aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/aai
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/aai')
-rw-r--r--kubernetes/aai/components/aai-babel/requirements.yaml3
-rw-r--r--kubernetes/aai/components/aai-babel/resources/config/application.properties25
-rw-r--r--kubernetes/aai/components/aai-babel/resources/config/auth/tomcat_keystorebin2483 -> 0 bytes
-rw-r--r--kubernetes/aai/components/aai-babel/resources/config/logback.xml76
-rw-r--r--kubernetes/aai/components/aai-babel/templates/deployment.yaml52
-rw-r--r--kubernetes/aai/components/aai-babel/templates/secrets.yaml15
-rw-r--r--kubernetes/aai/components/aai-babel/values.yaml40
-rw-r--r--kubernetes/aai/components/aai-graphadmin/requirements.yaml3
-rw-r--r--kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties9
-rw-r--r--kubernetes/aai/components/aai-graphadmin/resources/config/application.properties27
-rw-r--r--kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml10
-rw-r--r--kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml26
-rw-r--r--kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml92
-rw-r--r--kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml104
-rw-r--r--kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml110
-rw-r--r--kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml238
-rw-r--r--kubernetes/aai/components/aai-graphadmin/templates/service.yaml1
-rw-r--r--kubernetes/aai/components/aai-graphadmin/values.yaml70
-rw-r--r--kubernetes/aai/components/aai-modelloader/requirements.yaml3
-rw-r--r--kubernetes/aai/components/aai-modelloader/resources/config/auth/babel-client-cert.p12bin2817 -> 0 bytes
-rw-r--r--kubernetes/aai/components/aai-modelloader/resources/config/auth/tomcat_keystorebin2483 -> 0 bytes
-rw-r--r--kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml31
-rw-r--r--kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties11
-rw-r--r--kubernetes/aai/components/aai-modelloader/templates/deployment.yaml77
-rw-r--r--kubernetes/aai/components/aai-modelloader/templates/ingress.yaml1
-rw-r--r--kubernetes/aai/components/aai-modelloader/templates/service.yaml45
-rw-r--r--kubernetes/aai/components/aai-modelloader/values.yaml63
-rw-r--r--kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties8
-rw-r--r--kubernetes/aai/components/aai-schema-service/config/application.properties10
-rw-r--r--kubernetes/aai/components/aai-schema-service/config/logback.xml5
-rw-r--r--kubernetes/aai/components/aai-schema-service/config/realm.properties1
-rw-r--r--kubernetes/aai/components/aai-schema-service/requirements.yaml3
-rw-r--r--kubernetes/aai/components/aai-schema-service/templates/configmap.yaml8
-rw-r--r--kubernetes/aai/components/aai-schema-service/templates/deployment.yaml70
-rw-r--r--kubernetes/aai/components/aai-schema-service/values.yaml53
-rw-r--r--kubernetes/aai/components/aai-sparky-be/values.yaml2
-rw-r--r--kubernetes/aai/resources/config/aai/aai_keystorebin3846 -> 3636 bytes
-rw-r--r--kubernetes/aai/values.yaml4
38 files changed, 828 insertions, 468 deletions
diff --git a/kubernetes/aai/components/aai-babel/requirements.yaml b/kubernetes/aai/components/aai-babel/requirements.yaml
index a725a4ef30..7a434fc276 100644
--- a/kubernetes/aai/components/aai-babel/requirements.yaml
+++ b/kubernetes/aai/components/aai-babel/requirements.yaml
@@ -21,6 +21,9 @@ dependencies:
# a part of this chart's package and will not
# be published independently to a repo (at this point)
repository: '@local'
+ - name: certInitializer
+ version: ~9.x-0
+ repository: '@local'
- name: repositoryGenerator
version: ~9.x-0
repository: '@local'
diff --git a/kubernetes/aai/components/aai-babel/resources/config/application.properties b/kubernetes/aai/components/aai-babel/resources/config/application.properties
index 21ed6cd9ee..6a3a74c0a6 100644
--- a/kubernetes/aai/components/aai-babel/resources/config/application.properties
+++ b/kubernetes/aai/components/aai-babel/resources/config/application.properties
@@ -1,14 +1,33 @@
+{{/*
+# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
server.port=9516
{{ if ( include "common.needTLS" .) }}
-server.ssl.key-store=${CONFIG_HOME}/auth/tomcat_keystore
+server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+server.ssl.key-store-password=${KEYSTORE_PASSWORD}
+server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
server.ssl.client-auth=need
+server.ssl.key-store-type=PKCS12
{{ else }}
security.require-ssl=false
server.ssl.enabled=false
{{ end }}
+spring.main.allow-bean-definition-overriding=true
server.servlet.context-path=/services/babel-service
-
logging.config=${CONFIG_HOME}/logback.xml
-
tosca.mappings.config=${CONFIG_HOME}/tosca-mappings.json
diff --git a/kubernetes/aai/components/aai-babel/resources/config/auth/tomcat_keystore b/kubernetes/aai/components/aai-babel/resources/config/auth/tomcat_keystore
deleted file mode 100644
index e1d24d9b4d..0000000000
--- a/kubernetes/aai/components/aai-babel/resources/config/auth/tomcat_keystore
+++ /dev/null
Binary files differ
diff --git a/kubernetes/aai/components/aai-babel/resources/config/logback.xml b/kubernetes/aai/components/aai-babel/resources/config/logback.xml
index c29da77d84..125731cf6e 100644
--- a/kubernetes/aai/components/aai-babel/resources/config/logback.xml
+++ b/kubernetes/aai/components/aai-babel/resources/config/logback.xml
@@ -1,6 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,25 +28,20 @@
<property name="auditLogName" value="audit" />
<property name="debugLogName" value="debug" />
- <property name="errorLogPattern"
- value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{TargetEntity}|%mdc{TargetServiceName}|%.-5level|%logger|%mdc{ClassName}|%msg%n" />
+ <property name="errorLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{TargetEntity}|%mdc{TargetServiceName}|%.-5level|%logger|%mdc{ClassName}|%msg%n" />
- <property name="auditLogPattern"
- value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{BeginTimestamp}|%mdc{EndTimestamp}|%mdc{RequestId}|%mdc{ServiceInstanceId}|%thread|%mdc{ServerFQDN}|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{StatusCode}|%mdc{ResponseCode}|%mdc{ResponseDescription}|%logger|%.-5level|||%mdc{ElapsedTime}|%mdc{RemoteHost}|%mdc{ClientAddress}|%mdc{ClassName}|||%msg%n" />
+ <property name="auditLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{BeginTimestamp}|%mdc{EndTimestamp}|%mdc{RequestId}|%mdc{ServiceInstanceId}|%thread|%mdc{ServerFQDN}|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{StatusCode}|%mdc{ResponseCode}|%mdc{ResponseDescription}|%logger|%.-5level|||%mdc{ElapsedTime}|%mdc{RemoteHost}|%mdc{ClientAddress}|%mdc{ClassName}|||%msg%n" />
- <property name="metricsLogPattern"
- value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{BeginTimestamp}|%mdc{EndTimestamp}|%mdc{RequestId}|%mdc{ServiceInstanceId}|%thread|%mdc{ServerFQDN}|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{TargetEntity}|%mdc{TargetServiceName}|%mdc{StatusCode}|%mdc{ResponseCode}|%mdc{ResponseDescription}|%logger|%.-5level|||%mdc{ElapsedTime}|%mdc{RemoteHost}|%mdc{ClientAddress}|%mdc{ClassName}|||%msg%n" />
+ <property name="metricsLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{BeginTimestamp}|%mdc{EndTimestamp}|%mdc{RequestId}|%mdc{ServiceInstanceId}|%thread|%mdc{ServerFQDN}|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{TargetEntity}|%mdc{TargetServiceName}|%mdc{StatusCode}|%mdc{ResponseCode}|%mdc{ResponseDescription}|%logger|%.-5level|||%mdc{ElapsedTime}|%mdc{RemoteHost}|%mdc{ClientAddress}|%mdc{ClassName}|||%msg%n" />
<!-- ============================================================================ -->
<!-- EELF Appenders -->
<!-- ============================================================================ -->
- <appender name="EELF"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${generalLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip
- </fileNamePattern>
+ <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
<maxHistory>60</maxHistory>
</rollingPolicy>
<encoder>
@@ -65,12 +61,10 @@
are specializations of the EELF application root logger and appender. This can be used to segregate Policy engine events
from other components, or it can be eliminated to record these events as part of the application root log. -->
- <appender name="EELFAudit"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELFAudit" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${auditLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip
- </fileNamePattern>
+ <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
<maxHistory>60</maxHistory>
</rollingPolicy>
<encoder>
@@ -82,12 +76,10 @@
<appender-ref ref="EELFAudit" />
</appender>
- <appender name="EELFMetrics"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELFMetrics" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${metricsLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip
- </fileNamePattern>
+ <fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
<maxHistory>60</maxHistory>
</rollingPolicy>
<encoder>
@@ -100,14 +92,10 @@
<appender-ref ref="EELFMetrics" />
</appender>
- <appender name="EELFDebug"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
- <file>
- ${logDirectory}/${debugLogName}.log
- </file>
+ <appender name="EELFDebug" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <file>${logDirectory}/${debugLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip
- </fileNamePattern>
+ <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
<maxHistory>60</maxHistory>
</rollingPolicy>
<encoder>
@@ -119,9 +107,7 @@
<!-- allow only events with a level below INFO, that is TRACE and DEBUG -->
<filter class="ch.qos.logback.core.filter.EvaluatorFilter">
<evaluator class="ch.qos.logback.classic.boolex.GEventEvaluator">
- <expression>
- e.level.toInt() &lt; INFO.toInt()
- </expression>
+ <expression>e.level.toInt() &lt; INFO.toInt()</expression>
</evaluator>
<OnMismatch>DENY</OnMismatch>
<OnMatch>NEUTRAL</OnMatch>
@@ -131,6 +117,15 @@
<includeCallerData>false</includeCallerData>
</appender>
+ <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+ <encoder>
+ <pattern>${errorLogPattern}</pattern>
+ </encoder>
+ </appender>
+ <appender name="AsyncSysOut" class="ch.qos.logback.classic.AsyncAppender">
+ <appender-ref ref="STDOUT" />
+ </appender>
+
<!-- ============================================================================ -->
<!-- Default / root appenders -->
<!-- This determines the logging level for 3rd party code -->
@@ -138,29 +133,34 @@
<root level="INFO">
<appender-ref ref="asyncEELF" />
- <appender-ref ref="asyncEELFDebug" />
-</root>
+ <appender-ref ref="asyncEELFDebug" />
+ <appender-ref ref="AsyncSysOut" />
+ </root>
<!-- ============================================================================ -->
<!-- EELF loggers -->
<!-- ============================================================================ -->
<logger name="com.att.eelf" level="INFO" additivity="false">
- <appender-ref ref="asyncEELF" />
-</logger>
+ <appender-ref ref="asyncEELF" />
+ <appender-ref ref="AsyncSysOut" />
+ </logger>
<!-- The level of this logger determines the contents of the debug log -->
<logger name="com.att.eelf.debug" level="INFO" additivity="false">
- <appender-ref ref="asyncEELFDebug" />
-</logger>
+ <appender-ref ref="asyncEELFDebug" />
+ <appender-ref ref="AsyncSysOut" />
+ </logger>
<logger name="com.att.eelf.audit" level="INFO" additivity="false">
- <appender-ref ref="asyncEELFAudit" />
-</logger>
+ <appender-ref ref="asyncEELFAudit" />
+ <appender-ref ref="AsyncSysOut" />
+ </logger>
<logger name="com.att.eelf.metrics" level="INFO" additivity="false">
- <appender-ref ref="asyncEELFMetrics" />
-</logger>
+ <appender-ref ref="asyncEELFMetrics" />
+ <appender-ref ref="AsyncSysOut" />
+ </logger>
<!-- ============================================================================ -->
<!-- Non-EELF loggers -->
diff --git a/kubernetes/aai/components/aai-babel/templates/deployment.yaml b/kubernetes/aai/components/aai-babel/templates/deployment.yaml
index e12a234b8e..bd6b8c728c 100644
--- a/kubernetes/aai/components/aai-babel/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml
@@ -37,10 +37,22 @@ spec:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{- if .Values.global.aafEnabled }}
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
+ echo "*** actual launch of AAI Babel"
+ /bin/bash /opt/app/babel/bin/start.sh
+ {{- end }}
ports:
- containerPort: {{ .Values.service.internalPort }}
# disable liveness probe when breakpoints set in debugger
@@ -60,35 +72,28 @@ spec:
env:
- name: CONFIG_HOME
value: /opt/app/babel/config
- - name: KEY_STORE_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}-pass
- key: KEY_STORE_PASSWORD
- - name: KEY_MANAGER_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}-pass
- key: KEY_MANAGER_PASSWORD
- volumeMounts:
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
+ - mountPath: /opt/app/babel/config/application.properties
+ name: config
+ subPath: application.properties
- mountPath: /opt/app/babel/config/artifact-generator.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: artifact-generator.properties
- mountPath: /opt/app/babel/config/tosca-mappings.json
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: tosca-mappings.json
- mountPath: /opt/app/babel/config/babel-auth.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: babel-auth.properties
- mountPath: /opt/app/babel/config/auth
- name: {{ include "common.fullname" . }}-secrets
+ name: secrets
- mountPath: {{ .Values.log.path }}
name: logs
- mountPath: /opt/app/babel/config/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
resources:
{{ include "common.resources" . }}
@@ -104,23 +109,14 @@ spec:
# side car containers
{{ include "common.log.sidecar" . | nindent 8 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
- name: localtime
hostPath:
path: /etc/localtime
- - name: {{ include "common.fullname" . }}-config
+ - name: config
configMap:
name: {{ include "common.fullname" . }}-configmap
- items:
- - key: artifact-generator.properties
- path: artifact-generator.properties
- - key: tosca-mappings.json
- path: tosca-mappings.json
- - key: babel-auth.properties
- path: babel-auth.properties
- - key: logback.xml
- path: logback.xml
- - name: {{ include "common.fullname" . }}-secrets
+ - name: secrets
secret:
secretName: {{ include "common.fullname" . }}-babel-secrets
- name: logs
diff --git a/kubernetes/aai/components/aai-babel/templates/secrets.yaml b/kubernetes/aai/components/aai-babel/templates/secrets.yaml
index b81ffa05b9..9d7d2c5a80 100644
--- a/kubernetes/aai/components/aai-babel/templates/secrets.yaml
+++ b/kubernetes/aai/components/aai-babel/templates/secrets.yaml
@@ -29,18 +29,3 @@ metadata:
type: Opaque
data:
{{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-pass
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
- KEY_STORE_PASSWORD: {{ .Values.config.keyStorePassword | b64enc | quote }}
- KEY_MANAGER_PASSWORD: {{ .Values.config.keyManagerPassword | b64enc | quote }}
diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml
index 0c34deae13..3b68f4defe 100644
--- a/kubernetes/aai/components/aai-babel/values.yaml
+++ b/kubernetes/aai/components/aai-babel/values.yaml
@@ -20,6 +20,41 @@
global: {}
#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+ nameOverride: aai-babel-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: aai
+ fqi: aai@aai.onap.org
+ public_fqdn: aai.onap.org
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ fqi_namespace: org.onap.aai
+ aaf_add_config: |
+ echo "*** changing them into shell safe ones"
+ export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ cd {{ .Values.credsPath }}
+ keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
+ -storepass "${cadi_keystore_password_p12}" \
+ -keystore {{ .Values.fqi_namespace }}.p12
+ keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
+ -storepass "${cadi_truststore_password}" \
+ -keystore {{ .Values.fqi_namespace }}.trust.jks
+ echo "*** writing passwords into prop file"
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
+ echo "KEY_STORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "KEY_MANAGER_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "*** change ownership of certificates to targeted user"
+ chown -R 1000 {{ .Values.credsPath }}
+
+#################################################################
# Application configuration defaults.
#################################################################
@@ -29,11 +64,6 @@ image: onap/babel:1.9.1
flavor: small
flavorOverride: small
-# application configuration
-config:
- keyStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
- keyManagerPassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
-
# default number of instances
replicaCount: 1
diff --git a/kubernetes/aai/components/aai-graphadmin/requirements.yaml b/kubernetes/aai/components/aai-graphadmin/requirements.yaml
index d80dc5aea2..5a41aefe84 100644
--- a/kubernetes/aai/components/aai-graphadmin/requirements.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/requirements.yaml
@@ -21,6 +21,9 @@ dependencies:
# a part of this chart's package and will not
# be published independently to a repo (at this point)
repository: '@local'
+ - name: certInitializer
+ version: ~9.x-0
+ repository: '@local'
- name: repositoryGenerator
version: ~9.x-0
repository: '@local'
diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties
index 512e906b00..f768338d99 100644
--- a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties
+++ b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties
@@ -4,6 +4,7 @@
# org.onap.aai
# ================================================================================
# Copyright © 2018 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2021 Orange
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -41,10 +42,10 @@ aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
{{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.global.config.truststore.filename }}
-aai.truststore.passwd.x={{ .Values.global.config.truststore.passwd }}
-aai.keystore.filename={{ .Values.global.config.keystore.filename }}
-aai.keystore.passwd.x={{ .Values.global.config.keystore.passwd }}
+aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
+aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
{{ end }}
aai.notification.current.version={{ .Values.global.config.schema.version.api.default }}
diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties
index 367e9038cd..27606021ef 100644
--- a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties
+++ b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties
@@ -4,6 +4,7 @@
# org.onap.aai
# ================================================================================
# Copyright � 2018 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2021 Orange
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -44,16 +45,16 @@ server.tomcat.max-idle-time=60000
# If you get an application startup failure that the port is already taken
# If thats not it, please check if the key-store file path makes sense
-server.local.startpath=aai-graphadmin/src/main/resources/
+server.local.startpath=/opt/app/aai-graphadmin/resources/
server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties
server.port=8449
{{ if ( include "common.needTLS" .) }}
server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }}
-server.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
-server.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.truststore.filename }}
-server.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
+server.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
+server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+server.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
server.ssl.client-auth=want
server.ssl.key-store-type=JKS
{{ else }}
@@ -103,10 +104,10 @@ schema.service.versions.endpoint=versions
schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
{{ if ( include "common.needTLS" .) }}
-schema.service.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }}
-schema.service.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.truststore.filename }}
-schema.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
-schema.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
+schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+schema.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
+schema.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
{{ end }}
aperture.rdbmsname=aai_relational
@@ -115,9 +116,9 @@ aperture.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .V
aperture.service.base.url=http://localhost:8457/aai/aperture
{{ if ( include "common.needTLS" .) }}
-aperture.service.ssl.key-store=${server.local.startpath}etc/auth/{{ .Values.global.config.keystore.filename }}
-aperture.service.ssl.trust-store=${server.local.startpath}etc/auth/{{ .Values.global.config.truststore.filename }}
-aperture.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
-aperture.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+aperture.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
+aperture.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+aperture.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
+aperture.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
{{ end }}
aperture.service.timeout-in-milliseconds=300000
diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml b/kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml
index 95b8140e0b..243acd2955 100644
--- a/kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml
+++ b/kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml
@@ -839,32 +839,41 @@
<!-- logback jms appenders & loggers definition ends here -->
<logger name="org.onap.aai.aaf" level="DEBUG" additivity="false">
<appender-ref ref="asyncAUTH"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.aailog.filter.RestClientLoggingInterceptor" level="INFO">
<appender-ref ref="asyncMETRIC"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.logging.filter.base.AbstractMetricLogFilter" level="INFO">
<appender-ref ref="asyncMETRIC"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.aailog.logs.AaiScheduledTaskAuditLog" level="INFO">
<appender-ref ref="asyncAUDIT"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.logging.filter.base.AbstractAuditLogFilter" level="INFO">
<appender-ref ref="asyncAUDIT"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.aailog.logs.AaiDBMetricLog" level="INFO">
<appender-ref ref="asyncMETRIC"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.logging.ErrorLogHelper" level="WARN">
<appender-ref ref="asyncERROR"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.interceptors.post" level="DEBUG" additivity="false">
<appender-ref ref="asynctranslog"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.dmaap" level="DEBUG" additivity="false">
<appender-ref ref="dmaapAAIEventConsumer"/>
<appender-ref ref="dmaapAAIEventConsumerDebug"/>
<appender-ref ref="dmaapAAIEventConsumerMetric"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.datasnapshot" level="DEBUG" additivity="false">
<appender-ref ref="dataSnapshot"/>
@@ -938,6 +947,7 @@
<appender-ref ref="asyncDEBUG"/>
<appender-ref ref="asyncERROR"/>
<appender-ref ref="asyncMETRIC"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<root level="DEBUG">
<appender-ref ref="external"/>
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml
index 91cd748066..8eb4a4a781 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml
@@ -4,6 +4,7 @@
# org.onap.aai
# ================================================================================
# Copyright © 2018 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2021 Orange
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,7 +23,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ include "common.fullname" . }}-configmap
+ name: {{ include "common.fullname" . }}
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
@@ -40,16 +41,33 @@ data:
{{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/janusgraph-realtime.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/janusgraph-cached.properties").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-properties
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+ {{- if .Values.global.jobs.migration.enabled }}
+ annotations:
+ "helm.sh/hook": pre-upgrade,pre-install
+ "helm.sh/hook-weight": "0"
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{- end }}
+data:
{{ tpl (.Files.Glob "resources/config/aaiconfig.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }}
-
{{- if .Values.global.jobs.migration.enabled }}
---
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ include "common.fullname" . }}-migration-configmap
+ name: {{ include "common.fullname" . }}-migration
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
index 6de34e9be7..6b58eaa3fd 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
@@ -5,7 +5,7 @@
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -53,7 +53,49 @@ spec:
hostname: aai-graphadmin
terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
{{ if .Values.global.initContainers.enabled }}
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{- if .Values.global.aafEnabled }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: properties-input
+ - mountPath: /config
+ name: properties
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ {{- end }}
- command:
{{ if .Values.global.jobs.migration.enabled }}
- /app/ready.py
@@ -93,46 +135,40 @@ spec:
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
+ value: {{ .Values.securityContext.group_id | quote }}
- name: INTERNAL_PORT_1
value: {{ .Values.service.internalPort | quote }}
- name: INTERNAL_PORT_2
value: {{ .Values.service.internalPort2 | quote }}
- volumeMounts:
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-realtime.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-RES
name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/etc/auth/realm.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: realm.properties
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- {{ $global := . }}
- {{ range $job := .Values.global.config.auth.files }}
- - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
- name: {{ include "common.fullname" $global }}-auth-truststore-sec
- subPath: {{ . }}
- {{ end }}
ports:
- containerPort: {{ .Values.service.internalPort }}
- containerPort: {{ .Values.service.internalPort2 }}
@@ -176,24 +212,22 @@ spec:
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: localtime
hostPath:
path: /etc/localtime
- name: logs
emptyDir: {}
{{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
- - name: {{ include "common.fullname" . }}-config
+ - name: config
+ configMap:
+ name: {{ include "common.fullname" . }}
+ - name: properties-input
configMap:
- name: {{ include "common.fullname" . }}-configmap
- - name: {{ include "common.fullname" . }}-auth-truststore-sec
- secret:
- secretName: aai-common-truststore
- items:
- {{ range $job := .Values.global.config.auth.files }}
- - key: {{ . }}
- path: {{ . }}
- {{ end }}
+ name: {{ include "common.fullname" . }}-properties
+ - name: properties
+ emptyDir:
+ medium: Memory
restartPolicy: {{ .Values.restartPolicy }}
imagePullSecrets:
- name: {{ include "common.namespace" . }}-docker-registry-key
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
index 0cdce11395..d1e72841bc 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
@@ -5,7 +5,7 @@
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -58,8 +58,50 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{- if .Values.global.aafEnabled }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: properties-input
+ - mountPath: /config
+ name: properties
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ {{- end }}
{{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }}
- initContainers:
- command:
- /bin/bash
- -c
@@ -79,65 +121,69 @@ spec:
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- - /bin/bash
+ - sh
+ args:
- -c
- |
- bash docker-entrypoint.sh dataSnapshot.sh ;
+ bash docker-entrypoint.sh dataSnapshot.sh
{{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots
- name: {{ include "common.fullname" . }}-snapshots
+ name: snapshots
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-migration
+ name: migration
subPath: janusgraph-migration-real.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-migration
+ name: migration
subPath: janusgraph-migration-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-RES/
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- resources:
-{{ include "common.resources" . | indent 10 }}
+ resources: {{ include "common.resources" . | nindent 10 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
- {{- end -}}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: localtime
hostPath:
path: /etc/localtime
- - name: {{ include "common.fullname" . }}-logs
+ - name: logs
emptyDir: {}
- - name: {{ include "common.fullname" . }}-config
+ - name: config
+ configMap:
+ name: {{ include "common.fullname" . }}
+ - name: properties-input
configMap:
- name: {{ include "common.fullname" . }}-configmap
- - name: {{ include "common.fullname" . }}-migration
+ name: {{ include "common.fullname" . }}-properties
+ - name: properties
+ emptyDir:
+ medium: Memory
+ - name: migration
configMap:
- name: {{ include "common.fullname" . }}-migration-configmap
- - name: {{ include "common.fullname" . }}-snapshots
+ name: {{ include "common.fullname" . }}-migration
+ - name: snapshots
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-migration
restartPolicy: Never
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
index 1705cf58f8..4a7de648e7 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
@@ -5,7 +5,7 @@
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -53,7 +53,49 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{- if .Values.global.aafEnabled }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: properties-input
+ - mountPath: /config
+ name: properties
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ {{- end }}
- command:
- /app/ready.py
args:
@@ -79,74 +121,64 @@ spec:
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- - /bin/bash
+ - sh
+ args:
- -c
- |
- bash docker-entrypoint.sh createDBSchema.sh ;
+ bash docker-entrypoint.sh createDBSchema.sh
{{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-realtime.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-GA
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- {{ $global := . }}
- {{ range $job := .Values.global.config.auth.files }}
- - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
- name: {{ include "common.fullname" $global }}-auth-truststore-sec
- subPath: {{ . }}
- {{ end }}
- resources:
-{{ include "common.resources" . }}
+ resources: {{ include "common.resources" . | nindent 10 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
- {{- end -}}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: localtime
hostPath:
path: /etc/localtime
{{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
- - name: {{ include "common.fullname" . }}-logs
+ - name: logs
emptyDir: {}
- - name: {{ include "common.fullname" . }}-config
+ - name: config
+ configMap:
+ name: {{ include "common.fullname" . }}
+ - name: properties-input
configMap:
- name: {{ include "common.fullname" . }}-configmap
- - name: {{ include "common.fullname" . }}-auth-truststore-sec
- secret:
- secretName: aai-common-truststore
- items:
- {{ range $job := .Values.global.config.auth.files }}
- - key: {{ . }}
- path: {{ . }}
- {{ end }}
+ name: {{ include "common.fullname" . }}-properties
+ - name: properties
+ emptyDir:
+ medium: Memory
restartPolicy: Never
imagePullSecrets:
- name: {{ include "common.namespace" . }}-docker-registry-key
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
index 5752e54926..1256e71e08 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
@@ -5,7 +5,7 @@
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -58,7 +58,49 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{- if .Values.global.aafEnabled }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: properties-input
+ - mountPath: /config
+ name: properties
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ {{- end }}
- command:
- /app/ready.py
args:
@@ -80,46 +122,42 @@ spec:
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-readiness
- command:
- - /bin/bash
+ - sh
+ args:
- -c
- - bash docker-entrypoint.sh dataRestoreFromSnapshot.sh `ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots|head -1|awk -F".P" '{ print $1 }'`
+ - |
+ bash docker-entrypoint.sh dataRestoreFromSnapshot.sh `ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots|head -1|awk -F".P" '{ print $1 }'`
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-realtime.properties
- mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots
- name: {{ include "common.fullname" . }}-snapshots
+ name: snapshots
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-GA
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- {{ $global := . }}
- {{ range $job := .Values.global.config.auth.files }}
- - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
- name: {{ include "common.fullname" $global }}-auth-truststore-sec
- subPath: {{ . }}
- {{ end }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-restore-backup
@@ -128,57 +166,49 @@ spec:
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-perform-migration
command:
- - /bin/bash
+ - sh
+ args:
- -c
- |
bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ;
{{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-realtime.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-GA
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- {{ $global := . }}
- {{ range $job := .Values.global.config.auth.files }}
- - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
- name: {{ include "common.fullname" $global }}-auth-truststore-sec
- subPath: {{ . }}
- {{ end }}
- resources:
-{{ include "common.resources" . }}
+ resources: {{ include "common.resources" . | nindent 10 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
- {{- end -}}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: localtime
hostPath:
path: /etc/localtime
@@ -191,14 +221,12 @@ spec:
- name: {{ include "common.fullname" . }}-snapshots
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-migration
- - name: {{ include "common.fullname" . }}-auth-truststore-sec
- secret:
- secretName: aai-common-truststore
- items:
- {{ range $job := .Values.global.config.auth.files }}
- - key: {{ . }}
- path: {{ . }}
- {{ end }}
+ - name: properties-input
+ configMap:
+ name: {{ include "common.fullname" . }}-properties
+ - name: properties
+ emptyDir:
+ medium: Memory
restartPolicy: Never
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
@@ -226,8 +254,50 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{- if .Values.global.aafEnabled }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: properties-input
+ - mountPath: /config
+ name: properties
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ {{- end }}
{{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }}
- initContainers:
- command:
- /bin/bash
- -c
@@ -247,65 +317,69 @@ spec:
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- - /bin/bash
+ - sh
+ args:
- -c
- |
- bash docker-entrypoint.sh dataSnapshot.sh ;
+ bash docker-entrypoint.sh dataSnapshot.sh
{{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots
- name: {{ include "common.fullname" . }}-snapshots
+ name: snapshots
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-migration
+ name: migration
subPath: janusgraph-migration-real.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-migration
+ name: migration
subPath: janusgraph-migration-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-RES/
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- resources:
-{{ include "common.resources" . | indent 10 }}
+ resources: {{ include "common.resources" . | nindent 10 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
- {{- end -}}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- volumes:
+ volumes: {{ include "common.resources" . | nindent 10 }}
- name: localtime
hostPath:
path: /etc/localtime
- - name: {{ include "common.fullname" . }}-logs
+ - name: logs
emptyDir: {}
- - name: {{ include "common.fullname" . }}-config
+ - name: config
configMap:
- name: {{ include "common.fullname" . }}-configmap
- - name: {{ include "common.fullname" . }}-migration
+ name: {{ include "common.fullname" . }}
+ - name: properties-input
configMap:
- name: {{ include "common.fullname" . }}-migration-configmap
- - name: {{ include "common.fullname" . }}-snapshots
+ name: {{ include "common.fullname" . }}-properties
+ - name: properties
+ emptyDir:
+ medium: Memory
+ - name: migration
+ configMap:
+ name: {{ include "common.fullname" . }}-migration
+ - name: snapshots
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-migration
restartPolicy: Never
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml
index 85165e2dc4..cf4655361d 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml
@@ -4,6 +4,7 @@
# org.onap.aai
# ================================================================================
# Copyright © 2018 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2021 Orange
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml
index 031a082eac..2774609e8f 100644
--- a/kubernetes/aai/components/aai-graphadmin/values.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/values.yaml
@@ -4,7 +4,7 @@
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -37,8 +37,6 @@ global: # global defaults
migration:
enabled: false
config:
- # User information for the admin user in container
- userId: 1000
# Specifies that the cluster connected to a dynamic
# cluster being spinned up by kubernetes deployment
@@ -96,27 +94,54 @@ global: # global defaults
edge:
label: v12
- # Keystore configuration password and filename
- keystore:
- filename: aai_keystore
- passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
-
- # Truststore configuration password and filename
- truststore:
- filename: aai_keystore
- passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
-
-
-
- # Specifies a list of files to be included in auth volume
- auth:
- files:
- - aai_keystore
-
# Specifies which clients should always default to realtime graph connection
realtime:
clients: SDNC,MSO,SO,robot-ete
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+ nameOverride: aai-graphadmin-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: aai
+ fqi: aai@aai.onap.org
+ public_fqdn: aai.onap.org
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ fqi_namespace: org.onap.aai
+ user_id: &user_id 1000
+ group_id: &group_id 1000
+ aaf_add_config: |
+ echo "*** changing them into shell safe ones"
+ export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export KEYSTORE_JKS_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ cd {{ .Values.credsPath }}
+ keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
+ -storepass "${cadi_keystore_password_p12}" \
+ -keystore {{ .Values.fqi_namespace }}.p12
+ keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
+ -storepass "${cadi_truststore_password}" \
+ -keystore {{ .Values.fqi_namespace }}.trust.jks
+ keytool -storepasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \
+ -storepass "${cadi_keystore_password_jks}" \
+ -keystore {{ .Values.fqi_namespace }}.jks
+ echo "*** set key password as same password as keystore password"
+ keytool -keypasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \
+ -keystore {{ .Values.fqi_namespace }}.jks \
+ -keypass "${cadi_keystore_password_jks}" \
+ -storepass "${KEYSTORE_JKS_PLAIN_PASSWORD}" -alias {{ .Values.fqi }}
+ echo "*** writing passwords into prop file"
+ echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
+ echo "KEYSTORE_JKS_PLAIN_PASSWORD=${KEYSTORE_JKS_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "*** change ownership of certificates to targeted user"
+ chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
# application image
image: onap/aai-graphadmin:1.9.1
@@ -259,6 +284,11 @@ resources:
memory: 2Gi
unlimited: {}
+# Not fully used for now
+securityContext:
+ user_id: *user_id
+ group_id: *group_id
+
#Pods Service Account
serviceAccount:
nameOverride: aai-graphadmin
diff --git a/kubernetes/aai/components/aai-modelloader/requirements.yaml b/kubernetes/aai/components/aai-modelloader/requirements.yaml
index d80dc5aea2..5a41aefe84 100644
--- a/kubernetes/aai/components/aai-modelloader/requirements.yaml
+++ b/kubernetes/aai/components/aai-modelloader/requirements.yaml
@@ -21,6 +21,9 @@ dependencies:
# a part of this chart's package and will not
# be published independently to a repo (at this point)
repository: '@local'
+ - name: certInitializer
+ version: ~9.x-0
+ repository: '@local'
- name: repositoryGenerator
version: ~9.x-0
repository: '@local'
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/auth/babel-client-cert.p12 b/kubernetes/aai/components/aai-modelloader/resources/config/auth/babel-client-cert.p12
deleted file mode 100644
index e64895e911..0000000000
--- a/kubernetes/aai/components/aai-modelloader/resources/config/auth/babel-client-cert.p12
+++ /dev/null
Binary files differ
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/auth/tomcat_keystore b/kubernetes/aai/components/aai-modelloader/resources/config/auth/tomcat_keystore
deleted file mode 100644
index e1d24d9b4d..0000000000
--- a/kubernetes/aai/components/aai-modelloader/resources/config/auth/tomcat_keystore
+++ /dev/null
Binary files differ
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml b/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml
index cd36e799d6..129af8f2ac 100644
--- a/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml
+++ b/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml
@@ -1,6 +1,7 @@
{{/*
<!--
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -26,8 +27,7 @@
<property name="auditLogName" value="audit" />
<property name="debugLogName" value="debug" />
- <property name="errorLogPattern"
- value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|ModelLoader|%mdc{PartnerName}|%logger||%.-5level|%msg%n" />
+ <property name="errorLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|ModelLoader|%mdc{PartnerName}|%logger||%.-5level|%msg%n" />
<property name="auditMetricPattern" value="%m%n" />
<property name="logDirectory" value="${logDir}/${componentName}" />
@@ -35,9 +35,12 @@
<!-- Example evaluator filter applied against console appender -->
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
- <pattern>${defaultPattern}</pattern>
+ <pattern>${errorLogPattern}</pattern>
</encoder>
</appender>
+ <appender name="AsyncSysOut" class="ch.qos.logback.classic.AsyncAppender">
+ <appender-ref ref="STDOUT" />
+ </appender>
<!-- ============================================================================ -->
<!-- EELF Appenders -->
@@ -46,8 +49,7 @@
<!-- The EELFAppender is used to record events to the general application
log -->
- <appender name="EELF"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${generalLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
@@ -66,8 +68,7 @@
<appender-ref ref="EELF" />
</appender>
- <appender name="EELFAudit"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELFAudit" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${auditLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
@@ -82,8 +83,7 @@
<appender-ref ref="EELFAudit" />
</appender>
- <appender name="EELFMetrics"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELFMetrics" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${metricsLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
@@ -98,8 +98,7 @@
<appender-ref ref="EELFMetrics" />
</appender>
- <appender name="EELFDebug"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELFDebug" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${debugLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
@@ -121,12 +120,15 @@
<logger name="com.att.eelf" level="info" additivity="false">
<appender-ref ref="asyncEELF" />
<appender-ref ref="asyncEELFDebug" />
+ <appender-ref ref="AsyncSysOut" />
</logger>
<logger name="com.att.eelf.audit" level="info" additivity="false">
<appender-ref ref="asyncEELFAudit" />
+ <appender-ref ref="AsyncSysOut" />
</logger>
<logger name="com.att.eelf.metrics" level="info" additivity="false">
<appender-ref ref="asyncEELFMetrics" />
+ <appender-ref ref="AsyncSysOut" />
</logger>
<!-- Spring related loggers -->
@@ -162,8 +164,9 @@
<logger name="ch.qos.logback.core" level="WARN" />
<root>
- <appender-ref ref="asyncEELF" />
- <!-- <appender-ref ref="asyncEELFDebug" /> -->
-</root>
+ <appender-ref ref="asyncEELF" />
+ <appender-ref ref="AsyncSysOut" />
+ <!-- <appender-ref ref="asyncEELFDebug" /> -->
+ </root>
</configuration>
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
index 41b855490a..09eb397860 100644
--- a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
+++ b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -20,7 +21,7 @@ ml.distribution.ACTIVE_SERVER_TLS_AUTH=false
ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8443
ml.distribution.ASDC_USE_HTTPS=true
ml.distribution.KEYSTORE_PASSWORD=
-ml.distribution.KEYSTORE_FILE=asdc-client.jks
+ml.distribution.KEYSTORE_FILE=
ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp
{{ else }}
ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8080
@@ -54,8 +55,8 @@ ml.aai.AUTH_PASSWORD=OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw
ml.babel.BASE_URL={{ include "common.scheme" . }}://aai-babel.{{.Release.Namespace}}:9516
ml.babel.GENERATE_ARTIFACTS_URL=/services/babel-service/v1/app/generateArtifacts
{{ if ( include "common.needTLS" .) }}
-ml.babel.KEYSTORE_FILE=babel-client-cert.p12
-ml.babel.KEYSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
-ml.babel.TRUSTSTORE_FILE=tomcat_keystore
-ml.babel.TRUSTSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
+ml.babel.KEYSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.p12
+ml.babel.KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}
+ml.babel.TRUSTSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+ml.babel.TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}
{{ end }}
diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
index 7e05d3b6cf..0213d631a3 100644
--- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
@@ -1,7 +1,7 @@
{{/*
# Copyright © 2018 Amdocs, AT&T
# Modifications Copyright © 2018 Bell Canada
-# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2020-2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -39,12 +39,53 @@ spec:
name: {{ include "common.name" . }}
spec:
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
{{- end -}}
{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.global.aafEnabled }}
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}
+ export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: prop-config-input
+ - mountPath: /config
+ name: prop-config
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
{{- end }}
containers:
- name: {{ include "common.name" . }}
@@ -53,43 +94,41 @@ spec:
env:
- name: CONFIG_HOME
value: /opt/app/model-loader/config/
- volumeMounts:
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/model-loader/config/model-loader.properties
subPath: model-loader.properties
- name: {{ include "common.fullname" . }}-prop-config
+ name: prop-config
- mountPath: /opt/app/model-loader/config/auth/
- name: {{ include "common.fullname" . }}-auth-config
+ name: auth-config
- mountPath: {{ .Values.log.path }}
name: logs
- mountPath: /opt/app/model-loader/logback.xml
- name: {{ include "common.fullname" . }}-log-conf
+ name: log-config
subPath: logback.xml
- ports:
- - containerPort: {{ .Values.service.internalPort }}
- - containerPort: {{ .Values.service.internalPort2 }}
- resources:
-{{ include "common.resources" . }}
-
+ resources: {{ include "common.resources" . | nindent 10 }}
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: localtime
hostPath:
path: /etc/localtime
- - name: {{ include "common.fullname" . }}-prop-config
+ - name: prop-config-input
configMap:
name: {{ include "common.fullname" . }}-prop
- - name: {{ include "common.fullname" . }}-auth-config
+ - name: prop-config
+ emptyDir:
+ medium: Memory
+ - name: auth-config
secret:
secretName: {{ include "common.fullname" . }}
- name: logs
emptyDir: {}
{{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
- - name: {{ include "common.fullname" . }}-log-conf
+ - name: log-config
configMap:
name: {{ include "common.fullname" . }}-log
restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }}
diff --git a/kubernetes/aai/components/aai-modelloader/templates/ingress.yaml b/kubernetes/aai/components/aai-modelloader/templates/ingress.yaml
deleted file mode 100644
index 8f87c68f1e..0000000000
--- a/kubernetes/aai/components/aai-modelloader/templates/ingress.yaml
+++ /dev/null
@@ -1 +0,0 @@
-{{ include "common.ingress" . }}
diff --git a/kubernetes/aai/components/aai-modelloader/templates/service.yaml b/kubernetes/aai/components/aai-modelloader/templates/service.yaml
deleted file mode 100644
index fad857bb41..0000000000
--- a/kubernetes/aai/components/aai-modelloader/templates/service.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}
- - port: {{ .Values.service.internalPort2 }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }}
- name: {{ .Values.service.portName2 }}
- {{- else -}}
- - port: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
- - port: {{ .Values.service.internalPort2 }}
- name: {{ .Values.service.portName2 }}
- {{- end}}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml
index 443bf40122..95eae6a80b 100644
--- a/kubernetes/aai/components/aai-modelloader/values.yaml
+++ b/kubernetes/aai/components/aai-modelloader/values.yaml
@@ -1,5 +1,5 @@
# Copyright © 2018 Amdocs, Bell Canada, AT&T
-# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2020-2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,6 +19,42 @@
global: # global defaults
nodePortPrefix: 302
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+ nameOverride: aai-ml-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: aai
+ fqi: aai@aai.onap.org
+ public_fqdn: aai.onap.org
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ appMountPath: /opt/app/model-loader/config/auth/aaf
+ fqi_namespace: org.onap.aai
+ user_id: &user_id 1000
+ group_id: &group_id 1000
+ aaf_add_config: |
+ echo "*** changing them into shell safe ones"
+ export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ cd {{ .Values.credsPath }}
+ keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
+ -storepass "${cadi_keystore_password_p12}" \
+ -keystore {{ .Values.fqi_namespace }}.p12
+ keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
+ -storepass "${cadi_truststore_password}" \
+ -keystore {{ .Values.fqi_namespace }}.trust.jks
+ echo "*** writing passwords into prop file"
+ echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
+ echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "*** change ownership of certificates to targeted user"
+ chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
+
# application image
image: onap/model-loader:1.9.1
pullPolicy: Always
@@ -47,26 +83,6 @@ readiness:
initialDelaySeconds: 10
periodSeconds: 10
-service:
- type: NodePort
- portName: http
- externalPort: 8080
- internalPort: 8080
- nodePort: 10
- portName2: https
- externalPort2: 8443
- internalPort2: 8443
- nodePort2: 29
-
-ingress:
- enabled: false
- service:
- - baseaddr: "aaimodelloader"
- name: "aai-modelloader"
- port: 8443
- config:
- ssl: "redirect"
-
resources:
small:
limits:
@@ -90,6 +106,11 @@ serviceAccount:
roles:
- read
+# Not fully used for now
+securityContext:
+ user_id: *user_id
+ group_id: *group_id
+
#Log configuration
log:
path: /var/log/onap
diff --git a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties
index b0ed0e89a0..a2abaf3785 100644
--- a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties
+++ b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties
@@ -36,10 +36,10 @@ aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
{{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.global.config.truststore.filename }}
-aai.truststore.passwd.x={{ .Values.global.config.truststore.passwd }}
-aai.keystore.filename={{ .Values.global.config.keystore.filename }}
-aai.keystore.passwd.x={{ .Values.global.config.keystore.passwd }}
+aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
+aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
{{ end }}
aai.default.api.version={{ .Values.global.config.schema.version.api.default }}
diff --git a/kubernetes/aai/components/aai-schema-service/config/application.properties b/kubernetes/aai/components/aai-schema-service/config/application.properties
index ad700dce6e..a3f7998a8f 100644
--- a/kubernetes/aai/components/aai-schema-service/config/application.properties
+++ b/kubernetes/aai/components/aai-schema-service/config/application.properties
@@ -39,12 +39,12 @@ server.basic.auth.location=${server.local.startpath}/etc/auth/realm.properties
server.port=8452
{{ if ( include "common.needTLS" .) }}
server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }}
-server.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
-server.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.truststore.filename }}
-server.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+server.ssl.key-store-password=${KEYSTORE_PASSWORD}
+server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
server.ssl.client-auth=want
-server.ssl.key-store-type=JKS
+server.ssl.key-store-type=PKCS12
{{ else }}
security.require-ssl=false
server.ssl.enabled=false
diff --git a/kubernetes/aai/components/aai-schema-service/config/logback.xml b/kubernetes/aai/components/aai-schema-service/config/logback.xml
index cfcd3c02e6..e91e257d14 100644
--- a/kubernetes/aai/components/aai-schema-service/config/logback.xml
+++ b/kubernetes/aai/components/aai-schema-service/config/logback.xml
@@ -268,20 +268,25 @@
<logger name="org.onap.aai.aaf.auth" level="DEBUG" additivity="false">
<appender-ref ref="asyncAUTH" />
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.aailog.logs.AaiScheduledTaskAuditLog" level="INFO">
<appender-ref ref="asyncAUDIT"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.logging.filter.base.AbstractAuditLogFilter" level="INFO">
<appender-ref ref="asyncAUDIT"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.logging.ErrorLogHelper" level="WARN">
<appender-ref ref="asyncERROR"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.schemaservice.interceptors.post" level="DEBUG" additivity="false">
<appender-ref ref="asynctranslog" />
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.apache" level="OFF"/>
diff --git a/kubernetes/aai/components/aai-schema-service/config/realm.properties b/kubernetes/aai/components/aai-schema-service/config/realm.properties
index 988bb2411b..7c8539dbe7 100644
--- a/kubernetes/aai/components/aai-schema-service/config/realm.properties
+++ b/kubernetes/aai/components/aai-schema-service/config/realm.properties
@@ -10,6 +10,7 @@ ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin
AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin
OOF:OBF:1img1ke71ily,admin
aai@aai.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
+aai-graphadmin@aai-graphadmin.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
so@so.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
diff --git a/kubernetes/aai/components/aai-schema-service/requirements.yaml b/kubernetes/aai/components/aai-schema-service/requirements.yaml
index d80dc5aea2..5a41aefe84 100644
--- a/kubernetes/aai/components/aai-schema-service/requirements.yaml
+++ b/kubernetes/aai/components/aai-schema-service/requirements.yaml
@@ -21,6 +21,9 @@ dependencies:
# a part of this chart's package and will not
# be published independently to a repo (at this point)
repository: '@local'
+ - name: certInitializer
+ version: ~9.x-0
+ repository: '@local'
- name: repositoryGenerator
version: ~9.x-0
repository: '@local'
diff --git a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml
index 23a2af54a2..957387158a 100644
--- a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml
@@ -30,7 +30,7 @@ data:
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ include "common.fullname" . }}-localhost-access-log-configmap
+ name: {{ include "common.fullname" . }}-localhost-access-log
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
@@ -43,7 +43,7 @@ data:
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ include "common.fullname" . }}-aaiconfig-configmap
+ name: {{ include "common.fullname" . }}-aaiconfig
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
@@ -56,7 +56,7 @@ data:
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ include "common.fullname" . }}-springapp-configmap
+ name: {{ include "common.fullname" . }}-springapp
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
@@ -69,7 +69,7 @@ data:
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ include "common.fullname" . }}-realm-configmap
+ name: {{ include "common.fullname" . }}-realm
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
diff --git a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
index 7c25ab7e61..e4f1d72d7b 100644
--- a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
@@ -40,16 +40,52 @@ spec:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
spec:
+ {{- if .Values.global.aafEnabled }}
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}
+ export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ {{- end }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{- if .Values.global.aafEnabled }}
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
+ echo "keystore pass: $KEYSTORE_PASSWORD"
+ echo "truststore pass: $TRUSTSTORE_PASSWORD"
+ echo "*** actual launch of AAI Schema Service"
+ /bin/bash /opt/app/aai-schema-service/docker-entrypoint.sh
+ {{- end }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -59,7 +95,7 @@ spec:
- mountPath: /opt/aai/logroot/AAI-SS
name: logs
- mountPath: /opt/app/aai-schema-service/resources/logback.xml
- name: {{ include "common.fullname" . }}-log-conf
+ name: log-conf
subPath: logback.xml
- mountPath: /opt/app/aai-schema-service/resources/localhost-access-logback.xml
name: localhost-access-log-conf
@@ -70,12 +106,6 @@ spec:
- mountPath: /opt/app/aai-schema-service/resources/application.properties
name: springapp-conf
subPath: application.properties
- {{ $global := . }}
- {{ range $job := .Values.global.config.auth.files }}
- - mountPath: /opt/app/aai-schema-service/resources/etc/auth/{{ . }}
- name: auth-truststore-sec
- subPath: {{ . }}
- {{ end }}
ports:
- containerPort: {{ .Values.service.internalPort }}
- containerPort: {{ .Values.service.internalPort2 }}
@@ -107,7 +137,7 @@ spec:
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: aai-common-aai-auth-mount
secret:
secretName: aai-common-aai-auth
@@ -117,29 +147,21 @@ spec:
- name: logs
emptyDir: {}
{{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
- - name: {{ include "common.fullname" . }}-log-conf
+ - name: log-conf
configMap:
name: {{ include "common.fullname" . }}-log
- name: localhost-access-log-conf
configMap:
- name: {{ include "common.fullname" . }}-localhost-access-log-configmap
+ name: {{ include "common.fullname" . }}-localhost-access-log
- name: springapp-conf
configMap:
- name: {{ include "common.fullname" . }}-springapp-configmap
+ name: {{ include "common.fullname" . }}-springapp
- name: aaiconfig-conf
configMap:
- name: {{ include "common.fullname" . }}-aaiconfig-configmap
+ name: {{ include "common.fullname" . }}-aaiconfig
- name: realm-conf
configMap:
- name: {{ include "common.fullname" . }}-realm-configmap
- - name: auth-truststore-sec
- secret:
- secretName: aai-common-truststore
- items:
- {{ range $job := .Values.global.config.auth.files }}
- - key: {{ . }}
- path: {{ . }}
- {{ end }}
+ name: {{ include "common.fullname" . }}-realm
restartPolicy: {{ .Values.restartPolicy }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml
index 4c2b64af82..7989bcc63d 100644
--- a/kubernetes/aai/components/aai-schema-service/values.yaml
+++ b/kubernetes/aai/components/aai-schema-service/values.yaml
@@ -58,20 +58,40 @@ global: # global defaults
edge:
label: v12
- # Keystore configuration password and filename
- keystore:
- filename: aai_keystore
- passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
-
- # Truststore configuration password and filename
- truststore:
- filename: aai_keystore
- passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
-
- # Specifies a list of files to be included in auth volume
- auth:
- files:
- - aai_keystore
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+ nameOverride: aai-schema-service-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: aai-schema-service
+ fqi: aai-schema-service@aai-schema-service.onap.org
+ public_fqdn: aai-schema-service.onap.org
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ fqi_namespace: org.onap.aai-schema-service
+ user_id: &user_id 1000
+ group_id: &group_id 1000
+ aaf_add_config: |
+ echo "*** changing them into shell safe ones"
+ export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ cd {{ .Values.credsPath }}
+ keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
+ -storepass "${cadi_keystore_password_p12}" \
+ -keystore {{ .Values.fqi_namespace }}.p12
+ keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
+ -storepass "${cadi_truststore_password}" \
+ -keystore {{ .Values.fqi_namespace }}.trust.jks
+ echo "*** writing passwords into prop file"
+ echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
+ echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "*** change ownership of certificates to targeted user"
+ chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
# application image
image: onap/aai-schema-service:1.9.2
@@ -147,6 +167,11 @@ serviceAccount:
roles:
- read
+# Not fully used for now
+securityContext:
+ user_id: *user_id
+ group_id: *group_id
+
#Log configuration
log:
path: /var/log/onap
diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml
index b9c8207d7e..5c540c9b96 100644
--- a/kubernetes/aai/components/aai-sparky-be/values.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/values.yaml
@@ -75,7 +75,7 @@ config:
gerritBranch: 3.0.0-ONAP
gerritProject: http://gerrit.onap.org/r/aai/test-config
portalUsername: aaiui
- portalPassword: OBF:1t2v1vfv1unz1vgz1t3b
+ portalPassword: OBF:1t2v1vfv1unz1vgz1t3b # aaiui
portalCookieName: UserId
portalAppRoles: ui_view
cadiFileLocation: /opt/app/sparky/config/portal/cadi.properties
diff --git a/kubernetes/aai/resources/config/aai/aai_keystore b/kubernetes/aai/resources/config/aai/aai_keystore
index b9a3e45107..dc86acca0c 100644
--- a/kubernetes/aai/resources/config/aai/aai_keystore
+++ b/kubernetes/aai/resources/config/aai/aai_keystore
Binary files differ
diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml
index 79a0f045bc..3ceeb8439e 100644
--- a/kubernetes/aai/values.yaml
+++ b/kubernetes/aai/values.yaml
@@ -252,12 +252,12 @@ global: # global defaults
# Keystore configuration password and filename
keystore:
filename: aai_keystore
- passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
+ passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
# Truststore configuration password and filename
truststore:
filename: aai_keystore
- passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
+ passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
# Specifies a list of files to be included in auth volume
auth: