-pg.sh index 913ccc7728..a7fc088d55 100644 --- a/kubernetes/policy/resources/config/db-pg.sh +++ b/kubernetes/policy/resources/config/db-pg.sh @@ -20,10 +20,15 @@ export PGPASSWORD=${PG_ADMIN_PASSWORD}; +echo "Create user ${PG_USER} is created in Host ${PG_HOST}" psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE USER \"${PG_USER}\" WITH PASSWORD '${PG_USER_PASSWORD}'" for db in migration pooling policyadmin policyclamp operationshistory clampacm do + echo "Create DB ${db}" psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE DATABASE ${db};" + echo "Grant privileges to DB ${db} for user ${PG_USER}" psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "GRANT ALL PRIVILEGES ON DATABASE ${db} TO \"${PG_USER}\";" -done
\ No newline at end of file + echo "Grant privileges to SCHEMA public for user ${PG_USER}" + psql -h ${PG_HOST} -p ${PG_PORT} -d ${db} -U postgres --command "GRANT ALL ON SCHEMA public TO \"${PG_USER}\";" +done diff --git a/kubernetes/policy/resources/config/db.sh b/kubernetes/policy/resources/config/db.sh deleted file mode 100755 index d793a024df..0000000000 --- a/kubernetes/policy/resources/config/db.sh +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/bin/sh -{{/* -# Copyright © 2017 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2018, 2020 AT&T Intellectual Property -# Modifications Copyright (C) 2021 Nordix Foundation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -mysqlcmd() { mysql -h ${MYSQL_HOST} -P ${MYSQL_PORT} "$@"; }; - -i=5 -RESULT_VARIABLE=0 -echo "Check if user ${MYSQL_USER} is created in DB ${MYSQL_HOST}" -while [ $i -gt 0 ] && [ "$RESULT_VARIABLE" != 1 ] -do - i=$(( i-1 )) - RESULT_VARIABLE="$(mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" -se "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = '${MYSQL_USER}')")" - if [ "$RESULT_VARIABLE" = 1 ]; then - echo "User ${MYSQL_USER} exists" - else - echo "User ${MYSQL_USER} does not exist" - sleep 10 - fi -done -if [ "$RESULT_VARIABLE" != 1 ]; then - exit 1 -fi -for db in migration pooling policyadmin policyclamp operationshistory clampacm -do - echo "Create DB ${db}" - mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};" - echo "Grand access for user ${MYSQL_USER}" - mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;" -done -echo "Flush privileges" -mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;" diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml index 3886a85d11..6fde5069c2 100755 --- a/kubernetes/policy/templates/job.yaml 
+++ b/kubernetes/policy/templates/job.yaml @@ -1,7 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada # Modifications Copyright © 2020 AT&T Intellectual Property -# Modifications Copyright (C) 2022-2024 Nordix Foundation. +# Modifications Copyright (C) 2022-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -17,92 +17,6 @@ # limitations under the License. */}} -{{ if .Values.global.mariadbGalera.useInPolicy }} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-galera-init - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-galera-init - release: {{ include "common.release" . }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-galera-init - release: {{ include "common.release" . }} - name: {{ include "common.name" . }}-galera-init - spec: - {{ include "common.podSecurityContext" . | indent 6 | trim }} - {{- include "common.imagePullSecrets" . | nindent 6 }} - initContainers: - {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_mariadb ) | indent 6 | trim }} - containers: - - name: {{ include "common.name" . }}-galera-config - image: {{ include "repositoryGenerator.image.mariadb" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - volumeMounts: - - mountPath: /dbcmd-config/db.sh - name: {{ include "common.fullname" . }}-config - subPath: db.sh - command: - - /bin/sh - - -cx - - | - {{- if include "common.requireSidecarKiller" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /dbcmd-config/db.sh - env: - - name: MYSQL_ROOT_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 10 }} - - name: MYSQL_HOST - value: "{{ index .Values "mariadb-galera" "service" "name" }}" - - name: MYSQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - - name: MYSQL_PORT - value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}" - resources: {{ include "common.resources" . | nindent 10 }} - {{- if (include "common.requireSidecarKiller" .) 
}} - - name: policy-service-mesh-wait-for-job-container - image: {{ include "repositoryGenerator.image.quitQuit" . }} - imagePullPolicy: Always - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-config -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - resources: - limits: - cpu: 100m - memory: 500Mi - requests: - cpu: 10m - memory: 10Mi - {{- end }} - restartPolicy: Never - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-db-configmap - defaultMode: 0755 - items: - - key: db.sh - path: db.sh -{{ end }} - -{{ if .Values.global.postgres.useInPolicy }} --- apiVersion: batch/v1 kind: Job 
@@ -188,114 +102,8 @@ spec: items: - key: db-pg.sh path: db-pg.sh -{{ end }} --- -{{ if .Values.global.mariadbGalera.useInPolicy }} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-galera-migrator-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-galera-migrator-config - release: {{ include "common.release" . }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-galera-migrator-config - release: {{ include "common.release" . }} - name: {{ include "common.name" . }}-galera-migrator-config - spec: - {{ include "common.podSecurityContext" . | indent 6 | trim }} - {{- include "common.imagePullSecrets" . | nindent 6 }} - initContainers: - - name: {{ include "common.name" . }}-init-readiness - {{ include "common.containerSecurityContext" . | indent 10 | trim }} - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . }}-galera-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" - containers: - - name: {{ include "common.name" . }}-galera-db-migrator - {{ include "common.containerSecurityContext" . | indent 10 | trim }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /opt/app/policy/etc/db/ - name: {{ include "common.fullname" . }}-migration-writable - - mountPath: /dbcmd-config/db_migrator_policy_init.sh - name: {{ include "common.fullname" . }}-config - subPath: db_migrator_policy_init.sh - command: - - /bin/sh - - -cx - - | - {{- if include "common.requireSidecarKiller" . 
}} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /dbcmd-config/db_migrator_policy_init.sh - env: - - name: SQL_HOST - value: "{{ index .Values "mariadb-galera" "service" "name" }}" - - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} - - name: SQL_DB - value: {{ .Values.dbmigrator.schemas }} - - name: POLICY_HOME - value: {{ .Values.dbmigrator.policy_home }} - - name: SCRIPT_DIRECTORY - value: "sql" - resources: {{ include "common.resources" . | nindent 12 }} - {{- if (include "common.requireSidecarKiller" .) }} - - name: policy-service-mesh-wait-for-job-container - {{ include "common.containerSecurityContext" . | indent 10 | trim }} - image: {{ include "repositoryGenerator.image.quitQuit" . }} - imagePullPolicy: Always - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-db-migrator -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- end }} - restartPolicy: Never - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-migration-writable - emptyDir: {} - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-db-configmap - defaultMode: 0755 - items: - - key: db_migrator_policy_init.sh - path: db_migrator_policy_init.sh -{{ end }} -{{ if .Values.global.postgres.useInPolicy }} + --- apiVersion: batch/v1 kind: Job @@ -402,4 +210,3 @@ spec: items: - key: db_migrator_pg_policy_init.sh path: db_migrator_pg_policy_init.sh -{{ end }}
\ No newline at end of file diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index 67f4dbd1e5..407d990400 100644 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -1,6 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property -# Modifications Copyright (C) 2021-2024 Nordix Foundation. +# Modifications Copyright (C) 2021-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -19,39 +19,28 @@ # Global configuration defaults. ################################################################# global: - mariadbGalera: - # flag to enable the DB creation via mariadb-operator - useOperator: true - # if useOperator set to "true", set "enableServiceAccount to "false" - # as the SA is created by the Operator - enableServiceAccount: false - localCluster: true - # '&mariadbConfig' means we "store" the values for later use in the file - # with '*mariadbConfig' pointer. - config: &mariadbConfig - mysqlDatabase: policyadmin - service: &mariadbService policy-mariadb - internalPort: 3306 - nameOverride: *mariadbService - # (optional) if localCluster=false and an external secret is used set this variable - #userRootSecret: <secretName> - useInPolicy: true prometheusEnabled: false postgres: - localCluster: false + localCluster: true + # flag to enable the DB creation via pgo-operator + useOperator: false service: name: pgset name2: tcp-pgset-primary name3: tcp-pgset-replica container: name: postgres - useInPolicy: false + nameOverride: "policy-postgres" + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: <secretName> kafkaBootstrap: strimzi-kafka-bootstrap:9092 policyKafkaUser: policy-kafka-user useStrimziKafka: true kafkaTopics: - acRuntimeTopic: - name: policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: policy-acruntime-participant + acRuntimeSyncTopic: + name: acm-ppnt-sync ################################################################# # Secrets metaconfig ################################################################# 
@@ -59,27 +48,29 @@ secrets: - uid: db-root-password name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password' type: password - externalSecret: '{{ or .Values.global.postgres.useInPolicy .Values.global.mariadbGalera.useInPolicy | ternary ( - ( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | - ternary - "" - (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) - ) - ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | - ternary - .Values.global.mariadbGalera.userRootSecret - (include "common.mariadb.secret.rootPassSecretName" - (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) + externalSecret: '{{ .Values.global.postgres.localCluster | ternary + ( hasSuffix "policy-db-root-password" (index .Values "postgres" "config" "pgRootPasswordExternalSecret") | ternary + "" + (tpl (default "" (index .Values "postgres" "config" "pgRootPasswordExternalSecret")) .) + ) + ( not (empty (default "" .Values.global.postgres.userRootSecret)) | ternary + .Values.global.postgres.userRootSecret + (include "common.postgres.secret.rootPassSecretName" + (dict "dot" . "chartName" .Values.global.postgres.nameOverride) ) - ) }}' - password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}' + ) + }}' + password: '{{ (index .Values "postgres" "config" "pgRootPassword") }}' policy: generate - uid: db-secret name: &dbSecretName '{{ include "common.release" . }}-policy-db-secret' type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .) 
(hasSuffix "policy-db-secret" (index .Values "mariadb-galera" "db" "externalSecret"))}}' - login: '{{ index .Values "mariadb-galera" "db" "user" }}' - password: '{{ index .Values "mariadb-galera" "db" "password" }}' + externalSecret: '{{ hasSuffix "policy-db-secret" (index .Values "postgres" "config" "pgUserExternalSecret") | ternary + "" + (tpl (default "" (index .Values "postgres" "config" "pgUserExternalSecret")) .) + }}' + login: '{{ (index .Values "postgres" "config" "pgUserName") }}' + password: '{{ (index .Values "postgres" "config" "pgUserPassword") }}' passwordPolicy: generate - uid: policy-app-user-creds name: &policyAppCredsSecret '{{ include "common.release" . }}-policy-app-user-creds' @@ -132,10 +123,14 @@ policy-apex-pdp: config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-drools-pdp: - enabled: false + enabled: true db: *dbSecretsHook config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' +policy-opa-pdp: + enabled: true + config: + jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-distribution: enabled: true db: *dbSecretsHook @@ -167,11 +162,8 @@ policy-nexus: ################################################################# dbmigrator: - # New released image will allow full SASL and Postgres (drools included). Tested with snapshot. Release to come later. - image: onap/policy-db-migrator:3.1.3 - # These schemas will be required with the new version of db-migrator - # schemas: "policyadmin clampacm pooling operationshistory" - schemas: "policyadmin" + image: onap/policy-db-migrator:4.1.0 + schemas: "policyadmin clampacm pooling operationshistory" policy_home: "/opt/app/policy" subChartsOnly: @@ -183,9 +175,9 @@ debugEnabled: false # default number of instances replicaCount: 1 -nodeSelector: {} +nodeSelector: { } -affinity: {} +affinity: { } # probe configuration parameters liveness: 
@@ -199,7 +191,6 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 - config: policyAppUserName: runtimeUser policyPdpPapTopic: @@ -225,30 +216,7 @@ config: groupId: policy-group someConfig: blah -mariadb-galera: - # mariadb-galera.config and global.mariadbGalera.config must be equals - db: - user: policy-user - # password: - externalSecret: *dbSecretName - name: &mysqlDbName policyadmin - rootUser: - externalSecret: *dbRootPassSecretName - nameOverride: *mariadbService - # mariadb-galera.service and global.mariadbGalera.service must be equals - service: - name: *mariadbService - replicaCount: 1 - mariadbOperator: - galera: - enabled: false - persistence: - enabled: true - mountSubPath: policy/maria/data - serviceAccount: - nameOverride: *mariadbService - -postgresImage: library/postgres:latest +postgresImage: library/postgres:17.2 # application configuration override for postgres postgres: nameOverride: &postgresName policy-postgres @@ -256,6 +224,7 @@ postgres: name: *postgresName name2: policy-pg-primary name3: policy-pg-replica + internalPort: 5432 container: name: primary: policy-pg-primary @@ -263,6 +232,7 @@ postgres: persistence: mountSubPath: policy/postgres/data mountInitPath: policy + size: 3Gi config: pgUserName: policy-user pgDatabase: policyadmin @@ -273,9 +243,6 @@ readinessCheck: wait_for_postgres: services: - '{{ .Values.global.postgres.service.name2 }}' - wait_for_mariadb: - services: - - '{{ include "common.mariadbService" . }}' restServer: policyPapUserName: policyadmin @@ -301,7 +268,7 @@ resources: requests: cpu: "200m" memory: "2Gi" - unlimited: {} + unlimited: { } securityContext: user_id: 100 @@ -311,4 +278,4 @@ securityContext: serviceAccount: nameOverride: policy roles: - - read
\ No newline at end of file + - read diff --git a/kubernetes/sdc/Chart.yaml b/kubernetes/sdc/Chart.yaml index 86d3408f0e..54b71b4794 100644 --- a/kubernetes/sdc/Chart.yaml +++ b/kubernetes/sdc/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Service Design and Creation Umbrella Helm charts name: sdc -version: 13.0.1 +version: 13.0.4 dependencies: - name: common diff --git a/kubernetes/sdc/components/sdc-be/Chart.yaml b/kubernetes/sdc/components/sdc-be/Chart.yaml index e93607c017..bb385a058e 100644 --- a/kubernetes/sdc/components/sdc-be/Chart.yaml +++ b/kubernetes/sdc/components/sdc-be/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP Service Design and Creation Backend API name: sdc-be -version: 13.0.0 +version: 13.0.3 dependencies: - name: common diff --git a/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/configuration.yaml b/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/configuration.yaml new file mode 100644 index 0000000000..8103700bd9 --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/configuration.yaml 
@@ -0,0 +1,1253 @@ +identificationHeaderFields: + - HTTP_IV_USER + - HTTP_CSP_FIRSTNAME + - HTTP_CSP_LASTNAME + - HTTP_IV_REMOTE_ADDRESS + - HTTP_CSP_WSTYPE + + +# catalog backend hostname +beFqdn: {{ .Values.beFqdn }} + +# catalog backend http port +beHttpPort: {{ .Values.beHttpPort }} + +# catalog backend http context +beContext: /sdc/rest/config/get + +# catalog backend protocol +beProtocol: http + +tlsCert: {{ .Values.tlsCert }} +tlsKey: {{ .Values.tlsKey }} +caCert: {{ .Values.caCert }} + +# catalog backend ssl port +beSslPort: {{ .Values.beSslPort }} +version: 1.1.0 +released: 2012-11-30 +toscaConformanceLevel: 11.0 +minToscaConformanceLevel: 3.0 + +janusGraphCfgFile: {{ .Values.janusGraphCfgFile }} +janusGraphInMemoryGraph: false +janusGraphLockTimeout: 1800 +#startup: connect to JanusGraph DB when it is down during ASDC--More-- (2% of 27930 bytes) +janusGraphReconnectIntervalInSeconds: 3 + +# The read timeout towards JanusGraph DB when health check is invoked: +janusGraphHealthCheckReadTimeout: 1 + + #startup: connect to Elasticsearch when it is down during ASDC--More-- (3% of 27930 bytes) + +uebHealthCheckReconnectIntervalInSeconds: 15 +uebHealthCheckReadTimeout: 4 + +# Protocols +protocols: + - http + - https + +# Default imports +defaultImports: + - nodes: + file: nodes.yml + - datatypes: + file: data.yml + - capabilities: + file: capabilities.yml + - relationships: + file: relationships.yml + - groups: + file: groups.yml + - policies: + file: policies.yml + - annotations: + file: annotations.yml + +# Global CSAR Import Files +globalCsarImports: + - annotations.yml + - artifacts.yml + - capabilities.yml + - data.yml + - groups.yml + - interfaces.yml + - nodes.yml + - policies.yml + - relationships.yml + +# Users +users: + tom: passwd + bob: passwd + +basicAuth: + enabled: {{ .Values.basicAuthConfig.enabled }} + userName: {{ .Values.basicAuth.userName }} + userPass: {{ .Values.basicAuth.userPass }} + excludedUrls: "/sdc2/rest/healthCheck" + + 
+cassandraConfig: + cassandraHosts: [{{ .Values.cassandra.hostname }}] + cassandraPort: {{ .Values.cassandra.port }} + localDataCenter: {{ .Values.cassandra.datacenterName }} + reconnectTimeout : 30000 + socketReadTimeout: {{ .Values.cassandraConfig.socketReadTimeout }} + socketConnectTimeout: {{ .Values.cassandraConfig.socketConnectTimeout }} + authenticate: true + username: {{ .Values.cassandra.cassandraUsername }} + password: {{ .Values.cassandra.cassandraPassword }} + ssl: {{ .Values.cassandraConfig.ssl }} + keystorePath: {{ .Values.cassandraConfig.keystorePath }} + keystorePassword: {{ .Values.cassandraConfig.keystorePassword }} + truststorePath: {{ .Values.cassandraConfig.truststorePath }} + truststorePassword: {{ .Values.cassandraConfig.truststorePassword }} + keySpaces: + - { name: dox, replicationStrategy: NetworkTopologyStrategy, replicationInfo: [{{ if .Values.pairEnvName }}'{{ .Values.cassandra.datacenterName }}','{{ .Values.cassandra.replicationFactor }}','{{ .Values.cassandra.clusterName }}{{ .Values.pairEnvName }}','{{ .Values.cassandra.replicationFactor }}'{{ else }}'{{ .Values.cassandra.datacenterName }}','{{ .Values.cassandra.replicationFactor }}'{{ end }}]} + - { name: sdcaudit, replicationStrategy: NetworkTopologyStrategy, replicationInfo: [{{ if .Values.pairEnvName }}'{{ .Values.cassandra.datacenterName }}','{{ .Values.cassandra.replicationFactor }}','{{ .Values.cassandra.clusterName }}{{ .Values.pairEnvName }}','{{ .Values.cassandra.replicationFactor }}'{{ else }}'{{ .Values.cassandra.datacenterName }}','{{ .Values.cassandra.replicationFactor }}'{{ end }}]} + - { name: sdcartifact, replicationStrategy: NetworkTopologyStrategy, replicationInfo: [{{ if .Values.pairEnvName }}'{{ .Values.cassandra.datacenterName }}','{{ .Values.cassandra.replicationFactor }}','{{ .Values.cassandra.clusterName }}{{ .Values.pairEnvName }}','{{ .Values.cassandra.replicationFactor }}'{{ else }}'{{ .Values.cassandra.datacenterName }}','{{ 
.Values.cassandra.replicationFactor }}'{{ end }}]} + - { name: sdccomponent, replicationStrategy: NetworkTopologyStrategy, replicationInfo: [{{ if .Values.pairEnvName }}'{{ .Values.cassandra.datacenterName }}','{{ .Values.cassandra.replicationFactor }}','{{ .Values.cassandra.clusterName }}{{ .Values.pairEnvName }}','{{ .Values.cassandra.replicationFactor }}'{{ else }}'{{ .Values.cassandra.datacenterName }}','{{ .Values.cassandra.replicationFactor }}'{{ end }}]} + - { name: sdcrepository, replicationStrategy: NetworkTopologyStrategy, replicationInfo: [{{ if .Values.pairEnvName }}'{{ .Values.cassandra.datacenterName }}','{{ .Values.cassandra.replicationFactor }}','{{ .Values.cassandra.clusterName }}{{ .Values.pairEnvName }}','{{ .Values.cassandra.replicationFactor }}'{{ else }}'{{ .Values.cassandra.datacenterName }}','{{ .Values.cassandra.replicationFactor }}'{{ end }}]} +licenseTypes: + - User + - Installation + - CPU + +#Deployment artifacts placeHolder +resourceTypes: &allResourceTypes + - VFC + - CP + - VL + - VF + - CR + - VFCMT + - Abstract + - CVFC + - Configuration + - ServiceProxy + - PNF + +componentAllowedInstanceTypes: + Resource: + VF: + - VFC + - VF + - CR + - CP + - PNF + - CVFC + - VL + - Configuration + - ServiceProxy + - Abstract + CVFC: + - VFC + - VF + - CR + - CP + - PNF + - CVFC + - VL + - ServiceProxy + - Abstract + PNF: + - VF + - CR + - CP + - PNF + - CVFC + - VL + - Configuration + - ServiceProxy + - Abstract + CR: + - VF + - CR + - CP + - PNF + - CVFC + - VL + - Configuration + - ServiceProxy + - Abstract + VL: + - VL + Service: + "*": + - VF + - VFC + - CR + - CP + - PNF + - CVFC + - VL + - Configuration + - ServiceProxy + - Abstract + +artifacts: + - type: CONTROLLER_BLUEPRINT_ARCHIVE + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - zip + - type: HELM + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + - RESOURCE + resourceTypes: *allResourceTypes + 
acceptedTypes: + - tgz + - type: YANG_XML + categories: + - DEPLOYMENT + - INFORMATIONAL + componentTypes: + - SERVICE + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - xml + - type: VNF_CATALOG + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + - type: MODEL_INVENTORY_PROFILE + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + - type: MODEL_QUERY_SPEC + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + - type: UCPE_LAYER_2_CONFIGURATION + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + #AAI Artifacts + - type: AAI_SERVICE_MODEL + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + - type: AAI_VF_MODULE_MODEL + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + - type: AAI_VF_INSTANCE_MODEL + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + #Plan + - type: PLAN + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + - RESOURCE + - RESOURCE_INSTANCE + resourceTypes: + - VF + - VFC + acceptedTypes: + - xml + - type: WORKFLOW + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + - RESOURCE + resourceTypes: + - VFC + - CP + - VL + - VF + - CR + - VFCMT + - Abstract + - CVFC + - PNF + acceptedTypes: + - type: HEAT + categories: + - DEPLOYMENT + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - yaml + - yml + - type: HEAT_VOL + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - yaml + - yml + - type: HEAT_NET + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - yaml + - yml + - type: HEAT_NESTED + categories: + - 
DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - yaml + - yml + - type: HEAT_ARTIFACT + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: CLOUD_TECHNOLOGY_SPECIFIC_ARTIFACT + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - zip + - tgz + - csar + - type: VNF_CATALOG + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - xml + - type: VF_LICENSE + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - xml + - type: VENDOR_LICENSE + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - xml + - type: MODEL_INVENTORY_PROFILE + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - xml + - type: MODEL_QUERY_SPEC + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - xml + - type: LIFECYCLE_OPERATIONS + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFC + acceptedTypes: + - yaml + - yml + - type: VES_EVENTS + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + - RESOURCE_INSTANCE + resourceTypes: + - VFC + - CP + - VL + - VF + - CR + - VFCMT + - Abstract + - CVFC + - PNF + acceptedTypes: + - yaml + - yml + - type: PERFORMANCE_COUNTER + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + - RESOURCE_INSTANCE + resourceTypes: *allResourceTypes + acceptedTypes: + - csv + - type: APPC_CONFIG + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + acceptedTypes: + - type: DCAE_TOSCA + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFCMT + acceptedTypes: + - yml + - yaml + - type: 
DCAE_JSON + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFCMT + acceptedTypes: + - json + - type: DCAE_POLICY + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFCMT + acceptedTypes: + - emf + - type: DCAE_DOC + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFCMT + acceptedTypes: + - type: DCAE_EVENT + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFCMT + acceptedTypes: + - type: AAI_VF_MODEL + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + acceptedTypes: + - xml + - type: AAI_VF_MODULE_MODEL + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + acceptedTypes: + - xml + - type: OTHER + categories: + - DEPLOYMENT + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: + - VFC + - CVFC + - CP + - VL + - VF + - VFCMT + - Abstract + - PNF + acceptedTypes: + - type: SNMP_POLL + categories: + - DEPLOYMENT + - INFORMATIONAL + componentTypes: + - RESOURCE + - RESOURCE_INSTANCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: SNMP_TRAP + categories: + - DEPLOYMENT + - INFORMATIONAL + componentTypes: + - RESOURCE + - RESOURCE_INSTANCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: PM_DICTIONARY + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - yaml + - yml + - type: YANG_MODULE + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - yang + - type: ANSIBLE_PLAYBOOK + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - yaml + - yml + - type: ONBOARDED_PACKAGE + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - csar + - zip + - type: ETSI_PACKAGE + categories: + - DEPLOYMENT + 
componentTypes: + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - csar + - zip + - type: ASD_PACKAGE + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - csar + - zip + - type: HEAT_ENV + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - env + - type: VF_MODULES_METADATA + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - json + - type: DCAE_INVENTORY_TOSCA + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - yml + - yaml + - type: DCAE_INVENTORY_JSON + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - json + - type: DCAE_INVENTORY_POLICY + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - emf + - type: DCAE_INVENTORY_DOC + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - type: DCAE_INVENTORY_BLUEPRINT + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - type: DCAE_INVENTORY_EVENT + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - type: CHEF + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: PUPPET + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: SHELL + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: YANG + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: BPEL + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + 
acceptedTypes: + - type: DG_XML + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: MURANO_PKG + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: PNF_SW_INFORMATION + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: + - PNF + acceptedTypes: + - yaml + - yml + - type: GUIDE + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFC + - CVFC + - PNF + acceptedTypes: + - yaml + - yml + - type: FLOW + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: SHELL_SCRIPT + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + - SERVICE_INSTANCE + - RESOURCE + - RESOURCE_INSTANCE + resourceTypes: *allResourceTypes + acceptedTypes: + - sh + - type: TOSCA_CSAR + categories: + - TOSCA + componentTypes: + resourceTypes: + acceptedTypes: + - csar + - type: TOSCA_TEMPLATE + categories: + - TOSCA + componentTypes: + resourceTypes: + acceptedTypes: + - yml + - yaml + - type: NETWORK_CALL_FLOW + categories: + componentTypes: + resourceTypes: + acceptedTypes: + - type: ICON + categories: + componentTypes: + resourceTypes: + acceptedTypes: + +deploymentResourceArtifacts: + +deploymentResourceInstanceArtifacts: + heatEnv: + displayName: "HEAT ENV" + type: HEAT_ENV + description: "Auto-generated HEAT Environment deployment artifact" + fileExtension: "env" + VfHeatEnv: + displayName: "VF HEAT ENV" + type: HEAT_ENV + description: "VF Auto-generated HEAT Environment deployment artifact" + fileExtension: "env" + +#tosca artifacts placeholders +toscaArtifacts: + assetToscaTemplate: + artifactName: -template.yml + displayName: Tosca Template + type: TOSCA_TEMPLATE + description: TOSCA representation of the asset + assetToscaCsar: + artifactName: -csar.csar + displayName: Tosca Model + type: TOSCA_CSAR + description: 
TOSCA definition package of the asset + +#Informational artifacts placeHolder +excludeResourceCategory: + - Generic +excludeResourceType: + - PNF + - CR +informationalResourceArtifacts: + features: + displayName: Features + type: OTHER + capacity: + displayName: Capacity + type: OTHER + vendorTestResult: + displayName: Vendor Test Result + type: OTHER + testScripts: + displayName: Test Scripts + type: OTHER + CloudQuestionnaire: + displayName: Cloud Questionnaire (completed) + type: OTHER + HEATTemplateFromVendor: + displayName: HEAT Template from Vendor + type: HEAT + resourceSecurityTemplate: + displayName: Resource Security Template + type: OTHER + +excludeServiceCategory: + +informationalServiceArtifacts: + serviceArtifactPlan: + displayName: Service Artifact Plan + type: OTHER + summaryOfImpactsToECOMPElements: + displayName: Summary of impacts to ECOMP elements,OSSs, BSSs + type: OTHER + automationCompositionFunctions: + displayName: Automation Composition Functions + type: OTHER + dimensioningInfo: + displayName: Dimensioning Info + type: OTHER + affinityRules: + displayName: Affinity Rules + type: OTHER + operationalPolicies: + displayName: Operational Policies + type: OTHER + serviceSpecificPolicies: + displayName: Service-specific Policies + type: OTHER + engineeringRules: + displayName: Engineering Rules (ERD) + type: OTHER + distributionInstructions: + displayName: Distribution Instructions + type: OTHER + certificationTestResults: + displayName: TD Certification Test Results + type: OTHER + deploymentVotingRecord: + displayName: Deployment Voting Record + type: OTHER + serviceQuestionnaire: + displayName: Service Questionnaire + type: OTHER + serviceSecurityTemplate: + displayName: Service Security Template + type: OTHER + +serviceApiArtifacts: + configuration: + displayName: Configuration + type: OTHER + instantiation: + displayName: Instantiation + type: OTHER + monitoring: + displayName: Monitoring + type: OTHER + reporting: + displayName: Reporting 
+ type: OTHER + logging: + displayName: Logging + type: OTHER + testing: + displayName: Testing + type: OTHER + +additionalInformationMaxNumberOfKeys: 50 + +systemMonitoring: + enabled: false + isProxy: false + probeIntervalInSeconds: 15 +heatArtifactDeploymentTimeout: + defaultMinutes: 30 + minMinutes: 1 + maxMinutes: 120 + +unLoggedUrls: + - /sdc2/rest/monitoring + - /sdc2/rest/healthCheck + +cleanComponentsConfiguration: + cleanIntervalInMinutes: 1440 + componentsToClean: + - Resource + - Service + +artifactsIndex: resources + +heatEnvArtifactHeader: "" +heatEnvArtifactFooter: "" + +onboarding: + host: {{ .Values.ONBOARDING_BE.host }} + protocol: {{ if .Values.disableHttp }}https{{ else }}http{{ end }} + port: {{ if .Values.disableHttp }}{{ .Values.ONBOARDING_BE.httpsPort }}{{ else }}{{ .Values.ONBOARDING_BE.httpPort }}{{ end }} + getVspPackageUri: "/onboarding-api/v1.0/vendor-software-products/packages/%s?versionId=%s" # /onboarding-api/v1.0/vendor-software-products/packages/:vspId?versionId=:vspVersionId + getLatestVspPackageUri: "/onboarding-api/v1.0/vendor-software-products/packages/%s" # /onboarding-api/v1.0/vendor-software-products/packages/:vspId + getVspUri: "/onboarding-api/v1.0/vendor-software-products/%s/versions/%s" # /onboarding-api/v1.0/vendor-software-products/:vspId/versions/:vspVersionId + getLatestVspUri: "/onboarding-api/v1.0/vendor-software-products/%s" # /onboarding-api/v1.0/vendor-software-products/:vspId + healthCheckUri: "/onboarding-api/v1.0/healthcheck" + +# #GSS IDNS +switchoverDetector: + gBeFqdn: + gFeFqdn: + beVip: 1.2.3.4 + feVip: 1.2.3.4 + beResolveAttempts: 3 + feResolveAttempts: 3 + enabled: false + interval: 60 + changePriorityUser: ecompasdc + changePriorityPassword: ecompasdc123 + publishNetworkUrl: + publishNetworkBody: '{"note":"comment"}' + groups: + beSet: { changePriorityUrl: "", changePriorityBody: 
'{"name":"","uri":"","no_ad_redirection":false,"v4groups":{"failover_groups":["","","failover_policy":["FAILALL"]},"comment":"","intended_app_proto":"DNS"}'} + feSet: { changePriorityUrl: "", changePriorityBody: '{"name":"","uri":"","no_ad_redirection":false,"v4groups":{"failover_groups":["",""],"failover_policy":["FAILALL"]},"comment":"","intended_app_proto":"DNS"}'} +applicationL1Cache: + datatypes: + enabled: true + firstRunDelay: 10 + pollIntervalInSec: 60 + +applicationL2Cache: + enabled: false + catalogL1Cache: + enabled: false + resourcesSizeInCache: 300 + servicesSizeInCache: 200 + productsSizeInCache: 100 + queue: + syncIntervalInSecondes: 43200 + waitOnShutDownInMinutes: 10 + numberOfCacheWorkers: 4 + +toscaValidators: + stringMaxLength: 2500 + +disableAudit: false + +vfModuleProperties: + min_vf_module_instances: + forBaseModule: 1 + forNonBaseModule: 0 + max_vf_module_instances: + forBaseModule: 1 + forNonBaseModule: + initial_count: + forBaseModule: 1 + forNonBaseModule: 0 + vf_module_type: + forBaseModule: Base + forNonBaseModule: Expansion + +genericAssetNodeTypes: + VFC: org.openecomp.resource.abstract.nodes.VFC + CVFC: org.openecomp.resource.abstract.nodes.VFC + VF : org.openecomp.resource.abstract.nodes.VF + CR : org.openecomp.resource.abstract.nodes.CR + PNF: org.openecomp.resource.abstract.nodes.PNF + Service: org.openecomp.resource.abstract.nodes.service + ETSI NFV Network Service: tosca.nodes.nfv.NS + +# Defines the base types for Services +# <category name>: +# required: <boolean> //if the base type is mandatory or not +# baseTypes: <list of TOSCA types> //the base types. Required if the base type is required. +# If not provided, the category will have no base type. 
+serviceBaseNodeTypes: + ETSI NFV Network Service: + required: true + baseTypes: + - tosca.nodes.nfv.NS + AutomationComposition: + required: false + +workloadContext: Production + +environmentContext: + defaultValue: General_Revenue-Bearing + validValues: + - Critical_Revenue-Bearing + - Vital_Revenue-Bearing + - Essential_Revenue-Bearing + - Important_Revenue-Bearing + - Needed_Revenue-Bearing + - Useful_Revenue-Bearing + - General_Revenue-Bearing + - Critical_Non-Revenue + - Vital_Non-Revenue + - Essential_Non-Revenue + - Important_Non-Revenue + - Needed_Non-Revenue + - Useful_Non-Revenue + - General_Non-Revenue + +gabConfig: + - artifactType: 'VES_EVENTS' + pathsAndNamesDefinitions: + - + friendlyName: "Action" + path: "event.action[2]" + searchable: true + - + friendlyName: "Comment" + path: "event.comment" + searchable: true + - + friendlyName: "Alarm Additional Information" + path: "event.structure.faultFields.structure.alarmAdditionalInformation.comment" + searchable: true + - artifactType: 'PM_DICTIONARY' + pathsAndNamesDefinitions: + - + friendlyName: "measType" + path: "pmMetaData.pmFields.measType" + searchable: true + - + friendlyName: "measDescription" + path: "pmMetaData.pmFields.measDescription" + searchable: true + - + friendlyName: "measCondition" + path: "pmMetaData.pmFields.measCondition" + searchable: false + - + friendlyName: "measResultUnits" + path: "pmMetaData.pmFields.measResultUnits" + searchable: false + - + friendlyName: "measResultRange" + path: "pmMetaData.pmFields.measResultRange" + searchable: false + - + friendlyName: "measObjClass" + path: "pmMetaData.pmFields.measObjClass" + searchable: true + - + friendlyName: "measCollectionMethod" + path: "pmMetaData.pmFields.measCollectionMethod" + searchable: false + - + friendlyName: "measInfoId" + path: "pmMetaData.pmFields.measInfoId" + searchable: true + - + friendlyName: "iMeasInfoId" + path: "pmMetaData.pmFields.iMeasInfoId" + searchable: false +dmaapConsumerConfiguration: + active: {{ 
.Values.dmaapConsumerConfiguration.active }} + hosts: localhost:3905 + consumerGroup: sdc + consumerId: mama + timeoutMs: 15000 + limit: 1 + pollingInterval: 2 + topic: topic + latitude: 32.109333 + longitude: 34.855499 + version: 1.0 + serviceName: localhost/events + environment: TEST + partner: BOT_R + routeOffer: MR1 + protocol: https + contenttype: application/json + dme2TraceOn: true + aftEnvironment: AFTUAT + aftDme2ConnectionTimeoutMs: 15000 + aftDme2RoundtripTimeoutMs: 240000 + aftDme2ReadTimeoutMs: 50000 + dme2preferredRouterFilePath: DME2preferredRouter.txt + timeLimitForNotificationHandleMs: 120000 + credential: + username: user + password: + aftDme2SslEnable: true + aftDme2ClientSslCertAlias: certman + +dmaapProducerConfiguration: + active: true + hosts: {{ .Values.dmaapProducerConfiguration.hosts }} + consumerGroup: sdc-{{ .Values.chefEnvironment }}-1730226683 + consumerId: sdc-{{ .Values.chefEnvironment }}1-1730226683 + timeoutMs: 15000 + limit: 1 + pollingInterval: 2 + topic: {{ .Values.dmaapProducerConfiguration.topic }} + latitude: 32.109333 + longitude: 34.855499 + version: 1.0 + serviceName: {{ .Values.dmaapProducerConfiguration.serviceName }} + environment: {{ .Values.dmaapProducerConfiguration.environment }} + partner: BOT_R + routeOffer: MR1 + protocol: {{ .Values.dmaapProducerConfiguration.protocol }} + contenttype: application/json + dme2TraceOn: true + aftEnvironment: {{ .Values.dmaapProducerConfiguration.aftEnvironment }} + aftDme2ConnectionTimeoutMs: 15000 + aftDme2RoundtripTimeoutMs: 240000 + aftDme2ReadTimeoutMs: 50000 + dme2preferredRouterFilePath: {{ .Values.dmaapProducerConfiguration.dme2preferredRouterFilePath }} + timeLimitForNotificationHandleMs: 120000 + credential: + username: {{ .Values.dmaapProducerConfiguration.username }} + password: {{ .Values.dmaapProducerConfiguration.password }} + aftDme2SslEnable: true + aftDme2ClientSslCertAlias: certman + +# ToDo: AF - had to remove due to configuration laod class failure 
+#dmeConfiguration: +# lookupUriFormat: "http://DME2RESOLVE/service=%s/version=1.0.0/envContext=%s/routeOffer=DEFAULT" +# dme2Search: DME2SEARCH +# dme2Resolve: DME2RESOLVE + +excludedPolicyTypesMapping: +# VF: +# - a.b.c +# - c.d.e +#CR: +# - x.y.z + +excludedGroupTypesMapping: + CR: + - org.openecomp.groups.VfModule + - org.openecomp.groups.heat.HeatStack + - org.openecomp.groups.Group + - tosca.groups.Root + PNF: + - org.openecomp.groups.VfModule + - org.openecomp.groups.heat.HeatStack + - org.openecomp.groups.Group + - tosca.groups.Root + VF: + - org.openecomp.groups.VfModule + - org.openecomp.groups.heat.HeatStack + - org.openecomp.groups.Group + - tosca.groups.Root + Service: + - org.openecomp.groups.VfModule + - org.openecomp.groups.heat.HeatStack + - org.openecomp.groups.Group + - tosca.groups.Root + +healthStatusExclude: + - DE + - DMAAP + - DMAAP_PRODUCER + - ON_BOARDING + - DCAE + - PORTAL + - External API + +#Auto Healing +enableAutoHealing: false +appVersion: {{ .Values.appVersion }} + +artifactGeneratorConfig: Artifact-Generator.properties +resourcesForUpgrade: + 8.0: + - org.openecomp.resource.cp.extCP + - tosca.nodes.network.Network + - tosca.nodes.network.Port + - org.openecomp.resource.cp.nodes.network.SubInterface +skipUpgradeFailedVfs: true +skipUpgradeVSPs: true +autoHealingOwner: jh0003 +supportAllottedResourcesAndProxy: true +deleteLockTimeoutInSeconds: 60 +maxDeleteComponents: 10 + +# This configuration entry lists all node type names prefix that shall be allowed on SDC. +definedResourceNamespace: + - org.openecomp.resource. + - org.onap.policy.clamp.acm. + - tosca.nodes. + +# This configuration entry lists all Directives values that shall be allowed on SDC. 
+directives: + - select + - selectable + - substitute + - substitutable + +externalCsarStore: + storageType: NONE # NONE, MINIO + endpoint: + host: 127.0.0.1 + port: 9000 + secure: false + credentials: + accessKey: "login" + secretKey: "password" + tempPath: "/home/onap/temp/" + uploadPartSize: 200000000 + +#This configuration specifies the delimiter used to differentiate instance name and count +componentInstanceCounterDelimiter: " " + +# Comma separated list of excluded URLs by the DataValidatorFilter +dataValidatorFilterExcludedUrls: "/healthCheck,/followed,/authorize" + +#Space separated list of permitted ancestors +permittedAncestors: {{ .Values.permittedAncestors }} diff --git a/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/distribution-engine-configuration.yaml b/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/distribution-engine-configuration.yaml new file mode 100644 index 0000000000..f096b13fcc --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/distribution-engine-configuration.yaml 
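Review bot: the `beSet.changePriorityBody` JSON under `switchoverDetector` in configuration.yaml is malformed: `"failover_groups":["","","failover_policy":["FAILALL"]}` closes the array with `}` instead of `]`, whereas the `feSet` body right after it has the correct `["",""],"failover_policy":["FAILALL"]}`; make `beSet` match `feSet`. In the same file, `changePriorityUser: ecompasdc` / `changePriorityPassword: ecompasdc123` and the `externalCsarStore` `accessKey: "login"` / `secretKey: "password"` are literal credentials rendered into a ConfigMap; template them from values backed by a Secret, as is already done for `dmaapProducerConfiguration.password`. `switchoverDetector.enabled: false` and `storageType: NONE` only disable the features, they do not stop anyone with ConfigMap read access from seeing the values.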
@@ -0,0 +1,84 @@ +uebServers: + - no-message-router.onap + - no-message-router.onap + +uebPublicKey: {{ .Values.uebPublicKey }} +uebSecretKey: {{ .Values.uebSecretKey }} + +distributionNotifTopicName: {{ if .Values.distributionNotifTopicName }}{{ .Values.distributionNotifTopicName }}{{- else }}SDC-DISTR-NOTIF-TOPIC{{- end }} + +distributionStatusTopicName: {{ if .Values.distributionStatusTopicName }}{{ .Values.distributionStatusTopicName }}{{- else }}SDC-DISTR-STATUS-TOPIC{{- end }} + +kafkaBootStrapServers: {{ .Values.kafkaBootStrapServers }} + +initRetryIntervalSec: 5 +initMaxIntervalSec: 60 + +distribNotifServiceArtifactTypes: + info: + - MURANO-PKG + +distribNotifResourceArtifactTypes: + lifecycle: + - HEAT + - DG-XML + +environments: + - {{ .Values.chefEnvironment }} + +distributionStatusTopic: + pollingIntervalSec: 60 + fetchTimeSec: 15 + consumerGroup: sdc-{{ .Values.chefEnvironment }} + consumerId: sdc-{{ .Values.chefEnvironment }}1 + + +distributionNotificationTopic: + minThreadPoolSize: 0 + maxThreadPoolSize: 10 + maxWaitingAfterSendingSeconds: 5 + +createTopic: + partitionCount: 1 + replicationCount: 1 + +startDistributionEngine: true + +#This is false by default, since ONAP Dmaap currently doesn't support https +useHttpsWithDmaap: false +opEnvRecoveryIntervalSec: 180 +allowedTimeBeforeStaleSec: 300 + +aaiConfig: + httpRequestConfig: + serverRootUrl: https://localhost:8443 + resourceNamespaces: + operationalEnvironments: /aai/v12/cloud-infrastructure/operational-environments + + httpClientConfig: + timeouts: + readTimeoutMs: 5000 + connectTimeoutMs: 1000 + clientCertificate: + keyStore: /app/jetty/base/be/etc/non-prod.jks + keyStorePassword: hmXYcznAljMSisdy8zgcag== + headers: + X-FromAppId: asdc + numOfRetries: 3 + +msoConfig: + httpRequestConfig: + serverRootUrl: http://127.0.0.1:8080/onap/mso/infra/modelDistributions/v1 + resourceNamespaces: + distributions: /distributions + + httpClientConfig: + timeouts: + readTimeoutMs: 2000 + connectTimeoutMs: 500 
+ basicAuthorization: + userName: asdc + password: OTLEp5lfVhYdyw5EAtTUBQ== + numOfRetries: 3 + +currentArtifactInstallationTimeout: 120 diff --git a/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/janusgraph.properties b/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/janusgraph.properties new file mode 100644 index 0000000000..a08f7bd77a --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/janusgraph.properties 
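Review bot: `aaiConfig.httpClientConfig.clientCertificate.keyStorePassword` and `msoConfig.httpClientConfig.basicAuthorization.password` in distribution-engine-configuration.yaml are literal values in a file that configmap.yaml packs into the `-sdc-catalog-be-configmap` ConfigMap; move them behind values sourced from a Secret, as is already done for `uebSecretKey`. Also, `uebServers` lists `no-message-router.onap` twice, and `serverRootUrl: https://localhost:8443` for AAI and `serverRootUrl: http://127.0.0.1:8080/onap/mso/infra/modelDistributions/v1` for SO point at the pod's own loopback, so the distribution engine cannot reach either service with these defaults; parametrize them from values like `kafkaBootStrapServers`.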
@@ -0,0 +1,39 @@ +storage.backend=cql +storage.hostname={{ .Values.cassandra.hostname }} +storage.port={{ .Values.cassandra.port }} +storage.username={{ .Values.cassandra.cassandraUsername }} +storage.password={{ .Values.cassandra.cassandraPassword }} +storage.connection-timeout={{ .Values.cassandra.connectionTimeout }} +storage.cql.keyspace=sdctitan + +storage.cql.ssl.enabled={{ .Values.cassandra.cassandraSslEnabled }} +storage.cql.ssl.keystore.location={{ .Values.cassandra.keystoreLocation }} +storage.cql.ssl.keystore.password={{ .Values.cassandra.keystorePassword }} +storage.cql.ssl.truststore.location={{ .Values.cassandra.truststoreLocation }} +storage.cql.ssl.truststore.password={{ .Values.cassandra.truststorePassword }} + +storage.cql.read-consistency-level={{ .Values.cassandra.readConsistencyLevel }} +storage.cql.write-consistency-level={{ .Values.cassandra.writeConsistencyLevel }} +storage.cql.replication-strategy-class=NetworkTopologyStrategy + + +{{- $replicationStrategyOptions := "" -}} +{{- if .Values.pairEnvName | eq "" }} +{{- $replicationStrategyOptions = printf "%s,%d" .Values.cassandra.datacenterName (int .Values.cassandra.replicationFactor) -}} +{{- else }} +{{- $replicationStrategyOptions = printf "%s,%d,%s%s,%d" .Values.cassandra.datacenterName (int .Values.cassandra.replicationFactor) .Values.cassandra.cluster_name .Values.pairEnvName (int .Values.cassandra.replicationFactor) -}} +{{- end }} + +storage.cql.replication-strategy-options={{ $replicationStrategyOptions }} + +storage.cql.local-datacenter={{ .Values.cassandra.datacenterName }} + +cache.db-cache ={{ .Values.cassandra.db_cache }} +cache.db-cache-clean-wait = 20 +cache.db-cache-time = 180000 +cache.db-cache-size = 0.5 + +cache.tx-cache-size = 1000000 + +storage.lock.retries=5 +graph.replace-instance-if-exists=true 
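Review bot: `storage.password`, `storage.cql.ssl.keystore.password` and `storage.cql.ssl.truststore.password` in janusgraph.properties are rendered from values into a ConfigMap (the `-sdc-catalog-be-configmap` glob in configmap.yaml), which puts the Cassandra credentials and keystore passwords into a non-secret object. JanusGraph reads the whole file, so the practical fix is to serve this file from a Secret-backed volume rather than the ConfigMap, and to keep only the non-sensitive properties in the ConfigMap if they need to stay visible. Also, the three `ssl.*.password` lines are emitted unconditionally while `storage.cql.ssl.enabled` is a value; guard them with `{{- if .Values.cassandra.cassandraSslEnabled }}` so a non-TLS deployment does not carry empty password keys.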
diff --git a/kubernetes/sdc/components/sdc-be/resources/config/ready-probe.sh b/kubernetes/sdc/components/sdc-be/resources/config/ready-probe.sh new file mode 100644 index 0000000000..4bad479d91 --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/ready-probe.sh @@ -0,0 +1,9 @@ +#!/bin/sh +health_check_http_code=$(curl -k --max-time 5 -o /dev/null -w '%{http_code}' {{ if .Values.global.disableHttp }}https://127.0.0.1:{{ .Values.beSslPort }}{{- else -}}http://127.0.0.1:{{ .Values.beHttpPort }}{{- end -}}/sdc2/rest/healthCheck) + +if [ "$health_check_http_code" -eq 200 ]; then + exit 0 +else + echo "Health check http status: $health_check_http_code" + exit 1 +fi diff --git a/kubernetes/sdc/components/sdc-be/resources/config/resource/key.properties b/kubernetes/sdc/components/sdc-be/resources/config/resource/key.properties new file mode 100644 index 0000000000..72fd2f6440 --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/resource/key.properties 
@@ -0,0 +1,41 @@ +### +# ============LICENSE_START========================================== +# ONAP Portal SDK +# =================================================================== +# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. +# =================================================================== +# +# Unless otherwise specified, all software contained herein is licensed +# under the Apache License, Version 2.0 (the ?License?); +# you may not use this software except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Unless otherwise specified, all documentation contained herein is licensed +# under the Creative Commons License, Attribution 4.0 Intl. (the ?License?); +# you may not use this documentation except in compliance with the License. +# You may obtain a copy of the License at +# +# https://creativecommons.org/licenses/by/4.0/ +# +# Unless required by applicable law or agreed to in writing, documentation +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# ============LICENSE_END============================================ +# +# +### + +# Properties read by the ECOMP Framework library (epsdk-fw) + +cipher.enc.key = AGLDdG4D04BKm2IxIWEr8o== 
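Review bot: `cipher.enc.key = AGLDdG4D04BKm2IxIWEr8o==` in key.properties is the epsdk-fw cipher key used for the encrypted `portal_*` values in portal.properties, and it is checked into the chart as a fixed literal and rendered into a ConfigMap. Every installation of this chart therefore shares the same key, and anyone who can read the `-sdc-catalog-be-resource-configmap` ConfigMap can recover the Portal credentials. Template it from a per-release values entry and deliver it through a Secret-backed volume; the `?License?` characters in the header comment are also mojibake for the curly quotes in the Apache boilerplate and should be restored to plain `"License"`.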
diff --git a/kubernetes/sdc/components/sdc-be/resources/config/resource/portal.properties b/kubernetes/sdc/components/sdc-be/resources/config/resource/portal.properties new file mode 100644 index 0000000000..c3ba1b1aa0 --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/resource/portal.properties 
@@ -0,0 +1,89 @@ +### +# ============LICENSE_START========================================== +# ONAP Portal SDK +# =================================================================== +# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. +# =================================================================== +# +# Unless otherwise specified, all software contained herein is licensed +# under the Apache License, Version 2.0 (the ?License?); +# you may not use this software except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Unless otherwise specified, all documentation contained herein is licensed +# under the Creative Commons License, Attribution 4.0 Intl. (the ?License?); +# you may not use this documentation except in compliance with the License. +# You may obtain a copy of the License at +# +# https://creativecommons.org/licenses/by/4.0/ +# +# Unless required by applicable law or agreed to in writing, documentation +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# ============LICENSE_END============================================ +# +# +### +# Properties read by ECOMP Framework library, ecompFW.jar + +########################################################################## +# The following properties should NOT be changed by partner applications. 
+########################################################################## + +portal.api.prefix = /api +max.idle.time = 5 +user.attribute.name = user_attribute + +#Use REST API instead of UEB to fetch the functional menu data +use_rest_for_functional_menu=true + + +########################################################################## +# The following properties MUST be changed by partner applications. +########################################################################## + +# Name of java class that implements the OnBoardingApiService interface. +portal.api.impl.class = org.openecomp.sdc.be.ecomp.PortalRestApiCentralServiceImpl +role_access_centralized = remote + +# Cookie set by CSP-SSO +#csp_cookie_name = onapCsp + +# CSP setting, most use PROD; DEV also recognized +csp_gate_keeper_prod_key = PROD + +# URL of the Portal where this app is onboarded +ecomp_redirect_url = https://portal-app.onap:30225/ONAPPORTAL/login.htm + +# URL of the ECOMP Portal REST API +ecomp_rest_url = https://portal-app.onap:8443/ONAPPORTAL/auxapi + +# Connection and Read timeout values +ext_req_connection_timeout = 15000 +ext_req_read_timeout = 20000 + +# Name of java class that implements the OnBoardingApiService interface. +portal.api.impl.class = org.openecomp.sdc.be.ecomp.PortalRestApiCentralServiceImpl + +#Portal user & key +portal_app_name = Ipwxi2oLvDxctMA1royaRw1W0jhucLx+grHzci3ePIA= +portal_pass = j85yNhyIs7zKYbR1VlwEfNhS6b7Om4l0Gx5O8931sCI= +portal_user = Ipwxi2oLvDxctMA1royaRw1W0jhucLx+grHzci3ePIA= + + +# UEB key generated while on-boarding +ueb_app_key = "" + +# Applications do not need to run a UEB listener after 1607. +ueb_listeners_enable = false diff --git a/kubernetes/sdc/components/sdc-be/resources/config/start.d/http.ini b/kubernetes/sdc/components/sdc-be/resources/config/start.d/http.ini new file mode 100644 index 0000000000..e637e2378d --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/start.d/http.ini 
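Review bot: `portal.api.impl.class = org.openecomp.sdc.be.ecomp.PortalRestApiCentralServiceImpl` appears twice in portal.properties (once under the "should NOT be changed" block, once under "MUST be changed"); drop one copy. `portal_app_name`, `portal_pass` and `portal_user` are only as protected as the static `cipher.enc.key` shipped in key.properties in the same ConfigMap, so they should be templated from values and mounted from a Secret rather than hard-coded. Also, `ueb_app_key = ""` is read by java.util.Properties as the literal two-character string `""`, not as empty; leave the right-hand side blank if an empty key is intended.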
@@ -0,0 +1,29 @@ +# --------------------------------------- +# Module: http +--module=http + +### HTTP Connector Configuration + +## Connector host/address to bind to +# jetty.http.host=0.0.0.0 + +## Connector port to listen on +jetty.http.port= {{ .Values.jetty.httpPort }} + +## Connector idle timeout in milliseconds +jetty.http.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.http.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.http.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.http.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.http.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.http.acceptorPriorityDelta=0 diff --git a/kubernetes/sdc/components/sdc-be/resources/config/start.d/https.ini b/kubernetes/sdc/components/sdc-be/resources/config/start.d/https.ini new file mode 100644 index 0000000000..68c36e8c57 --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/start.d/https.ini @@ -0,0 +1,29 @@ +# --------------------------------------- +# Module: https +--module=https + +### HTTPS Connector Configuration + +## Connector host/address to bind to +# jetty.https.host=0.0.0.0 + +## Connector port to listen on +jetty.https.port={{ .Values.jetty.httpsPort }} + +## Connector idle timeout in milliseconds +jetty.https.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.https.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.https.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.https.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.https.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.https.acceptorPriorityDelta=0 
diff --git a/kubernetes/sdc/components/sdc-be/resources/config/start.d/ssl.ini b/kubernetes/sdc/components/sdc-be/resources/config/start.d/ssl.ini new file mode 100644 index 0000000000..43941594de --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/start.d/ssl.ini 
@@ -0,0 +1,100 @@ +# --------------------------------------- +# Module: ssl +--module=ssl + +### TLS(SSL) Connector Configuration + +## Connector host/address to bind to +# jetty.ssl.host=0.0.0.0 + +## Connector port to listen on +jetty.ssl.port={{ .Values.jetty.httpsPort }} + +## Connector idle timeout in milliseconds +# jetty.ssl.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.ssl.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.ssl.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.ssl.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.ssl.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.ssl.acceptorPriorityDelta=0 + +## Whether request host names are checked to match any SNI names +# jetty.ssl.sniHostCheck=true + +## max age in seconds for a Strict-Transport-Security response header (default -1) +# jetty.ssl.stsMaxAgeSeconds=31536000 + +## include subdomain property in any Strict-Transport-Security header (default false) +# jetty.ssl.stsIncludeSubdomains=true + +### SslContextFactory Configuration +## Note that OBF passwords are not secure, just protected from casual observation +## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html + +## Keystore file path (relative to $jetty.base) +{{- if .Values.jetty.keystorePath }} +jetty.sslContext.keyStorePath={{ .Values.jetty.keystorePath }} +{{- end }} + +## Truststore file path (relative to $jetty.base) +{{- if .Values.jetty.truststorePath }} +i +jetty.sslContext.trustStorePath={{ .Values.jetty.truststorePath }} +{{- end }} + +## Keystore password +{{- if .Values.jetty.keystorePassword }} +jetty.sslContext.keyStorePassword={{ .Values.jetty.keystorePassword }} +{{- end }} + +## Keystore type and provider +# jetty.sslContext.keyStoreType=JKS +# jetty.sslContext.keyStoreProvider= + 
+## KeyManager password +{{- if .Values.jetty.keystorePassword }} +jetty.sslContext.keyManagerPassword={{ .Values.jetty.keystorePassword }} +{{- end }} + +## Truststore password +# tp{{ .Values.jetty.truststorePassword }}end +# kp{{ .Values.jetty.keystorePassword }}end +{{- if .Values.jetty.truststorePassword }} +jetty.sslContext.trustStorePassword={{ .Values.jetty.truststorePassword }} +{{- end }} + +## Truststore type and provider +# jetty.sslContext.trustStoreType=JKS +# jetty.sslContext.trustStoreProvider= + +## whether client certificate authentication is required +jetty.sslContext.needClientAuth={{ .Values.jetty.truststorePassword | quote | default "false" | not | toString }} + +## Whether client certificate authentication is desired +# jetty.sslContext.wantClientAuth=false + +## Whether cipher order is significant (since java 8 only) +# jetty.sslContext.useCipherSuitesOrder=true + +## To configure Includes / Excludes for Cipher Suites or Protocols see tweak-ssl.xml example at +## https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites + +## Set the size of the SslSession cache +# jetty.sslContext.sslSessionCacheSize=-1 + +## Set the timeout (in seconds) of the SslSession cache timeout +# jetty.sslContext.sslSessionTimeout=-1 + +## Allow SSL renegotiation +# jetty.sslContext.renegotiationAllowed=true +# jetty.sslContext.renegotiationLimit=5 diff --git a/kubernetes/sdc/components/sdc-be/templates/autoscaling.yaml b/kubernetes/sdc/components/sdc-be/templates/autoscaling.yaml new file mode 100644 index 0000000000..b7f265319b --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/templates/autoscaling.yaml 
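Review bot: ssl.ini has a stray `i` line inside the truststore block (`{{- if .Values.jetty.truststorePath }}` / `i` / `jetty.sslContext.trustStorePath=...`), which is emitted into `start.d/ssl.ini` whenever `truststorePath` is set and is not a valid start.ini directive; delete it. The two leftover debug comments `# tp{{ .Values.jetty.truststorePassword }}end` and `# kp{{ .Values.jetty.keystorePassword }}end` echo both passwords into the rendered file unconditionally, even when the guarded property lines below are skipped; remove them. Finally, `jetty.sslContext.needClientAuth={{ .Values.jetty.truststorePassword | quote | default "false" | not | toString }}` always renders `false`: `quote` turns an empty password into the two-character string `""`, which is truthy, so `default "false"` never fires, and `not` of a non-empty string is `false` in both branches. If the intent is to require client certificates whenever a truststore is configured, use `{{ if .Values.jetty.truststorePassword }}true{{ else }}false{{ end }}`.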
@@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/kubernetes/sdc/components/sdc-be/templates/configmap.yaml b/kubernetes/sdc/components/sdc-be/templates/configmap.yaml index 332cd74661..77b70a2c81 100644 --- a/kubernetes/sdc/components/sdc-be/templates/configmap.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/configmap.yaml 
@@ -27,5 +27,81 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/logging/*").AsConfig . | indent 2 }} - - +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-http-be-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/start.d/http.ini").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-https-be-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/start.d/https.ini").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-ssl-be-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/start.d/ssl.ini").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-catalog-be-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/catalog-be/*").AsConfig . 
| indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-catalog-be-resource-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/resource/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-be-ready-probe-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/ready-probe.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/sdc/components/sdc-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-be/templates/deployment.yaml index 229d4233cc..7854175623 100644 --- a/kubernetes/sdc/components/sdc-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/deployment.yaml @@ -20,7 +20,16 @@ kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + minReadySeconds: {{ .Values.minReadySeconds }} + strategy: + type: {{ .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: 
@@ -107,12 +116,26 @@ spec: failureThreshold: {{ .Values.startup.failureThreshold }} resources: {{ include "common.resources" . | nindent 12 }} env: - - name: ENVNAME - value: {{ .Values.env.name }} - name: JAVA_OPTIONS value: {{ .Values.config.javaOptions }} - name: cassandra_ssl_enabled value: {{ .Values.config.cassandraSslEnabled | quote }} + - name: TLS_CERT + value: {{ .Values.be.tlsCert }} + - name: TLS_KEY + value: {{ .Values.be.tlsKey }} + - name: TLS_PASSWORD + value: {{ .Values.be.tlsPassword }} + - name: KEYSTORE_PATH + value: {{ .Values.be.keystorePath }} + - name: KEYSTORE_PASSWORD + value: {{ .Values.be.keystorePassword }} + - name: CA_CERT + value: {{ .Values.be.caCert }} + - name: TRUSTSTORE_PATH + value: {{ .Values.be.truststorePath }} + - name: TRUSTSTORE_PASSWORD + value: {{ .Values.be.truststorePassword }} - name: HOST_IP valueFrom: fieldRef: 
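Review bot: `TLS_PASSWORD`, `KEYSTORE_PASSWORD` and `TRUSTSTORE_PASSWORD` are injected as plain `value: {{ .Values.be.tlsPassword }}` (and siblings), which exposes the passwords in the Deployment spec and in the Helm release record, and renders an invalid manifest when a value is empty, because `value:` must be a string and the template then emits `value:` with nothing after it. Use `valueFrom: secretKeyRef:` for the three password variables, and add `| quote` to the remaining unquoted `value:` entries (`TLS_CERT`, `TLS_KEY`, `KEYSTORE_PATH`, `CA_CERT`, `TRUSTSTORE_PATH`) as is already done for `cassandra_ssl_enabled`.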
@@ -127,17 +150,43 @@ spec: value: {{ .Values.global.kafka.useKafka | quote }} {{- end }} volumeMounts: - - name: sdc-environments - mountPath: /app/jetty/chef-solo/environments/ - name: logs mountPath: /var/log/onap - name: logback mountPath: /tmp/logback.xml subPath: logback.xml + - name: http-config + mountPath: /app/jetty/start.d/http.ini + subPath: http.ini + - name: https-config + mountPath: /app/jetty/start.d/https.ini + subPath: https.ini + - name: ssl-config + mountPath: /app/jetty/start.d/ssl.ini + subPath: ssl.ini + - name: catalog-be-config + mountPath: /app/jetty/config/catalog-be/janusgraph.properties + subPath: janusgraph.properties + - name: catalog-be-config + mountPath: /app/jetty/config/catalog-be/distribution-engine-configuration.yaml + subPath: distribution-engine-configuration.yaml + - name: catalog-be-config + mountPath: /app/jetty/config/catalog-be/configuration.yaml + subPath: configuration.yaml + - name: catalog-be-resource-config + mountPath: /app/jetty/resources/key.properties + subPath: key.properties + - name: catalog-be-resource-config + mountPath: /app/jetty/resources/portal.properties + subPath: portal.properties + - name: ready-probe-config + mountPath: /app/jetty/ready-probe.sh + subPath: ready-probe.sh + lifecycle: postStart: exec: - command: ["/bin/sh", "-c", "export LOG=wait_logback.log; touch $LOG; export SRC=/tmp/logback.xml; export DST=/app/jetty/config/catalog-be/; while [ ! -e $DST ]; do echo 'Waiting for $DST...' >> $LOG; sleep 5; done; sleep 2; /bin/cp -f $SRC $DST; echo 'Done' >> $LOG"] + command: ["/bin/sh", "-c", "export SRC=/tmp/logback.xml; export DST=/app/jetty/config/catalog-be/; while [ ! -e $DST ]; do echo 'Waiting for $DST...'; sleep 5; done; sleep 2; /bin/cp -f $SRC $DST; echo 'Done copying logback.xml' ; echo 'Running BE_3_setup_key_and_trust_store.sh...' 
; /app/jetty/BE_3_setup_key_and_trust_store.sh ; echo 'BE_3_setup_key_and_trust_store.sh completed' "] # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} @@ -146,10 +195,30 @@ spec: - name: logback configMap: name : {{ include "common.fullname" . }}-logging-configmap - - name: sdc-environments - configMap: - name: {{ include "common.release" . }}-sdc-environments-configmap - defaultMode: 0755 - name: logs emptyDir: {} + - name: http-config + configMap: + name: {{ include "common.release" . }}-sdc-http-be-configmap + defaultMode: 0755 + - name: https-config + configMap: + name: {{ include "common.release" . }}-sdc-https-be-configmap + defaultMode: 0755 + - name: ssl-config + configMap: + name: {{ include "common.release" . }}-sdc-ssl-be-configmap + defaultMode: 0755 + - name: catalog-be-config + configMap: + name: {{ include "common.release" . }}-sdc-catalog-be-configmap + defaultMode: 0755 + - name: catalog-be-resource-config + configMap: + name: {{ include "common.release" . }}-sdc-catalog-be-resource-configmap + defaultMode: 0755 + - name: ready-probe-config + configMap: + name: {{ include "common.release" . }}-sdc-be-ready-probe-configmap + defaultMode: 0755 {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-be/templates/job.yaml b/kubernetes/sdc/components/sdc-be/templates/job.yaml index 30400a80b7..02d04154e9 100644 --- a/kubernetes/sdc/components/sdc-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/job.yaml 
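Review bot: in the postStart hook the commands are still chained with `;`, so a non-zero exit from `/bin/cp` or from `BE_3_setup_key_and_trust_store.sh` is masked by the trailing `echo` and the container keeps running with an incomplete or missing keystore/truststore; chain the steps with `&&` (or prepend `set -e;`) so a failed store setup fails the hook and the pod is restarted rather than serving with whatever TLS state it ended up in. Dropping `$LOG` also removes the only record of how long the wait loop ran; the hook's stdout is not retained by the kubelet, so if that history matters write it under the mounted `/var/log/onap` volume.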
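Review bot: in the volumes hunk every new ConfigMap is mounted with `defaultMode: 0755`, but only `ready-probe.sh` needs the execute bit; `http.ini`, `https.ini`, `ssl.ini`, `janusgraph.properties`, `configuration.yaml`, `key.properties` and `portal.properties` are read-only configuration and should get `0644` (or `0444`). Separately, `key.properties` is delivered through the `-sdc-catalog-be-resource-configmap` ConfigMap; if it holds key material rather than file paths it belongs in a Secret, and a one-line comment on what it contains would spare the next reader a trip into the image.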
@@ -57,6 +57,13 @@ spec: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.backendInitImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /bin/sh + - -c + - | + /home/onap/create_consumer_and_user.sh + /home/onap/check_backend.sh + /home/onap/import_normatives.sh volumeMounts: - name: {{ include "common.fullname" . }}-environments mountPath: /home/onap/chef-solo/environments/ @@ -69,6 +76,28 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP + - name: BE_IP + value: {{ .Values.beInit.beIp }} + - name: DISABLE_HTTP + value: {{ .Values.disableHttp | quote }} + - name: BE_HTTPS_PORT + value: {{ .Values.beSslPort | quote }} + - name: BE_HTTP_PORT + value: {{ .Values.beHttpPort | quote }} + - name: TLS_CERT + value: {{ .Values.beInit.tlsCert }} + - name: TLS_KEY + value: {{ .Values.beInit.tlsKey }} + - name: TLS_KEY_PW + value: {{ .Values.beInit.tlsKeyPw }} + - name: CA_CERT + value: {{ .Values.beInit.caCert }} + - name: BASIC_AUTH_ENABLED + value: {{ .Values.basicAuth.enabled | quote }} + - name: BASIC_AUTH_USER + value: {{ .Values.basicAuth.userName }} + - name: BASIC_AUTH_PASS + value: {{ .Values.basicAuth.userPass }} resources: limits: cpu: "800m" diff --git a/kubernetes/sdc/components/sdc-be/values.yaml b/kubernetes/sdc/components/sdc-be/values.yaml index 752fc2cc15..3f82c98c98 100644 --- a/kubernetes/sdc/components/sdc-be/values.yaml +++ b/kubernetes/sdc/components/sdc-be/values.yaml @@ -39,8 +39,8 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/sdc-backend-all-plugins:1.13.6 -backendInitImage: onap/sdc-backend-init:1.13.6 +image: onap/sdc-backend-all-plugins:1.13.9 +backendInitImage: onap/sdc-backend-init:1.13.9 pullPolicy: Always 
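Review bot: the new `command:` block runs `create_consumer_and_user.sh`, `check_backend.sh` and `import_normatives.sh` under `sh -c` without `set -e`, so if user creation or the backend check fails the normatives import still runs and the job's exit status reflects only the last script; start the block with `set -e` (or join the three with `&&`) so the init job fails at the first broken step and the failure is visible in the job status. Note also that this job still mounts `-environments` at `/home/onap/chef-solo/environments/` while the deployment hunk above drops the `sdc-environments` mount and `ENVNAME`; if the chef environment is no longer used on the BE side, say so in the commit message or remove it here as well.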
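Review bot: in the job env hunk, `TLS_KEY_PW` and `BASIC_AUTH_PASS` are plain `value:` strings taken from `.Values.beInit.tlsKeyPw` and `.Values.basicAuth.userPass`; as with the deployment, use `valueFrom.secretKeyRef` for these so the credentials are not baked into the rendered Job. `DISABLE_HTTP`, `BE_HTTPS_PORT` and `BE_HTTP_PORT` are correctly `quote`d, but `BE_IP` and `BASIC_AUTH_USER` are not; quoting them too avoids surprises if an operator sets a value YAML would otherwise type as a number or boolean.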
@@ -191,3 +191,127 @@ wait_for_job_container: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +####### +####### +pairEnvName: "" + + +cassandra: + hostname: cassandra-dc1-service.onap + port: 9042 + cassandraPassword: Aa1234%^! + cassandraUsername: asdc_user + connectionTimeout: 10000 + cassandraSslEnabled: false + keystoreLocation: "" + keystorePassword: "" + truststoreLocation: "" + truststorePassword: "" + clusterName: SDC-CS- + readConsistencyLevel: ONE + writeConsistencyLevel: ALL + #replication_strategy_options: dc1,3 + datacenterName: dc1 + replicationFactor: 3 + db_cache: true + +cassandraConfig: + cassandraHosts: [cassandra-dc1-service.onap] + cassandraPort: 9042 + localDataCenter: dc1 + socketReadTimeout: 20000 + socketConnectTimeout: 20000 + username: asdc_user + password: Aa1234%^! + ssl: false + keystorePath: "" + keystorePassword: false + truststorePath: "" + truststorePassword: "" +dmaapConsumerConfiguration: + active: false +permittedAncestors: "" +tlsCert: "" +tlsKey: "" +caCert: "" +janusGraphCfgFile: /app/jetty/config/catalog-be/janusgraph.properties +ONBOARDING_BE: + host: sdc-onboarding-be.onap + httpPort: 8081 + httpsPort: 8445 +dmaapProducerConfiguration: + hosts: olsd004.com:3905 + topic: SDC-FACADE-NOTIF-v1 + serviceName: dmaap.com:3905/events + environment: TEST + protocol: "" + aftEnvironment: "" + dme2preferredRouterFilePath: "" + username: user1@sdc.com + password: password== +appVersion: "" + +# Distrubution +uebPublicKey: iPIxkpAMI8qTcQj8 +uebSecretKey: Ehq3WyT4bkif4zwgEbvshGal +#distributionNotifTopicName: SDC-DISTR-NOTIF-TOPIC +#distributionStatusTopicName: SDC-DISTR-STATUS-TOPIC +kafkaBootStrapServers: onap-strimzi-kafka-bootstrap:9092 +chefEnvironment: AUTO + +jetty: + httpPort: 8080 + httpsPort: 8443 + keystorePath: "" + truststorePath: "" + keystorePassword: "" + truststorePassword: "" + +disableHttp: false +beFqdn: sdc-be.onap +beHttpPort: 8080 +beSslPort: 8443 +basicAuth: + enabled: true 
+ userName: testName + userPass: testPass + +basicAuthConfig: + enabled: false +beInit: + beIp: sdc-be.onap + tlsCert: "" + tlsKey: "" + tlsKeyPw: "" + caCert: "" + + +be: + tlsCert: "" + tlsKey: "" + tlsPassword: "" + keystorePath: "" + keystorePassword: "" + caCert: "" + truststorePath: "" + truststorePassword: "" + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 75 + +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + +# the minimum number of seconds that a newly created Pod should be ready +minReadySeconds: 30 +updateStrategy: + type: RollingUpdate + # The number of pods that can be unavailable during the update process + maxUnavailable: 0 + # The number of pods that can be created above the desired amount of pods during an update + maxSurge: 1 +#END diff --git a/kubernetes/sdc/components/sdc-cs/Chart.yaml b/kubernetes/sdc/components/sdc-cs/Chart.yaml index f0bbbca1d9..8edbfbbb84 100644 --- a/kubernetes/sdc/components/sdc-cs/Chart.yaml +++ b/kubernetes/sdc/components/sdc-cs/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP Service Design and Creation Cassandra name: sdc-cs -version: 13.0.0 +version: 13.0.2 dependencies: - name: common diff --git a/kubernetes/sdc/components/sdc-cs/values.yaml b/kubernetes/sdc/components/sdc-cs/values.yaml index b8986ee104..b475488e74 100644 --- a/kubernetes/sdc/components/sdc-cs/values.yaml +++ b/kubernetes/sdc/components/sdc-cs/values.yaml @@ -73,8 +73,8 @@ cassandra: # application image repository: nexus3.onap.org:10001 -image: onap/sdc-cassandra:1.13.6 -cassandraInitImage: onap/sdc-cassandra-init:1.13.6 +image: onap/sdc-cassandra:1.13.9 +cassandraInitImage: onap/sdc-cassandra-init:1.13.9 pullPolicy: Always config: diff --git a/kubernetes/sdc/components/sdc-fe/Chart.yaml b/kubernetes/sdc/components/sdc-fe/Chart.yaml index 5c05fdaba6..3f8ae42a3b 100644 --- a/kubernetes/sdc/components/sdc-fe/Chart.yaml 
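Review bot: the values.yaml hunk commits working credentials as chart defaults: `cassandra.cassandraPassword` and `cassandraConfig.password`, `dmaapProducerConfiguration.username`/`password`, `uebPublicKey`/`uebSecretKey`, and `basicAuth.userName`/`userPass` (`testName`/`testPass`, with `basicAuth.enabled: true`). Defaults like these are rendered into every release that does not override them; leave them empty, as the `tlsCert`/`tlsKey`/`caCert` entries already are, and document the override, or have the chart create them as Secrets. Smaller points in the same hunk: `cassandraConfig.keystorePassword: false` is a boolean where every sibling is a string; the Cassandra host, user and password now appear under both `cassandra:` and `cassandraConfig:` and will drift; `basicAuth.enabled` and `basicAuthConfig.enabled` hold opposite values with no comment on which one the templates read; and the `# Distrubution` comment is misspelled.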
+++ b/kubernetes/sdc/components/sdc-fe/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP Service Design and Creation Front End name: sdc-fe -version: 13.0.0 +version: 13.0.3 dependencies: - name: repositoryGenerator diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/readyProbe/combined-liveness.sh b/kubernetes/sdc/components/sdc-fe/resources/config/readyProbe/combined-liveness.sh new file mode 100644 index 0000000000..28ad30aef5 --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/resources/config/readyProbe/combined-liveness.sh @@ -0,0 +1,28 @@ +#!/bin/sh + +# Variables + +INTERNAL_PORT=8181 +HEALTHCHECK_URL="http://localhost:8181/sdc1/rest/healthCheck" + +# 1. TCP Socket Check for Internal Port + +nc -z localhost $INTERNAL_PORT +TCP_STATUS=$? + +if [ $TCP_STATUS -ne 0 ]; then + echo "TCP check failed: Internal port $INTERNAL_PORT is not open." + exit 1 +fi + +# 2. Cassandra Health Check from API Response using jq + +CASSANDRA_STATUS=$(curl -s $HEALTHCHECK_URL | jq -r '.componentsInfo[] | select(.healthCheckComponent == "CASSANDRA") | .healthCheckStatus') + +if [ "$CASSANDRA_STATUS" != "UP" ]; then + echo "Cassandra API check failed: HealthCheck status is $CASSANDRA_STATUS, not UP." + exit 1 +fi + +echo "Liveness check passed: Internal port $INTERNAL_PORT is open, and Cassandra is healthy." +exit 0 diff --git a/kubernetes/sdc/components/sdc-fe/templates/autoscaling.yaml b/kubernetes/sdc/components/sdc-fe/templates/autoscaling.yaml new file mode 100644 index 0000000000..b7f265319b --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/templates/autoscaling.yaml 
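Review bot: combined-liveness.sh ties the liveness probe to Cassandra's `healthCheckStatus`, so when Cassandra is down the kubelet restarts the front-end pod, which cannot fix Cassandra and only adds restart churn; keep the dependency check in readiness and limit liveness to the local `nc -z` port test. Within the script, `curl -s $HEALTHCHECK_URL` has neither `--max-time` nor `-f`, so a hung backend holds the probe until the probe's `timeoutSeconds` expires and a non-2xx error body is still fed to `jq`; `curl -sf --max-time 5 "$HEALTHCHECK_URL"` bounds both. The script also depends on `nc` and `jq` being present in the `onap/sdc-frontend` image, which nothing in the chart verifies.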
@@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/kubernetes/sdc/components/sdc-fe/templates/configmap.yaml b/kubernetes/sdc/components/sdc-fe/templates/configmap.yaml index 948a3fee99..1d4243e6fa 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/configmap.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/configmap.yaml @@ -40,3 +40,12 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/plugins/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-readiness-liveness-probe + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: +{{ tpl (.Files.Glob "resources/config/readyProbe/*").AsConfig . | indent 2 }} diff --git a/kubernetes/sdc/components/sdc-fe/values.yaml b/kubernetes/sdc/components/sdc-fe/values.yaml index 5745f06be2..72c048cd48 100644 --- a/kubernetes/sdc/components/sdc-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-fe/values.yaml 
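Review bot: in autoscaling.yaml, when both `targetCPUUtilizationPercentage` and `targetMemoryUtilizationPercentage` are unset the template still emits the `metrics:` key with no entries, and the HPA silently falls back to the API default of 80% average CPU; either guard the whole `metrics:` key with the same conditions or `required` at least one target so a misconfigured values file fails at render time rather than scaling on a default nobody chose.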
@@ -23,7 +23,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/sdc-frontend:1.13.6 +image: onap/sdc-frontend:1.13.9 pullPolicy: Always config: @@ -57,7 +57,7 @@ affinity: {} liveness: initialDelaySeconds: 1 periodSeconds: 10 - timeoutSeconds: 15 + timeoutSeconds: 30 successThreshold: 1 failureThreshold: 3 # necessary to disable liveness probe when setting breakpoints @@ -67,7 +67,7 @@ liveness: readiness: initialDelaySeconds: 1 periodSeconds: 10 - timeoutSeconds: 15 + timeoutSeconds: 30 successThreshold: 1 failureThreshold: 3 @@ -146,3 +146,21 @@ serviceAccount: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 75 + +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + +# the minimum number of seconds that a newly created Pod should be ready +minReadySeconds: 30 +updateStrategy: + type: RollingUpdate + # The number of pods that can be unavailable during the update process + maxUnavailable: 0 + # The number of pods that can be created above the desired amount of pods during an update + maxSurge: 1 diff --git a/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml b/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml index 0e998b7765..a41f386b8d 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP Service Design and Creation Onboarding API name: sdc-onboarding-be -version: 13.0.0 +version: 13.0.3 dependencies: - name: repositoryGenerator diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/logging/logback.xml b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/logging/logback.xml index ee22ff2cfd..dad7ce5e85 100644 
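Review bot: raising `timeoutSeconds` to 30 for both probes while `periodSeconds` stays at 10 means a single stalled probe can take longer than three scheduling periods to count as one failure, so with `failureThreshold: 3` an unresponsive pod can take up to 3 x 30 s to be acted on; if the intent is to tolerate slow health-check responses, bound the probe script's `curl` with `--max-time` and keep the timeout below the period. Also, `autoscaling.enabled: true` with `maxReplicas: 3` changes the behaviour of existing installs and deserves a line in the commit message.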
--- a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/logging/logback.xml +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/logging/logback.xml @@ -1,223 +1,223 @@ -<?xml version="1.0" encoding="utf-8"?>
-<!--
-# Copyright © 2018 Amdocs, Bell Canada, AT&T, ZTE
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
--->
-<configuration scan="true" scanPeriod="3 seconds">
- <property name="logDir" value="/var/log/onap"/>
- <property name="componentName" scope="system" value="sdc"/>
- <property name="subComponentName" scope="system" value="sdc-onboarding-be"/>
- <property name="logDirectory" value="${logDir}/${componentName}/${subComponentName}"/>
- <property file="${config.home}/catalog-be/configuration.yaml"/>
- <property name="enable-all-log" scope="context" value="false"/>
- <!-- log file names -->
- <property name="errorLogName" value="error"/>
- <property name="metricsLogName" value="metrics"/>
- <property name="auditLogName" value="audit"/>
- <property name="debugLogName" value="debug"/>
- <property name="transactionLogName" value="transaction"/>
- <property name="allLogName" value="all"/>
- <property name="queueSize" value="256"/>
- <property name="maxFileSize" value="50MB"/>
- <property name="maxHistory" value="30"/>
- <property name="totalSizeCap" value="10GB"/>
- <property name="pattern"
- value="%d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX", UTC}\t[%thread]\t%-5level\t%logger{36}\t%replace(%replace(%replace(%mdc){'\t','\\\\t'}){', ','\t'}){'\n', '\\\\n'}\t%replace(%replace(%msg){'\n', '\\\\n'}){'\t','\\\\t'}%n"/>
-
- <!-- STDOUT -->
- <appender class="ch.qos.logback.core.ConsoleAppender" name="STDOUT">
- <encoder>
- <pattern>${pattern}</pattern>
- </encoder>
- </appender>
-
- <!-- STDERR -->
- <appender class="ch.qos.logback.core.ConsoleAppender" name="STDERR">
- <filter class="ch.qos.logback.classic.filter.LevelFilter">
- <level>ERROR</level>
- <onMatch>ACCEPT</onMatch>
- <onMismatch>DENY</onMismatch>
- </filter>
- <encoder>
- <pattern>"%d [%thread] %-5level %logger{1024} - %msg%n"</pattern>
- </encoder>
- </appender>
-
- <!-- All log -->
- <if condition='property("enable-all-log").equalsIgnoreCase("true")'>
- <then>
- <appender class="ch.qos.logback.core.rolling.RollingFileAppender" name="ALL_ROLLING">
- <file>${logDirectory}/${allLogName}.log</file>
- <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${logDirectory}/${allLogName}.%d{yyyy-MM-dd}.%i.log</fileNamePattern>
- <timeBasedFileNamingAndTriggeringPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP">
- <maxFileSize>${maxFileSize}</maxFileSize>
- </timeBasedFileNamingAndTriggeringPolicy>
- <maxHistory>${maxHistory}</maxHistory>
- <totalSizeCap>${totalSizeCap}</totalSizeCap>
- </rollingPolicy>
- <encoder>
- <pattern>${pattern}</pattern>
- </encoder>
- </appender>
- <appender class="ch.qos.logback.classic.AsyncAppender" name="ASYNC_ALL">
- <appender-ref ref="ALL_ROLLING"/>
- </appender>
- </then>
- </if>
- <!-- Error log -->
- <appender class="ch.qos.logback.core.rolling.RollingFileAppender" name="ERROR_ROLLING">
- <file>${logDirectory}/${errorLogName}.log</file>
- <!-- Audit messages filter - deny audit messages -->
- <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
- <evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator">
- <marker>AUDIT_MARKER</marker>
- </evaluator>
- <onMismatch>NEUTRAL</onMismatch>
- <onMatch>DENY</onMatch>
- </filter>
- <!-- Transaction messages filter - deny Transaction messages -->
- <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
- <evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator">
- <marker>TRANSACTION_MARKER</marker>
- </evaluator>
- <onMismatch>NEUTRAL</onMismatch>
- <onMatch>DENY</onMatch>
- </filter>
- <!-- deny all events with a level below INFO, that is TRACE and DEBUG -->
- <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
- <level>INFO</level>
- </filter>
- <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${logDirectory}/${errorLogName}.%d{yyyy-MM-dd}.%i.log</fileNamePattern>
- <timeBasedFileNamingAndTriggeringPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP">
- <maxFileSize>${maxFileSize}</maxFileSize>
- </timeBasedFileNamingAndTriggeringPolicy>
- <maxHistory>${maxHistory}</maxHistory>
- <totalSizeCap>${totalSizeCap}</totalSizeCap>
- </rollingPolicy>
- <encoder>
- <pattern>${pattern}</pattern>
- </encoder>
- </appender>
- <!-- Debug log -->
- <appender class="ch.qos.logback.core.rolling.RollingFileAppender" name="DEBUG_ROLLING">
- <file>${logDirectory}/${debugLogName}.log</file>
- <!-- No need to deny audit messages - they are INFO only, will be denied anyway -->
- <!-- Transaction messages filter - deny Transaction messages, there are some DEBUG level messages among them -->
- <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
- <evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator">
- <marker>TRANSACTION_MARKER</marker>
- </evaluator>
- <onMismatch>NEUTRAL</onMismatch>
- <onMatch>DENY</onMatch>
- </filter>
- <!-- accept DEBUG and TRACE level -->
- <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
- <evaluator class="ch.qos.logback.classic.boolex.GEventEvaluator">
- <expression>e.level.toInt() <= DEBUG.toInt()</expression>
- </evaluator>
- <OnMismatch>DENY</OnMismatch>
- <OnMatch>NEUTRAL</OnMatch>
- </filter>
- <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.%i.log</fileNamePattern>
- <timeBasedFileNamingAndTriggeringPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP">
- <maxFileSize>${maxFileSize}</maxFileSize>
- </timeBasedFileNamingAndTriggeringPolicy>
- <maxHistory>${maxHistory}</maxHistory>
- <totalSizeCap>${totalSizeCap}</totalSizeCap>
- </rollingPolicy>
- <encoder>
- <pattern>${pattern}</pattern>
- </encoder>
- </appender>
- <!-- Audit log -->
- <appender class="ch.qos.logback.core.rolling.RollingFileAppender" name="AUDIT_ROLLING">
- <file>${logDirectory}/${auditLogName}.log</file>
- <!-- Audit messages filter - accept audit messages -->
- <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
- <evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator">
- <marker>AUDIT_MARKER</marker>
- </evaluator>
- <onMismatch>DENY</onMismatch>
- <onMatch>ACCEPT</onMatch>
- </filter>
- <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.%i.log</fileNamePattern>
- <timeBasedFileNamingAndTriggeringPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP">
- <maxFileSize>${maxFileSize}</maxFileSize>
- </timeBasedFileNamingAndTriggeringPolicy>
- <maxHistory>${maxHistory}</maxHistory>
- <totalSizeCap>${totalSizeCap}</totalSizeCap>
- </rollingPolicy>
- <encoder>
- <pattern>${pattern}</pattern>
- </encoder>
- </appender>
- <!-- SdncTransaction log -->
- <appender class="ch.qos.logback.core.rolling.RollingFileAppender" name="TRANSACTION_ROLLING">
- <file>${logDirectory}/${transactionLogName}.log</file>
- <!-- Transaction messages filter - accept audit messages -->
- <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
- <evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator">
- <marker>TRANSACTION_MARKER</marker>
- </evaluator>
- <onMismatch>DENY</onMismatch>
- <onMatch>ACCEPT</onMatch>
- </filter>
- <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${logDirectory}/${transactionLogName}.%d{yyyy-MM-dd}.%i.log</fileNamePattern>
- <timeBasedFileNamingAndTriggeringPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP">
- <maxFileSize>${maxFileSize}</maxFileSize>
- </timeBasedFileNamingAndTriggeringPolicy>
- <maxHistory>${maxHistory}</maxHistory>
- <totalSizeCap>${totalSizeCap}</totalSizeCap>
- </rollingPolicy>
- <encoder>
- <pattern>${pattern}</pattern>
- </encoder>
- </appender>
- <!-- Asynchronicity Configurations -->
- <appender class="ch.qos.logback.classic.AsyncAppender" name="ASYNC_DEBUG">
- <queueSize>${queueSize}</queueSize>
- <appender-ref ref="DEBUG_ROLLING"/>
- </appender>
- <appender class="ch.qos.logback.classic.AsyncAppender" name="ASYNC_TRANSACTION">
- <queueSize>${queueSize}</queueSize>
- <appender-ref ref="TRANSACTION_ROLLING"/>
- </appender>
- <appender class="ch.qos.logback.classic.AsyncAppender" name="ASYNC_ERROR">
- <queueSize>${queueSize}</queueSize>
- <appender-ref ref="ERROR_ROLLING"/>
- </appender>
- <appender class="ch.qos.logback.classic.AsyncAppender" name="ASYNC_AUDIT">
- <queueSize>${queueSize}</queueSize>
- <appender-ref ref="AUDIT_ROLLING"/>
- </appender>
- <root level="INFO">
- <appender-ref ref="ASYNC_ERROR"/>
- <appender-ref ref="ASYNC_DEBUG"/>
- <appender-ref ref="ASYNC_AUDIT"/>
- <appender-ref ref="ASYNC_TRANSACTION"/>
- <if condition='property("enable-all-log").equalsIgnoreCase("true")'>
- <then>
- <appender-ref ref="ALL_ROLLING"/>
- </then>
- </if>
- <appender-ref ref="STDOUT"/>
- <appender-ref ref="STDERR"/>
- </root>
- <logger level="INFO" name="org.openecomp.sdc"/>
-</configuration>
+<?xml version="1.0" encoding="utf-8"?> +<!-- +# Copyright © 2018 Amdocs, Bell Canada, AT&T, ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--> +<configuration scan="true" scanPeriod="3 seconds"> + <property name="logDir" value="/var/log/onap"/> + <property name="componentName" scope="system" value="sdc"/> + <property name="subComponentName" scope="system" value="sdc-onboarding-be"/> + <property name="logDirectory" value="${logDir}/${componentName}/${subComponentName}"/> + <property file="${config.home}/catalog-be/configuration.yaml"/> + <property name="enable-all-log" scope="context" value="false"/> + <!-- log file names --> + <property name="errorLogName" value="error"/> + <property name="metricsLogName" value="metrics"/> + <property name="auditLogName" value="audit"/> + <property name="debugLogName" value="debug"/> + <property name="transactionLogName" value="transaction"/> + <property name="allLogName" value="all"/> + <property name="queueSize" value="256"/> + <property name="maxFileSize" value="50MB"/> + <property name="maxHistory" value="30"/> + <property name="totalSizeCap" value="10GB"/> + <property name="pattern" + value="%d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX", UTC}\t[%thread]\t%-5level\t%logger{36}\t%replace(%replace(%replace(%mdc){'\t','\\\\t'}){', ','\t'}){'\n', '\\\\n'}\t%replace(%replace(%msg){'\n', '\\\\n'}){'\t','\\\\t'}%n"/> + + <!-- STDOUT --> + <appender class="ch.qos.logback.core.ConsoleAppender" name="STDOUT"> + <encoder> + 
<pattern>${pattern}</pattern> + </encoder> + </appender> + + <!-- STDERR --> + <appender class="ch.qos.logback.core.ConsoleAppender" name="STDERR"> + <filter class="ch.qos.logback.classic.filter.LevelFilter"> + <level>ERROR</level> + <onMatch>ACCEPT</onMatch> + <onMismatch>DENY</onMismatch> + </filter> + <encoder> + <pattern>"%d [%thread] %-5level %logger{1024} - %msg%n"</pattern> + </encoder> + </appender> + + <!-- All log --> + <if condition='property("enable-all-log").equalsIgnoreCase("true")'> + <then> + <appender class="ch.qos.logback.core.rolling.RollingFileAppender" name="ALL_ROLLING"> + <file>${logDirectory}/${allLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${allLogName}.%d{yyyy-MM-dd}.%i.log</fileNamePattern> + <timeBasedFileNamingAndTriggeringPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP"> + <maxFileSize>${maxFileSize}</maxFileSize> + </timeBasedFileNamingAndTriggeringPolicy> + <maxHistory>${maxHistory}</maxHistory> + <totalSizeCap>${totalSizeCap}</totalSizeCap> + </rollingPolicy> + <encoder> + <pattern>${pattern}</pattern> + </encoder> + </appender> + <appender class="ch.qos.logback.classic.AsyncAppender" name="ASYNC_ALL"> + <appender-ref ref="ALL_ROLLING"/> + </appender> + </then> + </if> + <!-- Error log --> + <appender class="ch.qos.logback.core.rolling.RollingFileAppender" name="ERROR_ROLLING"> + <file>${logDirectory}/${errorLogName}.log</file> + <!-- Audit messages filter - deny audit messages --> + <filter class="ch.qos.logback.core.filter.EvaluatorFilter"> + <evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator"> + <marker>AUDIT_MARKER</marker> + </evaluator> + <onMismatch>NEUTRAL</onMismatch> + <onMatch>DENY</onMatch> + </filter> + <!-- Transaction messages filter - deny Transaction messages --> + <filter class="ch.qos.logback.core.filter.EvaluatorFilter"> + <evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator"> + 
<marker>TRANSACTION_MARKER</marker> + </evaluator> + <onMismatch>NEUTRAL</onMismatch> + <onMatch>DENY</onMatch> + </filter> + <!-- deny all events with a level below INFO, that is TRACE and DEBUG --> + <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> + <level>INFO</level> + </filter> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${errorLogName}.%d{yyyy-MM-dd}.%i.log</fileNamePattern> + <timeBasedFileNamingAndTriggeringPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP"> + <maxFileSize>${maxFileSize}</maxFileSize> + </timeBasedFileNamingAndTriggeringPolicy> + <maxHistory>${maxHistory}</maxHistory> + <totalSizeCap>${totalSizeCap}</totalSizeCap> + </rollingPolicy> + <encoder> + <pattern>${pattern}</pattern> + </encoder> + </appender> + <!-- Debug log --> + <appender class="ch.qos.logback.core.rolling.RollingFileAppender" name="DEBUG_ROLLING"> + <file>${logDirectory}/${debugLogName}.log</file> + <!-- No need to deny audit messages - they are INFO only, will be denied anyway --> + <!-- Transaction messages filter - deny Transaction messages, there are some DEBUG level messages among them --> + <filter class="ch.qos.logback.core.filter.EvaluatorFilter"> + <evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator"> + <marker>TRANSACTION_MARKER</marker> + </evaluator> + <onMismatch>NEUTRAL</onMismatch> + <onMatch>DENY</onMatch> + </filter> + <!-- accept DEBUG and TRACE level --> + <filter class="ch.qos.logback.core.filter.EvaluatorFilter"> + <evaluator class="ch.qos.logback.classic.boolex.GEventEvaluator"> + <expression>e.level.toInt() <= DEBUG.toInt()</expression> + </evaluator> + <OnMismatch>DENY</OnMismatch> + <OnMatch>NEUTRAL</OnMatch> + </filter> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.%i.log</fileNamePattern> + <timeBasedFileNamingAndTriggeringPolicy 
class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP"> + <maxFileSize>${maxFileSize}</maxFileSize> + </timeBasedFileNamingAndTriggeringPolicy> + <maxHistory>${maxHistory}</maxHistory> + <totalSizeCap>${totalSizeCap}</totalSizeCap> + </rollingPolicy> + <encoder> + <pattern>${pattern}</pattern> + </encoder> + </appender> + <!-- Audit log --> + <appender class="ch.qos.logback.core.rolling.RollingFileAppender" name="AUDIT_ROLLING"> + <file>${logDirectory}/${auditLogName}.log</file> + <!-- Audit messages filter - accept audit messages --> + <filter class="ch.qos.logback.core.filter.EvaluatorFilter"> + <evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator"> + <marker>AUDIT_MARKER</marker> + </evaluator> + <onMismatch>DENY</onMismatch> + <onMatch>ACCEPT</onMatch> + </filter> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.%i.log</fileNamePattern> + <timeBasedFileNamingAndTriggeringPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP"> + <maxFileSize>${maxFileSize}</maxFileSize> + </timeBasedFileNamingAndTriggeringPolicy> + <maxHistory>${maxHistory}</maxHistory> + <totalSizeCap>${totalSizeCap}</totalSizeCap> + </rollingPolicy> + <encoder> + <pattern>${pattern}</pattern> + </encoder> + </appender> + <!-- SdncTransaction log --> + <appender class="ch.qos.logback.core.rolling.RollingFileAppender" name="TRANSACTION_ROLLING"> + <file>${logDirectory}/${transactionLogName}.log</file> + <!-- Transaction messages filter - accept audit messages --> + <filter class="ch.qos.logback.core.filter.EvaluatorFilter"> + <evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator"> + <marker>TRANSACTION_MARKER</marker> + </evaluator> + <onMismatch>DENY</onMismatch> + <onMatch>ACCEPT</onMatch> + </filter> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + 
<fileNamePattern>${logDirectory}/${transactionLogName}.%d{yyyy-MM-dd}.%i.log</fileNamePattern> + <timeBasedFileNamingAndTriggeringPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP"> + <maxFileSize>${maxFileSize}</maxFileSize> + </timeBasedFileNamingAndTriggeringPolicy> + <maxHistory>${maxHistory}</maxHistory> + <totalSizeCap>${totalSizeCap}</totalSizeCap> + </rollingPolicy> + <encoder> + <pattern>${pattern}</pattern> + </encoder> + </appender> + <!-- Asynchronicity Configurations --> + <appender class="ch.qos.logback.classic.AsyncAppender" name="ASYNC_DEBUG"> + <queueSize>${queueSize}</queueSize> + <appender-ref ref="DEBUG_ROLLING"/> + </appender> + <appender class="ch.qos.logback.classic.AsyncAppender" name="ASYNC_TRANSACTION"> + <queueSize>${queueSize}</queueSize> + <appender-ref ref="TRANSACTION_ROLLING"/> + </appender> + <appender class="ch.qos.logback.classic.AsyncAppender" name="ASYNC_ERROR"> + <queueSize>${queueSize}</queueSize> + <appender-ref ref="ERROR_ROLLING"/> + </appender> + <appender class="ch.qos.logback.classic.AsyncAppender" name="ASYNC_AUDIT"> + <queueSize>${queueSize}</queueSize> + <appender-ref ref="AUDIT_ROLLING"/> + </appender> + <root level="INFO"> + <appender-ref ref="ASYNC_ERROR"/> + <appender-ref ref="ASYNC_DEBUG"/> + <appender-ref ref="ASYNC_AUDIT"/> + <appender-ref ref="ASYNC_TRANSACTION"/> + <if condition='property("enable-all-log").equalsIgnoreCase("true")'> + <then> + <appender-ref ref="ALL_ROLLING"/> + </then> + </if> + <appender-ref ref="STDOUT"/> + <appender-ref ref="STDERR"/> + </root> + <logger level="INFO" name="org.openecomp.sdc"/> +</configuration> diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/config-helmvalidator.yaml b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/config-helmvalidator.yaml new file mode 100644 index 0000000000..fe132179ee --- /dev/null 
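Review bot: this hunk replaces all 223 lines of the onboarding-be logback.xml with 223 lines that, as far as the diff shows, are character-for-character identical, so the change is line endings or trailing whitespace; normalize that in a separate commit (or via a `.gitattributes` rule) so the review diff for this change shows only functional edits. Two pre-existing points survive into the new copy and are worth a follow-up: `<property file="${config.home}/catalog-be/configuration.yaml"/>` makes the onboarding-be logging config read the catalog-be configuration file, and, as rendered here, the `pattern` property embeds `"` inside a double-quoted attribute and the `GEventEvaluator` expression uses a bare `<=`, both of which are well-formed XML only if the real file escapes them as `&quot;` and `&lt;`.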
+++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/config-helmvalidator.yaml @@ -0,0 +1,6 @@ +hValidatorEnabled: {{ .Values.sdcHelmValidator.enabled }} +hValidatorUrl: {{ .Values.sdcHelmValidator.url }} +hValidatorVersion: {{ .Values.sdcHelmValidator.helmVersion }} +hValidatorDeployable: {{ .Values.sdcHelmValidator.deployable }} +hValidatorLintable: {{ .Values.sdcHelmValidator.lintable }} +hValidatorStrictLintable: {{ .Values.sdcHelmValidator.strictLintable }} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/config-vnfrepo.yaml b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/config-vnfrepo.yaml new file mode 100644 index 0000000000..8b8bdec476 --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/config-vnfrepo.yaml @@ -0,0 +1,4 @@ +vnfRepoPort: {{ .Values.VnfRepo.vnfRepoPort }} +vnfRepoHost: refrepo.{{include "common.namespace" .}} +getVnfUri: /onapapi/vnfsdk-marketplace/v1/PackageResource/csars +downloadVnfUri: /onapapi/vnfsdk-marketplace/v1/PackageResource/csars/%s/files/app/jetty/config/onboarding-be diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/externaltesting-configuration.yaml b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/externaltesting-configuration.yaml new file mode 100644 index 0000000000..a617f13968 --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/externaltesting-configuration.yaml @@ -0,0 +1,5 @@ +client: + enabled: true +endpoints: + - {{ .Values.EXTTEST.ep1_config }} + - {{ .Values.EXTTEST.ep2_config }} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/features.properties b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/features.properties new file mode 100644 index 0000000000..54c4dea02b 
--- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/features.properties @@ -0,0 +1 @@ +EXTERNAL_LICENSE=true diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/onboarding_configuration.yaml b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/onboarding_configuration.yaml new file mode 100644 index 0000000000..665d891c83 --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/onboarding_configuration.yaml 
@@ -0,0 +1,72 @@ +catalogNotificationsConfig: + # catalog backend protocol + catalogBeProtocol: {{ if .Values.global.disableHttp }}https{{- else }}http{{- end }} + catalogBeHttpPort: {{ (.Values.global.BE).http_port }} + catalogBeSslPort: {{ (.Values.global.BE).https_port }} + catalogBeFqdn: sdc-be.{{ include "common.namespace" . }} + # do not remove the "" from catalog_notification_url. it is escaping % characters coming from AUTO.json + catalogNotificationUrl: {{ .Values.ONBOARDING_BE.catalog_notification_url | quote }} + +notifications: + pollingIntervalMsec: 2000 + selectionSize: 100 + beHost: sdc-onboarding-be.{{ include "common.namespace" . }} + beHttpPort: {{ .Values.ONBOARDING_BE.http_port }} + +cassandraConfig: + cassandraHosts: [ {{ .Values.global.sdc_cassandra.serviceName }}.{{ include "common.namespace" . }} ] + cassandraPort: {{ .Values.cassandra.cassandra_port }} + localDataCenter: {{ .Values.global.sdc_cassandra.dataCenter }} + reconnectTimeout: 30000 + socketReadTimeout: {{ .Values.cassandra.socket_read_timeout }} + socketConnectTimeout: {{ .Values.cassandra.socket_connect_timeout }} + authenticate: true + username: {{ .Values.cassandra.cassandra_user }} + password: {{ .Values.cassandra.cassandra_password }} + ssl: {{ .Values.config.cassandraSslEnabled }} + truststorePath: {{ .Values.JETTY_BASE }}/etc/truststore + truststorePassword: {{ .Values.cassandra.truststore_password }} + +authCookie: + securityKey: MlB1WHFpSHNVTWdJZU1PcQ== + maxSessionTimeOut: 86400000 + sessionIdleTimeOut: 3600000 + cookieName: "AuthenticationCookie" + path: / + domain: "" + isHttpOnly: true + # redirect variable name from portal.properties file + redirectURL: "redirect_url" + excludedUrls: [ '/.*' ] + onboardingExcludedUrls: [ '/.*' ] + +basicAuth: + enabled: {{ .Values.basic_auth.enabled }} + userName: {{ .Values.basic_auth.user_name }} + userPass: {{ .Values.basic_auth.user_pass }} + excludedUrls: "/v1.0/healthcheck" + +zipValidation: + ignoreManifest: false + 
+externalCsarStore: + storageType: NONE # NONE, MINIO + endpoint: + host: 127.0.0.1 + port: 9000 + secure: false + credentials: + accessKey: "login" + secretKey: "password" + foldersToStrip: + - Files/images + sizeLimit: 10000000 + thresholdEntries: 10000 + tempPath: "/home/onap/temp/" + uploadPartSize: 200000000 + +#Space separated list of permitted ancestors +permittedAncestors: {{ .Values.permittedAncestors | join " " }} + +# Comma separated list of excluded URLs by the DataValidatorFilter +dataValidatorFilterExcludedUrls: "/healthCheck,/followed,/authorize" diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/ready-probe.sh b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/ready-probe.sh new file mode 100644 index 0000000000..54ed6960df --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/ready-probe.sh @@ -0,0 +1,8 @@ +#!/bin/sh +health_check_http_code=$(curl -k --max-time 5 -o /dev/null -w '%{http_code}' -X GET --header "Accept: application/json" "{{ if .Values.global.disableHttp }}https://127.0.0.1:{{ .Values.ONBOARDING_BE.https_port }}{{- else -}}http://127.0.0.1:{{ .Values.ONBOARDING_BE.http_port }}{{- end -}}/onboarding-api/v1.0/healthcheck") +if [ "$health_check_http_code" -eq 200 ]; then + exit 0 +else + echo "Health check http status: $health_check_http_code" + exit 1 +fi diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/http.ini b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/http.ini new file mode 100644 index 0000000000..e4e66c5387 --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/http.ini 
@@ -0,0 +1,29 @@ +# Module: http +--module=http + +### HTTP Connector Configuration + +## Connector host/address to bind to +# jetty.http.host=0.0.0.0 + +## Connector port to listen on +#jetty.http.port=8081 +jetty.http.port= {{ .Values.ONBOARDING_BE.http_port }} + +## Connector idle timeout in milliseconds +jetty.http.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.http.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.http.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.http.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.http.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.http.acceptorPriorityDelta=0 diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/https.ini b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/https.ini new file mode 100644 index 0000000000..ec92157dd2 --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/https.ini 
@@ -0,0 +1,31 @@ +# --------------------------------------- +# Module: https +--module=https + +### HTTPS Connector Configuration + +## Connector host/address to bind to +# jetty.https.host=0.0.0.0 + +## Connector port to listen on + +#jetty.https.port=8445 +jetty.https.port= {{ .Values.ONBOARDING_BE.https_port }} + +## Connector idle timeout in milliseconds +jetty.https.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.https.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.https.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.https.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.https.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.https.acceptorPriorityDelta=0 diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/ssl.ini b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/ssl.ini new file mode 100644 index 0000000000..70ceffb631 --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/ssl.ini 
@@ -0,0 +1,98 @@ +# --------------------------------------- +# Module: ssl +--module=ssl + +### TLS(SSL) Connector Configuration + +## Connector host/address to bind to +# jetty.ssl.host=0.0.0.0 + +## Connector port to listen on + +#jetty.ssl.port=8445 +jetty.ssl.port = {{ .Values.ONBOARDING_BE.https_port }} + +## Connector idle timeout in milliseconds +# jetty.ssl.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.ssl.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.ssl.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.ssl.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.ssl.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.ssl.acceptorPriorityDelta=0 + +## Whether request host names are checked to match any SNI names +# jetty.ssl.sniHostCheck=true + +## max age in seconds for a Strict-Transport-Security response header (default -1) +# jetty.ssl.stsMaxAgeSeconds=31536000 + +## include subdomain property in any Strict-Transport-Security header (default false) +# jetty.ssl.stsIncludeSubdomains=true + +### SslContextFactory Configuration +## Note that OBF passwords are not secure, just protected from casual observation +## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html + +## Keystore file path (relative to $jetty.base) +jetty.sslContext.keyStorePath=etc/org.onap.sdc.p12 + +## Truststore file path (relative to $jetty.base) +jetty.sslContext.trustStorePath=etc/org.onap.sdc.trust.jks + +## Keystore password +# jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 + +#jetty.sslContext.keyStorePassword=?(kP!Yur![*!Y5!E^f(ZKc31 +jetty.sslContext.keyStorePassword= {{ .Values.jetty.keyStorePassword }} + +## Keystore type and provider +# jetty.sslContext.keyStoreType=JKS +# jetty.sslContext.keyStoreProvider= + +## 
KeyManager password +# jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g + +#jetty.sslContext.keyManagerPassword=?(kP!Yur![*!Y5!E^f(ZKc31 +jetty.sslContext.keyManagerPassword= {{ .Values.jetty.keyManagerPassword }} + +## Truststore password +# jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 + +#jetty.sslContext.trustStorePassword=z+KEj;t+,KN^iimSiS89e#p0 +jetty.sslContext.trustStorePassword= {{ .Values.jetty.trustStorePassword }} + +## Truststore type and provider +# jetty.sslContext.trustStoreType=JKS +# jetty.sslContext.trustStoreProvider= + +## whether client certificate authentication is required +# jetty.sslContext.needClientAuth=false + +## Whether client certificate authentication is desired +# jetty.sslContext.wantClientAuth=false + +## Whether cipher order is significant (since java 8 only) +# jetty.sslContext.useCipherSuitesOrder=true + +## To configure Includes / Excludes for Cipher Suites or Protocols see tweak-ssl.xml example at +## https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites + +## Set the size of the SslSession cache +# jetty.sslContext.sslSessionCacheSize=-1 + +## Set the timeout (in seconds) of the SslSession cache timeout +# jetty.sslContext.sslSessionTimeout=-1 + +## Allow SSL renegotiation +# jetty.sslContext.renegotiationAllowed=true +# jetty.sslContext.renegotiationLimit=5 diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/autoscaling.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/autoscaling.yaml new file mode 100644 index 0000000000..b7f265319b --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/autoscaling.yaml 
@@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/configmap.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/configmap.yaml index aa632f33f4..06e6b79956 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/configmap.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/configmap.yaml 
@@ -27,3 +27,68 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/logging/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-onboarding-be-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/onboarding-config/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-http-04-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/start.d/http.ini").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-https-04-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/start.d/https.ini").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-ssl-04-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/start.d/ssl.ini").AsConfig . 
| indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-ready-probe-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/ready-probe.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml index 24715bcaec..744869736c 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml @@ -21,7 +21,16 @@ kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + minReadySeconds: {{ .Values.minReadySeconds }} + strategy: + type: {{ .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: 
@@ -104,13 +113,38 @@ spec: - name: SDC_CERT_DIR value: "" volumeMounts: - - name: sdc-environments - mountPath: /app/jetty/chef-solo/environments/ - name: logs mountPath: /var/log/onap - name: logback mountPath: /tmp/logback.xml subPath: logback.xml + - name: onboarding-conf + mountPath: /app/jetty/config/onboarding-be/config-vnfrepo.yaml + subPath: config-vnfrepo.yaml + - name: onboarding-conf + mountPath: /app/jetty/config/onboarding-be/onboarding_configuration.yaml + subPath: onboarding_configuration.yaml + - name: onboarding-conf + mountPath: /app/jetty/config/onboarding-be/config-helmvalidator.yaml + subPath: config-helmvalidator.yaml + - name: onboarding-conf + mountPath: /app/jetty/config/onboarding-be/externaltesting-configuration.yaml + subPath: externaltesting-configuration.yaml + - name: onboarding-conf + mountPath: /app/jetty/config/onboarding-be/features.properties + subPath: features.properties + - name: http-config + mountPath: /app/jetty/start.d/http.ini + subPath: http.ini + - name: https-config + mountPath: /app/jetty/start.d/https.ini + subPath: https.ini + - name: ssl-config + mountPath: /app/jetty/start.d/ssl.ini + subPath: ssl.ini + - name: ready-probe-config + mountPath: /app/jetty/ready-probe.sh + subPath: ready-probe.sh lifecycle: postStart: exec: 
@@ -123,10 +157,27 @@ spec: - name: logback configMap: name : {{ include "common.fullname" . }}-logging-configmap - - name: sdc-environments + - name: onboarding-conf configMap: - name: {{ include "common.release" . }}-sdc-environments-configmap + name: {{ include "common.release" . }}-sdc-onboarding-be-configmap + defaultMode: 0755 + - name: http-config + configMap: + name: {{ include "common.release" . }}-sdc-http-04-configmap + defaultMode: 0755 + - name: https-config + configMap: + name: {{ include "common.release" . }}-sdc-https-04-configmap + defaultMode: 0755 + - name: ssl-config + configMap: + name: {{ include "common.release" . }}-sdc-ssl-04-configmap + defaultMode: 0755 + - name: ready-probe-config + configMap: + name: {{ include "common.release" . }}-sdc-ready-probe-configmap defaultMode: 0755 - name: logs emptyDir: {} {{- include "common.imagePullSecrets" . | nindent 6 }} + diff --git a/kubernetes/policy/resources/config/db_migrator_policy_init.sh b/kubernetes/sdc/components/sdc-onboarding-be/templates/servicemonitor.yaml index a1d8fd89ea..937f5ef974 100644 --- a/kubernetes/policy/resources/config/db_migrator_policy_init.sh +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/servicemonitor.yaml @@ -1,6 +1,5 @@ -#!/bin/sh {{/* -# Copyright (C) 2021, 2024 Nordix Foundation. +# Copyright © 2024 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,20 +14,6 @@ # limitations under the License. */}} -for schema in ${SQL_DB}; do - echo "Initializing $schema..." - /opt/app/policy/bin/prepare_upgrade.sh ${schema} - - /opt/app/policy/bin/db-migrator -s ${schema} -o report - - /opt/app/policy/bin/db-migrator -s ${schema} -o upgrade - rc=$? - - /opt/app/policy/bin/db-migrator -s ${schema} -o report - - if [ "$rc" != 0 ]; then - break - fi -done - -exit $rc
\ No newline at end of file +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml index a55565676c..07e3bead35 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml @@ -35,8 +35,8 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/sdc-onboard-backend:1.13.6 -onboardingInitImage: onap/sdc-onboard-cassandra-init:1.13.6 +image: onap/sdc-onboard-backend:1.13.9 +onboardingInitImage: onap/sdc-onboard-cassandra-init:1.13.9 pullPolicy: Always # flag to enable debugging - application support required 
@@ -159,3 +159,79 @@ wait_for_job_container: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +################################################################# +# Settings from Default.rb +################################################################# +ONBOARDING_BE: + http_port: 8081 + https_port: 8445 + catalog_notification_url: "%s://%s:%s/sdc2/rest/v1/catalog/notif/vsp/" +FE: + http_port: 8181 + https_port: 9443 +disableHttp: true +cassandra: + truststore_password: Aa123456 + cassandra_port: 9042 + datacenter_name: DC- + cluster_name: SDC-CS- + socket_read_timeout: 20000 + socket_connect_timeout: 20000 + janusgraph_connection_timeout: 10000 + cassandra_user: asdc_user + cassandra_password: Aa1234%^! +sdcHelmValidator: + enabled: true + helmVersion: 3.5.2 + deployable: true + lintable: false + strictLintable: false + url: http://sdc-helm-validator:8080/validate +VnfRepo: + vnfRepoPort: 8703 + vnfRepoHost: refrepo +jetty: + trustStorePassword: "z+KEj;t+,KN^iimSiS89e#p0" + keyManagerPassword: "?(kP!Yur![*!Y5!E^f(ZKc31" + keyStorePassword: "?(kP!Yur![*!Y5!E^f(ZKc31" +basic_auth: + enabled: true + user_name: testName + user_pass: testPass + excludedUrls: /v1.0/healthcheck + +EXTTEST: + ep1_config: vtp,VTP,true,http://refrepo:8702/onapapi/vnfsdk-marketplace,onap.* + ep2_config: repository,Repository,false,,.* + +#Addiding extra Envs +permittedAncestors: "" +JETTY_BASE: "/app/jetty" +http_option: http_option + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 75 + +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + +# the minimum number of seconds that a newly created Pod should be ready +minReadySeconds: 30 +updateStrategy: + type: RollingUpdate + # The number of pods that can be unavailable during the update process + maxUnavailable: 0 + # The number of pods that can be created above the desired amount of pods during an update + 
maxSurge: 1 + +metrics: + serviceMonitor: + enabled: true + targetPort: 8081 + path: /onboarding-api/v1.0/actuator/prometheus + basicAuth: + enabled: false diff --git a/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml b/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml index 8a1a8b34b9..ea2d0f2443 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP Service Design and Creation Workflow Designer backend name: sdc-wfd-be -version: 13.0.0 +version: 13.0.1 dependencies: - name: repositoryGenerator diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/autoscaling.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/autoscaling.yaml new file mode 100644 index 0000000000..b7f265319b --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/autoscaling.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml index 59ebb02675..cbbfe21a6d 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml @@ -21,7 +21,16 @@ kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + minReadySeconds: {{ .Values.minReadySeconds }} + strategy: + type: {{ .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: diff --git a/kubernetes/sdc/components/sdc-wfd-be/values.yaml b/kubernetes/sdc/components/sdc-wfd-be/values.yaml index cc85176748..4d39ce02d5 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/values.yaml @@ -153,3 +153,21 @@ serviceAccount: wait_for_job_container: containers: - '{{ include "common.name" . }}-job' + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 75 + +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + +# the minimum number of seconds that a newly created Pod should be ready +minReadySeconds: 30 +updateStrategy: + type: RollingUpdate + # The number of pods that can be unavailable during the update process + maxUnavailable: 0 + # The number of pods that can be created above the desired amount of pods during an update + maxSurge: 1 diff --git a/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml b/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml index 79ff34a906..6aeee841e1 100644 
--- a/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP Service Design and Creation Workflow Designer frontend name: sdc-wfd-fe -version: 13.0.0 +version: 13.0.1 dependencies: - name: repositoryGenerator diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/autoscaling.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/autoscaling.yaml new file mode 100644 index 0000000000..b7f265319b --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/autoscaling.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml index ad031dabf9..fcf1398d02 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml 
@@ -19,7 +19,16 @@ kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + minReadySeconds: {{ .Values.minReadySeconds }} + strategy: + type: {{ .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: diff --git a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml index e33cf4827d..e82e1d9a9b 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml @@ -138,3 +138,21 @@ serviceAccount: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 75 + +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + +# the minimum number of seconds that a newly created Pod should be ready +minReadySeconds: 30 +updateStrategy: + type: RollingUpdate + # The number of pods that can be unavailable during the update process + maxUnavailable: 0 + # The number of pods that can be created above the desired amount of pods during an update + maxSurge: 1 diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml index 9cfae6ac66..fb6da37cec 100644 --- a/kubernetes/sdc/values.yaml +++ b/kubernetes/sdc/values.yaml 
@@ -37,7 +37,7 @@ global: #serviceName: cassandra #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled #to match with its own cluster replica - #see "cassandra: replicaCount" in file sdc-cs/values.yaml) + #see "cassandra: replicaCount" in file sdc-cs/values.yaml replicaCount: 3 dbCache: true readConsistencyLevel: ONE @@ -49,6 +49,10 @@ global: #and cassandra 4.1.* must be "3.4.6" cqlVersion: "3.4.6" + BE: + http_port: 8080 + https_port: 8443 + centralizedLoggingEnabled: true # global Kafka config passed to sdc-be chart kafka: @@ -94,3 +98,26 @@ sdcHelmValidator: lintable: false strictLintable: false url: http://sdc-helm-validator:8080/validate + +ONBOARDING_BE: + http_port: 8081 + https_port: 8445 + catalog_notification_url: "%s://%s:%s/sdc2/rest/v1/catalog/notif/vsp/" +cassandra: + cassandra_port: 9042 + concurrent_reads: 32 + num_tokens: 256 + data_dir: /var/lib/cassandra/data + hinted_handoff_enabled: true + cassandra_user: asdc_user + cassandra_password: Aa1234%^! + concurrent_writes: 32 + multithreaded_compaction: false + cache_dir: "/var/lib/cassandra/saved_caches" + log_file: "/var/lib/cassandra/log/system.log" + phi_convict_threshold: 8 + commitlog_dir: "/var/lib/cassandra/commitlog" + socket_read_timeout: 20000 + socket_connect_timeout: 20000 + janusgraph_connection_timeout: 10000 + diff --git a/kubernetes/sdnc/Chart.yaml b/kubernetes/sdnc/Chart.yaml index 5916455c73..2e0aa6ed8b 100644 --- a/kubernetes/sdnc/Chart.yaml +++ b/kubernetes/sdnc/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: SDN Controller name: sdnc -version: 15.0.0 +version: 15.1.0 dependencies: - name: common @@ -35,7 +35,7 @@ dependencies: repository: '@local' condition: network-name-gen.enabled - name: dgbuilder - version: ~14.x-0 + version: ~15.x-0 repository: '@local' condition: dgbuilder.enabled - name: sdnc-prom 
@@ -52,15 +52,15 @@ dependencies: condition: sdnc.elasticsearch.enabled,elasticsearch.enabled # conditions for sdnc-subcharts - name: ueb-listener - version: ~14.x-0 + version: ~15.x-0 repository: '@local' condition: sdnc.ueb-listener.enabled,ueb-listener.enabled - name: sdnc-ansible-server - version: ~14.x-0 + version: ~15.x-0 repository: '@local' condition: sdnc.sdnc-ansible-server.enabled,sdnc-ansible-server.enabled - name: sdnc-web - version: ~14.x-0 + version: ~15.x-0 repository: '@local' condition: sdnc.sdnc-web.enabled,sdnc-web.enabled - name: repositoryGenerator diff --git a/kubernetes/sdnc/components/dgbuilder/Chart.yaml b/kubernetes/sdnc/components/dgbuilder/Chart.yaml index 517bc393e5..31089ad91e 100644 --- a/kubernetes/sdnc/components/dgbuilder/Chart.yaml +++ b/kubernetes/sdnc/components/dgbuilder/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: D.G. Builder application name: dgbuilder -version: 14.0.0 +version: 15.1.0 dependencies: - name: common @@ -28,4 +28,4 @@ dependencies: repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: '@local'
\ No newline at end of file + repository: '@local' diff --git a/kubernetes/sdnc/components/dgbuilder/resources/config/customSettings.js b/kubernetes/sdnc/components/dgbuilder/resources/config/customSettings.js index abaab57254..372a0ca4c9 100644 --- a/kubernetes/sdnc/components/dgbuilder/resources/config/customSettings.js +++ b/kubernetes/sdnc/components/dgbuilder/resources/config/customSettings.js @@ -35,7 +35,7 @@ module.exports={ "dbUser": "${DB_USER}", "dbPassword": "${DB_PASSWORD}", "gitLocalRepository": "", - "restConfUrl": "http://localhost:8181/restconf/operations/SLI-API:execute-graph", + "restConfUrl": "http://localhost:8181/rests/operations/SLI-API:execute-graph", "restConfUser": "${REST_CONF_USER}", "restConfPassword": "${REST_CONF_PASSWORD}", "formatXML": "Y", diff --git a/kubernetes/sdnc/components/dgbuilder/values.yaml b/kubernetes/sdnc/components/dgbuilder/values.yaml index d22b25e5b2..754c632d42 100644 --- a/kubernetes/sdnc/components/dgbuilder/values.yaml +++ b/kubernetes/sdnc/components/dgbuilder/values.yaml @@ -69,7 +69,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-dgbuilder-image:1.6.2 +image: onap/ccsdk-dgbuilder-image:2.0.1 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml index 12fbd85c15..a9abeef711 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: SDN-C Ansible Server name: sdnc-ansible-server -version: 14.0.0 +version: 15.1.0 dependencies: - name: common diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml index 13e7023808..19f0f79046 100644 
--- a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml @@ -51,7 +51,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/sdnc-ansible-server-image:2.6.1 +image: onap/sdnc-ansible-server-image:3.0.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh index c36d2e3e9f..e579e62231 100755 --- a/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh @@ -19,7 +19,7 @@ set -e primary=${SDNC_IS_PRIMARY_CLUSTER:-true} -url=http://sdnc:8282/restconf/operations/cluster-admin:change-member-voting-states-for-all-shards +url=http://sdnc:8282/rests/operations/cluster-admin:change-member-voting-states-for-all-shards username="${ODL_USERNAME:-{{.Values.odl.restconf.username}}}" password="${ODL_PASSWORD:-{{.Values.odl.restconf.password}}}" LOGFILE="/app/geo.log" diff --git a/kubernetes/sdnc/components/sdnc-web/Chart.yaml b/kubernetes/sdnc/components/sdnc-web/Chart.yaml index 6ffc9768a2..cf46600161 100644 --- a/kubernetes/sdnc/components/sdnc-web/Chart.yaml +++ b/kubernetes/sdnc/components/sdnc-web/Chart.yaml @@ -16,7 +16,7 @@ apiVersion: v2 description: SDN-C Web Server name: sdnc-web -version: 14.0.0 +version: 15.1.0 dependencies: - name: common diff --git a/kubernetes/sdnc/components/sdnc-web/values.yaml b/kubernetes/sdnc/components/sdnc-web/values.yaml index 79de4c235e..51136a26ad 100644 --- a/kubernetes/sdnc/components/sdnc-web/values.yaml +++ b/kubernetes/sdnc/components/sdnc-web/values.yaml 
@@ -22,7 +22,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: "onap/sdnc-web-image:2.6.1" +image: "onap/sdnc-web-image:3.0.2" pullPolicy: Always config: diff --git a/kubernetes/sdnc/components/ueb-listener/Chart.yaml b/kubernetes/sdnc/components/ueb-listener/Chart.yaml index 58cc32a4e7..53ba47d093 100644 --- a/kubernetes/sdnc/components/ueb-listener/Chart.yaml +++ b/kubernetes/sdnc/components/ueb-listener/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: SDNC UEB Listener name: ueb-listener -version: 14.0.0 +version: 15.1.0 dependencies: - name: common diff --git a/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties b/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties index e27ef36bee..580e939f70 100644 --- a/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties +++ b/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties @@ -9,7 +9,7 @@ org.onap.ccsdk.sli.northbound.uebclient.password=${UEB_PASSWORD} org.onap.ccsdk.sli.northbound.uebclient.user=${UEB_USER} org.onap.ccsdk.sli.northbound.uebclient.sdnc-user=${ODL_USER} org.onap.ccsdk.sli.northbound.uebclient.sdnc-passwd=${ODL_PASSWORD} -org.onap.ccsdk.sli.northbound.uebclient.asdc-api-base-url=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations/ +org.onap.ccsdk.sli.northbound.uebclient.asdc-api-base-url=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/rests/operations/ org.onap.ccsdk.sli.northbound.uebclient.asdc-api-namespace=org:onap:ccsdk org.onap.ccsdk.sli.northbound.uebclient.spool.incoming=/opt/onap/sdnc/ueb-listener/spool/incoming org.onap.ccsdk.sli.northbound.uebclient.spool.archive=/opt/onap/sdnc/ueb-listener/spool/archive 
diff --git a/kubernetes/sdnc/components/ueb-listener/values.yaml b/kubernetes/sdnc/components/ueb-listener/values.yaml index d38f18639c..c5b2fbb213 100644 --- a/kubernetes/sdnc/components/ueb-listener/values.yaml +++ b/kubernetes/sdnc/components/ueb-listener/values.yaml @@ -57,7 +57,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/sdnc-ueb-listener-image:2.6.1 +image: onap/sdnc-ueb-listener-image:3.0.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/resources/config/conf/aaiclient.properties b/kubernetes/sdnc/resources/config/conf/aaiclient.properties index 971a446d64..f7694d5b3f 100755 --- a/kubernetes/sdnc/resources/config/conf/aaiclient.properties +++ b/kubernetes/sdnc/resources/config/conf/aaiclient.properties @@ -55,8 +55,8 @@ org.onap.ccsdk.sli.adaptors.aai.update=/aai/v13/actions/update # UBB Notify org.onap.ccsdk.sli.adaptors.aai.path.notify=/aai/v13/actions/notify -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.fqdn=<%= @ubbUri %>/restconf/config/L3SDN-API:services/layer3-service-list/{service-instance-id} -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.avpn=<%= @ubbUri %>/restconf/config/L3AVPN-EVC-API:services/service-list/{service-instance-id}/service-data/avpn-logicalchannel-information +org.onap.ccsdk.sli.adaptors.aai.notify.selflink.fqdn=<%= @ubbUri %>/rests/data/L3SDN-API:services/layer3-service-list/{service-instance-id} +org.onap.ccsdk.sli.adaptors.aai.notify.selflink.avpn=<%= @ubbUri %>/rests/data/L3AVPN-EVC-API:services/service-list/{service-instance-id}/service-data/avpn-logicalchannel-information # P-Interfaces org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterfaces=/aai/v13/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces 
diff --git a/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties b/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties index 4ce1851658..ada4d7b1cc 100644 --- a/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties +++ b/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties @@ -34,4 +34,4 @@ org.onap.ccsdk.features.blueprints.adaptors.restconf.type=generic org.onap.ccsdk.features.blueprints.adaptors.restconf.enable=true org.onap.ccsdk.features.blueprints.adaptors.restconf.user=${RESTCONF_USER} org.onap.ccsdk.features.blueprints.adaptors.restconf.passwd=${RESTCONF_PASSWORD} -org.onap.ccsdk.features.blueprints.adaptors.restconf.url=http://sdnc:8282/restconf/ +org.onap.ccsdk.features.blueprints.adaptors.restconf.url=http://sdnc:8282/rests/ diff --git a/kubernetes/sdnc/resources/config/conf/generic-resource-api-dg.properties b/kubernetes/sdnc/resources/config/conf/generic-resource-api-dg.properties new file mode 100644 index 0000000000..89b9c1c45b --- /dev/null +++ b/kubernetes/sdnc/resources/config/conf/generic-resource-api-dg.properties 
@@ -0,0 +1,106 @@ +restapi.templateDir=/opt/onap/sdnc/restapi/templates +controller.url=http://localhost:8181 +controller.user=${ODL_USER} +controller.pwd=${ODL_PASSWORD} +honeycomb.url=http://{honeycomb-instance-ip}:8183 +honeycomb.user=${HONEYCOMB_USER} +honeycomb.pwd=${HONEYCOMB_PASSWORD} +restapi.trustStoreFileName=/opt/onap/sdnc/data/stores/truststore.openecomp.client.jks +restapi.trustStorePassword=${TRUSTSTORE_PASSWORD} +restapi.keyStoreFileName=/opt/onap/sdnc/data/stores/sdnc.p12 +restapi.keyStorePassword=${KEYSTORE_PASSWORD} +restapi.connection-oof-url=http://oof-osdf:8698/api/oof/v1/route +naming.gen-name.url=http://neng-serv:8080 +naming.gen-name.user=${NENG_NAME} +naming.gen-name.pwd=${NENG_PASSWORD} +so.user=${SO_USER} +so.pwd=${SO_PASSWORD} +cds.url=http://cds-blueprints-processor-http:8080 +cds.user=${CDS_USER} +cds.pwd=${CDS_PASSWORD} + +# Templates +restapi.sz.templatefile=security-zone-allotted-resource.json +restapi.cr.templatefile=contrail-route-allotted-resource.json +restapi.brg.templatefile=brg-allotted-resource.json +restapi.vpp.vxlan-tunnel.templatefile=vcpe-vxlan-tunnel.json +restapi.vpp.bridge-domain.templatefile=vcpe-vpp-bridge-domain.json +restapi.vpp.xconnect.templatefile=vcpe-l2-interface.json +restapi.tx.templatefile=tunnelxconn-allotted-resource.json +restapi.parentsvc.templatefile=parent-provided-allotted-resource.json +restapi.network-ar.templatefile=network-provided-allotted-resources.json +restapi.vnf-ar.templatefile=vnf-provided-allotted-resources.json +restapi.services.templatefile=vcpe-services-service.json +restapi.services.vnf.vfmodule.templatefile=vfmodule-vim-parameters.vgw.json +restapi.sotn-attachment.templatefile=sotn-attachment-allotted-resource.json +restapi.sdwan-attachment.templatefile=sdwan-attachment-allotted-resource.json +restapi.oof-getpath.templatefile=oof-getpath.json +restapi.transport-slice-creation.templatefile=ts-allocate-tn-slice.json 
+restapi.transport-sliceA-list-creation.templatefile=ts-allocate-tn-sliceA-list.json +restapi.transport-sliceB-list-creation.templatefile=ts-allocate-tn-sliceB-list.json +restapi.transport-sliceG-list-creation.templatefile=ts-allocate-tn-sliceG-list.json +restapi.ts-otn-src-domain-creation.templatefile=ts-otn-tunnel-src-domain.json +restapi.ts-otn-dst-domain-creation.templatefile=ts-otn-tunnel-dst-domain.json +restapi.ts-otn-domainG-creation.templatefile=ts-otn-tunnel-domainG.json +restapi.ts-ethernet-service.templatefile=ts-ethernet-service.json +restapi.ts-coloring-uni-port.templatefile=ts-coloring-uni-port.json +restapi.p2p-otn-src-domain-creation.templatefile=p2p-otn-tunnel-src-domain.json +restapi.p2p-otn-dst-domain-creation.templatefile=p2p-otn-tunnel-dst-domain.json +restapi.p2p-otn-domainG-creation.templatefile=p2p-otn-tunnel-domainG.json +restapi.p2p-ethernet-service.templatefile=p2p-ethernet-service.json +restapi.p2p-ethernet-service-vlan.templatefile=p2p-ethernet-service-vlan.json +restapi.p2p-ethernet-service-same-domain.templatefile=p2p-ethernet-service-same-domain.json +restapi.p2p-ethernet-service-modify.templatefile=p2p-ethernet-service-modify.json +restapi.p2p-subscribe-notification.templatefile=p2p-subscribe-notification.json +restapi.p2p-terminate-notification.templatefile=p2p-terminate-notification.json +restapi.p2p-create-pm-data.templatefile=p2p-create-pm-data.json +restapi.p2p-call-ves.templatefile=p2p-call-ves.json +restapi.cll-ethernet-service-loop.templatefile=cll-ethernet-service-loop.json +restapi.cll-ethernet-service-loop-protection.templatefile=cll-ethernet-service-loop-protection.json +restapi.cll-otn-src-domain-creation.templatefile=cll-otn-tunnel-src-domain.json +restapi.cll-otn-dst-domain-creation.templatefile=cll-otn-tunnel-dst-domain.json +restapi.cll-otn-domainG-creation.templatefile=cll-otn-tunnel-domainG.json +restapi.cll-subscribe-notification.templatefile=cll-subscribe-notification.json 
+restapi.cll-terminate-notification.templatefile=cll-terminate-notification.json +restapi.cll-create-pm-data.templatefile=cll-create-pm-data.json +restapi.cll-call-ves.templatefile=cll-call-ves.json +restapi.naming.gen-name.templatefile=naming-ms-post-gen-name.json +restapi.ss.pnf.templatefile=self-serve-pnf-assignments.json +restapi.ss.vnf.templatefile=self-serve-vnf-assignments.json +restapi.ss.vfmodule.templatefile=self-serve-vfmodule-assignments.json +restapi.ss.mS.vlan.tag.assign.templatefile=self-serve-mS-vlan-tag-assignments.json +restapi.ss.mS.vlan.tag.unassign.templatefile=self-serve-mS-vlan-tag-unassignments.json +restapi.ss.mS.mac.address.assign.templatefile=self-serve-mS-mac-address-assign.json +restapi.ss.mS.mac.address.unassign.templatefile=self-serve-mS-mac-address-unassign.json + +# Default cloud owner +cloud-region.cloud-owner=CloudOwner + +# URLs +restapi.cr-allottedresource=/rests/data/GENERIC-RESOURCE-API:contrail-route-allotted-resources/contrail-route-allotted-resource={allotted-resource-id} +restapi.sz-allottedresource=/rests/data/GENERIC-RESOURCE-API:security-zone-allotted-resources/security-zone-allotted-resource={allotted-resource-id} +restapi.brg-allottedresource=/rests/data/GENERIC-RESOURCE-API:brg-allotted-resources/brg-allotted-resource={allotted-resource-id} +restapi.vpp-honeycomb=/rests/data/ietf-interfaces:interfaces/interface={tunnel-name} +restapi.tx-allottedresource=/rests/data/GENERIC-RESOURCE-API:tunnelxconn-allotted-resources/tunnelxconn-allotted-resource={allotted-resource-id} +restapi.vnf-provided-allottedresource=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id}/vnf-data/vnf-provided-allotted-resources +restapi.network-provided-allottedresource=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id}/vnf-data/vnf-provided-allotted-resources 
+restapi.pm-configuration=/rests/data/GENERIC-RESOURCE-API:port-mirror-configurations/port-mirror-configuration={configuration-id} +restapi.network=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/networks +restapi.vnf=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs +restapi.vnf-api.service-information=/rests/data/VNF-API:vnfs/vnf-list={vnf-id}/service-data +restapi.parent-provided-resource=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/provided-allotted-resources/provided-allotted-resource={allotted-resource-id} +restapi.network-provided-resource=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/networks/network={network-id}/network-data/network-provided-allotted-resources +restapi.services=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id} +restapi.service.vnf.vfmodule-resource=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id}/vnf-data/vf-modules/vf-module={vf-module-id} +restapi.connection-attachment-allottedresource=/rests/data/GENERIC-RESOURCE-API:connection-attachment-allotted-resources/connection-attachment-allotted-resource={allotted-resource-id} +restapi.naming.gen-name.service=/web/service/v1/genNetworkElementName +restapi.ss-pnf-assignments=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/pnfs/pnf={pnf-id} +restapi.ss-vnf-assignments=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id} +restapi.ss-vfmodule-assignments=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id}/vnf-data/vf-modules/vf-module={vf-module-id} +restapi.ss-mS-vlan-tag-assign=/vlantagapi/v1/{action} +restapi.ss-mS-mac-address-assign=/api/macaddress/v1/service/assign 
+restapi.ss-mS-mac-address-unassign=/api/macaddress/v1/service/unassign +restapi.preload-network=/rests/data/GENERIC-RESOURCE-API:preload-information/preload-list={network-name}/network/preload-data/preload-network-topology-information +restapi.preloadinformation=/rests/data/GENERIC-RESOURCE-API:preload-information/preload-list= +restapi.vf-module=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id}/vnf-data/vf-modules/vf-module={vf-module-id} +restapi.vnf-assign=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id}
\ No newline at end of file diff --git a/kubernetes/sdnc/resources/config/conf/lcm-dg.properties b/kubernetes/sdnc/resources/config/conf/lcm-dg.properties index 44ee0b998f..17dea78908 100644 --- a/kubernetes/sdnc/resources/config/conf/lcm-dg.properties +++ b/kubernetes/sdnc/resources/config/conf/lcm-dg.properties @@ -21,8 +21,8 @@ restapi.templateDir=/opt/onap/sdnc/restapi/templates #RESTCONF lcm.restconf.configscaleout.templatefile=lcm-restconf-configscaleout.json -lcm.restconf.configscaleout.urlpath=/restconf/config/vlb-business-vnf-onap-plugin:vlb-business-vnf-onap-plugin/vdns-instances/vdns-instance/ -lcm.restconf.configscaleout.geturlpath=/restconf/operational/health-vnf-onap-plugin:health-vnf-onap-plugin-state/health-check +lcm.restconf.configscaleout.urlpath=/rests/data/vlb-business-vnf-onap-plugin:vlb-business-vnf-onap-plugin/vdns-instances/vdns-instance/ +lcm.restconf.configscaleout.geturlpath=/rests/data/health-vnf-onap-plugin:health-vnf-onap-plugin-state/health-check lcm.restconf.configscaleout.user=${SCALEOUT_USER} lcm.restconf.configscaleout.password=${SCALEOUT_PASSWORD} lcm.restconf.user=${RESTCONF_USER} diff --git a/kubernetes/sdnc/resources/geo/bin/switchVoting.sh b/kubernetes/sdnc/resources/geo/bin/switchVoting.sh index a276854d5c..0ff065666f 100755 --- a/kubernetes/sdnc/resources/geo/bin/switchVoting.sh +++ b/kubernetes/sdnc/resources/geo/bin/switchVoting.sh 
@@ -33,11 +33,11 @@ PASSWORD=`awk '/odlPassword/ {print $2}' $dir/../../../values.yaml | head -1` case "$1" in primary) - status=$(curl -u $USERNAME:$PASSWORD -o /dev/null -H "Content-Type: application/json" -H "Accept: application/json" -X POST http://localhost:30202/restconf/operations/cluster-admin:change-member-voting-states-for-all-shards -d '{ "input" : { "member-voting-state" : [ { "member-name" : "member-1", "voting":true}, { "member-name" : "member-2", "voting":true}, { "member-name" : "member-3", "voting":true},{ "member-name" : "member-4", "voting":false},{ "member-name" : "member-5", "voting":false},{ "member-name" : "member-6", "voting":false}] } }' -w "%{http_code}\n" $url 2> /dev/null) + status=$(curl -u $USERNAME:$PASSWORD -o /dev/null -H "Content-Type: application/json" -H "Accept: application/json" -X POST http://localhost:30202/rests/operations/cluster-admin:change-member-voting-states-for-all-shards -d '{ "input" : { "member-voting-state" : [ { "member-name" : "member-1", "voting":true}, { "member-name" : "member-2", "voting":true}, { "member-name" : "member-3", "voting":true},{ "member-name" : "member-4", "voting":false},{ "member-name" : "member-5", "voting":false},{ "member-name" : "member-6", "voting":false}] } }' -w "%{http_code}\n" $url 2> /dev/null) ;; secondary) - status=$(curl -u $USERNAME:$PASSWORD -o /dev/null -H "Content-Type: application/json" -H "Accept: application/json" -X POST http://localhost:30202/restconf/operations/cluster-admin:change-member-voting-states-for-all-shards -d '{ "input" : { "member-voting-state" : [ { "member-name" : "member-1", "voting":false}, { "member-name" : "member-2", "voting":false}, { "member-name" : "member-3", "voting":false},{ "member-name" : "member-4", "voting":true},{ "member-name" : "member-5", "voting":true},{ "member-name" : "member-6", "voting":true}] } }' -w "%{http_code}\n" $url 2> /dev/null) + status=$(curl -u $USERNAME:$PASSWORD -o /dev/null -H "Content-Type: application/json" -H 
"Accept: application/json" -X POST http://localhost:30202/rests/operations/cluster-admin:change-member-voting-states-for-all-shards -d '{ "input" : { "member-voting-state" : [ { "member-name" : "member-1", "voting":false}, { "member-name" : "member-2", "voting":false}, { "member-name" : "member-3", "voting":false},{ "member-name" : "member-4", "voting":true},{ "member-name" : "member-5", "voting":true},{ "member-name" : "member-6", "voting":true}] } }' -w "%{http_code}\n" $url 2> /dev/null) ;; *) diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index 666a8ada12..5d2503089c 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml +++ b/kubernetes/sdnc/templates/statefulset.yaml @@ -394,6 +394,9 @@ spec: - mountPath: {{ .Values.config.configDir }}/dblib.properties name: properties subPath: dblib.properties + - mountPath: {{ .Values.config.configDir }}/generic-api-dg.properties + name: properties + subPath: generic-api-dg.properties - mountPath: {{ .Values.config.configDir }}/lcm-dg.properties name: properties subPath: lcm-dg.properties diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index 3708bd1cdd..7060cae475 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -216,7 +216,7 @@ certificates: # application images pullPolicy: Always -image: onap/sdnc-image:2.6.1 +image: onap/sdnc-image:3.0.2 # flag to enable debugging - application support required debugEnabled: false @@ -316,8 +316,8 @@ config: maxGCPauseMillis: 100 parallelGCThreads : 3 numberGCLogFiles: 10 - minMemory: 512m - maxMemory: 2048m + minMemory: 1028m + maxMemory: 6144m gcLogOptions: "" # Next line enables gc logging # gcLogOptions: "-Xlog:gc=trace:file={{.Values.config.odl.gcLogDir}}/gc-%t.log}:time,level,tags:filecount={{.Values.config.odl.javaOptions.numberGCLogFiles}}" diff --git a/kubernetes/so/Chart.yaml b/kubernetes/so/Chart.yaml index 83419673fe..0c6b4a2f60 100755 --- a/kubernetes/so/Chart.yaml 
+++ b/kubernetes/so/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP Service Orchestrator name: so -version: 13.0.2 +version: 15.0.0 dependencies: - name: common @@ -44,7 +44,7 @@ dependencies: repository: 'file://components/so-admin-cockpit' condition: so-admin-cockpit.enabled - name: so-bpmn-infra - version: ~13.x-0 + version: ~15.x-0 repository: 'file://components/so-bpmn-infra' - name: so-catalog-db-adapter version: ~13.x-0 @@ -78,17 +78,17 @@ dependencies: repository: 'file://components/so-oof-adapter' condition: so-oof-adapter.enabled - name: so-openstack-adapter - version: ~13.x-0 + version: ~15.x-0 repository: 'file://components/so-openstack-adapter' condition: so-openstack-adapter.enabled - name: so-request-db-adapter - version: ~13.x-0 + version: ~15.x-0 repository: 'file://components/so-request-db-adapter' - name: so-sdc-controller - version: ~13.x-0 + version: ~15.x-0 repository: 'file://components/so-sdc-controller' - name: so-sdnc-adapter - version: ~13.x-0 + version: ~15.x-0 repository: 'file://components/so-sdnc-adapter' condition: so-sdnc-adapter.enabled - name: so-ve-vnfm-adapter diff --git a/kubernetes/so/components/so-bpmn-infra/Chart.yaml b/kubernetes/so/components/so-bpmn-infra/Chart.yaml index 6f52dfaef3..b379037bcf 100755 --- a/kubernetes/so/components/so-bpmn-infra/Chart.yaml +++ b/kubernetes/so/components/so-bpmn-infra/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for SO Bpmn Infra name: so-bpmn-infra -version: 13.1.0 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml b/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml index eebc71a11a..cab991c2e0 100755 --- a/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml 
@@ -299,7 +299,7 @@ policy: sdnc: auth: Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== host: http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }} - path: /restconf/operations/GENERIC-RESOURCE-API + path: /rests/operations/GENERIC-RESOURCE-API si: svc: types: PORT-MIRROR,PPROBE @@ -311,7 +311,7 @@ sdnc: callback: timeout: PT5M lcm: - path: '/restconf/operations/LCM:' + path: '/rests/operations/LCM:' actionTimeout: 300000 dmapp: readTopic: SDNC-LCM-WRITE diff --git a/kubernetes/so/components/so-bpmn-infra/values.yaml b/kubernetes/so/components/so-bpmn-infra/values.yaml index d5cee518db..136c9ad0b8 100755 --- a/kubernetes/so/components/so-bpmn-infra/values.yaml +++ b/kubernetes/so/components/so-bpmn-infra/values.yaml @@ -60,7 +60,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/bpmn-infra:1.13.0 +image: onap/so/bpmn-infra:1.15.0 pullPolicy: Always kafkaUser: diff --git a/kubernetes/so/components/so-openstack-adapter/Chart.yaml b/kubernetes/so/components/so-openstack-adapter/Chart.yaml index 1129cf23a2..4051b0bd03 100755 --- a/kubernetes/so/components/so-openstack-adapter/Chart.yaml +++ b/kubernetes/so/components/so-openstack-adapter/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-openstack-adapter -version: 13.0.0 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/so/components/so-openstack-adapter/values.yaml b/kubernetes/so/components/so-openstack-adapter/values.yaml index 15074b5712..0721c76db7 100755 --- a/kubernetes/so/components/so-openstack-adapter/values.yaml +++ b/kubernetes/so/components/so-openstack-adapter/values.yaml 
@@ -54,7 +54,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/openstack-adapter:1.12.2 +image: onap/so/openstack-adapter:1.15.0 pullPolicy: Always # Local mariadb galera instance default name diff --git a/kubernetes/so/components/so-request-db-adapter/Chart.yaml b/kubernetes/so/components/so-request-db-adapter/Chart.yaml index 32095c29b7..7ce788960d 100755 --- a/kubernetes/so/components/so-request-db-adapter/Chart.yaml +++ b/kubernetes/so/components/so-request-db-adapter/Chart.yaml @@ -16,7 +16,7 @@ apiVersion: v2 description: A Helm chart for request-db-adapter name: so-request-db-adapter -version: 13.0.0 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/so/components/so-request-db-adapter/values.yaml b/kubernetes/so/components/so-request-db-adapter/values.yaml index 9eecb245c7..0e12f5150f 100755 --- a/kubernetes/so/components/so-request-db-adapter/values.yaml +++ b/kubernetes/so/components/so-request-db-adapter/values.yaml @@ -54,7 +54,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/request-db-adapter:1.12.2 +image: onap/so/request-db-adapter:1.15.0 pullPolicy: Always # Local mariadb galera instance default name diff --git a/kubernetes/so/components/so-sdc-controller/Chart.yaml b/kubernetes/so/components/so-sdc-controller/Chart.yaml index fc5496cc3a..b710b37ae6 100755 --- a/kubernetes/so/components/so-sdc-controller/Chart.yaml +++ b/kubernetes/so/components/so-sdc-controller/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-sdc-controller -version: 13.0.0 +version: 15.0.0 dependencies: - name: common 
diff --git a/kubernetes/so/components/so-sdc-controller/values.yaml b/kubernetes/so/components/so-sdc-controller/values.yaml index 1fe5b50cf7..f7a838a8d9 100755 --- a/kubernetes/so/components/so-sdc-controller/values.yaml +++ b/kubernetes/so/components/so-sdc-controller/values.yaml @@ -55,7 +55,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/sdc-controller:1.12.2 +image: onap/so/sdc-controller:1.15.0 pullPolicy: Always # Local mariadb galera instance default name diff --git a/kubernetes/so/components/so-sdnc-adapter/Chart.yaml b/kubernetes/so/components/so-sdnc-adapter/Chart.yaml index c43cad7624..a1c886cac9 100755 --- a/kubernetes/so/components/so-sdnc-adapter/Chart.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-sdnc-adapter -version: 13.0.0 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml index 55dc11526d..8c44ad7a8a 100755 --- a/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml 
@@ -160,16 +160,16 @@ org: bpelurl: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage sdncauth: {{ .Values.org.onap.so.adapters.sdnc.sdncauth }} sdncconnecttime: 5000 - sdncurl10: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/GENERIC-RESOURCE-API:' - sdncurl11: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/VNFTOPOLOGYAIC-API:' + sdncurl10: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/GENERIC-RESOURCE-API:' + sdncurl11: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/VNFTOPOLOGYAIC-API:' sdncurl12: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/' - sdncurl13: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/opticalservice:' - sdncurl5: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/config' - sdncurl6: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/VNF-API:' - sdncurl7: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/L3UCPE-API:' - sdncurl8: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/NBNC-API:' - sdncurl9: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . 
}}:{{ .Values.global.sdncOamPort }}/restconf/operations/NORTHBOUND-API:service-topology-operation' - sdncurl20: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/LCM:' + sdncurl13: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/opticalservice:' + sdncurl5: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/data' + sdncurl6: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/VNF-API:' + sdncurl7: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/L3UCPE-API:' + sdncurl8: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/NBNC-API:' + sdncurl9: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/NORTHBOUND-API:service-topology-operation' + sdncurl20: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/LCM:' service: infra: service-topology-infra-activate-operation: POST|90000|sdncurl9|sdnc-request-header|com:att:sdnctl:northbound-api:v1 diff --git a/kubernetes/so/components/so-sdnc-adapter/values.yaml b/kubernetes/so/components/so-sdnc-adapter/values.yaml index 61ec096111..c228366ad8 100755 --- a/kubernetes/so/components/so-sdnc-adapter/values.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/values.yaml 
@@ -61,7 +61,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/sdnc-adapter:1.12.2 +image: onap/so/sdnc-adapter:1.15.0 pullPolicy: Always org: diff --git a/kubernetes/so/resources/config/mso/mso-docker.json b/kubernetes/so/resources/config/mso/mso-docker.json index 119a31304a..9a8284c3e9 100755 --- a/kubernetes/so/resources/config/mso/mso-docker.json +++ b/kubernetes/so/resources/config/mso/mso-docker.json 
@@ -58,15 +58,15 @@ { "sdncurls": [ - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/L3SDN-API:", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/config/L3SDN-API:", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/Firewall-API:", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/config", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/VNF-API:", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/NBNC-API:", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/NORTHBOUND-API:service-topology-operation", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/GENERIC-RESOURCE-API:", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/VNFTOPOLOGYAIC-API:", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/L3SDN-API:", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/data/L3SDN-API:", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/Firewall-API:", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/data", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/VNF-API:", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/NBNC-API:", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/NORTHBOUND-API:service-topology-operation", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/GENERIC-RESOURCE-API:", + 
"http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/VNFTOPOLOGYAIC-API:", "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/" ], diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index 0d53ea3aa8..8742059f85 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -154,7 +154,7 @@ dbCreds: userName: so_user adminName: so_admin -image: onap/so/api-handler-infra:1.12.2 +image: onap/so/api-handler-infra:1.15.0 server: aai: diff --git a/kubernetes/uui/Chart.yaml b/kubernetes/uui/Chart.yaml index 900a6c97e1..0d1d7f2f6f 100644 --- a/kubernetes/uui/Chart.yaml +++ b/kubernetes/uui/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP uui name: uui -version: 13.1.0 +version: 15.0.0 dependencies: - name: common @@ -31,14 +31,17 @@ dependencies: version: ~13.x-0 repository: '@local' - name: uui-server - version: ~13.x-0 + version: ~15.x-0 repository: 'file://components/uui-server' - name: uui-nlp version: ~13.x-0 repository: 'file://components/uui-nlp' - name: uui-intent-analysis - version: ~13.x-0 + version: ~15.x-0 repository: 'file://components/uui-intent-analysis' - name: uui-llm-adaptation - version: ~13.x-0 + version: ~15.x-0 repository: 'file://components/uui-llm-adaptation' + - name: nginx + version: ~18.3.x-0 + repository: '@local' diff --git a/kubernetes/uui/components/uui-intent-analysis/Chart.yaml b/kubernetes/uui/components/uui-intent-analysis/Chart.yaml index bd1f6eedab..25fa9459c5 100644 --- a/kubernetes/uui/components/uui-intent-analysis/Chart.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v2 description: ONAP uui intent analysis name: uui-intent-analysis -version: 13.0.0 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/uui/components/uui-intent-analysis/values.yaml b/kubernetes/uui/components/uui-intent-analysis/values.yaml index 73903ceae9..a930e50b1c 100644 
--- a/kubernetes/uui/components/uui-intent-analysis/values.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/values.yaml @@ -40,7 +40,7 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -image: onap/usecase-ui-intent-analysis:14.0.0 +image: onap/usecase-ui-intent-analysis:15.0.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml b/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml index 1c36c236ee..2391ac35f1 100644 --- a/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml +++ b/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v2 description: ONAP uui llm adaptation name: uui-llm-adaptation -version: 13.0.0 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/uui/components/uui-llm-adaptation/values.yaml b/kubernetes/uui/components/uui-llm-adaptation/values.yaml index f5804efb20..cda22163db 100644 --- a/kubernetes/uui/components/uui-llm-adaptation/values.yaml +++ b/kubernetes/uui/components/uui-llm-adaptation/values.yaml @@ -40,7 +40,7 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -image: onap/usecase-ui-llm-adaptation:14.0.0 +image: onap/usecase-ui-llm-adaptation:15.0.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/uui/components/uui-server/Chart.yaml b/kubernetes/uui/components/uui-server/Chart.yaml index 82e395ed45..034768256f 100644 --- a/kubernetes/uui/components/uui-server/Chart.yaml +++ b/kubernetes/uui/components/uui-server/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP uui server name: uui-server -version: 13.0.0 +version: 15.0.0 dependencies: - name: common 
diff --git a/kubernetes/uui/components/uui-server/resources/config/application.properties b/kubernetes/uui/components/uui-server/resources/config/application.properties index 36308c0313..67b0ff08c9 100644 --- a/kubernetes/uui/components/uui-server/resources/config/application.properties +++ b/kubernetes/uui/components/uui-server/resources/config/application.properties @@ -14,6 +14,7 @@ ## limitations under the License. ## ## General App Properties +spring.application.name=uui-server server.servlet.contextPath=/api/usecaseui-server/v1 server.port=8082 spring.http.multipart.max-file-size=128MB diff --git a/kubernetes/uui/components/uui-server/resources/entrypoint/run.sh b/kubernetes/uui/components/uui-server/resources/entrypoint/run.sh index 283d55b741..6f585273a8 100644 --- a/kubernetes/uui/components/uui-server/resources/entrypoint/run.sh +++ b/kubernetes/uui/components/uui-server/resources/entrypoint/run.sh @@ -32,7 +32,7 @@ $dbScript 127.0.0.1 5432 postgres uui echo "usecase-ui database init script finished normally..." JAVA_PATH="$JAVA_HOME/bin/java" -JAVA_OPTS="-Xms50m -Xmx128m" +JAVA_OPTS="-XX:MaxRAMPercentage=${MAX_RAM_PERCENTAGE:-70}" echo @JAVA_PATH@ $JAVA_PATH echo @JAVA_OPTS@ $JAVA_OPTS diff --git a/kubernetes/uui/components/uui-server/templates/deployment.yaml b/kubernetes/uui/components/uui-server/templates/deployment.yaml index ae08054d88..d19f180f4e 100644 --- a/kubernetes/uui/components/uui-server/templates/deployment.yaml +++ b/kubernetes/uui/components/uui-server/templates/deployment.yaml @@ -100,6 +100,8 @@ spec: value: {{tpl .Values.msbaddr .}} - name: MR_ADDR value: {{tpl .Values.mraddr .}} + - name: AAI_ADDR + value: {{tpl .Values.aaiaddr .}} - name: POSTGRES_IP value: {{.Values.postgres.service.name2}} - name: POSTGRES_PORT diff --git a/kubernetes/uui/components/uui-server/values.yaml b/kubernetes/uui/components/uui-server/values.yaml index 6e715bd7a9..15cce631ca 100644 --- a/kubernetes/uui/components/uui-server/values.yaml 
+++ b/kubernetes/uui/components/uui-server/values.yaml @@ -48,13 +48,14 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/usecase-ui-server:14.0.0 +image: onap/usecase-ui-server:15.0.0 pullPolicy: Always # application configuration msbaddr: msb-iag.{{include "common.namespace" .}}:80 mraddr: message-router.{{include "common.namespace" .}}:3904 +aaiaddr: aai.{{include "common.namespace" .}}:80 # application configuration override for postgres postgres: diff --git a/kubernetes/uui/values.yaml b/kubernetes/uui/values.yaml index 2cc0837f41..c9a0331350 100644 --- a/kubernetes/uui/values.yaml +++ b/kubernetes/uui/values.yaml @@ -25,7 +25,7 @@ subChartsOnly: flavor: small # application image -image: onap/usecase-ui:14.0.0 +image: onap/usecase-ui:15.0.0 pullPolicy: Always # application configuration @@ -80,11 +80,11 @@ service: ]{{ end }} ingress: - enabled: false + enabled: true service: - - baseaddr: "uui-ui" - name: "uui" - port: 8080 + - baseaddr: uui + name: uui-proxy + port: 80 config: ssl: "redirect" @@ -114,3 +114,34 @@ resources: cpu: "500m" memory: "1Gi" unlimited: {} + +nginx: + fullnameOverride: uui-proxy + serverBlock: |- + server { + listen 8080; + listen [::]:8080; + + # Redirect root path to /usecase-ui + location = / { + return 301 /usecase-ui; + } + + # frontend + location /usecase-ui { + proxy_pass http://uui:8080; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # backend + location /api { + proxy_pass http://uui-server:8082; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + } 
@@ -9,7 +9,7 @@ envlist = skipsdist=true [doc8] -ignore-path-errors=docs/helm-search.txt;D001 +ignore-path-errors=docs/sections/resources/helm/helm-search.txt;D001 [testenv:doc8] basepython = python3.8 |
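Review bot: in the kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml hunk, the rewrite of sdncurl5 from `/restconf/config` to `/rests/data` changes semantics, not just the path. Under RFC 8040 `/rests/data` addresses the unified datastore, so a GET that previously returned only configuration now also returns operational state unless the caller appends `?content=config`; any adapter code that reads back what it PUT through sdncurl5 should be checked for that. The remaining `sdncurlN` entries are a mechanical `/restconf/operations` to `/rests/operations` rename and look consistent, but the commit message should state that the chart now assumes an SDNC image that serves RFC 8040 RESTCONF on `{{ .Values.global.sdncOamPort }}`: an older SDNC that only exposes the draft `/restconf` tree will answer every one of these URLs with 404 at runtime, and nothing at template time catches the mismatch. Note also that all of these endpoints stay `http://` and carry `sdncauth` credentials, so the change does not alter the in-cluster plaintext exposure; worth saying explicitly if that is accepted.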
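Review bot: the kubernetes/so/resources/config/mso/mso-docker.json hunk updates a second, hand-maintained copy of the SDNC URL list, and the two copies already disagree: mso-docker.json carries `L3SDN-API` and `Firewall-API` entries that override.yaml lacks, while override.yaml carries `opticalservice` and `LCM` entries absent here. The same `/rests/data` caveat applies to `"http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/data/L3SDN-API:"` and the bare `/rests/data` entry. Please state in the commit message which of the two lists SO actually consumes at runtime, or derive one from the other, so the next RESTCONF change does not have to be applied twice and can not silently drift.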
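Review bot: in the kubernetes/uui/Chart.yaml hunk, `uui-nlp` is left at `version: ~13.x-0` while `uui-server`, `uui-intent-analysis` and `uui-llm-adaptation` move to `~15.x-0`; if that is deliberate (no uui-nlp release this cycle) a one-line note in the commit message would save the next reader a search. The new `nginx` dependency pinned at `~18.3.x-0` from `@local` has no `condition:`, so `uui-proxy` is rendered and deployed even when `ingress.enabled` is false; if the proxy exists only to front the ingress, consider `condition: ingress.enabled` so non-ingress installs do not carry an extra listening pod.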
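Review bot: the kubernetes/uui/components/uui-server/resources/entrypoint/run.sh change from `-Xms50m -Xmx128m` to `-XX:MaxRAMPercentage=${MAX_RAM_PERCENTAGE:-70}` only sizes the heap against the container when the uui-server container has a memory limit set; without a limit the JVM takes 70% of the node's RAM as its maximum heap, which is the opposite of the hard 128 MiB cap it replaces. The deployment.yaml hunk in this patch does not set `MAX_RAM_PERCENTAGE`, so the default of 70 always applies; either document the variable in values.yaml and wire it into the deployment, or drop the indirection. Please also confirm in the commit message that the uui-server flavor resource blocks set `limits.memory`, since that is what makes this flag safe.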
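Review bot: in the kubernetes/uui/values.yaml hunk, the nginx `serverBlock` has no `client_max_body_size`, so nginx's default 1m limit applies to everything proxied to `location /api`, while the same patch keeps `spring.http.multipart.max-file-size=128MB` in uui-server's application.properties; uploads larger than 1 MiB will be rejected with 413 at the proxy before the backend ever sees them. Set `client_max_body_size 128m;` in the `/api` location (or the server block) to match. Two further points on the same hunk: `ingress.enabled` flips from `false` to `true` as the chart-level default and routes `port: 80` on `uui-proxy` straight through to `uui-server:8082` with no method, path or rate restriction at the proxy layer, so whatever authentication uui-server enforces on `/api` is now the only control on an externally reachable backend; state in the commit message that this exposure is intended and that the common ingress template still honours the global ingress switch. And `listen 8080` on the proxy versus `port: 80` on the ingress relies on the nginx chart's Service mapping 80 to 8080; that is the upstream chart's default, but adding `server_tokens off;` to the server block would be a cheap hardening while this block is being written.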