Diffstat (limited to 'kubernetes/common')
122 files changed, 1391 insertions, 1189 deletions
diff --git a/kubernetes/common/dgbuilder/.helmignore b/kubernetes/common/cassandra/.helmignore index f0c1319444..0bab41b6b1 100644 --- a/kubernetes/common/dgbuilder/.helmignore +++ b/kubernetes/common/cassandra/.helmignore @@ -19,3 +19,14 @@ .project .idea/ *.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/cassandra/Chart.yaml b/kubernetes/common/cassandra/Chart.yaml index ee3f4e5355..544ebb247d 100644 --- a/kubernetes/common/cassandra/Chart.yaml +++ b/kubernetes/common/cassandra/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP cassandra name: cassandra -version: 13.1.0 +version: 13.1.1 dependencies: - name: common @@ -30,4 +30,4 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: 'file://../serviceAccount' - condition: global.cassandra.enableServiceAccount
\ No newline at end of file + condition: global.cassandra.enableServiceAccount diff --git a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh index f9f62739f2..50051b4b44 100644 --- a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh +++ b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh @@ -93,4 +93,3 @@ if [ "$1" = 'cassandra' ]; then fi exec "$@" - diff --git a/kubernetes/common/cassandra/resources/exec.py b/kubernetes/common/cassandra/resources/exec.py index a7f297399e..ec2f0b4fc6 100644 --- a/kubernetes/common/cassandra/resources/exec.py +++ b/kubernetes/common/cassandra/resources/exec.py @@ -118,5 +118,3 @@ def main(argv): if __name__ == "__main__": main(sys.argv[1:]) - - diff --git a/kubernetes/common/cassandra/templates/backup/cronjob.yaml b/kubernetes/common/cassandra/templates/backup/cronjob.yaml index 402d1688a7..263ac28512 100644 --- a/kubernetes/common/cassandra/templates/backup/cronjob.yaml +++ b/kubernetes/common/cassandra/templates/backup/cronjob.yaml @@ -148,9 +148,6 @@ spec: apiVersion: v1 fieldPath: metadata.namespace volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true {{- range $i := until (int .Values.replicaCount)}} - mountPath: /onap-data/cassandra-{{ $i }} name: data-dir-{{ $i }} @@ -239,13 +236,7 @@ spec: volumeMounts: - name: backup-dir mountPath: /backup - - name: localtime - mountPath: /etc/localtime - readOnly: true volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: scripts configMap: name: {{ include "common.fullname" . }}-configmap @@ -259,4 +250,4 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-backup-data {{- end -}} -{{- end -}}
\ No newline at end of file +{{- end -}} diff --git a/kubernetes/common/cassandra/templates/cassOp.yaml b/kubernetes/common/cassandra/templates/cassOp.yaml index 9f463adf08..6b7052d10e 100644 --- a/kubernetes/common/cassandra/templates/cassOp.yaml +++ b/kubernetes/common/cassandra/templates/cassOp.yaml @@ -16,4 +16,4 @@ {{- if .Values.global.cassandra.useOperator }} {{ include "common.k8ssandraCluster" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/cassandra/templates/configmap.yaml b/kubernetes/common/cassandra/templates/configmap.yaml index 5510986e54..117100a441 100644 --- a/kubernetes/common/cassandra/templates/configmap.yaml +++ b/kubernetes/common/cassandra/templates/configmap.yaml @@ -26,4 +26,4 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/docker-entrypoint.sh").AsConfig . | indent 2 }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/cassandra/templates/pv.yaml b/kubernetes/common/cassandra/templates/pv.yaml index d18e51d2f4..00e61d3bb5 100644 --- a/kubernetes/common/cassandra/templates/pv.yaml +++ b/kubernetes/common/cassandra/templates/pv.yaml @@ -15,4 +15,4 @@ */}} {{- if not .Values.global.cassandra.useOperator }} {{ include "common.replicaPV" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/cassandra/templates/secrets.yaml b/kubernetes/common/cassandra/templates/secrets.yaml index 5a611a9bef..181e5f98a7 100644 --- a/kubernetes/common/cassandra/templates/secrets.yaml +++ b/kubernetes/common/cassandra/templates/secrets.yaml @@ -18,4 +18,4 @@ {{- if .Values.global.cassandra.useOperator }} {{ include "common.secretFast" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/cassandra/templates/service.yaml b/kubernetes/common/cassandra/templates/service.yaml index 8b2e534a5f..6b6f585d2f 100644 --- a/kubernetes/common/cassandra/templates/service.yaml +++ b/kubernetes/common/cassandra/templates/service.yaml @@ -16,4 +16,4 @@ {{- if not .Values.global.cassandra.useOperator }} {{ include "common.headlessService" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/cassandra/templates/servicemonitor.yaml b/kubernetes/common/cassandra/templates/servicemonitor.yaml index 078107393a..57f4d3f412 100644 --- a/kubernetes/common/cassandra/templates/servicemonitor.yaml +++ b/kubernetes/common/cassandra/templates/servicemonitor.yaml @@ -18,4 +18,4 @@ {{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} {{- end }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml index bb7027cab9..d76dde3454 100644 --- a/kubernetes/common/cassandra/templates/statefulset.yaml +++ b/kubernetes/common/cassandra/templates/statefulset.yaml @@ -38,9 +38,6 @@ spec: volumeMounts: - name: {{ include "common.fullname" . }}-data mountPath: /var/lib/cassandra - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: cassandra-entrypoint mountPath: /docker-entrypoint.sh subPath: docker-entrypoint.sh @@ -169,9 +166,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "nothing" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime {{- range $key, $value := .Values.configOverrides }} - name: cassandra-config-{{ $key | replace "." "-" }} configMap: @@ -205,4 +199,4 @@ spec: requests: storage: {{ .Values.persistence.size | quote }} {{- end }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml index 2fc368f04f..842c268c8a 100644 --- a/kubernetes/common/cassandra/values.yaml +++ b/kubernetes/common/cassandra/values.yaml @@ -40,8 +40,16 @@ k8ssandraOperator: superuserPassword: &superuserpassword cassandra casOptions: authorizer: AllowAllAuthorizer - write_request_timeout: 10000ms + read_request_timeout: 15000ms + write_request_timeout: 15000ms counter_write_request_timeout: 15000ms + request_timeout: 15000ms + auto_snapshot: false + commitlog_segment_size: 128MiB + commitlog_sync_period: 15000ms + concurrent_reads: 16 + concurrent_writes: 16 + counter_cache_size: 16MiB jvmOptions: heap_initial_size: 512M heap_max_size: 4096M @@ -49,6 +57,13 @@ k8ssandraOperator: datacenters: - name: dc1 size: 3 + resources: + requests: + cpu: 2 + memory: 8Gi + limits: + cpu: 8 + memory: 8Gi reaper: enabled: true stargate: @@ -159,11 +174,9 @@ service: podAnnotations: # sidecar.istio.io/inject: "false" - traffic.sidecar.istio.io/excludeInboundPorts: "7000,7001" + traffic.sidecar.istio.io/excludeInboundPorts: "7000,7001,7199,50051" traffic.sidecar.istio.io/includeInboundPorts: '*' - traffic.sidecar.istio.io/excludeOutboundPorts: "7000,7001" - prometheus.io/scrape: 'true' - prometheus.io/port: '8080' + traffic.sidecar.istio.io/excludeOutboundPorts: "7000,7001,7199,50051" podManagementPolicy: OrderedReady updateStrategy: @@ -211,7 +224,7 @@ configOverrides: {} resources: limits: cpu: "2" - memory: "8Gi" + memory: "16Gi" requests: cpu: "0.2" memory: "2.5Gi" diff --git a/kubernetes/common/common/.helmignore b/kubernetes/common/common/.helmignore new file mode 100644 index 0000000000..f066c4b723 --- /dev/null +++ b/kubernetes/common/common/.helmignore 
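Review bot: The new `traffic.sidecar.istio.io/excludeInboundPorts` and `excludeOutboundPorts` values add 7199 and 50051, so traffic on those ports now bypasses the Istio sidecar and with it mesh mTLS and authorization policies; 7199 is Cassandra's JMX port, so this is only safe if JMX is bound to localhost or protected by Cassandra's own authentication/TLS, which the chart does not show. A comment naming why each excluded port is needed would help the next reviewer, e.g. `# 7199: Cassandra JMX (cluster-internal), 50051: <reason for exclusion>`. Separately, `auto_snapshot: false` in `casOptions` means TRUNCATE/DROP no longer take a snapshot first; a one-line comment stating which backup mechanism covers the operator-managed cluster instead would make that trade-off visible.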
@@ -0,0 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.local/ +.config/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/common/Chart.yaml b/kubernetes/common/common/Chart.yaml index bb9e8a24fc..6fa292639e 100644 --- a/kubernetes/common/common/Chart.yaml +++ b/kubernetes/common/common/Chart.yaml @@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,8 +13,8 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +--- apiVersion: v2 description: Common templates for inclusion in other charts name: common -version: 13.1.0 +version: 13.2.6 diff --git a/kubernetes/common/common/templates/_affinities.tpl b/kubernetes/common/common/templates/_affinities.tpl index bf7ae497ca..69d0e78680 100644 --- a/kubernetes/common/common/templates/_affinities.tpl +++ b/kubernetes/common/common/templates/_affinities.tpl @@ -106,4 +106,4 @@ Return a podAffinity/podAntiAffinity definition {{- else if eq .type "hard" }} {{- include "common.affinities.pods.hard" . -}} {{- end -}} -{{- end -}}
\ No newline at end of file +{{- end -}} diff --git a/kubernetes/common/common/templates/_cassOp.tpl b/kubernetes/common/common/templates/_cassOp.tpl index b9f676665f..c707312b80 100644 --- a/kubernetes/common/common/templates/_cassOp.tpl +++ b/kubernetes/common/common/templates/_cassOp.tpl @@ -1,5 +1,5 @@ {{/* -# Copyright © 2022 Deutsche Telekom AG +# Copyright © 2022-2024 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,6 +35,39 @@ spec: commonLabels: app: {{ .Values.k8ssandraOperator.config.clusterName }}-reaper version: {{ .Values.k8ssandraOperator.cassandraVersion }} + {{- if .Values.metrics.enabled }} + telemetry: + prometheus: + enabled: true + mcac: + enabled: false + cassandra: + endpoint: + address: 0.0.0.0 + {{- end }} + podSecurityContext: + fsGroup: 1001 + runAsGroup: 1001 + runAsUser: 1001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + initContainerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + - CAP_NET_RAW {{- end }} {{ if .Values.k8ssandraOperator.stargate.enabled -}} stargate: @@ -74,6 +107,16 @@ spec: storage: {{ .Values.k8ssandraOperator.persistence.size }} superuserSecretRef: name: {{ include "common.fullname" . }}-{{ .Values.k8ssandraOperator.config.secretName }} + {{- if .Values.metrics.enabled }} + telemetry: + prometheus: + enabled: true + mcac: + enabled: false + cassandra: + endpoint: + address: 0.0.0.0 + {{- end }} config: {{ if .Values.k8ssandraOperator.config.casOptions -}} cassandraYaml: 
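Review bot: The `capabilities.drop` lists added here (and in the `_cassOp.tpl` initContainers/containers hunk, the `_mariadb.tpl` security contexts, `_pod.tpl` and `_serviceMesh.tpl`) drop `ALL` and then `CAP_NET_RAW`; the second entry is redundant once `ALL` is dropped, and Kubernetes documents capability names without the `CAP_` prefix (`NET_RAW`), so `- ALL` alone says the same thing without inviting the question of whether the prefixed spelling is honoured by every runtime. The `telemetry:` block with `address: 0.0.0.0` is pasted verbatim under both the reaper and the cassandra spec; a small named template (`common.cassandraTelemetry`, say) would keep the two copies in sync. The enclosing template definition begins before these hunks.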
@@ -90,14 +133,61 @@ spec: - metadata: name: {{ $datacenter.name }} size: {{ $datacenter.size }} + {{ if $datacenter.resources -}} + resources: + {{ toYaml $datacenter.resources | nindent 10 }} + {{- end }} {{- end }} - {{ if .Values.podAnnotations -}} + initContainers: + - name: server-config-init-base + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + - name: server-config-init + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + containers: + - name: cassandra + securityContext: + allowPrivilegeEscalation: false + #readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + - name: server-system-logger + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + podSecurityContext: + fsGroup: 999 + runAsGroup: 999 + runAsUser: 999 + runAsNonRoot: true metadata: + {{ if .Values.podAnnotations -}} pods: annotations: {{ toYaml .Values.podAnnotations | nindent 10 }} + {{- end }} commonLabels: app: {{ .Values.k8ssandraOperator.config.clusterName }} version: {{ .Values.k8ssandraOperator.cassandraVersion }} - {{- end }} {{ end }} diff --git a/kubernetes/common/common/templates/_dmaapProvisioning.tpl b/kubernetes/common/common/templates/_dmaapProvisioning.tpl index e7b90ea8ff..f162e9a2f9 100644 --- a/kubernetes/common/common/templates/_dmaapProvisioning.tpl +++ b/kubernetes/common/common/templates/_dmaapProvisioning.tpl @@ -115,4 +115,4 @@ {{- include "common.dmaap.provisioning._volumeMounts" $dot | trim | nindent 2 }} resources: {{ include "common.resources" $dot | nindent 4 }} {{- end -}} -{{- end -}}
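Review bot: `#readOnlyRootFilesystem: true` is commented out for the `cassandra` container while every sibling container in this hunk and in the reaper block sets it to `true`, and no reason is recorded; a comment such as `# readOnlyRootFilesystem left off: the cassandra image writes to <path> at startup — TODO mount an emptyDir and re-enable` would stop the next reviewer from "fixing" it blindly, or, if the writable paths are known, they can be covered by emptyDirs and the setting restored. The `podSecurityContext` here uses UID/GID 999 while the reaper's uses 1001; if both are dictated by the respective images, a one-line comment per block saying so would make the split look deliberate. The enclosing template definition begins before this hunk.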
\ No newline at end of file +{{- end -}} diff --git a/kubernetes/common/common/templates/_log.tpl b/kubernetes/common/common/templates/_log.tpl index 993c48239a..dc900dd4e4 100644 --- a/kubernetes/common/common/templates/_log.tpl +++ b/kubernetes/common/common/templates/_log.tpl @@ -59,4 +59,3 @@ data: {{ tpl (.Files.Glob "resources/config/log/filebeat/*").AsConfig . | indent 2 }} {{- end }} {{- end -}} - diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl index caf2fd1031..0e46e5ef26 100644 --- a/kubernetes/common/common/templates/_mariadb.tpl +++ b/kubernetes/common/common/templates/_mariadb.tpl @@ -80,11 +80,7 @@ {{- index .Values "mariadb-galera" "nameOverride" -}} {{- end }} {{- else -}} - {{- if .Values.global.mariadbGalera.useOperator }} - {{- printf "%s-primary" (.Values.global.mariadbGalera.service) }} - {{- else }} {{- .Values.global.mariadbGalera.service -}} - {{- end }} {{- end -}} {{- end -}} @@ -118,14 +114,14 @@ {{- end -}} {{/* - Create MariDB Database via mariadb-operator + Create MariaDB Database via mariadb-operator */}} {{- define "common.mariadbOpDatabase" -}} {{- $dot := default . .dot -}} {{- $dbname := (required "'dbame' param, is required." .dbname) -}} {{- $dbinst := (required "'dbinst' param, is required." .dbinst) -}} --- -apiVersion: mariadb.mmontes.io/v1alpha1 +apiVersion: k8s.mariadb.com/v1alpha1 kind: Database metadata: name: {{ $dbinst }}-{{ $dbname }} @@ -147,7 +143,7 @@ spec: {{- $dbinst := (required "'dbinst' param, is required." .dbinst) -}} {{- $dbsecret := (required "'dbsecret' param, is required." .dbsecret) -}} --- -apiVersion: mariadb.mmontes.io/v1alpha1 +apiVersion: k8s.mariadb.com/v1alpha1 kind: User metadata: name: {{ $dbinst }}-{{ $dbuser }} @@ -155,6 +151,7 @@ spec: name: {{ $dbuser }} mariaDbRef: name: {{ $dbinst }} + waitForIt: true passwordSecretKeyRef: name: {{ $dbsecret }} key: password 
@@ -172,13 +169,14 @@ spec: {{- $dbname := (required "'dbame' param, is required." .dbname) -}} {{- $dbinst := (required "'dbinst' param, is required." .dbinst) -}} --- -apiVersion: mariadb.mmontes.io/v1alpha1 +apiVersion: k8s.mariadb.com/v1alpha1 kind: Grant metadata: name: {{ $dbuser }}-{{ $dbname }}-{{ $dbinst }} spec: mariaDbRef: name: {{ $dbinst }} + waitForIt: true privileges: - "ALL" database: {{ $dbname }} @@ -196,13 +194,19 @@ spec: {{- $dbinst := include "common.name" $dot -}} {{- $name := default $dbinst $dot.Values.backup.nameOverride -}} --- -apiVersion: mariadb.mmontes.io/v1alpha1 +apiVersion: k8s.mariadb.com/v1alpha1 kind: Backup metadata: name: {{ $name }} spec: + inheritMetadata: + labels: + sidecar.istio.io/inject: 'false' + backoffLimit: 5 + logLevel: info mariaDbRef: name: {{ $dbinst }} + waitForIt: true schedule: cron: {{ $dot.Values.backup.cron }} suspend: false @@ -244,7 +248,7 @@ spec: {{- $dbrootsecret := tpl (default (include "common.mariadb.secret.rootPassSecretName" (dict "dot" $dot "chartName" "")) $dot.Values.rootUser.externalSecret) $dot -}} {{- $dbusersecret := tpl (default (include "common.mariadb.secret.userCredentialsSecretName" (dict "dot" $dot "chartName" "")) $dot.Values.db.externalSecret) $dot -}} --- -apiVersion: mariadb.mmontes.io/v1alpha1 +apiVersion: k8s.mariadb.com/v1alpha1 kind: MariaDB metadata: name: {{ $dbinst }} 
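Review bot: `sidecar.istio.io/inject: 'false'` is hard-coded into the Backup's `inheritMetadata.labels`, so backup pods always run outside the mesh and their database connection is not covered by mesh mTLS or authorization policies; the same hard-coded label is added to the MariaDB `inheritMetadata.labels` in the next hunk, where the comment calls it temporary. Since this commit introduces `global.serviceMesh.nativeSidecars` in `_serviceMesh.tpl`, both labels could be gated on it, e.g. `{{- if not (default false $dot.Values.global.serviceMesh.nativeSidecars) }}` around the label, so the workaround switches itself off once native sidecars are enabled. The two hunks also differ in quoting (`'false'` here, `"false"` there); pick one style. The enclosing Backup template definition begins before this hunk.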
@@ -253,11 +257,37 @@ spec: runAsUser: 10001 runAsGroup: 10001 fsGroup: 10001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + volumes: + - name: run + emptyDir: + sizeLimit: 64Mi + - name: tmp + emptyDir: + sizeLimit: 64Mi + volumeMounts: + - name: run + mountPath: /run/mysqld + - name: tmp + mountPath: /tmp inheritMetadata: {{ if .Values.podAnnotations -}} annotations: {{ toYaml .Values.podAnnotations | nindent 6 }} {{- end }} labels: + # temporarily test mariaDB without sidecar (fix initial Job, Backup and Metrics) + # will be obsolete with "native-sidecars" feature in K8S and Istio + sidecar.istio.io/inject: "false" app: {{ $dbinst }} version: {{ .Values.mariadbOperator.appVersion }} rootPasswordSecretKeyRef: 
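Review bot: The new `emptyDir` volumes cap `/run/mysqld` and `/tmp` at `sizeLimit: 64Mi` with no way to override them from values; MariaDB uses its tmpdir for on-disk temporary tables and sorts, and a pod that exceeds an emptyDir `sizeLimit` is evicted, so a fixed 64Mi can turn a large query into a restart — presumably acceptable for ONAP's workloads, but please confirm and consider `sizeLimit: {{ $dot.Values.mariadbOperator.tmpSizeLimit | default "64Mi" }}` (constructed key) so operators can raise it. A comment on the `readOnlyRootFilesystem: true` line explaining that these two mounts are what makes it work would help, e.g. `# root fs is read-only; /run/mysqld and /tmp (emptyDir below) are the only writable paths`. The enclosing MariaDB template definition begins before this hunk and continues after it.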
@@ -281,24 +311,52 @@ spec: enabled: true authDelegatorRoleName: {{ $dbinst }}-auth gracefulShutdownTimeout: 5s + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + privileged: false + runAsNonRoot: true + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault + primary: + automaticFailover: true + podIndex: 0 recovery: enabled: true - clusterHealthyTimeout: 5m0s + clusterHealthyTimeout: 30s clusterBootstrapTimeout: 10m0s - podRecoveryTimeout: 5m0s - podSyncTimeout: 10m0s + minClusterSize: 50% + podRecoveryTimeout: 3m0s + podSyncTimeout: 3m0s initContainer: image: {{ include "repositoryGenerator.githubContainerRegistry" . }}/{{ $dot.Values.mariadbOperator.galera.initImage }}:{{ $dot.Values.mariadbOperator.galera.initVersion }} imagePullPolicy: IfNotPresent - volumeClaimTemplate: - {{- if .Values.mariadbOperator.storageClassName }} - storageClassName: {{ .Values.mariadbOperator.storageClassName }} - {{- end }} - resources: - requests: - storage: 50Mi - accessModes: - - ReadWriteOnce + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + privileged: false + runAsNonRoot: true + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault + config: + reuseStorageVolume: false + volumeClaimTemplate: + {{- if .Values.mariadbOperator.persistence.storageClassName }} + storageClassName: {{ .Values.mariadbOperator.persistence.storageClassName }} + {{- end }} + resources: + requests: + storage: 50Mi + accessModes: + - ReadWriteOnce {{- end }} livenessProbe: exec: 
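Review bot: The two `securityContext` blocks added here (the one after `gracefulShutdownTimeout`, presumably the galera agent, and the `initContainer` one) drop capabilities and set `runAsNonRoot`, `runAsUser` and a seccomp profile but omit `readOnlyRootFilesystem`, which the main container context in the previous hunk and the metrics exporter in the next hunk both set to `true`. If the agent and init container can run with a read-only root, add `readOnlyRootFilesystem: true` to both; otherwise a comment naming the path they must write would make the omission look deliberate. The enclosing MariaDB template definition begins before this hunk and continues after it.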
@@ -318,16 +376,41 @@ spec: initialDelaySeconds: 20 periodSeconds: 10 timeoutSeconds: 5 - {{- if default false .Values.global.metrics.enabled }} + {{- if default false $dot.Values.global.metrics.enabled }} metrics: enabled: true + exporter: + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/prom/mysqld-exporter:v0.15.1 + port: 9104 + podSecurityContext: + fsGroup: 10001 + runAsGroup: 10001 + runAsUser: 10001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi {{- end }} affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - topologyKey: kubernetes.io/hostname tolerations: - - key: mariadb.mmontes.io/ha + - key: k8s.mariadb.com/ha operator: Exists effect: NoSchedule podDisruptionBudget: @@ -339,15 +422,11 @@ spec: key: my.cnf name: {{ printf "%s-configuration" (include "common.fullname" $dot) }} resources: {{ include "common.resources" . | nindent 4 }} - volumeClaimTemplate: - {{- if $dot.Values.mariadbOperator.storageClassName }} - storageClassName: {{ $dot.Values.mariadbOperator.storageClassName }} + storage: + {{- if $dot.Values.mariadbOperator.persistence.storageClassName }} + storageClassName: {{ $dot.Values.mariadbOperator.persistence.storageClassName }} {{- end }} - resources: - requests: - storage: {{ $dot.Values.mariadbOperator.persistence.size | quote }} - accessModes: - - ReadWriteOnce + size: {{ $dot.Values.mariadbOperator.persistence.size | quote }} {{- if $dot.Values.db.user }} {{ include "common.mariadbOpUser" (dict "dot" . "dbuser" $dot.Values.db.user "dbinst" $dbinst "dbsecret" $dbusersecret) }} {{- end }} diff --git a/kubernetes/common/common/templates/_mongodb.tpl b/kubernetes/common/common/templates/_mongodb.tpl new file mode 100644 index 0000000000..80d8d72194 
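Review bot: The metrics exporter image is hard-coded in the template as `prom/mysqld-exporter:v0.15.1`, unlike the other images in this file, which come from values (`$dot.Values.mariadbOperator.galera.initImage`/`initVersion`); moving it to values, e.g. `image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ $dot.Values.mariadbOperator.metrics.image }}:{{ $dot.Values.mariadbOperator.metrics.version }}` (constructed keys), lets deployments pin or mirror it and keeps image versions auditable in one place. The condition was fixed to read `$dot.Values.global.metrics.enabled`, which implies callers may pass a dict as `.dot`; if so, the `include "repositoryGenerator.dockerHubRepository" .` two lines below should probably also receive `$dot` rather than `.` — worth confirming. The enclosing MariaDB template definition begins before this hunk.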
--- /dev/null +++ b/kubernetes/common/common/templates/_mongodb.tpl 
@@ -0,0 +1,165 @@ +{{/* +# Copyright © 2019 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{/* + UID of mongodb root password +*/}} +{{- define "common.mongodb.secret.rootPassUID" -}} + {{- printf "db-root-password" }} +{{- end -}} + +{{/* + Name of mongodb secret +*/}} +{{- define "common.mongodb.secret._secretName" -}} + {{- $global := .dot }} + {{- $chartName := tpl .chartName $global -}} + {{- include "common.secret.genName" (dict "global" $global "uid" (include .uidTemplate $global) "chartName" $chartName) }} +{{- end -}} + +{{/* + Name of mongodb root password secret +*/}} +{{- define "common.mongodb.secret.rootPassSecretName" -}} + {{- include "common.mongodb.secret._secretName" (set . "uidTemplate" "common.mongodb.secret.rootPassUID") }} +{{- end -}} + +{{/* + UID of mongodb user credentials +*/}} +{{- define "common.mongodb.secret.userCredentialsUID" -}} + {{- printf "db-user-credentials" }} +{{- end -}} + +{{/* + Name of mongodb user credentials secret +*/}} +{{- define "common.mongodb.secret.userCredentialsSecretName" -}} + {{- include "common.mongodb.secret._secretName" (set . 
"uidTemplate" "common.mongodb.secret.userCredentialsUID") }} +{{- end -}} + +{{/* + UID of mongodb primary password +*/}} +{{- define "common.mongodb.secret.primaryPasswordUID" -}} + {{- printf "primary-password" }} +{{- end -}} + +{{/* + Name of mongodb user credentials secret +*/}} +{{- define "common.mongodb.secret.primaryPasswordSecretName" -}} + {{- include "common.mongodb.secret._secretName" (set . "uidTemplate" "common.mongodb.secret.primaryPasswordUID") }} +{{- end -}} + +{{/* + Choose the name of the mongodb app label to use. +*/}} +{{- define "common.mongodbAppName" -}} + {{- if .Values.global.mongodb.localCluster -}} + {{- index .Values "mongodb" "nameOverride" -}} + {{- else -}} + {{- .Values.global.mongodb.nameOverride -}} + {{- end -}} +{{- end -}} + +#Not edited yet +{{/* + Create mongodb cluster via mongodb percona-operator +*/}} +{{- define "common.mongodbOpInstance" -}} +{{- $dot := default . .dot -}} +{{- $global := $dot.Values.global -}} +{{- $dbinst := include "common.name" $dot -}} +--- + +apiVersion: psmdb.percona.com/v1 +kind: PerconaServerMongoDB +metadata: + name: {{ $dbinst }} + labels: + app: {{ $dbinst }} + version: "5.5" +spec: + metadata: + labels: + app: {{ $dbinst }} + version: "5.5" + {{- if .Values.mongodbOperator.imageMongo }} + image: {{ .Values.mongodbOperator.imageMongo | quote }} + {{- end }} + imagePullSecrets: + - name: {{ include "common.namespace" . 
}}-docker-registry-key + mongodbVersion: {{ $dot.Values.mongodbOperator.mongodbVersion }} + instances: + - name: {{ default "instance1" .Values.mongodbOperator.instanceName | quote }} + replicas: {{ default 2 .Values.mongodbOperator.instanceReplicas }} + dataVolumeClaimSpec: + {{- if .Values.instanceStorageClassName }} + storageClassName: {{ .Values.mongodbOperator.instanceStorageClassName | quote }} + {{- end }} + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: {{ default "1Gi" .Values.mongodbOperator.instanceSize | quote }} + {{- if or .Values.instanceMemory .Values.mongodbOperator.instanceCPU }} + resources: + limits: + cpu: {{ default "" .Values.mongodbOperator.instanceCPU | quote }} + memory: {{ default "" .Values.mongodbOperator.instanceMemory | quote }} + {{- end }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + mongodb-operator.crunchydata.com/cluster: {{ $dbinst }} + mongodb-operator.crunchydata.com/instance-set: {{ default "instance1" .Values.mongodbOperator.instanceName | quote }} + proxy: + pgBouncer: + metadata: + labels: + app: {{ $dbinst }} + version: "5.5" + {{- if .Values.mongodbOperator.imagePgBouncer }} + image: {{ .Values.mongodbOperator.imagePgBouncer | quote }} + {{- end }} + replicas: {{ default 2 .Values.mongodbOperator.bouncerReplicas }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + mongodb-operator.crunchydata.com/cluster: {{ $dbinst }} + mongodb-operator.crunchydata.com/role: pgbouncer + {{- if .Values.mongodbOperator.monitoring }} + monitoring: + pgmonitor: + exporter: + image: {{ default "" .Values.mongodbOperator.imageExporter | quote }} + {{- if .Values.mongodbOperator.monitoringConfig }} +{{ toYaml .Values.monitoringConfig | indent 8 }} 
+ {{- end }} + {{- end }} + users: + - name: mongodb +{{- end -}} diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl index 810350bfa6..743e3db1df 100644 --- a/kubernetes/common/common/templates/_pod.tpl +++ b/kubernetes/common/common/templates/_pod.tpl 
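Review bot: `common.mongodbOpInstance` emits a `PerconaServerMongoDB` object whose spec is copied from a PostgreSQL-operator template: `proxy.pgBouncer`, `monitoring.pgmonitor`, the `mongodb-operator.crunchydata.com/...` label selectors and `users: - name: mongodb` do not look like fields of that CRD, and the `#Not edited yet` line above the define confirms it is unfinished, so the rendered object would presumably be rejected by the operator's schema. The conditions also test keys at the wrong level: `{{- if .Values.instanceStorageClassName }}` and `{{- if or .Values.instanceMemory ... }}` read from `.Values` while the values they print come from `.Values.mongodbOperator.*`, and `{{ toYaml .Values.monitoringConfig }}` is guarded by `.Values.mongodbOperator.monitoringConfig`; `.Values` and `$dot.Values` are mixed throughout, which breaks when a caller passes a dict as `.dot`. The secret helpers above the marker look complete; consider shipping only those, or mark the define with a clear `{{/* TODO: not yet adapted to the psmdb CRD — do not include */}}` until it targets the real schema.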
@@ -53,20 +53,60 @@ {{/* Generate securityContext for pod + required variables: user_id, group_id + optional variables: fsgroup_id, runAsNonRoot, seccompProfileType + Example in values.yaml + securityContext: + user_id: 70 + group_id: 70 + # fsgroup_id: 70 + # runAsNonRoot: true + # seccompProfileType: "RuntimeDefault" */}} {{- define "common.podSecurityContext" -}} securityContext: runAsUser: {{ .Values.securityContext.user_id }} runAsGroup: {{ .Values.securityContext.group_id }} - fsGroup: {{ .Values.securityContext.group_id }} + fsGroup: {{ default .Values.securityContext.group_id .Values.securityContext.fsgroup_id }} + runAsNonRoot: {{ hasKey .Values.securityContext "runAsNonRoot" | ternary .Values.securityContext.runAsNonRoot true }} + seccompProfile: + type: {{ default "RuntimeDefault" .Values.securityContext.seccompProfileType }} {{- end }} {{/* - Generate securityContext for container + Generate securityContext for container (optional) + predefined variables: capabilities.drop + optional variables: readOnlyRootFilesystem, privileged, allowPrivilegeEscalation + Example in values.yaml + containerSecurityContext: + capabilities: + privileged: false + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false */}} {{- define "common.containerSecurityContext" -}} securityContext: +{{- if not .Values.containerSecurityContext }} readOnlyRootFilesystem: true privileged: false allowPrivilegeEscalation: false +{{- else }} + readOnlyRootFilesystem: {{ hasKey .Values.containerSecurityContext "readOnlyRootFilesystem" | ternary .Values.containerSecurityContext.readOnlyRootFilesystem false }} + privileged: {{ hasKey .Values.containerSecurityContext "privileged" | ternary .Values.containerSecurityContext.privileged false }} + allowPrivilegeEscalation: {{ hasKey .Values.containerSecurityContext "allowPrivilegeEscalation" | ternary .Values.containerSecurityContext.allowPrivilegeEscalation false }} + runAsNonRoot: 
{{ hasKey .Values.containerSecurityContext "runAsNonRoot" | ternary .Values.containerSecurityContext.runAsNonRoot true }} +{{- if .Values.containerSecurityContext.runAsUser }} + runAsUser: {{ .Values.containerSecurityContext.runAsUser }} +{{- end }} +{{- if .Values.containerSecurityContext.runAsGroup }} + runAsGroup: {{ .Values.containerSecurityContext.runAsGroup }} +{{ end }} +{{- end }} + capabilities: + drop: + - ALL + - CAP_NET_RAW {{- end }} diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index de779f8db8..638db8cab1 100644 --- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl @@ -27,14 +27,27 @@ true {{- end -}} {{/* + Calculate if we require a sidecar killer. +*/}} +{{- define "common.requireSidecarKiller" -}} +{{- if (include "common.onServiceMesh" .) }} +{{- if eq .Values.global.serviceMesh.engine "istio" }} +{{- if not (default false .Values.global.serviceMesh.nativeSidecars) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* Kills the sidecar proxy associated with a pod. */}} {{- define "common.serviceMesh.killSidecar" -}} -{{- if (include "common.onServiceMesh" .) }} +{{- if (include "common.requireSidecarKiller" .) }} RCODE="$?"; echo "*** script finished with exit code $RCODE" ; echo "*** killing service mesh sidecar" ; -curl -sf -X POST http://127.0.0.1:15020/quitquitquit ; +wget --quiet --post-data '' --output-document=- http://127.0.0.1:15020/quitquitquit || exit $? ; echo "" ; echo "*** exiting with script exit code" ; exit "$RCODE" 
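Review bot: In `common.containerSecurityContext`, the override branch defaults `readOnlyRootFilesystem` to `false` when the key is absent (`... | ternary .Values.containerSecurityContext.readOnlyRootFilesystem false`), while the no-override branch hard-codes `true`; a chart that sets only `containerSecurityContext.runAsUser` therefore silently loses the read-only root filesystem. Defaulting to the secure value keeps both branches consistent: `readOnlyRootFilesystem: {{ hasKey .Values.containerSecurityContext "readOnlyRootFilesystem" | ternary .Values.containerSecurityContext.readOnlyRootFilesystem true }}`. The `runAsUser`/`runAsGroup` checks use truthiness, so an explicit `0` is dropped — presumably intended, but worth a comment — and the closing `{{ end }}` after `runAsGroup` lacks the `-` trim used everywhere else, leaving a blank line in the rendered manifest. The example under "Generate securityContext for container" lists `capabilities:` with no value; drop it or show the `drop` list.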
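Review bot: `wget ... || exit $?` changes the killer's semantics: if the POST to `/quitquitquit` fails (sidecar already gone, or a mesh where the port is closed), the script now exits with wget's status instead of falling through to `exit "$RCODE"`, so a successful job is reported as failed and the real exit code is lost; the previous `curl -sf ... ;` ignored that failure. Dropping `|| exit $?`, or replacing it with `|| echo "*** sidecar shutdown request failed"`, preserves `$RCODE`. `common.requireSidecarKiller` also only matches `engine "istio"`, so on other engines no killer is emitted at all; that matches the Istio-specific endpoint but deserves a one-line comment in the template's header.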
@@ -47,7 +60,7 @@ exit "$RCODE" {{- define "common.waitForJobContainer" -}} {{- $dot := default . .dot -}} {{- $wait_for_job_container := default $dot.Values.wait_for_job_container .wait_for_job_container -}} -{{- if (include "common.onServiceMesh" .) }} +{{- if (include "common.requireSidecarKiller" .) }} - name: {{ include "common.name" $dot }}{{ ternary "" (printf "-%s" $wait_for_job_container.name) (empty $wait_for_job_container.name) }}-service-mesh-wait-for-job-container image: {{ include "repositoryGenerator.image.quitQuit" $dot }} imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} @@ -65,6 +78,23 @@ exit "$RCODE" fieldRef: apiVersion: v1 fieldPath: metadata.namespace + securityContext: + capabilities: + drop: + - ALL + - CAP_NET_RAW + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsUser: 100 + runAsGroup: 65533 + resources: + limits: + cpu: 100m + memory: 500Mi + requests: + cpu: 10m + memory: 10Mi {{- end }} {{- end }} diff --git a/kubernetes/common/dgbuilder/resources/config/customSettings.js b/kubernetes/common/dgbuilder/resources/config/customSettings.js deleted file mode 100644 index abaab57254..0000000000 --- a/kubernetes/common/dgbuilder/resources/config/customSettings.js +++ /dev/null 
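Review bot: The `securityContext` added to the wait-for-job container sets `runAsUser: 100` and `runAsGroup: 65533` but omits `runAsNonRoot: true` and `seccompProfile`, both of which `common.podSecurityContext` now emits by default in this commit; if the pod-level context is relied on to supply them, a comment saying so would suffice, otherwise add `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` so the container is hardened even when a chart does not use that helper. The hard-coded UID/GID should carry a comment tying them to the image, e.g. `# 100/65533: user/group baked into the quitQuit image — keep in sync when bumping it` (confirm against the image). The enclosing `common.waitForJobContainer` definition begins before this hunk.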
@@ -1,58 +0,0 @@ -/* Copyright © 2017 AT&T, Amdocs, Bell Canada -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ - -module.exports={ - "name": "Release sdnc1.0", - "emailAddress": "dguser@onap.org", - "uiPort": 3100, - "mqttReconnectTime": 15000, - "serialReconnectTime": 15000, - "debugMaxLength": 1000, - "htmlPath": "releases/sdnc1.0/html/", - "xmlPath": "releases/sdnc1.0/xml/", - "flowFile": "releases/sdnc1.0/flows/flows.json", - "sharedDir": "releases/sdnc1.0/flows/shared", - "userDir": "releases/sdnc1.0", - "httpAuth": { - "user": "${HTTP_USER}", - "pass": "${HTTP_PASSWORD}" - }, - "dbHost": "{{.Values.config.dbServiceName}}.{{ include "common.namespace" . }}", - "dbPort": "3306", - "dbName": "{{.Values.config.db.dbName}}", - "dbUser": "${DB_USER}", - "dbPassword": "${DB_PASSWORD}", - "gitLocalRepository": "", - "restConfUrl": "http://localhost:8181/restconf/operations/SLI-API:execute-graph", - "restConfUser": "${REST_CONF_USER}", - "restConfPassword": "${REST_CONF_PASSWORD}", - "formatXML": "Y", - "formatJSON": "Y", - "httpRoot": "/", - "disableEditor": false, - "httpAdminRoot": "/", - "httpAdminAuth": { - "user": "${HTTP_ADMIN_USER}", - "pass": "${HTTP_ADMIN_PASSWORD}" - }, - "httpNodeRoot": "/", - "httpNodeAuth": { - "user": "${HTTP_NODE_USER}", - "pass": "${HTTP_NODE_PASSWORD}" - }, - "uiHost": "0.0.0.0", - "version": "0.9.1", - "performGitPull": "N" -} 
diff --git a/kubernetes/common/dgbuilder/resources/config/svclogic.properties b/kubernetes/common/dgbuilder/resources/config/svclogic.properties deleted file mode 100644 index 01edb4d411..0000000000 --- a/kubernetes/common/dgbuilder/resources/config/svclogic.properties +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -org.onap.ccsdk.sli.dbtype=jdbc -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.dbServiceName}}.{{ include "common.namespace" . }}:3306/{{.Values.config.db.dbName}} -org.onap.ccsdk.sli.jdbc.database={{.Values.config.db.dbName}} -org.onap.ccsdk.sli.jdbc.user=${DB_USER} -org.onap.ccsdk.sli.jdbc.password=${DB_PASSWORD} diff --git a/kubernetes/common/dgbuilder/templates/NOTES.txt b/kubernetes/common/dgbuilder/templates/NOTES.txt deleted file mode 100644 index 27db4f3535..0000000000 --- a/kubernetes/common/dgbuilder/templates/NOTES.txt +++ /dev/null 
@@ -1,25 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# This file is licensed under the CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE -# -# Full license text at https://creativecommons.org/licenses/by/4.0/legalcode - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/common/dgbuilder/templates/deployment.yaml b/kubernetes/common/dgbuilder/templates/deployment.yaml deleted file mode 100644 index 18963f94f0..0000000000 --- a/kubernetes/common/dgbuilder/templates/deployment.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }} - - name: DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }} - - name: HTTP_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "http-user-creds" "key" "login") | indent 10 }} - - name: HTTP_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "http-user-creds" "key" "password") | indent 10 }} - - name: HTTP_ADMIN_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "admin-creds" "key" "login") | indent 10 }} - - name: HTTP_ADMIN_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "admin-creds" "key" "password") | indent 10 }} - - name: HTTP_NODE_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "login") | indent 10 }} - - name: HTTP_NODE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "password") | indent 10 }} - - name: REST_CONF_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "login") | indent 10 }} - - name: REST_CONF_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input - name: config-input - - mountPath: /config - name: config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - - command: - - /app/ready.py - args: - - --app-name - - {{ .Values.config.dbPodName }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/bin/bash"] - args: ["-c", "cd /opt/onap/ccsdk/dgbuilder/ && ./start.sh sdnc1.0 && wait"] - ports: {{- include "common.containerPorts" . 
| indent 10 }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: SDNC_CONFIG_DIR - value: /opt/onap/sdnc/data/properties - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: config - mountPath: /opt/app/application.properties - subPath: application.properties - - name: config - mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/conf/svclogic.properties - subPath: svclogic.properties - - name: config - mountPath: /opt/onap/ccsdk/dgbuilder/svclogic/svclogic.properties - subPath: svclogic.properties - - name: config - mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/customSettings.js - subPath: customSettings.js - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: config-input - configMap: - name: {{ include "common.fullname" . }}-config - - name: config - emptyDir: - medium: Memory - {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/dgbuilder/templates/ingress.yaml b/kubernetes/common/dgbuilder/templates/ingress.yaml deleted file mode 100644 index 4392308e38..0000000000 --- a/kubernetes/common/dgbuilder/templates/ingress.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -{{/* -# Copyright © 2020 Samsung, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{ include "common.ingress" . }} diff --git a/kubernetes/common/dgbuilder/templates/secrets.yaml b/kubernetes/common/dgbuilder/templates/secrets.yaml deleted file mode 100644 index 4b4849980c..0000000000 --- a/kubernetes/common/dgbuilder/templates/secrets.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/common/dgbuilder/templates/service.yaml b/kubernetes/common/dgbuilder/templates/service.yaml deleted file mode 100644 index 53f04104d9..0000000000 --- a/kubernetes/common/dgbuilder/templates/service.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }}
\ No newline at end of file diff --git a/kubernetes/common/dgbuilder/values.yaml b/kubernetes/common/dgbuilder/values.yaml deleted file mode 100644 index c4dcb2f40e..0000000000 --- a/kubernetes/common/dgbuilder/values.yaml +++ /dev/null 
@@ -1,173 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Global configuration default values that can be inherited by -# all subcharts. -################################################################# -global: - # Change to an unused port prefix range to prevent port conflicts - # with other instances running within the same k8s cluster - nodePortPrefix: 302 - - # image pull policy - pullPolicy: Always - - # default mount path root directory referenced - # by persistent volumes and log files - persistence: - mountPath: /dockerdata-nfs - - # flag to enable debugging - application support required - debugEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: 'db-root-password' - type: password - externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' - password: '{{ .Values.config.db.rootPassword }}' - - uid: 'db-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - - uid: 'http-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.httpCredsExternalSecret) . 
}}' - login: '{{ .Values.config.httpUser }}' - password: '{{ .Values.config.dgUserPassword }}' - - uid: 'admin-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.adminCredsExternalSecret) . }}' - login: '{{ .Values.config.adminUser }}' - password: '{{ .Values.config.dgUserPassword }}' - - uid: 'node-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.nodeCredsExternalSecret) . }}' - login: '{{ .Values.config.nodeUser }}' - password: '{{ .Values.config.dgUserPassword }}' - - uid: 'restconf-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.restconfCredsExternalSecret) . }}' - login: '{{ .Values.config.restconfUser }}' - password: '{{ .Values.config.restconfPassword }}' - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/ccsdk-dgbuilder-image:1.5.1 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - db: - dbName: sdnctl - # unused for now to preserve the API - rootPassword: openECOMP1.0 - # rootPasswordExternalSecret: some secret - userName: sdnctl - # unused for now to preserve the API - userPassword: gamma - # userCredentialsExternalSecret: some secret - httpUser: dguser - # unused for now to preserve the API - httpPassword: cc03e747a6afbbcbf8be7668acfebee5 - # httpCredsExternalSecret: some secret - adminUser: dguser - # unused for now to preserve the API - adminPassword: cc03e747a6afbbcbf8be7668acfebee5 - # adminCredsExternalSecret: some secret - nodeUser: dguser - # unused for now to preserve the API - nodePassword: cc03e747a6afbbcbf8be7668acfebee5 - # nodeCredsExternalSecret: some secret - restconfUser: admin - # unused for now to preserve the API - restconfPassword: admin - # restconfCredsExternalSecret: some secret - - dbPodName: 
mysql-db - dbServiceName: sdnc-dbhost - # MD5 hash of dguser password ( default: test123 ) - dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5 - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: dgbuilder - internalPort: 3100 - ports: - - name: http - port: 3100 - nodePort: 28 - -ingress: - enabled: false - service: - - baseaddr: "dgbuilder" - name: "dgbuilder" - port: 3100 - config: - ssl: "redirect" - -#Resource Limit flavor -By Default using small -flavor: small -#segregation for different envionment (Small and Large) - -resources: - small: - limits: - cpu: "2" - memory: "4Gi" - requests: - cpu: "1" - memory: "2Gi" - large: - limits: - cpu: "4" - memory: "8Gi" - requests: - cpu: "2" - memory: "4Gi" - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dgbuilder - roles: - - read diff --git a/kubernetes/common/elasticsearch/.helmignore b/kubernetes/common/elasticsearch/.helmignore index 68ffb32406..0bab41b6b1 100644 --- a/kubernetes/common/elasticsearch/.helmignore +++ b/kubernetes/common/elasticsearch/.helmignore @@ -1 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs components/ 
diff --git a/kubernetes/common/elasticsearch/Chart.yaml b/kubernetes/common/elasticsearch/Chart.yaml index 82c8ccd056..48de2c0502 100644 --- a/kubernetes/common/elasticsearch/Chart.yaml +++ b/kubernetes/common/elasticsearch/Chart.yaml @@ -23,7 +23,10 @@ version: 13.0.0 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' - name: master version: ~13.x-0 repository: 'file://components/master' @@ -35,6 +38,3 @@ dependencies: version: ~13.x-0 repository: 'file://components/curator' condition: elasticsearch.curator.enabled,curator.enabled - - name: repositoryGenerator - version: ~13.x-0 - repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/elasticsearch/components/curator/Chart.yaml b/kubernetes/common/elasticsearch/components/curator/Chart.yaml index 39780f2e83..baceb1dadc 100644 --- a/kubernetes/common/elasticsearch/components/curator/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/curator/Chart.yaml @@ -23,7 +23,7 @@ version: 13.0.0 dependencies: - name: common version: ~13.x-0 - repository: 'file://../../../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../../../repositoryGenerator'
\ No newline at end of file + repository: '@local' diff --git a/kubernetes/common/elasticsearch/components/curator/values.yaml b/kubernetes/common/elasticsearch/components/curator/values.yaml index 00f113b5bb..d02d017108 100644 --- a/kubernetes/common/elasticsearch/components/curator/values.yaml +++ b/kubernetes/common/elasticsearch/components/curator/values.yaml @@ -175,4 +175,3 @@ extraInitContainers: {} # "storage_class": "${S3_STORAGE_CLASS}" # } # } - diff --git a/kubernetes/common/elasticsearch/components/data/Chart.yaml b/kubernetes/common/elasticsearch/components/data/Chart.yaml index d49a21085b..30c925aba7 100644 --- a/kubernetes/common/elasticsearch/components/data/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/data/Chart.yaml @@ -23,7 +23,7 @@ version: 13.0.0 dependencies: - name: common version: ~13.x-0 - repository: 'file://../../../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../../../repositoryGenerator' + repository: '@local' diff --git a/kubernetes/common/elasticsearch/components/master/Chart.yaml b/kubernetes/common/elasticsearch/components/master/Chart.yaml index 73d59075e3..e481c7cd4b 100644 --- a/kubernetes/common/elasticsearch/components/master/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/master/Chart.yaml @@ -22,7 +22,7 @@ version: 13.0.0 dependencies: - name: common version: ~13.x-0 - repository: 'file://../../../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../../../repositoryGenerator' + repository: '@local' diff --git a/kubernetes/common/elasticsearch/templates/_helpers.tpl b/kubernetes/common/elasticsearch/templates/_helpers.tpl index 1de2599af9..34663e14f1 100644 --- a/kubernetes/common/elasticsearch/templates/_helpers.tpl +++ b/kubernetes/common/elasticsearch/templates/_helpers.tpl 
@@ -69,5 +69,3 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{ default "default" .Values.serviceAccount.name }} {{- end -}} {{- end -}} - - diff --git a/kubernetes/common/etcd-init/templates/job.yaml b/kubernetes/common/etcd-init/templates/job.yaml index 8919dc7a39..71f912e201 100644 --- a/kubernetes/common/etcd-init/templates/job.yaml +++ b/kubernetes/common/etcd-init/templates/job.yaml @@ -27,6 +27,12 @@ spec: backoffLimit: {{ .Values.backoffLimit }} template: metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} @@ -37,8 +43,8 @@ spec: command: - /app/ready.py args: - - --container-name - - {{ .Values.etcd.containerName }} + - --service-name + - {{ .Values.etcd.serviceName }} env: - name: NAMESPACE valueFrom: @@ -93,10 +99,6 @@ spec: value: "{{ .Values.config.appRole }}" - name: KEY_PREFIX value: "{{ .Values.config.keyPrefix }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} @@ -106,9 +108,5 @@ spec: affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime restartPolicy: Never {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/etcd/.helmignore b/kubernetes/common/etcd/.helmignore index f0c1319444..0bab41b6b1 100644 --- a/kubernetes/common/etcd/.helmignore 
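Review bot: `traffic.sidecar.istio.io/excludeOutboundPorts: "443"` bypasses the sidecar for every outbound connection to port 443 from the job pod, not only the kube-apiserver call the comment describes, so any other HTTPS destination the readiness or job container reaches is outside mesh mTLS and policy; the comment should state that scope, and it also has the typo `Workarround`. Suggested text: `# Workaround: exclude port 443 (kube-apiserver) from istio interception because init containers (readinessCheck) do not work with the Istio CNI plugin; note this also bypasses the mesh for any other outbound HTTPS traffic from this pod`. The identical annotation and comment are added in mariadb-galera/templates/backup/cronjob.yaml. Separately, the readiness args now read `.Values.etcd.serviceName` instead of `.Values.etcd.containerName`; the etcd-init values.yaml is not in this diff, so confirm that key is defined or the `--service-name` argument renders empty.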
+++ b/kubernetes/common/etcd/.helmignore @@ -19,3 +19,14 @@ .project .idea/ *.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/etcd/Chart.yaml b/kubernetes/common/etcd/Chart.yaml index 02fc2c0603..465364b3da 100644 --- a/kubernetes/common/etcd/Chart.yaml +++ b/kubernetes/common/etcd/Chart.yaml @@ -28,7 +28,7 @@ sources: dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' + repository: '@local' diff --git a/kubernetes/common/etcd/templates/service.yaml b/kubernetes/common/etcd/templates/service.yaml index 006378f631..72dea06832 100644 --- a/kubernetes/common/etcd/templates/service.yaml +++ b/kubernetes/common/etcd/templates/service.yaml @@ -35,4 +35,3 @@ spec: selector: app.kubernetes.io/name: {{ include "common.name" . }} app.kubernetes.io/instance: {{ include "common.release" . }} - diff --git a/kubernetes/common/logConfiguration/.helmignore b/kubernetes/common/logConfiguration/.helmignore new file mode 100644 index 0000000000..0bab41b6b1 --- /dev/null +++ b/kubernetes/common/logConfiguration/.helmignore @@ -0,0 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/logConfiguration/Chart.yaml b/kubernetes/common/logConfiguration/Chart.yaml index a5790a4d62..7908bfa405 100644 
--- a/kubernetes/common/logConfiguration/Chart.yaml +++ b/kubernetes/common/logConfiguration/Chart.yaml @@ -22,4 +22,4 @@ version: 13.0.0 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' diff --git a/kubernetes/common/mariadb-galera/.helmignore b/kubernetes/common/mariadb-galera/.helmignore index f0c1319444..0bab41b6b1 100644 --- a/kubernetes/common/mariadb-galera/.helmignore +++ b/kubernetes/common/mariadb-galera/.helmignore @@ -19,3 +19,14 @@ .project .idea/ *.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/mariadb-galera/Chart.yaml b/kubernetes/common/mariadb-galera/Chart.yaml index 470e64b5f1..41d11a646e 100644 --- a/kubernetes/common/mariadb-galera/Chart.yaml +++ b/kubernetes/common/mariadb-galera/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Chart for MariaDB Galera cluster name: mariadb-galera -version: 13.1.0 +version: 13.2.2 keywords: - mariadb - mysql @@ -30,14 +30,14 @@ keywords: dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: readinessCheck version: ~13.x-0 - repository: 'file://../readinessCheck' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' + repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: 'file://../serviceAccount' + repository: '@local' condition: global.mariadbGalera.enableServiceAccount
\ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml index 9f0a786282..877e6faaa6 100644 --- a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml +++ b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml @@ -32,6 +32,13 @@ spec: jobTemplate: spec: template: + metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} {{ include "common.podSecurityContext" . | indent 10 | trim}} @@ -157,16 +164,10 @@ spec: name: tmp-data - mountPath: /opt/bitnami/mariadb/tmp name: tmp - - mountPath: /etc/localtime - name: localtime - readOnly: true - name: backup-dir mountPath: /backup {{- include "common.imagePullSecrets" . | nindent 10 }} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: data persistentVolumeClaim: {{- if .Values.persistence.existingClaim }} diff --git a/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml b/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml index 4c2bfcd389..05aafb5cc9 100644 --- a/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml +++ b/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml @@ -47,4 +47,4 @@ spec: {{- end -}} {{- end -}} {{- end -}} -{{- end -}}
\ No newline at end of file +{{- end -}} diff --git a/kubernetes/common/mariadb-galera/templates/configmap.yaml b/kubernetes/common/mariadb-galera/templates/configmap.yaml index 0aa0a63f0a..152d39f4a5 100644 --- a/kubernetes/common/mariadb-galera/templates/configmap.yaml +++ b/kubernetes/common/mariadb-galera/templates/configmap.yaml @@ -39,4 +39,4 @@ data: my.cnf: | {{ .Values.mariadbConfiguration | indent 4 }} {{- end }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/mariadb.yaml b/kubernetes/common/mariadb-galera/templates/mariadb.yaml index ce09c9ff06..d8ada6fbbb 100644 --- a/kubernetes/common/mariadb-galera/templates/mariadb.yaml +++ b/kubernetes/common/mariadb-galera/templates/mariadb.yaml @@ -16,4 +16,4 @@ {{- if .Values.global.mariadbGalera.useOperator }} {{ include "common.mariadbOpInstance" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml b/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml index d37aeb1751..e628deea15 100644 --- a/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml +++ b/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml @@ -34,4 +34,4 @@ spec: targetPort: tcp-metrics selector: {{- include "common.matchLabels" . | nindent 4 }} {{- end }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/pdb.yaml b/kubernetes/common/mariadb-galera/templates/pdb.yaml index 734f03f237..da83abc993 100644 --- a/kubernetes/common/mariadb-galera/templates/pdb.yaml +++ b/kubernetes/common/mariadb-galera/templates/pdb.yaml @@ -29,4 +29,4 @@ spec: selector: matchLabels: {{- include "common.matchLabels" . | nindent 6 }} {{- end }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/prometheusrules.yaml b/kubernetes/common/mariadb-galera/templates/prometheusrules.yaml index cf0ab566a4..ee9124f23b 100644 --- a/kubernetes/common/mariadb-galera/templates/prometheusrules.yaml +++ b/kubernetes/common/mariadb-galera/templates/prometheusrules.yaml @@ -28,4 +28,3 @@ spec: rules: {{- toYaml .Values.metrics.prometheusRules.rules | nindent 6 }} {{- end }} - diff --git a/kubernetes/common/mariadb-galera/templates/pv.yaml b/kubernetes/common/mariadb-galera/templates/pv.yaml index 129b5b26c7..267755259d 100644 --- a/kubernetes/common/mariadb-galera/templates/pv.yaml +++ b/kubernetes/common/mariadb-galera/templates/pv.yaml @@ -17,4 +17,4 @@ {{- if not .Values.global.mariadbGalera.useOperator }} {{ include "common.replicaPV" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/secrets.yaml b/kubernetes/common/mariadb-galera/templates/secrets.yaml index 527f41266d..77a8e38e80 100644 --- a/kubernetes/common/mariadb-galera/templates/secrets.yaml +++ b/kubernetes/common/mariadb-galera/templates/secrets.yaml @@ -16,4 +16,4 @@ # limitations under the License. */}} -{{ include "common.secretFast" . }}
\ No newline at end of file +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml index 4cbf7b394f..1bffb246f4 100644 --- a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml +++ b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml @@ -18,4 +18,4 @@ {{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} {{- end }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index 70cc0c34bd..66ce8abc6e 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -55,7 +55,20 @@ spec: image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + add: + - CHOWN + - SYS_CHROOT + runAsGroup: {{ .Values.securityContext.group_id }} + readOnlyRootFilesystem: false runAsUser: 0 + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault volumeMounts: - name: previous-boot mountPath: /bootstrap @@ -169,6 +182,7 @@ spec: successThreshold: {{ .Values.startupProbe.successThreshold }} failureThreshold: {{ .Values.startupProbe.failureThreshold }} {{- end }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} resources: {{ include "common.resources" . | nindent 12 }} volumeMounts: - name: previous-boot @@ -218,7 +232,7 @@ spec: timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} - {{ include "common.containerSecurityContext" . | indent 10 | trim }} + securityContext: {{- toYaml .Values.metrics.securityContext | nindent 12 }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} {{- end }} {{- include "common.imagePullSecrets" . | nindent 6 }} @@ -266,4 +280,4 @@ spec: volumeClaimTemplates: - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence) | indent 6 | trim }} {{- end }} -{{- end }}
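Review bot: In the bootstrap init container's securityContext (hunk `@@ -55,7 +55,20 @@`), `CAP_NET_RAW` under `drop:` is redundant once `ALL` is dropped, and the `add:` list grants `SYS_CHROOT` to a busybox container that already runs with `runAsUser: 0` without saying which bootstrap step needs it. A comment above `capabilities:` naming the operation behind each retained capability, e.g. `# bootstrap runs as root; CHOWN and SYS_CHROOT are the only capabilities kept — TODO confirm which step needs SYS_CHROOT`, would let a reviewer check that the set is minimal, and the `- CAP_NET_RAW` line can go. The same redundant `CAP_NET_RAW` after `ALL` is introduced in the new `metrics.securityContext` block in values.yaml (hunk `@@ -659,6 +662,19 @@`).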
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index 29d643eb1e..faab7af1b3 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -56,16 +56,16 @@ secrets: mariadbOperator: image: mariadb - appVersion: 11.1.2 + appVersion: 11.2.2 persistence: #storageClassName: default size: 3Gi galera: enabled: true - agentImage: mariadb-operator/agent - agentVersion: v0.0.3 - initImage: mariadb-operator/init - initVersion: v0.0.6 + agentImage: mariadb-operator/mariadb-operator + agentVersion: v0.0.28 + initImage: mariadb-operator/mariadb-operator + initVersion: v0.0.28 ## String to partially override common.names.fullname template (will maintain the release name) ## @@ -99,7 +99,7 @@ podAnnotations: # sidecar.istio.io/inject: "false" traffic.sidecar.istio.io/excludeInboundPorts: "4444,4567,4568" traffic.sidecar.istio.io/includeInboundPorts: '*' - traffic.sidecar.istio.io/excludeOutboundPorts: "4444,4567,4568" + traffic.sidecar.istio.io/excludeOutboundPorts: "4444,4567,4568,443" mariadbOpConfiguration: |- [mysqld] @@ -217,10 +217,13 @@ serviceAccount: ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## securityContext: - enabled: true user_id: 10001 group_id: 10001 +# Old Bitnami Chart does not work without Filesystem access +containerSecurityContext: + readOnlyFileSystem: false + ## Database credentials for root (admin) user ## rootUser: @@ -329,8 +332,8 @@ backup: readinessCheck: wait_for: - apps: - - '{{ include "common.name" . }}' + services: + - '{{ include "common.servicename" . }}' ## TLS configuration ## 
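Review bot: Adding `443` to `traffic.sidecar.istio.io/excludeOutboundPorts` (hunk `@@ -99,7 +99,7 @@`) routes every outbound HTTPS connection from the galera pods around the Istio sidecar, not only calls to the Kubernetes API, so that traffic leaves mesh mTLS and authorization policy; the hunk gives no reason. The mariadb-init job in this same change documents the identical workaround inline, so a matching comment belongs here, e.g. `# 443 excluded so init containers can reach the K8s API before the Istio CNI sidecar is up; note this exempts all outbound HTTPS` (presumably the same motivation, to be confirmed). Separately, the new `containerSecurityContext.readOnlyFileSystem: false` (hunk `@@ -217,10 +217,13 @@`) uses a chart-specific key whose spelling differs from the Kubernetes field `readOnlyRootFilesystem`; if `common.containerSecurityContext` does not read exactly this key the override is silently ignored, which the comment above it should mention.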
@@ -659,6 +662,19 @@ metrics: ## - --collect.binlog_size ## extraFlags: [] + securityContext: + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault ## MySQL Prometheus exporter containers' resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## diff --git a/kubernetes/common/mariadb-init/.helmignore b/kubernetes/common/mariadb-init/.helmignore index dadf202953..f4d0b92f20 100644 --- a/kubernetes/common/mariadb-init/.helmignore +++ b/kubernetes/common/mariadb-init/.helmignore @@ -21,3 +21,14 @@ *.tmproj tests +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/mariadb-init/Chart.yaml b/kubernetes/common/mariadb-init/Chart.yaml index fa89a669d2..d1844916e0 100644 --- a/kubernetes/common/mariadb-init/Chart.yaml +++ b/kubernetes/common/mariadb-init/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2018 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -13,19 +14,19 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +--- apiVersion: v2 description: Chart for MariaDB Galera init job name: mariadb-init -version: 13.0.0 +version: 13.0.2 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' + repository: '@local' - name: serviceAccount version: ~13.x-0 repository: '@local' diff --git a/kubernetes/common/mariadb-init/templates/_configmap.tpl b/kubernetes/common/mariadb-init/templates/_configmap.tpl index ea612a078d..8d111b5170 100644 --- a/kubernetes/common/mariadb-init/templates/_configmap.tpl +++ b/kubernetes/common/mariadb-init/templates/_configmap.tpl @@ -1,4 +1,4 @@ -{{/* +{{- /* # Copyright © 2019 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -12,7 +12,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} +*/ -}} {{/* Choose the name of the configmap to use. diff --git a/kubernetes/common/mariadb-init/templates/_mariadb.tpl b/kubernetes/common/mariadb-init/templates/_mariadb.tpl index 5563fe714d..fda93b52ef 100644 --- a/kubernetes/common/mariadb-init/templates/_mariadb.tpl +++ b/kubernetes/common/mariadb-init/templates/_mariadb.tpl @@ -1,4 +1,4 @@ -{{/* +{{- /* # Copyright © 2019 Orange # Copyright © 2020 Samsung Electronics # @@ -13,7 +13,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} +*/ -}} {{/* Choose the name of the mariadb secret to use. 
diff --git a/kubernetes/common/mariadb-init/templates/configmap.yaml b/kubernetes/common/mariadb-init/templates/configmap.yaml index 6708efdb60..6df329e8a5 100644 --- a/kubernetes/common/mariadb-init/templates/configmap.yaml +++ b/kubernetes/common/mariadb-init/templates/configmap.yaml @@ -1,4 +1,3 @@ -{{/* # Copyright © 2019 Orange # Modifications Copyright © 2018 AT&T # @@ -13,8 +12,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} - +--- apiVersion: v1 kind: ConfigMap metadata: diff --git a/kubernetes/common/mariadb-init/templates/job.yaml b/kubernetes/common/mariadb-init/templates/job.yaml index 88ff0e09c2..d620bd2edc 100644 --- a/kubernetes/common/mariadb-init/templates/job.yaml +++ b/kubernetes/common/mariadb-init/templates/job.yaml @@ -1,4 +1,3 @@ -{{/* # Copyright © 2019 Orange # Copyright © 2020 Samsung Electronics # @@ -13,8 +12,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} - +--- {{ include "mariadbInit._updateSecrets" . -}} apiVersion: batch/v1 
@@ -31,29 +29,24 @@ spec: backoffLimit: 20 template: metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: - {{- if .Values.global.mariadbGalera.localCluster }} - {{- if .Values.global.mariadbGalera.useOperator }} - {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local_operator ) | indent 6 | trim }} - {{ else }} - {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local ) | indent 6 | trim }} - {{- end }} - {{ else }} - {{- if .Values.global.mariadbGalera.useOperator }} - {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global_operator ) | indent 6 | trim }} - {{ else }} - {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global ) | indent 6 | trim }} - {{- end }} - {{- end }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.image.mariadb" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} command: - /bin/sh - -c 
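Review bot: The new `traffic.sidecar.istio.io/excludeOutboundPorts: "443"` annotation is emitted unconditionally, whereas the sibling mongodb-init job added in this same change gates its mesh-specific behaviour on `common.onServiceMesh`; wrapping the whole `annotations:` block in `{{- if include "common.onServiceMesh" . }}` … `{{- end }}` keeps non-mesh deployments free of Istio metadata and makes the intent explicit. The exclusion also covers every outbound 443 connection from the job pod, not only the API-server access the comment describes; that is tolerable for a short-lived init job, but the comment should say so. The template's pod spec continues past the hunk.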
@@ -81,9 +74,6 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" $root "uid" $db "key" "password") | indent 10 }} {{ end }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - name: mariadb-init mountPath: /db_init/ {{- if or .Values.dbScriptConfigMap .Values.dbScript }} @@ -102,9 +92,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime {{- if or .Values.dbScriptConfigMap .Values.dbScript }} - name: mariadb-conf configMap: diff --git a/kubernetes/common/mariadb-init/templates/secret.yaml b/kubernetes/common/mariadb-init/templates/secret.yaml index a9d9e0b704..b2876bcb82 100644 --- a/kubernetes/common/mariadb-init/templates/secret.yaml +++ b/kubernetes/common/mariadb-init/templates/secret.yaml @@ -1,4 +1,3 @@ -{{/* # Copyright © 2017 Amdocs, Bell Canada, Orange # Copyright © 2020 Samsung Electronics # @@ -13,8 +12,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} - +--- {{ include "mariadbInit._updateSecrets" . -}} {{ include "common.secretFast" . }} diff --git a/kubernetes/common/mariadb-init/tests/job_test.yaml b/kubernetes/common/mariadb-init/tests/job_test.yaml index 170eaf3c96..33cd1c2dc3 100644 --- a/kubernetes/common/mariadb-init/tests/job_test.yaml +++ b/kubernetes/common/mariadb-init/tests/job_test.yaml @@ -36,7 +36,7 @@ tests: content: mariadb-galera - equal: path: spec.template.spec.initContainers[0].image - value: nexus3.onap.org:10001/onap/oom/readiness:3.0.1 + value: nexus3.onap.org:10001/onap/oom/readiness:6.0.3 - equal: path: spec.template.spec.initContainers[0].imagePullPolicy value: IfNotPresent 
@@ -98,11 +98,11 @@ tests: - it: "should render with default value (volumes)" asserts: - contains: - path: spec.template.spec.volumes - content: - name: mariadb-conf - configMap: - name: RELEASE-NAME-mariadb-init + path: spec.template.spec.volumes + content: + name: mariadb-conf + configMap: + name: RELEASE-NAME-mariadb-init - it: "should render with nameOverride set" set: @@ -136,11 +136,11 @@ tests: name: RELEASE-NAME-myJob-secret key: db-user-password - contains: - path: spec.template.spec.volumes - content: - name: mariadb-conf - configMap: - name: RELEASE-NAME-myJob + path: spec.template.spec.volumes + content: + name: mariadb-conf + configMap: + name: RELEASE-NAME-myJob - it: "should render with configmap set" set: @@ -158,8 +158,8 @@ tests: set: global: mariadbGalera: - nameOverride: myMaria - servicePort: 545 + nameOverride: myMaria + servicePort: 545 asserts: - contains: path: spec.template.spec.initContainers[0].args @@ -187,10 +187,10 @@ tests: set: global: mariadbGalera: - nameOverride: myMaria - servicePort: 545 - userRootSecret: galera-secret - userRootSecretKey: root-password + nameOverride: myMaria + servicePort: 545 + userRootSecret: galera-secret + userRootSecretKey: root-password asserts: - contains: path: spec.template.spec.initContainers[0].args @@ -230,11 +230,11 @@ tests: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - - key: kubernetes.io/e2e-az-name - operator: In - values: - - e2e-az1 - - e2e-az2 + - key: kubernetes.io/e2e-az-name + operator: In + values: + - e2e-az1 + - e2e-az2 asserts: - equal: path: spec.template.spec.affinity @@ -243,11 +243,11 @@ tests: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - - key: kubernetes.io/e2e-az-name - operator: In - values: - - e2e-az1 - - e2e-az2 + - key: kubernetes.io/e2e-az-name + operator: In + values: + - e2e-az1 + - e2e-az2 - it: "should use large flavor" set: flavor: large 
diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml index 5c181dded2..591477c5cf 100644 --- a/kubernetes/common/mariadb-init/values.yaml +++ b/kubernetes/common/mariadb-init/values.yaml @@ -11,7 +11,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +--- ################################################################# # Global configuration defaults. ################################################################# 
@@ -106,21 +106,25 @@ config: # externalSecret: some-secret-name config_map: default +securityContext: + user_id: 100 + group_id: 65533 + nodeSelector: {} affinity: {} -#resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory +# resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# +# Example: +# Configure resource requests and limits +# ref: http://kubernetes.io/docs/user-guide/compute-resources/ +# Minimum memory for development is 2 CPU cores and 4GB memory +# Minimum memory for production is 4 CPU cores and 8GB memory flavor: small resources: small: @@ -139,7 +143,7 @@ resources: memory: "20Mi" unlimited: {} -#Pods Service Account +# Pods Service Account serviceAccount: nameOverride: mariadb-init roles: 
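Review bot: The new `securityContext` block (hunk `@@ -106,21 +106,25 @@`) introduces `user_id: 100` and `group_id: 65533` with no comment saying where the numbers come from or which helper consumes them, and the same pair reappears in the new mongodb-init values.yaml later in this change. A short comment above the block, e.g. `# UID/GID applied to the init job pod via common.podSecurityContext — must match an account in the mariadb image (TODO confirm)`, keeps the next maintainer from copying the values blindly.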
@@ -150,15 +154,6 @@ wait_for_job_container: - '{{ include "common.name" . }}' readinessCheck: - wait_for_global_operator: - pods: - - '{{ .Values.global.mariadbGalera.nameOverride }}-0' - wait_for_local_operator: - pods: - - '{{ index .Values "mariadb-galera" "nameOverride" }}-0' - wait_for_global: - apps: - - '{{ include "common.mariadbAppName" . }}' - wait_for_local: - apps: - - '{{ include "common.mariadbAppName" . }}' + wait_for: + services: + - '{{ include "common.mariadbService" . }}' diff --git a/kubernetes/common/mongodb-init/.helmignore b/kubernetes/common/mongodb-init/.helmignore new file mode 100644 index 0000000000..0bab41b6b1 --- /dev/null +++ b/kubernetes/common/mongodb-init/.helmignore @@ -0,0 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/dgbuilder/Chart.yaml b/kubernetes/common/mongodb-init/Chart.yaml index b5a2c94471..0cdeecf84b 100644 --- a/kubernetes/common/dgbuilder/Chart.yaml +++ b/kubernetes/common/mongodb-init/Chart.yaml @@ -1,6 +1,4 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
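Review bot: The readiness wait now keys on a single service (`common.mariadbService`) instead of the previous app/pod checks, so the job proceeds as soon as the readiness image considers that service ready; whether that means "has ready endpoints" or merely "exists" is decided by the readiness image (bumped to 6.0.3 in the test hunk) and is not visible here. A comment on `wait_for:` stating the expectation, e.g. `# readinessCheck treats a service as ready only once it has ready endpoints — TODO confirm for the readiness image in use`, records the assumption the init SQL depends on. Dropping the four local/global/operator variants together with the matching template branches in job.yaml is consistent.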
@@ -15,17 +13,20 @@ # limitations under the License. apiVersion: v2 -description: D.G. Builder application -name: dgbuilder -version: 13.0.0 +description: Chart for MongoDB init job +name: mongodb-init +version: 13.0.2 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: 'file://../serviceAccount' + repository: '@local' diff --git a/kubernetes/common/mongodb-init/README.md b/kubernetes/common/mongodb-init/README.md new file mode 100644 index 0000000000..aa6c735744 --- /dev/null +++ b/kubernetes/common/mongodb-init/README.md @@ -0,0 +1,16 @@ +# mongodb-init + +## Introduction + +Initialization scripts for mongo database. + +- not part of ONAP OOM yet + +## Requirements + +mongodb-init needs the following ONAP projects to work: + +- common/common +- common/repositoryGenerator +- common/serviceAccount +- common/readinessCheck diff --git a/kubernetes/common/mongodb-init/resources/config/setup.sql b/kubernetes/common/mongodb-init/resources/config/setup.sql new file mode 100644 index 0000000000..452ee187df --- /dev/null +++ b/kubernetes/common/mongodb-init/resources/config/setup.sql @@ -0,0 +1,11 @@ +// Database Setup +use ${MONGO_DATABASE} + +// UserCreation Setup +db.createUser( + { + user: "${MONGODB_USER}", + pwd: "${MONGODB_PASSWORD}", + roles: [ { role: "readWrite", db: "${MONGO_DATABASE}" } ] + } +) diff --git a/kubernetes/common/dgbuilder/templates/configmap.yaml b/kubernetes/common/mongodb-init/templates/configmap.yaml index 05699e6107..bde790f205 100644 --- a/kubernetes/common/dgbuilder/templates/configmap.yaml +++ b/kubernetes/common/mongodb-init/templates/configmap.yaml 
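Review bot: The credentials are substituted into double-quoted JavaScript strings (`user: "${MONGODB_USER}"`, `pwd: "${MONGODB_PASSWORD}"`), but the `prepare_password` helper in the new job.yaml only doubles single quotes (`sed -e "s/'/''/g"`), which is SQL-style escaping and does nothing for this file; a password containing `"` or `\` breaks the script or changes what `db.createUser` receives. Escape for the quoting actually used, `echo -n "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'` (quoting `$1` also stops word splitting), or drop textual substitution and read `process.env.MONGODB_USER` / `process.env.MONGODB_PASSWORD` inside the script, which mongosh exposes (the setup-db container would then need those variables in its `env`). The content is a mongosh script rather than SQL, so a `.js` extension or a leading `// mongosh script, rendered by envsubst in the init container` comment would stop the `.sql` name from misleading readers.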
@@ -1,5 +1,6 @@ {{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada +# Copyright © 2024 Deutsche Telekom +# # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,7 +18,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-config + name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} diff --git a/kubernetes/common/mongodb-init/templates/job.yaml b/kubernetes/common/mongodb-init/templates/job.yaml new file mode 100644 index 0000000000..5e232e26d3 --- /dev/null +++ b/kubernetes/common/mongodb-init/templates/job.yaml 
@@ -0,0 +1,129 @@ +{{/* +# Copyright © 2024 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.fullname" . }}-config-job + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + backoffLimit: 20 + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + name: {{ include "common.name" . }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + - name: {{ include "common.name" . }}-update-config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + command: + - sh + args: + - -c + - | + function prepare_password { + echo -n $1 | sed -e "s/'/''/g" + } + export MONGODB_PASSWORD=`prepare_password $MONGODB_PASSWORD_INPUT`; + export MONGODB_ROOT_PASSWORD=`prepare_password $MONGODB_ROOT_PASSWORD_INPUT`; + export MONGODB_USER=`prepare_password $MONGODB_USER_INPUT`; + export MONGODB_ROOT_USER=`prepare_password $MONGODB_ROOT_USER_INPUT`; + {{- if include "common.onServiceMesh" . 
}} + echo "waiting 15s for istio side cars to be up"; sleep 15s; + {{- end }} + cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done; + env: + - name: MONGODB_HOST + value: "{{ .Values.global.mongodb.service.name }}" + - name: MONGODB_USER_INPUT + #value: "{{ .Values.config.mgUserName }}" + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" .Values.config.mgDatabase "key" "login") | indent 10 }} + - name: MONGODB_PASSWORD_INPUT + #value: "{{ .Values.config.mgUserPassword }}" + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" .Values.config.mgDatabase "key" "password") | indent 10 }} + - name: MONGO_DATABASE + value: "{{ .Values.config.mgDatabase }}" + - name: MONGODB_ROOT_USER_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" .Values.config.mgRootUserKey) | indent 10 }} + - name: MONGODB_ROOT_PASSWORD_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" .Values.config.mgRootPasswordKey) | indent 10 }} + volumeMounts: + - mountPath: /config-input/setup.sql + name: config + subPath: setup.sql + - mountPath: /config + name: mgconf + containers: + - name: {{ include "common.name" . }}-setup-db + image: {{ include "repositoryGenerator.image.mongodbImage" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . 
| indent 8 | trim }} + command: + - sh + args: + - -c + - | + function prepare_password { + echo -n $1 | sed -e "s/'/''/g" + } + export MONGODB_ROOT_USER=`prepare_password $MONGODB_ROOT_USER_INPUT`; + export MONGODB_ROOT_PASSWORD=`prepare_password $MONGODB_ROOT_PASSWORD_INPUT`; + mongosh "mongodb://${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$MONGODB_HOST" < /config/setup.sql + env: + - name: MONGODB_HOST + value: "{{ .Values.global.mongodb.service.name }}" + - name: MONGODB_ROOT_USER_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" "MONGODB_DATABASE_ADMIN_USER") | indent 10 }} + - name: MONGODB_ROOT_PASSWORD_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" "MONGODB_DATABASE_ADMIN_PASSWORD") | indent 10 }} + volumeMounts: + - mountPath: /config-input/setup.sql + name: config + subPath: setup.sql + - mountPath: /config + name: mgconf + resources: {{ include "common.resources" . | nindent 10 }} + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: config + configMap: + name: {{ include "common.fullname" . }} + - name: mgconf + emptyDir: + medium: Memory + sizeLimit: 64Mi + restartPolicy: Never + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/common/mongodb-init/templates/secrets.yaml b/kubernetes/common/mongodb-init/templates/secrets.yaml new file mode 100644 index 0000000000..577d9d581e --- /dev/null +++ b/kubernetes/common/mongodb-init/templates/secrets.yaml 
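Review bot: The setup-db container hard-codes the secret keys `"MONGODB_DATABASE_ADMIN_USER"` and `"MONGODB_DATABASE_ADMIN_PASSWORD"` in its two `common.secret.envFromSecretFast` calls, while the update-config init container in the same template reads the same secret through `.Values.config.mgRootUserKey` / `.Values.config.mgRootPasswordKey`; overriding either value leaves the two containers reading different keys, so the literals should become `"key" .Values.config.mgRootUserKey` and `"key" .Values.config.mgRootPasswordKey`. The root credentials are then interpolated unescaped into the connection URI (`mongodb://${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$MONGODB_HOST`), where `prepare_password`'s single-quote doubling is irrelevant and any `@`, `:`, `/` or `%` in the password corrupts the URI; `mongosh "mongodb://$MONGODB_HOST" --username "$MONGODB_ROOT_USER" --password "$MONGODB_ROOT_PASSWORD" < /config/setup.sql` avoids the encoding problem. Keeping the rendered config in a `medium: Memory` emptyDir is the right choice given it holds plaintext credentials.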
@@ -0,0 +1,15 @@ +{{/* +# ## Copyright © 2024 Deutsche Telekom +# # Licensed under the Apache License, Version 2.0 (the "License"); +# # you may not use this file except in compliance with the License. +# # You may obtain a copy of the License at +# # +# # http://www.apache.org/licenses/LICENSE-2.0 +# # +# # Unless required by applicable law or agreed to in writing, software +# # distributed under the License is distributed on an "AS IS" BASIS, +# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# # See the License for the specific language governing permissions and +# # limitations under the License. +*/}} +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/mongodb-init/values.yaml b/kubernetes/common/mongodb-init/values.yaml new file mode 100644 index 0000000000..478fab5cdd --- /dev/null +++ b/kubernetes/common/mongodb-init/values.yaml 
@@ -0,0 +1,108 @@ +# Copyright © 2024 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + mongodb: + service: + name: mgset + container: + name: mongodb + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: '{{ include "common.mongodb.secret.rootPassUID" . }}' + type: password + externalSecret: '{{ tpl (default "" .Values.config.mgExternalSecret) . }}' + password: '{{ .Values.config.mgRootPasswordKey }}' + - uid: '{{ .Values.config.mgDatabase }}' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.mgUserExternalSecret) . }}' + login: '{{ .Values.config.mgUserName }}' + password: '{{ .Values.config.mgUserPassword }}' + +################################################################# +# Application configuration defaults. +################################################################# + +pullPolicy: Always + +# application configuration +config: + mgUserName: testuser + mgUserPassword: testuser123 + mgDatabase: testdb + mgDataPath: data + #mgRootPasswordExternalSecret: '{{ include "common.namespace" . }}-mongodb-db-root-password' + mgExternalSecret: '{{ include "common.name" . 
}}-mongo-secrets' + mgRootUserKey: MONGODB_DATABASE_ADMIN_USER + mgRootPasswordKey: MONGODB_DATABASE_ADMIN_PASSWORD + mgUserExternalSecret: '{{ include "common.release" . }}-{{ include "common.name" . }}-mg-secret' + +nodeSelector: {} + +affinity: {} + +flavor: small + +#resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# +# Example: +# Configure resource requests and limits +# ref: http://kubernetes.io/docs/user-guide/compute-resources/ +# Minimum memory for development is 2 CPU cores and 4GB memory +# Minimum memory for production is 4 CPU cores and 8GB memory +resources: + small: + limits: + cpu: "100m" + memory: "0.3Gi" + requests: + cpu: "10m" + memory: "0.09Gi" + large: + limits: + cpu: "2" + memory: "4Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: mongodb-init + roles: + - read + +securityContext: + user_id: 100 + group_id: 65533 + +readinessCheck: + wait_for: + services: + - '{{ .Values.global.mongodb.service.name }}' + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-setup-db' diff --git a/kubernetes/common/mongodb/Chart.yaml b/kubernetes/common/mongodb/Chart.yaml index 73c8bab5c2..fc39ce3dee 100644 --- a/kubernetes/common/mongodb/Chart.yaml +++ b/kubernetes/common/mongodb/Chart.yaml @@ -16,7 +16,7 @@ annotations: - name: os-shell image: docker.io/bitnami/os-shell:12-debian-12-r15 apiVersion: v2 -appVersion: 7.0.5 +appVersion: 7.0.8 dependencies: - name: common repository: 'file://./common' @@ -40,4 +40,4 @@ maintainers: name: mongodb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mongodb -version: 14.12.2 +version: 14.12.4 
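Review bot: `config.mgUserName: testuser` and `config.mgUserPassword: testuser123` are live defaults for a database account, and the `secrets` entry feeds them into `common.secretFast` as `login`/`password`; depending on how that helper treats the configured `mgUserExternalSecret`, these may be what ends up in the generated secret, and nothing on the page marks them as placeholders. A comment above `config:` such as `# mgUserName/mgUserPassword are development defaults; point mgUserExternalSecret at a real secret for any shared deployment` makes the expectation explicit. `mgDataPath: data` is not referenced by any template in this change, so it looks like a leftover worth a comment or removal.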
diff --git a/kubernetes/common/mongodb/README.md b/kubernetes/common/mongodb/README.md index 065e047fdc..a4d1803a9f 100644 --- a/kubernetes/common/mongodb/README.md +++ b/kubernetes/common/mongodb/README.md @@ -1117,4 +1117,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License.
\ No newline at end of file +limitations under the License. diff --git a/kubernetes/common/mongodb/common/templates/_images.tpl b/kubernetes/common/mongodb/common/templates/_images.tpl index 1bcb779df5..e6acf9e3c6 100644 --- a/kubernetes/common/mongodb/common/templates/_images.tpl +++ b/kubernetes/common/mongodb/common/templates/_images.tpl @@ -114,4 +114,3 @@ Return the proper image version (ingores image revision/prerelease info & fallba {{- print .chart.AppVersion -}} {{- end -}} {{- end -}} - diff --git a/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml index 269863f3ec..ee033e9437 100644 --- a/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml +++ b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml @@ -254,6 +254,9 @@ spec: - name: empty-dir mountPath: /opt/bitnami/mongodb/logs subPath: app-logs-dir + - name: empty-dir + mountPath: /bitnami/mongodb + subPath: app-volume-dir {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} - name: config mountPath: /opt/bitnami/mongodb/conf/mongodb.conf @@ -271,7 +274,8 @@ spec: {{- end }} volumes: - name: empty-dir - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }} {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }} - name: common-scripts configMap: @@ -284,7 +288,8 @@ spec: {{- end }} {{- if and .Values.tls.enabled .Values.arbiter.enabled }} - name: certs - emptyDir: {} + emptyDir: + sizeLimit: 64Mi {{- if (include "mongodb.autoGenerateCerts" .) }} - name: certs-volume secret: diff --git a/kubernetes/common/mongodb/templates/backup/cronjob.yaml b/kubernetes/common/mongodb/templates/backup/cronjob.yaml index 79466e919e..b1d0b589a9 100644 --- a/kubernetes/common/mongodb/templates/backup/cronjob.yaml +++ b/kubernetes/common/mongodb/templates/backup/cronjob.yaml 
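Review bot: `sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}` (hunk `@@ -271,7 +274,8 @@`) dereferences a values path that this diff does not add to the chart's values.yaml; if `arbiter.emptyDir` is absent, Helm aborts rendering with a nil-pointer error rather than falling back to an unlimited emptyDir, so the key needs a documented default in values.yaml (e.g. `emptyDir:` / `  sizeLimit: 64Mi` with a comment on why that size). The same pattern is introduced for `.Values.backup.emptyDir.sizeLimit` in backup/cronjob.yaml and `.Values.hidden.emptyDir.sizeLimit` in hidden/statefulset.yaml. The extra `empty-dir` mount at `/bitnami/mongodb` for the arbiter (hunk `@@ -254,6 +254,9 @@`) reads as support for a read-only root filesystem, assuming that is what the chart sets elsewhere.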
@@ -166,14 +166,16 @@ spec: restartPolicy: {{ .Values.backup.cronjob.restartPolicy }} volumes: - name: empty-dir - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.backup.emptyDir.sizeLimit }} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} defaultMode: 0550 {{- if .Values.tls.enabled }} - name: certs - emptyDir: {} + emptyDir: + sizeLimit: 64Mi {{- if (include "mongodb.autoGenerateCerts" .) }} - name: certs-volume secret: diff --git a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml index 5b2a807d84..493c2b2cfe 100644 --- a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml +++ b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml @@ -514,7 +514,8 @@ spec: {{- end }} volumes: - name: empty-dir - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.hidden.emptyDir.sizeLimit }} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} @@ -531,7 +532,8 @@ spec: {{- end }} {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} - name: shared - emptyDir: {} + emptyDir: + sizeLimit: 64Mi {{- end }} - name: scripts configMap: @@ -542,7 +544,8 @@ spec: {{- end }} {{- if .Values.tls.enabled }} - name: certs - emptyDir: {} + emptyDir: + sizeLimit: 64Mi {{- if (include "mongodb.autoGenerateCerts" .) }} - name: certs-volume secret: @@ -568,8 +571,10 @@ spec: {{- if .Values.hidden.persistence.medium }} emptyDir: medium: {{ .Values.hidden.persistence.medium | quote }} + sizeLimit: 64Mi {{- else }} - emptyDir: {} + emptyDir: + sizeLimit: 64Mi {{- end }} {{- else }} volumeClaimTemplates: diff --git a/kubernetes/common/mongodb/templates/networkpolicy.yaml b/kubernetes/common/mongodb/templates/networkpolicy.yaml index f6d62ca867..63c4d715d4 100644 
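Review bot: The literal `sizeLimit: 64Mi` in the last hidden/statefulset hunk (`@@ -568`) is applied to the emptyDir that stands in for the hidden member's data volume when persistence is off (the `else` branch of that block is `volumeClaimTemplates:`), and 64Mi is likely far too small for a MongoDB data directory, so the pod would be evicted as soon as the limit is exceeded. The other emptyDir in the same file reads `.Values.hidden.emptyDir.sizeLimit`; the data volume should use the same or a dedicated value, e.g. `sizeLimit: {{ .Values.hidden.emptyDir.sizeLimit }}`, rather than a hard-coded literal. The replicaset statefulset (`@@ -566`) and standalone dep-sts (`@@ -481`) on the following lines put the same literal in the same position. The enclosing `volumes:` list continues outside the hunk.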
--- a/kubernetes/common/mongodb/templates/networkpolicy.yaml +++ b/kubernetes/common/mongodb/templates/networkpolicy.yaml @@ -80,4 +80,4 @@ spec: {{- if $extraIngress }} {{- include "common.tplvalues.render" ( dict "value" $extraIngress "context" $ ) | nindent 4 }} {{- end }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml index 55158e8fb0..7de00e7925 100644 --- a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml +++ b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml @@ -512,7 +512,8 @@ spec: {{- end }} volumes: - name: empty-dir - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.replicaSet.emptyDir.sizeLimit }} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} @@ -529,7 +530,8 @@ spec: {{- end }} {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} - name: shared - emptyDir: {} + emptyDir: + sizeLimit: 64Mi {{- end }} - name: scripts configMap: @@ -540,7 +542,8 @@ spec: {{- end }} {{- if .Values.tls.enabled }} - name: certs - emptyDir: {} + emptyDir: + sizeLimit: 64Mi {{- if (include "mongodb.autoGenerateCerts" .) }} - name: certs-volume secret: @@ -566,8 +569,10 @@ spec: {{- if .Values.persistence.medium }} emptyDir: medium: {{ .Values.persistence.medium | quote }} + sizeLimit: 64Mi {{- else }} - emptyDir: {} + emptyDir: + sizeLimit: 64Mi {{- end }} {{- else }} {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }} diff --git a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml index 29dd406bca..817698beed 100644 --- a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml +++ b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml @@ -437,7 +437,8 @@ spec: {{- end }} volumes: - name: empty-dir - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.standalone.emptyDir.sizeLimit }} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} 
@@ -457,7 +458,8 @@ spec: {{- end }} {{- if .Values.tls.enabled }} - name: certs - emptyDir: {} + emptyDir: + sizeLimit: 64Mi {{- if (include "mongodb.autoGenerateCerts" .) }} - name: certs-volume secret: @@ -481,8 +483,10 @@ spec: {{- if .Values.persistence.medium }} emptyDir: medium: {{ .Values.persistence.medium | quote }} + sizeLimit: 64Mi {{- else }} - emptyDir: {} + emptyDir: + sizeLimit: 64Mi {{- end }} {{- else if .Values.persistence.existingClaim }} - name: {{ .Values.persistence.name | default "datadir" }} diff --git a/kubernetes/common/mongodb/values.yaml b/kubernetes/common/mongodb/values.yaml index 8d995ce973..7628846a3e 100644 --- a/kubernetes/common/mongodb/values.yaml +++ b/kubernetes/common/mongodb/values.yaml @@ -120,7 +120,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/mongodb - tag: 7.0.5-debian-12-r5 + tag: 7.0.8-debian-12-r2 digest: "" ## Specify a imagePullPolicy ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images @@ -246,7 +246,7 @@ tls: image: registry: docker.io repository: bitnami/nginx - tag: 1.25.4-debian-12-r1 + tag: 1.25.4-debian-12-r7 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -307,6 +307,14 @@ hostAliases: [] ## @param replicaSetName Name of the replica set (only when `architecture=replicaset`) ## Ignored when mongodb.architecture=standalone ## +replicaSet: + emptyDir: + sizeLimit: 1Gi + +standalone: + emptyDir: + sizeLimit: 1Gi + replicaSetName: rs0 ## @param replicaSetHostnames Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) ## Ignored when mongodb.architecture=standalone 
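Review bot: The new `replicaSet:` and `standalone:` blocks in the values.yaml hunk `@@ -307` are inserted between the `## @param replicaSetName ...` comment block and `replicaSetName: rs0`, so that doc line no longer sits on the key it describes, which breaks the file's `## @param` convention the README generator relies on. Move the two blocks above that comment and give each new key its own line in the same style, e.g. `## @param replicaSet.emptyDir.sizeLimit Size limit for the replicaset pods' empty-dir volume`. The `backup`, `arbiter` and `hidden` `emptyDir.sizeLimit` additions on the next two lines likewise carry no `## @param` line.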
@@ -571,15 +579,17 @@ podSecurityContext: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: - drop: ["ALL"] + drop: + - ALL + - CAP_NET_RAW seccompProfile: type: "RuntimeDefault" ## MongoDB(®) containers' resource requests and limits. @@ -834,7 +844,7 @@ externalAccess: image: registry: docker.io repository: bitnami/kubectl - tag: 1.29.2-debian-12-r1 + tag: 1.29.3-debian-12-r3 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1164,6 +1174,8 @@ backup: ## @param backup.enabled Enable the logical dump of the database "regularly" ## enabled: false + emptyDir: + sizeLimit: 1Gi ## Fine tuning cronjob's config ## cronjob: @@ -1203,15 +1215,17 @@ backup: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: - drop: ["ALL"] + drop: + - ALL + - CAP_NET_RAW seccompProfile: type: "RuntimeDefault" ## @param backup.cronjob.command Set backup container's command to run @@ -1382,7 +1396,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 12-debian-12-r15 + tag: 12-debian-12-r18 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
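Review bot: In both `containerSecurityContext` hunks here (`@@ -571` and `@@ -1203`) `CAP_NET_RAW` is appended to a drop list that already contains `ALL`, so the extra entry is redundant; the Kubernetes API examples and the PodSecurity "restricted" profile also spell capabilities without the `CAP_` prefix (`NET_RAW`), so if an explicit entry is wanted it should use that form. The `hidden` stanza on the next line (`@@ -1946`) keeps `drop: ["ALL"]` while `arbiter` gets the two-entry form, so the four stanzas now diverge for no stated reason; `drop: ["ALL"]` everywhere is the simplest consistent choice. Moving `runAsGroup` from `0` to `1001` together with `readOnlyRootFilesystem: true` changes which paths the Bitnami image can write; the emptyDir mounts added in the templates presumably cover them, but this deserves a render-and-run check rather than an assumption.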
@@ -1429,11 +1443,13 @@ volumePermissions: ## @param volumePermissions.securityContext.runAsUser User ID for the volumePermissions container ## securityContext: - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 0 ## @section Arbiter parameters ## arbiter: + emptyDir: + sizeLimit: 1Gi ## @param arbiter.enabled Enable deploying the arbiter ## https://docs.mongodb.com/manual/tutorial/add-replica-set-arbiter/ ## @@ -1603,15 +1619,17 @@ arbiter: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: - drop: ["ALL"] + drop: + - ALL + - CAP_NET_RAW seccompProfile: type: "RuntimeDefault" ## MongoDB(®) Arbiter containers' resource requests and limits. @@ -1777,6 +1795,8 @@ hidden: ## https://docs.mongodb.com/manual/tutorial/configure-a-hidden-replica-set-member/ ## enabled: false + emptyDir: + sizeLimit: 1Gi ## @param hidden.automountServiceAccountToken Mount Service Account token in pod ## automountServiceAccountToken: false @@ -1946,12 +1966,12 @@ hidden: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] 
@@ -1963,7 +1983,7 @@ hidden: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param hidden.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). + ## @param hidden.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## resourcesPreset: "none" @@ -2180,7 +2200,7 @@ metrics: image: registry: docker.io repository: bitnami/mongodb-exporter - tag: 0.40.0-debian-12-r11 + tag: 0.40.0-debian-12-r15 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/kubernetes/common/network-name-gen/Chart.yaml b/kubernetes/common/network-name-gen/Chart.yaml deleted file mode 100644 index 88336f49c3..0000000000 --- a/kubernetes/common/network-name-gen/Chart.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: Name Generation Micro Service
-name: network-name-gen
-version: 13.0.0
-
-dependencies:
- - name: common
- version: ~13.x-0
- repository: 'file://../common'
- - name: repositoryGenerator
- version: ~13.x-0
- repository: 'file://../repositoryGenerator'
- - name: mariadb-galera
- version: ~13.x-0
- repository: 'file://../mariadb-galera'
- condition: global.mariadbGalera.localCluster
- - name: mariadb-init
- version: ~13.x-0
- repository: 'file://../mariadb-init'
- condition: global.mariadbGalera.globalCluster
- - name: serviceAccount
- version: ~13.x-0
- repository: '@local'
\ No newline at end of file diff --git a/kubernetes/common/network-name-gen/resources/config/aai_keystore b/kubernetes/common/network-name-gen/resources/config/aai_keystore Binary files differdeleted file mode 100644 index 83cae95273..0000000000 --- a/kubernetes/common/network-name-gen/resources/config/aai_keystore +++ /dev/null diff --git a/kubernetes/common/network-name-gen/templates/deployment.yaml b/kubernetes/common/network-name-gen/templates/deployment.yaml deleted file mode 100644 index 6bba995b11..0000000000 --- a/kubernetes/common/network-name-gen/templates/deployment.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -{{/* -# Copyright (C) 2018 AT&T Intellectual Property. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: -{{- if .Values.global.mariadbGalera.localCluster }} - - --app-name - - {{ index .Values "mariadb-galera" "nameOverride" }} -{{- else }} - - --job-name - - {{ include "common.release" . }}-{{ index .Values "mariadb-init" "nameOverride" }}-config-job -{{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" - containers: - - name: {{ include "common.name" . }} - command: - - bash - args: - - '-c' - - 'export POL_BASIC_AUTH=`echo -n $POL_BASIC_AUTH_USER:$POL_BASIC_AUTH_PASSWORD | base64`; /startService.sh' - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: SPRING_PROFILE - value: "{{ .Values.config.springProfile }}" - - name: NENG_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "login") | indent 10}} - - name: NENG_DB_PASS - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "password") | indent 10}} - - name: NENG_DB_URL - value: jdbc:mysql://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ index .Values "mariadb-galera" "db" "name" }} - - name: POL_CLIENT_AUTH - value: "{{ .Values.config.polClientAuth }}" - - name: POL_BASIC_AUTH_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "login") | indent 10}} - - name: POL_BASIC_AUTH_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "password") | indent 10}} - - name: POL_URL - {{- if (include "common.needTLS" .) }} - value: "{{ .Values.config.polUrl.https }}" - {{- else }} - value: "{{ .Values.config.polUrl.http }}" - {{- end }} - - name: POL_ENV - value: "{{ .Values.config.polEnv }}" - - name: POL_REQ_ID - value: "{{ .Values.config.polReqId }}" - - name: AAI_CERT_PASS - value: "{{ .Values.config.aaiCertPass }}" - - name: AAI_CERT_PATH - value: "{{ .Values.config.aaiCertPath }}" - - name: AAI_URI - {{- if (include "common.needTLS" .) }} - value: "{{ .Values.config.aaiUri.https }}" - {{- else }} - value: "{{ .Values.config.aaiUri.http }}" - {{- end }} - - name: AAI_AUTH - value: "{{ .Values.config.aaiAuth }}" - - name: DISABLE_HOST_VERIFICATION - value: "{{ .Values.config.disableHostVerification }}" - volumeMounts: - - name: certs - mountPath: /opt/etc/config/aai_keystore - subPath: aai_keystore - readOnly: true - resources: {{ include "common.resources" . 
| nindent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: certs - secret: - secretName: {{ include "common.release" . }}-aai-keystore - {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/network-name-gen/templates/secrets.yaml b/kubernetes/common/network-name-gen/templates/secrets.yaml deleted file mode 100644 index 61b83d7a9b..0000000000 --- a/kubernetes/common/network-name-gen/templates/secrets.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{/* -# Copyright (c) 2018 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} ---- -apiVersion: v1 -data: -{{ tpl (.Files.Glob "resources/config/aai_keystore").AsSecrets . | indent 2 }} -metadata: - name: {{ include "common.release" . }}-aai-keystore - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -kind: Secret -type: Opaque 
diff --git a/kubernetes/common/network-name-gen/templates/service.yaml b/kubernetes/common/network-name-gen/templates/service.yaml deleted file mode 100644 index aac71f7eb3..0000000000 --- a/kubernetes/common/network-name-gen/templates/service.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{/* -# Copyright (C) 2018 AT&T Intellectual Property. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app.kubernetes.io/name: {{ include "common.name" . }} - app.kubernetes.io/instance: {{ include "common.release" . }} - 
diff --git a/kubernetes/common/network-name-gen/values.yaml b/kubernetes/common/network-name-gen/values.yaml deleted file mode 100644 index e028e39545..0000000000 --- a/kubernetes/common/network-name-gen/values.yaml +++ /dev/null 
@@ -1,149 +0,0 @@ -# Copyright (C) 2018 AT&T Intellectual Property. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Global configuration default values that can be inherited by -# all subcharts. -################################################################# -global: - - # Change to an unused port prefix range to prevent port conflicts - # with other instances running within the same k8s cluster - nodePortPrefix: 302 - - # image pull policy - pullPolicy: IfNotPresent - - mariadbGalera: &mariadbGalera - # flag to enable the DB creation via mariadb-operator - useOperator: true - #This flag allows SO to instantiate its own mariadb-galera cluster - #When changing it to "true", also set "globalCluster: false" - #as the dependency check will not work otherwise (Chart.yaml) - localCluster: false - globalCluster: true - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: neng-db-secret - name: &dbUserSecretName '{{ include "common.release" . }}-neng-db-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.externalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - - uid: pol-basic-auth-secret - name: '{{ include "common.release" . 
}}-pol-basic-auth-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.polBasicAuthSecret) . }}' - login: '{{ .Values.config.polBasicAuthUser }}' - password: '{{ .Values.config.polBasicAuthPassword }}' - -# sub-chart config -mariadb-galera: - db: - user: sdnctl - # password: - externalSecret: *dbUserSecretName - name: &mysqlDbName nengdb - nameOverride: nengdb - service: - name: nengdb - portName: nengdbport - replicaCount: 1 - mariadbOperator: - galera: - enabled: false - - persistence: - enabled: true - mountSubPath: network-name-gen/data - -mariadb-init: - config: - userCredentialsExternalSecret: *dbUserSecretName - mysqlDatabase: *mysqlDbName - nameOverride: nengdb-init - serviceAccount: - nameOverride: nengdb-init - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/ccsdk-apps-ms-neng:1.4.0 -pullPolicy: IfNotPresent - -# application configuration -config: - db: - userName: nenguser - # userPassword: password - # userCredentialsExternalSecret: some-secret - springProfile: live - polClientAuth: cHl0aG9uOnRlc3Q= - polBasicAuthUser: healthcheck - polBasicAuthPassword: zb!XztG34 - polUrl: - https: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision - http: http://policy-xacml-pdp:6969/policy/pdpx/v1/decision - polEnv: TEST - polReqId: xx - disableHostVerification: true - aaiCertPass: changeit - aaiCertPath: /opt/etc/config/aai_keystore - aaiAuth: QUFJOkFBSQ== - aaiUri: - https: https://aai:8443/aai/v14/ - http: http://aai:80/aai/v14/ - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false - -readiness: - 
initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: neng-serv - portName: http - internalPort: 8080 - externalPort: 8080 - -ingress: - enabled: false - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: network-name-gen - roles: - - read
\ No newline at end of file diff --git a/kubernetes/common/postgres-init/.helmignore b/kubernetes/common/postgres-init/.helmignore index f0c1319444..0bab41b6b1 100644 --- a/kubernetes/common/postgres-init/.helmignore +++ b/kubernetes/common/postgres-init/.helmignore @@ -19,3 +19,14 @@ .project .idea/ *.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/postgres-init/Chart.yaml b/kubernetes/common/postgres-init/Chart.yaml index 81f566f9e1..4951ed6359 100644 --- a/kubernetes/common/postgres-init/Chart.yaml +++ b/kubernetes/common/postgres-init/Chart.yaml @@ -1,5 +1,6 @@ # Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,19 +17,19 @@ apiVersion: v2 description: Chart for Postgres init job name: postgres-init -version: 13.0.1 +version: 13.0.3 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' + repository: '@local' - name: readinessCheck version: ~13.x-0 repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: '@local'
\ No newline at end of file + repository: '@local' diff --git a/kubernetes/common/postgres-init/templates/job.yaml b/kubernetes/common/postgres-init/templates/job.yaml index 6736559b81..a2f7e12274 100644 --- a/kubernetes/common/postgres-init/templates/job.yaml +++ b/kubernetes/common/postgres-init/templates/job.yaml @@ -28,11 +28,18 @@ spec: backoffLimit: 20 template: metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - command: @@ -70,15 +77,13 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /config-input/setup.sql name: config subPath: setup.sql - mountPath: /config name: pgconf resources: {{ include "common.resources" . | nindent 10 }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} nodeSelector: @@ -90,14 +95,12 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config configMap: name: {{ include "common.fullname" . }} - name: pgconf emptyDir: + sizeLimit: 64Mi medium: Memory restartPolicy: Never {{- include "common.imagePullSecrets" . | nindent 6 }} 
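Review bot: The annotation `traffic.sidecar.istio.io/excludeOutboundPorts: "443"` added in the first job.yaml hunk (`@@ -28`) bypasses the sidecar for every outbound connection on port 443, not only the Kubernetes API the comment describes, so any other HTTPS traffic from the job leaves the mesh unobserved and outside mesh policy. If the API server is the only intended exception, `traffic.sidecar.istio.io/excludeOutboundIPRanges` scoped to the API server's service IP is the narrower form; otherwise the comment should say what the exclusion actually covers. The comment's `Workarround` should read `Workaround`. The pod `spec:` the hunk opens continues outside the hunk.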
diff --git a/kubernetes/common/postgres-init/values.yaml b/kubernetes/common/postgres-init/values.yaml index d2eb090142..99be8354be 100644 --- a/kubernetes/common/postgres-init/values.yaml +++ b/kubernetes/common/postgres-init/values.yaml @@ -19,6 +19,7 @@ global: postgres: service: name: pgset + name2: tcp-pgset-primary container: name: postgres @@ -96,10 +97,15 @@ serviceAccount: roles: - read +securityContext: + user_id: 26 + group_id: 26 + readinessCheck: wait_for: - - '{{ .Values.global.postgres.container.name }}' + services: + - '{{ .Values.global.postgres.service.name2 }}' wait_for_job_container: containers: - - '{{ include "common.name" . }}-update-config'
\ No newline at end of file + - '{{ include "common.name" . }}-update-config' diff --git a/kubernetes/common/postgres/.helmignore b/kubernetes/common/postgres/.helmignore index f0c1319444..0bab41b6b1 100644 --- a/kubernetes/common/postgres/.helmignore +++ b/kubernetes/common/postgres/.helmignore @@ -19,3 +19,14 @@ .project .idea/ *.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/postgres/Chart.yaml b/kubernetes/common/postgres/Chart.yaml index 3920d8e73d..562b69fd0e 100644 --- a/kubernetes/common/postgres/Chart.yaml +++ b/kubernetes/common/postgres/Chart.yaml @@ -22,7 +22,7 @@ version: 13.1.0 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator'
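Review bot: `name2: tcp-pgset-primary` under `global.postgres.service` (first postgres-init values.yaml hunk, `@@ -19`) is an opaque key: nothing states how it differs from `name: pgset`, and its only visible consumer is the new `readinessCheck.wait_for.services` entry in the second hunk. Because it is a `global` value other charts may read, renaming it is a cross-chart change, but at minimum a comment should state the contract, e.g. `# Service name of the postgres primary that readinessCheck waits for`. The new `securityContext.user_id`/`group_id: 26` are presumably consumed by the `common.podSecurityContext`/`common.containerSecurityContext` includes added to job.yaml; whether uid 26 matches the user baked into the update-config image is not visible here and should be confirmed before relying on `runAsNonRoot`-style enforcement.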
\ No newline at end of file + repository: '@local' diff --git a/kubernetes/common/postgres/configs/pg_hba.conf b/kubernetes/common/postgres/configs/pg_hba.conf index 580185c6f0..d8918409e8 100644 --- a/kubernetes/common/postgres/configs/pg_hba.conf +++ b/kubernetes/common/postgres/configs/pg_hba.conf @@ -65,4 +65,3 @@ #local all all trust # IPv4 local connections: host all all 0.0.0.0/0 md5 - diff --git a/kubernetes/common/postgres/templates/_deployment.tpl b/kubernetes/common/postgres/templates/_deployment.tpl index aae5da9195..ff701a2c10 100644 --- a/kubernetes/common/postgres/templates/_deployment.tpl +++ b/kubernetes/common/postgres/templates/_deployment.tpl @@ -222,9 +222,6 @@ spec: {{ toYaml $dot.Values.affinity | indent 10 }} {{- end }} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" $dot }}-backup emptyDir: {} - name: {{ include "common.fullname" $dot }}-data diff --git a/kubernetes/common/postgres/templates/deployment-primary.yaml b/kubernetes/common/postgres/templates/deployment-primary.yaml index 535eefa8cf..7947559211 100644 --- a/kubernetes/common/postgres/templates/deployment-primary.yaml +++ b/kubernetes/common/postgres/templates/deployment-primary.yaml @@ -15,4 +15,4 @@ */}} {{- if not .Values.global.postgres.useOperator }} {{ include "common.postgres.deployment" (dict "dot" . "pgMode" "primary") }} -{{- end }}
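Review bot: postgres/Chart.yaml switches both dependencies to `repository: '@local'` but leaves `version: 13.1.0` (visible as hunk context) untouched, whereas postgres-init's Chart.yaml is bumped `13.0.1` to `13.0.3` for the same kind of change. Published chart versions are generally treated as immutable, so repackaging different content under the same number is hard to distinguish downstream; a patch bump, e.g. `version: 13.1.1`, keeps the two charts consistent.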
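Review bot: The `-backup` volume in the postgres `_deployment.tpl` hunk (`@@ -222`) keeps `emptyDir: {}` with no `sizeLimit`, while the same commit bounds every other emptyDir it touches (the mongodb templates and postgres-init's `pgconf`); an unbounded emptyDir lets a runaway backup consume node ephemeral storage. A value-driven limit in the same style as the mongodb charts (`emptyDir:` followed by `sizeLimit:` read from a new values.yaml key such as a `backup.emptyDir.sizeLimit` entry) would close the gap; how the backup volume is used is not visible in this hunk, so the size should be chosen from that. The `volumes:` list continues outside the hunk.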
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/postgres/templates/deployment-replica.yaml b/kubernetes/common/postgres/templates/deployment-replica.yaml index 97c7e11053..246e1e9a07 100644 --- a/kubernetes/common/postgres/templates/deployment-replica.yaml +++ b/kubernetes/common/postgres/templates/deployment-replica.yaml @@ -15,4 +15,4 @@ */}} {{- if not .Values.global.postgres.useOperator }} {{ include "common.postgres.deployment" (dict "dot" . "pgMode" "replica") }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/postgres/templates/metrics-svc-primary.yaml b/kubernetes/common/postgres/templates/metrics-svc-primary.yaml index 00a5182eb1..b8d7912210 100644 --- a/kubernetes/common/postgres/templates/metrics-svc-primary.yaml +++ b/kubernetes/common/postgres/templates/metrics-svc-primary.yaml @@ -35,4 +35,4 @@ spec: name: {{ .Values.container.name.primary }} release: {{ include "common.release" . }} {{- end }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/postgres/templates/metrics-svc-replica.yaml b/kubernetes/common/postgres/templates/metrics-svc-replica.yaml index b8b9e793e8..6d9990a7bc 100644 --- a/kubernetes/common/postgres/templates/metrics-svc-replica.yaml +++ b/kubernetes/common/postgres/templates/metrics-svc-replica.yaml @@ -35,4 +35,4 @@ spec: name: {{ .Values.container.name.replica }} release: {{ include "common.release" . }} {{- end }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/postgres/templates/postgres.yaml b/kubernetes/common/postgres/templates/postgres.yaml index aca6aa260f..0dad7f5886 100644 --- a/kubernetes/common/postgres/templates/postgres.yaml +++ b/kubernetes/common/postgres/templates/postgres.yaml @@ -16,4 +16,4 @@ {{- if .Values.global.postgres.useOperator }} {{ include "common.postgresOpInstance" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/postgres/templates/pv-primary.yaml b/kubernetes/common/postgres/templates/pv-primary.yaml index 8db79d665e..9e73ceb8e3 100644 --- a/kubernetes/common/postgres/templates/pv-primary.yaml +++ b/kubernetes/common/postgres/templates/pv-primary.yaml @@ -38,4 +38,4 @@ spec: path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/primary {{- end -}} {{- end -}} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/postgres/templates/pvc-replica.yaml b/kubernetes/common/postgres/templates/pvc-replica.yaml index f59adf736a..e71284fcec 100644 --- a/kubernetes/common/postgres/templates/pvc-replica.yaml +++ b/kubernetes/common/postgres/templates/pvc-replica.yaml @@ -43,4 +43,4 @@ spec: storageClassName: {{ include "common.storageClass" . }} {{- end }} {{- end }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/postgres/templates/service-replica.yaml b/kubernetes/common/postgres/templates/service-replica.yaml index 68694561bd..878a02ef66 100644 --- a/kubernetes/common/postgres/templates/service-replica.yaml +++ b/kubernetes/common/postgres/templates/service-replica.yaml @@ -40,4 +40,4 @@ spec: selector: name: "{{.Values.container.name.replica}}" release: {{ include "common.release" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/postgres/templates/servicemonitor.yaml b/kubernetes/common/postgres/templates/servicemonitor.yaml index 522e515545..3fb716b133 100644 --- a/kubernetes/common/postgres/templates/servicemonitor.yaml +++ b/kubernetes/common/postgres/templates/servicemonitor.yaml @@ -17,4 +17,4 @@ {{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} {{- end }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/readinessCheck/.helmignore b/kubernetes/common/readinessCheck/.helmignore new file mode 100644 index 0000000000..0bab41b6b1 --- /dev/null +++ b/kubernetes/common/readinessCheck/.helmignore @@ -0,0 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/readinessCheck/Chart.yaml b/kubernetes/common/readinessCheck/Chart.yaml index a53c7ab980..c9134177c2 100644 --- a/kubernetes/common/readinessCheck/Chart.yaml +++ b/kubernetes/common/readinessCheck/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: Template used to wait for other deployment/sts/jobs in onap name: readinessCheck -version: 13.0.0 +version: 13.1.1 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator'
\ No newline at end of file + repository: '@local' diff --git a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl index 879be1288f..42f526148a 100644 --- a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl +++ b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl @@ -42,6 +42,14 @@ pods: - test-pod + the powerful one allows also to wait for a service to be + available, which means all pods are deployed, which are + selected by the service definition: + wait_for: + name: myservice + services: + - mariadb-galera-service + the powerful one allows also to wait for pods with the given "app" label: wait_for: @@ -62,8 +70,8 @@ - .dot : environment (.) - .initRoot : the root dictionary of readinessCheck submodule (default to .Values.readinessCheck) - - .wait_for : list of containers / pods /apps / jobs to wait for (default to - .Values.wait_for) + - .wait_for : list of service / containers / pods /apps / jobs to wait for + (default to .Values.wait_for) Example calls: {{ include "common.readinessCheck.waitFor" . }} @@ -76,6 +84,7 @@ {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} {{- $wait_for := default $initRoot.wait_for .wait_for -}} {{- $containers := index (ternary (dict "containers" $wait_for) $wait_for (kindIs "slice" $wait_for)) "containers" -}} +{{- $services := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "services" -}} {{- $pods := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "pods" -}} {{- $apps := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "apps" -}} {{- $namePart := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "name" -}} 
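Review bot: With `repository: '@local'` the `common` and `repositoryGenerator` dependencies of readinessCheck now resolve through whatever Helm repository the build host has registered under the name `local`, instead of the in-tree path the previous `file://../...` entries pinned; the same switch is made in serviceAccount/Chart.yaml and timescaledb/Chart.yaml further down. The chart no longer records where those dependencies come from, so a README line or a Chart.yaml comment should state which repository must be registered as `local` and that it has to be populated with matching chart versions before `helm dependency update`. Committing the resulting `Chart.lock` alongside would also record the resolved dependency digest.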
@@ -86,6 +95,13 @@ securityContext: runAsUser: {{ $subchartDot.Values.user }} runAsGroup: {{ $subchartDot.Values.group }} + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW command: - /app/ready.py args: @@ -97,6 +113,10 @@ - --pod-name - {{ tpl $pod $dot }} {{- end }} + {{- range $service := default (list) $services }} + - --service-name + - {{ tpl $service $dot }} + {{- end }} {{- range $app := default (list) $apps }} - --app-name - {{ tpl $app $dot }} diff --git a/kubernetes/common/repositoryGenerator/.helmignore b/kubernetes/common/repositoryGenerator/.helmignore new file mode 100644 index 0000000000..0bab41b6b1 --- /dev/null +++ b/kubernetes/common/repositoryGenerator/.helmignore @@ -0,0 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index 1da838a5b9..e708926049 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl @@ -2,6 +2,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Copyright © 2021 AT&T # Modifications Copyright (C) 2021 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
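Review bot: `- CAP_NET_RAW` in the new `capabilities.drop` list is redundant, since the `- ALL` entry above it already drops NET_RAW, and Kubernetes documents capability names without the `CAP_` prefix, so whether the prefixed spelling is honoured is runtime-dependent. Keep `drop` with `- ALL` alone, or spell the extra entry `NET_RAW` if an admission policy in use checks for it explicitly. The block also still relies on `runAsUser: {{ $subchartDot.Values.user }}` alone to keep the container unprivileged; adding `runAsNonRoot: true` next to it would let the kubelet reject a values override that sets the user to 0. The enclosing container definition starts before the hunk.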
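Review bot: The new `--service-name` arguments are passed to `/app/ready.py` whenever `services` is set, but support for that flag presumably depends on the readiness image, which this change set bumps to `onap/oom/readiness:6.0.3` in repositoryGenerator/values.yaml; an environment that overrides `readinessImage` with the previous tag would fail inside the init container rather than at template time. A comment above the range, `{{/* --service-name requires the readiness image pinned in repositoryGenerator (6.0.3 in this change); earlier tags may not accept it */}}`, would make the coupling visible. The surrounding args list continues outside the hunk.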
@@ -139,6 +140,10 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "nginxImage") .) }} {{- end -}} +{{- define "repositoryGenerator.image.mongodbImage" -}} + {{- include "repositoryGenerator.image._helper" (merge (dict "image" "mongodbImage") .) }} +{{- end -}} + {{- define "repositoryGenerator.image.postgres" -}} {{- include "repositoryGenerator.image._helper" (merge (dict "image" "postgresImage") .) }} {{- end -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index 03ffddafd1..1c0909fce1 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml @@ -37,12 +37,13 @@ global: kubectlImage: bitnami/kubectl:1.22.4 loggingImage: beats/filebeat:5.5.0 mariadbImage: bitnami/mariadb:10.5.8 + mongodbImage: percona/percona-server-mongodb:7.0.5-3 nginxImage: bitnami/nginx:1.21.4 postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 - readinessImage: onap/oom/readiness:5.0.1 + readinessImage: onap/oom/readiness:6.0.3 dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 drProvClientImage: onap/dmaap/datarouter-prov-client:2.1.15 - quitQuitImage: onap/oom/readiness:5.0.1 + quitQuitImage: onap/oom/readiness:6.0.3 # Default credentials # they're optional. If the target repository doesn't need them, comment them @@ -71,6 +72,7 @@ imageRepoMapping: kubectlImage: dockerHubRepository loggingImage: elasticRepository mariadbImage: dockerHubRepository + mongodbImage: dockerHubRepository nginxImage: dockerHubRepository postgresImage: dockerHubRepository readinessImage: repository diff --git a/kubernetes/common/serviceAccount/.helmignore b/kubernetes/common/serviceAccount/.helmignore new file mode 100644 index 0000000000..0bab41b6b1 --- /dev/null +++ b/kubernetes/common/serviceAccount/.helmignore 
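Review bot: The new define is named `repositoryGenerator.image.mongodbImage`, while the neighbouring `repositoryGenerator.image.postgres` uses the bare name and carries the `Image` suffix only in its `dict "image" "postgresImage"` argument; if the rest of this file follows the short form, `repositoryGenerator.image.mongodb` would match it and callers would use `{{ include "repositoryGenerator.image.mongodb" . }}`. Whichever name is kept, a one-line comment above the define naming the values key it reads (the `mongodbImage` entry added to values.yaml in this change) would help, since the `_helper` indirection hides it.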
@@ -0,0 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml index 7afd31f4d9..b691c40903 100644 --- a/kubernetes/common/serviceAccount/Chart.yaml +++ b/kubernetes/common/serviceAccount/Chart.yaml @@ -23,4 +23,4 @@ version: 13.0.1 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common'
\ No newline at end of file + repository: '@local' diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml index 83cb945ba9..d6d041f916 100644 --- a/kubernetes/common/serviceAccount/templates/role.yaml +++ b/kubernetes/common/serviceAccount/templates/role.yaml @@ -128,6 +128,7 @@ rules: - pods/exec verbs: - create + - get - apiGroups: - cert-manager.io resources: diff --git a/kubernetes/common/serviceAccount/templates/service-account.yaml b/kubernetes/common/serviceAccount/templates/service-account.yaml index 20bd94f49a..683d5d2984 100644 --- a/kubernetes/common/serviceAccount/templates/service-account.yaml +++ b/kubernetes/common/serviceAccount/templates/service-account.yaml @@ -21,4 +21,4 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} -{{- end }}
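Review bot: The `get` verb added on `pods/exec` is not a read-only grant: the exec subresource is reached through a GET (WebSocket upgrade) as well as a POST, so the new verb opens the same remote-shell capability as the existing `create`, over a second transport, rather than adding inspection rights. If a client needs the WebSocket path, a comment in the rule, `# get: exec over WebSocket (GET upgrade) - same privilege as create`, records why both verbs are granted and keeps a later audit from reading it as harmless. The rule's `resources` list starts before the hunk, so which role type this applies to is not visible here.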
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/timescaledb/.helmignore b/kubernetes/common/timescaledb/.helmignore index 50af031725..0bab41b6b1 100644 --- a/kubernetes/common/timescaledb/.helmignore +++ b/kubernetes/common/timescaledb/.helmignore @@ -19,4 +19,14 @@ .project .idea/ *.tmproj -.vscode/ +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml index d8b9869817..8ce460061d 100644 --- a/kubernetes/common/timescaledb/Chart.yaml +++ b/kubernetes/common/timescaledb/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 appVersion: "1.0" description: ONAP timescaledb name: timescaledb -version: 13.0.0 +version: 13.0.1 dependencies: - name: common @@ -33,4 +33,4 @@ dependencies: repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator'
\ No newline at end of file + repository: '@local' diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml index 653326be5f..031241dbaf 100644 --- a/kubernetes/common/timescaledb/templates/statefulset.yaml +++ b/kubernetes/common/timescaledb/templates/statefulset.yaml @@ -29,27 +29,12 @@ spec: metadata: {{- include "common.templateMetadata" (dict "ignoreHelmChart" true "dot" . ) | nindent 6 }} spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} - {{ include "common.podSecurityContext" . | indent 10 | trim}} - initContainers: - # we shouldn't need this but for unknown reason, it's fsGroup is not - # applied - - name: fix-permission - command: - - /bin/sh - args: - - -c - - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /var/lib/postgresql/data - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: /var/lib/postgresql/data - name: {{ include "common.fullname" . }} + {{ include "common.podSecurityContext" . | indent 6 | trim}} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim}} ports: {{ include "common.containerPorts" . | nindent 12 }} livenessProbe: exec: 
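Review bot: Removing the `fix-permission` init container leaves ownership of `/var/lib/postgresql/data` entirely to the `fsGroup` rendered by `common.podSecurityContext`, whereas the deleted comment said that fsGroup was not being applied; nothing in the hunk explains what changed, and a fresh volume on a storage class that does not apply fsGroup would leave the uid-70 process unable to write, with no root fallback left. A short comment where the include now sits, e.g. `# data dir ownership relies on fsGroup (no chown init container any more); confirm the storage class applies it`, would record the assumption, and an upgrade note would help operators on clusters where the old container was doing the work. The statefulset spec continues beyond the hunk.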
@@ -80,10 +65,15 @@ spec: mountPath: /docker-entrypoint-initdb.d - name: {{ include "common.fullname" . }} mountPath: /var/lib/postgresql/data + - name: var-run + mountPath: /var/run/postgresql volumes: - name: {{ include "common.fullname" . }}-init configMap: name: {{ include "common.fullname" . }}-init + - name: var-run + emptyDir: + sizeLimit: {{ .Values.dirSizes.varDir.sizeLimit }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -94,9 +84,9 @@ spec: {{- end }} {{- with .Values.tolerations }} tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} volumeClaimTemplates: - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence "ignoreHelmChart" true) | indent 6 | trim }} -{{- end }} + {{- end }} diff --git a/kubernetes/common/timescaledb/values.yaml b/kubernetes/common/timescaledb/values.yaml index 2643f55062..35beab7ea1 100644 --- a/kubernetes/common/timescaledb/values.yaml +++ b/kubernetes/common/timescaledb/values.yaml @@ -21,9 +21,9 @@ global: persistence: {} ################################################################# -# Secrets. +# Image ############################################################## -image: timescale/timescaledb:2.5.1-pg14 +image: timescale/timescaledb:2.16.1-pg14 pullPolicy: Always containerPorts: 5432 @@ -41,11 +41,6 @@ securityContext: # Uid and gid to run the entrypoint of the container process (uid 70 is postgres user and gid 70 is postgres group) user_id: 70 group_id: 70 - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true flavor: small @@ -114,6 +109,10 @@ config: pgRootUserName: postgres pgDatabase: timescaledb +dirSizes: + varDir: + sizeLimit: 64Mi + secrets: - uid: root-creds type: basicAuth |
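Review bot: The image bump from `timescale/timescaledb:2.5.1-pg14` to `2.16.1-pg14` is a large extension version jump on a chart with persistent data, and the hunk carries no upgrade note; a new container on an existing volume keeps the old extension version loaded in each database until `ALTER EXTENSION timescaledb UPDATE;` has been run there, and the TimescaleDB release notes should be checked for intermediate steps across that range. A comment above the image line, `# upgrading across TimescaleDB versions requires ALTER EXTENSION timescaledb UPDATE in each database; see release notes`, would record that. The tag remains a mutable tag rather than a digest, consistent with the rest of the file.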