Diffstat (limited to 'kubernetes/so/templates')
-rw-r--r--kubernetes/so/templates/_cadiValues.tpl19
-rw-r--r--kubernetes/so/templates/_certificates.tpl32
-rw-r--r--kubernetes/so/templates/_livenessProbe.tpl17
-rw-r--r--kubernetes/so/templates/_profileProperty.tpl3
-rwxr-xr-xkubernetes/so/templates/configmap.yaml17
-rwxr-xr-xkubernetes/so/templates/deployment.yaml76
-rw-r--r--kubernetes/so/templates/secret.yaml16
7 files changed, 153 insertions, 27 deletions
diff --git a/kubernetes/so/templates/_cadiValues.tpl b/kubernetes/so/templates/_cadiValues.tpl
new file mode 100644
index 0000000000..426facc4b1
--- /dev/null
+++ b/kubernetes/so/templates/_cadiValues.tpl
@@ -0,0 +1,19 @@
+{{- define "cadi.keys" -}}
+cadiLoglevel: DEBUG
+cadiKeyFile: /org.onap.so.keyfile
+cadiTrustStore: /app/org.onap.so.trust.jks
+cadiTruststorePassword: {{ .Values.global.app.cadi.cadiTruststorePassword }}
+cadiLatitude: {{ .Values.global.app.cadi.cadiLatitude }}
+cadiLongitude: {{ .Values.global.app.cadi.cadiLongitude }}
+aafEnv: {{ .Values.global.app.cadi.aafEnv }}
+aafApiVersion: 2.0
+aafRootNs: {{ .Values.global.app.cadi.aafRootNs }}
+aafId: {{ .Values.mso.config.cadi.aafId }}
+aafPassword: {{ .Values.mso.config.cadi.aafPassword }}
+aafLocateUrl: {{ .Values.global.app.cadi.aafLocateUrl }}
+aafUrl: {{ .Values.global.app.cadi.aafUrl }}
+apiEnforcement: {{ .Values.mso.config.cadi.apiEnforcement }}
+{{- if (.Values.global.app.cadi.noAuthn) }}
+noAuthn: {{ .Values.mso.config.cadi.noAuthn }}
+{{- end }}
+{{- end }}
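Review bot: `cadiTruststorePassword` and `aafPassword` are rendered straight from chart values as unquoted scalars, so both credentials appear in plaintext wherever `cadi.keys` is included; the include site is not in this diff, but if it is a ConfigMap they sit outside any Secret, even though deployment.yaml takes the password for the same `/app/org.onap.so.trust.jks` from a Secret. At minimum quote them, e.g. `aafPassword: {{ .Values.mso.config.cadi.aafPassword | quote }}`, so a value that starts with a YAML indicator or looks like a number is not retyped. The `noAuthn` guard tests `.Values.global.app.cadi.noAuthn` but emits `.Values.mso.config.cadi.noAuthn`; confirm which key is intended, since the two can disagree. `cadiLoglevel: DEBUG` is fixed rather than taken from values, so a deployment cannot lower it without editing the template.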
diff --git a/kubernetes/so/templates/_certificates.tpl b/kubernetes/so/templates/_certificates.tpl
new file mode 100644
index 0000000000..8bd25d27a1
--- /dev/null
+++ b/kubernetes/so/templates/_certificates.tpl
@@ -0,0 +1,32 @@
+{{- define "so.certificate.container_importer" -}}
+- name: {{ include "common.name" . }}-certs-importer
+ image: "{{ include "common.repository" . }}/{{ .Values.global.soBaseImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - "/bin/sh"
+ args:
+ - "-c"
+ - "update-ca-certificates --fresh && \
+ cp -r {{ .Values.global.certificates.path }}/* /certificates"
+ volumeMounts:
+ - name: {{ include "common.name" . }}-certificates
+ mountPath: /certificates
+ - name: {{ include "common.name" . }}-onap-certificates
+ mountPath: {{ .Values.global.certificates.share_path }}
+{{- end -}}
+
+{{- define "so.certificate.volume-mounts" -}}
+- name: {{ include "common.name" . }}-certificates
+ mountPath: {{ .Values.global.certificates.path }}
+- name: {{ include "common.name" . }}-onap-certificates
+ mountPath: {{ .Values.global.certificates.share_path }}
+{{- end -}}
+
+{{- define "so.certificate.volumes" -}}
+- name: {{ include "common.name" . }}-certificates
+ emptyDir:
+ medium: Memory
+- name: {{ include "common.name" . }}-onap-certificates
+ secret:
+ secretName: {{ include "common.secret.getSecretNameFast" (dict "global" . "uid" "so-onap-certs") }}
+{{- end -}}
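Review bot: The two mounts in `so.certificate.volume-mounts` are writable, so the application container can alter the CA bundle that the importer populated; unless the application is expected to write there, adding `readOnly: true` to both entries keeps the trust store fixed once the init container has finished. In `so.certificate.container_importer` the value of `.Values.global.certificates.path` is pasted unquoted into the `sh -c` string, so a path containing spaces or shell metacharacters changes the command; quoting the directory part inside the command avoids that. `update-ca-certificates --fresh` normally needs write access to the system certificate directory, so a comment stating which user the importer is expected to run as would help whoever later adds a `securityContext`.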
diff --git a/kubernetes/so/templates/_livenessProbe.tpl b/kubernetes/so/templates/_livenessProbe.tpl
new file mode 100644
index 0000000000..4181beb1f8
--- /dev/null
+++ b/kubernetes/so/templates/_livenessProbe.tpl
@@ -0,0 +1,17 @@
+{{- define "helpers.livenessProbe" -}}
+livenessProbe:
+ httpGet:
+ path: {{- index .Values.livenessProbe.path|indent 2}}
+ port: {{ index .Values.containerPort }}
+ scheme: {{- index .Values.livenessProbe.scheme| indent 2}}
+ {{- if eq .Values.global.security.aaf.enabled true }}
+ httpHeaders:
+ - name: Authorization
+ value: {{ index .Values.global.aaf.auth.header }}
+ {{- end }}
+ initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}}
+ periodSeconds: {{ index .Values.livenessProbe.periodSeconds}}
+ timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}}
+ successThreshold: {{ index .Values.livenessProbe.successThreshold}}
+ failureThreshold: {{ index .Values.livenessProbe.failureThreshold}}
+{{- end -}}
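Review bot: The `Authorization` header value taken from `.Values.global.aaf.auth.header` becomes part of the pod spec, so anyone allowed to read Deployments or Pods in the namespace can read the credential, and `httpHeaders` has no way to reference a Secret. Consider pointing the probe at a health path that needs no authentication, or dedicating a low-privilege identity to it, and record the choice in a comment above the `httpHeaders` block. The value is also unquoted; `value: {{ .Values.global.aaf.auth.header | quote }}` keeps a header that contains `: ` or starts with a special character from breaking the rendered YAML.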
diff --git a/kubernetes/so/templates/_profileProperty.tpl b/kubernetes/so/templates/_profileProperty.tpl
new file mode 100644
index 0000000000..113bc343d0
--- /dev/null
+++ b/kubernetes/so/templates/_profileProperty.tpl
@@ -0,0 +1,3 @@
+{{- define "helpers.profileProperty" -}}
+ {{ if eq .condition true }}{{.value1}}{{else}}{{.value2}} {{ end }}
+{{- end -}}
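Review bot: The helper emits its result with surrounding whitespace: the `if` action is not trimmed and there is a literal space after `{{.value2}}`, so the second branch renders with a trailing blank. The `ACTIVE_PROFILE` entry added in configmap.yaml uses it as a plain scalar, where a YAML parser strips the padding, but any quoted or string-compared use would see it. `{{- if eq .condition true }}{{ .value1 }}{{ else }}{{ .value2 }}{{ end -}}` removes the padding without changing the logic. Since this switch selects between the `aaf` and `basic` profiles in that ConfigMap, a one-line comment stating which one is the fallback would be useful.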
diff --git a/kubernetes/so/templates/configmap.yaml b/kubernetes/so/templates/configmap.yaml
index d873beb62c..6aa4b5f4f0 100755
--- a/kubernetes/so/templates/configmap.yaml
+++ b/kubernetes/so/templates/configmap.yaml
@@ -15,6 +15,7 @@ apiVersion: v1
data:
LOG_PATH: {{ index .Values.logPath }}
APP: {{ index .Values.app }}
+ ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}}
kind: ConfigMap
metadata:
name: {{ include "common.fullname" . }}-configmap
@@ -37,3 +38,19 @@ metadata:
heritage: {{ .Release.Service }}
data:
{{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-log
+ namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/config/log/filebeat/filebeat.yml").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-so-filebeat-configmap
+ namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/config/log/filebeat/filebeat.yml").AsConfig . | indent 2 }}
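Review bot: The two ConfigMaps added here render the same file, `resources/config/log/filebeat/filebeat.yml`, under different names, and in deployment.yaml the `-log` one backs a `-log-conf` volume that no container in the visible hunks mounts. If the duplicate is not needed, drop it; otherwise add a comment saying which consumer needs each copy. Both also omit the metadata that the existing ConfigMap above carries (its `heritage` entry is visible as context), and the second builds its name from `.Release.Name` while the rest of the file uses `common.fullname`.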
diff --git a/kubernetes/so/templates/deployment.yaml b/kubernetes/so/templates/deployment.yaml
index 931a89516b..07390097e7 100755
--- a/kubernetes/so/templates/deployment.yaml
+++ b/kubernetes/so/templates/deployment.yaml
@@ -34,8 +34,9 @@ spec:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
- initContainers:
- - command:
+ initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }}
+ - name: {{ include "common.name" . }}-readiness
+ command:
- /root/job_complete.py
args:
- --job-name
@@ -66,54 +67,75 @@ spec:
name: {{ include "common.release" . }}-so-db-secrets
key: mariadb.readwrite.port
- name: DB_USERNAME
- valueFrom:
- secretKeyRef:
- name: {{ include "common.release" . }}-so-db-secrets
- key: mariadb.readwrite.rolename
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }}
- name: DB_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ include "common.release" . }}-so-db-secrets
- key: mariadb.readwrite.password
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }}
- name: DB_ADMIN_USERNAME
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }}
+ - name: DB_ADMIN_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }}
+ {{- if eq .Values.global.security.aaf.enabled true }}
+ - name: TRUSTSTORE
+ value: /app/org.onap.so.trust.jks
+ - name: TRUSTSTORE_PASSWORD
valueFrom:
secretKeyRef:
- name: {{ include "common.release" . }}-so-db-secrets
- key: mariadb.admin.rolename
- - name: DB_ADMIN_PASSWORD
+ name: {{ .Release.Name}}-so-client-certs-secret
+ key: trustStorePassword
+ - name: KEYSTORE
+ value: /app/org.onap.so.jks
+ - name: KEYSTORE_PASSWORD
valueFrom:
secretKeyRef:
- name: {{ include "common.release" . }}-so-db-secrets
- key: mariadb.admin.password
+ name: {{ .Release.Name}}-so-client-certs-secret
+ key: keyStorePassword
+ {{- end }}
envFrom:
- configMapRef:
name: {{ include "common.fullname" . }}-configmap
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- volumeMounts:
+ volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 8 }}
- name: logs
mountPath: /app/logs
- name: config
mountPath: /app/config
readOnly: true
- livenessProbe:
- httpGet:
- path: {{- index .Values.livenessProbe.path|indent 2}}
- port: {{ index .Values.containerPort }}
- scheme: {{- index .Values.livenessProbe.scheme| indent 2}}
- initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}}
- periodSeconds: {{ index .Values.livenessProbe.periodSeconds}}
- timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}}
- successThreshold: {{ index .Values.livenessProbe.successThreshold}}
- failureThreshold: {{ index .Values.livenessProbe.failureThreshold}}
+ - name: {{ include "common.fullname" . }}-logs
+ mountPath: /var/log/onap
+{{ include "helpers.livenessProbe" .| indent 8 }}
ports:
- containerPort: {{ index .Values.containerPort }}
name: {{ .Values.service.portName }}
protocol: TCP
- volumes:
+ # Filebeat sidecar container
+ - name: {{ include "common.name" . }}-filebeat-onap
+ image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-filebeat-conf
+ mountPath: /usr/share/filebeat/filebeat.yml
+ subPath: filebeat.yml
+ - name: {{ include "common.fullname" . }}-data-filebeat
+ mountPath: /usr/share/filebeat/data
+ - name: logs
+ mountPath: /var/log/onap/so
+ - name: {{ include "common.fullname" . }}-logs
+ mountPath: /var/log/onap
+ volumes: {{ include "so.certificate.volumes" . | nindent 6 }}
- name: logs
emptyDir: {}
- name: config
configMap:
name: {{ include "common.fullname" . }}-app-configmap
+ - name: {{ include "common.fullname" . }}-log-conf
+ configMap:
+ name: {{ include "common.fullname" . }}-log
+ - name: {{ include "common.fullname" . }}-filebeat-conf
+ configMap:
+ name: {{ .Release.Name }}-so-filebeat-configmap
+ - name: {{ include "common.fullname" . }}-data-filebeat
+ emptyDir: {}
+ - name: {{ include "common.fullname" . }}-logs
+ emptyDir: {}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
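Review bot: `TRUSTSTORE_PASSWORD` and `KEYSTORE_PASSWORD` reference a Secret by the hand-built name `{{ .Release.Name}}-so-client-certs-secret`, which nothing in this diff creates, whereas the DB credentials in the same hunk were just moved to `common.secret.envFromSecretFast`. If that Secret is absent when `global.security.aaf.enabled` is true the container cannot start, so either declare it through the chart's secret definitions and use the same helper, or document above the block where it comes from. The Filebeat sidecar is added without `resources` or a `securityContext`, and the `-log-conf` volume is declared but not mounted by either container shown here. The hunk starts inside the container's `env` list, so earlier entries are not visible.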
diff --git a/kubernetes/so/templates/secret.yaml b/kubernetes/so/templates/secret.yaml
new file mode 100644
index 0000000000..bdcecddfa3
--- /dev/null
+++ b/kubernetes/so/templates/secret.yaml
@@ -0,0 +1,16 @@
+# Copyright © 2020 Samsung Electronics
+# Modifications Copyright © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secret" . }}