Diffstat (limited to 'kubernetes/policy')
28 files changed, 1469 insertions, 1 deletions
diff --git a/kubernetes/policy/components/policy-clamp-be/Chart.yaml b/kubernetes/policy/components/policy-clamp-be/Chart.yaml
new file mode 100644
index 0000000000..fd48cc2243
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-be/Chart.yaml
@@ -0,0 +1,19 @@
+# Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2018 AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: ONAP Policy Clamp Backend
+name: policy-clamp-be
+version: 7.0.0
diff --git a/kubernetes/policy/components/policy-clamp-be/requirements.yaml b/kubernetes/policy/components/policy-clamp-be/requirements.yaml
new file mode 100644
index 0000000000..734166b43d
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-be/requirements.yaml
@@ -0,0 +1,22 @@
+# Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2018 AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: certInitializer
+ version: ~7.x-0
+ repository: '@local'
+ - name: repositoryGenerator
+ version: ~7.x-0
+ repository: '@local'
\ No newline at end of file
diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties b/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties
new file mode 100644
index 0000000000..17185cc4bb
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties
@@ -0,0 +1,71 @@
+{{/*
+###
+# ============LICENSE_START=======================================================
+# ONAP CLAMP
+# ================================================================================
+# Copyright (C) 2017-2019 AT&T Intellectual Property. All rights
+# reserved.
+# ================================================================================
+# Modifications copyright (c) 2019 Nokia
+# ================================================================================\
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END============================================
+# ===================================================================
+#
+###
+*/}}
+{{- if .Values.global.aafEnabled }}
+server.ssl.key-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }}
+server.ssl.key-store-password=${cadi_keystore_password_p12}
+server.ssl.key-password=${cadi_key_password}
+server.ssl.key-store-type=PKCS12
+server.ssl.key-alias={{ .Values.certInitializer.fqi }}
+
+# The key file used to decode the key store and trust store password
+# If not defined, the key store and trust store password will not be decrypted
+clamp.config.keyFile=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keyFile }}
+
+## Config part for Client certificates
+server.ssl.client-auth=want
+server.ssl.trust-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }}
+server.ssl.trust-store-password=${cadi_truststore_password}
+{{- end }}
+
+#clds datasource connection details
+spring.datasource.username=${MYSQL_USER}
+spring.datasource.password=${MYSQL_PASSWORD}
+spring.datasource.url=jdbc:mariadb:sequential://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyclamp?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3
+spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller,clamp-ssl-config,clamp-policy-controller,default-dictionary-elements
+
+#The log folder that will be used in logback.xml file
+clamp.config.files.sdcController=file:/opt/policy/clamp/sdc-controllers-config.json
+
+#
+# Configuration Settings for Policy Engine Components
+clamp.config.policy.api.url=https4://policy-api.{{ include "common.namespace" . }}:6969
+clamp.config.policy.api.userName=healthcheck
+clamp.config.policy.api.password=zb!XztG34
+clamp.config.policy.pap.url=https4://policy-pap.{{ include "common.namespace" . }}:6969
+clamp.config.policy.pap.userName=healthcheck
+clamp.config.policy.pap.password=zb!XztG34
+
+#DCAE Inventory Url Properties
+clamp.config.dcae.inventory.url=https4://inventory.{{ include "common.namespace" . }}:8080
+clamp.config.dcae.dispatcher.url=https4://deployment-handler.{{ include "common.namespace" . }}:8443
+#DCAE Deployment Url Properties
+clamp.config.dcae.deployment.url=https4://deployment-handler.{{ include "common.namespace" . }}:8443
+clamp.config.dcae.deployment.userName=none
+clamp.config.dcae.deployment.password=none
+
+#AAF related parameters
+clamp.config.cadi.aafLocateUrl=https://aaf-locate.{{ include "common.namespace" . }}:8095
diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh b/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh
new file mode 100755
index 0000000000..329479fad2
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+{{/*
+# Copyright © 2017 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2018, 2020-2021 AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+mysql -h"${MYSQL_HOST}" -P"${MYSQL_PORT}" -u"${MYSQL_USER}" -p"${MYSQL_PASSWORD}" policyclamp < /dbcmd-config/policy-clamp-create-tables.sql
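Review bot: The `clamp.config.policy.api.password` and `clamp.config.policy.pap.password` entries carry a literal credential in the chart, and templates/configmap.yaml in this same commit globs `resources/config/*` into a ConfigMap, so the value is readable by anyone who can read the repository or the ConfigMap. The same applies to the `"password"` field in resources/config/sdc-controllers-config.json. The datasource entries a few lines above already show the pattern to follow; something like `clamp.config.policy.api.password=${POLICY_API_PASSWORD}` (variable name illustrative), fed from a Secret through the Deployment's `env:`, keeps the value out of the ConfigMap. Separately, `server.ssl.client-auth=want` makes the client certificate optional, so it is worth confirming that unauthenticated TLS clients are rejected at the application layer.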
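Review bot: The database password is passed on the command line as `-p"${MYSQL_PASSWORD}"`, which exposes it in the process argument list inside the container and in any shell trace of this script. Supplying it through the client's environment or an option file instead keeps it off argv, e.g. expose the secret to the Job as `MYSQL_PWD` and call `mysql -h"${MYSQL_HOST}" -P"${MYSQL_PORT}" -u"${MYSQL_USER}" policyclamp < /dbcmd-config/policy-clamp-create-tables.sql`; whether the client in the configured `db.image` honours that variable should be confirmed.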
diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/log/filebeat/filebeat.yml b/kubernetes/policy/components/policy-clamp-be/resources/config/log/filebeat/filebeat.yml
new file mode 100644
index 0000000000..8717e6f33a
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-be/resources/config/log/filebeat/filebeat.yml
@@ -0,0 +1,55 @@
+{{/*
+# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+filebeat.prospectors:
+#it is mandatory, in our case it's log
+- input_type: log
+ #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory.
+ paths:
+ - /var/log/onap/*/*/*/*.log
+ - /var/log/onap/*/*/*.log
+ - /var/log/onap/*/*.log
+ #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive
+ ignore_older: 48h
+ # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit
+ clean_inactive: 96h
+
+# Name of the registry file. If a relative path is used, it is considered relative to the
+# data path. Else full qualified file name.
+#filebeat.registry_file: ${path.data}/registry
+
+
+output.logstash:
+ #List of logstash server ip addresses with port number.
+ #But, in our case, this will be the loadbalancer IP address.
+ #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately.
+ hosts: ["{{.Values.config.log.logstashServiceName}}:{{.Values.config.log.logstashPort}}"]
+ #If enable will do load balancing among availabe Logstash, automatically.
+ loadbalance: true
+
+ #The list of root certificates for server verifications.
+ #If certificate_authorities is empty or not set, the trusted
+ #certificate authorities of the host system are used.
+ #ssl.certificate_authorities: $ssl.certificate_authorities
+
+ #The path to the certificate for SSL client authentication. If the certificate is not specified,
+ #client authentication is not available.
+ #ssl.certificate: $ssl.certificate
+
+ #The client certificate key used for client authentication.
+ #ssl.key: $ssl.key
+
+ #The passphrase used to decrypt an encrypted key stored in the configured key file
+ #ssl.key_passphrase: $ssl.key_passphrase
diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/policy-clamp-create-tables.sql b/kubernetes/policy/components/policy-clamp-be/resources/config/policy-clamp-create-tables.sql
new file mode 100644
index 0000000000..1f153bce04
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-be/resources/config/policy-clamp-create-tables.sql
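Review bot: Every `ssl.*` option under `output.logstash` is commented out, so as written the application logs collected from `/var/log/onap/...` appear to be shipped to Logstash without TLS or server verification. If the Logstash endpoint supports it, the block should set at least the CA list, e.g. `ssl.certificate_authorities: ["<path-to-ca.pem>"]` (placeholder path), driven from chart values. If plaintext inside the cluster is a deliberate choice, a comment stating so next to `hosts:` would save the next reviewer the question.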
@@ -0,0 +1,257 @@ + + create table dictionary ( + name varchar(255) not null, + created_by varchar(255), + created_timestamp datetime(6) not null, + updated_by varchar(255), + updated_timestamp datetime(6) not null, + dictionary_second_level integer, + dictionary_type varchar(255), + primary key (name) + ) engine=InnoDB; + + create table dictionary_elements ( + short_name varchar(255) not null, + created_by varchar(255), + created_timestamp datetime(6) not null, + updated_by varchar(255), + updated_timestamp datetime(6) not null, + description varchar(255) not null, + name varchar(255) not null, + subdictionary_name varchar(255), + type varchar(255) not null, + primary key (short_name) + ) engine=InnoDB; + + create table dictionary_to_dictionaryelements ( + dictionary_name varchar(255) not null, + dictionary_element_short_name varchar(255) not null, + primary key (dictionary_name, dictionary_element_short_name) + ) engine=InnoDB; + + create table hibernate_sequence ( + next_val bigint + ) engine=InnoDB; + + insert into hibernate_sequence values ( 1 ); + + create table loop_element_models ( + name varchar(255) not null, + created_by varchar(255), + created_timestamp datetime(6) not null, + updated_by varchar(255), + updated_timestamp datetime(6) not null, + blueprint_yaml MEDIUMTEXT, + dcae_blueprint_id varchar(255), + loop_element_type varchar(255) not null, + short_name varchar(255), + primary key (name) + ) engine=InnoDB; + + create table loop_logs ( + id bigint not null, + log_component varchar(255) not null, + log_instant datetime(6) not null, + log_type varchar(255) not null, + message MEDIUMTEXT not null, + loop_id varchar(255) not null, + primary key (id) + ) engine=InnoDB; + + create table loop_templates ( + name varchar(255) not null, + created_by varchar(255), + created_timestamp datetime(6) not null, + updated_by varchar(255), + updated_timestamp datetime(6) not null, + allowed_loop_type varchar(255), + blueprint_yaml MEDIUMTEXT, + dcae_blueprint_id 
varchar(255), + maximum_instances_allowed integer, + svg_representation MEDIUMTEXT, + unique_blueprint boolean default false, + service_uuid varchar(255), + primary key (name) + ) engine=InnoDB; + + create table loopelementmodels_to_policymodels ( + loop_element_name varchar(255) not null, + policy_model_type varchar(255) not null, + policy_model_version varchar(255) not null, + primary key (loop_element_name, policy_model_type, policy_model_version) + ) engine=InnoDB; + + create table loops ( + name varchar(255) not null, + created_by varchar(255), + created_timestamp datetime(6) not null, + updated_by varchar(255), + updated_timestamp datetime(6) not null, + dcae_deployment_id varchar(255), + dcae_deployment_status_url varchar(255), + global_properties_json json, + last_computed_state varchar(255) not null, + svg_representation MEDIUMTEXT, + loop_template_name varchar(255) not null, + service_uuid varchar(255), + primary key (name) + ) engine=InnoDB; + + create table loops_to_microservicepolicies ( + loop_name varchar(255) not null, + microservicepolicy_name varchar(255) not null, + primary key (loop_name, microservicepolicy_name) + ) engine=InnoDB; + + create table looptemplates_to_loopelementmodels ( + loop_element_model_name varchar(255) not null, + loop_template_name varchar(255) not null, + flow_order integer not null, + primary key (loop_element_model_name, loop_template_name) + ) engine=InnoDB; + + create table micro_service_policies ( + name varchar(255) not null, + created_by varchar(255), + created_timestamp datetime(6) not null, + updated_by varchar(255), + updated_timestamp datetime(6) not null, + configurations_json json, + json_representation json not null, + pdp_group varchar(255), + pdp_sub_group varchar(255), + context varchar(255), + dcae_blueprint_id varchar(255), + dcae_deployment_id varchar(255), + dcae_deployment_status_url varchar(255), + device_type_scope varchar(255), + shared bit not null, + loop_element_model_id varchar(255), + 
policy_model_type varchar(255), + policy_model_version varchar(255), + primary key (name) + ) engine=InnoDB; + + create table operational_policies ( + name varchar(255) not null, + created_by varchar(255), + created_timestamp datetime(6) not null, + updated_by varchar(255), + updated_timestamp datetime(6) not null, + configurations_json json, + json_representation json not null, + pdp_group varchar(255), + pdp_sub_group varchar(255), + loop_element_model_id varchar(255), + policy_model_type varchar(255), + policy_model_version varchar(255), + loop_id varchar(255) not null, + primary key (name) + ) engine=InnoDB; + + create table policy_models ( + policy_model_type varchar(255) not null, + version varchar(255) not null, + created_by varchar(255), + created_timestamp datetime(6) not null, + updated_by varchar(255), + updated_timestamp datetime(6) not null, + policy_acronym varchar(255), + policy_tosca MEDIUMTEXT, + policy_pdp_group json, + primary key (policy_model_type, version) + ) engine=InnoDB; + + create table services ( + service_uuid varchar(255) not null, + name varchar(255) not null, + resource_details json, + service_details json, + version varchar(255), + primary key (service_uuid) + ) engine=InnoDB; + + alter table dictionary_to_dictionaryelements + add constraint FK68hjjinnm8nte2owstd0xwp23 + foreign key (dictionary_element_short_name) + references dictionary_elements (short_name); + + alter table dictionary_to_dictionaryelements + add constraint FKtqfxg46gsxwlm2gkl6ne3cxfe + foreign key (dictionary_name) + references dictionary (name); + + alter table loop_logs + add constraint FK1j0cda46aickcaoxqoo34khg2 + foreign key (loop_id) + references loops (name); + + alter table loop_templates + add constraint FKn692dk6281wvp1o95074uacn6 + foreign key (service_uuid) + references services (service_uuid); + + alter table loopelementmodels_to_policymodels + add constraint FK23j2q74v6kaexefy0tdabsnda + foreign key (policy_model_type, policy_model_version) + 
references policy_models (policy_model_type, version); + + alter table loopelementmodels_to_policymodels + add constraint FKjag1iu0olojfwryfkvb5o0rk5 + foreign key (loop_element_name) + references loop_element_models (name); + + alter table loops + add constraint FK844uwy82wt0l66jljkjqembpj + foreign key (loop_template_name) + references loop_templates (name); + + alter table loops + add constraint FK4b9wnqopxogwek014i1shqw7w + foreign key (service_uuid) + references services (service_uuid); + + alter table loops_to_microservicepolicies + add constraint FKle255jmi7b065fwbvmwbiehtb + foreign key (microservicepolicy_name) + references micro_service_policies (name); + + alter table loops_to_microservicepolicies + add constraint FK8avfqaf7xl71l7sn7a5eri68d + foreign key (loop_name) + references loops (name); + + alter table looptemplates_to_loopelementmodels + add constraint FK1k7nbrbugvqa0xfxkq3cj1yn9 + foreign key (loop_element_model_name) + references loop_element_models (name); + + alter table looptemplates_to_loopelementmodels + add constraint FKj29yxyw0x7ue6mwgi6d3qg748 + foreign key (loop_template_name) + references loop_templates (name); + + alter table micro_service_policies + add constraint FKqvvdypacbww07fuv8xvlvdjgl + foreign key (loop_element_model_id) + references loop_element_models (name); + + alter table micro_service_policies + add constraint FKn17j9ufmyhqicb6cvr1dbjvkt + foreign key (policy_model_type, policy_model_version) + references policy_models (policy_model_type, version); + + alter table operational_policies + add constraint FKi9kh7my40737xeuaye9xwbnko + foreign key (loop_element_model_id) + references loop_element_models (name); + + alter table operational_policies + add constraint FKlsyhfkoqvkwj78ofepxhoctip + foreign key (policy_model_type, policy_model_version) + references policy_models (policy_model_type, version); + + alter table operational_policies + add constraint FK1ddoggk9ni2bnqighv6ecmuwu + foreign key (loop_id) + references 
loops (name); diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json b/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json new file mode 100644 index 0000000000..3adda95c11 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json @@ -0,0 +1,18 @@ +{ + "sdc-connections":{ + "sdc-controller":{ + "user": "clamp", + "consumerGroup": "clamp", + "consumerId": "clamp", + "environmentName": "AUTO", + "sdcAddress": "sdc-be.{{ include "common.namespace" . }}:8443", + "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981", + "pollingInterval":30, + "pollingTimeout":30, + "activateServerTLSAuth":"false", + "keyStorePassword":"", + "keyStorePath":"", + "messageBusAddresses":["message-router.{{ include "common.namespace" . }}"] + } + } +} diff --git a/kubernetes/policy/components/policy-clamp-be/templates/NOTES.txt b/kubernetes/policy/components/policy-clamp-be/templates/NOTES.txt new file mode 100644 index 0000000000..e36d6a5bfb --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-be/templates/NOTES.txt 
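Review bot: `"activateServerTLSAuth":"false"` together with the empty `keyStorePassword` and `keyStorePath` suggests the SDC client connects to `sdc-be...:8443` without verifying the server's certificate; the exact semantics live in the SDC client and should be confirmed. If verification is available in this deployment (the certInitializer truststore is already mounted for the main container), these three fields should be templated from values rather than fixed here. The literal `"password"` value in this file has the same ConfigMap exposure as the passwords in application.properties.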
@@ -0,0 +1,32 @@
+# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range .Values.ingress.hosts }}
+ http://{{ . }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit https://127.0.0.1:8443 to use your application"
+ kubectl port-forward $POD_NAME 8443:{{ .Values.service.internalPort }}
+{{- end }}
diff --git a/kubernetes/policy/components/policy-clamp-be/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-be/templates/configmap.yaml
new file mode 100644
index 0000000000..aeadc37bd4
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-be/templates/configmap.yaml
@@ -0,0 +1,31 @@
+{{/*
+# Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2018 AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-configmap
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
+
+{{ include "common.log.configMap" . }}
diff --git a/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml
new file mode 100644
index 0000000000..1120f9b2b6
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml
@@ -0,0 +1,126 @@
+{{/*
+# Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2018 AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "common.fullname" . }}
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ include "common.name" . }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "common.name" . }}
+ release: {{ include "common.release" . }}
+ spec:
+ initContainers:
+ - command:
+ - /app/ready.py
+ args:
+ - --job-name
+ - {{ include "common.release" . }}-policy-clamp-galera-config
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ image: {{ include "repositoryGenerator.image.readiness" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-readiness
+{{ include "common.certInitializer.initContainer" . | indent 6 }}
+ containers:
+ # side car containers
+ {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }}
+ # main container
+ - name: {{ include "common.name" . }}
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - sh
+ workingDir: "/opt/policy/clamp/"
+ args:
+ - -c
+ - |
+ {{- if .Values.global.aafEnabled }}
+ export $(grep '^cadi_' {{ .Values.certInitializer.credsPath }}/org.onap.clamp.cred.props | xargs -0)
+ {{- end }}
+ java -Djava.security.egd=file:/dev/./urandom ${JAVA_RAM_CONFIGURATION} -jar ./policy-clamp-backend.jar
+ ports:
+ - containerPort: {{ .Values.service.internalPort }}
+ # disable liveness probe when breakpoints set in debugger
+ # so K8s doesn't restart unresponsive container
+ {{- if eq .Values.liveness.enabled true }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Values.service.internalPort }}
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+ {{ end -}}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.service.internalPort }}
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
+ - name: logs
+ mountPath: {{ .Values.log.path }}
+ - mountPath: /opt/policy/clamp/sdc-controllers-config.json
+ name: {{ include "common.fullname" . }}-config
+ subPath: sdc-controllers-config.json
+ - mountPath: /opt/policy/clamp/application.properties
+ name: {{ include "common.fullname" . }}-config
+ subPath: application.properties
+ env:
+ - name: MYSQL_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12 }}
+ - name: MYSQL_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12 }}
+ {{- if ne "unlimited" (include "common.flavor" .) }}
+ - name: JAVA_RAM_CONFIGURATION
+ value: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=75
+ {{- end }}
+ resources: {{ include "common.resources" . | nindent 12 }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }}
+ {{- end -}}
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 10 }}
+ {{- end }}
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
+ - name: {{ include "common.fullname" . }}-config
+ configMap:
+ name: {{ include "common.fullname" . }}-configmap
+ items:
+ - key: sdc-controllers-config.json
+ path: sdc-controllers-config.json
+ - key: application.properties
+ path: application.properties
+ - name: logs
+ emptyDir: {}
+ {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }}
+ imagePullSecrets:
+ - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/policy/components/policy-clamp-be/templates/job.yaml b/kubernetes/policy/components/policy-clamp-be/templates/job.yaml
new file mode 100755
index 0000000000..c5c968a2e1
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-be/templates/job.yaml
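Review bot: In the main container's start script, `export $(grep '^cadi_' ... | xargs -0)` leaves the command substitution unquoted, so each keystore/truststore password line is subject to word splitting and pathname expansion before `export` sees it. A generated password containing whitespace or a glob character such as `*` would then be exported truncated or altered, and the TLS properties in application.properties that read `${cadi_*}` would fail in a way that is hard to diagnose. At minimum put `set -f` before the export; reading the file line by line and running `export "$line"` per entry is more robust. Neither container in this template sets a `securityContext`; unless the common templates add one, `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are worth adding here.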
@@ -0,0 +1,84 @@
+{{/*
+# Copyright © 2018 Amdocs, Bell Canada
+# Modifications Copyright © 2020-2021 AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "common.release" . }}-policy-clamp-galera-config
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}-policy-clamp-job
+ release: {{ include "common.release" . }}
+spec:
+ template:
+ metadata:
+ labels:
+ app: {{ include "common.name" . }}-policy-clamp-job
+ release: {{ include "common.release" . }}
+ spec:
+ initContainers:
+#This container checks that all galera instances are up before initializing it.
+ - name: {{ include "common.name" . }}-readiness
+ image: {{ include "repositoryGenerator.image.readiness" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - /app/ready.py
+ - --job-name
+ - {{ include "common.release" . }}-policy-galera-config
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ containers:
+ - name: {{ include "common.release" . }}-policy-clamp-galera-config
+ image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.db.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts:
+ - mountPath: /dbcmd-config/create-db-tables.sh
+ name: {{ include "common.fullname" . }}-config
+ subPath: create-db-tables.sh
+ - mountPath: /dbcmd-config/policy-clamp-create-tables.sql
+ name: {{ include "common.fullname" . }}-config
+ subPath: policy-clamp-create-tables.sql
+ command:
+ - /bin/sh
+ args:
+ - -x
+ - /dbcmd-config/create-db-tables.sh
+ env:
+ - name: MYSQL_HOST
+ value: "{{ .Values.db.service.name }}"
+ - name: MYSQL_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 10 }}
+ - name: MYSQL_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 10 }}
+ - name: MYSQL_PORT
+ value: "{{ .Values.db.service.internalPort }}"
+ resources:
+{{ include "common.resources" . }}
+ restartPolicy: Never
+ volumes:
+ - name: {{ include "common.fullname" . }}-config
+ configMap:
+ name: {{ include "common.fullname" . }}-configmap
+ items:
+ - key: create-db-tables.sh
+ path: create-db-tables.sh
+ - key: policy-clamp-create-tables.sql
+ path: policy-clamp-create-tables.sql
diff --git a/kubernetes/policy/components/policy-clamp-be/templates/secrets.yaml b/kubernetes/policy/components/policy-clamp-be/templates/secrets.yaml
new file mode 100644
index 0000000000..4cf8155f6c
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-be/templates/secrets.yaml
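Review bot: The job container runs the script with `sh -x` (`args: - -x`), and create-db-tables.sh expands `-p"${MYSQL_PASSWORD}"` on its one command line, so the trace written to stderr will contain the database password in clear text in the pod log and in whatever log pipeline collects it. Drop the `- -x` entry from `args:`. The Job also sets no `backoffLimit` or `ttlSecondsAfterFinished`, so a failing schema load retries with the cluster default and completed pods, with their logs, are retained; setting both explicitly would bound that.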
@@ -0,0 +1,18 @@
+{{/*
+# Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2018 AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/policy/components/policy-clamp-be/templates/service.yaml b/kubernetes/policy/components/policy-clamp-be/templates/service.yaml
new file mode 100644
index 0000000000..c01d36a53d
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-be/templates/service.yaml
@@ -0,0 +1,42 @@
+{{/*
+# Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2018 AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "common.servicename" . }}
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ {{if eq .Values.service.type "NodePort" -}}
+ - port: {{ .Values.service.internalPort }}
+ nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
+ name: {{ .Values.service.portName }}
+ {{- else -}}
+ - port: {{ .Values.service.externalPort }}
+ targetPort: {{ .Values.service.internalPort }}
+ name: {{ .Values.service.portName }}
+ {{- end}}
+ selector:
+ app: {{ include "common.name" . }}
+ release: {{ include "common.release" . }}
diff --git a/kubernetes/policy/components/policy-clamp-be/values.yaml b/kubernetes/policy/components/policy-clamp-be/values.yaml
new file mode 100644
index 0000000000..1446ac42b6
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-be/values.yaml
@@ -0,0 +1,154 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018-2019 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: # global defaults + nodePortPrefix: 302 + persistence: {} + centralizedLoggingEnabled: true + #AAF service + aafEnabled: true + +################################################################# +# AAF part +################################################################# +certInitializer: + permission_user: 1000 + permission_group: 999 + keystoreFile: 'org.onap.clamp.p12' + truststoreFile: 'org.onap.clamp.trust.jks' + keyFile: 'org.onap.clamp.keyfile' + truststoreFileONAP: 'truststoreONAPall.jks' + nameOverride: clamp-backend-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! 
+ fqdn: clamp + fqi: clamp@clamp.onap.org + public_fqdn: clamp.onap.org + cadi_longitude: '-72.0' + cadi_latitude: '38.0' + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + aaf_add_config: > + /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop; + grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_truststore_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_truststore_password.pwd; + grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_key_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_key_password.pwd; + grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_keystore_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_keystore_password.pwd; + grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_keystore_password_p12=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_keystore_password_p12.pwd; + cd {{ .Values.credsPath }}; + chmod a+rx *; + +secrets: + - uid: db-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . }}' + login: '{{ .Values.db.user }}' + password: '{{ .Values.db.password }}' + passwordPolicy: required + +flavor: small + +# application image +image: onap/policy-clamp-backend:6.0.0 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# log configuration +log: + path: /var/log/onap + +################################################################# +# Application configuration defaults. 
+################################################################# + +#####dummy values for db user and password to pass lint!!!####### + +db: + user: policy_user + password: policy_user + image: mariadb:10.5.8 + service: + name: policy-mariadb + internalPort: 3306 + +config: + log: + logstashServiceName: log-ls + logstashPort: 5044 + mysqlPassword: strong_pitchou + dataRootDir: /dockerdata-nfs + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 3 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 3 + +service: + type: ClusterIP + name: policy-clamp-be + portName: policy-clamp-be + internalPort: 8443 + externalPort: 8443 + +ingress: + enabled: false + +#resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# +# Example: +# Configure resource requests and limits +# ref: http://kubernetes.io/docs/user-guide/compute-resources/ +# Minimum memory for development is 2 CPU cores and 4GB memory +# Minimum memory for production is 4 CPU cores and 8GB memory +resources: + small: + limits: + cpu: 1 + memory: 1Gi + requests: + cpu: 1m + memory: 1Gi + large: + limits: + cpu: 1 + memory: 3Gi + requests: + cpu: 10m + memory: 3Gi + unlimited: {} diff --git a/kubernetes/policy/components/policy-clamp-fe/Chart.yaml b/kubernetes/policy/components/policy-clamp-fe/Chart.yaml new file mode 100644 index 0000000000..331ba86995 --- /dev/null 
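Review bot: Working credentials are committed as chart defaults in this file: `aafDeployPass: demo123456!`, `db.password: policy_user` and `config.mysqlPassword: strong_pitchou`, so an install that overrides nothing deploys with publicly known values. `passwordPolicy: required` on the `db-creds` secret is satisfied by the dummy default instead of forcing the operator to supply one; leaving `db.password` unset and relying on `db.credsExternalSecret` would make the policy effective, and `config.mysqlPassword` looks unused by the templates visible in this change and could be dropped. In `aaf_add_config`, `chmod a+rx *` makes the extracted `cadi_*_password*.pwd` files readable by every user in the container; a narrower mode such as `chmod 0440 *.pwd` should be enough if the backend runs as `permission_user`/`permission_group`. The same `aafDeployPass` default and blanket chmod recur in the policy-clamp-fe values.yaml hunk.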
+++ b/kubernetes/policy/components/policy-clamp-fe/Chart.yaml @@ -0,0 +1,19 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: ONAP Policy Clamp Frontend +name: policy-clamp-fe +version: 7.0.0 diff --git a/kubernetes/policy/components/policy-clamp-fe/requirements.yaml b/kubernetes/policy/components/policy-clamp-fe/requirements.yaml new file mode 100644 index 0000000000..734166b43d --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-fe/requirements.yaml @@ -0,0 +1,22 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: certInitializer + version: ~7.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~7.x-0 + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-fe/resources/config/default.conf b/kubernetes/policy/components/policy-clamp-fe/resources/config/default.conf new file mode 100644 index 0000000000..4cab734074 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-fe/resources/config/default.conf @@ -0,0 +1,31 @@ +server { + + listen 2443 default ssl; + ssl_protocols TLSv1.2; + {{ if .Values.global.aafEnabled }} + ssl_certificate {{.Values.certInitializer.credsPath}}/{{.Values.certInitializer.clamp_pem}}; + ssl_certificate_key {{.Values.certInitializer.credsPath}}/{{.Values.certInitializer.clamp_key}}; + {{ else }} + ssl_certificate /etc/ssl/clamp.pem; + ssl_certificate_key /etc/ssl/clamp.key; + {{ end }} + + ssl_verify_client optional_no_ca; + location /restservices/clds/ { + proxy_pass https://policy-clamp-be:8443; + proxy_set_header X-SSL-Cert $ssl_client_escaped_cert; + } + + location / { + root /usr/share/nginx/html; + index index.html index.htm; + try_files $uri $uri/ /index.html; + } + + error_page 500 502 503 504 /50x.html; + + location = /50x.html { + root /usr/share/nginx/html; + } + +} diff --git a/kubernetes/policy/components/policy-clamp-fe/resources/config/log/filebeat/filebeat.yml b/kubernetes/policy/components/policy-clamp-fe/resources/config/log/filebeat/filebeat.yml new file mode 100644 index 0000000000..8717e6f33a --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-fe/resources/config/log/filebeat/filebeat.yml 
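Review bot: `ssl_verify_client optional_no_ca;` accepts any client certificate without checking its chain, and the `/restservices/clds/` location forwards it to the backend in `X-SSL-Cert`, so at this tier a self-signed certificate is indistinguishable from one issued by the deployment's CA. Unless policy-clamp-be fully validates the forwarded certificate itself (not visible in this change), verify it here with `ssl_client_certificate {{.Values.certInitializer.credsPath}}/{{.Values.certInitializer.clamp_ca_certs_pem}};` and `ssl_verify_client optional;`. The chart already extracts that CA bundle, but no directive uses it. The `proxy_pass https://policy-clamp-be:8443;` hop also runs with nginx's default of not verifying the upstream certificate, which `proxy_ssl_verify on;` plus a `proxy_ssl_trusted_certificate` would address.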
@@ -0,0 +1,55 @@ +{{/* +# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +filebeat.prospectors: +#it is mandatory, in our case it's log +- input_type: log + #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. + paths: + - /var/log/onap/*/*/*/*.log + - /var/log/onap/*/*/*.log + - /var/log/onap/*/*.log + #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive + ignore_older: 48h + # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit + clean_inactive: 96h + +# Name of the registry file. If a relative path is used, it is considered relative to the +# data path. Else full qualified file name. +#filebeat.registry_file: ${path.data}/registry + + +output.logstash: + #List of logstash server ip addresses with port number. + #But, in our case, this will be the loadbalancer IP address. + #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. + hosts: ["{{.Values.config.log.logstashServiceName}}:{{.Values.config.log.logstashPort}}"] + #If enable will do load balancing among availabe Logstash, automatically. 
+ loadbalance: true + + #The list of root certificates for server verifications. + #If certificate_authorities is empty or not set, the trusted + #certificate authorities of the host system are used. + #ssl.certificate_authorities: $ssl.certificate_authorities + + #The path to the certificate for SSL client authentication. If the certificate is not specified, + #client authentication is not available. + #ssl.certificate: $ssl.certificate + + #The client certificate key used for client authentication. + #ssl.key: $ssl.key + + #The passphrase used to decrypt an encrypted key stored in the configured key file + #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/policy/components/policy-clamp-fe/templates/NOTES.txt b/kubernetes/policy/components/policy-clamp-fe/templates/NOTES.txt new file mode 100644 index 0000000000..e36d6a5bfb --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-fe/templates/NOTES.txt 
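Review bot: The `output.logstash` block sends events to `{{.Values.config.log.logstashServiceName}}:{{.Values.config.log.logstashPort}}` with every `ssl.*` option left commented out, so the nginx logs travel unencrypted and the Logstash endpoint is not authenticated. If these logs can contain client identifiers or request paths worth protecting, enable at least `ssl.certificate_authorities` with the CA that signs the Logstash certificate. The commented placeholders (`$ssl.certificate_authorities` and the others) are not valid values as written, so a comment saying what to put there would help, for example `# set to the path of the CA bundle mounted by certInitializer`.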
@@ -0,0 +1,32 @@ +# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range .Values.ingress.hosts }} + http://{{ . }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.externalPort }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit https://127.0.0.1:8443 to use your application" + kubectl port-forward $POD_NAME 8443:{{ .Values.service.internalPort }} +{{- end }} diff --git a/kubernetes/policy/components/policy-clamp-fe/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-fe/templates/configmap.yaml new file mode 100644 index 0000000000..1a5b0ce06a --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-fe/templates/configmap.yaml @@ -0,0 +1,31 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} + +{{ include "common.log.configMap" . }} diff --git a/kubernetes/policy/components/policy-clamp-fe/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-fe/templates/deployment.yaml new file mode 100644 index 0000000000..97c7919389 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-fe/templates/deployment.yaml 
@@ -0,0 +1,105 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ include "common.name" . }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + spec: + initContainers: + - command: + - /app/ready.py + args: + - --container-name + - policy-clamp-be + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness +{{ include "common.certInitializer.initContainer" . | nindent 6 }} + containers: + # side car containers + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }} + # main container + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + - containerPort: {{ .Values.service.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} + - name: logs + mountPath: {{ .Values.log.path }} + - mountPath: /etc/nginx/conf.d/default.conf + name: {{ include "common.fullname" . }}-config + subPath: default.conf + resources: +{{ include "common.resources" . | indent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . }} + items: + - key: default.conf + path: default.conf + - name: logs + emptyDir: {} + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/components/policy-clamp-fe/templates/ingress.yaml b/kubernetes/policy/components/policy-clamp-fe/templates/ingress.yaml new file mode 100644 index 0000000000..8f87c68f1e --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-fe/templates/ingress.yaml 
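Review bot: With `liveness.enabled: false`, the trim markers around the liveness block (`{{- if eq .Values.liveness.enabled true }}` … `{{ end -}}`) remove the newline on both sides, so `readinessProbe:` is rendered onto the end of the preceding `# so K8s doesn't restart unresponsive container` comment and the probe's `tcpSocket` lines are left dangling. Closing the block with `{{- end }}` keeps `readinessProbe:` on its own line whether the block is rendered or not. Separately, `liveness.timeoutSeconds` and `readiness.timeoutSeconds` are defined in values.yaml but neither probe sets `timeoutSeconds`. Neither the pod nor its containers declare a `securityContext`; if the image allows it, `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are worth adding for a container that terminates TLS on a NodePort.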
@@ -0,0 +1 @@
+{{ include "common.ingress" . }}
diff --git a/kubernetes/policy/components/policy-clamp-fe/templates/secrets.yaml b/kubernetes/policy/components/policy-clamp-fe/templates/secrets.yaml
new file mode 100644
index 0000000000..4cf8155f6c
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-fe/templates/secrets.yaml
@@ -0,0 +1,18 @@
+{{/*
+# Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2018 AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/policy/components/policy-clamp-fe/templates/service.yaml b/kubernetes/policy/components/policy-clamp-fe/templates/service.yaml
new file mode 100644
index 0000000000..b4549ba099
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-fe/templates/service.yaml
@@ -0,0 +1,43 @@
+{{/*
+# Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2018 AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.service.name }}
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ {{if eq .Values.service.type "NodePort" -}}
+ - port: {{ .Values.service.internalPort }}
+ nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
+ name: {{ .Values.service.portName }}
+ {{- else -}}
+ - port: {{ .Values.service.externalPort }}
+ targetPort: {{ .Values.service.internalPort }}
+ name: {{ .Values.service.portName }}
+ {{- end}}
+ selector:
+ app: {{ include "common.name" . }}
+ release: {{ include "common.release" . }}
+---
diff --git a/kubernetes/policy/components/policy-clamp-fe/values.yaml b/kubernetes/policy/components/policy-clamp-fe/values.yaml
new file mode 100644
index 0000000000..91a096d1b2
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-fe/values.yaml
@@ -0,0 +1,150 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018-2019 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: # global defaults + nodePortPrefix: 302 + centralizedLoggingEnabled: true + #AAF service + aafEnabled: true + +################################################################# +# AAF part +################################################################# +certInitializer: + permission_user: 1000 + permission_group: 999 + addconfig: true + keystoreFile: "org.onap.clamp.p12" + truststoreFile: "org.onap.clamp.trust.jks" + keyFile: "org.onap.clamp.keyfile" + truststoreFileONAP: "truststoreONAPall.jks" + clamp_key: "clamp.key" + clamp_pem: "clamp.pem" + clamp_ca_certs_pem: "clamp-ca-certs.pem" + nameOverride: clamp-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! 
+ # aafDeployCredsExternalSecret: some secret + fqdn: clamp + fqi: clamp@clamp.onap.org + public_fqdn: clamp.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + aaf_add_config: > + /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop; + export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0); + cd {{ .Values.credsPath }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -cacerts -nokeys -chain -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_ca_certs_pem }}; + chmod a+rx *; + +subChartsOnly: + enabled: true + +flavor: small + +# application image +image: onap/policy-clamp-frontend:6.0.0 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# log configuration +log: + path: /var/log/nginx/ + +################################################################# +# Application configuration defaults. 
+################################################################# +config: + log: + logstashServiceName: log-ls + logstashPort: 5044 + dataRootDir: /dockerdata-nfs + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 3 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 3 + +service: + type: NodePort + name: policy-clamp-fe + portName: policy-clamp-fe + internalPort: 2443 + nodePort: 58 + + # as of 20180904 port 58 is reserved for clamp from log/logdemonode + # see https://wiki.onap.org/display/DW/OOM+NodePort+List + +ingress: + enabled: false + service: + - baseaddr: "clamp.api" + name: "clamp" + port: 2443 + config: + ssl: "redirect" + +#resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # + # Example: + # Configure resource requests and limits + # ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # Minimum memory for development is 2 CPU cores and 4GB memory + # Minimum memory for production is 4 CPU cores and 8GB memory +resources: + small: + limits: + cpu: 1 + memory: 200Mi + requests: + cpu: 1m + memory: 50Mi + large: + limits: + cpu: 1 + memory: 500Mi + requests: + cpu: 10m + memory: 50Mi + unlimited: {} diff --git a/kubernetes/policy/requirements.yaml b/kubernetes/policy/requirements.yaml index b2f2b7430a..22e3dfad18 100755 --- a/kubernetes/policy/requirements.yaml +++ b/kubernetes/policy/requirements.yaml 
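Review bot: In `aaf_add_config` the three `openssl pkcs12` calls pass the keystore password as `-passin pass:$cadi_keystore_password_p12`, which exposes it on the process command line. The first call also writes the private key unencrypted (`-nodes`) into `{{ .Values.clamp_key }}`, and `chmod a+rx *` then makes it readable by every user in the container. Use `-passin env:cadi_keystore_password_p12` instead, since the variable appears to be exported by the `export $(...)` line just above. Replace the blanket chmod with a narrower mode on the key, e.g. `chmod 0440 {{ .Values.clamp_key }}`, assuming nginx reads it as `permission_user`/`permission_group`. A comment above the block stating that `clamp.key` is an unencrypted private key would make the reason for the tight mode clear to the next editor.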
@@ -48,6 +48,14 @@ dependencies: version: ~7.x-0 repository: 'file://components/policy-distribution' condition: policy-distribution.enabled + - name: policy-clamp-be + version: ~7.x-0 + repository: 'file://components/policy-clamp-be' + condition: policy-clamp-be.enabled + - name: policy-clamp-fe + version: ~7.x-0 + repository: 'file://components/policy-clamp-fe' + condition: policy-clamp-fe.enabled - name: repositoryGenerator version: ~7.x-0 repository: '@local' diff --git a/kubernetes/policy/resources/config/db.sh b/kubernetes/policy/resources/config/db.sh index 0d7ce07c9b..90c987984f 100755 --- a/kubernetes/policy/resources/config/db.sh +++ b/kubernetes/policy/resources/config/db.sh @@ -18,7 +18,7 @@ mysql() { /usr/bin/mysql -h ${MYSQL_HOST} -P ${MYSQL_USER} "$@"; }; -for db in support onap_sdk log migration operationshistory10 pooling policyadmin operationshistory +for db in support onap_sdk log migration operationshistory10 pooling policyadmin policyclamp operationshistory do mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};" mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;" diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index d09895484c..678772c481 100755 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -66,6 +66,11 @@ policy-drools-pdp: policy-distribution: enabled: true db: *dbSecretsHook +policy-clamp-be: + enabled: true + db: *dbSecretsHook +policy-clamp-fe: + enabled: true policy-nexus: enabled: false |
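Review bot: In the db.sh hunk, adding `policyclamp` to the `for db in …` list gives it the same `GRANT ALL PRIVILEGES … TO '${MYSQL_USER}'@'%'` as the other schemas, and the values.yaml hunk after it gives policy-clamp-be the shared `*dbSecretsHook` credentials. The clamp backend's account can therefore read and modify `policyadmin` and the other policy databases, and their accounts can do the same to `policyclamp`. If that sharing is intended, record it next to the loop with a comment such as `# policyclamp deliberately shares ${MYSQL_USER} with the other policy schemas`; otherwise create a dedicated user whose grant is limited to `policyclamp`. The loop body continues outside the hunk.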