diff options
Diffstat (limited to 'kubernetes/common')
34 files changed, 879 insertions, 77 deletions
diff --git a/kubernetes/common/cassandra/requirements.yaml b/kubernetes/common/cassandra/requirements.yaml index 501cc89a44..f2860ff140 100644 --- a/kubernetes/common/cassandra/requirements.yaml +++ b/kubernetes/common/cassandra/requirements.yaml @@ -20,3 +20,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~8.x-0 + repository: 'file://../serviceAccount' diff --git a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh index 5b652228a6..2d30f2e068 100644 --- a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh +++ b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh @@ -1,4 +1,5 @@ #!/bin/bash + set -e # first arg is `-f` or `--some-option` @@ -11,7 +12,7 @@ fi if [ "$1" = 'cassandra' -a "$(id -u)" = '0' ]; then find /var/lib/cassandra /var/log/cassandra "$CASSANDRA_CONFIG" \ \! -user cassandra -exec chown cassandra '{}' + - exec gosu cassandra "$BASH_SOURCE" "$@" + exec gosu cassandra "$0" "$@" fi _ip_address() { @@ -27,7 +28,7 @@ _ip_address() { } # "sed -i", but without "mv" (which doesn't work on a bind-mounted file, for example) -_sed-in-place() { +_sed_in_place() { local filename="$1"; shift local tempFile tempFile="$(mktemp)" @@ -56,7 +57,7 @@ if [ "$1" = 'cassandra' ]; then fi : ${CASSANDRA_SEEDS:="$CASSANDRA_BROADCAST_ADDRESS"} - _sed-in-place "$CASSANDRA_CONFIG/cassandra.yaml" \ + _sed_in_place "$CASSANDRA_CONFIG/cassandra.yaml" \ -r 's/(- seeds:).*/\1 "'"$CASSANDRA_SEEDS"'"/' for yaml in \ @@ -70,19 +71,21 @@ if [ "$1" = 'cassandra' ]; then start_rpc \ authenticator \ ; do - var="CASSANDRA_${yaml^^}" - val="${!var}" + var="CASSANDRA_$(echo $yaml | tr '[:lower:]' '[:upper:]')" + # eval presents no security issue here because of limited possible values of var + eval val=\$$var if [ "$val" ]; then - _sed-in-place "$CASSANDRA_CONFIG/cassandra.yaml" \ + _sed_in_place "$CASSANDRA_CONFIG/cassandra.yaml" \ -r 's/^(# )?('"$yaml"':).*/\2 '"$val"'/' fi done for rackdc in dc rack; do - var="CASSANDRA_${rackdc^^}" - val="${!var}" + var="CASSANDRA_$(echo $rackdc | tr '[:lower:]' '[:upper:]')" + # eval presents no security issue here because of limited possible values of var + eval val=\$$var if [ "$val" ]; then - _sed-in-place "$CASSANDRA_CONFIG/cassandra-rackdc.properties" \ + _sed_in_place "$CASSANDRA_CONFIG/cassandra-rackdc.properties" \ -r 's/^('"$rackdc"'=).*/\1 '"$val"'/' fi done diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml index 3553cd4069..840e95b490 100644 --- a/kubernetes/common/cassandra/templates/statefulset.yaml +++ b/kubernetes/common/cassandra/templates/statefulset.yaml @@ -28,6 +28,8 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: hostNetwork: {{ .Values.hostNetwork }} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} @@ -111,14 +113,6 @@ spec: value: {{ default "GossipingPropertyFileSnitch" .Values.config.endpoint_snitch | quote }} - name: CASSANDRA_AUTHENTICATOR value: {{ default "PasswordAuthenticator" .Values.config.authenticator | quote }} - {{- if include "common.onServiceMesh" . }} - - name: CASSANDRA_LISTEN_ADDRESS - value: "127.0.0.1" - - name: CASSANDRA_BROADCAST_ADDRESS - valueFrom: - fieldRef: - fieldPath: status.podIP - {{- end }} - name: POD_IP valueFrom: fieldRef: @@ -138,6 +132,7 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "nothing" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml index 9f19bf5c14..1d69993956 100644 --- a/kubernetes/common/cassandra/values.yaml +++ b/kubernetes/common/cassandra/values.yaml @@ -162,3 +162,9 @@ backup: - name: system_traces - name: system_auth - name: system_distributed + +#Pods Service Account +serviceAccount: + nameOverride: cassandra + roles: + - nothing diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index 6df7505e7b..fa3de03ece 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -22,6 +22,7 @@ WORK_DIR=${WORK_DIR:-/updatedTruststore} ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks} JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts} TRUSTSTORE_OUTPUT_FILENAME=${TRUSTSTORE_OUTPUT_FILENAME:-truststore.jks} +SSL_WORKDIR=${SSL_WORKDIR:-/usr/local/share/ca-certificates} mkdir -p $WORK_DIR @@ -37,10 +38,10 @@ for f in $CERTS_DIR/*; do # Dont use onap truststore when aaf is disabled continue fi - if [ ${f: -3} = ".sh" ]; then + if echo $f | grep '\.sh$' >/dev/null; then continue fi - if [ ${f: -4} = ".b64" ] + if echo $f | grep '\.b64$' >/dev/null; then then base64 -d $f > $WORK_DIR/`basename $f .b64` else @@ -49,8 +50,7 @@ for f in $CERTS_DIR/*; do done for f in $MORE_CERTS_DIR/*; do - if [ ${f: -4} == ".pem" ] - then + if echo $f | grep '\.pem$' >/dev/null; then cp $f $WORK_DIR/. fi done @@ -67,7 +67,7 @@ fi # Import Custom Certificates for f in $WORK_DIR/*; do - if [ ${f: -4} = ".pem" ]; then + if echo $f | grep '\.pem$' >/dev/null; then echo "importing certificate: $f" keytool -import -file $f -alias `basename $f` -keystore $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -storepass $TRUSTSTORE_PASSWORD -noprompt if [ $? != 0 ]; then @@ -76,3 +76,15 @@ for f in $WORK_DIR/*; do fi fi done + +# Import certificates to Linux SSL Truststore +cp $CERTS_DIR/*.crt $SSL_WORKDIR/. +cp $MORE_CERTS_DIR/*.crt $SSL_WORKDIR/. +update-ca-certificates +if [ $? != 0 ] + then + echo "failed importing certificates" + exit 1 + else + cp /etc/ssl/certs/ca-certificates.crt $WORK_DIR/. +fi
\ No newline at end of file diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index f3ba8a24e0..32bba457ee 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -174,6 +174,9 @@ - mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }} name: updated-truststore subPath: {{ $initRoot.truststoreOutputFileName }} +- mountPath: /etc/ssl/certs/ca-certificates.crt + name: updated-truststore + subPath: ca-certificates.crt {{- end -}} {{- end -}} diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index 02595b348d..4b8438ace2 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml @@ -35,5 +35,5 @@ global: truststorePasswordSecretName: oom-cert-service-truststore-password truststorePasswordSecretKey: password certPostProcessor: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 diff --git a/kubernetes/common/common/templates/_affinities.tpl b/kubernetes/common/common/templates/_affinities.tpl index f0802be29d..bf7ae497ca 100644 --- a/kubernetes/common/common/templates/_affinities.tpl +++ b/kubernetes/common/common/templates/_affinities.tpl @@ -23,7 +23,7 @@ Return a soft nodeAffinity definition preferredDuringSchedulingIgnoredDuringExecution: - preference: matchExpressions: - key: {{ .key }} + - key: {{ .key }} operator: In values: {{- range .values }} @@ -40,7 +40,7 @@ Return a hard nodeAffinity definition requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: {{ .key }} + - key: {{ .key }} operator: In values: {{- range .values }} diff --git a/kubernetes/common/common/templates/_dmaapProvisioning.tpl b/kubernetes/common/common/templates/_dmaapProvisioning.tpl new file mode 100644 index 0000000000..704bd06a49 --- /dev/null +++ b/kubernetes/common/common/templates/_dmaapProvisioning.tpl @@ -0,0 +1,186 @@ +{{/* +################################################################################ +# Copyright (C) 2021 Nordix Foundation. # +# # +# Licensed under the Apache License, Version 2.0 (the "License"); # +# you may not use this file except in compliance with the License. # +# You may obtain a copy of the License at # +# # +# http://www.apache.org/licenses/LICENSE-2.0 # +# # +# Unless required by applicable law or agreed to in writing, software # +# distributed under the License is distributed on an "AS IS" BASIS, # +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # +# See the License for the specific language governing permissions and # +# limitations under the License. # +################################################################################ +*/}} + +{{/* + This template generates a Kubernetes init containers common template to enable applications to provision + DMaaP topics (on Message Router) and feeds (on Data Router), with associated authorization (on AAF). + DMaap Bus Controller endpoints are used to provision: + - Authorized topic on MR, and to create and grant permission for publishers and subscribers. + - Feed on DR, with associated user authentication. + + common.dmaap.provisioning.initContainer: + This template make use of Dmaap Bus Controller docker image to create resources on Dmaap Data Router + microservice, with the help of dbc-client.sh script it makes use of Bus Controller API to create Feed, Topics. + If the resource creation is successful via script response is logged back at particular location with + appropriate naming convention. + + More details can be found at : + (https://wiki.onap.org/pages/viewpage.action?pageId=103417564) + + The template directly references data in .Values, and indirectly (through its + use of templates from the ONAP "common" collection) references data in .Release. + + Parameter for _dmaapProvisioning to be defined in values.yaml + # DataRouter Feed Configuration + drFeedConfig: + - feedName: bulk_pm_feed + owner: dcaecm + feedVersion: 0.0 + asprClassification: unclassified + feedDescription: DFC Feed Creation + + # DataRouter Publisher Configuration + drPubConfig: + - feedName: bulk_pm_feed + dcaeLocationName: loc00 + + # DataRouter Subscriber Configuration + drSubConfig: + - feedName: bulk_pm_feed + decompress: True + dcaeLocationName: loc00 + privilegedSubscriber: True + deliveryURL: https://dcae-pm-mapper:8443/delivery + + # MessageRouter Topic, Publisher Configuration + mrTopicsConfig: + - topicName: PERFORMANCE_MEASUREMENTS + topicDescription: Description about Topic + owner: dcaecm + tnxEnabled: false + clients: + - dcaeLocationName: san-francisco + clientRole: org.onap.dcae.pmPublisher + action: + - pub + - view + + # ConfigMap Configuration for DR Feed, Dr_Publisher, Dr_Subscriber, MR Topics + volumes: + - name: feeds-config + path: /opt/app/config/feeds + - name: drpub-config + path: /opt/app/config/dr_pubs + - name: drsub-config + path: /opt/app/config/dr_subs + - name: topics-config + path: /opt/app/config/topics + + In deployments/jobs/stateful include: + initContainers: + {{- include "common.dmaap.provisioning.initContainer" . | nindent XX }} + volumes: + {{- include "common.dmaap.provisioning._volumes" . | nindent XX -}} +*/}} + +{{- define "common.dmaap.provisioning._volumeMounts" -}} +{{- $dot := default . .dot -}} +- mountPath: /opt/app/config/cache + name: dbc-response-cache +{{- range $name, $volume := $dot.Values.volumes }} +- name: {{ $volume.name }} + mountPath: {{ $volume.path }} +{{- end }} +{{- end -}} + +{{- define "common.dmaap.provisioning._volumes" -}} +{{- $dot := default . .dot -}} +- name: dbc-response-cache + emptyDir: {} +{{- range $name, $volume := $dot.Values.volumes }} +- name: {{ $volume.name }} + configMap: + defaultMode: 420 + name: {{ include "common.fullname" $dot }}-{{ printf "%s" $volume.name }} +{{- end }} +{{- end -}} + +{{- define "common.dmaap.provisioning.initContainer" -}} +{{- $dot := default . .dot -}} +{{- $drFeedConfig := default $dot.Values.drFeedConfig .drFeedConfig -}} +{{- $mrTopicsConfig := default $dot.Values.mrTopicsConfig .mrTopicsConfig -}} +{{- if or $drFeedConfig $mrTopicsConfig -}} +- name: {{ include "common.name" $dot }}-init-dmaap-provisioning + image: {{ include "repositoryGenerator.image.dbcClient" $dot }} + imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} + env: + - name: RESP_CACHE + value: /opt/app/config/cache + - name: REQUESTID + value: "{{ include "common.name" $dot }}-dmaap-provisioning" + {{- range $cred := $dot.Values.credentials }} + - name: {{ $cred.name }} + {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" $cred.uid "key" $cred.key) | nindent 4 }} + {{- end }} + volumeMounts: + {{- include "common.dmaap.provisioning._volumeMounts" $dot | trim | nindent 2 }} + resources: {{ include "common.resources" $dot | nindent 1 }} +- name: {{ include "common.name" $dot }}-init-merge-config + image: {{ include "repositoryGenerator.image.envsubst" $dot }} + imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} + command: + - /bin/sh + args: + - -c + - | + if [ -d /opt/app/config/cache ]; then + cd /opt/app/config/cache + for file in $(ls feed*); do + NUM=$(echo "$file" | sed 's/feedConfig-\([0-9]\+\)-resp.json/\1/') + export DR_LOG_URL_"$NUM"="$(grep -o '"logURL":"[^"]*' "$file" | cut -d '"' -f4)" + export DR_FILES_PUBLISHER_URL_"$NUM"="$(grep -o '"publishURL":"[^"]*' "$file" | cut -d '"' -f4)" + done + for file in $(ls drpub*); do + NUM=$(echo "$file" | sed 's/drpubConfig-\([0-9]\+\)-resp.json/\1/') + export DR_USERNAME_"$NUM"="$(grep -o '"username":"[^"]*' "$file" | cut -d '"' -f4)" + export DR_PASSWORD_"$NUM"="$(grep -o '"userpwd":"[^"]*' "$file" | cut -d '"' -f4)" + export DR_FILES_PUBLISHER_ID_"$NUM"="$(grep -o '"pubId":"[^"]*' "$file" | cut -d '"' -f4)" + done + for file in $(ls drsub*); do + NUM=$(echo "$file" | sed 's/drsubConfig-\([0-9]\+\)-resp.json/\1/') + export DR_FILES_SUBSCRIBER_ID_"$NUM"="$(grep -o '"subId":"[^"]*' "$file" | cut -d '"' -f4)" + done + for file in $(ls topics*); do + NUM=$(echo "$file" | sed 's/topicsConfig-\([0-9]\+\)-resp.json/\1/') + export MR_FILES_PUBLISHER_CLIENT_ID_"$NUM"="$(grep -o '"mrClientId":"[^"]*' "$file" | cut -d '"' -f4)" + done + else + echo "No Response logged for Dmaap BusController Http POST Request..!" + fi + cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done + env: + {{- range $cred := $dot.Values.credentials }} + - name: {{ $cred.name }} + {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" $cred.uid "key" $cred.key) | nindent 4 }} + {{- end }} + volumeMounts: + - mountPath: /opt/app/config/cache + name: dbc-response-cache + - mountPath: /config-input + name: app-config-input + - mountPath: /config + name: app-config + resources: + limits: + cpu: 200m + memory: 250Mi + requests: + cpu: 100m + memory: 200Mi +{{- end -}} +{{- end -}}
\ No newline at end of file diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index 2650929389..a488e0d5fa 100644 --- a/kubernetes/common/common/templates/_service.tpl +++ b/kubernetes/common/common/templates/_service.tpl @@ -13,7 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} - {{/* Resolve the name of a chart's service. @@ -122,6 +121,11 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent {{- if (include "common.needTLS" $dot) }} - port: {{ $port.port }} targetPort: {{ $port.name }} +{{- if $port.l4_protocol }} + protocol: {{ $port.l4_protocol }} +{{- else }} + protocol: TCP +{{- end }} {{- if $port.port_protocol }} name: {{ printf "%ss-%s" $port.port_protocol $port.name }} {{- else }} @@ -133,6 +137,11 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent {{- else }} - port: {{ default $port.port $port.plain_port }} targetPort: {{ $port.name }} +{{- if $port.plain_port_l4_protocol }} + protocol: {{ $port.plain_port_l4_protocol }} +{{- else }} + protocol: {{ default "TCP" $port.l4_protocol }} +{{- end }} {{- if $port.port_protocol }} name: {{ printf "%s-%s" $port.port_protocol $port.name }} {{- else }} @@ -143,6 +152,11 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent {{- if (eq $serviceType "ClusterIP") }} - port: {{ $port.plain_port }} targetPort: {{ $port.name }}-plain +{{- if $port.plain_l4_port_protocol }} + protocol: {{ $port.plain_port_l4_protocol }} +{{- else }} + protocol: {{ default "TCP" $port.l4_protocol }} +{{- end }} {{- if $port.port_protocol }} name: {{ printf "%s-%s" $port.port_protocol $port.name }} {{- else }} diff --git a/kubernetes/common/common/templates/_serviceMonitor.tpl b/kubernetes/common/common/templates/_serviceMonitor.tpl new file mode 100644 index 0000000000..eb6c047c2f --- /dev/null +++ b/kubernetes/common/common/templates/_serviceMonitor.tpl @@ -0,0 +1,166 @@ +{{/* +# Copyright © 2021 Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{/* + Resolve the name of a chart's serviceMonitor. + + The default will be the chart name (or $dot.Values.nameOverride if set). + And the use of .Values.metrics.serviceMonitor.name overrides all. + + - .Values.metrics.serviceMonitor.name: override default serviceMonitor (ie. chart) name + Example values file addition: + metrics: + serviceMonitor: + enabled: true + port: blueprints-processor-http + ## specify target port if name is not given to the port in the service definition + ## + # targetPort: 8080 + path: /metrics + basicAuth: + enabled: false + externalSecretName: mysecretname + externalSecretUserKey: login + externalSecretPasswordKey: password + + ## Namespace in which Prometheus is running + ## + # namespace: monitoring + + ## Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + # interval: 60s + + ## Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + # scrapeTimeout: 10s + + ## ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + selector: + app: '{{ include "common.name" . }}' + chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + release: '{{ include "common.release" . }}' + heritage: '{{ .Release.Service }}' + + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + relabelings: [] + + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + metricRelabelings: [] + # - sourceLabels: + # - "__name__" + # targetLabel: "__name__" + # action: replace + # regex: '(.*)' + # replacement: 'example_prefix_$1' + +*/}} +{{/* + Expand the serviceMonitor name for a chart. +*/}} +{{- define "common.serviceMonitorName" -}} + {{- $name := default .Chart.Name .Values.nameOverride -}} + {{- default $name .Values.metrics.serviceMonitor.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* Define the metadata of serviceMonitor + The function takes from one to four arguments (inside a dictionary): + - .dot : environment (.) + - .suffix : a string which will be added at the end of the name (with a '-'). + - .annotations: the annotations to add + - .labels : labels to add + Usage example: + {{ include "common.serviceMonitorMetadata" ( dict "suffix" "myService" "dot" .) }} + {{ include "common.serviceMonitorMetadata" ( dict "annotations" .Values.metrics.serviceMonitor.annotation "dot" .) }} +*/}} + +{{- define "common.serviceMonitorMetadata" -}} +{{- $dot := default . .dot -}} +{{- $annotations := default "" .annotations -}} +{{- $labels := default (dict) .labels -}} +{{- if $annotations -}} +annotations: +{{ include "common.tplValue" (dict "value" $annotations "context" $dot) | indent 2 }} +{{- end }} +name: {{ include "common.serviceMonitorName" $dot }} +{{- if $dot.Values.metrics.serviceMonitor.namespace }} +namespace: {{ $dot.Values.metrics.serviceMonitor.namespace }} +{{- else }} +namespace: {{ include "common.namespace" $dot }} +{{- end }} +labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent 2 }} +{{- end -}} + +{{/* + Create service monitor template +*/}} +{{- define "common.serviceMonitor" -}} +{{- $dot := default . .dot -}} +{{- $labels := default (dict) .labels -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: +{{- include "common.serviceMonitorMetadata" $dot | nindent 2 }} +spec: + endpoints: + - path: {{ default "/metrics" $dot.Values.metrics.serviceMonitor.path }} + {{- if $dot.Values.metrics.serviceMonitor.port }} + port: {{ $dot.Values.metrics.serviceMonitor.port }} + {{- else if $dot.Values.metrics.serviceMonitor.targetPort }} + targetPort: {{ $dot.Values.metrics.serviceMonitor.targetPort }} + {{- else }} + port: metrics + {{- end }} + {{- if $dot.Values.metrics.serviceMonitor.basicAuth.enabled }} + basicAuth: + username: + key: {{ $dot.Values.metrics.serviceMonitor.basicAuth.externalSecretUserKey }} + name: {{ $dot.Values.metrics.serviceMonitor.basicAuth.externalSecretName }} + password: + key: {{ $dot.Values.metrics.serviceMonitor.basicAuth.externalSecretPasswordKey }} + name: {{ $dot.Values.metrics.serviceMonitor.basicAuth.externalSecretName }} + {{- end }} + {{- if $dot.Values.metrics.serviceMonitor.interval }} + interval: {{ $dot.Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if $dot.Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ $dot.Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if $dot.Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplValue" ( dict "value" $dot.Values.metrics.serviceMonitor.relabelings "context" $dot) | nindent 6 }} + {{- end }} + {{- if $dot.Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplValue" ( dict "value" $dot.Values.metrics.serviceMonitor.metricRelabelings "context" $dot) | nindent 6 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ include "common.namespace" $dot }} + selector: + {{- if $dot.Values.metrics.serviceMonitor.selector }} + matchLabels: {{- include "common.tplValue" ( dict "value" $dot.Values.metrics.serviceMonitor.selector "context" $dot) | nindent 6 }} + {{- else }} + matchLabels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent 6 }} + {{- end }} +{{- end -}} diff --git a/kubernetes/common/elasticsearch/values.yaml b/kubernetes/common/elasticsearch/values.yaml index b91ac76056..a3f15645a3 100644 --- a/kubernetes/common/elasticsearch/values.yaml +++ b/kubernetes/common/elasticsearch/values.yaml @@ -279,7 +279,6 @@ certInitializer: aaf_add_config: > cd {{ .Values.credsPath }}; mkdir -p certs; - export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0); keytool -exportcert -rfc -file certs/cacert.pem -keystore {{ .Values.fqi_namespace }}.trust.jks -alias ca_local_0 -storepass $cadi_truststore_password; openssl pkcs12 -in {{ .Values.fqi_namespace }}.p12 -out certs/cert.pem -passin pass:$cadi_keystore_password_p12 -passout pass:$cadi_keystore_password_p12; cp {{ .Values.fqi_namespace }}.key certs/key.pem; diff --git a/kubernetes/common/etcd/templates/statefulset.yaml b/kubernetes/common/etcd/templates/statefulset.yaml index 48c8b6d0cc..c8c0ffa0b2 100644 --- a/kubernetes/common/etcd/templates/statefulset.yaml +++ b/kubernetes/common/etcd/templates/statefulset.yaml @@ -48,6 +48,8 @@ spec: tolerations: {{ toYaml .Values.tolerations | indent 8 }} {{- end }} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.googleK8sRepository" . }}/{{ .Values.image }} diff --git a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml index 6c3b41f5a5..6d1ed40e13 100644 --- a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml +++ b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright © 2020 Bitnami, Orange +# Copyright © 2021 Bitnami, Orange, Bell Canada # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,38 +14,6 @@ # limitations under the License. */}} -{{- if default false (and .Values.global.metrics.enabled .Values.global.metrics.custom_resources) }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ template "common.fullname" . }} - {{- if .Values.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.metrics.serviceMonitor.namespace }} - {{- else }} - namespace: {{ include "common.namespace" . }} - {{- end }} - labels: {{- include "common.labels" . | nindent 4 }} - {{- range $key, $value := .Values.metrics.serviceMonitor.selector }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - selector: - matchLabels: {{- include "common.matchLabels" . | nindent 6 }} - endpoints: - - port: metrics - {{- if .Values.metrics.serviceMonitor.interval }} - interval: {{ .Values.metrics.serviceMonitor.interval }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.relabelings }} - relabelings: {{- include "common.tplValue" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.metricRelabelings }} - metricRelabelings: {{- include "common.tplValue" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }} - {{- end }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} {{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index 7b0d90a9aa..9227e182b6 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -223,7 +223,7 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} {{- if .Values.affinity }} - affinity: {{- include "common.tplvalues" ( dict "value" .Values.affinity "context" $) | nindent 8 }} + affinity: {{- include "common.tplValue" ( dict "value" .Values.affinity "context" $) | nindent 8 }} {{- else }} affinity: podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }} @@ -231,10 +231,10 @@ spec: nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} {{- end }} {{- if .Values.nodeSelector }} - nodeSelector: {{- include "common.tplvalues" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + nodeSelector: {{- include "common.tplValue" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} {{- end }} {{- if .Values.tolerations }} - tolerations: {{- include "common.tplvalues" (dict "value" .Values.tolerations "context" .) | nindent 8 }} + tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" .) | nindent 8 }} {{- end }} volumes: - name: previous-boot diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index 4c77efc83f..ed9977acd9 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -86,9 +86,10 @@ service: ## type: ClusterIP headless: {} + internalPort: &dbPort 3306 ports: - name: mysql - port: 3306 + port: *dbPort headlessPorts: - name: galera port: 4567 diff --git a/kubernetes/common/mariadb-init/resources/config/db_init.sh b/kubernetes/common/mariadb-init/resources/config/db_init.sh index fa4b007a5a..df7c336405 100755 --- a/kubernetes/common/mariadb-init/resources/config/db_init.sh +++ b/kubernetes/common/mariadb-init/resources/config/db_init.sh @@ -1,4 +1,5 @@ #!/bin/bash + {{/* # Copyright © 2019 Orange # Copyright © 2020 Samsung Electronics @@ -20,10 +21,17 @@ set -e while read DB ; do - USER_VAR="MYSQL_USER_${DB^^}" - PASS_VAR="MYSQL_PASSWORD_${DB^^}" - USER=${!USER_VAR} - PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"` + USER_VAR="MYSQL_USER_$(echo $DB | tr '[:lower:]' '[:upper:]')" + PASS_VAR="MYSQL_PASSWORD_$(echo $DB | tr '[:lower:]' '[:upper:]')" +{{/* + # USER=${!USER_VAR} + # PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"` + # eval replacement of the bashism equivalents above might present a security issue here + # since it reads content from DB values filled by helm at the end of the script. + # These possible values has to be constrainted and/or limited by helm for a safe use of eval. +*/}} + eval USER=\$$USER_VAR + PASS=$(eval echo -n \$$PASS_VAR | sed -e "s/'/''/g") MYSQL_OPTS=( -h ${DB_HOST} -P ${DB_PORT} -uroot -p${MYSQL_ROOT_PASSWORD} ) echo "Creating database ${DB} and user ${USER}..." diff --git a/kubernetes/common/mariadb-init/templates/job.yaml b/kubernetes/common/mariadb-init/templates/job.yaml index ad97cd4ed6..96d1dc54a4 100644 --- a/kubernetes/common/mariadb-init/templates/job.yaml +++ b/kubernetes/common/mariadb-init/templates/job.yaml @@ -63,9 +63,9 @@ spec: /db_config/db_cmd.sh{{ end }} env: - name: DB_HOST - value: "{{ default .Values.global.mariadbGalera.nameOverride .Values.mariadbGalera.serviceName }}" + value: {{ include "common.mariadbService" . }} - name: DB_PORT - value: "{{ default .Values.global.mariadbGalera.servicePort .Values.mariadbGalera.servicePort }}" + value: {{ include "common.mariadbPort" . | quote }} - name: MYSQL_ROOT_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-password" "key" (default "password" .Values.global.mariadbGalera.userRootSecretKey)) | indent 10 }} - name: {{ printf "MYSQL_USER_%s" .Values.config.mysqlDatabase | upper }} @@ -83,10 +83,10 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true - - name: mariadb-conf + - name: mariadb-init mountPath: /db_init/ {{- if or .Values.dbScriptConfigMap .Values.dbScript }} - - name: mariadb-init + - name: mariadb-conf mountPath: /db_config/ {{- end }} resources: @@ -104,7 +104,7 @@ spec: hostPath: path: /etc/localtime {{- if or .Values.dbScriptConfigMap .Values.dbScript }} - - name: mariadb-init + - name: mariadb-conf configMap: {{- if .Values.dbScriptConfigMap }} name: {{ tpl .Values.dbScriptConfigMap . }} @@ -113,7 +113,7 @@ spec: {{- end }} defaultMode: 0755 {{- end }} - - name: mariadb-conf + - name: mariadb-init configMap: name: {{ include "mariadbInit.configMap" . }} defaultMode: 0755 diff --git a/kubernetes/common/mongo/templates/statefulset.yaml b/kubernetes/common/mongo/templates/statefulset.yaml index 73186b392d..11602054e8 100644 --- a/kubernetes/common/mongo/templates/statefulset.yaml +++ b/kubernetes/common/mongo/templates/statefulset.yaml @@ -37,6 +37,8 @@ spec: release: {{ include "common.release" . }} spec: {{ include "common.podSecurityContext" . | indent 6 }} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} diff --git a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml index 1aabfb6bcc..d80e70b5fb 100644 --- a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml +++ b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml @@ -41,6 +41,8 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} diff --git a/kubernetes/common/music/templates/deployment.yaml b/kubernetes/common/music/templates/deployment.yaml index 1e5d3c5377..53d5a366f7 100644 --- a/kubernetes/common/music/templates/deployment.yaml +++ b/kubernetes/common/music/templates/deployment.yaml @@ -23,6 +23,8 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" initContainers: - name: {{ include "common.name" . }}-cassandra-readiness image: {{ include "repositoryGenerator.image.readiness" . }} diff --git a/kubernetes/common/postgres/templates/_deployment.tpl b/kubernetes/common/postgres/templates/_deployment.tpl index 7d04501f24..d93d401ebc 100644 --- a/kubernetes/common/postgres/templates/_deployment.tpl +++ b/kubernetes/common/postgres/templates/_deployment.tpl @@ -42,6 +42,8 @@ spec: release: {{ include "common.release" $dot }} name: "{{ index $dot.Values "container" "name" $pgMode }}" spec: + imagePullSecrets: + - name: "{{ include "common.namespace" $dot }}-docker-registry-key" initContainers: - command: - sh diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index 488db054a0..1662985d0a 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada -# Copyright © 2021 AT&T +# Copyright © 2021 AT&T +# Modifications Copyright (C) 2021 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -67,6 +68,15 @@ {{- include "repositoryGenerator._repositoryHelper" (merge (dict "repoName" "googleK8sRepository") .) }} {{- end -}} +{{/* + Resolve the name of the GithubContainer registry + - .Values.global.githubContainerRegistry : default image githubContainerRegistry for all dockerHub images + - .Values.githubContainerRegistryOverride : override global githubContainerRegistry on a per chart basis +*/}} +{{- define "repositoryGenerator.githubContainerRegistry" -}} + {{- include "repositoryGenerator._repositoryHelper" (merge (dict "repoName" "githubContainerRegistry") .) }} +{{- end -}} + {{- define "repositoryGenerator.image._helper" -}} {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.repositoryGenerator .initRoot -}} @@ -123,6 +133,10 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "readinessImage") .) }} {{- end -}} +{{- define "repositoryGenerator.image.dbcClient" -}} + {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dbcClientImage") .) }} +{{- end -}} + {{/* Resolve the image repository secret token. The value for .Values.global.repositoryCred is used if provided: @@ -182,5 +196,17 @@ {{- $repoCreds = printf "%s, %s" $repoCreds $gcrRepoCreds }} {{- end }} {{- end }} + {{- if $subchartDot.Values.global.githubContainerRegistryCred }} + {{- $ghcrRepo := $subchartDot.Values.global.githubContainerRegistry }} + {{- $ghcrCred := $subchartDot.Values.global.githubContainerRegistryCred }} + {{- $ghcrMail := default "@" $ghcrCred.mail }} + {{- $ghcrAuth := printf "%s:%s" $ghcrCred.user $ghcrCred.password | b64enc }} + {{- $ghcrRepoCreds := printf "\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}" $ghcrRepo $ghcrCred.user $ghcrCred.password $ghcrMail $ghcrAuth }} + {{- if eq "" $repoCreds }} + {{- $repoCreds = $ghcrRepoCreds }} + {{- else }} + {{- $repoCreds = printf "%s, %s" $repoCreds $ghcrRepoCreds }} + {{- end }} + {{- end }} {{- printf "{%s}" $repoCreds | b64enc -}} {{- end -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index bf21e2da08..f4104538f7 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2020 Orange # Copyright © 2021 Nokia, AT&T +# Modifications Copyright (C) 2021 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,6 +20,7 @@ global: dockerHubRepository: docker.io elasticRepository: docker.elastic.co googleK8sRepository: k8s.gcr.io + githubContainerRegistry: ghcr.io # common global images busyboxImage: busybox:1.32 @@ -34,6 +36,7 @@ global: postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 readinessImage: onap/oom/readiness:3.0.1 dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 + dbcClientImage: onap/dmaap/dbc-client:2.0.7 # Default credentials # they're optional. If the target repository doesn't need them, comment them @@ -65,3 +68,4 @@ imageRepoMapping: postgresImage: dockerHubRepository readinessImage: repository dcaePolicySyncImage: repository + dbcClientImage: repository diff --git a/kubernetes/common/timescaledb/.helmignore b/kubernetes/common/timescaledb/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/kubernetes/common/timescaledb/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml new file mode 100644 index 0000000000..7aeafa01f2 --- /dev/null +++ b/kubernetes/common/timescaledb/Chart.yaml @@ -0,0 +1,23 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v1 +appVersion: "1.0" +description: ONAP timescaledb +name: timescaledb +version: 8.0.0 diff --git a/kubernetes/common/timescaledb/requirements.yaml b/kubernetes/common/timescaledb/requirements.yaml new file mode 100644 index 0000000000..de0c414c19 --- /dev/null +++ b/kubernetes/common/timescaledb/requirements.yaml @@ -0,0 +1,28 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +dependencies: + - name: common + version: ~8.x-0 + repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~8.x-0 + repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/timescaledb/resources/init/init-schema.sh b/kubernetes/common/timescaledb/resources/init/init-schema.sh new file mode 100644 index 0000000000..ab83cffae2 --- /dev/null +++ b/kubernetes/common/timescaledb/resources/init/init-schema.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +set -e +set echo on; +psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL + CREATE USER $DB_USERNAME WITH PASSWORD '$DB_PASSWORD'; + CREATE SCHEMA $POSTGRES_DB; + GRANT ALL PRIVILEGES ON SCHEMA $POSTGRES_DB TO $DB_USERNAME; + CREATE EXTENSION IF NOT EXISTS timescaledb WITH SCHEMA $POSTGRES_DB; +EOSQL diff --git a/kubernetes/common/timescaledb/templates/configmap-init.yaml b/kubernetes/common/timescaledb/templates/configmap-init.yaml new file mode 100644 index 0000000000..82c1de6255 --- /dev/null +++ b/kubernetes/common/timescaledb/templates/configmap-init.yaml @@ -0,0 +1,33 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-init + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: + init-schema.sh: |- +{{ .Files.Get "resources/init/init-schema.sh" | indent 4}} diff --git a/kubernetes/common/timescaledb/templates/pv.yaml b/kubernetes/common/timescaledb/templates/pv.yaml new file mode 100644 index 0000000000..f99b5f3562 --- /dev/null +++ b/kubernetes/common/timescaledb/templates/pv.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.PV" . }} diff --git a/kubernetes/common/timescaledb/templates/secrets.yaml b/kubernetes/common/timescaledb/templates/secrets.yaml new file mode 100644 index 0000000000..c888d48b6c --- /dev/null +++ b/kubernetes/common/timescaledb/templates/secrets.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/timescaledb/templates/service.yaml b/kubernetes/common/timescaledb/templates/service.yaml new file mode 100644 index 0000000000..c205ff4889 --- /dev/null +++ b/kubernetes/common/timescaledb/templates/service.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml new file mode 100644 index 0000000000..9b63de434d --- /dev/null +++ b/kubernetes/common/timescaledb/templates/statefulset.yaml @@ -0,0 +1,90 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: StatefulSet +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + serviceName: {{ include "common.servicename" . }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + imagePullPolicy: {{ .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + livenessProbe: + exec: + command: ["psql", "-w", "-U", "{{ .Values.config.pgRootUserName }}", "-c", "select 1"] + initialDelaySeconds: 5 + periodSeconds: 60 + readinessProbe: + exec: + command: ["psql", "-w", "-U", "{{ .Values.config.pgRootUserName }}", "-c", "select 1"] + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "login") | indent 14 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "password") | indent 14 }} + - name: POSTGRES_DB + value: {{ .Values.config.pgDatabase }} + - name: POSTGRES_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-creds" "key" "login") | indent 14 }} + - name: POSTGRES_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-creds" "key" "password") | indent 14 }} + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + resources: +{{ include "common.resources" . | indent 12 }} + volumeMounts: + - name: {{ include "common.fullname" . }}-init + mountPath: /docker-entrypoint-initdb.d + - name: {{ include "common.fullname" . }} + mountPath: /var/lib/postgresql/data + volumes: + - name: {{ include "common.fullname" . }}-init + configMap: + name: {{ include "common.fullname" . }}-init + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} + volumeClaimTemplates: + - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence) | indent 6 | trim }} +{{- end }} diff --git a/kubernetes/common/timescaledb/values.yaml b/kubernetes/common/timescaledb/values.yaml new file mode 100644 index 0000000000..b6d2face3a --- /dev/null +++ b/kubernetes/common/timescaledb/values.yaml @@ -0,0 +1,111 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +replicaCount: 1 +global: + persistence: {} + +################################################################# +# Secrets. +############################################################## +image: timescale/timescaledb:2.1.1-pg13 + +pullPolicy: Always +containerPorts: 5432 + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + nameOverride: timescaledb + roles: + - read + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: + cpu: 0.5 + memory: 256Mi + requests: + cpu: 20m + memory: 256Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +service: + type: ClusterIP + name: timescaledb + ports: + - name: tcp-timescaledb + port: 5432 + +persistence: + enabled: true + + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + volumeReclaimPolicy: Retain + + ## database data Persistent Volume Storage Class + ## If defined, storageClassName: <storageClass> + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + accessMode: ReadWriteOnce + size: 1Gi + mountPath: /dockerdata-nfs + +config: + pgUserName: timescaledb + pgRootUserName: postgres + pgDatabase: timescaledb + +secrets: + - uid: root-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.pgRootPasswordExternalSecret) . }}' + login: '{{ .Values.config.pgRootUserName }}' + password: '{{ .Values.config.pgRootpassword }}' + - uid: user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.pgUserExternalSecret) . }}' + login: '{{ .Values.config.pgUserName }}' + password: '{{ .Values.config.pgUserPassword }}' + |