aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/common
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/common')
-rw-r--r--kubernetes/common/certInitializer/resources/retrieval_check.sh26
-rw-r--r--kubernetes/common/certInitializer/templates/_certInitializer.yaml8
-rw-r--r--kubernetes/common/certInitializer/templates/configmap.yaml3
-rw-r--r--kubernetes/common/certInitializer/values.yaml1
-rw-r--r--kubernetes/common/common/templates/_pod.tpl7
-rw-r--r--kubernetes/common/etcd/templates/statefulset.yaml2
-rw-r--r--kubernetes/common/postgres/templates/_deployment.tpl3
-rw-r--r--kubernetes/common/postgres/values.yaml5
-rw-r--r--kubernetes/common/readinessCheck/templates/_readinessCheck.tpl3
-rw-r--r--kubernetes/common/readinessCheck/values.yaml3
10 files changed, 51 insertions, 10 deletions
diff --git a/kubernetes/common/certInitializer/resources/retrieval_check.sh b/kubernetes/common/certInitializer/resources/retrieval_check.sh
new file mode 100644
index 0000000000..f3af14b17a
--- /dev/null
+++ b/kubernetes/common/certInitializer/resources/retrieval_check.sh
@@ -0,0 +1,26 @@
+{{/*
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+#!/bin/sh
+
+echo "*** retrieving passwords for certificates"
+export $(/opt/app/aaf_config/bin/agent.sh local showpass \
+ {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0)
+if [ -z "${{ .Values.envVarToCheck }}" ]
+then
+ echo " /!\ certificates retrieval failed"
+ exit 1
+fi
+echo "*** password retrieval succeeded"
diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
index 5a8e84cd8c..414192e2bc 100644
--- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml
+++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
@@ -55,6 +55,9 @@
- mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64
name: aaf-agent-certs
subPath: truststoreONAP.p12.b64
+ - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
+ mountPath: /opt/app/aaf_config/bin/retrieval_check.sh
+ subPath: retrieval_check.sh
{{- if $initRoot.aaf_add_config }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
@@ -64,8 +67,8 @@
- sh
- -c
- |
- #!/usr/bin/env bash
/opt/app/aaf_config/bin/agent.sh
+ . /opt/app/aaf_config/bin/retrieval_check.sh
{{- if $initRoot.aaf_add_config }}
/opt/app/aaf_config/bin/aaf-add-config.sh
{{- end }}
@@ -174,13 +177,10 @@
configMap:
name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }}
defaultMode: 0700
-
-{{- if $initRoot.aaf_add_config }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
configMap:
name: {{ include "common.fullname" $subchartDot }}-add-config
defaultMode: 0700
-{{- end -}}
{{- if $dot.Values.global.importCustomCertsEnabled }}
- name: updated-truststore
emptyDir: {}
diff --git a/kubernetes/common/certInitializer/templates/configmap.yaml b/kubernetes/common/certInitializer/templates/configmap.yaml
index 7eae899cc1..1e9254abef 100644
--- a/kubernetes/common/certInitializer/templates/configmap.yaml
+++ b/kubernetes/common/certInitializer/templates/configmap.yaml
@@ -14,12 +14,13 @@
# limitations under the License.
*/}}
-{{ if .Values.aaf_add_config }}
apiVersion: v1
kind: ConfigMap
{{- $suffix := "add-config" }}
metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
data:
+{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}
+{{ if .Values.aaf_add_config }}
aaf-add-config.sh: |
{{ tpl .Values.aaf_add_config . | indent 4 | trim }}
{{- end }}
diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml
index e7a0a3f02e..52b2765329 100644
--- a/kubernetes/common/certInitializer/values.yaml
+++ b/kubernetes/common/certInitializer/values.yaml
@@ -54,6 +54,7 @@ importCustomCertsEnabled: false
truststoreMountpath: ""
truststoreOutputFileName: truststore.jks
truststorePassword: changeit
+envVarToCheck: cadi_keystore_password_p12
# This introduces implicit dependency on cert-wrapper
# if you are using cert initializer cert-wrapper has to be also deployed.
diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl
index de2548562d..b38a7f1105 100644
--- a/kubernetes/common/common/templates/_pod.tpl
+++ b/kubernetes/common/common/templates/_pod.tpl
@@ -36,13 +36,13 @@
{{- $global := . }}
{{- range $index, $port := $ports }}
{{- if (include "common.needTLS" $global) }}
-- containerPort: {{ $port.port }}
+- containerPort: {{ default $port.port $port.internal_port }}
{{- else }}
-- containerPort: {{ default $port.port $port.plain_port }}
+- containerPort: {{ default (default $port.port $port.internal_port) (default $port.plain_port $port.internal_plain_port) }}
{{- end }}
name: {{ $port.name }}
{{- if (and $port.plain_port (and (include "common.needTLS" $global) $both_tls_and_plain)) }}
-- containerPort: {{ $port.plain_port }}
+- containerPort: {{ default $port.plain_port $port.internal_plain_port }}
name: {{ $port.name }}-plain
{{- end }}
{{- end }}
@@ -67,4 +67,3 @@ securityContext:
privileged: false
allowPrivilegeEscalation: false
{{- end }}
-
diff --git a/kubernetes/common/etcd/templates/statefulset.yaml b/kubernetes/common/etcd/templates/statefulset.yaml
index e39b8c4ca2..a343d4fce5 100644
--- a/kubernetes/common/etcd/templates/statefulset.yaml
+++ b/kubernetes/common/etcd/templates/statefulset.yaml
@@ -184,7 +184,7 @@ spec:
fi
cat /var/run/etcd/new_member_envs
- source /var/run/etcd/new_member_envs
+ . /var/run/etcd/new_member_envs
collect_member &
diff --git a/kubernetes/common/postgres/templates/_deployment.tpl b/kubernetes/common/postgres/templates/_deployment.tpl
index 6142baa63f..38a7ce1f63 100644
--- a/kubernetes/common/postgres/templates/_deployment.tpl
+++ b/kubernetes/common/postgres/templates/_deployment.tpl
@@ -1,6 +1,7 @@
{{/*
# Copyright © 2018 Amdocs, AT&T, Bell Canada
# Copyright © 2020 Samsung Electronics
+# Modifications Copyright (C) 2021 Bell Canada.
# #
# # Licensed under the Apache License, Version 2.0 (the "License");
# # you may not use this file except in compliance with the License.
@@ -134,6 +135,8 @@ spec:
value: "{{ $dot.Values.config.pgDatabase }}"
- name: PG_ROOT_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 10 }}
+ - name: PGDATA_PATH_OVERRIDE
+ value: "{{ $dot.Values.config.pgDataPath }}"
volumeMounts:
- name: config
mountPath: /pgconf/pool_hba.conf
diff --git a/kubernetes/common/postgres/values.yaml b/kubernetes/common/postgres/values.yaml
index f815847f06..93f6d66385 100644
--- a/kubernetes/common/postgres/values.yaml
+++ b/kubernetes/common/postgres/values.yaml
@@ -1,4 +1,5 @@
# Copyright © 2018 Amdocs, AT&T, Bell Canada
+# Modifications Copyright (C) 2021 Bell Canada.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -41,12 +42,16 @@ secrets:
# Application configuration defaults.
#################################################################
+# bitnami image doesn't support well single quote in password
+passwordStrengthOverride: basic
+
pullPolicy: Always
# application configuration
config:
pgUserName: testuser
pgDatabase: userdb
+ pgDataPath: data
# pgPrimaryPassword: password
# pgUserPassword: password
# pgRootPassword: password
diff --git a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl
index 95de6ec29f..71201a1cc6 100644
--- a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl
+++ b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl
@@ -67,6 +67,9 @@
- name: {{ include "common.name" $dot }}{{ ternary "" (printf "-%s" $namePart) (empty $namePart) }}-readiness
image: {{ include "repositoryGenerator.image.readiness" $subchartDot }}
imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
+ securityContext:
+ runAsUser: {{ $subchartDot.Values.user }}
+ runAsGroup: {{ $subchartDot.Values.group }}
command:
- /app/ready.py
args:
diff --git a/kubernetes/common/readinessCheck/values.yaml b/kubernetes/common/readinessCheck/values.yaml
index b15b1c2af3..128c5057cc 100644
--- a/kubernetes/common/readinessCheck/values.yaml
+++ b/kubernetes/common/readinessCheck/values.yaml
@@ -15,6 +15,9 @@
global:
pullPolicy: Always
+user: 100
+group: 65533
+
limits:
cpu: 100m
memory: 100Mi