-rw-r--r--docs/requirements-docs.txt1
-rw-r--r--docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst18
-rw-r--r--docs/sections/guides/infra_guides/oom_infra_deployment_options.rst4
-rw-r--r--docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst2
-rw-r--r--docs/sections/resources/yaml/keycloak-ingress.yaml55
-rw-r--r--docs/sections/resources/yaml/keycloak-server-values.yaml63
-rw-r--r--kubernetes/aai/Chart.yaml2
-rw-r--r--kubernetes/aai/components/aai-resources/Chart.yaml2
-rw-r--r--kubernetes/aai/components/aai-resources/values.yaml2
-rw-r--r--kubernetes/cds/Chart.yaml3
-rw-r--r--kubernetes/cds/values.yaml134
-rw-r--r--kubernetes/common/common/templates/_pod.tpl3
-rw-r--r--kubernetes/cps/components/cps-core/resources/config/application-helm.yml2
-rw-r--r--kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml2
-rw-r--r--kubernetes/dcaegen2-services/Chart.yaml7
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml5
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml8
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml5
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkatopic.yaml16
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkauser.yaml16
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/secret.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml74
-rw-r--r--kubernetes/platform/Chart.yaml2
-rw-r--r--kubernetes/platform/components/keycloak-init/Chart.yaml4
-rw-r--r--kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml4
-rw-r--r--kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml2
-rw-r--r--kubernetes/platform/components/keycloak-init/templates/ingress.yaml21
-rw-r--r--kubernetes/platform/components/keycloak-init/values.yaml16
-rwxr-xr-xkubernetes/policy/Chart.yaml4
-rwxr-xr-xkubernetes/policy/values.yaml28
30 files changed, 300 insertions, 222 deletions
diff --git a/docs/requirements-docs.txt b/docs/requirements-docs.txt
index 9c104de61c..be92e5dcea 100644
--- a/docs/requirements-docs.txt
+++ b/docs/requirements-docs.txt
@@ -6,3 +6,4 @@ sphinxcontrib-swaggerdoc
sphinxcontrib-spelling
sphinxcontrib-plantuml
sphinx_toolbox>=3.2.0
+six
\ No newline at end of file
diff --git a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst
index 4c21217c23..f25f4e716c 100644
--- a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst
+++ b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst
@@ -358,7 +358,7 @@ Keycloak Installation
- create keycloak namespace::
> kubectl create namespace keycloak
- > kubectl label namespace keycloak istio-injection=enabled
+ > kubectl label namespace keycloak istio-injection=disabled
Install Keycloak-Database
^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -388,7 +388,21 @@ Configure Keycloak
- Install keycloak::
- > helm -n keycloak upgrade -i keycloak codecentric/keycloak --values ./keycloak-server-values.yaml
+ > helm -n keycloak upgrade -i keycloak codecentric/keycloakx --values ./keycloak-server-values.yaml
The required Ingress entry and REALM will be provided by the ONAP "Platform"
component.
+
+- Create Ingress gateway entry for the keycloak web interface
+ using the configured Ingress <base-url> (here "simpledemo.onap.org")
+ as described in :ref:`oom_customize_overrides`
+
+ .. collapse:: keycloak-ingress.yaml
+
+ .. include:: ../../resources/yaml/keycloak-ingress.yaml
+ :code: yaml
+
+- Add the Ingress entry for Keycloak::
+
+ > kubectl -n keycloak apply -f keycloak-ingress.yaml
+
diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst
index dc206e0548..3b198cf1d6 100644
--- a/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst
+++ b/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst
@@ -36,5 +36,5 @@ Internal traffic encryption will be ensured by using Istio ServiceMesh.
.. figure:: ../../resources/images/servicemesh/ServiceMesh.png
:align: center
-For external access we start to establish Authentication via Oauth2-proxy
-and Keycloak which will be completed in the coming release.
+For external access we propose to establish Authentication via Oauth2-proxy
+and Keycloak which is described in this document.
diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
index 4eefdafbf3..dbb965dd86 100644
--- a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
+++ b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
@@ -60,7 +60,7 @@ The versions of software that are supported and tested by OOM are as follows:
============== ====== ============ ==============
London 1.17.2 v0.6.2 19.0.3-legacy
Montreal 1.19.3 v1.0.0 19.0.3-legacy
- New Delhi 1.19.3 v1.0.0 19.0.3-legacy
+ New Delhi 1.19.3 v1.0.0 22.0.4
============== ====== ============ ==============
.. table:: OOM Software Requirements (optional)
diff --git a/docs/sections/resources/yaml/keycloak-ingress.yaml b/docs/sections/resources/yaml/keycloak-ingress.yaml
new file mode 100644
index 0000000000..91fc34f381
--- /dev/null
+++ b/docs/sections/resources/yaml/keycloak-ingress.yaml
@@ -0,0 +1,55 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ name: keycloak-ui-http-route
+ namespace: keycloak
+spec:
+ hostnames:
+ - keycloak-ui.simpledemo.onap.org
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: common-gateway
+ namespace: istio-ingress
+ sectionName: https-80
+ rules:
+ Filters:
+ Request Redirect:
+ Port: 443
+ Scheme: https
+ Status Code: 301
+ Type: RequestRedirect
+ Matches:
+ Path:
+ Type: PathPrefix
+ Value: /auth
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ name: keycloak-ui-http-route
+ namespace: keycloak
+spec:
+ hostnames:
+ - keycloak-ui.simpledemo.onap.org
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: common-gateway
+ namespace: istio-ingress
+ sectionName: https-443
+ rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: keycloak-keycloakx-http
+ port: 80
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /auth
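Review bot: The first HTTPRoute's `rules` block (the `https-80` redirect document) uses `Filters`, `Request Redirect`, `Status Code`, `Matches` and `Path` as keys, which read like `kubectl describe` output rather than Gateway API manifest fields, so the redirect is unlikely to be accepted or applied as written. Both documents also carry `name: keycloak-ui-http-route` in namespace `keycloak`, so applying the file leaves only one of them; the redirect route needs its own name. Until the redirect works, what happens to plain-HTTP requests for `/auth` depends on the gateway, which matters for a login endpoint. The page rendering drops indentation, so the nesting below is a reconstruction, and the route name in it is a constructed example.

```yaml
# … unchanged: apiVersion, kind, metadata.labels …
  name: keycloak-ui-http-redirect   # constructed name, distinct from the HTTPS route
# … unchanged: namespace, hostnames, parentRefs (sectionName: https-80) …
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            port: 443
            statusCode: 301
      matches:
        - path:
            type: PathPrefix
            value: /auth
```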
diff --git a/docs/sections/resources/yaml/keycloak-server-values.yaml b/docs/sections/resources/yaml/keycloak-server-values.yaml
index 7eaecbedfc..0160ce86e8 100644
--- a/docs/sections/resources/yaml/keycloak-server-values.yaml
+++ b/docs/sections/resources/yaml/keycloak-server-values.yaml
@@ -1,53 +1,48 @@
-image:
- # The Keycloak image repository
- repository: quay.io/keycloak/keycloak
- # Overrides the Keycloak image tag whose default is the chart appVersion
- tag: "19.0.3-legacy"
-
-postgresql:
- # If `true`, the Postgresql dependency is enabled
- enabled: false
+---
+command:
+ - "/opt/keycloak/bin/kc.sh"
+ - "--verbose"
+ - "start"
+ - "--http-enabled=true"
+ - "--http-port=8080"
+ - "--hostname-strict=false"
+ - "--hostname-strict-https=false"
+ - "--spi-events-listener-jboss-logging-success-level=info"
+ - "--spi-events-listener-jboss-logging-error-level=warn"
extraEnv: |
- - name: KEYCLOAK_USER
+ - name: KEYCLOAK_ADMIN
valueFrom:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-admin-creds
key: user
- - name: KEYCLOAK_PASSWORD
+ - name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-admin-creds
key: password
- - name: DB_VENDOR
- value: postgres
- - name: DB_ADDR
- value: keycloak-db-postgresql
- - name: DB_PORT
- value: "5432"
- - name: DB_DATABASE
- value: keycloak
- - name: DB_USER
- value: dbusername
- - name: DB_PASSWORD_FILE
- value: /secrets/db-creds/password
+ - name: JAVA_OPTS_APPEND
+ value: >-
+ -XX:+UseContainerSupport
+ -XX:MaxRAMPercentage=50.0
+ -Djava.awt.headless=true
+ -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
- name: PROXY_ADDRESS_FORWARDING
value: "true"
-extraVolumeMounts: |
- - name: db-creds
- mountPath: /secrets/db-creds
- readOnly: true
+dbchecker:
+ enabled: true
-extraVolumes: |
- - name: db-creds
- secret:
- secretName: keycloak-db-postgresql
+database:
+ vendor: postgres
+ hostname: keycloak-db-postgresql
+ port: 5432
+ username: dbusername
+ password: dbpassword
+ database: keycloak
secrets:
admin-creds:
- annotations:
- my-test-annotation: Test secret for {{ include "keycloak.fullname" . }}
stringData:
user: admin
- password: secret
\ No newline at end of file
+ password: secret
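Review bot: The new `database:` block puts the database password in the values file as a literal (`password: dbpassword`), whereas the removed configuration read it from the mounted `keycloak-db-postgresql` secret through `DB_PASSWORD_FILE`. If the keycloakx chart version in use supports it, reference the existing secret instead, e.g. `existingSecret: keycloak-db-postgresql` under `database:` (key name to be confirmed against the chart), so the credential stays out of the documented values and the Helm release data. `--http-enabled=true` with `--hostname-strict=false` deserves a comment stating that TLS is terminated at the gateway; the same commit labels the namespace `istio-injection=disabled`, so the hop from gateway to Keycloak is presumably unencrypted. The `admin` / `secret` sample credentials should carry a comment such as `# placeholder, replace before deployment`.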
diff --git a/kubernetes/aai/Chart.yaml b/kubernetes/aai/Chart.yaml
index 6033d41884..7f00c2f002 100644
--- a/kubernetes/aai/Chart.yaml
+++ b/kubernetes/aai/Chart.yaml
@@ -18,7 +18,7 @@
apiVersion: v2
description: ONAP Active and Available Inventory
name: aai
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: common
diff --git a/kubernetes/aai/components/aai-resources/Chart.yaml b/kubernetes/aai/components/aai-resources/Chart.yaml
index 54fa70c056..3594492675 100644
--- a/kubernetes/aai/components/aai-resources/Chart.yaml
+++ b/kubernetes/aai/components/aai-resources/Chart.yaml
@@ -18,7 +18,7 @@
apiVersion: v2
description: ONAP AAI resources
name: aai-resources
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: common
diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml
index cf8d17ba2b..007c60e19e 100644
--- a/kubernetes/aai/components/aai-resources/values.yaml
+++ b/kubernetes/aai/components/aai-resources/values.yaml
@@ -123,7 +123,7 @@ aai_enpoints:
url: external-system
# application image
-image: onap/aai-resources:1.12.3
+image: onap/aai-resources:1.13.0
pullPolicy: Always
restartPolicy: Always
flavor: small
diff --git a/kubernetes/cds/Chart.yaml b/kubernetes/cds/Chart.yaml
index ede21d2edb..d8b6cc7de0 100644
--- a/kubernetes/cds/Chart.yaml
+++ b/kubernetes/cds/Chart.yaml
@@ -17,7 +17,7 @@
apiVersion: v2
description: ONAP Controller Design Studio (CDS)
name: cds
-version: 13.0.0
+version: 13.0.2
dependencies:
- name: common
@@ -26,6 +26,7 @@ dependencies:
- name: mariadb-galera
version: ~13.x-0
repository: '@local'
+ condition: global.mariadbGalera.localCluster
- name: cds-blueprints-processor
version: ~13.x-0
repository: 'file://components/cds-blueprints-processor'
diff --git a/kubernetes/cds/values.yaml b/kubernetes/cds/values.yaml
index 199c438863..ae3137c4dc 100644
--- a/kubernetes/cds/values.yaml
+++ b/kubernetes/cds/values.yaml
@@ -23,6 +23,20 @@ global:
nodePortPrefixExt: 304
persistence:
mountPath: /dockerdata-nfs
+ mariadbGalera: &mariadbGalera
+ # flag to enable the DB creation via mariadb-operator
+ useOperator: true
+ #This flag allows NBI to instantiate its own mariadb-galera cluster
+ #When changing it to "true", also set "globalCluster: false"
+ #as the dependency check will not work otherwise (Chart.yaml)
+ localCluster: true
+ globalCluster: false
+ service: mariadb-galera
+ internalPort: 3306
+ nameOverride: mariadb-galera
+ # (optional) if localCluster=false and an external secret is used set this variable
+ #userRootSecret: <secretName>
+
#################################################################
# Secrets metaconfig
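Review bot: The comments on the new `mariadbGalera` block appear to be copied from another chart: they say the flag lets "NBI" instantiate its own cluster, and they tell the reader to set `globalCluster: false` "when changing it to true" although `localCluster: true` is already the value here. Suggested wording: `# Lets CDS instantiate its own mariadb-galera cluster; keep globalCluster set to the opposite value, because the Chart.yaml dependency condition reads localCluster`. `userRootSecret` is documented only for `localCluster=false`; one more comment line saying where the root credential comes from when `useOperator: true` would help whoever has to rotate it.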
@@ -87,126 +101,6 @@ mariadb-galera:
serviceAccount:
nameOverride: *dbServer
- mariadbConfiguration: |-
- [client]
- port=3306
- socket=/opt/bitnami/mariadb/tmp/mysql.sock
- plugin_dir=/opt/bitnami/mariadb/plugin
-
- [mysqld]
- lower_case_table_names = 1
- default_storage_engine=InnoDB
- basedir=/opt/bitnami/mariadb
- datadir=/bitnami/mariadb/data
- plugin_dir=/opt/bitnami/mariadb/plugin
- tmpdir=/opt/bitnami/mariadb/tmp
- socket=/opt/bitnami/mariadb/tmp/mysql.sock
- pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid
- bind_address=0.0.0.0
-
- ## Character set
- collation_server=utf8_unicode_ci
- init_connect='SET NAMES utf8'
- character_set_server=utf8
-
- ## MyISAM
- key_buffer_size=32M
- myisam_recover_options=FORCE,BACKUP
-
- ## Safety
- skip_host_cache
- skip_name_resolve
- max_allowed_packet=16M
- max_connect_errors=1000000
- sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY
- sysdate_is_now=1
-
- ## Binary Logging
- log_bin=mysql-bin
- expire_logs_days=14
- # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql
- sync_binlog=0
- # Required for Galera
- binlog_format=row
-
- ## Caches and Limits
- tmp_table_size=32M
- max_heap_table_size=32M
- # Re-enabling as now works with Maria 10.1.2
- query_cache_type=1
- query_cache_limit=4M
- query_cache_size=256M
- max_connections=500
- thread_cache_size=50
- open_files_limit=65535
- table_definition_cache=4096
- table_open_cache=4096
-
- ## InnoDB
- innodb=FORCE
- innodb_strict_mode=1
- # Mandatory per https://github.com/codership/documentation/issues/25
- innodb_autoinc_lock_mode=2
- # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/
- innodb_doublewrite=1
- innodb_flush_method=O_DIRECT
- innodb_log_files_in_group=2
- innodb_log_file_size=128M
- innodb_flush_log_at_trx_commit=1
- innodb_file_per_table=1
- # 80% Memory is default reco.
- # Need to re-evaluate when DB size grows
- innodb_buffer_pool_size=2G
- innodb_file_format=Barracuda
-
- ## Logging
- log_error=/opt/bitnami/mariadb/logs/mysqld.log
- slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log
- log_queries_not_using_indexes=1
- slow_query_log=1
-
- ## SSL
- ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem
- # ssl_ca=/certs/ca.pem
- # ssl_cert=/certs/server-cert.pem
- # ssl_key=/certs/server-key.pem
-
- [galera]
- wsrep_on=ON
- wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so
- wsrep_sst_method=mariabackup
- wsrep_slave_threads=4
- wsrep_cluster_address=gcomm://
- wsrep_cluster_name=galera
- wsrep_sst_auth="root:"
- # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit
- innodb_flush_log_at_trx_commit=2
- # MYISAM REPLICATION SUPPORT #
- wsrep_replicate_myisam=ON
-
- [mariadb]
- plugin_load_add=auth_pam
-
- ## Data-at-Rest Encryption
- ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem
- # plugin_load_add=file_key_management
- # file_key_management_filename=/encryption/keyfile.enc
- # file_key_management_filekey=FILE:/encryption/keyfile.key
- # file_key_management_encryption_algorithm=AES_CTR
- # encrypt_binlog=ON
- # encrypt_tmp_files=ON
-
- ## InnoDB/XtraDB Encryption
- # innodb_encrypt_tables=ON
- # innodb_encrypt_temporary_tables=ON
- # innodb_encrypt_log=ON
- # innodb_encryption_threads=4
- # innodb_encryption_rotate_key_age=1
-
- ## Aria Encryption
- # aria_encrypt_tables=ON
- # encrypt_tmp_disk_tables=ON
-
cds-blueprints-processor:
enabled: true
config:
diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl
index b38a7f1105..810350bfa6 100644
--- a/kubernetes/common/common/templates/_pod.tpl
+++ b/kubernetes/common/common/templates/_pod.tpl
@@ -45,6 +45,9 @@
- containerPort: {{ default $port.plain_port $port.internal_plain_port }}
name: {{ $port.name }}-plain
{{- end }}
+{{- if $port.l4_protocol }}
+ protocol: {{ $port.l4_protocol }}
+{{- end }}
{{- end }}
{{- end -}}
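Review bot: The new `protocol:` line is emitted after the `{{- end }}` that closes the `-plain` port entry, so for a port that renders both a main and a `-plain` containerPort it would attach only to the last entry and leave the other at the default protocol. If a non-TCP port is meant to apply to both entries, the `{{- if $port.l4_protocol }}` block has to follow each `containerPort` item. The value is also inserted unquoted; `protocol: {{ $port.l4_protocol | quote }}` keeps an unexpected value from being re-typed by the YAML parser. The enclosing range and define start outside this hunk, so the first point is inferred from the visible context lines only.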
diff --git a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml
index 72da92fd86..81b81341e5 100644
--- a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml
+++ b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml
@@ -38,7 +38,7 @@ spring:
security:
# comma-separated uri patterns which do not require authorization
- permit-uri: /actuator/**,/swagger-ui/**,/swagger-resources/**,/api-docs
+ permit-uri: /actuator/**,/swagger-ui.html,/swagger-ui/**,/swagger-resources/**,/api-docs/**,/v3/api-docs/**
auth:
username: ${CPS_USERNAME}
password: ${CPS_PASSWORD}
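Review bot: `permit-uri` is the list of paths served without authorization, and this line widens it with `/swagger-ui.html`, `/api-docs/**` and `/v3/api-docs/**` on top of the already-open `/actuator/**`. Serving the full API description unauthenticated may be acceptable in a lab but should be a deliberate choice on an externally reachable deployment, so it would be better driven by a values flag than hard-coded, and the comment above it should say which patterns are expected to stay open in production. The two files also disagree: this one permits `/v3/api-docs/**`, while the ncmp-dmi-plugin hunk that follows permits `/v3/api-docs` without the wildcard; whichever is intended should be used in both.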
diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml
index 3c9261191b..2b68b6c04f 100644
--- a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml
+++ b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml
@@ -37,7 +37,7 @@ sdnc:
security:
# comma-separated uri patterns which do not require authorization
- permit-uri: /actuator/**,/swagger-ui/**,/swagger-resources/**,/v3/api-docs
+ permit-uri: /actuator/**,/swagger-ui.html,/swagger-ui/**,/swagger-resources/**,/api-docs/**,/v3/api-docs
auth:
username: ${DMI_PLUGIN_USERNAME}
password: ${DMI_PLUGIN_PASSWORD}
diff --git a/kubernetes/dcaegen2-services/Chart.yaml b/kubernetes/dcaegen2-services/Chart.yaml
index 9abe66af13..cd6893ea08 100644
--- a/kubernetes/dcaegen2-services/Chart.yaml
+++ b/kubernetes/dcaegen2-services/Chart.yaml
@@ -1,8 +1,9 @@
#============LICENSE_START========================================================
# ================================================================================
-# Copyright (c) 2020 J. F. Lucas. All rights reserved.
+# Copyright (c) 2020, 2024 J. F. Lucas. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,10 +19,10 @@
# ============LICENSE_END=========================================================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "NewDelhi"
description: DCAE Microservices
name: dcaegen2-services
-version: 13.0.0
+version: 13.0.2
dependencies:
- name: common
diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml
index dade6c34fb..5f2eb49546 100644
--- a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml
@@ -3,6 +3,7 @@
# Copyright (c) 2021 AT&T Intellectual Property
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Copyright (c) 2024 J. F. Lucas. All rights reserved.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,10 +19,10 @@
# ================================= LICENSE_END ==============================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "NewDelhi"
description: DCAE SNMPTrap Collector
name: dcae-snmptrap-collector
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: common
diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml
index 01d4316d46..ab768efe6a 100644
--- a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml
@@ -35,7 +35,7 @@ filebeatConfig:
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.collectors.snmptrap:2.0.7
+image: onap/org.onap.dcaegen2.collectors.snmptrap:2.0.8
pullPolicy: Always
# Log directory where logging sidecar should look for log files
@@ -80,7 +80,7 @@ applicationConfig:
dns_cache_ttl_seconds: 60
services_calls: {}
snmptrapd:
- version: '2.0.4'
+ version: '2.0.8'
title: ONAP SNMP Trap Receiver
sw_interval_in_seconds: 60
streams_publishes:
@@ -88,8 +88,8 @@ applicationConfig:
dmaap_info:
topic_url: http://message-router:3904/events/unauthenticated.ONAP-COLLECTOR-SNMPTRAP
type: message_router
- aaf_password: null
- aaf_username: null
+ aaf_password: ""
+ aaf_username: ""
files:
runtime_base_dir: "/opt/app/snmptrap"
log_dir: logs
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml
index 0eebf3f725..2f4baac11c 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml
@@ -3,6 +3,7 @@
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,10 +19,10 @@
# ============LICENSE_END=========================================================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "NewDelhi"
description: DCAE VES Collector
name: dcae-ves-collector
-version: 13.0.0
+version: 13.1.0
dependencies:
- name: common
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkatopic.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkatopic.yaml
new file mode 100644
index 0000000000..8e3ee32cb2
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkatopic.yaml
@@ -0,0 +1,16 @@
+{{/*
+# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{ include "common.kafkatopic" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkauser.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkauser.yaml
new file mode 100644
index 0000000000..5c7edd5b19
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkauser.yaml
@@ -0,0 +1,16 @@
+{{/*
+# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{ include "common.kafkauser" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/secret.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/secret.yaml
new file mode 100644
index 0000000000..4d82cf3b47
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/secret.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
index ab538fd4a6..67b8824740 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
@@ -3,6 +3,7 @@
# Copyright (c) 2021-2022 Nokia. All rights reserved.
# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved.
# Copyright (c) 2022 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -41,7 +42,7 @@ certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-
# Application configuration defaults.
#################################################################
# application image
-image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.12.3
+image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.12.4
pullPolicy: Always
# log directory where logging sidecar should look for log files
@@ -121,6 +122,77 @@ serviceMesh:
applicationEnv:
CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml'
LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true'
+ BOOTSTRAP_SERVERS: '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092'
+ JAAS_CONFIG:
+ externalSecret: true
+ externalSecretUid: '{{ include "common.name" . }}-ku'
+ key: sasl.jaas.config
+
+# Strimzi Kafka config
+kafkaUser:
+ acls:
+ - name: unauthenticated.VES_PNFREG_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.VES_NOTIFICATION_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_HEARTBEAT_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_OTHER_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_FAULT_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.VES_MEASUREMENT_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+
+kafkaTopic:
+ - name: unauthenticated.VES_PNFREG_OUTPUT
+ strimziTopicName: unauthenticated.ves-pnfreg-output
+ - name: unauthenticated.VES_NOTIFICATION_OUTPUT
+ strimziTopicName: unauthenticated.ves-notification-output
+ - name: unauthenticated.SEC_HEARTBEAT_OUTPUT
+ strimziTopicName: unauthenticated.sec-heartbeat-output
+ - name: unauthenticated.SEC_OTHER_OUTPUT
+ strimziTopicName: unauthenticated.sec-other-output
+ - name: unauthenticated.SEC_FAULT_OUTPUT
+ strimziTopicName: unauthenticated.sec-fault-output
+ - name: unauthenticated.VES_MEASUREMENT_OUTPUT
+ strimziTopicName: unauthenticated.ves-measurment-output
+ - name: unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT
+ strimziTopicName: unauthenticated.sec-3gpp-faultsupervision-output
+ - name: unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT
+ strimziTopicName: unauthenticated.sec-3gpp-provisioning-output
+ - name: unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT
+ strimziTopicName: unauthenticated.sec-3gpp-heartbeat-output
+ - name: unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT
+ strimziTopicName: unauthenticated.sec-3gpp-performanceassurance-output
# initial application configuration
applicationConfig:
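Review bot: In `kafkaTopic`, `strimziTopicName: unauthenticated.ves-measurment-output` is misspelled ("measurment"), unlike every other entry, which mirrors its `name` in lower case; it should read `unauthenticated.ves-measurement-output`, or carry a comment if the spelling has to match an existing resource. `BOOTSTRAP_SERVERS` points at port 9092; a comment saying which listener that is and whether it is TLS-protected would be useful, since the SASL credential taken from `JAAS_CONFIG` is presented over that connection. The `applicationConfig` block continues outside this hunk.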
diff --git a/kubernetes/platform/Chart.yaml b/kubernetes/platform/Chart.yaml
index 19acda10fd..aec56cf9a1 100644
--- a/kubernetes/platform/Chart.yaml
+++ b/kubernetes/platform/Chart.yaml
@@ -19,7 +19,7 @@
apiVersion: v2
description: ONAP platform components
name: platform
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: oom-cert-service
diff --git a/kubernetes/platform/components/keycloak-init/Chart.yaml b/kubernetes/platform/components/keycloak-init/Chart.yaml
index b7bde042b2..44ac9f5213 100644
--- a/kubernetes/platform/components/keycloak-init/Chart.yaml
+++ b/kubernetes/platform/components/keycloak-init/Chart.yaml
@@ -16,7 +16,7 @@
# limitations under the License.
# ============LICENSE_END=========================================================
apiVersion: v2
-version: 13.0.0
+version: 13.0.1
description: ONAP Realm creation and configuration
name: keycloak-init
sources:
@@ -31,5 +31,5 @@ dependencies:
version: ~13.x-0
repository: '@local'
- name: onap-keycloak-config-cli
- version: 5.6.1
+ version: 5.10.0
repository: 'file://components/keycloak-config-cli'
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml
index e4c4619d2a..abcf889834 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml
+++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml
@@ -20,8 +20,8 @@ apiVersion: v2
name: onap-keycloak-config-cli
description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
home: https://github.com/adorsys/keycloak-config-cli
-version: 5.6.1
-appVersion: 5.6.1
+version: 5.10.0
+appVersion: 5.10.0
maintainers:
- name: jkroepke
email: joe@adorsys.de
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml
index 14870e6542..46c67dd220 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml
+++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml
@@ -23,7 +23,7 @@ nameOverride: ""
image:
repository: adorsys/keycloak-config-cli
- tag: "{{ .Chart.AppVersion }}-19.0.3"
+ tag: "{{ .Chart.AppVersion }}-22.0.4"
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
diff --git a/kubernetes/platform/components/keycloak-init/templates/ingress.yaml b/kubernetes/platform/components/keycloak-init/templates/ingress.yaml
deleted file mode 100644
index 6ca7ceccd3..0000000000
--- a/kubernetes/platform/components/keycloak-init/templates/ingress.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Deutsche Telekom
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.ingress" . }} \ No newline at end of file
diff --git a/kubernetes/platform/components/keycloak-init/values.yaml b/kubernetes/platform/components/keycloak-init/values.yaml
index 9fbaedcf67..a33ef2c932 100644
--- a/kubernetes/platform/components/keycloak-init/values.yaml
+++ b/kubernetes/platform/components/keycloak-init/values.yaml
@@ -23,26 +23,18 @@ KEYCLOAK_URL: &kc-url "https://keycloak-ui.simpledemo.onap.org/auth/"
PORTAL_URL: "https://portal-ui.simpledemo.onap.org"
onap-keycloak-config-cli:
+ image:
+ pullSecrets:
+ - name: onap-docker-registry-key
#existingSecret: "keycloak-keycloakx-admin-creds"
env:
- KEYCLOAK_URL: http://keycloak-http.keycloak.svc.cluster.local/auth/
+ KEYCLOAK_URL: http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/
KEYCLOAK_SSLVERIFY: "false"
KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true"
secrets:
KEYCLOAK_PASSWORD: secret
existingConfigSecret: "keycloak-config-cli-config-realms"
-ingress:
- service:
- - baseaddr: "keycloak-ui"
- name: "keycloak-http.keycloak.svc.cluster.local"
- path: "/auth"
- port: 80
- # If `true`, an Ingress is created
- enabled: false
- config:
- ssl: "redirect"
-
serviceAccount:
nameOverride: keycloak-init
roles:
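Review bot: The updated `KEYCLOAK_URL` under `env:` still uses `http://`, so keycloak-config-cli would log in to the Keycloak admin API over an unencrypted connection unless something outside this file (a service mesh, for example) encrypts that path, which the hunk does not show. The unchanged `KEYCLOAK_SSLVERIFY: "false"` beside it means that changing the scheme alone would not add certificate verification, and `KEYCLOAK_PASSWORD: secret` remains the default while `existingSecret` stays commented out. I would at least mark these as demo defaults with a comment above `env:`, such as `# demo defaults: plain HTTP, no TLS verification, placeholder admin password - set https and existingSecret outside lab setups`. The `serviceAccount` mapping at the end of the hunk continues outside it.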
diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml
index 3544a8ac50..19b7a1979b 100755
--- a/kubernetes/policy/Chart.yaml
+++ b/kubernetes/policy/Chart.yaml
@@ -18,7 +18,7 @@
apiVersion: v2
description: ONAP Policy
name: policy
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: common
@@ -27,7 +27,7 @@ dependencies:
- name: mariadb-galera
version: ~13.x-0
repository: '@local'
- condition: global.mariadb.localCluster
+ condition: global.mariadbGalera.localCluster
- name: policy-nexus
version: ~13.x-0
repository: 'file://components/policy-nexus'
diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml
index 47ced8afd8..5628ade48a 100755
--- a/kubernetes/policy/values.yaml
+++ b/kubernetes/policy/values.yaml
@@ -18,7 +18,12 @@
# Global configuration defaults.
#################################################################
global:
- mariadb:
+ mariadbGalera:
+ # flag to enable the DB creation via mariadb-operator
+ useOperator: true
+ # if useOperator set to "true", set "enableServiceAccount to "false"
+ # as the SA is created by the Operator
+ enableServiceAccount: false
localCluster: true
# '&mariadbConfig' means we "store" the values for later use in the file
# with '*mariadbConfig' pointer.
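Review bot: Renaming `global.mariadb` to `global.mariadbGalera` means an override file that still sets `global.mariadb.localCluster` would, with Helm's default value handling, be ignored without an error, and the chart then falls back to the new defaults `localCluster: true` and `useOperator: true`. The same rename is applied to the dependency `condition` in the policy Chart.yaml hunk. A short migration comment above the key would help, e.g. `# renamed from global.mariadb - update existing override files`. The added comment also has unbalanced quotes and should read `# if useOperator is set to "true", set "enableServiceAccount" to "false"`. The `global:` mapping continues outside the hunk.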
@@ -27,6 +32,9 @@ global:
service: &mariadbService
name: &policy-mariadb policy-mariadb
internalPort: 3306
+ nameOverride: *policy-mariadb
+ # (optional) if localCluster=false and an external secret is used set this variable
+ #userRootSecret: <secretName>
prometheusEnabled: false
postgres:
localCluster: false
@@ -53,7 +61,19 @@ secrets:
- uid: db-root-password
name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password'
type: password
- externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) (hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret"))}}'
+ externalSecret: '{{ .Values.global.mariadbGalera.localCluster |
+ ternary (( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) |
+ ternary
+ ""
+ (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .)
+ )
+ ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) |
+ ternary
+ .Values.global.mariadbGalera.userRootSecret
+ (include "common.mariadb.secret.rootPassSecretName"
+ (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)
+ )
+ ) }}'
password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}'
policy: generate
- uid: db-secret
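Review bot: The new `externalSecret` expression for `db-root-password` decides which secret holds the database root password through two nested `ternary` calls, and nothing in the file states the resulting precedence. I would document it directly above the key with `# localCluster=true: mariadb-galera.rootUser.externalSecret, or empty when that is this chart's own policy-db-root-password secret` and `# localCluster=false: global.mariadbGalera.userRootSecret if set, else the root secret name derived from global.mariadbGalera.nameOverride`. `ternary` is an ordinary template function, so both branches are rendered on every evaluation: the `include "common.mariadb.secret.rootPassSecretName"` call and the `hasSuffix` on `rootUser.externalSecret` both run regardless of `localCluster`. Whether either can fail on an unset value is not visible here and is worth checking with `helm template` for both settings. The `secrets:` list continues outside the hunk.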
@@ -210,7 +230,7 @@ config:
someConfig: blah
mariadb-galera:
- # mariadb-galera.config and global.mariadb.config must be equals
+ # mariadb-galera.config and global.mariadbGalera.config must be equals
db:
user: policy-user
# password:
@@ -219,7 +239,7 @@ mariadb-galera:
rootUser:
externalSecret: *dbRootPassSecretName
nameOverride: *policy-mariadb
- # mariadb-galera.service and global.mariadb.service must be equals
+ # mariadb-galera.service and global.mariadbGalera.service must be equals
service: *mariadbService
replicaCount: 1
mariadbOperator: