diff options
42 files changed, 919 insertions, 643 deletions
diff --git a/kubernetes/aai/components/aai-traversal/templates/job.yaml b/kubernetes/aai/components/aai-traversal/templates/job.yaml index 16e932e293..3977f827d6 100644 --- a/kubernetes/aai/components/aai-traversal/templates/job.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/job.yaml @@ -88,7 +88,7 @@ spec: image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - - bash + - sh - "-c" - | set -x; diff --git a/kubernetes/common/common/Chart.yaml b/kubernetes/common/common/Chart.yaml index 787930a473..10894bd006 100644 --- a/kubernetes/common/common/Chart.yaml +++ b/kubernetes/common/common/Chart.yaml @@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,4 +17,4 @@ apiVersion: v2 description: Common templates for inclusion in other charts name: common -version: 13.2.1 +version: 13.2.3 diff --git a/kubernetes/common/common/templates/_cassOp.tpl b/kubernetes/common/common/templates/_cassOp.tpl index bdcf5caa02..588af1aa1a 100644 --- a/kubernetes/common/common/templates/_cassOp.tpl +++ b/kubernetes/common/common/templates/_cassOp.tpl @@ -1,5 +1,5 @@ {{/* -# Copyright © 2022 Deutsche Telekom AG +# Copyright © 2022-2024 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -45,6 +45,29 @@ spec: endpoint: address: 0.0.0.0 {{- end }} + podSecurityContext: + fsGroup: 1001 + runAsGroup: 1001 + runAsUser: 1001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + initContainerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + - CAP_NET_RAW {{- end }} {{ if .Values.k8ssandraOperator.stargate.enabled -}} stargate: @@ -111,6 +134,44 @@ spec: name: {{ $datacenter.name }} size: {{ $datacenter.size }} {{- end }} + initContainers: + - name: server-config-init-base + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + - name: server-config-init + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + containers: + - name: cassandra + securityContext: + allowPrivilegeEscalation: false + #readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + - name: server-system-logger + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + - CAP_NET_RAW podSecurityContext: fsGroup: 999 runAsGroup: 999 diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index 6e460d9267..505d80560d 100644 --- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl @@ -27,10 +27,23 @@ true {{- end -}} {{/* + Calculate if we require a sidecar killer. +*/}} +{{- define "common.requireSidecarKiller" -}} +{{- if (include "common.onServiceMesh" .) }} +{{- if eq .Values.global.serviceMesh.engine "istio" }} +{{- if not (default false .Values.global.serviceMesh.nativeSidecars) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* Kills the sidecar proxy associated with a pod. */}} {{- define "common.serviceMesh.killSidecar" -}} -{{- if (include "common.onServiceMesh" .) }} +{{- if (include "common.requireSidecarKiller" .) }} RCODE="$?"; echo "*** script finished with exit code $RCODE" ; echo "*** killing service mesh sidecar" ; @@ -47,7 +60,7 @@ exit "$RCODE" {{- define "common.waitForJobContainer" -}} {{- $dot := default . .dot -}} {{- $wait_for_job_container := default $dot.Values.wait_for_job_container .wait_for_job_container -}} -{{- if (include "common.onServiceMesh" .) }} +{{- if (include "common.requireSidecarKiller" .) }} - name: {{ include "common.name" $dot }}{{ ternary "" (printf "-%s" $wait_for_job_container.name) (empty $wait_for_job_container.name) }}-service-mesh-wait-for-job-container image: {{ include "repositoryGenerator.image.quitQuit" $dot }} imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} diff --git a/kubernetes/common/mariadb-init/Chart.yaml b/kubernetes/common/mariadb-init/Chart.yaml index 6414785154..0ac3750bb1 100644 --- a/kubernetes/common/mariadb-init/Chart.yaml +++ b/kubernetes/common/mariadb-init/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2018 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,7 +18,7 @@ apiVersion: v2 description: Chart for MariaDB Galera init job name: mariadb-init -version: 13.0.1 +version: 13.0.2 dependencies: - name: common diff --git a/kubernetes/common/mongodb-init/.helmignore b/kubernetes/common/mongodb-init/.helmignore new file mode 100644 index 0000000000..0bab41b6b1 --- /dev/null +++ b/kubernetes/common/mongodb-init/.helmignore @@ -0,0 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/mongodb-init/Chart.yaml b/kubernetes/common/mongodb-init/Chart.yaml new file mode 100644 index 0000000000..0cdeecf84b --- /dev/null +++ b/kubernetes/common/mongodb-init/Chart.yaml @@ -0,0 +1,32 @@ +# Copyright © 2024 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: Chart for MongoDB init job +name: mongodb-init +version: 13.0.2 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/mongodb-init/README.md b/kubernetes/common/mongodb-init/README.md new file mode 100644 index 0000000000..aa6c735744 --- /dev/null +++ b/kubernetes/common/mongodb-init/README.md @@ -0,0 +1,16 @@ +# mongodb-init + +## Introduction + +Initialization scripts for mongo database. + +- not part of ONAP OOM yet + +## Requirements + +mongodb-init needs the following ONAP projects to work: + +- common/common +- common/repositoryGenerator +- common/serviceAccount +- common/readinessCheck diff --git a/kubernetes/common/mongodb-init/resources/config/setup.sql b/kubernetes/common/mongodb-init/resources/config/setup.sql new file mode 100644 index 0000000000..452ee187df --- /dev/null +++ b/kubernetes/common/mongodb-init/resources/config/setup.sql @@ -0,0 +1,11 @@ +// Database Setup +use ${MONGO_DATABASE} + +// UserCreation Setup +db.createUser( + { + user: "${MONGODB_USER}", + pwd: "${MONGODB_PASSWORD}", + roles: [ { role: "readWrite", db: "${MONGO_DATABASE}" } ] + } +) diff --git a/kubernetes/common/mongodb-init/templates/configmap.yaml b/kubernetes/common/mongodb-init/templates/configmap.yaml new file mode 100644 index 0000000000..bde790f205 --- /dev/null +++ b/kubernetes/common/mongodb-init/templates/configmap.yaml @@ -0,0 +1,29 @@ +{{/* +# Copyright © 2024 Deutsche Telekom +# +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/mongodb-init/templates/job.yaml b/kubernetes/common/mongodb-init/templates/job.yaml new file mode 100644 index 0000000000..5e232e26d3 --- /dev/null +++ b/kubernetes/common/mongodb-init/templates/job.yaml @@ -0,0 +1,129 @@ +{{/* +# Copyright © 2024 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.fullname" . }}-config-job + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + backoffLimit: 20 + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + name: {{ include "common.name" . }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + - name: {{ include "common.name" . }}-update-config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + command: + - sh + args: + - -c + - | + function prepare_password { + echo -n $1 | sed -e "s/'/''/g" + } + export MONGODB_PASSWORD=`prepare_password $MONGODB_PASSWORD_INPUT`; + export MONGODB_ROOT_PASSWORD=`prepare_password $MONGODB_ROOT_PASSWORD_INPUT`; + export MONGODB_USER=`prepare_password $MONGODB_USER_INPUT`; + export MONGODB_ROOT_USER=`prepare_password $MONGODB_ROOT_USER_INPUT`; + {{- if include "common.onServiceMesh" . }} + echo "waiting 15s for istio side cars to be up"; sleep 15s; + {{- end }} + cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done; + env: + - name: MONGODB_HOST + value: "{{ .Values.global.mongodb.service.name }}" + - name: MONGODB_USER_INPUT + #value: "{{ .Values.config.mgUserName }}" + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" .Values.config.mgDatabase "key" "login") | indent 10 }} + - name: MONGODB_PASSWORD_INPUT + #value: "{{ .Values.config.mgUserPassword }}" + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" .Values.config.mgDatabase "key" "password") | indent 10 }} + - name: MONGO_DATABASE + value: "{{ .Values.config.mgDatabase }}" + - name: MONGODB_ROOT_USER_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" .Values.config.mgRootUserKey) | indent 10 }} + - name: MONGODB_ROOT_PASSWORD_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" .Values.config.mgRootPasswordKey) | indent 10 }} + volumeMounts: + - mountPath: /config-input/setup.sql + name: config + subPath: setup.sql + - mountPath: /config + name: mgconf + containers: + - name: {{ include "common.name" . }}-setup-db + image: {{ include "repositoryGenerator.image.mongodbImage" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + command: + - sh + args: + - -c + - | + function prepare_password { + echo -n $1 | sed -e "s/'/''/g" + } + export MONGODB_ROOT_USER=`prepare_password $MONGODB_ROOT_USER_INPUT`; + export MONGODB_ROOT_PASSWORD=`prepare_password $MONGODB_ROOT_PASSWORD_INPUT`; + mongosh "mongodb://${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$MONGODB_HOST" < /config/setup.sql + env: + - name: MONGODB_HOST + value: "{{ .Values.global.mongodb.service.name }}" + - name: MONGODB_ROOT_USER_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" "MONGODB_DATABASE_ADMIN_USER") | indent 10 }} + - name: MONGODB_ROOT_PASSWORD_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" "MONGODB_DATABASE_ADMIN_PASSWORD") | indent 10 }} + volumeMounts: + - mountPath: /config-input/setup.sql + name: config + subPath: setup.sql + - mountPath: /config + name: mgconf + resources: {{ include "common.resources" . | nindent 10 }} + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: config + configMap: + name: {{ include "common.fullname" . }} + - name: mgconf + emptyDir: + medium: Memory + sizeLimit: 64Mi + restartPolicy: Never + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/common/mongodb-init/templates/secrets.yaml b/kubernetes/common/mongodb-init/templates/secrets.yaml new file mode 100644 index 0000000000..577d9d581e --- /dev/null +++ b/kubernetes/common/mongodb-init/templates/secrets.yaml @@ -0,0 +1,15 @@ +{{/* +# ## Copyright © 2024 Deutsche Telekom +# # Licensed under the Apache License, Version 2.0 (the "License"); +# # you may not use this file except in compliance with the License. +# # You may obtain a copy of the License at +# # +# # http://www.apache.org/licenses/LICENSE-2.0 +# # +# # Unless required by applicable law or agreed to in writing, software +# # distributed under the License is distributed on an "AS IS" BASIS, +# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# # See the License for the specific language governing permissions and +# # limitations under the License. +*/}} +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/mongodb-init/values.yaml b/kubernetes/common/mongodb-init/values.yaml new file mode 100644 index 0000000000..478fab5cdd --- /dev/null +++ b/kubernetes/common/mongodb-init/values.yaml @@ -0,0 +1,108 @@ +# Copyright © 2024 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + mongodb: + service: + name: mgset + container: + name: mongodb + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: '{{ include "common.mongodb.secret.rootPassUID" . }}' + type: password + externalSecret: '{{ tpl (default "" .Values.config.mgExternalSecret) . }}' + password: '{{ .Values.config.mgRootPasswordKey }}' + - uid: '{{ .Values.config.mgDatabase }}' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.mgUserExternalSecret) . }}' + login: '{{ .Values.config.mgUserName }}' + password: '{{ .Values.config.mgUserPassword }}' + +################################################################# +# Application configuration defaults. +################################################################# + +pullPolicy: Always + +# application configuration +config: + mgUserName: testuser + mgUserPassword: testuser123 + mgDatabase: testdb + mgDataPath: data + #mgRootPasswordExternalSecret: '{{ include "common.namespace" . }}-mongodb-db-root-password' + mgExternalSecret: '{{ include "common.name" . }}-mongo-secrets' + mgRootUserKey: MONGODB_DATABASE_ADMIN_USER + mgRootPasswordKey: MONGODB_DATABASE_ADMIN_PASSWORD + mgUserExternalSecret: '{{ include "common.release" . }}-{{ include "common.name" . }}-mg-secret' + +nodeSelector: {} + +affinity: {} + +flavor: small + +#resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# +# Example: +# Configure resource requests and limits +# ref: http://kubernetes.io/docs/user-guide/compute-resources/ +# Minimum memory for development is 2 CPU cores and 4GB memory +# Minimum memory for production is 4 CPU cores and 8GB memory +resources: + small: + limits: + cpu: "100m" + memory: "0.3Gi" + requests: + cpu: "10m" + memory: "0.09Gi" + large: + limits: + cpu: "2" + memory: "4Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: mongodb-init + roles: + - read + +securityContext: + user_id: 100 + group_id: 65533 + +readinessCheck: + wait_for: + services: + - '{{ .Values.global.mongodb.service.name }}' + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-setup-db' diff --git a/kubernetes/common/postgres-init/Chart.yaml b/kubernetes/common/postgres-init/Chart.yaml index be9ecc2f5f..342854c71a 100644 --- a/kubernetes/common/postgres-init/Chart.yaml +++ b/kubernetes/common/postgres-init/Chart.yaml @@ -16,7 +16,7 @@ apiVersion: v2 description: Chart for Postgres init job name: postgres-init -version: 13.0.1 +version: 13.0.2 dependencies: diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index 1da838a5b9..e708926049 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl @@ -2,6 +2,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Copyright © 2021 AT&T # Modifications Copyright (C) 2021 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -139,6 +140,10 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "nginxImage") .) }} {{- end -}} +{{- define "repositoryGenerator.image.mongodbImage" -}} + {{- include "repositoryGenerator.image._helper" (merge (dict "image" "mongodbImage") .) }} +{{- end -}} + {{- define "repositoryGenerator.image.postgres" -}} {{- include "repositoryGenerator.image._helper" (merge (dict "image" "postgresImage") .) }} {{- end -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index da10d82035..1c0909fce1 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml @@ -37,6 +37,7 @@ global: kubectlImage: bitnami/kubectl:1.22.4 loggingImage: beats/filebeat:5.5.0 mariadbImage: bitnami/mariadb:10.5.8 + mongodbImage: percona/percona-server-mongodb:7.0.5-3 nginxImage: bitnami/nginx:1.21.4 postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 readinessImage: onap/oom/readiness:6.0.3 @@ -71,6 +72,7 @@ imageRepoMapping: kubectlImage: dockerHubRepository loggingImage: elasticRepository mariadbImage: dockerHubRepository + mongodbImage: dockerHubRepository nginxImage: dockerHubRepository postgresImage: dockerHubRepository readinessImage: repository diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index c37b0fcdbc..663712cac5 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -96,6 +96,10 @@ global: # mariadb client image mariadbImage: bitnami/mariadb:10.5.8 + # mongodb server image + + mongodbImage: percona/percona-server-mongodb:7.0.5-3 + # nginx server image nginxImage: bitnami/nginx:1.21.4 @@ -199,6 +203,9 @@ global: tls: true # be aware that linkerd is not well tested engine: "istio" # valid value: istio or linkerd + # if nativeSidecars are enabled in Istio, this value can be set to "true" + # and will disable the deployment of sidecar killer containers in jobs + nativeSidecars: false # Global Istio Authorization Policy configuration authorizationPolicies: diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml index b305ef48e1..ca839f09cc 100755 --- a/kubernetes/policy/Chart.yaml +++ b/kubernetes/policy/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2022, 2023, 2024 Nordix Foundation +# Modifications Copyright © 2021-2024 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP Policy name: policy -version: 14.0.0 +version: 14.0.1 dependencies: - name: common @@ -80,10 +80,6 @@ dependencies: version: ~14.x-0 repository: 'file://components/policy-clamp-runtime-acm' condition: policy-clamp-runtime-acm.enabled - - name: policy-gui - version: ~14.x-0 - repository: 'file://components/policy-gui' - condition: policy-gui.enabled - name: repositoryGenerator version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index 9f225db1b6..b2389b963b 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -122,7 +122,6 @@ serviceMesh: authorizationPolicy: authorizedPrincipals: - serviceAccount: strimzi-kafka-read - - serviceAccount: policy-gui-read flavor: small resources: diff --git a/kubernetes/policy/components/policy-gui/Chart.yaml b/kubernetes/policy/components/policy-gui/Chart.yaml deleted file mode 100644 index 28972b59b0..0000000000 --- a/kubernetes/policy/components/policy-gui/Chart.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP Policy GUI -name: policy-gui -version: 14.0.0 - -dependencies: - - name: repositoryGenerator - version: ~13.x-0 - repository: '@local' - - name: serviceAccount - version: ~13.x-0 - repository: '@local' diff --git a/kubernetes/policy/components/policy-gui/resources/config/application.yml b/kubernetes/policy/components/policy-gui/resources/config/application.yml deleted file mode 100644 index f81a1b452a..0000000000 --- a/kubernetes/policy/components/policy-gui/resources/config/application.yml +++ /dev/null @@ -1,19 +0,0 @@ -server: - port: 2443 - ssl: - enabled: false - -clamp: - url: - disable-ssl-validation: true - disable-ssl-hostname-check: true - -apex-editor: - upload-url: - upload-userid: - -management: - endpoints: - web: - exposure: - include: health, metrics, prometheus diff --git a/kubernetes/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml b/kubernetes/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 0b3951726b..0000000000 --- a/kubernetes/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml +++ /dev/null @@ -1,59 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.log.logstashServiceName}}:{{.Values.config.log.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/policy/components/policy-gui/resources/config/logback.xml b/kubernetes/policy/components/policy-gui/resources/config/logback.xml deleted file mode 100644 index c20df8329d..0000000000 --- a/kubernetes/policy/components/policy-gui/resources/config/logback.xml +++ /dev/null @@ -1,118 +0,0 @@ -<!-- - ============LICENSE_START======================================================= - policy-gui - ================================================================================ - Copyright (C) 2021-2022 Nordix Foundation. - ================================================================================ - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - ============LICENSE_END========================================================= - --> - -<configuration scan="true" scanPeriod="30 seconds" debug="false"> - <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> - <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> - <level>TRACE</level> - </filter> - <encoder> - <pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n - </pattern> - </encoder> - </appender> - - <appender name="ERROR" class="ch.qos.logback.core.rolling.RollingFileAppender"> - <file>${POLICY_LOGS}/error.log</file> - <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> - <fileNamePattern>${POLICY_LOGS}/error.%d{yyyy-MM-dd}.%i.log.zip - </fileNamePattern> - <maxFileSize>50MB</maxFileSize> - <maxHistory>30</maxHistory> - <totalSizeCap>10GB</totalSizeCap> - </rollingPolicy> - <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> - <level>TRACE</level> - </filter> - <encoder> - <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern> - </encoder> - </appender> - - <appender name="asyncError" class="ch.qos.logback.classic.AsyncAppender"> - <appender-ref ref="ERROR" /> - </appender> - - <appender name="DEBUG" class="ch.qos.logback.core.rolling.RollingFileAppender"> - <file>${POLICY_LOGS}/debug.log</file> - <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> - <fileNamePattern>${POLICY_LOGS}/debug.%d{yyyy-MM-dd}.%i.log.zip - </fileNamePattern> - <maxFileSize>50MB</maxFileSize> - <maxHistory>30</maxHistory> - <totalSizeCap>10GB</totalSizeCap> - </rollingPolicy> - <encoder> - <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern> - </encoder> - </appender> - - <appender name="asyncDebug" class="ch.qos.logback.classic.AsyncAppender"> - <appender-ref ref="DEBUG" /> - </appender> - - <appender name="NETWORK" class="ch.qos.logback.core.rolling.RollingFileAppender"> - <file>${POLICY_LOGS}/network.log</file> - <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> - <fileNamePattern>${POLICY_LOGS}/network.%d{yyyy-MM-dd}.%i.log.zip - </fileNamePattern> - <maxFileSize>50MB</maxFileSize> - <maxHistory>30</maxHistory> - <totalSizeCap>10GB</totalSizeCap> - </rollingPolicy> - <encoder> - <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n</pattern> - </encoder> - </appender> - - <appender name="asyncNetwork" class="ch.qos.logback.classic.AsyncAppender"> - <appender-ref ref="NETWORK" /> - </appender> - - <logger name="network" level="TRACE" additivity="false"> - <appender-ref ref="asyncNetwork" /> - </logger> - - <logger name="org.apache" level="TRACE" additivity="false"> - <appender-ref ref="DEBUG" /> - </logger> - - <!-- Spring related loggers --> - <logger name="org.springframework" level="TRACE" additivity="false"> - <appender-ref ref="DEBUG" /> - </logger> - - <!-- GUI related loggers --> - <logger name="org.onap.policy.gui" level="TRACE" additivity="false"> - <appender-ref ref="ERROR" /> - <appender-ref ref="DEBUG" /> - </logger> - - <!-- logback internals logging --> - <logger name="ch.qos.logback.classic" level="INFO" /> - <logger name="ch.qos.logback.core" level="INFO" /> - - <root level="TRACE"> - <appender-ref ref="asyncDebug" /> - <appender-ref ref="asyncError" /> - <appender-ref ref="asyncNetwork" /> - <appender-ref ref="STDOUT" /> - </root> -</configuration> diff --git a/kubernetes/policy/components/policy-gui/templates/NOTES.txt b/kubernetes/policy/components/policy-gui/templates/NOTES.txt deleted file mode 100644 index e44f333e11..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/NOTES.txt +++ /dev/null @@ -1,38 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit https://127.0.0.1:8443 to use your application" - kubectl port-forward $POD_NAME 8443:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/policy/components/policy-gui/templates/configmap.yaml b/kubernetes/policy/components/policy-gui/templates/configmap.yaml deleted file mode 100644 index 9426b0f54f..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/configmap.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*.{xml,yaml,yml}").AsConfig . | indent 2 }} - -{{ include "common.log.configMap" . }} diff --git a/kubernetes/policy/components/policy-gui/templates/deployment.yaml b/kubernetes/policy/components/policy-gui/templates/deployment.yaml deleted file mode 100644 index a236d5f558..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/deployment.yaml +++ /dev/null @@ -1,127 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: POLICY_LOGS - value: {{ .Values.log.path }} - volumeMounts: - - mountPath: /config-input - name: policy-gui-config - - mountPath: /config - name: policy-gui-config-processed - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - - command: - - /app/ready.py - args: - - --service-name - - policy-clamp-runtime-acm - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" - containers: - # side car containers - {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }} - # main container - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/opt/app/policy/gui/bin/policy-gui.sh"] - env: - - name: CLAMP_URL - value: http://policy-clamp-runtime-acm:6969 - ports: {{ include "common.containerPorts" . | nindent 12 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - name: logs - mountPath: {{ .Values.log.path }} - - mountPath: /opt/app/policy/gui/etc/application.yml - name: policy-gui-config-processed - subPath: application.yml - - mountPath: /opt/app/policy/gui/etc/logback.xml - name: policy-gui-config-processed - subPath: logback.xml - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }} - - name: logs - emptyDir: {} - {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} - - name: policy-gui-config - configMap: - name: {{ include "common.fullname" . }}-configmap - defaultMode: 0755 - - name: policy-gui-config-processed - emptyDir: - medium: Memory - {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-gui/templates/ingress.yaml b/kubernetes/policy/components/policy-gui/templates/ingress.yaml deleted file mode 100644 index e3dd7cb0f6..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/ingress.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.ingress" . }} diff --git a/kubernetes/policy/components/policy-gui/templates/secrets.yaml b/kubernetes/policy/components/policy-gui/templates/secrets.yaml deleted file mode 100644 index 2af7fae2d9..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/secrets.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/components/policy-gui/templates/service.yaml b/kubernetes/policy/components/policy-gui/templates/service.yaml deleted file mode 100644 index 36406228d5..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/service.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-gui/values.yaml b/kubernetes/policy/components/policy-gui/values.yaml deleted file mode 100644 index 1533f823a9..0000000000 --- a/kubernetes/policy/components/policy-gui/values.yaml +++ /dev/null @@ -1,130 +0,0 @@ -# ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: # global defaults - nodePortPrefix: 304 - centralizedLoggingEnabled: true - -subChartsOnly: - enabled: true - -flavor: small - -# application image -image: onap/policy-gui:3.1.3 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# log configuration -log: - path: /var/log/onap/policy/gui - -################################################################# -# Application configuration defaults. -################################################################# -config: - log: - logstashServiceName: log-ls - logstashPort: 5044 - dataRootDir: /dockerdata-nfs - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - timeoutSeconds: 3 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - -service: - type: NodePort - name: policy-gui - internalPort: 2443 - ports: - - name: http - port: 2443 - nodePort: 43 - - # see https://wiki.onap.org/display/DW/OOM+NodePort+List - -ingress: - enabled: false - service: - - baseaddr: "policy-ui" - name: "policy-gui" - port: 2443 - config: - ssl: "redirect" - -serviceMesh: - authorizationPolicy: - authorizedPrincipals: - - serviceAccount: istio-ingress - namespace: istio-ingress - - #resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -resources: - small: - limits: - cpu: "1" - memory: "700Mi" - requests: - cpu: "0.5" - memory: "700Mi" - large: - limits: - cpu: "2" - memory: "1.4Gi" - requests: - cpu: "1" - memory: "1.4Gi" - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: policy-gui - roles: - - read diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index cafaa8e57e..68ce42d103 100755 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -1,6 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property -# Modifications Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright (C) 2021-2024 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -157,10 +157,6 @@ policy-nexus: enabled: false config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' -policy-gui: - enabled: false - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' ################################################################# # DB configuration defaults. diff --git a/kubernetes/uui/Chart.yaml b/kubernetes/uui/Chart.yaml index 7c4a5b78ca..900a6c97e1 100644 --- a/kubernetes/uui/Chart.yaml +++ b/kubernetes/uui/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP uui name: uui -version: 13.0.0 +version: 13.1.0 dependencies: - name: common @@ -39,3 +39,6 @@ dependencies: - name: uui-intent-analysis version: ~13.x-0 repository: 'file://components/uui-intent-analysis' + - name: uui-llm-adaptation + version: ~13.x-0 + repository: 'file://components/uui-llm-adaptation' diff --git a/kubernetes/uui/components/uui-llm-adaptation/.helmignore b/kubernetes/uui/components/uui-llm-adaptation/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml b/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml new file mode 100644 index 0000000000..1c36c236ee --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml @@ -0,0 +1,35 @@ +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP uui llm adaptation +name: uui-llm-adaptation +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: postgres + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/uui/components/uui-llm-adaptation/resources/config/llm-adaptation-init.sql b/kubernetes/uui/components/uui-llm-adaptation/resources/config/llm-adaptation-init.sql new file mode 100644 index 0000000000..5379c73864 --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/resources/config/llm-adaptation-init.sql @@ -0,0 +1,23 @@ +-- +-- Copyright (C) 2024 CMCC, Inc. and others. All rights reserved. +-- +-- Licensed under the Apache License, Version 2.0 (the "License"); +-- you may not use this file except in compliance with the License. +-- You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- + +CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; + +create table if not exists intent( + intent_id varchar(255) primary key, + intent_name varchar(255), + intent_generateType VARCHAR (225) +);
\ No newline at end of file diff --git a/kubernetes/uui/components/uui-llm-adaptation/resources/entrypoint/run.sh b/kubernetes/uui/components/uui-llm-adaptation/resources/entrypoint/run.sh new file mode 100644 index 0000000000..f1dcefa168 --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/resources/entrypoint/run.sh @@ -0,0 +1,31 @@ +{{/* +# +# Copyright (C) 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +*/}} + +main_path="/home/uui" +echo @main_path@ $main_path + +JAVA_PATH="$JAVA_HOME/bin/java" +JAVA_OPTS="-Xms50m -Xmx128m" +echo @JAVA_PATH@ $JAVA_PATH +echo @JAVA_OPTS@ $JAVA_OPTS + +jar_path="$main_path/usecase-ui-llm-adaptation.jar" +echo @jar_path@ $jar_path + +echo "Starting usecase-ui-llm-adaptation..." +$JAVA_PATH $JAVA_OPTS -classpath $jar_path -jar $jar_path $SPRING_OPTS diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/configmap.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/configmap.yaml new file mode 100644 index 0000000000..3583c416de --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/templates/configmap.yaml @@ -0,0 +1,31 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-entrypoint + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/entrypoint/*").AsConfig . | indent 2 }} diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/deployment.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/deployment.yaml new file mode 100644 index 0000000000..d2824d1bbb --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/templates/deployment.yaml @@ -0,0 +1,74 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.pullPolicy }} + command: ["sh", "-c"] + args: + - ". /uui/run.sh" + ports: {{ include "common.containerPorts" . | nindent 10 }} + env: + - name: POSTGRES_IP + value: {{ .Values.postgres.service.name2 }} + - name: POSTGRES_PORT + value: "{{ .Values.postgres.service.externalPort }}" + - name: POSTGRES_DB_NAME + value: {{ .Values.postgres.config.pgDatabase }} + - name: POSTGRES_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: POSTGRES_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} +{{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} +{{- end }} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + resources: {{ include "common.resources" . | nindent 10 }} +{{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} +{{- end }} +{{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 10 }} +{{- end }} + volumeMounts: + - mountPath: /uui/run.sh + name: entrypoint + subPath: run.sh + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: entrypoint + configMap: + name: {{ include "common.fullname" . }}-entrypoint + defaultMode: 0755 + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/job.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/job.yaml new file mode 100644 index 0000000000..90d6d63dab --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/templates/job.yaml @@ -0,0 +1,82 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.fullname" . }}-init-postgres + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }}-job + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + backoffLimit: 20 + template: + metadata: + labels: + app: {{ include "common.name" . }}-job + release: {{ include "common.release" . }} + spec: + restartPolicy: Never + initContainers: + - command: + - /app/ready.py + args: + - --service-name + - "{{ .Values.postgres.service.name2 }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }}-job + image: {{ include "repositoryGenerator.image.postgres" . }} + imagePullPolicy: {{ .Values.pullPolicy }} + env: + - name: PGUSER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: PGPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + command: + - /bin/sh + - -c + - | + psql -h $(UUI_ADAPTATION_PG_PRIMARY_SERVICE_HOST) -f /aaa/init/llm-adaptation-init.sql -d {{ .Values.postgres.config.pgDatabase }} + volumeMounts: + - name: init-data + mountPath: /aaa/init/llm-adaptation-init.sql + subPath: llm-adaptation-init.sql + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: init-data + configMap: + name: {{ include "common.fullname" . }} diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/secrets.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/secrets.yaml new file mode 100644 index 0000000000..638e02c1e5 --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/templates/secrets.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/service.yaml index 7158c0263f..33e96ef8c4 100644 --- a/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml +++ b/kubernetes/uui/components/uui-llm-adaptation/templates/service.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright © 2023 Nordix Foundation +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.service" . }} diff --git a/kubernetes/uui/components/uui-llm-adaptation/values.yaml b/kubernetes/uui/components/uui-llm-adaptation/values.yaml new file mode 100644 index 0000000000..9010bca0c1 --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/values.yaml @@ -0,0 +1,126 @@ +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for uui llm adaptation. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + passwordStrength: long + +#Pods Service Account +serviceAccount: + nameOverride: uui-llm-adaptation + roles: + - read + +secrets: + - uid: pg-root-pass + name: &pgRootPassSecretName '{{ include "common.release" . }}-uui-adaptation-pg-root-pass' + type: password + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "uui-adaptation-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' + password: '{{ .Values.postgres.config.pgRootpassword }}' + policy: generate + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-uui-adaptation-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "uui-adaptation-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate + +image: onap/usecase-ui-llm-adaptation:14.0.0 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false +flavor: small +replicaCount: 1 +nodeSelector: {} +affinity: {} + +service: + type: ClusterIP + name: uui-llm-adaptation + ports: + - name: http-rest + port: &svc_port 8083 + +liveness: + initialDelaySeconds: 120 + port: *svc_port + periodSeconds: 10 + enabled: true + +readiness: + initialDelaySeconds: 60 + port: *svc_port + periodSeconds: 10 + +# application configuration override for postgres +postgres: + nameOverride: &postgresName uui-adaptation-postgres + service: + name: *postgresName + name2: uui-adaptation-pg-primary + name3: uui-adaptation-pg-replica + container: + name: + primary: uui-adaptation-pg-primary + replica: uui-adaptation-pg-replica + config: + pgUserName: uui + pgDatabase: uuiadaptation + pgUserExternalSecret: *pgUserCredsSecretName + pgRootPasswordExternalSecret: *pgRootPassSecretName + persistence: + mountSubPath: uui/uuiadaptation/data + mountInitPath: uui + +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-job' + +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# +# Example: +# Configure resource requests and limits +# ref: http://kubernetes.io/docs/user-guide/compute-resources/ +# Minimum memory for development is 2 CPU cores and 4GB memory +# Minimum memory for production is 4 CPU cores and 8GB memory +resources: + small: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "200Mi" + large: + limits: + cpu: "4" + memory: "2Gi" + requests: + cpu: "2" + memory: "1Gi" + unlimited: {} + |