diff options
Diffstat (limited to 'kubernetes/common')
14 files changed, 293 insertions, 25 deletions
diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml index 953c89d24d..3553cd4069 100644 --- a/kubernetes/common/cassandra/templates/statefulset.yaml +++ b/kubernetes/common/cassandra/templates/statefulset.yaml @@ -71,6 +71,17 @@ spec: timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} + startupProbe: + exec: + command: + - /bin/bash + - -c + - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' + initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} + periodSeconds: {{ .Values.startup.periodSeconds }} + timeoutSeconds: {{ .Values.startup.timeoutSeconds }} + successThreshold: {{ .Values.startup.successThreshold }} + failureThreshold: {{ .Values.startup.failureThreshold }} env: {{- $seed_size := default 1 .Values.replicaCount | int -}} {{- $global := . }} diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml index c3d22cedc0..9f19bf5c14 100644 --- a/kubernetes/common/cassandra/values.yaml +++ b/kubernetes/common/cassandra/values.yaml @@ -54,8 +54,8 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 @@ -64,12 +64,19 @@ liveness: enabled: true readiness: - initialDelaySeconds: 120 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 +startup: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 90 + service: name: cassandra headless: @@ -119,7 +126,7 @@ persistence: ## storageClass: "-" ## Not set as it depends of the backup enabledment or not. accessMode: ReadWriteOnce - size: 2Gi + size: 10Gi mountPath: /dockerdata-nfs mountSubPath: cassandra storageType: local diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index d955ecdf3c..cb4153e778 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -17,6 +17,7 @@ */}} CERTS_DIR=${CERTS_DIR:-/certs} +MORE_CERTS_DIR=${MORE_CERTS_DIR:-/more_certs} WORK_DIR=${WORK_DIR:-/updatedTruststore} ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks} JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts} @@ -47,10 +48,18 @@ for f in $CERTS_DIR/*; do fi done +for f in $MORE_CERTS_DIR/*; do + if [ ${f: -4} == ".pem" ] + then + cp $f $WORK_DIR/. + fi +done + # Prepare truststore output file if [ "$AAF_ENABLED" = "true" ] then - mv $WORK_DIR/$ONAP_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME + echo "AAF is enabled, use 'AAF' truststore" + export TRUSTSTORE_OUTPUT_FILENAME=${ONAP_TRUSTSTORE} else echo "AAF is disabled, using JRE truststore" cp $JRE_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME diff --git a/kubernetes/common/certInitializer/resources/ingress/onboard.sh b/kubernetes/common/certInitializer/resources/ingress/onboard.sh new file mode 100644 index 0000000000..9cc5ec580e --- /dev/null +++ b/kubernetes/common/certInitializer/resources/ingress/onboard.sh @@ -0,0 +1,35 @@ +#!/bin/sh + +{{/* +# Copyright © 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/ -}} + +echo "*** retrieving certificates and keys" +export CRT=$(cat {{ .Values.credsPath }}/certs/tls.crt | base64 -w 0) +export KEY=$(cat {{ .Values.credsPath }}/certs/tls.key | base64 -w 0) +export CACERT=$(cat {{ .Values.credsPath }}/certs/cacert.pem | base64 -w 0) +echo "*** creating tls secret" +cat <<EOF | kubectl apply -f - +apiVersion: v1 +kind: Secret +metadata: + name: {{ tpl .Values.ingressTlsSecret . }} + namespace: {{ include "common.namespace" . }} +data: + ca.crt: "${CACERT}" + tls.crt: "${CRT}" + tls.key: '${KEY}' +type: kubernetes.io/tls +EOF diff --git a/kubernetes/common/certInitializer/resources/retrieval_check.sh b/kubernetes/common/certInitializer/resources/retrieval/retrieval_check.sh index 25e47693de..76f384502f 100644 --- a/kubernetes/common/certInitializer/resources/retrieval_check.sh +++ b/kubernetes/common/certInitializer/resources/retrieval/retrieval_check.sh @@ -14,7 +14,8 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} +*/ -}} + echo "*** retrieving passwords for certificates" export $(/opt/app/aaf_config/bin/agent.sh local showpass \ {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) diff --git a/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh b/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh new file mode 100644 index 0000000000..f201eadd0a --- /dev/null +++ b/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh @@ -0,0 +1,32 @@ +#!/bin/sh + +{{/* +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/ -}} + +echo "--- Cert transformation for use with Ingress" +echo "*** transform AAF certs into pem files" +mkdir -p {{ .Values.credsPath }}/certs +keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \ + -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \ + -alias ca_local_0 \ + -storepass $cadi_truststore_password +openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -out {{ .Values.credsPath }}/certs/tls.crt -nokeys \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 +cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ + {{ .Values.credsPath }}/certs/tls.key +echo "--- Done" diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index 414192e2bc..f3ba8a24e0 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Bell Canada, Samsung Electronics +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -58,6 +59,11 @@ - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} mountPath: /opt/app/aaf_config/bin/retrieval_check.sh subPath: retrieval_check.sh +{{- if hasKey $initRoot "ingressTlsSecret" }} + - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} + mountPath: /opt/app/aaf_config/bin/tls_certs_configure.sh + subPath: tls_certs_configure.sh +{{- end }} {{- if $initRoot.aaf_add_config }} - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh @@ -69,6 +75,9 @@ - | /opt/app/aaf_config/bin/agent.sh . /opt/app/aaf_config/bin/retrieval_check.sh +{{- if hasKey $initRoot "ingressTlsSecret" }} + /opt/app/aaf_config/bin/tls_certs_configure.sh +{{- end -}} {{- if $initRoot.aaf_add_config }} /opt/app/aaf_config/bin/aaf-add-config.sh {{- end }} @@ -137,6 +146,8 @@ volumeMounts: - mountPath: /certs name: aaf-agent-certs + - mountPath: /more_certs + name: provided-custom-certs - mountPath: /root/import-custom-certs.sh name: aaf-agent-certs subPath: import-custom-certs.sh @@ -177,6 +188,21 @@ configMap: name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }} defaultMode: 0700 +{{- if $dot.Values.global.importCustomCertsEnabled }} +- name: provided-custom-certs +{{- if $dot.Values.global.customCertsSecret }} + secret: + secretName: {{ $dot.Values.global.customCertsSecret }} +{{- else }} +{{- if $dot.Values.global.customCertsConfigMap }} + configMap: + name: {{ $dot.Values.global.customCertsConfigMap }} +{{- else }} + emptyDir: + medium: Memory +{{- end }} +{{- end }} +{{- end }} - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} configMap: name: {{ include "common.fullname" $subchartDot }}-add-config diff --git a/kubernetes/common/certInitializer/templates/configmap.yaml b/kubernetes/common/certInitializer/templates/configmap.yaml index 1e9254abef..abd1575774 100644 --- a/kubernetes/common/certInitializer/templates/configmap.yaml +++ b/kubernetes/common/certInitializer/templates/configmap.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Samsung Electronics +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,8 +20,20 @@ kind: ConfigMap {{- $suffix := "add-config" }} metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} data: -{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/retrieval/retrieval_check.sh").AsConfig . | indent 2 }} +{{- if hasKey .Values "ingressTlsSecret" }} +{{ tpl (.Files.Glob "resources/retrieval/tls_certs_configure.sh").AsConfig . | indent 2 }} +{{- end }} {{ if .Values.aaf_add_config }} aaf-add-config.sh: | {{ tpl .Values.aaf_add_config . | indent 4 | trim }} {{- end }} +{{- if hasKey .Values "ingressTlsSecret" }} +--- +apiVersion: v1 +kind: ConfigMap +{{- $suffix := "ingress" }} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} +data: +{{ tpl (.Files.Glob "resources/ingress/onboard.sh").AsConfig . | indent 2 }} +{{- end }} diff --git a/kubernetes/common/certInitializer/templates/job.yaml b/kubernetes/common/certInitializer/templates/job.yaml new file mode 100644 index 0000000000..331a58c310 --- /dev/null +++ b/kubernetes/common/certInitializer/templates/job.yaml @@ -0,0 +1,44 @@ +{{/* +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if hasKey .Values "ingressTlsSecret" }} +apiVersion: batch/v1 +kind: Job +{{- $suffix := "set-tls-secret" }} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} +spec: + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: {{ include "common.certInitializer.initContainer" (dict "dot" . "initRoot" .Values) | nindent 6 }} + containers: + - name: create tls secret + command: + - /ingress/onboard.sh + image: {{ include "repositoryGenerator.image.kubectl" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: {{ include "common.certInitializer.volumeMount" (dict "dot" . "initRoot" .Values) | nindent 8 }} + - name: ingress-scripts + mountPath: /ingress + volumes: {{ include "common.certInitializer.volumes" (dict "dot" . "initRoot" .Values) | nindent 6 }} + - name: localtime + hostPath: + path: /etc/localtime + - name: ingress-scripts + configMap: + name: {{ include "common.fullname" . }}-ingress + defaultMode: 0777 +{{- end}} diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml index 52b2765329..747c94f4d1 100644 --- a/kubernetes/common/certInitializer/values.yaml +++ b/kubernetes/common/certInitializer/values.yaml @@ -15,6 +15,15 @@ global: aafAgentImage: onap/aaf/aaf_agent:2.1.20 aafEnabled: true + # Give the name of a config map where certInitializer will onboard all certs + # given (certs must be in pem format) + customCertsConfigMap: + # Give the name of a secret where certInitializer will onboard all certs given + # (certs must be in pem format) + # this one superseedes previous one (so if both are given, only certs from + # secret will be onboarded). + customCertsSecret: + pullPolicy: Always @@ -37,7 +46,6 @@ readinessCheck: - aaf-cm - aaf-service -aafDeployFqi: "changeme" fqdn: "" app_ns: "org.osaaf.aaf" fqi: "" @@ -55,6 +63,7 @@ truststoreMountpath: "" truststoreOutputFileName: truststore.jks truststorePassword: changeit envVarToCheck: cadi_keystore_password_p12 +# ingressTlsSecret: # This introduces implicit dependency on cert-wrapper # if you are using cert initializer cert-wrapper has to be also deployed. diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl index 108873b31d..2b9461e50e 100644 --- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl +++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl @@ -189,6 +189,8 @@ spec: {{ end }} {{- end -}} +{{/*Using templates below allows read and write access to volume mounted at $mountPath*/}} + {{- define "common.certManager.volumeMounts" -}} {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} @@ -217,8 +219,14 @@ spec: sources: - secret: name: {{ $certificatesSecretName }} - {{- if $certificate.keystore }} items: + - key: tls.key + path: key.pem + - key: tls.crt + path: cert.pem + - key: ca.crt + path: cacert.pem + {{- if $certificate.keystore }} {{- range $outputType := $certificate.keystore.outputType }} - key: keystore.{{ $outputType }} path: keystore.{{ $outputType }} @@ -248,4 +256,55 @@ spec: {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}} {{- end -}} {{ $certsLinkCommand }} -{{- end -}}
\ No newline at end of file +{{- end -}} + +{{/*Using templates below allows only read access to volume mounted at $mountPath*/}} + +{{- define "common.certManager.volumeMountsReadOnly" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} + {{- range $i, $certificate := $dot.Values.certificates -}} + {{- $mountPath := $certificate.mountPath -}} +- mountPath: {{ $mountPath }} + name: certmanager-certs-volume-{{ $i }} + {{- end -}} +{{- end -}} + +{{- define "common.certManager.volumesReadOnly" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} +{{- $certificates := $dot.Values.certificates -}} + {{- range $i, $certificate := $certificates -}} + {{- $name := include "common.fullname" $dot -}} + {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +- name: certmanager-certs-volume-{{ $i }} + projected: + sources: + - secret: + name: {{ $certificatesSecretName }} + items: + - key: tls.key + path: key.pem + - key: tls.crt + path: cert.pem + - key: ca.crt + path: cacert.pem + {{- if $certificate.keystore }} + {{- range $outputType := $certificate.keystore.outputType }} + - key: keystore.{{ $outputType }} + path: keystore.{{ $outputType }} + - key: truststore.{{ $outputType }} + path: truststore.{{ $outputType }} + {{- end }} + - secret: + name: {{ $certificate.keystore.passwordSecretRef.name }} + items: + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: keystore.pass + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: truststore.pass + {{- end }} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index bde971ffe7..7b0d90a9aa 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -129,7 +129,7 @@ spec: livenessProbe: exec: command: - - bash + - sh - -ec - | exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD @@ -143,7 +143,7 @@ spec: readinessProbe: exec: command: - - bash + - sh - -ec - | exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD @@ -153,6 +153,20 @@ spec: successThreshold: {{ .Values.readinessProbe.successThreshold }} failureThreshold: {{ .Values.readinessProbe.failureThreshold }} {{- end }} + {{- if .Values.startupProbe.enabled }} + startupProbe: + exec: + command: + - sh + - -ec + - | + exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.startupProbe.successThreshold }} + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + {{- end }} resources: {{ include "common.resources" . | nindent 12 }} volumeMounts: - name: previous-boot diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index 79b1cb2933..4c77efc83f 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -478,18 +478,18 @@ flavor: small resources: small: limits: - cpu: 500m - memory: 2.5Gi + cpu: 1 + memory: 4Gi requests: - cpu: 100m - memory: 750Mi + cpu: 500m + memory: 2Gi large: limits: cpu: 2 - memory: 4Gi + memory: 6Gi requests: cpu: 1 - memory: 2Gi + memory: 3Gi unlimited: {} ## MariaDB Galera containers' liveness and readiness probes @@ -497,20 +497,29 @@ resources: ## livenessProbe: enabled: true - ## Initializing the database could take some time - ## - initialDelaySeconds: 150 + initialDelaySeconds: 1 periodSeconds: 10 timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 readinessProbe: enabled: true - initialDelaySeconds: 60 + initialDelaySeconds: 1 periodSeconds: 10 timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 +startupProbe: + ## Initializing the database could take some time + ## + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + # will wait up for initialDelaySeconds + failureThreshold*periodSeconds before + # stating startup wasn't good (910s per default) + failureThreshold: 90 ## Pod disruption budget configuration ## diff --git a/kubernetes/common/music/values.yaml b/kubernetes/common/music/values.yaml index 25cab910a9..f578949196 100644 --- a/kubernetes/common/music/values.yaml +++ b/kubernetes/common/music/values.yaml @@ -164,5 +164,4 @@ certInitializer: credsPath: /opt/app/osaaf/local appMountPath: /opt/app/aafcertman aaf_add_config: > - cd {{ .Values.credsPath }}; - /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password_jks= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1; + echo "$cadi_keystore_password_jks" > {{ .Values.credsPath }}/.pass; |