diff options
Diffstat (limited to 'kubernetes/common')
10 files changed, 59 insertions, 10 deletions
diff --git a/kubernetes/common/certInitializer/resources/retrieval_check.sh b/kubernetes/common/certInitializer/resources/retrieval_check.sh new file mode 100644 index 0000000000..f3af14b17a --- /dev/null +++ b/kubernetes/common/certInitializer/resources/retrieval_check.sh @@ -0,0 +1,26 @@ +{{/* +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +#!/bin/sh + +echo "*** retrieving passwords for certificates" +export $(/opt/app/aaf_config/bin/agent.sh local showpass \ + {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) +if [ -z "${{ .Values.envVarToCheck }}" ] +then + echo " /!\ certificates retrieval failed" + exit 1 +fi +echo "*** password retrieval succeeded" diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index 5a8e84cd8c..a46400b911 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -55,6 +55,9 @@ - mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64 name: aaf-agent-certs subPath: truststoreONAP.p12.b64 + - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} + mountPath: /opt/app/aaf_config/bin/retrieval_check.sh + subPath: retrieval_check.sh {{- if $initRoot.aaf_add_config }} - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh @@ -66,6 +69,7 @@ - | #!/usr/bin/env bash /opt/app/aaf_config/bin/agent.sh + source /opt/app/aaf_config/bin/retrieval_check.sh {{- if $initRoot.aaf_add_config }} /opt/app/aaf_config/bin/aaf-add-config.sh {{- end }} @@ -174,13 +178,10 @@ configMap: name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }} defaultMode: 0700 - -{{- if $initRoot.aaf_add_config }} - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} configMap: name: {{ include "common.fullname" $subchartDot }}-add-config defaultMode: 0700 -{{- end -}} {{- if $dot.Values.global.importCustomCertsEnabled }} - name: updated-truststore emptyDir: {} diff --git a/kubernetes/common/certInitializer/templates/configmap.yaml b/kubernetes/common/certInitializer/templates/configmap.yaml index 7eae899cc1..1e9254abef 100644 --- a/kubernetes/common/certInitializer/templates/configmap.yaml +++ b/kubernetes/common/certInitializer/templates/configmap.yaml @@ -14,12 +14,13 @@ # limitations under the License. */}} -{{ if .Values.aaf_add_config }} apiVersion: v1 kind: ConfigMap {{- $suffix := "add-config" }} metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} data: +{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} +{{ if .Values.aaf_add_config }} aaf-add-config.sh: | {{ tpl .Values.aaf_add_config . | indent 4 | trim }} {{- end }} diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml index e7a0a3f02e..52b2765329 100644 --- a/kubernetes/common/certInitializer/values.yaml +++ b/kubernetes/common/certInitializer/values.yaml @@ -54,6 +54,7 @@ importCustomCertsEnabled: false truststoreMountpath: "" truststoreOutputFileName: truststore.jks truststorePassword: changeit +envVarToCheck: cadi_keystore_password_p12 # This introduces implicit dependency on cert-wrapper # if you are using cert initializer cert-wrapper has to be also deployed. diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl index de2548562d..b38a7f1105 100644 --- a/kubernetes/common/common/templates/_pod.tpl +++ b/kubernetes/common/common/templates/_pod.tpl @@ -36,13 +36,13 @@ {{- $global := . }} {{- range $index, $port := $ports }} {{- if (include "common.needTLS" $global) }} -- containerPort: {{ $port.port }} +- containerPort: {{ default $port.port $port.internal_port }} {{- else }} -- containerPort: {{ default $port.port $port.plain_port }} +- containerPort: {{ default (default $port.port $port.internal_port) (default $port.plain_port $port.internal_plain_port) }} {{- end }} name: {{ $port.name }} {{- if (and $port.plain_port (and (include "common.needTLS" $global) $both_tls_and_plain)) }} -- containerPort: {{ $port.plain_port }} +- containerPort: {{ default $port.plain_port $port.internal_plain_port }} name: {{ $port.name }}-plain {{- end }} {{- end }} @@ -67,4 +67,3 @@ securityContext: privileged: false allowPrivilegeEscalation: false {{- end }} - diff --git a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml index 665cdaad0a..2a1fb4f59e 100644 --- a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml +++ b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml @@ -58,6 +58,9 @@ spec: - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} {{ end -}} readinessProbe: exec: @@ -67,6 +70,9 @@ spec: - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} + successThreshold: {{ .Values.readiness.successThreshold }} + failureThreshold: {{ .Values.readiness.failureThreshold }} lifecycle: preStop: exec: diff --git a/kubernetes/common/music/components/music-cassandra/values.yaml b/kubernetes/common/music/components/music-cassandra/values.yaml index 317087cf24..8530172269 100644 --- a/kubernetes/common/music/components/music-cassandra/values.yaml +++ b/kubernetes/common/music/components/music-cassandra/values.yaml @@ -73,7 +73,10 @@ cql: # probe configuration parameters liveness: initialDelaySeconds: 120 - periodSeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true @@ -82,7 +85,10 @@ readinessTimeout: 240 readiness: initialDelaySeconds: 10 - periodSeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 podManagementPolicy: OrderedReady updateStrategy: diff --git a/kubernetes/common/postgres/values.yaml b/kubernetes/common/postgres/values.yaml index f815847f06..07bb5c4eac 100644 --- a/kubernetes/common/postgres/values.yaml +++ b/kubernetes/common/postgres/values.yaml @@ -41,6 +41,9 @@ secrets: # Application configuration defaults. ################################################################# +# bitnami image doesn't support well single quote in password +passwordStrengthOverride: basic + pullPolicy: Always # application configuration diff --git a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl index 95de6ec29f..71201a1cc6 100644 --- a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl +++ b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl @@ -67,6 +67,9 @@ - name: {{ include "common.name" $dot }}{{ ternary "" (printf "-%s" $namePart) (empty $namePart) }}-readiness image: {{ include "repositoryGenerator.image.readiness" $subchartDot }} imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }} + securityContext: + runAsUser: {{ $subchartDot.Values.user }} + runAsGroup: {{ $subchartDot.Values.group }} command: - /app/ready.py args: diff --git a/kubernetes/common/readinessCheck/values.yaml b/kubernetes/common/readinessCheck/values.yaml index b15b1c2af3..128c5057cc 100644 --- a/kubernetes/common/readinessCheck/values.yaml +++ b/kubernetes/common/readinessCheck/values.yaml @@ -15,6 +15,9 @@ global: pullPolicy: Always +user: 100 +group: 65533 + limits: cpu: 100m memory: 100Mi |