diff options
Diffstat (limited to 'kubernetes/common')
37 files changed, 612 insertions, 197 deletions
diff --git a/kubernetes/common/Makefile b/kubernetes/common/Makefile index c7aba635c1..6442068b2f 100644 --- a/kubernetes/common/Makefile +++ b/kubernetes/common/Makefile @@ -21,7 +21,7 @@ COMMON_CHARTS_DIR := common EXCLUDES := PROCESSED_LAST := cert-wrapper repository-wrapper -PROCESSED_FIRST := repositoryGenerator readinessCheck certInitializer +PROCESSED_FIRST := repositoryGenerator readinessCheck serviceAccount certInitializer TO_FILTER := $(PROCESSED_FIRST) $(EXCLUDES) $(PROCESSED_LAST) HELM_BIN := helm diff --git a/kubernetes/common/cassandra/resources/restore.sh b/kubernetes/common/cassandra/resources/restore.sh index 798ab6c53c..a8105345f7 100644 --- a/kubernetes/common/cassandra/resources/restore.sh +++ b/kubernetes/common/cassandra/resources/restore.sh @@ -7,7 +7,7 @@ ss_name="" ss="snapshots" me=`basename $0` -function find_target_table_name() +find_target_table_name () { dest_path=$1 keyspace_name=$2 @@ -18,7 +18,7 @@ function find_target_table_name() printf $dest_table_name } -function print_usage() +print_usage () { echo "NAME" echo " Script to restore Cassandra database from Nuvo/Cain snapshot" @@ -75,7 +75,7 @@ esac done # Validate inputs -if [ "$base_db_dir" == "" ] || [ "$ss_dir" == "" ] || [ "$keyspace_name" == "" ] +if [ "$base_db_dir" = "" ] || [ "$ss_dir" = "" ] || [ "$keyspace_name" = "" ] then echo "" echo ">>>>>>>>>>Not all inputs provided, please check usage >>>>>>>>>>" diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml index 953c89d24d..3553cd4069 100644 --- a/kubernetes/common/cassandra/templates/statefulset.yaml +++ b/kubernetes/common/cassandra/templates/statefulset.yaml @@ -71,6 +71,17 @@ spec: timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} + startupProbe: + exec: + command: + - /bin/bash + - -c + - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' + initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} + periodSeconds: {{ .Values.startup.periodSeconds }} + timeoutSeconds: {{ .Values.startup.timeoutSeconds }} + successThreshold: {{ .Values.startup.successThreshold }} + failureThreshold: {{ .Values.startup.failureThreshold }} env: {{- $seed_size := default 1 .Values.replicaCount | int -}} {{- $global := . }} diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml index c3d22cedc0..9f19bf5c14 100644 --- a/kubernetes/common/cassandra/values.yaml +++ b/kubernetes/common/cassandra/values.yaml @@ -54,8 +54,8 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 @@ -64,12 +64,19 @@ liveness: enabled: true readiness: - initialDelaySeconds: 120 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 +startup: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 90 + service: name: cassandra headless: @@ -119,7 +126,7 @@ persistence: ## storageClass: "-" ## Not set as it depends of the backup enabledment or not. accessMode: ReadWriteOnce - size: 2Gi + size: 10Gi mountPath: /dockerdata-nfs mountSubPath: cassandra storageType: local diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index 87e584c78e..cb4153e778 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -17,6 +17,7 @@ */}} CERTS_DIR=${CERTS_DIR:-/certs} +MORE_CERTS_DIR=${MORE_CERTS_DIR:-/more_certs} WORK_DIR=${WORK_DIR:-/updatedTruststore} ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks} JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts} @@ -28,18 +29,18 @@ mkdir -p $WORK_DIR for f in $CERTS_DIR/*; do export canonical_name_nob64=$(echo $f | sed 's/.*\/\([^\/]*\)/\1/') export canonical_name_b64=$(echo $f | sed 's/.*\/\([^\/]*\)\(\.b64\)/\1/') - if [ "$AAF_ENABLED" == "false" ] && [ "$canonical_name_b64" == "$ONAP_TRUSTSTORE" ]; then + if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_b64" = "$ONAP_TRUSTSTORE" ]; then # Dont use onap truststore when aaf is disabled continue fi - if [ "$AAF_ENABLED" == "false" ] && [ "$canonical_name_nob64" == "$ONAP_TRUSTSTORE" ]; then + if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_nob64" = "$ONAP_TRUSTSTORE" ]; then # Dont use onap truststore when aaf is disabled continue fi - if [ ${f: -3} == ".sh" ]; then + if [ ${f: -3} = ".sh" ]; then continue fi - if [ ${f: -4} == ".b64" ] + if [ ${f: -4} = ".b64" ] then base64 -d $f > $WORK_DIR/`basename $f .b64` else @@ -47,10 +48,18 @@ for f in $CERTS_DIR/*; do fi done +for f in $MORE_CERTS_DIR/*; do + if [ ${f: -4} == ".pem" ] + then + cp $f $WORK_DIR/. + fi +done + # Prepare truststore output file -if [ "$AAF_ENABLED" == "true" ] +if [ "$AAF_ENABLED" = "true" ] then - mv $WORK_DIR/$ONAP_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME + echo "AAF is enabled, use 'AAF' truststore" + export TRUSTSTORE_OUTPUT_FILENAME=${ONAP_TRUSTSTORE} else echo "AAF is disabled, using JRE truststore" cp $JRE_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME @@ -58,7 +67,7 @@ fi # Import Custom Certificates for f in $WORK_DIR/*; do - if [ ${f: -4} == ".pem" ]; then + if [ ${f: -4} = ".pem" ]; then echo "importing certificate: $f" keytool -import -file $f -alias `basename $f` -keystore $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -storepass $TRUSTSTORE_PASSWORD -noprompt if [ $? != 0 ]; then diff --git a/kubernetes/common/certInitializer/resources/ingress/onboard.sh b/kubernetes/common/certInitializer/resources/ingress/onboard.sh new file mode 100644 index 0000000000..9cc5ec580e --- /dev/null +++ b/kubernetes/common/certInitializer/resources/ingress/onboard.sh @@ -0,0 +1,35 @@ +#!/bin/sh + +{{/* +# Copyright © 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/ -}} + +echo "*** retrieving certificates and keys" +export CRT=$(cat {{ .Values.credsPath }}/certs/tls.crt | base64 -w 0) +export KEY=$(cat {{ .Values.credsPath }}/certs/tls.key | base64 -w 0) +export CACERT=$(cat {{ .Values.credsPath }}/certs/cacert.pem | base64 -w 0) +echo "*** creating tls secret" +cat <<EOF | kubectl apply -f - +apiVersion: v1 +kind: Secret +metadata: + name: {{ tpl .Values.ingressTlsSecret . }} + namespace: {{ include "common.namespace" . }} +data: + ca.crt: "${CACERT}" + tls.crt: "${CRT}" + tls.key: '${KEY}' +type: kubernetes.io/tls +EOF diff --git a/kubernetes/common/certInitializer/resources/retrieval_check.sh b/kubernetes/common/certInitializer/resources/retrieval/retrieval_check.sh index f3af14b17a..76f384502f 100644 --- a/kubernetes/common/certInitializer/resources/retrieval_check.sh +++ b/kubernetes/common/certInitializer/resources/retrieval/retrieval_check.sh @@ -1,3 +1,5 @@ +#!/bin/sh + {{/* # Copyright © 2021 Orange # @@ -12,8 +14,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} -#!/bin/sh +*/ -}} echo "*** retrieving passwords for certificates" export $(/opt/app/aaf_config/bin/agent.sh local showpass \ diff --git a/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh b/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh new file mode 100644 index 0000000000..f201eadd0a --- /dev/null +++ b/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh @@ -0,0 +1,32 @@ +#!/bin/sh + +{{/* +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/ -}} + +echo "--- Cert transformation for use with Ingress" +echo "*** transform AAF certs into pem files" +mkdir -p {{ .Values.credsPath }}/certs +keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \ + -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \ + -alias ca_local_0 \ + -storepass $cadi_truststore_password +openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -out {{ .Values.credsPath }}/certs/tls.crt -nokeys \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 +cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ + {{ .Values.credsPath }}/certs/tls.key +echo "--- Done" diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index 414192e2bc..f3ba8a24e0 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Bell Canada, Samsung Electronics +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -58,6 +59,11 @@ - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} mountPath: /opt/app/aaf_config/bin/retrieval_check.sh subPath: retrieval_check.sh +{{- if hasKey $initRoot "ingressTlsSecret" }} + - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} + mountPath: /opt/app/aaf_config/bin/tls_certs_configure.sh + subPath: tls_certs_configure.sh +{{- end }} {{- if $initRoot.aaf_add_config }} - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh @@ -69,6 +75,9 @@ - | /opt/app/aaf_config/bin/agent.sh . /opt/app/aaf_config/bin/retrieval_check.sh +{{- if hasKey $initRoot "ingressTlsSecret" }} + /opt/app/aaf_config/bin/tls_certs_configure.sh +{{- end -}} {{- if $initRoot.aaf_add_config }} /opt/app/aaf_config/bin/aaf-add-config.sh {{- end }} @@ -137,6 +146,8 @@ volumeMounts: - mountPath: /certs name: aaf-agent-certs + - mountPath: /more_certs + name: provided-custom-certs - mountPath: /root/import-custom-certs.sh name: aaf-agent-certs subPath: import-custom-certs.sh @@ -177,6 +188,21 @@ configMap: name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }} defaultMode: 0700 +{{- if $dot.Values.global.importCustomCertsEnabled }} +- name: provided-custom-certs +{{- if $dot.Values.global.customCertsSecret }} + secret: + secretName: {{ $dot.Values.global.customCertsSecret }} +{{- else }} +{{- if $dot.Values.global.customCertsConfigMap }} + configMap: + name: {{ $dot.Values.global.customCertsConfigMap }} +{{- else }} + emptyDir: + medium: Memory +{{- end }} +{{- end }} +{{- end }} - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} configMap: name: {{ include "common.fullname" $subchartDot }}-add-config diff --git a/kubernetes/common/certInitializer/templates/configmap.yaml b/kubernetes/common/certInitializer/templates/configmap.yaml index 1e9254abef..abd1575774 100644 --- a/kubernetes/common/certInitializer/templates/configmap.yaml +++ b/kubernetes/common/certInitializer/templates/configmap.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Samsung Electronics +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,8 +20,20 @@ kind: ConfigMap {{- $suffix := "add-config" }} metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} data: -{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/retrieval/retrieval_check.sh").AsConfig . | indent 2 }} +{{- if hasKey .Values "ingressTlsSecret" }} +{{ tpl (.Files.Glob "resources/retrieval/tls_certs_configure.sh").AsConfig . | indent 2 }} +{{- end }} {{ if .Values.aaf_add_config }} aaf-add-config.sh: | {{ tpl .Values.aaf_add_config . | indent 4 | trim }} {{- end }} +{{- if hasKey .Values "ingressTlsSecret" }} +--- +apiVersion: v1 +kind: ConfigMap +{{- $suffix := "ingress" }} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} +data: +{{ tpl (.Files.Glob "resources/ingress/onboard.sh").AsConfig . | indent 2 }} +{{- end }} diff --git a/kubernetes/common/certInitializer/templates/job.yaml b/kubernetes/common/certInitializer/templates/job.yaml new file mode 100644 index 0000000000..331a58c310 --- /dev/null +++ b/kubernetes/common/certInitializer/templates/job.yaml @@ -0,0 +1,44 @@ +{{/* +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if hasKey .Values "ingressTlsSecret" }} +apiVersion: batch/v1 +kind: Job +{{- $suffix := "set-tls-secret" }} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} +spec: + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: {{ include "common.certInitializer.initContainer" (dict "dot" . "initRoot" .Values) | nindent 6 }} + containers: + - name: create tls secret + command: + - /ingress/onboard.sh + image: {{ include "repositoryGenerator.image.kubectl" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: {{ include "common.certInitializer.volumeMount" (dict "dot" . "initRoot" .Values) | nindent 8 }} + - name: ingress-scripts + mountPath: /ingress + volumes: {{ include "common.certInitializer.volumes" (dict "dot" . "initRoot" .Values) | nindent 6 }} + - name: localtime + hostPath: + path: /etc/localtime + - name: ingress-scripts + configMap: + name: {{ include "common.fullname" . }}-ingress + defaultMode: 0777 +{{- end}} diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml index 52b2765329..747c94f4d1 100644 --- a/kubernetes/common/certInitializer/values.yaml +++ b/kubernetes/common/certInitializer/values.yaml @@ -15,6 +15,15 @@ global: aafAgentImage: onap/aaf/aaf_agent:2.1.20 aafEnabled: true + # Give the name of a config map where certInitializer will onboard all certs + # given (certs must be in pem format) + customCertsConfigMap: + # Give the name of a secret where certInitializer will onboard all certs given + # (certs must be in pem format) + # this one superseedes previous one (so if both are given, only certs from + # secret will be onboarded). + customCertsSecret: + pullPolicy: Always @@ -37,7 +46,6 @@ readinessCheck: - aaf-cm - aaf-service -aafDeployFqi: "changeme" fqdn: "" app_ns: "org.osaaf.aaf" fqi: "" @@ -55,6 +63,7 @@ truststoreMountpath: "" truststoreOutputFileName: truststore.jks truststorePassword: changeit envVarToCheck: cadi_keystore_password_p12 +# ingressTlsSecret: # This introduces implicit dependency on cert-wrapper # if you are using cert initializer cert-wrapper has to be also deployed. diff --git a/kubernetes/common/certManagerCertificate/requirements.yaml b/kubernetes/common/certManagerCertificate/requirements.yaml index 210a02c65c..83becb0a33 100644 --- a/kubernetes/common/certManagerCertificate/requirements.yaml +++ b/kubernetes/common/certManagerCertificate/requirements.yaml @@ -16,3 +16,6 @@ dependencies: - name: common version: ~8.x-0 repository: 'file://../common' + - name: cmpv2Config + version: ~8.x-0 + repository: 'file://../cmpv2Config' diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl index f820c30ca9..2b9461e50e 100644 --- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl +++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl @@ -18,7 +18,7 @@ # # To request a certificate following steps are to be done: # - create an object 'certificates' in the values.yaml -# - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate". +# - create a file templates/certificate.yaml and invoke the function "certManagerCertificate.certificate". # # Here is an example of the certificate request for a component: # @@ -53,6 +53,7 @@ # passwordSecretRef: # name: secret-name # key: secret-key +# create: true # # Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined. # Other mandatory fields for the certificate definition do not have to be defined directly, @@ -74,7 +75,7 @@ {{/*# General certifiacate attributes #*/}} {{- $name := include "common.fullname" $dot -}} {{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}} -{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +{{- $secretName := default (printf "%s-secret-%d" $name $i) (tpl (default "" $certificate.secretName) $ ) -}} {{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}} {{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}} {{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}} @@ -94,10 +95,11 @@ {{- if $certificate.issuer -}} {{- $issuer = $certificate.issuer -}} {{- end -}} ---- -{{- if $certificate.keystore }} +{{/*# Secret #*/}} +{{ if $certificate.keystore -}} {{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}} - {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }} + {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote -}} + {{- if $passwordSecretRef.create }} apiVersion: v1 kind: Secret metadata: @@ -106,7 +108,8 @@ metadata: type: Opaque stringData: {{ $passwordSecretRef.key }}: {{ $password }} -{{- end }} + {{- end }} +{{ end -}} --- apiVersion: cert-manager.io/v1 kind: Certificate @@ -120,6 +123,15 @@ spec: {{- if $duration }} duration: {{ $duration }} {{- end }} + {{- if $certificate.isCA }} + isCA: {{ $certificate.isCA }} + {{- end }} + {{- if $certificate.usages }} + usages: + {{- range $usage := $certificate.usages }} + - {{ $usage }} + {{- end }} + {{- end }} subject: organizations: - {{ $subject.organization }} @@ -156,7 +168,9 @@ spec: {{- end }} {{- end }} issuerRef: + {{- if not (eq $issuer.kind "Issuer" ) }} group: {{ $issuer.group }} + {{- end }} kind: {{ $issuer.kind }} name: {{ $issuer.name }} {{- if $certificate.keystore }} @@ -168,13 +182,15 @@ spec: {{ $outputType }}: create: true passwordSecretRef: - name: {{ $certificate.keystore.passwordSecretRef.name }} + name: {{ tpl (default "" $certificate.keystore.passwordSecretRef.name) $ }} key: {{ $certificate.keystore.passwordSecretRef.key }} {{- end }} {{- end }} {{ end }} {{- end -}} +{{/*Using templates below allows read and write access to volume mounted at $mountPath*/}} + {{- define "common.certManager.volumeMounts" -}} {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} @@ -203,8 +219,14 @@ spec: sources: - secret: name: {{ $certificatesSecretName }} - {{- if $certificate.keystore }} items: + - key: tls.key + path: key.pem + - key: tls.crt + path: cert.pem + - key: ca.crt + path: cacert.pem + {{- if $certificate.keystore }} {{- range $outputType := $certificate.keystore.outputType }} - key: keystore.{{ $outputType }} path: keystore.{{ $outputType }} @@ -235,3 +257,54 @@ spec: {{- end -}} {{ $certsLinkCommand }} {{- end -}} + +{{/*Using templates below allows only read access to volume mounted at $mountPath*/}} + +{{- define "common.certManager.volumeMountsReadOnly" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} + {{- range $i, $certificate := $dot.Values.certificates -}} + {{- $mountPath := $certificate.mountPath -}} +- mountPath: {{ $mountPath }} + name: certmanager-certs-volume-{{ $i }} + {{- end -}} +{{- end -}} + +{{- define "common.certManager.volumesReadOnly" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} +{{- $certificates := $dot.Values.certificates -}} + {{- range $i, $certificate := $certificates -}} + {{- $name := include "common.fullname" $dot -}} + {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +- name: certmanager-certs-volume-{{ $i }} + projected: + sources: + - secret: + name: {{ $certificatesSecretName }} + items: + - key: tls.key + path: key.pem + - key: tls.crt + path: cert.pem + - key: ca.crt + path: cacert.pem + {{- if $certificate.keystore }} + {{- range $outputType := $certificate.keystore.outputType }} + - key: keystore.{{ $outputType }} + path: keystore.{{ $outputType }} + - key: truststore.{{ $outputType }} + path: truststore.{{ $outputType }} + {{- end }} + - secret: + name: {{ $certificate.keystore.passwordSecretRef.name }} + items: + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: keystore.pass + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: truststore.pass + {{- end }} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/cmpv2Certificate/requirements.yaml index 87509d11bc..b10896d2ce 100644 --- a/kubernetes/common/cmpv2Certificate/requirements.yaml +++ b/kubernetes/common/cmpv2Certificate/requirements.yaml @@ -19,3 +19,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: 'file://../repositoryGenerator' + - name: cmpv2Config + version: ~8.x-0 + repository: 'file://../cmpv2Config' diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl index 58cc9c7249..f80b06b4d3 100644 --- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl +++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl @@ -62,7 +62,7 @@ There also need to be some includes used in a target component deployment (inden {{- define "common.certServiceClient.initContainer" -}} {{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} {{- range $index, $certificate := $dot.Values.certificates -}} @@ -97,11 +97,14 @@ There also need to be some includes used in a target component deployment (inden {{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}} {{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}} {{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}} -{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}} -{{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}} -{{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}} -{{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}} -{{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}} +{{- $certificatesSecret:= $subchartGlobal.platform.certServiceClient.clientSecretName -}} +{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath -}} +{{- $keystorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.keystoreKeyRef ) -}} +{{- $keystorePasswordSecret := $subchartGlobal.platform.certificates.keystorePasswordSecretName -}} +{{- $keystorePasswordSecretKey := $subchartGlobal.platform.certificates.keystorePasswordSecretKey -}} +{{- $truststorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.truststoreKeyRef ) -}} +{{- $truststorePasswordSecret := $subchartGlobal.platform.certificates.truststorePasswordSecretName -}} +{{- $truststorePasswordSecretKey := $subchartGlobal.platform.certificates.truststorePasswordSecretKey -}} - name: certs-init-{{ $index }} image: {{ include "repositoryGenerator.image.certserviceclient" $dot }} imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} @@ -133,11 +136,17 @@ There also need to be some includes used in a target component deployment (inden - name: KEYSTORE_PATH value: {{ $keystorePath | quote }} - name: KEYSTORE_PASSWORD - value: {{ $keystorePassword | quote }} + valueFrom: + secretKeyRef: + name: {{ $keystorePasswordSecret | quote}} + key: {{ $keystorePasswordSecretKey | quote}} - name: TRUSTSTORE_PATH value: {{ $truststorePath | quote }} - name: TRUSTSTORE_PASSWORD - value: {{ $truststorePassword | quote }} + valueFrom: + secretKeyRef: + name: {{ $truststorePasswordSecret | quote}} + key: {{ $truststorePasswordSecretKey | quote}} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: @@ -151,10 +160,10 @@ There also need to be some includes used in a target component deployment (inden {{- define "common.certServiceClient.volumes" -}} {{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} -{{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}} +{{- $certificatesSecretName := $subchartGlobal.platform.certificates.clientSecretName -}} - name: certservice-tls-volume secret: secretName: {{ $certificatesSecretName }} @@ -168,7 +177,7 @@ There also need to be some includes used in a target component deployment (inden {{- define "common.certServiceClient.volumeMounts" -}} {{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} {{- range $index, $certificate := $dot.Values.certificates -}} diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/cmpv2Certificate/values.yaml index b7531431c4..504947525d 100644 --- a/kubernetes/common/cmpv2Certificate/values.yaml +++ b/kubernetes/common/cmpv2Certificate/values.yaml @@ -11,38 +11,3 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - -################################################################# -# Global configuration default values that can be inherited by -# all subcharts. -################################################################# -global: - # Enabling CMPv2 - cmpv2Enabled: true - CMPv2CertManagerIntegration: false - - certificate: - default: - subject: - organization: "Linux-Foundation" - country: "US" - locality: "San-Francisco" - province: "California" - organizationalUnit: "ONAP" - - platform: - certServiceClient: - secret: - name: oom-cert-service-client-tls-secret - mountPath: /etc/onap/oom/certservice/certs/ - envVariables: - certPath: "/var/custom-certs" - # Client configuration related - caName: "RA" - requestURL: "https://oom-cert-service:8443/v1/certificate/" - requestTimeout: "30000" - keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks" - outputType: "P12" - keystorePassword: "secret" - truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks" - truststorePassword: "secret" diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index b6ee064302..695e40616c 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml @@ -12,22 +12,40 @@ # See the License for the specific language governing permissions and # limitations under the License. global: + + # Enabling CMPv2 + cmpv2Enabled: true + CMPv2CertManagerIntegration: false + + certificate: + default: + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + platform: + certificates: + clientSecretName: oom-cert-service-client-tls-secret + keystoreKeyRef: keystore.jks + truststoreKeyRef: truststore.jks + keystorePasswordSecretName: oom-cert-service-keystore-password + keystorePasswordSecretKey: password + truststorePasswordSecretName: oom-cert-service-truststore-password + truststorePasswordSecretKey: password certServiceClient: image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 - secretName: oom-cert-service-client-tls-secret + certificatesSecretMountPath: /etc/onap/oom/certservice/certs/ envVariables: + certPath: "/var/custom-certs" # Certificate related - cmpv2Organization: "Linux-Foundation" - cmpv2OrganizationalUnit: "ONAP" - cmpv2Location: "San-Francisco" - cmpv2State: "California" - cmpv2Country: "US" + caName: "RA" # Client configuration related requestURL: "https://oom-cert-service:8443/v1/certificate/" requestTimeout: "30000" - keystorePassword: "secret" - truststorePassword: "secret" + outputType: "P12" certPostProcessor: image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 diff --git a/kubernetes/common/common/templates/_createPassword.tpl b/kubernetes/common/common/templates/_createPassword.tpl index bfd0999e16..4ded11f53f 100644 --- a/kubernetes/common/common/templates/_createPassword.tpl +++ b/kubernetes/common/common/templates/_createPassword.tpl @@ -24,11 +24,11 @@ */}} {{- define "common.masterPassword" -}} {{ if .Values.masterPasswordOverride }} - {{- printf "%d" .Values.masterPasswordOverride -}} + {{- printf "%s" .Values.masterPasswordOverride -}} {{ else if .Values.global.masterPassword }} - {{- printf "%d" .Values.global.masterPassword -}} + {{- printf "%s" .Values.global.masterPassword -}} {{ else if .Values.masterPassword }} - {{- printf "%d" .Values.masterPassword -}} + {{- printf "%s" .Values.masterPassword -}} {{ else if eq "testRelease" (include "common.release" .) }} {{/* Special case for chart liniting. DON"T NAME YOUR PRODUCTION RELEASE testRelease */}} {{- printf "testRelease" -}} diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl index 1be3e3b790..5021c500b0 100644 --- a/kubernetes/common/common/templates/_mariadb.tpl +++ b/kubernetes/common/common/templates/_mariadb.tpl @@ -63,7 +63,7 @@ */}} {{- define "common.mariadbService" -}} {{- if .Values.global.mariadbGalera.localCluster -}} - {{- index .Values "mariadb-galera" "service" "name" -}} + {{- index .Values "mariadb-galera" "nameOverride" -}} {{- else -}} {{- .Values.global.mariadbGalera.service -}} {{- end -}} diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index bde971ffe7..7b0d90a9aa 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -129,7 +129,7 @@ spec: livenessProbe: exec: command: - - bash + - sh - -ec - | exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD @@ -143,7 +143,7 @@ spec: readinessProbe: exec: command: - - bash + - sh - -ec - | exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD @@ -153,6 +153,20 @@ spec: successThreshold: {{ .Values.readinessProbe.successThreshold }} failureThreshold: {{ .Values.readinessProbe.failureThreshold }} {{- end }} + {{- if .Values.startupProbe.enabled }} + startupProbe: + exec: + command: + - sh + - -ec + - | + exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.startupProbe.successThreshold }} + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + {{- end }} resources: {{ include "common.resources" . | nindent 12 }} volumeMounts: - name: previous-boot diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index 12d2d75e38..4c77efc83f 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -329,6 +329,12 @@ mariadbConfiguration: |- innodb_flush_log_at_trx_commit=2 # MYISAM REPLICATION SUPPORT # wsrep_replicate_myisam=ON + binlog_format=row + default_storage_engine=InnoDB + innodb_autoinc_lock_mode=2 + transaction-isolation=READ-COMMITTED + wsrep_causal_reads=1 + wsrep_sync_wait=7 [mariadb] plugin_load_add=auth_pam @@ -472,18 +478,18 @@ flavor: small resources: small: limits: - cpu: 500m - memory: 2.5Gi + cpu: 1 + memory: 4Gi requests: - cpu: 100m - memory: 750Mi + cpu: 500m + memory: 2Gi large: limits: cpu: 2 - memory: 4Gi + memory: 6Gi requests: cpu: 1 - memory: 2Gi + memory: 3Gi unlimited: {} ## MariaDB Galera containers' liveness and readiness probes @@ -491,20 +497,29 @@ resources: ## livenessProbe: enabled: true - ## Initializing the database could take some time - ## - initialDelaySeconds: 150 + initialDelaySeconds: 1 periodSeconds: 10 timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 readinessProbe: enabled: true - initialDelaySeconds: 60 + initialDelaySeconds: 1 periodSeconds: 10 timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 +startupProbe: + ## Initializing the database could take some time + ## + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + # will wait up for initialDelaySeconds + failureThreshold*periodSeconds before + # stating startup wasn't good (910s per default) + failureThreshold: 90 ## Pod disruption budget configuration ## diff --git a/kubernetes/common/music/components/music-cassandra/templates/job.yaml b/kubernetes/common/music/components/music-cassandra/templates/job.yaml index 3cf1ae34fd..d3c89d4a59 100644 --- a/kubernetes/common/music/components/music-cassandra/templates/job.yaml +++ b/kubernetes/common/music/components/music-cassandra/templates/job.yaml @@ -39,8 +39,6 @@ spec: command: - /app/ready.py args: - - --timeout - - "{{ .Values.readinessTimeout }}" - --container-name - music-cassandra env: @@ -87,4 +85,3 @@ spec: restartPolicy: Never imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - diff --git a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml index 2a1fb4f59e..1aabfb6bcc 100644 --- a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml +++ b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml @@ -73,6 +73,17 @@ spec: timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} + startupProbe: + exec: + command: + - /bin/bash + - -c + - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' + initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} + periodSeconds: {{ .Values.startup.periodSeconds }} + timeoutSeconds: {{ .Values.startup.timeoutSeconds }} + successThreshold: {{ .Values.startup.successThreshold }} + failureThreshold: {{ .Values.startup.failureThreshold }} lifecycle: preStop: exec: diff --git a/kubernetes/common/music/components/music-cassandra/values.yaml b/kubernetes/common/music/components/music-cassandra/values.yaml index 8530172269..92ed723989 100644 --- a/kubernetes/common/music/components/music-cassandra/values.yaml +++ b/kubernetes/common/music/components/music-cassandra/values.yaml @@ -18,7 +18,7 @@ global: nodePortPrefix: 302 persistence: {} -replicaCount: 3 +replicaCount: 1 # Cassandra Image - This image is modified from the original on # Docker Hub where the Security has been turned on. @@ -72,8 +72,8 @@ cql: # probe configuration parameters liveness: - initialDelaySeconds: 120 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 @@ -81,15 +81,20 @@ liveness: # in debugger so K8s doesn't restart unresponsive container enabled: true -readinessTimeout: 240 - readiness: - initialDelaySeconds: 10 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 +startup: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 90 + podManagementPolicy: OrderedReady updateStrategy: type: OnDelete diff --git a/kubernetes/common/music/resources/config/startup.sh b/kubernetes/common/music/resources/config/startup.sh index 37bb84de8b..e3cee36f1f 100755 --- a/kubernetes/common/music/resources/config/startup.sh +++ b/kubernetes/common/music/resources/config/startup.sh @@ -32,8 +32,8 @@ DEBUG_PROP= # Debug Setup. Uses env variables # DEBUG and DEBUG_PORT # DEBUG=true/false | DEBUG_PORT=<Port valie must be integer> -if [ "${DEBUG}" == "true" ]; then - if [ "${DEBUG_PORT}" == "" ]; then +if [ "${DEBUG}" = "true" ]; then + if [ "${DEBUG_PORT}" = "" ]; then DEBUG_PORT=8000 fi echo "Debug mode on" diff --git a/kubernetes/common/music/values.yaml b/kubernetes/common/music/values.yaml index 25cab910a9..f578949196 100644 --- a/kubernetes/common/music/values.yaml +++ b/kubernetes/common/music/values.yaml @@ -164,5 +164,4 @@ certInitializer: credsPath: /opt/app/osaaf/local appMountPath: /opt/app/aafcertman aaf_add_config: > - cd {{ .Values.credsPath }}; - /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password_jks= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1; + echo "$cadi_keystore_password_jks" > {{ .Values.credsPath }}/.pass; diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index a6b434f43a..91f21ab0c9 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2021 AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -86,6 +87,10 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }} {{- end -}} +{{- define "repositoryGenerator.image.dcaepolicysync" -}} + {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dcaePolicySyncImage") .) }} +{{- end -}} + {{- define "repositoryGenerator.image.envsubst" -}} {{- include "repositoryGenerator.image._helper" (merge (dict "image" "envsubstImage") .) }} {{- end -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index 386ba9b490..8a68f6dd9c 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2020 Orange -# Copyright © 2021 Nokia +# Copyright © 2021 Nokia, AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,6 +34,7 @@ global: nginxImage: bitnami/nginx:1.18-debian-10 postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 readinessImage: onap/oom/readiness:3.0.1 + dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 # Default credentials # they're optional. If the target repository doesn't need them, comment them @@ -65,3 +66,4 @@ imageRepoMapping: nginxImage: dockerHubRepository postgresImage: dockerHubRepository readinessImage: repository + dcaePolicySyncImage: repository diff --git a/kubernetes/common/roles-wrapper/Chart.yaml b/kubernetes/common/roles-wrapper/Chart.yaml new file mode 100644 index 0000000000..862773fc87 --- /dev/null +++ b/kubernetes/common/roles-wrapper/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: Wrapper chart to allow default roles to be shared among onap instances +name: roles-wrapper +version: 8.0.0 diff --git a/kubernetes/common/roles-wrapper/requirements.yaml b/kubernetes/common/roles-wrapper/requirements.yaml new file mode 100644 index 0000000000..b2d51ef925 --- /dev/null +++ b/kubernetes/common/roles-wrapper/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: common + version: ~8.x-0 + repository: 'file://../common' diff --git a/kubernetes/common/roles-wrapper/templates/role.yaml b/kubernetes/common/roles-wrapper/templates/role.yaml new file mode 100644 index 0000000000..e2a84b4151 --- /dev/null +++ b/kubernetes/common/roles-wrapper/templates/role.yaml @@ -0,0 +1,110 @@ +{{/* +# Copyright © 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- $dot := . -}} +{{- range $role_type := $dot.Values.roles }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ printf "%s-%s" (include "common.release" $dot) $role_type }} + namespace: {{ include "common.namespace" $dot }} +rules: +{{- if eq $role_type "read" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + - extensions + resources: + - pods + - deployments + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + verbs: + - get + - watch + - list +{{- else }} +{{- if eq $role_type "create" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + - extensions + resources: + - pods + - deployments + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + - secrets + verbs: + - get + - watch + - list +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - statefulsets + verbs: + - patch +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - deployments + - secrets + verbs: + - create +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods + - persistentvolumeclaims + - secrets + - deployment + verbs: + - delete +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods/exec + verbs: + - create +{{- else }} +# if you don't match read or create, then you're not allowed to use API +# except to see basic information about yourself +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + - selfsubjectrulesreviews + verbs: + - create +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/roles-wrapper/values.yaml b/kubernetes/common/roles-wrapper/values.yaml new file mode 100644 index 0000000000..8a53d7d733 --- /dev/null +++ b/kubernetes/common/roles-wrapper/values.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +roles: + - nothing + - read + - create diff --git a/kubernetes/common/serviceAccount/templates/role-binding.yaml b/kubernetes/common/serviceAccount/templates/role-binding.yaml index 2082f8466b..7c272aecda 100644 --- a/kubernetes/common/serviceAccount/templates/role-binding.yaml +++ b/kubernetes/common/serviceAccount/templates/role-binding.yaml @@ -16,18 +16,24 @@ {{- $dot := . -}} {{- range $role_type := $dot.Values.roles }} +{{/* retrieve the names for generic roles */}} +{{ $name := printf "%s-%s" (include "common.release" $dot) $role_type }} +{{- if not (has $role_type $dot.Values.defaultRoles) }} +{{ $name = include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 # This cluster role binding allows anyone in the "manager" group to read secrets in any namespace. kind: RoleBinding metadata: - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} namespace: {{ include "common.namespace" $dot }} subjects: - kind: ServiceAccount - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} roleRef: kind: Role - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ $name }} apiGroup: rbac.authorization.k8s.io {{- end }} + diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml index 6d12164938..2055885f2a 100644 --- a/kubernetes/common/serviceAccount/templates/role.yaml +++ b/kubernetes/common/serviceAccount/templates/role.yaml @@ -14,96 +14,28 @@ # limitations under the License. */}} -{{- $dot := . -}} +{{- $dot := . -}} {{- range $role_type := $dot.Values.roles }} +{{/* Default roles are already created, just creating specific ones */}} +{{- if not (has $role_type $dot.Values.defaultRoles) }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} namespace: {{ include "common.namespace" $dot }} rules: -{{- if eq $role_type "read" }} -- apiGroups: - - "" # "" indicates the core API group - - apps - - batch - - extensions - resources: - - pods - - deployments - - jobs - - jobs/status - - statefulsets - - replicasets - - replicasets/status - - daemonsets - verbs: - - get - - watch - - list -{{- else }} -{{- if eq $role_type "create" }} -- apiGroups: - - "" # "" indicates the core API group - - apps - - batch - - extensions - resources: - - pods - - deployments - - jobs - - jobs/status - - statefulsets - - replicasets - - replicasets/status - - daemonsets - - secrets - verbs: - - get - - watch - - list -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - statefulsets - verbs: - - patch -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - deployments - - secrets - verbs: - - create -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - pods - - persistentvolumeclaims - - secrets - - deployment - verbs: - - delete +{{- if hasKey $dot.Values.new_roles_definitions $role_type }} +{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }} +{{- else}} +# if no rules are provided, you're back to 'nothing' role - apiGroups: - - "" # "" indicates the core API group - - apps + - authorization.k8s.io resources: - - pods/exec + - selfsubjectaccessreviews + - selfsubjectrulesreviews verbs: - create -{{- else }} -{{- if hasKey $dot.Values.new_roles_definitions $role_type }} -{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }} -{{- else}} -# if you don't match read or create, then you're not allowed to use API -- apiGroups: [] - resources: [] - verbs: [] {{- end }} {{- end }} {{- end }} -{{- end }} diff --git a/kubernetes/common/serviceAccount/templates/service-account.yaml b/kubernetes/common/serviceAccount/templates/service-account.yaml index 449bea684c..20bd94f49a 100644 --- a/kubernetes/common/serviceAccount/templates/service-account.yaml +++ b/kubernetes/common/serviceAccount/templates/service-account.yaml @@ -20,5 +20,5 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} -{{- end }} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} +{{- end }}
\ No newline at end of file diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml index afa819421c..22faeb6904 100644 --- a/kubernetes/common/serviceAccount/values.yaml +++ b/kubernetes/common/serviceAccount/values.yaml @@ -12,11 +12,18 @@ # See the License for the specific language governing permissions and # limitations under the License. +# Default roles will be created by roles wrapper +# It won't work if roles wrapper is disabled. roles: - nothing # - read # - create +defaultRoles: + - nothing + - read + - create + new_roles_definitions: {} # few-read: # - apiGroups: |