Diffstat (limited to 'kubernetes/common')
17 files changed, 106 insertions, 21 deletions
diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml index 471f88f735..953c89d24d 100644 --- a/kubernetes/common/cassandra/templates/statefulset.yaml +++ b/kubernetes/common/cassandra/templates/statefulset.yaml @@ -100,6 +100,14 @@ spec: value: {{ default "GossipingPropertyFileSnitch" .Values.config.endpoint_snitch | quote }} - name: CASSANDRA_AUTHENTICATOR value: {{ default "PasswordAuthenticator" .Values.config.authenticator | quote }} + {{- if include "common.onServiceMesh" . }} + - name: CASSANDRA_LISTEN_ADDRESS + value: "127.0.0.1" + - name: CASSANDRA_BROADCAST_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- end }} - name: POD_IP valueFrom: fieldRef: diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml index fbdf8e3e19..c3d22cedc0 100644 --- a/kubernetes/common/cassandra/values.yaml +++ b/kubernetes/common/cassandra/values.yaml @@ -55,8 +55,8 @@ affinity: {} # probe configuration parameters liveness: initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 3 + periodSeconds: 20 + timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 # necessary to disable liveness probe when setting breakpoints @@ -65,8 +65,8 @@ liveness: readiness: initialDelaySeconds: 120 - periodSeconds: 10 - timeoutSeconds: 3 + periodSeconds: 20 + timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 diff --git a/kubernetes/common/certInitializer/resources/retrieval_check.sh b/kubernetes/common/certInitializer/resources/retrieval_check.sh new file mode 100644 index 0000000000..f3af14b17a --- /dev/null +++ b/kubernetes/common/certInitializer/resources/retrieval_check.sh 
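Review bot: The new `{{- if include "common.onServiceMesh" . }}` block switches CASSANDRA_LISTEN_ADDRESS to 127.0.0.1 while CASSANDRA_BROADCAST_ADDRESS becomes the pod IP, and nothing in the template says why the two addresses now differ, which reads like a misconfiguration to anyone unfamiliar with the mesh setup. A template comment above the block would help, e.g. `{{/* on a service mesh Cassandra binds loopback only and advertises the pod IP to the ring; peer traffic is expected to go through the sidecar */}}`, adjusted to how the mesh is actually wired here, which this hunk does not show. Note also that `if include ...` tests for a non-empty string, so the branch relies on the helper rendering nothing (not the word "false") when the mesh is off; this matches the `common.needTLS` idiom used elsewhere in the chart.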
@@ -0,0 +1,26 @@ +{{/* +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +#!/bin/sh + +echo "*** retrieving passwords for certificates" +export $(/opt/app/aaf_config/bin/agent.sh local showpass \ + {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) +if [ -z "${{ .Values.envVarToCheck }}" ] +then + echo " /!\ certificates retrieval failed" + exit 1 +fi +echo "*** password retrieval succeeded" diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index 5a8e84cd8c..414192e2bc 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -55,6 +55,9 @@ - mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64 name: aaf-agent-certs subPath: truststoreONAP.p12.b64 + - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} + mountPath: /opt/app/aaf_config/bin/retrieval_check.sh + subPath: retrieval_check.sh {{- if $initRoot.aaf_add_config }} - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh @@ -64,8 +67,8 @@ - sh - -c - | - #!/usr/bin/env bash /opt/app/aaf_config/bin/agent.sh + . /opt/app/aaf_config/bin/retrieval_check.sh {{- if $initRoot.aaf_add_config }} /opt/app/aaf_config/bin/aaf-add-config.sh {{- end }} 
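Review bot: The `export $(... | grep '^c' | xargs -0)` line in retrieval_check.sh passes the retrieved passwords through an unquoted command substitution, so every value is field-split and pathname-expanded by the shell before `export` sees it; a password containing whitespace, `*` or `?` is silently mangled, and `xargs -0` adds nothing because the input is newline-separated, not NUL-separated. `{{.Values.fqi}}` and `{{ .Values.fqdn }}` are likewise interpolated as bare words, so a value with shell metacharacters changes the command rather than the arguments. Reading the agent output one line at a time and exporting each `name=value` entry verbatim fixes both; because the file is sourced by the init container, the existing `exit 1` on a missing variable keeps its current effect.
```sh
echo "*** retrieving passwords for certificates"
# export each "name=value" line verbatim: no field splitting or glob expansion of secret values
while IFS= read -r entry; do
  case "$entry" in
    c*) export "$entry" ;;
  esac
done <<EOF
$(/opt/app/aaf_config/bin/agent.sh local showpass "{{.Values.fqi}}" "{{ .Values.fqdn }}")
EOF
# … unchanged: envVarToCheck test and exit …
```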
@@ -174,13 +177,10 @@ configMap: name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }} defaultMode: 0700 - -{{- if $initRoot.aaf_add_config }} - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} configMap: name: {{ include "common.fullname" $subchartDot }}-add-config defaultMode: 0700 -{{- end -}} {{- if $dot.Values.global.importCustomCertsEnabled }} - name: updated-truststore emptyDir: {} diff --git a/kubernetes/common/certInitializer/templates/configmap.yaml b/kubernetes/common/certInitializer/templates/configmap.yaml index 7eae899cc1..1e9254abef 100644 --- a/kubernetes/common/certInitializer/templates/configmap.yaml +++ b/kubernetes/common/certInitializer/templates/configmap.yaml @@ -14,12 +14,13 @@ # limitations under the License. */}} -{{ if .Values.aaf_add_config }} apiVersion: v1 kind: ConfigMap {{- $suffix := "add-config" }} metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} data: +{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} +{{ if .Values.aaf_add_config }} aaf-add-config.sh: | {{ tpl .Values.aaf_add_config . | indent 4 | trim }} {{- end }} diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml index e7a0a3f02e..52b2765329 100644 --- a/kubernetes/common/certInitializer/values.yaml +++ b/kubernetes/common/certInitializer/values.yaml @@ -54,6 +54,7 @@ importCustomCertsEnabled: false truststoreMountpath: "" truststoreOutputFileName: truststore.jks truststorePassword: changeit +envVarToCheck: cadi_keystore_password_p12 # This introduces implicit dependency on cert-wrapper # if you are using cert initializer cert-wrapper has to be also deployed. diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl index 4e43f621de..f820c30ca9 100644 --- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl 
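Review bot: `{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}` in configmap.yaml pulls every file under resources/ into the add-config ConfigMap and runs it through `tpl`, which is what makes the `{{ .Values.* }}` references in retrieval_check.sh resolve, but nothing on the line says so. A comment above it, such as `{{/* every file in resources/ is rendered with tpl and exposed to the cert-initializer through subPath mounts; this is a ConfigMap, so nothing secret belongs in that directory */}}`, would stop a later contributor from dropping key material there. With the surrounding `if` removed the ConfigMap is now always rendered, which is consistent with the volume in `_certInitializer.yaml` becoming unconditional in the same commit.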
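Review bot: `envVarToCheck: cadi_keystore_password_p12` is added to certInitializer/values.yaml without a comment, so its purpose is only discoverable by reading retrieval_check.sh. Suggest documenting it in place: `# variable that retrieval_check.sh expects agent.sh showpass to have exported; an empty value fails the init container`.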
+++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl @@ -181,8 +181,10 @@ spec: {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- range $i, $certificate := $dot.Values.certificates -}} {{- $mountPath := $certificate.mountPath -}} -- mountPath: {{ $mountPath }} +- mountPath: {{ (printf "%s/secret-%d" $mountPath $i) }} name: certmanager-certs-volume-{{ $i }} +- mountPath: {{ $mountPath }} + name: certmanager-certs-volume-{{ $i }}-dir {{- end -}} {{- end -}} @@ -194,6 +196,8 @@ spec: {{- range $i, $certificate := $certificates -}} {{- $name := include "common.fullname" $dot -}} {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +- name: certmanager-certs-volume-{{ $i }}-dir + emptyDir: {} - name: certmanager-certs-volume-{{ $i }} projected: sources: @@ -217,3 +221,17 @@ spec: {{- end }} {{- end -}} {{- end -}} + +{{- define "common.certManager.linkVolumeMounts" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} +{{- $certificates := $dot.Values.certificates -}} +{{- $certsLinkCommand := "" -}} + {{- range $i, $certificate := $certificates -}} + {{- $destnationPath := (required "'mountPath' for Certificate is required." $certificate.mountPath) -}} + {{- $sourcePath := (printf "%s/secret-%d/*" $destnationPath $i) -}} + {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}} + {{- end -}} +{{ $certsLinkCommand }} +{{- end -}} diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl index 57e6c69b1f..58cc9c7249 100644 --- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl +++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl 
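Review bot: `{{- $mountPath := $certificate.mountPath -}}` in the volumeMounts helper still reads mountPath unchecked, while the new `common.certManager.linkVolumeMounts` guards the same field with `required`; a certificate entry without mountPath therefore renders a `/secret-N` mount at the filesystem root plus an empty second mountPath instead of failing at template time. Use the same guard here: `{{- $mountPath := (required "'mountPath' for Certificate is required." $certificate.mountPath) -}}`. The enclosing define starts before this hunk.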
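Review bot: In `common.certManager.linkVolumeMounts` the local `$destnationPath` is misspelled (destination), and both paths are spliced into the `ln -s` command unquoted, so a mountPath containing whitespace breaks the generated command; chart values are operator-supplied rather than untrusted, but quoting the destination is cheap while the `secret-N/*` source must stay unquoted for the glob to expand, e.g. `{{- $certsLinkCommand = (printf "ln -s %s/secret-%d/* '%s'; %s" $destinationPath $i $destinationPath $certsLinkCommand) -}}`. Where this string is executed is outside the hunk; if it runs as a container command rather than a one-shot init step, the links already exist after a container restart (the emptyDir survives it) and plain `ln -s` fails with "File exists", so `ln -sf` would be the safer form. A template comment stating that the helper emits a shell snippet for the pod command would also help.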
@@ -27,7 +27,9 @@ Full example (other fields are ignored): certificates: - mountPath: /var/custom-certs caName: RA - outputType: JKS + keystore: + outputType: + - jks commonName: common-name dnsNames: - dns-name-1 @@ -65,7 +67,7 @@ There also need to be some includes used in a target component deployment (inden {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} {{- range $index, $certificate := $dot.Values.certificates -}} {{/*# General certifiacate attributes #*/}} -{{- $commonName := $certificate.commonName -}} +{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}} {{/*# SAN's #*/}} {{- $dnsNames := default (list) $certificate.dnsNames -}} {{- $ipAddresses := default (list) $certificate.ipAddresses -}} @@ -87,7 +89,11 @@ There also need to be some includes used in a target component deployment (inden {{- $orgUnit := $certificate.subject.organizationalUnit -}} {{- end -}} {{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}} -{{- $outputType := default $subchartGlobal.platform.certServiceClient.envVariables.outputType $certificate.outputType -}} +{{- $outputType := $subchartGlobal.platform.certServiceClient.envVariables.outputType -}} +{{- if $certificate.keystore -}} +{{- $outputTypeList := (required "'outputType' in 'keystore' section is required." $certificate.keystore.outputType) -}} +{{- $outputType = mustFirst ($outputTypeList) | upper -}} +{{- end -}} {{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}} {{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}} {{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}} diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl index de2548562d..b38a7f1105 100644 --- a/kubernetes/common/common/templates/_pod.tpl 
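Review bot: `mustFirst ($outputTypeList) | upper` honours only the first entry of `keystore.outputType`, so a list such as `[jks, p12]`, which the updated example at the top of this file invites, silently drops everything after the first element. If certServiceClient can only produce one type per request, fail at render time rather than ignore input: `{{- if gt (len $outputTypeList) 1 }}{{ fail "certServiceClient supports a single 'outputType' per certificate" }}{{- end }}`; otherwise state the single-value limit in the example comment. The enclosing `range` starts before this hunk.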
+++ b/kubernetes/common/common/templates/_pod.tpl @@ -36,13 +36,13 @@ {{- $global := . }} {{- range $index, $port := $ports }} {{- if (include "common.needTLS" $global) }} -- containerPort: {{ $port.port }} +- containerPort: {{ default $port.port $port.internal_port }} {{- else }} -- containerPort: {{ default $port.port $port.plain_port }} +- containerPort: {{ default (default $port.port $port.internal_port) (default $port.plain_port $port.internal_plain_port) }} {{- end }} name: {{ $port.name }} {{- if (and $port.plain_port (and (include "common.needTLS" $global) $both_tls_and_plain)) }} -- containerPort: {{ $port.plain_port }} +- containerPort: {{ default $port.plain_port $port.internal_plain_port }} name: {{ $port.name }}-plain {{- end }} {{- end }} @@ -67,4 +67,3 @@ securityContext: privileged: false allowPrivilegeEscalation: false {{- end }} - diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index dddd63491d..9c3010c209 100644 --- a/kubernetes/common/common/templates/_service.tpl +++ b/kubernetes/common/common/templates/_service.tpl @@ -128,7 +128,7 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent name: {{ $port.name }} {{- end }} {{- if (eq $serviceType "NodePort") }} - nodePort: {{ include "common.nodePortPrefix" (dict "dot" $dot "portNodePortExt" $port.useNodePortExt) }}{{ $port.nodePort }} + nodePort: {{ include "common.nodePortPrefix" (dict "dot" $dot "useNodePortExt" $port.useNodePortExt) }}{{ $port.nodePort }} {{- end }} {{- else }} - port: {{ default $port.port $port.plain_port }} diff --git a/kubernetes/common/etcd/templates/statefulset.yaml b/kubernetes/common/etcd/templates/statefulset.yaml index e39b8c4ca2..a343d4fce5 100644 --- a/kubernetes/common/etcd/templates/statefulset.yaml +++ b/kubernetes/common/etcd/templates/statefulset.yaml 
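Review bot: The plain-port line `{{ default (default $port.port $port.internal_port) (default $port.plain_port $port.internal_plain_port) }}` encodes a four-way precedence (internal_plain_port, then plain_port, then internal_port, then port) that a reader will not recover from the nested `default` calls. A short template comment above the range, e.g. `{{/* container port precedence: internal_plain_port > plain_port > internal_port > port when TLS is off; internal_port > port when TLS is on */}}`, would document the contract the new internal_* keys introduce. The enclosing define starts before this hunk.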
@@ -184,7 +184,7 @@ spec: fi cat /var/run/etcd/new_member_envs - source /var/run/etcd/new_member_envs + . /var/run/etcd/new_member_envs collect_member & diff --git a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml index 665cdaad0a..2a1fb4f59e 100644 --- a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml +++ b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml @@ -58,6 +58,9 @@ spec: - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} {{ end -}} readinessProbe: exec: @@ -67,6 +70,9 @@ spec: - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} + successThreshold: {{ .Values.readiness.successThreshold }} + failureThreshold: {{ .Values.readiness.failureThreshold }} lifecycle: preStop: exec: diff --git a/kubernetes/common/music/components/music-cassandra/values.yaml b/kubernetes/common/music/components/music-cassandra/values.yaml index 317087cf24..8530172269 100644 --- a/kubernetes/common/music/components/music-cassandra/values.yaml +++ b/kubernetes/common/music/components/music-cassandra/values.yaml @@ -73,7 +73,10 @@ cql: # probe configuration parameters liveness: initialDelaySeconds: 120 - periodSeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true 
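Review bot: `successThreshold: {{ .Values.liveness.successThreshold }}` is now templated into the music-cassandra liveness probe, but Kubernetes requires successThreshold to be exactly 1 for liveness probes and the API server rejects anything else, so exposing it as a value only creates a way to break the StatefulSet. Either drop the key from the liveness block or hard-code `successThreshold: 1` there and keep the templated value for readiness only. If the value stays in values.yaml for symmetry, a one-line comment next to liveness.successThreshold saying it must remain 1 would avoid the surprise.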
@@ -82,7 +85,10 @@ readinessTimeout: 240 readiness: initialDelaySeconds: 10 - periodSeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 podManagementPolicy: OrderedReady updateStrategy: diff --git a/kubernetes/common/postgres/templates/_deployment.tpl b/kubernetes/common/postgres/templates/_deployment.tpl index 6142baa63f..38a7ce1f63 100644 --- a/kubernetes/common/postgres/templates/_deployment.tpl +++ b/kubernetes/common/postgres/templates/_deployment.tpl @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, AT&T, Bell Canada # Copyright © 2020 Samsung Electronics +# Modifications Copyright (C) 2021 Bell Canada. # # # # Licensed under the Apache License, Version 2.0 (the "License"); # # you may not use this file except in compliance with the License. @@ -134,6 +135,8 @@ spec: value: "{{ $dot.Values.config.pgDatabase }}" - name: PG_ROOT_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 10 }} + - name: PGDATA_PATH_OVERRIDE + value: "{{ $dot.Values.config.pgDataPath }}" volumeMounts: - name: config mountPath: /pgconf/pool_hba.conf diff --git a/kubernetes/common/postgres/values.yaml b/kubernetes/common/postgres/values.yaml index f815847f06..93f6d66385 100644 --- a/kubernetes/common/postgres/values.yaml +++ b/kubernetes/common/postgres/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, AT&T, Bell Canada +# Modifications Copyright (C) 2021 Bell Canada. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -41,12 +42,16 @@ secrets: # Application configuration defaults. ################################################################# +# bitnami image doesn't support well single quote in password +passwordStrengthOverride: basic + pullPolicy: Always # application configuration config: pgUserName: testuser pgDatabase: userdb + pgDataPath: data # pgPrimaryPassword: password # pgUserPassword: password # pgRootPassword: password diff --git a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl index 95de6ec29f..71201a1cc6 100644 --- a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl +++ b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl @@ -67,6 +67,9 @@ - name: {{ include "common.name" $dot }}{{ ternary "" (printf "-%s" $namePart) (empty $namePart) }}-readiness image: {{ include "repositoryGenerator.image.readiness" $subchartDot }} imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }} + securityContext: + runAsUser: {{ $subchartDot.Values.user }} + runAsGroup: {{ $subchartDot.Values.group }} command: - /app/ready.py args: diff --git a/kubernetes/common/readinessCheck/values.yaml b/kubernetes/common/readinessCheck/values.yaml index b15b1c2af3..128c5057cc 100644 --- a/kubernetes/common/readinessCheck/values.yaml +++ b/kubernetes/common/readinessCheck/values.yaml @@ -15,6 +15,9 @@ global: pullPolicy: Always +user: 100 +group: 65533 + limits: cpu: 100m memory: 100Mi |
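Review bot: `passwordStrengthOverride: basic` lowers the profile for every generated postgres password chart-wide to work around a quoting problem in the image, and the comment names the trigger but not the consequence. If `basic` shortens the password or narrows its alphabet, that trade-off should be stated and tracked, e.g. `# 'basic' avoids single quotes, which the bitnami image mishandles in passwords; it also weakens generated passwords, revisit once the image is fixed`; if a profile exists that only excludes quote characters, prefer it over the broad downgrade. `pgDataPath: data` in the same hunk is a relative path with no comment on what it is relative to or how PGDATA_PATH_OVERRIDE consumes it.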
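Review bot: The new securityContext on the readiness init container pins runAsUser and runAsGroup but stops short of the baseline this repo already applies in `_pod.tpl` (`privileged: false`, `allowPrivilegeEscalation: false`). Adding `runAsNonRoot: true` and `allowPrivilegeEscalation: false` next to the two new keys makes the intent explicit and lets the kubelet reject the container should someone later set `user: 0` in values.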
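Review bot: `user: 100` and `group: 65533` in readinessCheck/values.yaml carry no comment on what they must match; since they become runAsUser/runAsGroup of the readiness image, a wrong pair breaks file access in that container with no hint in the values file. Suggest `# uid/gid the readiness init container runs as (runAsUser/runAsGroup); keep in sync with the readiness image`.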