diff options
Diffstat (limited to 'kubernetes/common')
-rwxr-xr-x | kubernetes/common/cert-wrapper/resources/import-custom-certs.sh | 13 | ||||
-rw-r--r-- | kubernetes/common/certInitializer/templates/_certInitializer.yaml | 3 | ||||
-rw-r--r-- | kubernetes/common/cmpv2Config/values.yaml | 2 | ||||
-rw-r--r-- | kubernetes/common/common/templates/_service.tpl | 10 | ||||
-rw-r--r-- | kubernetes/common/common/templates/_serviceMesh.tpl | 12 | ||||
-rw-r--r-- | kubernetes/common/timescaledb/.helmignore | 22 | ||||
-rw-r--r-- | kubernetes/common/timescaledb/Chart.yaml | 23 | ||||
-rw-r--r-- | kubernetes/common/timescaledb/requirements.yaml | 28 | ||||
-rw-r--r-- | kubernetes/common/timescaledb/resources/init/init-schema.sh | 28 | ||||
-rw-r--r-- | kubernetes/common/timescaledb/templates/configmap-init.yaml | 33 | ||||
-rw-r--r-- | kubernetes/common/timescaledb/templates/pv.yaml | 21 | ||||
-rw-r--r-- | kubernetes/common/timescaledb/templates/secrets.yaml | 21 | ||||
-rw-r--r-- | kubernetes/common/timescaledb/templates/service.yaml | 21 | ||||
-rw-r--r-- | kubernetes/common/timescaledb/templates/statefulset.yaml | 90 | ||||
-rw-r--r-- | kubernetes/common/timescaledb/values.yaml | 111 |
15 files changed, 437 insertions, 1 deletions
diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index eb07a74cd4..fa3de03ece 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -22,6 +22,7 @@ WORK_DIR=${WORK_DIR:-/updatedTruststore} ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks} JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts} TRUSTSTORE_OUTPUT_FILENAME=${TRUSTSTORE_OUTPUT_FILENAME:-truststore.jks} +SSL_WORKDIR=${SSL_WORKDIR:-/usr/local/share/ca-certificates} mkdir -p $WORK_DIR @@ -75,3 +76,15 @@ for f in $WORK_DIR/*; do fi fi done + +# Import certificates to Linux SSL Truststore +cp $CERTS_DIR/*.crt $SSL_WORKDIR/. +cp $MORE_CERTS_DIR/*.crt $SSL_WORKDIR/. +update-ca-certificates +if [ $? != 0 ] + then + echo "failed importing certificates" + exit 1 + else + cp /etc/ssl/certs/ca-certificates.crt $WORK_DIR/. +fi
\ No newline at end of file diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index f3ba8a24e0..32bba457ee 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -174,6 +174,9 @@ - mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }} name: updated-truststore subPath: {{ $initRoot.truststoreOutputFileName }} +- mountPath: /etc/ssl/certs/ca-certificates.crt + name: updated-truststore + subPath: ca-certificates.crt {{- end -}} {{- end -}} diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index 02595b348d..4b8438ace2 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml @@ -35,5 +35,5 @@ global: truststorePasswordSecretName: oom-cert-service-truststore-password truststorePasswordSecretKey: password certPostProcessor: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index 49f1b940a6..a488e0d5fa 100644 --- a/kubernetes/common/common/templates/_service.tpl +++ b/kubernetes/common/common/templates/_service.tpl @@ -323,6 +323,16 @@ true {{- end }} {{- end -}} +{{/* + generate needed scheme: + - https if needTLS + - http if not +*/}} + +{{- define "common.scheme" -}} + {{- ternary "https" "http" (eq "true" (include "common.needTLS" .)) }} +{{- end -}} + {{- define "common.port.buildCache" -}} {{- $global := . }} {{- if not $global.Values._DmaapDrNodePortsCache }} diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index 4457762754..d4fc182b34 100644 --- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl @@ -25,3 +25,15 @@ true {{- end -}} {{- end -}} {{- end -}} + +{{- define "common.serviceMesh.killSidecar" -}} +{{- if (include "common.onServiceMesh" .) }} +RCODE="$?"; +echo "*** script finished with exit code $RCODE" ; +echo "*** killing service mesh sidecar" ; +curl -sf -X POST http://127.0.0.1:15020/quitquitquit ; +echo "" ; +echo "*** exiting with script exit code" ; +exit "$RCODE" +{{- end }} +{{- end -}} diff --git a/kubernetes/common/timescaledb/.helmignore b/kubernetes/common/timescaledb/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/kubernetes/common/timescaledb/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml new file mode 100644 index 0000000000..7aeafa01f2 --- /dev/null +++ b/kubernetes/common/timescaledb/Chart.yaml @@ -0,0 +1,23 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v1 +appVersion: "1.0" +description: ONAP timescaledb +name: timescaledb +version: 8.0.0 diff --git a/kubernetes/common/timescaledb/requirements.yaml b/kubernetes/common/timescaledb/requirements.yaml new file mode 100644 index 0000000000..de0c414c19 --- /dev/null +++ b/kubernetes/common/timescaledb/requirements.yaml @@ -0,0 +1,28 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +dependencies: + - name: common + version: ~8.x-0 + repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~8.x-0 + repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/timescaledb/resources/init/init-schema.sh b/kubernetes/common/timescaledb/resources/init/init-schema.sh new file mode 100644 index 0000000000..ab83cffae2 --- /dev/null +++ b/kubernetes/common/timescaledb/resources/init/init-schema.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +set -e +set echo on; +psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL + CREATE USER $DB_USERNAME WITH PASSWORD '$DB_PASSWORD'; + CREATE SCHEMA $POSTGRES_DB; + GRANT ALL PRIVILEGES ON SCHEMA $POSTGRES_DB TO $DB_USERNAME; + CREATE EXTENSION IF NOT EXISTS timescaledb WITH SCHEMA $POSTGRES_DB; +EOSQL diff --git a/kubernetes/common/timescaledb/templates/configmap-init.yaml b/kubernetes/common/timescaledb/templates/configmap-init.yaml new file mode 100644 index 0000000000..82c1de6255 --- /dev/null +++ b/kubernetes/common/timescaledb/templates/configmap-init.yaml @@ -0,0 +1,33 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-init + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: + init-schema.sh: |- +{{ .Files.Get "resources/init/init-schema.sh" | indent 4}} diff --git a/kubernetes/common/timescaledb/templates/pv.yaml b/kubernetes/common/timescaledb/templates/pv.yaml new file mode 100644 index 0000000000..f99b5f3562 --- /dev/null +++ b/kubernetes/common/timescaledb/templates/pv.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.PV" . }} diff --git a/kubernetes/common/timescaledb/templates/secrets.yaml b/kubernetes/common/timescaledb/templates/secrets.yaml new file mode 100644 index 0000000000..c888d48b6c --- /dev/null +++ b/kubernetes/common/timescaledb/templates/secrets.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/timescaledb/templates/service.yaml b/kubernetes/common/timescaledb/templates/service.yaml new file mode 100644 index 0000000000..c205ff4889 --- /dev/null +++ b/kubernetes/common/timescaledb/templates/service.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml new file mode 100644 index 0000000000..9b63de434d --- /dev/null +++ b/kubernetes/common/timescaledb/templates/statefulset.yaml @@ -0,0 +1,90 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: StatefulSet +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + serviceName: {{ include "common.servicename" . }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + imagePullPolicy: {{ .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + livenessProbe: + exec: + command: ["psql", "-w", "-U", "{{ .Values.config.pgRootUserName }}", "-c", "select 1"] + initialDelaySeconds: 5 + periodSeconds: 60 + readinessProbe: + exec: + command: ["psql", "-w", "-U", "{{ .Values.config.pgRootUserName }}", "-c", "select 1"] + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "login") | indent 14 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "password") | indent 14 }} + - name: POSTGRES_DB + value: {{ .Values.config.pgDatabase }} + - name: POSTGRES_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-creds" "key" "login") | indent 14 }} + - name: POSTGRES_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-creds" "key" "password") | indent 14 }} + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + resources: +{{ include "common.resources" . | indent 12 }} + volumeMounts: + - name: {{ include "common.fullname" . }}-init + mountPath: /docker-entrypoint-initdb.d + - name: {{ include "common.fullname" . }} + mountPath: /var/lib/postgresql/data + volumes: + - name: {{ include "common.fullname" . }}-init + configMap: + name: {{ include "common.fullname" . }}-init + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} + volumeClaimTemplates: + - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence) | indent 6 | trim }} +{{- end }} diff --git a/kubernetes/common/timescaledb/values.yaml b/kubernetes/common/timescaledb/values.yaml new file mode 100644 index 0000000000..b6d2face3a --- /dev/null +++ b/kubernetes/common/timescaledb/values.yaml @@ -0,0 +1,111 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +replicaCount: 1 +global: + persistence: {} + +################################################################# +# Secrets. +############################################################## +image: timescale/timescaledb:2.1.1-pg13 + +pullPolicy: Always +containerPorts: 5432 + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + nameOverride: timescaledb + roles: + - read + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: + cpu: 0.5 + memory: 256Mi + requests: + cpu: 20m + memory: 256Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +service: + type: ClusterIP + name: timescaledb + ports: + - name: tcp-timescaledb + port: 5432 + +persistence: + enabled: true + + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + volumeReclaimPolicy: Retain + + ## database data Persistent Volume Storage Class + ## If defined, storageClassName: <storageClass> + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + accessMode: ReadWriteOnce + size: 1Gi + mountPath: /dockerdata-nfs + +config: + pgUserName: timescaledb + pgRootUserName: postgres + pgDatabase: timescaledb + +secrets: + - uid: root-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.pgRootPasswordExternalSecret) . }}' + login: '{{ .Values.config.pgRootUserName }}' + password: '{{ .Values.config.pgRootpassword }}' + - uid: user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.pgUserExternalSecret) . }}' + login: '{{ .Values.config.pgUserName }}' + password: '{{ .Values.config.pgUserPassword }}' + |