Diffstat (limited to 'kubernetes/common')
25 files changed, 713 insertions, 103 deletions
diff --git a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh index c01d7c6d57..2d30f2e068 100644 --- a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh +++ b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh @@ -71,7 +71,7 @@ if [ "$1" = 'cassandra' ]; then start_rpc \ authenticator \ ; do - var="CASSANDRA_${yaml^^}" + var="CASSANDRA_$(echo $yaml | tr '[:lower:]' '[:upper:]')" # eval presents no security issue here because of limited possible values of var eval val=\$$var if [ "$val" ]; then @@ -81,7 +81,7 @@ if [ "$1" = 'cassandra' ]; then done for rackdc in dc rack; do - var="CASSANDRA_${rackdc^^}" + var="CASSANDRA_$(echo $rackdc | tr '[:lower:]' '[:upper:]')" # eval presents no security issue here because of limited possible values of var eval val=\$$var if [ "$val" ]; then diff --git a/kubernetes/common/cassandra/resources/restore.sh b/kubernetes/common/cassandra/resources/restore.sh index 7f271d262f..0df2d79fc6 100644 --- a/kubernetes/common/cassandra/resources/restore.sh +++ b/kubernetes/common/cassandra/resources/restore.sh 
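Review bot: The replacement `var="CASSANDRA_$(echo $yaml | tr '[:lower:]' '[:upper:]')"` leaves `$yaml` unquoted inside `echo`, which is harmless for the fixed word list this loop iterates but is exactly the pattern a linter flags; `$(printf '%s' "$yaml" | tr '[:lower:]' '[:upper:]')` is the portable form and also sidesteps echo's option handling. The same construct is used in the `rackdc` hunk below and in `mariadb-init/resources/config/db_init.sh`, where `$DB` comes from `while read DB` on stdin rather than a literal list, so quoting matters more there. The `for … in` loop and the `eval val=\$$var` that consumes `var` begin and continue outside this hunk.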
@@ -20,25 +20,25 @@ find_target_table_name () print_usage () { - echo "NAME" - echo " Script to restore Cassandra database from Nuvo/Cain snapshot" - echo "SYNOPSIS" - echo " $me [--help|-h] [--base_db_dir|-b] [--snapshot_dir|-s] [--keyspace|-k] [--tag|-t]" - echo " MUST OPTIONS: base_db_dir, snapshot_dir, keyspace_name" - echo "DESCRIPTION" - echo " --base_db_dir, -b" - echo " Location of running Cassandra database" - echo " --snapshot_dir, -s" - echo " Snapshot location of Cassandra database taken by Nuvo/Cain" - echo " --keyspace, -k" - echo " Name of the keyspace to restore" - echo "EXAMPLE" - echo " $me -b /var/lib/cassandra/data -s /root/data.ss -k DISCOVERY_SERVER -t 1234567" - exit + echo "NAME" + echo " Script to restore Cassandra database from Nuvo/Cain snapshot" + echo "SYNOPSIS" + echo " $me [--help|-h] [--base_db_dir|-b] [--snapshot_dir|-s] [--keyspace|-k] [--tag|-t]" + echo " MUST OPTIONS: base_db_dir, snapshot_dir, keyspace_name" + echo "DESCRIPTION" + echo " --base_db_dir, -b" + echo " Location of running Cassandra database" + echo " --snapshot_dir, -s" + echo " Snapshot location of Cassandra database taken by Nuvo/Cain" + echo " --keyspace, -k" + echo " Name of the keyspace to restore" + echo "EXAMPLE" + echo " $me -b /var/lib/cassandra/data -s /root/data.ss -k DISCOVERY_SERVER -t 1234567" + exit } if [ $# -eq 0 ] then - print_usage + print_usage fi while [ $# -gt 0 ] 
@@ -47,40 +47,40 @@ key="$1" shift case $key in - -h|--help) - print_usage - ;; - -b|--base_db_dir) - base_db_dir="$1" - shift - ;; - -s|--snapshot_dir) - ss_dir="$1" - shift - ;; - -k|--keyspace) - keyspace_name="$1" - ;; - -t|--tag) - tag_name="$1" - ;; - --default) - DEFAULT=YES - shift - ;; - *) - # unknown option - ;; + -h|--help) + print_usage + ;; + -b|--base_db_dir) + base_db_dir="$1" + shift + ;; + -s|--snapshot_dir) + ss_dir="$1" + shift + ;; + -k|--keyspace) + keyspace_name="$1" + ;; + -t|--tag) + tag_name="$1" + ;; + --default) + DEFAULT=YES + shift + ;; + *) + # unknown option + ;; esac done # Validate inputs if [ "$base_db_dir" = "" ] || [ "$ss_dir" = "" ] || [ "$keyspace_name" = "" ] then - echo "" - echo ">>>>>>>>>>Not all inputs provided, please check usage >>>>>>>>>>" - echo "" - print_usage + echo "" + echo ">>>>>>>>>>Not all inputs provided, please check usage >>>>>>>>>>" + echo "" + print_usage fi # Remove commit logs from current data dir diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index 6df7505e7b..fa3de03ece 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -22,6 +22,7 @@ WORK_DIR=${WORK_DIR:-/updatedTruststore} ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks} JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts} TRUSTSTORE_OUTPUT_FILENAME=${TRUSTSTORE_OUTPUT_FILENAME:-truststore.jks} +SSL_WORKDIR=${SSL_WORKDIR:-/usr/local/share/ca-certificates} mkdir -p $WORK_DIR @@ -37,10 +38,10 @@ for f in $CERTS_DIR/*; do # Dont use onap truststore when aaf is disabled continue fi - if [ ${f: -3} = ".sh" ]; then + if echo $f | grep '\.sh$' >/dev/null; then continue fi - if [ ${f: -4} = ".b64" ] + if echo $f | grep '\.b64$' >/dev/null; then then base64 -d $f > $WORK_DIR/`basename $f .b64` else 
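Review bot: The rewritten `.b64` test leaves two consecutive `then` keywords, because the added line `if echo $f | grep '\.b64$' >/dev/null; then` is followed by the unchanged context line `then` that belonged to the old two-line form, and the shell will reject the script with a syntax error there. Either drop the trailing `; then` from the added line or also remove the standalone `then` context line, matching the single-line form used for the `.sh` check two lines above. `echo $f` is unquoted, so a path with whitespace would be split; `printf '%s\n' "$f" | grep -q '\.b64$'` is the robust spelling. The enclosing `for f in $CERTS_DIR/*` loop starts before this hunk.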
@@ -49,8 +50,7 @@ for f in $CERTS_DIR/*; do done for f in $MORE_CERTS_DIR/*; do - if [ ${f: -4} == ".pem" ] - then + if echo $f | grep '\.pem$' >/dev/null; then cp $f $WORK_DIR/. fi done @@ -67,7 +67,7 @@ fi # Import Custom Certificates for f in $WORK_DIR/*; do - if [ ${f: -4} = ".pem" ]; then + if echo $f | grep '\.pem$' >/dev/null; then echo "importing certificate: $f" keytool -import -file $f -alias `basename $f` -keystore $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -storepass $TRUSTSTORE_PASSWORD -noprompt if [ $? != 0 ]; then @@ -76,3 +76,15 @@ for f in $WORK_DIR/*; do fi fi done + +# Import certificates to Linux SSL Truststore +cp $CERTS_DIR/*.crt $SSL_WORKDIR/. +cp $MORE_CERTS_DIR/*.crt $SSL_WORKDIR/. +update-ca-certificates +if [ $? != 0 ] + then + echo "failed importing certificates" + exit 1 + else + cp /etc/ssl/certs/ca-certificates.crt $WORK_DIR/. +fi
\ No newline at end of file diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index f3ba8a24e0..32bba457ee 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -174,6 +174,9 @@ - mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }} name: updated-truststore subPath: {{ $initRoot.truststoreOutputFileName }} +- mountPath: /etc/ssl/certs/ca-certificates.crt + name: updated-truststore + subPath: ca-certificates.crt {{- end -}} {{- end -}} diff --git a/kubernetes/common/certInitializer/templates/job.yaml b/kubernetes/common/certInitializer/templates/job.yaml index 331a58c310..2acb423511 100644 --- a/kubernetes/common/certInitializer/templates/job.yaml +++ b/kubernetes/common/certInitializer/templates/job.yaml @@ -20,12 +20,13 @@ kind: Job {{- $suffix := "set-tls-secret" }} metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} spec: + backoffLimit: 20 template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: {{ include "common.certInitializer.initContainer" (dict "dot" . "initRoot" .Values) | nindent 6 }} containers: - - name: create tls secret + - name: create-tls-secret command: - /ingress/onboard.sh image: {{ include "repositoryGenerator.image.kubectl" . }} @@ -41,4 +42,5 @@ spec: configMap: name: {{ include "common.fullname" . }}-ingress defaultMode: 0777 + restartPolicy: Never {{- end}} diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index 02595b348d..4b8438ace2 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml 
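Review bot: The two new `cp $CERTS_DIR/*.crt $SSL_WORKDIR/.` / `cp $MORE_CERTS_DIR/*.crt $SSL_WORKDIR/.` lines are not error-checked and, when either directory holds no `.crt` file, the unexpanded glob is handed to `cp` literally and the copy fails silently, while the `update-ca-certificates` result just below is checked. A `for` loop over both globs with an `-f` test makes the empty case explicit and lets each copy be checked, and `if ! update-ca-certificates; then` replaces the `$?` test and the oddly indented `then`/`else`. `update-ca-certificates` is the Debian/Ubuntu tool; presumably the cert-wrapper image provides it, but that is not visible here. The file also ends without a trailing newline.
```shell
# Import certificates to Linux SSL Truststore
for f in $CERTS_DIR/*.crt $MORE_CERTS_DIR/*.crt; do
  [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
  cp "$f" "$SSL_WORKDIR/." || { echo "failed copying $f"; exit 1; }
done
if ! update-ca-certificates; then
  echo "failed importing certificates"
  exit 1
fi
cp /etc/ssl/certs/ca-certificates.crt "$WORK_DIR/."
```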
@@ -35,5 +35,5 @@ global: truststorePasswordSecretName: oom-cert-service-truststore-password truststorePasswordSecretKey: password certPostProcessor: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 diff --git a/kubernetes/common/common/templates/_affinities.tpl b/kubernetes/common/common/templates/_affinities.tpl index f0802be29d..bf7ae497ca 100644 --- a/kubernetes/common/common/templates/_affinities.tpl +++ b/kubernetes/common/common/templates/_affinities.tpl @@ -23,7 +23,7 @@ Return a soft nodeAffinity definition preferredDuringSchedulingIgnoredDuringExecution: - preference: matchExpressions: - key: {{ .key }} + - key: {{ .key }} operator: In values: {{- range .values }} @@ -40,7 +40,7 @@ Return a hard nodeAffinity definition requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: {{ .key }} + - key: {{ .key }} operator: In values: {{- range .values }} diff --git a/kubernetes/common/common/templates/_dmaapProvisioning.tpl b/kubernetes/common/common/templates/_dmaapProvisioning.tpl index 704bd06a49..d28494aacd 100644 --- a/kubernetes/common/common/templates/_dmaapProvisioning.tpl +++ b/kubernetes/common/common/templates/_dmaapProvisioning.tpl @@ -142,7 +142,7 @@ cd /opt/app/config/cache for file in $(ls feed*); do NUM=$(echo "$file" | sed 's/feedConfig-\([0-9]\+\)-resp.json/\1/') - export DR_LOG_URL_"$NUM"="$(grep -o '"logURL":"[^"]*' "$file" | cut -d '"' -f4)" + export DR_LOG_URL_"$NUM"="$(grep -o '"logURL":"[^"]*' "$file" | grep -w "feedlog" | cut -d '"' -f4)" export DR_FILES_PUBLISHER_URL_"$NUM"="$(grep -o '"publishURL":"[^"]*' "$file" | cut -d '"' -f4)" done for file in $(ls drpub*); do diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index 8489cc5021..a488e0d5fa 100644 --- a/kubernetes/common/common/templates/_service.tpl 
+++ b/kubernetes/common/common/templates/_service.tpl @@ -13,7 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} - {{/* Resolve the name of a chart's service. @@ -122,6 +121,11 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent {{- if (include "common.needTLS" $dot) }} - port: {{ $port.port }} targetPort: {{ $port.name }} +{{- if $port.l4_protocol }} + protocol: {{ $port.l4_protocol }} +{{- else }} + protocol: TCP +{{- end }} {{- if $port.port_protocol }} name: {{ printf "%ss-%s" $port.port_protocol $port.name }} {{- else }} @@ -133,6 +137,11 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent {{- else }} - port: {{ default $port.port $port.plain_port }} targetPort: {{ $port.name }} +{{- if $port.plain_port_l4_protocol }} + protocol: {{ $port.plain_port_l4_protocol }} +{{- else }} + protocol: {{ default "TCP" $port.l4_protocol }} +{{- end }} {{- if $port.port_protocol }} name: {{ printf "%s-%s" $port.port_protocol $port.name }} {{- else }} @@ -143,6 +152,11 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent {{- if (eq $serviceType "ClusterIP") }} - port: {{ $port.plain_port }} targetPort: {{ $port.name }}-plain +{{- if $port.plain_l4_port_protocol }} + protocol: {{ $port.plain_port_l4_protocol }} +{{- else }} + protocol: {{ default "TCP" $port.l4_protocol }} +{{- end }} {{- if $port.port_protocol }} name: {{ printf "%s-%s" $port.port_protocol $port.name }} {{- else }} @@ -309,6 +323,16 @@ true {{- end }} {{- end -}} +{{/* + generate needed scheme: + - https if needTLS + - http if not +*/}} + +{{- define "common.scheme" -}} + {{- ternary "https" "http" (eq "true" (include "common.needTLS" .)) }} +{{- end -}} + {{- define "common.port.buildCache" -}} {{- $global := . }} {{- if not $global.Values._DmaapDrNodePortsCache }} 
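Review bot: In the `ClusterIP` plain-port hunk (`@@ -143,6 +152,11 @@`) the condition tests `$port.plain_l4_port_protocol` but the rendered value is `$port.plain_port_l4_protocol`, so a chart that sets `plain_port_l4_protocol` (the key the `@@ -133` hunk uses) silently gets the default here, and one that sets the misspelled key renders an empty `protocol:`. Change the test to `{{- if $port.plain_port_l4_protocol }}` so all three branches read the same key. The `common.scheme` helper added at the end of the file reads correctly.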
diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl
index 4457762754..d4fc182b34 100644
--- a/kubernetes/common/common/templates/_serviceMesh.tpl
+++ b/kubernetes/common/common/templates/_serviceMesh.tpl
@@ -25,3 +25,15 @@ true
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "common.serviceMesh.killSidecar" -}}
+{{- if (include "common.onServiceMesh" .) }}
+RCODE="$?";
+echo "*** script finished with exit code $RCODE" ;
+echo "*** killing service mesh sidecar" ;
+curl -sf -X POST http://127.0.0.1:15020/quitquitquit ;
+echo "" ;
+echo "*** exiting with script exit code" ;
+exit "$RCODE"
+{{- end }}
+{{- end -}}
diff --git a/kubernetes/common/common/templates/_serviceMonitor.tpl b/kubernetes/common/common/templates/_serviceMonitor.tpl
new file mode 100644
index 0000000000..eb6c047c2f
--- /dev/null
+++ b/kubernetes/common/common/templates/_serviceMonitor.tpl
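Review bot: `common.serviceMesh.killSidecar` only works if `RCODE="$?"` is evaluated immediately after the command whose status it should propagate, but nothing in the define says so; a caller that emits even an `echo` between its main command and the include will always exit 0. Add a comment above the define such as `{{/* Include directly after the last command of a script: RCODE captures that command's exit status, the service mesh sidecar is asked to quit via 127.0.0.1:15020/quitquitquit, and the captured status is re-raised with exit. */}}`. The `curl -sf` result is deliberately not checked (no sidecar listening must not change the exit code), which is worth stating in the same comment so nobody "fixes" it later.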
@@ -0,0 +1,166 @@ +{{/* +# Copyright © 2021 Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{/* + Resolve the name of a chart's serviceMonitor. + + The default will be the chart name (or $dot.Values.nameOverride if set). + And the use of .Values.metrics.serviceMonitor.name overrides all. + + - .Values.metrics.serviceMonitor.name: override default serviceMonitor (ie. chart) name + Example values file addition: + metrics: + serviceMonitor: + enabled: true + port: blueprints-processor-http + ## specify target port if name is not given to the port in the service definition + ## + # targetPort: 8080 + path: /metrics + basicAuth: + enabled: false + externalSecretName: mysecretname + externalSecretUserKey: login + externalSecretPasswordKey: password + + ## Namespace in which Prometheus is running + ## + # namespace: monitoring + + ## Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + # interval: 60s + + ## Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + # scrapeTimeout: 10s + + ## ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + selector: + app: '{{ include "common.name" . 
}}' + chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + release: '{{ include "common.release" . }}' + heritage: '{{ .Release.Service }}' + + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + relabelings: [] + + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + metricRelabelings: [] + # - sourceLabels: + # - "__name__" + # targetLabel: "__name__" + # action: replace + # regex: '(.*)' + # replacement: 'example_prefix_$1' + +*/}} +{{/* + Expand the serviceMonitor name for a chart. +*/}} +{{- define "common.serviceMonitorName" -}} + {{- $name := default .Chart.Name .Values.nameOverride -}} + {{- default $name .Values.metrics.serviceMonitor.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* Define the metadata of serviceMonitor + The function takes from one to four arguments (inside a dictionary): + - .dot : environment (.) + - .suffix : a string which will be added at the end of the name (with a '-'). + - .annotations: the annotations to add + - .labels : labels to add + Usage example: + {{ include "common.serviceMonitorMetadata" ( dict "suffix" "myService" "dot" .) }} + {{ include "common.serviceMonitorMetadata" ( dict "annotations" .Values.metrics.serviceMonitor.annotation "dot" .) }} +*/}} + +{{- define "common.serviceMonitorMetadata" -}} +{{- $dot := default . 
.dot -}} +{{- $annotations := default "" .annotations -}} +{{- $labels := default (dict) .labels -}} +{{- if $annotations -}} +annotations: +{{ include "common.tplValue" (dict "value" $annotations "context" $dot) | indent 2 }} +{{- end }} +name: {{ include "common.serviceMonitorName" $dot }} +{{- if $dot.Values.metrics.serviceMonitor.namespace }} +namespace: {{ $dot.Values.metrics.serviceMonitor.namespace }} +{{- else }} +namespace: {{ include "common.namespace" $dot }} +{{- end }} +labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent 2 }} +{{- end -}} + +{{/* + Create service monitor template +*/}} +{{- define "common.serviceMonitor" -}} +{{- $dot := default . .dot -}} +{{- $labels := default (dict) .labels -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: +{{- include "common.serviceMonitorMetadata" $dot | nindent 2 }} +spec: + endpoints: + - path: {{ default "/metrics" $dot.Values.metrics.serviceMonitor.path }} + {{- if $dot.Values.metrics.serviceMonitor.port }} + port: {{ $dot.Values.metrics.serviceMonitor.port }} + {{- else if $dot.Values.metrics.serviceMonitor.targetPort }} + targetPort: {{ $dot.Values.metrics.serviceMonitor.targetPort }} + {{- else }} + port: metrics + {{- end }} + {{- if $dot.Values.metrics.serviceMonitor.basicAuth.enabled }} + basicAuth: + username: + key: {{ $dot.Values.metrics.serviceMonitor.basicAuth.externalSecretUserKey }} + name: {{ $dot.Values.metrics.serviceMonitor.basicAuth.externalSecretName }} + password: + key: {{ $dot.Values.metrics.serviceMonitor.basicAuth.externalSecretPasswordKey }} + name: {{ $dot.Values.metrics.serviceMonitor.basicAuth.externalSecretName }} + {{- end }} + {{- if $dot.Values.metrics.serviceMonitor.interval }} + interval: {{ $dot.Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if $dot.Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ $dot.Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if 
$dot.Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplValue" ( dict "value" $dot.Values.metrics.serviceMonitor.relabelings "context" $dot) | nindent 6 }} + {{- end }} + {{- if $dot.Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplValue" ( dict "value" $dot.Values.metrics.serviceMonitor.metricRelabelings "context" $dot) | nindent 6 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ include "common.namespace" $dot }} + selector: + {{- if $dot.Values.metrics.serviceMonitor.selector }} + matchLabels: {{- include "common.tplValue" ( dict "value" $dot.Values.metrics.serviceMonitor.selector "context" $dot) | nindent 6 }} + {{- else }} + matchLabels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent 6 }} + {{- end }} +{{- end -}} diff --git a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml index 6c3b41f5a5..6d1ed40e13 100644 --- a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml +++ b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright © 2020 Bitnami, Orange +# Copyright © 2021 Bitnami, Orange, Bell Canada # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
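Review bot: `{{- if $dot.Values.metrics.serviceMonitor.basicAuth.enabled }}` in `common.serviceMonitor` dereferences `basicAuth` unconditionally, so a chart that enables a ServiceMonitor without declaring a `basicAuth` block fails to render with a nil-pointer error instead of simply omitting the auth section; the header example shows `basicAuth: enabled: false`, which suggests callers are expected to set it, but nothing enforces that. A tolerant lookup such as `{{- if (default (dict) $dot.Values.metrics.serviceMonitor.basicAuth).enabled }}` keeps the block optional. The `.interval`, `.scrapeTimeout`, `.relabelings` and `.selector` lookups are already safe as long as `serviceMonitor` itself exists, which `common.serviceMonitorName` assumes anyway. The doc block also misspells "evaluated" as "evalued" twice.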
@@ -14,38 +14,6 @@ # limitations under the License. */}} -{{- if default false (and .Values.global.metrics.enabled .Values.global.metrics.custom_resources) }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ template "common.fullname" . }} - {{- if .Values.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.metrics.serviceMonitor.namespace }} - {{- else }} - namespace: {{ include "common.namespace" . }} - {{- end }} - labels: {{- include "common.labels" . | nindent 4 }} - {{- range $key, $value := .Values.metrics.serviceMonitor.selector }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - selector: - matchLabels: {{- include "common.matchLabels" . | nindent 6 }} - endpoints: - - port: metrics - {{- if .Values.metrics.serviceMonitor.interval }} - interval: {{ .Values.metrics.serviceMonitor.interval }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.relabelings }} - relabelings: {{- include "common.tplValue" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.metricRelabelings }} - metricRelabelings: {{- include "common.tplValue" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }} - {{- end }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} {{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index 7b0d90a9aa..bb3af76115 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml 
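Review bot: The new condition `{{- if .Values.metrics.serviceMonitor.enabled }}` drops the previous gate on `.Values.global.metrics.enabled` and `.Values.global.metrics.custom_resources`, so a chart-level `serviceMonitor.enabled: true` now emits a `monitoring.coreos.com/v1` object even on clusters where that CRD is not installed, which presumably makes the release fail to apply. If retiring the global switch is intended it deserves a line in the commit message; otherwise `{{- if and .Values.global.metrics.enabled .Values.metrics.serviceMonitor.enabled }}` keeps the deployment-wide override. The mariadb-galera `metrics.serviceMonitor` values are not in this diff, so whether `enabled` defaults to false there cannot be checked here.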
@@ -1,5 +1,6 @@ {{/* -# Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2018 Amdocs +# Copyright © 2018,2021 Bell Canada # Copyright © 2019 Samsung Electronics # Copyright © 2019-2020 Orange # Copyright © 2020 Bitnami @@ -202,14 +203,20 @@ spec: httpGet: path: /metrics port: metrics - initialDelaySeconds: 30 - timeoutSeconds: 5 + initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }} readinessProbe: httpGet: path: /metrics port: metrics - initialDelaySeconds: 5 - timeoutSeconds: 1 + initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} {{ include "common.containerSecurityContext" . | indent 10 | trim }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} {{- end }} @@ -223,7 +230,7 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} {{- if .Values.affinity }} - affinity: {{- include "common.tplvalues" ( dict "value" .Values.affinity "context" $) | nindent 8 }} + affinity: {{- include "common.tplValue" ( dict "value" .Values.affinity "context" $) | nindent 8 }} {{- else }} affinity: podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }} 
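Review bot: The statefulset hunk renders both metrics probes unconditionally from `.Values.metrics.livenessProbe.*` and `.Values.metrics.readinessProbe.*`, yet the matching values.yaml hunk adds an `enabled: true` flag under each that nothing reads, so setting it to false has no effect. Wrap each probe, e.g. `{{- if .Values.metrics.livenessProbe.enabled }}` before `livenessProbe:` and `{{- end }}` after its `failureThreshold` line (same pair for `readinessProbe`), or drop the two flags from values.yaml so the values file does not promise a switch it lacks. The metrics container definition begins before this hunk.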
@@ -231,10 +238,10 @@ spec: nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} {{- end }} {{- if .Values.nodeSelector }} - nodeSelector: {{- include "common.tplvalues" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + nodeSelector: {{- include "common.tplValue" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} {{- end }} {{- if .Values.tolerations }} - tolerations: {{- include "common.tplvalues" (dict "value" .Values.tolerations "context" .) | nindent 8 }} + tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" .) | nindent 8 }} {{- end }} volumes: - name: previous-boot diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index ed9977acd9..bc9273f41f 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -1,4 +1,5 @@ -# Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2018 Amdocs +# Copyright © 2018,2021 Bell Canada # Copyright © 2019 Samsung Electronics # Copyright © 2020 Bitnami, Orange # @@ -560,6 +561,23 @@ metrics: requests: cpu: 0.5 memory: 256Mi + ## MariaDB Galera metrics container's liveness and readiness probes + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 3 ## MySQL Prometheus exporter service parameters ## service: diff --git a/kubernetes/common/mariadb-init/resources/config/db_init.sh b/kubernetes/common/mariadb-init/resources/config/db_init.sh index f130bb5118..df7c336405 100755 
--- a/kubernetes/common/mariadb-init/resources/config/db_init.sh +++ b/kubernetes/common/mariadb-init/resources/config/db_init.sh @@ -21,8 +21,8 @@ set -e while read DB ; do - USER_VAR="MYSQL_USER_${DB^^}" - PASS_VAR="MYSQL_PASSWORD_${DB^^}" + USER_VAR="MYSQL_USER_$(echo $DB | tr '[:lower:]' '[:upper:]')" + PASS_VAR="MYSQL_PASSWORD_$(echo $DB | tr '[:lower:]' '[:upper:]')" {{/* # USER=${!USER_VAR} # PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"` diff --git a/kubernetes/common/timescaledb/.helmignore b/kubernetes/common/timescaledb/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/kubernetes/common/timescaledb/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml new file mode 100644 index 0000000000..7aeafa01f2 --- /dev/null +++ b/kubernetes/common/timescaledb/Chart.yaml 
@@ -0,0 +1,23 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v1 +appVersion: "1.0" +description: ONAP timescaledb +name: timescaledb +version: 8.0.0 diff --git a/kubernetes/common/timescaledb/requirements.yaml b/kubernetes/common/timescaledb/requirements.yaml new file mode 100644 index 0000000000..de0c414c19 --- /dev/null +++ b/kubernetes/common/timescaledb/requirements.yaml 
@@ -0,0 +1,28 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +dependencies: + - name: common + version: ~8.x-0 + repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~8.x-0 + repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/timescaledb/resources/init/init-schema.sh b/kubernetes/common/timescaledb/resources/init/init-schema.sh new file mode 100644 index 0000000000..ab83cffae2 --- /dev/null +++ b/kubernetes/common/timescaledb/resources/init/init-schema.sh 
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# ============LICENSE_START=======================================================
+# Copyright (c) 2021 Bell Canada.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+set -e
+set echo on;
+psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+ CREATE USER $DB_USERNAME WITH PASSWORD '$DB_PASSWORD';
+ CREATE SCHEMA $POSTGRES_DB;
+ GRANT ALL PRIVILEGES ON SCHEMA $POSTGRES_DB TO $DB_USERNAME;
+ CREATE EXTENSION IF NOT EXISTS timescaledb WITH SCHEMA $POSTGRES_DB;
+EOSQL
diff --git a/kubernetes/common/timescaledb/templates/configmap-init.yaml b/kubernetes/common/timescaledb/templates/configmap-init.yaml
new file mode 100644
index 0000000000..82c1de6255
--- /dev/null
+++ b/kubernetes/common/timescaledb/templates/configmap-init.yaml
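Review bot: `init-schema.sh` builds its SQL by expanding `$DB_USERNAME`, `$DB_PASSWORD` and `$POSTGRES_DB` straight into the here-document, so a password containing a single quote breaks `CREATE USER` and any of the three values can change which statements run; psql's own variable interpolation keeps them as properly quoted literals and identifiers. Pass the non-secret names with `-v` and reference them as `:"name"`, set the password inside psql with a backquoted `\set` so it never appears in argv, and quote the here-doc delimiter so the shell expands nothing; note that `:"name"` quotes the identifier, so a mixed-case `DB_USERNAME` is then preserved rather than folded to lower case. `set echo on;` does not enable tracing — it assigns the positional parameters `$1=echo $2=on` — and should become `set -x` if command tracing is wanted, or be removed.
```shell
set -e
psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
     -v user="$DB_USERNAME" -v db="$POSTGRES_DB" <<'EOSQL'
\set pass `printf '%s' "$DB_PASSWORD"`
CREATE USER :"user" WITH PASSWORD :'pass';
CREATE SCHEMA :"db";
GRANT ALL PRIVILEGES ON SCHEMA :"db" TO :"user";
CREATE EXTENSION IF NOT EXISTS timescaledb WITH SCHEMA :"db";
EOSQL
```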
@@ -0,0 +1,33 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-init + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: + init-schema.sh: |- +{{ .Files.Get "resources/init/init-schema.sh" | indent 4}} diff --git a/kubernetes/common/timescaledb/templates/pv.yaml b/kubernetes/common/timescaledb/templates/pv.yaml new file mode 100644 index 0000000000..f99b5f3562 --- /dev/null +++ b/kubernetes/common/timescaledb/templates/pv.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.PV" . }} diff --git a/kubernetes/common/timescaledb/templates/secrets.yaml b/kubernetes/common/timescaledb/templates/secrets.yaml new file mode 100644 index 0000000000..c888d48b6c --- /dev/null +++ b/kubernetes/common/timescaledb/templates/secrets.yaml 
@@ -0,0 +1,21 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (c) 2021 Bell Canada.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/common/timescaledb/templates/service.yaml b/kubernetes/common/timescaledb/templates/service.yaml
new file mode 100644
index 0000000000..c205ff4889
--- /dev/null
+++ b/kubernetes/common/timescaledb/templates/service.yaml
@@ -0,0 +1,21 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (c) 2021 Bell Canada.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml
new file mode 100644
index 0000000000..9b63de434d
--- /dev/null
+++ b/kubernetes/common/timescaledb/templates/statefulset.yaml
@@ -0,0 +1,90 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (c) 2021 Bell Canada.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: apps/v1
+kind: StatefulSet
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector: {{- include "common.selectors" . | nindent 4 }}
+ serviceName: {{ include "common.servicename" . }}
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ include "common.name" . }}
+ image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ imagePullPolicy: {{ .Values.pullPolicy }}
+ ports: {{ include "common.containerPorts" . | nindent 12 }}
+ livenessProbe:
+ exec:
+ command: ["psql", "-w", "-U", "{{ .Values.config.pgRootUserName }}", "-c", "select 1"]
+ initialDelaySeconds: 5
+ periodSeconds: 60
+ readinessProbe:
+ exec:
+ command: ["psql", "-w", "-U", "{{ .Values.config.pgRootUserName }}", "-c", "select 1"]
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ env:
+ - name: DB_USERNAME
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "login") | indent 14 }}
+ - name: DB_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "password") | indent 14 }}
+ - name: POSTGRES_DB
+ value: {{ .Values.config.pgDatabase }}
+ - name: POSTGRES_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-creds" "key" "login") | indent 14 }}
+ - name: POSTGRES_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-creds" "key" "password") | indent 14 }}
+ - name: PGDATA
+ value: /var/lib/postgresql/data/pgdata
+ resources:
+{{ include "common.resources" . | indent 12 }}
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-init
+ mountPath: /docker-entrypoint-initdb.d
+ - name: {{ include "common.fullname" . }}
+ mountPath: /var/lib/postgresql/data
+ volumes:
+ - name: {{ include "common.fullname" . }}-init
+ configMap:
+ name: {{ include "common.fullname" . }}-init
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+ volumeClaimTemplates:
+ - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence) | indent 6 | trim }}
+{{- end }}
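Review bot: The `volumeMounts` entry named `{{ include "common.fullname" . }}` (mounted at `/var/lib/postgresql/data`) has no counterpart under `volumes:`, which only declares the `-init` ConfigMap; the data volume exists solely through the `volumeClaimTemplates` block at the end of the hunk, and that block is skipped when `persistence.enabled` is false or `persistence.existingClaim` is set — the very `existingClaim` option the new values.yaml documents. In those two configurations the pod template references an undefined volume and the StatefulSet is rejected at admission rather than degrading gracefully. Adding an `emptyDir` / `persistentVolumeClaim` fallback under `volumes:` for the two skipped cases closes the gap, on the assumption (implied by the existing mount) that the claim name produced by `common.PVCTemplate` is `{{ include "common.fullname" . }}`.
```yaml
      volumes:
      - name: {{ include "common.fullname" . }}-init
        configMap:
          name: {{ include "common.fullname" . }}-init
      {{- if not .Values.persistence.enabled }}
      - name: {{ include "common.fullname" . }}
        emptyDir: {}
      {{- else if .Values.persistence.existingClaim }}
      - name: {{ include "common.fullname" . }}
        persistentVolumeClaim:
          claimName: {{ .Values.persistence.existingClaim }}
      {{- end }}
      # … unchanged: nodeSelector / affinity / tolerations and the volumeClaimTemplates block …
```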
diff --git a/kubernetes/common/timescaledb/values.yaml b/kubernetes/common/timescaledb/values.yaml
new file mode 100644
index 0000000000..b6d2face3a
--- /dev/null
+++ b/kubernetes/common/timescaledb/values.yaml
@@ -0,0 +1,111 @@
+# ============LICENSE_START=======================================================
+# Copyright (c) 2021 Bell Canada.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+replicaCount: 1
+global:
+ persistence: {}
+
+#################################################################
+# Secrets.
+##############################################################
+image: timescale/timescaledb:2.1.1-pg13
+
+pullPolicy: Always
+containerPorts: 5432
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ nameOverride: timescaledb
+ roles:
+ - read
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+resources:
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ limits:
+ cpu: 0.5
+ memory: 256Mi
+ requests:
+ cpu: 20m
+ memory: 256Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+service:
+ type: ClusterIP
+ name: timescaledb
+ ports:
+ - name: tcp-timescaledb
+ port: 5432
+
+persistence:
+ enabled: true
+
+ ## A manually managed Persistent Volume and Claim
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ # existingClaim:
+ volumeReclaimPolicy: Retain
+
+ ## database data Persistent Volume Storage Class
+ ## If defined, storageClassName: <storageClass>
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ accessMode: ReadWriteOnce
+ size: 1Gi
+ mountPath: /dockerdata-nfs
+
+config:
+ pgUserName: timescaledb
+ pgRootUserName: postgres
+ pgDatabase: timescaledb
+
+secrets:
+ - uid: root-creds
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.config.pgRootPasswordExternalSecret) . }}'
+ login: '{{ .Values.config.pgRootUserName }}'
+ password: '{{ .Values.config.pgRootpassword }}'
+ - uid: user-creds
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.config.pgUserExternalSecret) . }}'
+ login: '{{ .Values.config.pgUserName }}'
+ password: '{{ .Values.config.pgUserPassword }}'
+ |
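Review bot: The `root-creds` entry reads its password from `.Values.config.pgRootpassword` (lowercase `p`), which does not match the casing of `pgUserPassword` and `pgRootPasswordExternalSecret` in the same list, and neither that key nor `pgUserPassword` is declared under `config:`, so an operator who sets `config.pgRootPassword` by analogy with the other keys is silently ignored; `password: '{{ .Values.config.pgRootPassword }}'` plus commented-out `pgRootPassword`/`pgUserPassword` entries under `config:` next to the external-secret overrides would make the override surface visible and consistent. `podSecurityContext: {}` and `securityContext: {}` are also left empty, so the pod runs with whatever the `timescale/timescaledb` image defaults to; the commented `runAsNonRoot`/`readOnlyRootFilesystem` block is the place to state the intended baseline, or to record why it is not applied. What is generated when both `password` and `externalSecret` render empty depends on `common.secretFast`, which is outside this diff.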