aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/common
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/common')
-rw-r--r--kubernetes/common/cassandra/resources/exec.py4
-rw-r--r--kubernetes/common/cassandra/resources/restore.sh2
-rw-r--r--kubernetes/common/cassandra/templates/backup/cronjob.yaml5
-rwxr-xr-xkubernetes/common/certInitializer/resources/import-custom-certs.sh61
-rw-r--r--kubernetes/common/certInitializer/templates/_certInitializer.yaml74
-rw-r--r--kubernetes/common/certInitializer/values.yaml12
-rw-r--r--kubernetes/common/logConfiguration/Chart.yaml18
-rw-r--r--kubernetes/common/logConfiguration/requirements.yaml18
-rw-r--r--kubernetes/common/logConfiguration/templates/_log.tpl41
-rw-r--r--kubernetes/common/logConfiguration/values.yaml15
-rw-r--r--kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml5
11 files changed, 247 insertions, 8 deletions
diff --git a/kubernetes/common/cassandra/resources/exec.py b/kubernetes/common/cassandra/resources/exec.py
index 5b3ae33371..a7f297399e 100644
--- a/kubernetes/common/cassandra/resources/exec.py
+++ b/kubernetes/common/cassandra/resources/exec.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
import getopt
import logging
import os
@@ -7,7 +7,7 @@ import time
from kubernetes import config
from kubernetes.client import Configuration
-from kubernetes.client.apis import core_v1_api
+from kubernetes.client.api import core_v1_api
from kubernetes.client.rest import ApiException
from kubernetes.stream import stream
diff --git a/kubernetes/common/cassandra/resources/restore.sh b/kubernetes/common/cassandra/resources/restore.sh
index b9deb32316..798ab6c53c 100644
--- a/kubernetes/common/cassandra/resources/restore.sh
+++ b/kubernetes/common/cassandra/resources/restore.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
# Initialize variables
ss_dir=""
diff --git a/kubernetes/common/cassandra/templates/backup/cronjob.yaml b/kubernetes/common/cassandra/templates/backup/cronjob.yaml
index e4f2aabfa0..f536be5053 100644
--- a/kubernetes/common/cassandra/templates/backup/cronjob.yaml
+++ b/kubernetes/common/cassandra/templates/backup/cronjob.yaml
@@ -13,6 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
+{{- $global := . }}
{{- if .Values.backup.enabled }}
apiVersion: batch/v1beta1
kind: CronJob
@@ -52,7 +53,7 @@ spec:
image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- - /bin/bash
+ - /bin/sh
- -c
- |
clearSnapshot(){
@@ -237,7 +238,7 @@ spec:
{{- range $i := until (int .Values.replicaCount)}}
- name: data-dir-{{ $i }}
persistentVolumeClaim:
- claimName: {{ include "common.fullname" . }}-data-{{ $i }}
+ claimName: {{ include "common.fullname" $global }}-data-{{ include "common.fullname" $global }}-{{ $i }}
{{- end }}
- name: backup-dir
persistentVolumeClaim:
diff --git a/kubernetes/common/certInitializer/resources/import-custom-certs.sh b/kubernetes/common/certInitializer/resources/import-custom-certs.sh
new file mode 100755
index 0000000000..dd311830e7
--- /dev/null
+++ b/kubernetes/common/certInitializer/resources/import-custom-certs.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# Copyright © 2020 Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+CERTS_DIR=${CERTS_DIR:-/certs}
+WORK_DIR=${WORK_DIR:-/updatedTruststore}
+ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks}
+JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts}
+TRUSTSTORE_OUTPUT_FILENAME=${TRUSTSTORE_OUTPUT_FILENAME:-truststore.jks}
+
+mkdir -p $WORK_DIR
+
+# Decrypt and move relevant files to WORK_DIR
+for f in $CERTS_DIR/*; do
+ if [[ $AAF_ENABLED == false ]] && [[ $f == *$ONAP_TRUSTSTORE* ]]; then
+ # Dont use onap truststore when aaf is disabled
+ continue
+ fi
+ if [[ $f == *.sh ]]; then
+ continue
+ fi
+ if [[ $f == *.b64 ]]
+ then
+ base64 -d $f > $WORK_DIR/`basename $f .b64`
+ else
+ cp $f $WORK_DIR/.
+ fi
+done
+
+# Prepare truststore output file
+if [[ $AAF_ENABLED == true ]]
+ then
+ mv $WORK_DIR/$ONAP_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME
+ else
+ echo "AAF is disabled, using JRE truststore"
+ cp $JRE_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME
+fi
+
+# Import Custom Certificates
+for f in $WORK_DIR/*; do
+ if [[ $f == *.pem ]]; then
+ echo "importing certificate: $f"
+ keytool -import -file $f -alias `basename $f` -keystore $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -storepass $TRUSTSTORE_PASSWORD -noprompt
+ if [[ $? != 0 ]]; then
+ echo "failed importing certificate: $f"
+ exit 1
+ fi
+ fi
+done
diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
index 1250c1225e..c453f11c85 100644
--- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml
+++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
@@ -1,5 +1,5 @@
{{/*
-# Copyright © 2020 Samsung Electronics
+# Copyright © 2020 Bell Canada, Samsung Electronics
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -96,6 +96,51 @@
value: "{{ $initRoot.public_fqdn | default "" }}"
{{- end -}}
+{{/*
+ This init container will import custom .pem certificates to truststoreONAPall.jks
+ Custom certificates must be placed in common/certInitializer/resources directory.
+
+ The feature is enabled by setting Values.global.importCustomCertsEnabled = true
+ It can be used independently of aafEnabled, however it requires the same includes
+ as describe above for _initContainer.
+
+ When AAF is enabled the truststoreONAPAll.jks (which contains AAF CA) will be used
+ to import custom certificates, otherwise the default java keystore will be used.
+
+ The updated truststore file will be placed in /updatedTruststore and can be mounted per component
+ to a specific path by defining Values.certInitializer.truststoreMountpath (see _trustStoreVolumeMount)
+ The truststore file will be available to mount even if no custom certificates were imported.
+*/}}
+{{- define "common.certInitializer._initImportCustomCertsContainer" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
+{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
+- name: {{ include "common.name" $dot }}-import-custom-certs
+ image: {{ $subchartDot.Values.global.jreImage }}
+ imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
+ securityContext:
+ runAsUser: 0
+ command:
+ - /bin/bash
+ - -c
+ - /root/import-custom-certs.sh
+ env:
+ - name: AAF_ENABLED
+ value: "{{ $subchartDot.Values.global.aafEnabled }}"
+ - name: TRUSTSTORE_OUTPUT_FILENAME
+ value: "{{ $initRoot.truststoreOutputFileName }}"
+ - name: TRUSTSTORE_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "truststore-creds" "key" "password") | indent 6 }}
+ volumeMounts:
+ - mountPath: /certs
+ name: aaf-agent-certs
+ - mountPath: /root/import-custom-certs.sh
+ name: aaf-agent-certs
+ subPath: import-custom-certs.sh
+ - mountPath: /updatedTruststore
+ name: updated-truststore
+{{- end -}}
+
{{- define "common.certInitializer._volumeMount" -}}
{{- $dot := default . .dot -}}
{{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
@@ -103,6 +148,21 @@
name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
{{- end -}}
+{{/*
+ This is used together with _initImportCustomCertsContainer
+ It mounts the updated truststore (with imported custom certificates) to the
+ truststoreMountpath defined in the values file for the component.
+*/}}
+{{- define "common.certInitializer._trustStoreVolumeMount" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
+{{- if gt (len $initRoot.truststoreMountpath) 0 }}
+- mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }}
+ name: updated-truststore
+ subPath: {{ $initRoot.truststoreOutputFileName }}
+{{- end -}}
+{{- end -}}
+
{{- define "common.certInitializer._volumes" -}}
{{- $dot := default . .dot -}}
{{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
@@ -121,10 +181,17 @@
name: {{ include "common.fullname" $subchartDot }}-add-config
defaultMode: 0700
{{- end -}}
+{{- if $dot.Values.global.importCustomCertsEnabled }}
+- name: updated-truststore
+ emptyDir: {}
+{{- end -}}
{{- end -}}
{{- define "common.certInitializer.initContainer" -}}
{{- $dot := default . .dot -}}
+ {{- if $dot.Values.global.importCustomCertsEnabled }}
+ {{ include "common.certInitializer._initImportCustomCertsContainer" . }}
+ {{- end -}}
{{- if $dot.Values.global.aafEnabled }}
{{ include "common.certInitializer._initContainer" . }}
{{- end -}}
@@ -135,11 +202,14 @@
{{- if $dot.Values.global.aafEnabled }}
{{- include "common.certInitializer._volumeMount" . }}
{{- end -}}
+ {{- if $dot.Values.global.importCustomCertsEnabled }}
+ {{- include "common.certInitializer._trustStoreVolumeMount" . }}
+ {{- end -}}
{{- end -}}
{{- define "common.certInitializer.volumes" -}}
{{- $dot := default . .dot -}}
- {{- if $dot.Values.global.aafEnabled }}
+ {{- if or ($dot.Values.global.aafEnabled ) ($dot.Values.global.importCustomCertsEnabled) }}
{{- include "common.certInitializer._volumes" . }}
{{- end -}}
{{- end -}}
diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml
index 416282f72a..271e410069 100644
--- a/kubernetes/common/certInitializer/values.yaml
+++ b/kubernetes/common/certInitializer/values.yaml
@@ -1,4 +1,4 @@
-# Copyright © 2020 Samsung Electronics
+# Copyright © 2020 Bell Canada, Samsung Electronics
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@ global:
repository: nexus3.onap.org:10001
aafAgentImage: onap/aaf/aaf_agent:2.1.20
aafEnabled: true
+ jreImage: registry.gitlab.com/onap-integration/docker/onap-java
pullPolicy: Always
@@ -26,6 +27,11 @@ secrets:
login: '{{ .Values.aafDeployFqi }}'
password: '{{ .Values.aafDeployPass }}'
passwordPolicy: required
+ - uid: truststore-creds
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.truststoreCredsExternalSecret) . }}'
+ password: '{{ .Values.truststorePassword }}'
+ passwordPolicy: required
readinessCheck:
wait_for:
@@ -45,3 +51,7 @@ cadi_latitude: "38.0"
cadi_longitude: "-72.0"
aaf_add_config: ""
mountPath: "/opt/app/osaaf"
+importCustomCertsEnabled: false
+truststoreMountpath: ""
+truststoreOutputFileName: truststore.jks
+truststorePassword: changeit
diff --git a/kubernetes/common/logConfiguration/Chart.yaml b/kubernetes/common/logConfiguration/Chart.yaml
new file mode 100644
index 0000000000..1d13dcbd56
--- /dev/null
+++ b/kubernetes/common/logConfiguration/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2017 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: Template used to create same STDOUT log configuration
+name: logConfiguration
+version: 6.0.0
diff --git a/kubernetes/common/logConfiguration/requirements.yaml b/kubernetes/common/logConfiguration/requirements.yaml
new file mode 100644
index 0000000000..237f1d1354
--- /dev/null
+++ b/kubernetes/common/logConfiguration/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2018 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: common
+ version: ~6.x-0
+ repository: 'file://../common'
diff --git a/kubernetes/common/logConfiguration/templates/_log.tpl b/kubernetes/common/logConfiguration/templates/_log.tpl
new file mode 100644
index 0000000000..bf19f210e4
--- /dev/null
+++ b/kubernetes/common/logConfiguration/templates/_log.tpl
@@ -0,0 +1,41 @@
+{{/*
+# Copyright © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{/*
+ Resolve the level of the logs.
+ The value for .Values.logLevel is used by default,
+ unless either override mechanism is used.
+
+ - .Values.global.logLevel : override default log level for all components
+ - .Values.logLevelOverride : override global and default log level on a per
+ component basis
+
+ The function can takes below arguments (inside a dictionary):
+ - .dot : environment (.)
+ - .initRoot : the root dictionary of logConfiguration submodule
+ (default to .Values.logConfiguration)
+*/}}
+{{- define "common.log.level" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.logConfiguration .initRoot -}}
+{{/* Our version of helm doesn't support deepCopy so we need this nasty trick */}}
+{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
+ {{- if $subchartDot.Values.logLevelOverride }}
+ {{- printf "%s" $subchartDot.Values.logLevelOverride -}}
+ {{- else }}
+ {{- default $subchartDot.Values.logLevel $subchartDot.Values.global.logLevel -}}
+ {{- end }}
+{{- end -}}
diff --git a/kubernetes/common/logConfiguration/values.yaml b/kubernetes/common/logConfiguration/values.yaml
new file mode 100644
index 0000000000..7ebb0ff84e
--- /dev/null
+++ b/kubernetes/common/logConfiguration/values.yaml
@@ -0,0 +1,15 @@
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+logLevel: INFO
diff --git a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml
index 29d96748a3..0c05977322 100644
--- a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml
+++ b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml
@@ -90,6 +90,8 @@ spec:
volumeMounts:
- name: backup-dir
mountPath: /backup
+ - name: db-data
+ mountPath: /var/lib/mysql
containers:
- name: mariadb-backup-validate
image: "{{ include "common.repository" . }}/{{ .Values.backupImage }}"
@@ -164,4 +166,7 @@ spec:
- name: backup-dir
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-backup-data
+ - name: db-data
+ persistentVolumeClaim:
+ claimName: {{ include "common.fullname" . }}-data-{{ include "common.fullname" . }}-{{ sub .Values.replicaCount 1 }}
{{- end }}