Diffstat (limited to 'kubernetes/common')
23 files changed, 290 insertions, 236 deletions
diff --git a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh index 5b652228a6..5f23a89867 100644 --- a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh +++ b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh @@ -1,4 +1,5 @@ #!/bin/bash + set -e # first arg is `-f` or `--some-option` @@ -11,7 +12,7 @@ fi if [ "$1" = 'cassandra' -a "$(id -u)" = '0' ]; then find /var/lib/cassandra /var/log/cassandra "$CASSANDRA_CONFIG" \ \! -user cassandra -exec chown cassandra '{}' + - exec gosu cassandra "$BASH_SOURCE" "$@" + exec gosu cassandra "$0" "$@" fi _ip_address() { @@ -71,7 +72,8 @@ if [ "$1" = 'cassandra' ]; then authenticator \ ; do var="CASSANDRA_${yaml^^}" - val="${!var}" + # eval presents no security issue here because of limited possible values of var + eval val=\$$var if [ "$val" ]; then _sed-in-place "$CASSANDRA_CONFIG/cassandra.yaml" \ -r 's/^(# )?('"$yaml"':).*/\2 '"$val"'/' @@ -80,7 +82,8 @@ if [ "$1" = 'cassandra' ]; then for rackdc in dc rack; do var="CASSANDRA_${rackdc^^}" - val="${!var}" + # eval presents no security issue here because of limited possible values of var + eval val=\$$var if [ "$val" ]; then _sed-in-place "$CASSANDRA_CONFIG/cassandra-rackdc.properties" \ -r 's/^('"$rackdc"'=).*/\1 '"$val"'/' diff --git a/kubernetes/common/cassandra/resources/restore.sh b/kubernetes/common/cassandra/resources/restore.sh index a8105345f7..7f271d262f 100644 --- a/kubernetes/common/cassandra/resources/restore.sh +++ b/kubernetes/common/cassandra/resources/restore.sh @@ -41,7 +41,7 @@ then print_usage fi -while [[ $# -gt 0 ]] +while [ $# -gt 0 ] do key="$1" shift diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index cb4153e778..6df7505e7b 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh 
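Review bot: The comment added above `eval val=\$$var` in the @@ -71 hunk (and repeated in the @@ -80 hunk) gives the wrong reason for the eval being safe: it is not the set of values `var` can take but the fact that `var` is built from the loop's fixed word list and the evaluated text is a bare assignment, so the environment value is assigned without being word-split or re-parsed as code. Suggest `# safe: var comes from the fixed list above and eval only performs an assignment, so the env value is never re-parsed` in both places, and writing it as `eval "val=\$$var"` so the shell sees one word. The shebang stays `#!/bin/bash` and `${yaml^^}` / `${rackdc^^}` remain, so the script is still bash-only; if dropping bashisms was the motive for replacing `${!var}`, that is not achieved by this hunk alone. The safety argument also ends at the assignment: `$val` is still spliced unquoted into the sed replacement two lines below, where a value containing `/`, `&` or `\` alters the expression (pre-existing, but the new comment should not read as a blanket clearance).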
+++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -1,7 +1,7 @@ -#!/bin/bash +#!/bin/sh {{/* -# Copyright © 2020 Bell Canada +# Copyright © 2020-2021 Bell Canada # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl deleted file mode 100644 index f80b06b4d3..0000000000 --- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl +++ /dev/null 
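Review bot: Changing the shebang to `#!/bin/sh` only holds if the body of import-custom-certs.sh, which lies entirely outside this hunk, is free of bashisms; the hunk shows the header only, so that cannot be confirmed here. On Debian-style images `/bin/sh` is dash, which rejects `[[ ]]`, arrays, `${var^^}` and `${!var}`, so any remaining bashism would surface as a runtime failure of the certificate import rather than at review. Suggest a one-line note under the shebang, `# POSIX sh: no bash-only syntax below`, and a `checkbashisms` or `shellcheck -s sh` pass before merging.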
@@ -1,189 +0,0 @@ -{{/* -# Copyright © 2021 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{/* -In order to use certServiceClient it is needed do define certificates array in target component values.yaml. Each -certificate will be requested from separate init container - -Minimum example of array in target component values.yaml: -certificates: - - mountPath: /var/custom-certs - commonName: common-name - -Full example (other fields are ignored): -certificates: - - mountPath: /var/custom-certs - caName: RA - keystore: - outputType: - - jks - commonName: common-name - dnsNames: - - dns-name-1 - - dns-name-2 - ipAddresses: - - 192.168.0.1 - - 192.168.0.2 - emailAddresses: - - email-1@onap.org - - email-2@onap.org - uris: - - http://uri-1.onap.org - - http://uri-2.onap.org - subject: - organization: Linux-Foundation - country: US - locality: San Francisco - province: California - organizationalUnit: ONAP - -There also need to be some includes used in a target component deployment (indent values may need to be adjusted): - 1. In initContainers section: - {{ include "common.certServiceClient.initContainer" . | indent 6 }} - 2. In volumeMounts section of container using certificates: - {{ include "common.certServiceClient.volumeMounts" . | indent 10 }} - 3. In volumes section: - {{ include "common.certServiceClient.volumes" . | indent 8 }} - -*/}} - -{{- define "common.certServiceClient.initContainer" -}} -{{- $dot := default . 
.dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} -{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} -{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} -{{- range $index, $certificate := $dot.Values.certificates -}} -{{/*# General certifiacate attributes #*/}} -{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}} -{{/*# SAN's #*/}} -{{- $dnsNames := default (list) $certificate.dnsNames -}} -{{- $ipAddresses := default (list) $certificate.ipAddresses -}} -{{- $uris := default (list) $certificate.uris -}} -{{- $emailAddresses := default (list) $certificate.emailAddresses -}} -{{- $sansList := concat $dnsNames $ipAddresses $uris $emailAddresses -}} -{{- $sans := join "," $sansList }} -{{/*# Subject #*/}} -{{- $organization := $subchartGlobal.certificate.default.subject.organization -}} -{{- $country := $subchartGlobal.certificate.default.subject.country -}} -{{- $locality := $subchartGlobal.certificate.default.subject.locality -}} -{{- $province := $subchartGlobal.certificate.default.subject.province -}} -{{- $orgUnit := $subchartGlobal.certificate.default.subject.organizationalUnit -}} -{{- if $certificate.subject -}} -{{- $organization := $certificate.subject.organization -}} -{{- $country := $certificate.subject.country -}} -{{- $locality := $certificate.subject.locality -}} -{{- $province := $certificate.subject.province -}} -{{- $orgUnit := $certificate.subject.organizationalUnit -}} -{{- end -}} -{{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}} -{{- $outputType := $subchartGlobal.platform.certServiceClient.envVariables.outputType -}} -{{- if $certificate.keystore -}} -{{- $outputTypeList := (required "'outputType' in 'keystore' section is required." 
$certificate.keystore.outputType) -}} -{{- $outputType = mustFirst ($outputTypeList) | upper -}} -{{- end -}} -{{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}} -{{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}} -{{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}} -{{- $certificatesSecret:= $subchartGlobal.platform.certServiceClient.clientSecretName -}} -{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath -}} -{{- $keystorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.keystoreKeyRef ) -}} -{{- $keystorePasswordSecret := $subchartGlobal.platform.certificates.keystorePasswordSecretName -}} -{{- $keystorePasswordSecretKey := $subchartGlobal.platform.certificates.keystorePasswordSecretKey -}} -{{- $truststorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.truststoreKeyRef ) -}} -{{- $truststorePasswordSecret := $subchartGlobal.platform.certificates.truststorePasswordSecretName -}} -{{- $truststorePasswordSecretKey := $subchartGlobal.platform.certificates.truststorePasswordSecretKey -}} -- name: certs-init-{{ $index }} - image: {{ include "repositoryGenerator.image.certserviceclient" $dot }} - imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} - env: - - name: REQUEST_URL - value: {{ $requestUrl | quote }} - - name: REQUEST_TIMEOUT - value: {{ $requestTimeout | quote }} - - name: OUTPUT_PATH - value: {{ $certPath | quote }} - - name: OUTPUT_TYPE - value: {{ $outputType | quote }} - - name: CA_NAME - value: {{ $caName | quote }} - - name: COMMON_NAME - value: {{ $commonName | quote }} - - name: SANS - value: {{ $sans | quote }} - - name: ORGANIZATION - value: {{ $organization | quote }} - - name: 
ORGANIZATION_UNIT - value: {{ $orgUnit | quote }} - - name: LOCATION - value: {{ $locality | quote }} - - name: STATE - value: {{ $province | quote }} - - name: COUNTRY - value: {{ $country | quote }} - - name: KEYSTORE_PATH - value: {{ $keystorePath | quote }} - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ $keystorePasswordSecret | quote}} - key: {{ $keystorePasswordSecretKey | quote}} - - name: TRUSTSTORE_PATH - value: {{ $truststorePath | quote }} - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ $truststorePasswordSecret | quote}} - key: {{ $truststorePasswordSecretKey | quote}} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: {{ $certPath }} - name: cmpv2-certs-volume-{{ $index }} - - mountPath: {{ $certificatesSecretMountPath }} - name: certservice-tls-volume -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "common.certServiceClient.volumes" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} -{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} -{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} -{{- $certificatesSecretName := $subchartGlobal.platform.certificates.clientSecretName -}} -- name: certservice-tls-volume - secret: - secretName: {{ $certificatesSecretName }} -{{ range $index, $certificate := $dot.Values.certificates -}} -- name: cmpv2-certs-volume-{{ $index }} - emptyDir: - medium: Memory -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "common.certServiceClient.volumeMounts" -}} -{{- $dot := default . 
.dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} -{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} -{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} -{{- range $index, $certificate := $dot.Values.certificates -}} -{{- $mountPath := $certificate.mountPath -}} -- mountPath: {{ $mountPath }} - name: cmpv2-certs-volume-{{ $index }} -{{ end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index 695e40616c..02595b348d 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml @@ -15,7 +15,6 @@ global: # Enabling CMPv2 cmpv2Enabled: true - CMPv2CertManagerIntegration: false certificate: default: @@ -35,17 +34,6 @@ global: keystorePasswordSecretKey: password truststorePasswordSecretName: oom-cert-service-truststore-password truststorePasswordSecretKey: password - certServiceClient: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 - certificatesSecretMountPath: /etc/onap/oom/certservice/certs/ - envVariables: - certPath: "/var/custom-certs" - # Certificate related - caName: "RA" - # Client configuration related - requestURL: "https://oom-cert-service:8443/v1/certificate/" - requestTimeout: "30000" - outputType: "P12" certPostProcessor: image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index 9c3010c209..8489cc5021 100644 --- a/kubernetes/common/common/templates/_service.tpl +++ b/kubernetes/common/common/templates/_service.tpl 
@@ -181,6 +181,8 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent {{- $labels := default (dict) .labels -}} {{- $matchLabels := default (dict) .matchLabels -}} {{- $sessionAffinity := default "None" $dot.Values.service.sessionAffinity -}} +{{- $kubeTargetVersion := default $dot.Capabilities.KubeVersion.Version | trimPrefix "v" -}} +{{- $ipFamilyPolicy := default "PreferDualStack" $dot.Values.service.ipFamilyPolicy -}} apiVersion: v1 kind: Service metadata: {{ include "common.serviceMetadata" (dict "suffix" $suffix "annotations" $annotations "msb_informations" $msb_informations "labels" $labels "dot" $dot) | nindent 2 }} @@ -189,6 +191,9 @@ spec: clusterIP: None {{- end }} ports: {{- include "common.servicePorts" (dict "serviceType" $serviceType "ports" $ports "dot" $dot "add_plain_port" $add_plain_port) | nindent 4 }} + {{- if semverCompare ">=1.20.0" $kubeTargetVersion }} + ipFamilyPolicy: {{ $ipFamilyPolicy }} + {{- end }} {{- if $publishNotReadyAddresses }} publishNotReadyAddresses: true {{- end }} diff --git a/kubernetes/common/dgbuilder/requirements.yaml b/kubernetes/common/dgbuilder/requirements.yaml index 0157b7063e..1bbab11af4 100644 --- a/kubernetes/common/dgbuilder/requirements.yaml +++ b/kubernetes/common/dgbuilder/requirements.yaml @@ -22,3 +22,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~8.x-0 + repository: 'file://../serviceAccount' diff --git a/kubernetes/common/dgbuilder/templates/deployment.yaml b/kubernetes/common/dgbuilder/templates/deployment.yaml index ad3e4cf128..6538ad0836 100644 --- a/kubernetes/common/dgbuilder/templates/deployment.yaml +++ b/kubernetes/common/dgbuilder/templates/deployment.yaml 
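Review bot: The new `semverCompare ">=1.20.0" $kubeTargetVersion` guard around `ipFamilyPolicy` evaluates false on clusters whose reported version carries a pre-release suffix (a constructed example: `1.20.4-gke.100`), because a constraint without a pre-release part does not match pre-release versions; use `{{- if semverCompare ">=1.20.0-0" $kubeTargetVersion }}` so those clusters also get the field. In the same hunk `default $dot.Capabilities.KubeVersion.Version` is called with a single argument, which makes `default` a no-op; `{{- $kubeTargetVersion := $dot.Capabilities.KubeVersion.Version | trimPrefix "v" -}}` says what is meant. The enclosing define starts above the hunk, so whether `.Values.service.ipFamilyPolicy` is documented anywhere cannot be checked here; a comment next to the new variable naming the accepted values would help consumers.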
@@ -128,6 +128,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: localtime diff --git a/kubernetes/common/dgbuilder/values.yaml b/kubernetes/common/dgbuilder/values.yaml index ae1d85795d..0f91bbd882 100644 --- a/kubernetes/common/dgbuilder/values.yaml +++ b/kubernetes/common/dgbuilder/values.yaml @@ -186,3 +186,8 @@ resources: memory: 4Gi unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: dgbuilder + roles: + - read diff --git a/kubernetes/common/etcd-init/.helmignore b/kubernetes/common/etcd-init/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/kubernetes/common/etcd-init/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/common/cmpv2Certificate/Chart.yaml b/kubernetes/common/etcd-init/Chart.yaml index 6641ec6954..20f5ac40cc 100644 --- a/kubernetes/common/cmpv2Certificate/Chart.yaml +++ b/kubernetes/common/etcd-init/Chart.yaml @@ -1,4 +1,4 @@ -# Copyright © 2021 Nokia +# Copyright (C) 2021 Wipro Limited. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,6 +13,6 @@ # limitations under the License. apiVersion: v1 -description: Template used to add cmpv2 certificates to components -name: cmpv2Certificate +description: Chart for etcd init job +name: etcd-init version: 8.0.0 
diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/etcd-init/requirements.yaml index b10896d2ce..008789b822 100644 --- a/kubernetes/common/cmpv2Certificate/requirements.yaml +++ b/kubernetes/common/etcd-init/requirements.yaml @@ -1,4 +1,4 @@ -# Copyright © 2021 Nokia +# Copyright (C) 2021 Wipro Limited. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,6 +19,3 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: 'file://../repositoryGenerator' - - name: cmpv2Config - version: ~8.x-0 - repository: 'file://../cmpv2Config' diff --git a/kubernetes/common/etcd-init/templates/job.yaml b/kubernetes/common/etcd-init/templates/job.yaml new file mode 100644 index 0000000000..69bcfaaf99 --- /dev/null +++ b/kubernetes/common/etcd-init/templates/job.yaml 
@@ -0,0 +1,104 @@
+{{/*
+# Copyright (C) 2021 Wipro Limited.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "common.fullname" . }}-job
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+spec:
+ backoffLimit: {{ .Values.backoffLimit }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "common.name" . }}
+ release: {{ include "common.release" . }}
+ name: {{ include "common.name" . }}
+ spec:
+ initContainers:
+ - name: {{ include "common.name" . }}-readiness
+ command:
+ - /app/ready.py
+ args:
+ - --container-name
+ - {{ .Values.etcd.containerName }}
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ image: {{ include "repositoryGenerator.image.readiness" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ containers:
+ - name: {{ include "common.name" . }}
+ image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - /bin/sh
+ - -ec
+ - |
+ # Create users
+ export ETCDCTL_ENDPOINTS=http://${ETCD_HOST}:${ETCD_PORT}
+ export ETCDCTL_API=3
+ echo "${ROOT_PASSWORD}" | etcdctl user add root --interactive=false
+ echo "${APP_PASSWORD}" | etcdctl user add ${APP_USER} --interactive=false
+
+ # Create roles
+ etcdctl role add ${APP_ROLE}
+ etcdctl role grant-permission ${APP_ROLE} --prefix=true readwrite ${KEY_PREFIX}
+
+ etcdctl user grant-role ${APP_USER} ${APP_ROLE}
+ etcdctl auth enable
+ env:
+ - name: ALLOW_NONE_AUTHENTICATION
+ value: "yes"
+ - name: ETCD_HOST
+ value: "{{ .Values.etcd.serviceName }}.{{ include "common.namespace" . }}"
+ - name: ETCD_PORT
+ value: "{{ .Values.etcd.port }}"
+ - name: ROOT_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-password" "key" "password" ) | indent 10 }}
+ - name: APP_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-creds" "key" "login") | indent 10 }}
+ - name: APP_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-creds" "key" "password") | indent 10 }}
+ - name: APP_ROLE
+ value: "{{ .Values.config.appRole }}"
+ - name: KEY_PREFIX
+ value: "{{ .Values.config.keyPrefix }}"
+ volumeMounts:
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+ resources: {{ include "common.resources" . | nindent 12 }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }}
+ {{- end -}}
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 10 }}
+ {{- end }}
+ volumes:
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+ restartPolicy: Never
+ imagePullSecrets:
+ - name: "{{ include "common.namespace" . }}-docker-registry-key"
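Review bot: The bootstrap script in the new `command` block is not re-runnable even though `backoffLimit` lets the Job retry: with `-e`, a second attempt stops at `etcdctl user add root` because the user already exists, and once `etcdctl auth enable` has run every later attempt is rejected for lack of credentials, so a transient failure midway leaves etcd half-configured with no way for the Job to converge. Guard each step so a retry can skip what already exists, e.g. `etcdctl user get root >/dev/null 2>&1 || echo "${ROOT_PASSWORD}" | etcdctl user add root --interactive=false` and the same pattern for the app user and role. `ETCDCTL_ENDPOINTS=http://${ETCD_HOST}:${ETCD_PORT}` also sends the root and application passwords to etcd over plaintext HTTP; if the etcd service exposes TLS, use `https://` with `ETCDCTL_CACERT` pointing at the mounted CA, otherwise document that this relies on the pod network being trusted. `${APP_USER}`, `${APP_ROLE}` and `${KEY_PREFIX}` are unquoted in the `etcdctl` calls and should be `"${APP_USER}"` etc. so a value with whitespace does not split into extra arguments.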
diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/etcd-init/templates/secret.yaml index 504947525d..e874185693 100644 --- a/kubernetes/common/cmpv2Certificate/values.yaml +++ b/kubernetes/common/etcd-init/templates/secret.yaml @@ -1,4 +1,5 @@ -# Copyright © 2021 Nokia +{{/* +# Copyright (C) 2021 Wipro Limited. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -11,3 +12,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/etcd-init/values.yaml b/kubernetes/common/etcd-init/values.yaml new file mode 100644 index 0000000000..c99c9f1e5b --- /dev/null +++ b/kubernetes/common/etcd-init/values.yaml 
@@ -0,0 +1,74 @@
+# Copyright (C) 2021 Wipro Limited.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+global: {}
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: root-password
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.config.userRootSecret) . }}'
+ password: '{{ .Values.config.userRootPassword }}'
+ - uid: app-creds
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.config.userCredentialsExternalSecret) . }}'
+ login: '{{ .Values.config.appUser }}'
+ password: '{{ .Values.config.appPassword }}'
+
+#################################################################
+# Application configuration defaults.
+################################################################# + +image: bitnami/etcd:3.3.15 +pullPolicy: Always +backoffLimit: 20 + +nodeSelector: {} + +affinity: {} + +etcd: + serviceName: k8s-etcd + port : 2379 + containerName: k8s-etcd + +config: + userRootSecret: root +# userCredentialsExternalSecret: + appUser: user + appRole: role + keyPrefix: key + +flavor: small +resources: + small: + limits: + cpu: 100m + memory: 500Mi + requests: + cpu: 10m + memory: 10Mi + large: + limits: + cpu: 200m + memory: 500Mi + requests: + cpu: 20m + memory: 20Mi + unlimited: {} diff --git a/kubernetes/common/etcd/templates/statefulset.yaml b/kubernetes/common/etcd/templates/statefulset.yaml index a343d4fce5..48c8b6d0cc 100644 --- a/kubernetes/common/etcd/templates/statefulset.yaml +++ b/kubernetes/common/etcd/templates/statefulset.yaml @@ -49,7 +49,7 @@ spec: {{ toYaml .Values.tolerations | indent 8 }} {{- end }} containers: - - name: {{ include "common.fullname" . }} + - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.googleK8sRepository" . }}/{{ .Values.image }} imagePullPolicy: "{{ .Values.pullPolicy }}" ports: diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index 4c77efc83f..ed9977acd9 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -86,9 +86,10 @@ service: ## type: ClusterIP headless: {} + internalPort: &dbPort 3306 ports: - name: mysql - port: 3306 + port: *dbPort headlessPorts: - name: galera port: 4567 diff --git a/kubernetes/common/mariadb-init/resources/config/db_init.sh b/kubernetes/common/mariadb-init/resources/config/db_init.sh index fa4b007a5a..f130bb5118 100755 --- a/kubernetes/common/mariadb-init/resources/config/db_init.sh +++ b/kubernetes/common/mariadb-init/resources/config/db_init.sh @@ -1,4 +1,5 @@ #!/bin/bash + {{/* # Copyright © 2019 Orange # Copyright © 2020 Samsung Electronics 
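Review bot: `config.userRootSecret: root` in the new values file feeds `externalSecret` of the `root-password` secret, so the chart will look for a pre-existing Secret literally named `root` instead of generating a root password, while `config.userRootPassword`, which the `password:` field reads, is never defined. If the intent is to generate the root credential the way the app credentials are, comment the key out in the same manner as `# userCredentialsExternalSecret:`, i.e. `# userRootSecret:` with `# userRootPassword:` beside it. This is inferred from the secrets metaconfig earlier in the same file; confirm against how `common.secretFast` treats an empty `externalSecret`. The placeholders `appUser: user`, `appRole: role` and `keyPrefix: key` are used verbatim by the Job when a consumer forgets to override them, so a short comment marking them as required overrides would avoid an etcd role granting readwrite on the prefix `key`. `port : 2379` has a stray space before the colon; YAML accepts it, but `port: 2379` matches the rest of the file.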
@@ -22,8 +23,15 @@ set -e while read DB ; do USER_VAR="MYSQL_USER_${DB^^}" PASS_VAR="MYSQL_PASSWORD_${DB^^}" - USER=${!USER_VAR} - PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"` +{{/* + # USER=${!USER_VAR} + # PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"` + # eval replacement of the bashism equivalents above might present a security issue here + # since it reads content from DB values filled by helm at the end of the script. + # These possible values has to be constrainted and/or limited by helm for a safe use of eval. +*/}} + eval USER=\$$USER_VAR + PASS=$(eval echo -n \$$PASS_VAR | sed -e "s/'/''/g") MYSQL_OPTS=( -h ${DB_HOST} -P ${DB_PORT} -uroot -p${MYSQL_ROOT_PASSWORD} ) echo "Creating database ${DB} and user ${USER}..." diff --git a/kubernetes/common/music/components/music-cassandra/templates/job.yaml b/kubernetes/common/music/components/music-cassandra/templates/job.yaml index 3cf1ae34fd..d3c89d4a59 100644 --- a/kubernetes/common/music/components/music-cassandra/templates/job.yaml +++ b/kubernetes/common/music/components/music-cassandra/templates/job.yaml @@ -39,8 +39,6 @@ spec: command: - /app/ready.py args: - - --timeout - - "{{ .Values.readinessTimeout }}" - --container-name - music-cassandra env: @@ -87,4 +85,3 @@ spec: restartPolicy: Never imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - diff --git a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml index 2a1fb4f59e..1aabfb6bcc 100644 --- a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml +++ b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml 
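Review bot: The new `eval USER=\$$USER_VAR` and `PASS=$(eval echo -n \$$PASS_VAR | sed ...)` make the script's safety depend on `DB`, which comes from the `while read DB` loop that starts above the hunk: a database name carrying shell metacharacters ends up inside the evaluated string as code, which the template comment acknowledges but does not mitigate. The second form also hands the password to `echo` unquoted, so a password containing spaces or glob characters is altered before it reaches sed. The shebang is still `#!/bin/bash` and `${DB^^}` remains, so the original `${!USER_VAR}` was not a portability blocker; if `eval` is kept, validate the name first, e.g. `case "$DB" in *[!A-Za-z0-9_]*) echo "invalid database name: $DB" >&2; exit 1;; esac`, and use the assignment-only form for both values: `eval "USER=\${$USER_VAR}"`, `eval "PASS=\${$PASS_VAR}"`, `PASS=$(printf '%s' "$PASS" | sed -e "s/'/''/g")`. The rationale is wrapped in `{{/* */}}`, which Helm strips at render time, so it will not be present in the deployed script; a plain `#` comment would survive.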
@@ -73,6 +73,17 @@ spec: timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} + startupProbe: + exec: + command: + - /bin/bash + - -c + - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' + initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} + periodSeconds: {{ .Values.startup.periodSeconds }} + timeoutSeconds: {{ .Values.startup.timeoutSeconds }} + successThreshold: {{ .Values.startup.successThreshold }} + failureThreshold: {{ .Values.startup.failureThreshold }} lifecycle: preStop: exec: diff --git a/kubernetes/common/music/components/music-cassandra/values.yaml b/kubernetes/common/music/components/music-cassandra/values.yaml index 8530172269..92ed723989 100644 --- a/kubernetes/common/music/components/music-cassandra/values.yaml +++ b/kubernetes/common/music/components/music-cassandra/values.yaml @@ -18,7 +18,7 @@ global: nodePortPrefix: 302 persistence: {} -replicaCount: 3 +replicaCount: 1 # Cassandra Image - This image is modified from the original on # Docker Hub where the Security has been turned on. @@ -72,8 +72,8 @@ cql: # probe configuration parameters liveness: - initialDelaySeconds: 120 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 @@ -81,15 +81,20 @@ liveness: # in debugger so K8s doesn't restart unresponsive container enabled: true -readinessTimeout: 240 - readiness: - initialDelaySeconds: 10 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 +startup: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 90 + podManagementPolicy: OrderedReady updateStrategy: type: OnDelete 
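Review bot: The new startupProbe command `nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }'` succeeds in exactly the case it should catch: when `nodetool status` fails or the pod's IP is absent from its output, grep prints nothing, awk sees no lines and exits 0, and without `pipefail` the pipeline's status is awk's. It also matches `$POD_IP` as an unquoted, unanchored substring, so `10.0.0.1` matches a peer at `10.0.0.10` (constructed example). Suggest `- nodetool status | grep -w "$POD_IP" | awk 'BEGIN { rc = 1 } $1 == "UN" { rc = 0 } END { exit rc }'`, which fails unless a line for this pod shows Up/Normal. `POD_IP` is assumed to be set in the container env outside this hunk; confirm.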
diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index 91f21ab0c9..211cf1c599 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl @@ -67,6 +67,15 @@ {{- include "repositoryGenerator._repositoryHelper" (merge (dict "repoName" "googleK8sRepository") .) }} {{- end -}} +{{/* + Resolve the name of the GithubContainer registry + - .Values.global.githubContainerRegistry : default image githubContainerRegistry for all dockerHub images + - .Values.githubContainerRegistryOverride : override global githubContainerRegistry on a per chart basis +*/}} +{{- define "repositoryGenerator.githubContainerRegistry" -}} + {{- include "repositoryGenerator._repositoryHelper" (merge (dict "repoName" "githubContainerRegistry") .) }} +{{- end -}} + {{- define "repositoryGenerator.image._helper" -}} {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.repositoryGenerator .initRoot -}} @@ -83,10 +92,6 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "curlImage") .) }} {{- end -}} -{{- define "repositoryGenerator.image.certserviceclient" -}} - {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }} -{{- end -}} - {{- define "repositoryGenerator.image.dcaepolicysync" -}} {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dcaePolicySyncImage") .) }} {{- end -}} 
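Review bot: The doc comment on the new `repositoryGenerator.githubContainerRegistry` define describes `.Values.global.githubContainerRegistry` as the `default image githubContainerRegistry for all dockerHub images`, copied from the dockerHub helper. It should read `default registry for all images pulled from GitHub Container Registry`, with the override line saying `override global githubContainerRegistry on a per chart basis` as it does now. The removal of `repositoryGenerator.image.certserviceclient` in the following hunk is consistent with the deleted template and needs nothing further.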
@@ -143,7 +148,7 @@ {{/* Our version of helm doesn't support deepCopy so we need this nasty trick */}} {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} {{- $repoCreds := "" }} - {{- if $subchartDot.Values.global.dockerHubRepositoryCred }} + {{- if $subchartDot.Values.global.repositoryCred }} {{- $repo := $subchartDot.Values.global.repository }} {{- $cred := $subchartDot.Values.global.repositoryCred }} {{- $mail := default "@" $cred.mail }} @@ -186,5 +191,17 @@ {{- $repoCreds = printf "%s, %s" $repoCreds $gcrRepoCreds }} {{- end }} {{- end }} + {{- if $subchartDot.Values.global.githubContainerRegistryCred }} + {{- $ghcrRepo := $subchartDot.Values.global.githubContainerRegistry }} + {{- $ghcrCred := $subchartDot.Values.global.githubContainerRegistryCred }} + {{- $ghcrMail := default "@" $ghcrCred.mail }} + {{- $ghcrAuth := printf "%s:%s" $ghcrCred.user $ghcrCred.password | b64enc }} + {{- $ghcrRepoCreds := printf "\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}" $ghcrRepo $ghcrCred.user $ghcrCred.password $ghcrMail $ghcrAuth }} + {{- if eq "" $repoCreds }} + {{- $repoCreds = $ghcrRepoCreds }} + {{- else }} + {{- $repoCreds = printf "%s, %s" $repoCreds $ghcrRepoCreds }} + {{- end }} + {{- end }} {{- printf "{%s}" $repoCreds | b64enc -}} {{- end -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index 8a68f6dd9c..2a01112ce6 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml 
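Review bot: The new `$ghcrRepoCreds` block builds the `.dockerconfigjson` entry with `printf`, splicing `$ghcrCred.user`, `$ghcrCred.password` and `$ghcrMail` into a JSON string literal without escaping, so a password containing `"` or `\` produces an unparsable pull secret and image pulls fail with no hint at the cause. The sibling registry blocks above the hunk do the same, so the new code is consistent, but a new block is the place to stop repeating it: build the entry as a dict and serialise it, `{{- $ghcrEntry := dict "username" $ghcrCred.user "password" $ghcrCred.password "email" $ghcrMail "auth" $ghcrAuth }}` followed by `{{- $ghcrRepoCreds := printf "%s:%s" ($ghcrRepo | toJson) ($ghcrEntry | toJson) }}`. The `$repoCreds` accumulator and the final `printf "{%s}"` wrap start above the hunk, so the function stays a manual string assembly until the other blocks are converted the same way.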
@@ -19,11 +19,11 @@ global: dockerHubRepository: docker.io elasticRepository: docker.elastic.co googleK8sRepository: k8s.gcr.io + githubContainerRegistry: ghcr.io # common global images busyboxImage: busybox:1.32 curlImage: curlimages/curl:7.69.1 - certServiceClientImage: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 envsubstImage: dibi/envsubst:1 # there's only latest image for htpasswd htpasswdImage: xmartlabs/htpasswd:latest @@ -56,7 +56,6 @@ global: imageRepoMapping: busyboxImage: dockerHubRepository curlImage: dockerHubRepository - certServiceClientImage: repository envsubstImage: dockerHubRepository htpasswdImage: dockerHubRepository jreImage: repository |