Diffstat (limited to 'kubernetes/common')
14 files changed, 104 insertions, 79 deletions
diff --git a/kubernetes/common/cassandra/resources/restore.sh b/kubernetes/common/cassandra/resources/restore.sh index 798ab6c53c..a8105345f7 100644 --- a/kubernetes/common/cassandra/resources/restore.sh +++ b/kubernetes/common/cassandra/resources/restore.sh @@ -7,7 +7,7 @@ ss_name="" ss="snapshots" me=`basename $0` -function find_target_table_name() +find_target_table_name () { dest_path=$1 keyspace_name=$2 @@ -18,7 +18,7 @@ function find_target_table_name() printf $dest_table_name } -function print_usage() +print_usage () { echo "NAME" echo " Script to restore Cassandra database from Nuvo/Cain snapshot" @@ -75,7 +75,7 @@ esac done # Validate inputs -if [ "$base_db_dir" == "" ] || [ "$ss_dir" == "" ] || [ "$keyspace_name" == "" ] +if [ "$base_db_dir" = "" ] || [ "$ss_dir" = "" ] || [ "$keyspace_name" = "" ] then echo "" echo ">>>>>>>>>>Not all inputs provided, please check usage >>>>>>>>>>" diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index 87e584c78e..d955ecdf3c 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh 
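Review bot: In restore.sh, the context line `printf $dest_table_name` at the end of `find_target_table_name` passes the value as the printf format string, unquoted. Any `%` or backslash in the name is interpreted, and whitespace splits it into several arguments. Since the function is being touched anyway, I would change it to `printf '%s' "$dest_table_name"`. The middle of the function body lies between the first two hunks and is not visible here.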
@@ -28,18 +28,18 @@ mkdir -p $WORK_DIR for f in $CERTS_DIR/*; do export canonical_name_nob64=$(echo $f | sed 's/.*\/\([^\/]*\)/\1/') export canonical_name_b64=$(echo $f | sed 's/.*\/\([^\/]*\)\(\.b64\)/\1/') - if [ "$AAF_ENABLED" == "false" ] && [ "$canonical_name_b64" == "$ONAP_TRUSTSTORE" ]; then + if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_b64" = "$ONAP_TRUSTSTORE" ]; then # Dont use onap truststore when aaf is disabled continue fi - if [ "$AAF_ENABLED" == "false" ] && [ "$canonical_name_nob64" == "$ONAP_TRUSTSTORE" ]; then + if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_nob64" = "$ONAP_TRUSTSTORE" ]; then # Dont use onap truststore when aaf is disabled continue fi - if [ ${f: -3} == ".sh" ]; then + if [ ${f: -3} = ".sh" ]; then continue fi - if [ ${f: -4} == ".b64" ] + if [ ${f: -4} = ".b64" ] then base64 -d $f > $WORK_DIR/`basename $f .b64` else @@ -48,7 +48,7 @@ for f in $CERTS_DIR/*; do done # Prepare truststore output file -if [ "$AAF_ENABLED" == "true" ] +if [ "$AAF_ENABLED" = "true" ] then mv $WORK_DIR/$ONAP_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME else @@ -58,7 +58,7 @@ fi # Import Custom Certificates for f in $WORK_DIR/*; do - if [ ${f: -4} == ".pem" ]; then + if [ ${f: -4} = ".pem" ]; then echo "importing certificate: $f" keytool -import -file $f -alias `basename $f` -keystore $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -storepass $TRUSTSTORE_PASSWORD -noprompt if [ $? != 0 ]; then diff --git a/kubernetes/common/certInitializer/resources/retrieval_check.sh b/kubernetes/common/certInitializer/resources/retrieval_check.sh index f3af14b17a..25e47693de 100644 --- a/kubernetes/common/certInitializer/resources/retrieval_check.sh +++ b/kubernetes/common/certInitializer/resources/retrieval_check.sh @@ -1,3 +1,5 @@ +#!/bin/sh + {{/* # Copyright © 2021 Orange # 
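Review bot: The new tests `[ ${f: -3} = ".sh" ]` and `[ ${f: -4} = ".b64" ]` in import-custom-certs.sh still use substring expansion, which is a bash extension. If the `==` to `=` change is meant to make the script run under a POSIX `/bin/sh` (the shebang is not visible here), these lines will fail with a bad-substitution error. The same applies to `[ ${f: -4} = ".pem" ]` in the third hunk of this file. A portable form is `case "$f" in *.sh) continue ;; esac`, with matching `*.b64)` and `*.pem)` arms. The expansions are also unquoted, so a path with whitespace breaks the test.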
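Review bot: In the import loop of import-custom-certs.sh, the `keytool -import ... -storepass $TRUSTSTORE_PASSWORD` context line puts the truststore password on the command line, where it is visible to anything that can list processes in the container. keytool accepts the `:env` modifier, so if the variable is exported the call can read `-storepass:env TRUSTSTORE_PASSWORD` instead. `$f` and the backtick `basename $f` are also unquoted; `-file "$f" -alias "$(basename "$f")"` avoids splitting on unusual file names. The loop body continues past the end of this hunk.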
@@ -13,8 +15,6 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -#!/bin/sh - echo "*** retrieving passwords for certificates" export $(/opt/app/aaf_config/bin/agent.sh local showpass \ {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) diff --git a/kubernetes/common/certManagerCertificate/requirements.yaml b/kubernetes/common/certManagerCertificate/requirements.yaml index 210a02c65c..83becb0a33 100644 --- a/kubernetes/common/certManagerCertificate/requirements.yaml +++ b/kubernetes/common/certManagerCertificate/requirements.yaml @@ -16,3 +16,6 @@ dependencies: - name: common version: ~8.x-0 repository: 'file://../common' + - name: cmpv2Config + version: ~8.x-0 + repository: 'file://../cmpv2Config' diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl index f820c30ca9..108873b31d 100644 --- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl +++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl @@ -18,7 +18,7 @@ # # To request a certificate following steps are to be done: # - create an object 'certificates' in the values.yaml -# - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate". +# - create a file templates/certificate.yaml and invoke the function "certManagerCertificate.certificate". # # Here is an example of the certificate request for a component: # @@ -53,6 +53,7 @@ # passwordSecretRef: # name: secret-name # key: secret-key +# create: true # # Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined. # Other mandatory fields for the certificate definition do not have to be defined directly, 
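Review bot: In retrieval_check.sh, the `export $(... | grep '^c' | xargs -0)` line is left unquoted, so the agent's output goes through word splitting and pathname expansion before being exported. A retrieved password that contains whitespace or a glob character such as `*` would be truncated or replaced by matching file names. The failure would only surface later as a wrong keystore password. At minimum I would wrap the statement with `set -f` before and `set +f` after, and add a comment such as `# values must not contain whitespace; globbing disabled so passwords are exported verbatim`. Whether the rest of the script depends on the current behaviour cannot be seen from this hunk.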
@@ -74,7 +75,7 @@ {{/*# General certifiacate attributes #*/}} {{- $name := include "common.fullname" $dot -}} {{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}} -{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +{{- $secretName := default (printf "%s-secret-%d" $name $i) (tpl (default "" $certificate.secretName) $ ) -}} {{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}} {{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}} {{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}} @@ -94,10 +95,11 @@ {{- if $certificate.issuer -}} {{- $issuer = $certificate.issuer -}} {{- end -}} ---- -{{- if $certificate.keystore }} +{{/*# Secret #*/}} +{{ if $certificate.keystore -}} {{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}} - {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }} + {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote -}} + {{- if $passwordSecretRef.create }} apiVersion: v1 kind: Secret metadata: @@ -106,7 +108,8 @@ metadata: type: Opaque stringData: {{ $passwordSecretRef.key }}: {{ $password }} -{{- end }} + {{- end }} +{{ end -}} --- apiVersion: cert-manager.io/v1 kind: Certificate @@ -120,6 +123,15 @@ spec: {{- if $duration }} duration: {{ $duration }} {{- end }} + {{- if $certificate.isCA }} + isCA: {{ $certificate.isCA }} + {{- end }} + {{- if $certificate.usages }} + usages: + {{- range $usage := $certificate.usages }} + - {{ $usage }} + {{- end }} + {{- end }} subject: organizations: - {{ $subject.organization }} @@ -156,7 +168,9 @@ spec: {{- end }} {{- end }} issuerRef: + {{- if not (eq $issuer.kind "Issuer" ) }} group: {{ $issuer.group }} + {{- end }} kind: {{ $issuer.kind }} name: {{ $issuer.name }} {{- if $certificate.keystore }} 
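Review bot: The new `tpl (default "" $certificate.secretName) $` in _certificate.tpl renders the value against `$`, while the line above it uses `$dot` for the chart context (`include "common.fullname" $dot`). If this define is ever included with a wrapper dict rather than the chart root (which the `$dot` indirection suggests, though the definition header is outside the hunk), `$` has no `.Template` or `.Values` and `tpl` will fail at render time. I would pass the same context as the neighbouring lines: `{{- $secretName := default (printf "%s-secret-%d" $name $i) (tpl (default "" $certificate.secretName) $dot) -}}`. The same applies to `tpl (default "" $certificate.keystore.passwordSecretRef.name) $` in the later hunk at -168,7. The Secret's `metadata.name`, which lies between hunks, should also be checked so that it renders the name the same way and the two references cannot diverge.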
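Review bot: The keystore password Secret in _certificate.tpl is now emitted only when `$passwordSecretRef.create` is truthy, so any chart that defines `keystore` without the new key silently stops getting a Secret. The Certificate would still reference `passwordSecretRef` in that case and would presumably stay un-issued until the Secret exists. The header comment only adds `create: true` to the example and does not state the default. I would document it there, for example `# create: true  (optional, default false: when false the referenced Secret must already exist)`. Also, `common.createPassword` is still evaluated when `create` is false; moving the `$password` assignment inside the `if $passwordSecretRef.create` block would make the intent clearer.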
@@ -168,7 +182,7 @@ spec: {{ $outputType }}: create: true passwordSecretRef: - name: {{ $certificate.keystore.passwordSecretRef.name }} + name: {{ tpl (default "" $certificate.keystore.passwordSecretRef.name) $ }} key: {{ $certificate.keystore.passwordSecretRef.key }} {{- end }} {{- end }} @@ -234,4 +248,4 @@ spec: {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}} {{- end -}} {{ $certsLinkCommand }} -{{- end -}} +{{- end -}}
\ No newline at end of file diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/cmpv2Certificate/requirements.yaml index 87509d11bc..b10896d2ce 100644 --- a/kubernetes/common/cmpv2Certificate/requirements.yaml +++ b/kubernetes/common/cmpv2Certificate/requirements.yaml @@ -19,3 +19,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: 'file://../repositoryGenerator' + - name: cmpv2Config + version: ~8.x-0 + repository: 'file://../cmpv2Config' diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl index 58cc9c7249..f80b06b4d3 100644 --- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl +++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl @@ -62,7 +62,7 @@ There also need to be some includes used in a target component deployment (inden {{- define "common.certServiceClient.initContainer" -}} {{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} {{- range $index, $certificate := $dot.Values.certificates -}} 
@@ -97,11 +97,14 @@ There also need to be some includes used in a target component deployment (inden {{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}} {{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}} {{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}} -{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}} -{{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}} -{{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}} -{{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}} -{{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}} +{{- $certificatesSecret:= $subchartGlobal.platform.certServiceClient.clientSecretName -}} +{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath -}} +{{- $keystorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.keystoreKeyRef ) -}} +{{- $keystorePasswordSecret := $subchartGlobal.platform.certificates.keystorePasswordSecretName -}} +{{- $keystorePasswordSecretKey := $subchartGlobal.platform.certificates.keystorePasswordSecretKey -}} +{{- $truststorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.truststoreKeyRef ) -}} +{{- $truststorePasswordSecret := $subchartGlobal.platform.certificates.truststorePasswordSecretName -}} +{{- $truststorePasswordSecretKey := $subchartGlobal.platform.certificates.truststorePasswordSecretKey -}} - name: certs-init-{{ $index }} image: {{ include "repositoryGenerator.image.certserviceclient" $dot }} imagePullPolicy: {{ $dot.Values.global.pullPolicy | 
default $dot.Values.pullPolicy }} @@ -133,11 +136,17 @@ There also need to be some includes used in a target component deployment (inden - name: KEYSTORE_PATH value: {{ $keystorePath | quote }} - name: KEYSTORE_PASSWORD - value: {{ $keystorePassword | quote }} + valueFrom: + secretKeyRef: + name: {{ $keystorePasswordSecret | quote}} + key: {{ $keystorePasswordSecretKey | quote}} - name: TRUSTSTORE_PATH value: {{ $truststorePath | quote }} - name: TRUSTSTORE_PASSWORD - value: {{ $truststorePassword | quote }} + valueFrom: + secretKeyRef: + name: {{ $truststorePasswordSecret | quote}} + key: {{ $truststorePasswordSecretKey | quote}} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: @@ -151,10 +160,10 @@ There also need to be some includes used in a target component deployment (inden {{- define "common.certServiceClient.volumes" -}} {{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} -{{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}} +{{- $certificatesSecretName := $subchartGlobal.platform.certificates.clientSecretName -}} - name: certservice-tls-volume secret: secretName: {{ $certificatesSecretName }} 
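Review bot: In _certServiceClient.tpl, `$certificatesSecret:= $subchartGlobal.platform.certServiceClient.clientSecretName` reads a key that this commit does not define. The cmpv2Config values.yaml hunk puts `clientSecretName` under `platform.certificates`, and the `common.certServiceClient.volumes` hunk reads it from `platform.certificates.clientSecretName`. As written, the variable resolves to an empty value; whether it is used further down cannot be seen from this hunk. I would either drop it or correct the path to `{{- $certificatesSecret := $subchartGlobal.platform.certificates.clientSecretName -}}`. Separately, `printf "%s%s"` for `$keystorePath` and `$truststorePath` only yields a valid path while `certificatesSecretMountPath` keeps its trailing slash, so a comment on that value saying so would help.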
@@ -168,7 +177,7 @@ There also need to be some includes used in a target component deployment (inden {{- define "common.certServiceClient.volumeMounts" -}} {{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} {{- range $index, $certificate := $dot.Values.certificates -}} diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/cmpv2Certificate/values.yaml index b7531431c4..504947525d 100644 --- a/kubernetes/common/cmpv2Certificate/values.yaml +++ b/kubernetes/common/cmpv2Certificate/values.yaml 
@@ -11,38 +11,3 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - -################################################################# -# Global configuration default values that can be inherited by -# all subcharts. -################################################################# -global: - # Enabling CMPv2 - cmpv2Enabled: true - CMPv2CertManagerIntegration: false - - certificate: - default: - subject: - organization: "Linux-Foundation" - country: "US" - locality: "San-Francisco" - province: "California" - organizationalUnit: "ONAP" - - platform: - certServiceClient: - secret: - name: oom-cert-service-client-tls-secret - mountPath: /etc/onap/oom/certservice/certs/ - envVariables: - certPath: "/var/custom-certs" - # Client configuration related - caName: "RA" - requestURL: "https://oom-cert-service:8443/v1/certificate/" - requestTimeout: "30000" - keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks" - outputType: "P12" - keystorePassword: "secret" - truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks" - truststorePassword: "secret" diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index b6ee064302..695e40616c 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml 
@@ -12,22 +12,40 @@ # See the License for the specific language governing permissions and # limitations under the License. global: + + # Enabling CMPv2 + cmpv2Enabled: true + CMPv2CertManagerIntegration: false + + certificate: + default: + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + platform: + certificates: + clientSecretName: oom-cert-service-client-tls-secret + keystoreKeyRef: keystore.jks + truststoreKeyRef: truststore.jks + keystorePasswordSecretName: oom-cert-service-keystore-password + keystorePasswordSecretKey: password + truststorePasswordSecretName: oom-cert-service-truststore-password + truststorePasswordSecretKey: password certServiceClient: image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 - secretName: oom-cert-service-client-tls-secret + certificatesSecretMountPath: /etc/onap/oom/certservice/certs/ envVariables: + certPath: "/var/custom-certs" # Certificate related - cmpv2Organization: "Linux-Foundation" - cmpv2OrganizationalUnit: "ONAP" - cmpv2Location: "San-Francisco" - cmpv2State: "California" - cmpv2Country: "US" + caName: "RA" # Client configuration related requestURL: "https://oom-cert-service:8443/v1/certificate/" requestTimeout: "30000" - keystorePassword: "secret" - truststorePassword: "secret" + outputType: "P12" certPostProcessor: image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 diff --git a/kubernetes/common/common/templates/_createPassword.tpl b/kubernetes/common/common/templates/_createPassword.tpl index bfd0999e16..4ded11f53f 100644 --- a/kubernetes/common/common/templates/_createPassword.tpl +++ b/kubernetes/common/common/templates/_createPassword.tpl 
@@ -24,11 +24,11 @@ */}} {{- define "common.masterPassword" -}} {{ if .Values.masterPasswordOverride }} - {{- printf "%d" .Values.masterPasswordOverride -}} + {{- printf "%s" .Values.masterPasswordOverride -}} {{ else if .Values.global.masterPassword }} - {{- printf "%d" .Values.global.masterPassword -}} + {{- printf "%s" .Values.global.masterPassword -}} {{ else if .Values.masterPassword }} - {{- printf "%d" .Values.masterPassword -}} + {{- printf "%s" .Values.masterPassword -}} {{ else if eq "testRelease" (include "common.release" .) }} {{/* Special case for chart liniting. DON"T NAME YOUR PRODUCTION RELEASE testRelease */}} {{- printf "testRelease" -}} diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index 12d2d75e38..79b1cb2933 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -329,6 +329,12 @@ mariadbConfiguration: |- innodb_flush_log_at_trx_commit=2 # MYISAM REPLICATION SUPPORT # wsrep_replicate_myisam=ON + binlog_format=row + default_storage_engine=InnoDB + innodb_autoinc_lock_mode=2 + transaction-isolation=READ-COMMITTED + wsrep_causal_reads=1 + wsrep_sync_wait=7 [mariadb] plugin_load_add=auth_pam diff --git a/kubernetes/common/music/resources/config/startup.sh b/kubernetes/common/music/resources/config/startup.sh index 37bb84de8b..e3cee36f1f 100755 --- a/kubernetes/common/music/resources/config/startup.sh +++ b/kubernetes/common/music/resources/config/startup.sh @@ -32,8 +32,8 @@ DEBUG_PROP= # Debug Setup. Uses env variables # DEBUG and DEBUG_PORT # DEBUG=true/false | DEBUG_PORT=<Port valie must be integer> -if [ "${DEBUG}" == "true" ]; then - if [ "${DEBUG_PORT}" == "" ]; then +if [ "${DEBUG}" = "true" ]; then + if [ "${DEBUG_PORT}" = "" ]; then DEBUG_PORT=8000 fi echo "Debug mode on" 
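Review bot: In `common.masterPassword`, switching `printf "%d"` to `printf "%s"` fixes string passwords, but a purely numeric value given unquoted in values or via `--set` is parsed as a number. With `%s` that renders as a Go formatting-error string of the form `%!s(...)` instead of the digits. Every derived password would then be seeded from that placeholder text without any error being raised. Using `{{- .Values.masterPasswordOverride | toString -}}` (and the same for the `global.masterPassword` and `masterPassword` branches) handles both cases. The define continues past the end of this hunk.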
diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index a6b434f43a..91f21ab0c9 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2021 AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -86,6 +87,10 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }} {{- end -}} +{{- define "repositoryGenerator.image.dcaepolicysync" -}} + {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dcaePolicySyncImage") .) }} +{{- end -}} + {{- define "repositoryGenerator.image.envsubst" -}} {{- include "repositoryGenerator.image._helper" (merge (dict "image" "envsubstImage") .) }} {{- end -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index 386ba9b490..8a68f6dd9c 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2020 Orange -# Copyright © 2021 Nokia +# Copyright © 2021 Nokia, AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,6 +34,7 @@ global: nginxImage: bitnami/nginx:1.18-debian-10 postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 readinessImage: onap/oom/readiness:3.0.1 + dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 # Default credentials # they're optional. If the target repository doesn't need them, comment them 
@@ -65,3 +66,4 @@ imageRepoMapping: nginxImage: dockerHubRepository postgresImage: dockerHubRepository readinessImage: repository + dcaePolicySyncImage: repository |