Diffstat (limited to 'kubernetes/aai/templates')
-rw-r--r--kubernetes/aai/templates/authorizationpolicy.yaml1
-rw-r--r--kubernetes/aai/templates/configmap.yaml10
-rw-r--r--kubernetes/aai/templates/deployment.yaml94
-rw-r--r--kubernetes/aai/templates/secret.yaml7
-rw-r--r--kubernetes/aai/templates/service.yaml30
5 files changed, 51 insertions, 91 deletions
diff --git a/kubernetes/aai/templates/authorizationpolicy.yaml b/kubernetes/aai/templates/authorizationpolicy.yaml
index fa59f52f35..f48e06eab4 100644
--- a/kubernetes/aai/templates/authorizationpolicy.yaml
+++ b/kubernetes/aai/templates/authorizationpolicy.yaml
@@ -27,6 +27,7 @@ kind: AuthorizationPolicy
metadata:
name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}}
namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
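Review bot: The `matchLabels` selector that closes this hunk may no longer match the pods, because the same commit moves the pod template labels in deployment.yaml to `common.templateMetadata` while this selector is left untouched. Its body lies outside the hunk, so the label keys it names cannot be checked from here. If the helper stops emitting one of those keys, the policy selects no workload and silently stops being applied. I would derive the selector from the helper the Services now use, `matchLabels: {{- include "common.matchLabels" . | nindent 6 }}`, or at least add the comment `# must match the pod labels emitted by common.templateMetadata`.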
diff --git a/kubernetes/aai/templates/configmap.yaml b/kubernetes/aai/templates/configmap.yaml
index dac36d729d..c66af502ac 100644
--- a/kubernetes/aai/templates/configmap.yaml
+++ b/kubernetes/aai/templates/configmap.yaml
@@ -22,12 +22,9 @@ kind: ConfigMap
metadata:
name: aai-deployment-configmap
namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+ labels: {{- include "common.labels" . | nindent 4 }}
data:
+{{ tpl (.Files.Glob "resources/config/haproxy/resolvers.conf").AsConfig . | indent 2 }}
{{ if .Values.global.installSidecarSecurity }}
{{ tpl (.Files.Glob "resources/config/haproxy/haproxy-pluggable-security.cfg").AsConfig . | indent 2 }}
{{ else }}
@@ -40,6 +37,7 @@ kind: Secret
metadata:
name: aai-fproxy-auth-certs
namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
type: Opaque
data:
{{ tpl (.Files.Glob "resources/config/fproxy/auth/*").AsSecrets . | indent 2 }}
@@ -49,6 +47,7 @@ kind: Secret
metadata:
name: aai-rproxy-auth-certs
namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
type: Opaque
data:
{{ tpl (.Files.Glob "resources/config/rproxy/auth/*").AsSecrets . | indent 2 }}
@@ -58,6 +57,7 @@ kind: Secret
metadata:
name: aai-rproxy-security-config
namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
type: Opaque
data:
{{ tpl (.Files.Glob "resources/config/rproxy/security/*").AsSecrets . | indent 2 }}
diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml
index 58bbc8af78..a743592036 100644
--- a/kubernetes/aai/templates/deployment.yaml
+++ b/kubernetes/aai/templates/deployment.yaml
@@ -18,20 +18,7 @@
apiVersion: apps/v1
kind: Deployment
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- app.kubernetes.io/name: {{ include "common.name" . }}
- {{- if .Chart.AppVersion }}
- version: "{{ .Chart.AppVersion | replace "+" "_" }}"
- {{- else }}
- version: "{{ .Chart.Version | replace "+" "_" }}"
- {{- end }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
spec:
selector:
matchLabels:
@@ -46,59 +33,48 @@ spec:
maxSurge: {{ .Values.updateStrategy.maxSurge }}
{{- end }}
template:
- metadata:
- labels:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- app.kubernetes.io/name: {{ include "common.name" . }}
- {{- if .Chart.AppVersion }}
- version: "{{ .Chart.AppVersion | replace "+" "_" }}"
- {{- else }}
- version: "{{ .Chart.Version | replace "+" "_" }}"
- {{- end }}
- name: {{ include "common.release" . }}
- annotations:
- checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- - command:
- - /app/ready.py
- args:
- - --service-name
- - aai-resources
- - --service-name
- - aai-traversal
- - --service-name
- - aai-graphadmin
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- image: {{ include "repositoryGenerator.image.readiness" . }}
+ {{ include "common.readinessCheck.waitFor" . | indent 6 | trim}}
+ - command: ["/bin/sh","-c"]
+ args: ['cp -R /usr/local/etc/haproxy /usr/local/etc/haproxy_rw/']
+ image: '{{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}'
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-readiness
+ name: copy-haproxy-config
resources:
- requests:
- memory: {{ .Values.haproxy.initContainers.resources.memory }}
- cpu: {{ .Values.haproxy.initContainers.resources.cpu }}
limits:
- memory: {{ .Values.haproxy.initContainers.resources.memory }}
- cpu: {{ .Values.haproxy.initContainers.resources.cpu }}
+ cpu: 100m
+ memory: 200Mi
+ requests:
+ cpu: 2m
+ memory: 100Mi
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /usr/local/etc/haproxy_rw
+ name: haproxy-etc
containers:
- name: {{ include "common.name" . }}
- image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}"
+ image: '{{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}'
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
volumeMounts:
+ - mountPath: /usr/local/etc/haproxy
+ name: haproxy-etc
+ - mountPath: /usr/local/etc/haproxy/resolvers.conf
+ name: haproxy-config
+ subPath: resolvers.conf
+ readOnly: true
- mountPath: /usr/local/etc/haproxy/haproxy.cfg
{{ if .Values.global.installSidecarSecurity }}
subPath: haproxy-pluggable-security.cfg
{{ else }}
subPath: haproxy.cfg
{{ end }}
- name: haproxy-cfg
+ name: haproxy-config
ports:
- containerPort: {{ .Values.service.internalPort }}
name: {{ .Values.service.portName }}
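Review bot: The pod template drops the `checksum/config` annotation, and nothing in this hunk shows that `common.templateMetadata` puts it back. Both `haproxy.cfg` and the new `resolvers.conf` are mounted with `subPath`, which does not receive ConfigMap updates, so without the checksum a changed HAProxy or pluggable-security configuration would not reach running pods until they are restarted. If the helper does not emit it, restore the removed line `checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}`. Separately, `cp -R /usr/local/etc/haproxy /usr/local/etc/haproxy_rw/` copies into a nested `haproxy/` directory because the target mount already exists; `cp -R /usr/local/etc/haproxy/. /usr/local/etc/haproxy_rw/` copies the contents instead. The container spec continues outside the hunk.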
@@ -113,7 +89,11 @@ spec:
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end -}}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ resources: {{ include "common.resources" . | nindent 10 }}
readinessProbe:
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
httpGet:
path: /aai/util/echo
port: {{ .Values.service.internalPort }}
@@ -129,9 +109,6 @@ spec:
value: OOM_ReadinessCheck_TID
- name: Accept
value: application/json
- initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
- periodSeconds: {{ .Values.readiness.periodSeconds }}
- resources: {{ include "common.resources" . | nindent 10 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
@@ -142,7 +119,10 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- - name: haproxy-cfg
- configMap:
- name: aai-deployment-configmap
+ - name: haproxy-config
+ configMap:
+ name: aai-deployment-configmap
+ - name: haproxy-etc
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.haProxySizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
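Review bot: `sizeLimit: {{ .Values.volumes.haProxySizeLimit }}` renders an empty value when the key is not set, which would leave the writable `haproxy-etc` emptyDir without a limit. The values file is not part of this page, so whether a default exists cannot be confirmed from here. Failing the render is safer than silently shipping an unbounded volume: `sizeLimit: {{ required "volumes.haProxySizeLimit must be set" .Values.volumes.haProxySizeLimit }}`.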
diff --git a/kubernetes/aai/templates/secret.yaml b/kubernetes/aai/templates/secret.yaml
index d868b9582e..1a592a0801 100644
--- a/kubernetes/aai/templates/secret.yaml
+++ b/kubernetes/aai/templates/secret.yaml
@@ -19,11 +19,7 @@ kind: Secret
metadata:
name: aai-common-aai-auth
namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+ labels: {{- include "common.labels" . | nindent 4 }}
type: Opaque
data:
{{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }}
@@ -33,6 +29,7 @@ kind: Secret
metadata:
name: aai-common-truststore
namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
type: Opaque
data:
{{ tpl (.Files.Glob "resources/config/aai/*").AsSecrets . | indent 2 }}
diff --git a/kubernetes/aai/templates/service.yaml b/kubernetes/aai/templates/service.yaml
index b5a8cc1a0d..1509311a2b 100644
--- a/kubernetes/aai/templates/service.yaml
+++ b/kubernetes/aai/templates/service.yaml
@@ -19,12 +19,7 @@ kind: Service
metadata:
name: {{ include "common.servicename" . }}
namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- app.kubernetes.io/name: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+ labels: {{- include "common.labels" . | nindent 4 }}
spec:
ports:
- name: {{ .Values.service.portName }}
@@ -36,8 +31,7 @@ spec:
{{ end }}
{{- end }}
type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}{{ .Values.service.type }}{{ end }}
- selector:
- app: {{ include "common.name" . }}
+ selector: {{- include "common.matchLabels" . | nindent 4 }}
sessionAffinity: {{ .Values.service.sessionAffinity }}
---
apiVersion: v1
@@ -45,38 +39,26 @@ kind: Service
metadata:
name: {{ include "common.servicename" . }}-internal
namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- app.kubernetes.io/name: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+ labels: {{- include "common.labels" . | nindent 4 }}
spec:
ports:
- name: {{ .Values.service.portName }}
port: {{ .Values.service.externalPort }}
targetPort: {{ .Values.service.internalPort }}
type: ClusterIP
- selector:
- app: {{ include "common.name" . }}
+ selector: {{- include "common.matchLabels" . | nindent 4 }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "common.servicename" . }}-metrics
namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}-metrics
- app.kubernetes.io/name: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+ labels: {{- include "common.labels" . | nindent 4 }}
spec:
ports:
- port: {{ .Values.metricsService.externalPort }}
targetPort: {{ .Values.metricsService.internalPort }}
name: {{ .Values.metricsService.portName }}
type: {{ .Values.metricsService.type }}
- selector:
- app: {{ include "common.name" . }}
+ selector: {{- include "common.matchLabels" . | nindent 4 }}
clusterIP: None
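Review bot: The metrics Service loses its distinguishing label: the removed block set `app: {{ include "common.name" . }}-metrics`, and the replacement `common.labels` line is identical to the one on the main and `-internal` Services. Anything that selects Services by label, such as a metrics scrape configuration, would now either miss this Service or match all three; whether such a selector exists is not visible on this page. If the helper does not already emit an equivalent key, I would add a line under the include such as `app.kubernetes.io/component: metrics`, or at least the comment `# labels are shared with the main Service; select this Service by name`.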