summaryrefslogtreecommitdiffstats
path: root/kubernetes/common
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/common')
-rw-r--r--kubernetes/common/certInitializer/resources/retrieval_check.sh26
-rw-r--r--kubernetes/common/certInitializer/templates/_certInitializer.yaml7
-rw-r--r--kubernetes/common/certInitializer/templates/configmap.yaml3
-rw-r--r--kubernetes/common/certInitializer/values.yaml1
-rw-r--r--kubernetes/common/common/templates/_pod.tpl7
-rw-r--r--kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml6
-rw-r--r--kubernetes/common/music/components/music-cassandra/values.yaml10
-rw-r--r--kubernetes/common/postgres/values.yaml3
-rw-r--r--kubernetes/common/readinessCheck/templates/_readinessCheck.tpl3
-rw-r--r--kubernetes/common/readinessCheck/values.yaml3
10 files changed, 59 insertions, 10 deletions
diff --git a/kubernetes/common/certInitializer/resources/retrieval_check.sh b/kubernetes/common/certInitializer/resources/retrieval_check.sh
new file mode 100644
index 0000000000..f3af14b17a
--- /dev/null
+++ b/kubernetes/common/certInitializer/resources/retrieval_check.sh
@@ -0,0 +1,26 @@
+{{/*
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+#!/bin/sh
+
+echo "*** retrieving passwords for certificates"
+export $(/opt/app/aaf_config/bin/agent.sh local showpass \
+ {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0)
+if [ -z "${{ .Values.envVarToCheck }}" ]
+then
+ echo " /!\ certificates retrieval failed"
+ exit 1
+fi
+echo "*** password retrieval succeeded"
diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
index 5a8e84cd8c..a46400b911 100644
--- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml
+++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
@@ -55,6 +55,9 @@
- mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64
name: aaf-agent-certs
subPath: truststoreONAP.p12.b64
+ - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
+ mountPath: /opt/app/aaf_config/bin/retrieval_check.sh
+ subPath: retrieval_check.sh
{{- if $initRoot.aaf_add_config }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
@@ -66,6 +69,7 @@
- |
#!/usr/bin/env bash
/opt/app/aaf_config/bin/agent.sh
+ source /opt/app/aaf_config/bin/retrieval_check.sh
{{- if $initRoot.aaf_add_config }}
/opt/app/aaf_config/bin/aaf-add-config.sh
{{- end }}
@@ -174,13 +178,10 @@
configMap:
name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }}
defaultMode: 0700
-
-{{- if $initRoot.aaf_add_config }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
configMap:
name: {{ include "common.fullname" $subchartDot }}-add-config
defaultMode: 0700
-{{- end -}}
{{- if $dot.Values.global.importCustomCertsEnabled }}
- name: updated-truststore
emptyDir: {}
diff --git a/kubernetes/common/certInitializer/templates/configmap.yaml b/kubernetes/common/certInitializer/templates/configmap.yaml
index 7eae899cc1..1e9254abef 100644
--- a/kubernetes/common/certInitializer/templates/configmap.yaml
+++ b/kubernetes/common/certInitializer/templates/configmap.yaml
@@ -14,12 +14,13 @@
# limitations under the License.
*/}}
-{{ if .Values.aaf_add_config }}
apiVersion: v1
kind: ConfigMap
{{- $suffix := "add-config" }}
metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
data:
+{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}
+{{ if .Values.aaf_add_config }}
aaf-add-config.sh: |
{{ tpl .Values.aaf_add_config . | indent 4 | trim }}
{{- end }}
diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml
index e7a0a3f02e..52b2765329 100644
--- a/kubernetes/common/certInitializer/values.yaml
+++ b/kubernetes/common/certInitializer/values.yaml
@@ -54,6 +54,7 @@ importCustomCertsEnabled: false
truststoreMountpath: ""
truststoreOutputFileName: truststore.jks
truststorePassword: changeit
+envVarToCheck: cadi_keystore_password_p12
# This introduces implicit dependency on cert-wrapper
# if you are using cert initializer cert-wrapper has to be also deployed.
diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl
index de2548562d..b38a7f1105 100644
--- a/kubernetes/common/common/templates/_pod.tpl
+++ b/kubernetes/common/common/templates/_pod.tpl
@@ -36,13 +36,13 @@
{{- $global := . }}
{{- range $index, $port := $ports }}
{{- if (include "common.needTLS" $global) }}
-- containerPort: {{ $port.port }}
+- containerPort: {{ default $port.port $port.internal_port }}
{{- else }}
-- containerPort: {{ default $port.port $port.plain_port }}
+- containerPort: {{ default (default $port.port $port.internal_port) (default $port.plain_port $port.internal_plain_port) }}
{{- end }}
name: {{ $port.name }}
{{- if (and $port.plain_port (and (include "common.needTLS" $global) $both_tls_and_plain)) }}
-- containerPort: {{ $port.plain_port }}
+- containerPort: {{ default $port.plain_port $port.internal_plain_port }}
name: {{ $port.name }}-plain
{{- end }}
{{- end }}
@@ -67,4 +67,3 @@ securityContext:
privileged: false
allowPrivilegeEscalation: false
{{- end }}
-
diff --git a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml
index 665cdaad0a..2a1fb4f59e 100644
--- a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml
+++ b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml
@@ -58,6 +58,9 @@ spec:
- nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }'
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
+ timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}
+ successThreshold: {{ .Values.liveness.successThreshold }}
+ failureThreshold: {{ .Values.liveness.failureThreshold }}
{{ end -}}
readinessProbe:
exec:
@@ -67,6 +70,9 @@ spec:
- nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }'
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
+ timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}
+ successThreshold: {{ .Values.readiness.successThreshold }}
+ failureThreshold: {{ .Values.readiness.failureThreshold }}
lifecycle:
preStop:
exec:
diff --git a/kubernetes/common/music/components/music-cassandra/values.yaml b/kubernetes/common/music/components/music-cassandra/values.yaml
index 317087cf24..8530172269 100644
--- a/kubernetes/common/music/components/music-cassandra/values.yaml
+++ b/kubernetes/common/music/components/music-cassandra/values.yaml
@@ -73,7 +73,10 @@ cql:
# probe configuration parameters
liveness:
initialDelaySeconds: 120
- periodSeconds: 10
+ periodSeconds: 20
+ timeoutSeconds: 10
+ successThreshold: 1
+ failureThreshold: 3
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
enabled: true
@@ -82,7 +85,10 @@ readinessTimeout: 240
readiness:
initialDelaySeconds: 10
- periodSeconds: 10
+ periodSeconds: 20
+ timeoutSeconds: 10
+ successThreshold: 1
+ failureThreshold: 3
podManagementPolicy: OrderedReady
updateStrategy:
diff --git a/kubernetes/common/postgres/values.yaml b/kubernetes/common/postgres/values.yaml
index f815847f06..07bb5c4eac 100644
--- a/kubernetes/common/postgres/values.yaml
+++ b/kubernetes/common/postgres/values.yaml
@@ -41,6 +41,9 @@ secrets:
# Application configuration defaults.
#################################################################
+# bitnami image doesn't support well single quote in password
+passwordStrengthOverride: basic
+
pullPolicy: Always
# application configuration
diff --git a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl
index 95de6ec29f..71201a1cc6 100644
--- a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl
+++ b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl
@@ -67,6 +67,9 @@
- name: {{ include "common.name" $dot }}{{ ternary "" (printf "-%s" $namePart) (empty $namePart) }}-readiness
image: {{ include "repositoryGenerator.image.readiness" $subchartDot }}
imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
+ securityContext:
+ runAsUser: {{ $subchartDot.Values.user }}
+ runAsGroup: {{ $subchartDot.Values.group }}
command:
- /app/ready.py
args:
diff --git a/kubernetes/common/readinessCheck/values.yaml b/kubernetes/common/readinessCheck/values.yaml
index b15b1c2af3..128c5057cc 100644
--- a/kubernetes/common/readinessCheck/values.yaml
+++ b/kubernetes/common/readinessCheck/values.yaml
@@ -15,6 +15,9 @@
global:
pullPolicy: Always
+user: 100
+group: 65533
+
limits:
cpu: 100m
memory: 100Mi