diff options
Diffstat (limited to 'kubernetes')
14 files changed, 342 insertions, 91 deletions
diff --git a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties index ea799e2119..0beaf4a42a 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties +++ b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties @@ -1,6 +1,6 @@ {{/* # -# Copyright (c) 2017-2019 AT&T, IBM, Bell Canada, Nordix Foundation. +# Copyright (c) 2017-2022 AT&T, IBM, Bell Canada, Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -109,19 +109,70 @@ blueprintsprocessor.restclient.aai-data.additionalHeaders.X-FromAppId=cds-app-id blueprintsprocessor.restclient.aai-data.additionalHeaders.Accept=application/json # Self Service Request Kafka Message Consumer -blueprintsprocessor.messageconsumer.self-service-api.kafkaEnable=false -blueprintsprocessor.messageconsumer.self-service-api.type=kafka-basic-auth -blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers=message-router-kafka:9092 -blueprintsprocessor.messageconsumer.self-service-api.groupId=cds-consumer-group -blueprintsprocessor.messageconsumer.self-service-api.topic=cds-consumer -blueprintsprocessor.messageconsumer.self-service-api.clientId=cds-client -blueprintsprocessor.messageconsumer.self-service-api.pollMillSec=1000 +blueprintsprocessor.messageconsumer.self-service-api.kafkaEnable={{ .Values.kafkaRequestConsumer.enabled }} +blueprintsprocessor.messageconsumer.self-service-api.type={{ .Values.kafkaRequestConsumer.type }} +{{- if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +{{- else -}} +blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers={{ .Values.kafkaRequestConsumer.bootstrapServers }} +{{- end }} +blueprintsprocessor.messageconsumer.self-service-api.groupId={{ .Values.kafkaRequestConsumer.groupId }} +blueprintsprocessor.messageconsumer.self-service-api.topic={{ .Values.kafkaRequestConsumer.topic }} +blueprintsprocessor.messageconsumer.self-service-api.clientId={{ .Values.kafkaRequestConsumer.clientId }} +blueprintsprocessor.messageconsumer.self-service-api.pollMillSec={{ .Values.kafkaRequestConsumer.pollMillSec }} +{{- if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} +# SCRAM +blueprintsprocessor.messageconsumer.self-service-api.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} +blueprintsprocessor.messageconsumer.self-service-api.scramPassword=${JAAS_PASS} +{{ end }} # Self Service Response Kafka Message Producer -blueprintsprocessor.messageproducer.self-service-api.bootstrapServers=message-router-kafka:9092 - -# Kafka Audit Service Configurations -blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable=false +blueprintsprocessor.messageproducer.self-service-api.type={{ .Values.kafkaRequestProducer.type }} +{{- if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +{{- else -}} +blueprintsprocessor.messageproducer.self-service-api.bootstrapServers={{ .Values.kafkaRequestProducer.bootstrapServers }} +{{- end }} +blueprintsprocessor.messageproducer.self-service-api.clientId={{ .Values.kafkaRequestProducer.clientId }} +blueprintsprocessor.messageproducer.self-service-api.topic={{ .Values.kafkaRequestProducer.topic }} +{{- if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} +# SCRAM +blueprintsprocessor.messageproducer.self-service-api.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} +blueprintsprocessor.messageproducer.self-service-api.scramPassword=${JAAS_PASS} +{{ end }} + +# AUDIT KAFKA FEATURE CONFIGURATION +# Audit feature dumps CDS request to a topic as well as a truncated response message to another topic. +## Audit request +blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable={{ .Values.kafkaAuditRequest.enabled }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.type={{ .Values.kafkaAuditRequest.type }} +{{- if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +{{- else -}} +blueprintsprocessor.messageproducer.self-service-api.audit.request.bootstrapServers={{ .Values.kafkaAuditRequest.bootstrapServers }} +{{- end }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.clientId={{ .Values.kafkaAuditRequest.clientId }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.topic={{ .Values.kafkaAuditRequest.topic }} +{{- if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} +# SCRAM +blueprintsprocessor.messageproducer.self-service-api.audit.request.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.scramPassword=${JAAS_PASS} +{{ end }} + +## Audit response +blueprintsprocessor.messageproducer.self-service-api.audit.response.type={{ .Values.kafkaAuditResponse.type }} +{{- if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +{{- else -}} +blueprintsprocessor.messageproducer.self-service-api.audit.response.bootstrapServers={{ .Values.kafkaAuditRequest.bootstrapServers }} +{{- end }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.clientId={{ .Values.kafkaAuditResponse.clientId }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.topic={{ .Values.kafkaAuditResponse.topic }} +{{- if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} +# SCRAM +blueprintsprocessor.messageproducer.self-service-api.audit.response.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.scramPassword=${JAAS_PASS} +{{ end }} # Executor Options blueprintsprocessor.resourceResolution.enabled=true @@ -132,10 +183,10 @@ blueprintsprocessor.remoteScriptCommand.enabled=true ## Enable py-executor blueprintsprocessor.streamingRemoteExecution.enabled=true -# Used in Health Check -blueprintsprocessor.messageproducer.self-service-api.type=kafka-basic-auth -blueprintsprocessor.messageproducer.self-service-api.clientId=cds-client -blueprintsprocessor.messageproducer.self-service-api.topic=cds-producer +## Used in Health Check +#blueprintsprocessor.messageproducer.self-service-api.type=kafka-basic-auth +#blueprintsprocessor.messageproducer.self-service-api.clientId=cds-client +#blueprintsprocessor.messageproducer.self-service-api.topic=cds-producer #Encrypted username and password for health check service diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml new file mode 100644 index 0000000000..555f4d4e60 --- /dev/null +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml @@ -0,0 +1,68 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if eq .Values.useStrimziKafka true }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.kafkaRequestConsumer.topic }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + partitions: 10 + replicas: 2 + config: + retention.ms: 7200000 + segment.bytes: 1073741824 +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.kafkaRequestProducer.topic }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + partitions: 10 + replicas: 2 + config: + retention.ms: 7200000 + segment.bytes: 1073741824 +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.kafkaAuditRequest.topic }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + partitions: 10 + replicas: 2 + config: + retention.ms: 7200000 + segment.bytes: 1073741824 +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.kafkaAuditResponse.topic }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + partitions: 10 + replicas: 2 + config: + retention.ms: 7200000 + segment.bytes: 1073741824 +{{ end }}
\ No newline at end of file diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml new file mode 100644 index 0000000000..65ee1d2a96 --- /dev/null +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml @@ -0,0 +1,49 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if eq .Values.useStrimziKafka true }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + authentication: + type: scram-sha-512 + authorization: + type: simple + acls: + - resource: + type: group + name: {{ .Values.kafkaRequestConsumer.groupId }} + operation: All + - resource: + type: topic + name: {{ .Values.kafkaRequestConsumer.topic }} + operation: All + - resource: + type: topic + name: {{ .Values.kafkaRequestProducer.topic }} + operation: All + - resource: + type: topic + name: {{ .Values.kafkaAuditRequest.topic }} + operation: All + - resource: + type: topic + name: {{ .Values.kafkaAuditResponse.topic }} + operation: All +{{ end }}
\ No newline at end of file diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml index d92f09a4c8..d68e900222 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright (c) 2019 IBM, Bell Canada # Copyright (c) 2020 Samsung Electronics +# Modification Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -78,10 +79,6 @@ spec: args: - --container-name - cds-db - {{- if .Values.dmaapEnabled }} - - --container-name - - message-router - {{ end }} env: - name: NAMESPACE valueFrom: @@ -121,6 +118,10 @@ spec: fieldPath: metadata.name - name: CLUSTER_CONFIG_FILE value: {{ .Values.config.appConfigDir }}/hazelcast.yaml + {{ if .Values.useStrimziKafka }} + - name: JAAS_PASS + value: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cds-kafka-secret" "key" "password") | indent 12 }} + {{ end }} ports: - containerPort: {{ .Values.service.http.internalPort }} - containerPort: {{ .Values.service.grpc.internalPort }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/values.yaml b/kubernetes/cds/components/cds-blueprints-processor/values.yaml index a5180c53c6..af9482b663 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/values.yaml @@ -1,5 +1,6 @@ # Copyright (c) 2019 IBM, Bell Canada # Copyright (c) 2020 Samsung Electronics +# Modification Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -57,6 +58,13 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.sdncDB.dbRootPassExternalSecret) . }}' password: '{{ .Values.config.sdncDB.dbRootPass }}' passwordPolicy: required + - uid: cds-kafka-secret + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: password + value: '{{ .Values.config.someConfig }}' + policy: generate ################################################################# # AAF part @@ -111,6 +119,7 @@ config: # dbCredsExternalSecret: <some secret name> # dbRootPassword: password # dbRootPassExternalSecret + someConfig: blah # default number of instances replicaCount: 1 @@ -119,10 +128,40 @@ nodeSelector: {} affinity: {} -# flag for kafka-listener dependency. Set to true if you are using message-router otherwise set to false if you are using -# custom kafka cluster. -dmaapEnabled: true +# If useStrimziKafka is true, the following also applies: +# strimzi will create an associated kafka user and the topics defined for Request and Audit elements below. +# The connection type must be kafka-scram-plain-text-auth +# The bootstrapServers will target the strimzi kafka cluster by default +useStrimziKafka: false +cdsKafkaUser: cds-kafka-user +kafkaRequestConsumer: + enabled: false + type: kafka-scram-plain-text-auth + bootstrapServers: host:port + groupId: cds-consumer + topic: cds.blueprint-processor.self-service-api.request + clientId: request-receiver-client-id + pollMillSec: 1000 +kafkaRequestProducer: + type: kafka-scram-plain-text-auth + bootstrapServers: host:port + clientId: request-producer-client-id + topic: cds.blueprint-processor.self-service-api.response + enableIdempotence: false +kafkaAuditRequest: + enabled: false + type: kafka-scram-plain-text-auth + bootstrapServers: host:port + clientId: audit-request-producer-client-id + topic: cds.blueprint-processor.self-service-api.audit.request + enableIdempotence: false +kafkaAuditResponse: + type: kafka-scram-plain-text-auth + bootstrapServers: host:port + clientId: audit-response-producer-client-id + topic: cds.blueprint-processor.self-service-api.audit.response + enableIdempotence: false # probe configuration parameters startup: diff --git a/kubernetes/cds/values.yaml b/kubernetes/cds/values.yaml index edac066f6f..58e6b65c6f 100644 --- a/kubernetes/cds/values.yaml +++ b/kubernetes/cds/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2020 Samsung Electronics # Copyright © 2019 Orange, Bell Canada # Copyright © 2017 Amdocs, Bell Canada +# Modification Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,6 +23,7 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs + cdsKafkaUser: cds-kafka-user ################################################################# # Secrets metaconfig @@ -212,6 +214,7 @@ cds-blueprints-processor: dbPort: 3306 dbName: *mysqlDbName dbCredsExternalSecret: *dbUserSecretName + jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.kafkaUser }}' cds-command-executor: enabled: true diff --git a/kubernetes/contrib/components/awx/templates/service.yaml b/kubernetes/contrib/components/awx/templates/service.yaml index 10f031da82..85ec8c8428 100755 --- a/kubernetes/contrib/components/awx/templates/service.yaml +++ b/kubernetes/contrib/components/awx/templates/service.yaml @@ -49,7 +49,6 @@ spec: ports: - port: {{ .Values.service.web.externalPort }} targetPort: {{ .Values.service.web.internalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.web.nodePort }} name: {{ .Values.service.web.portName }} selector: app: {{ include "common.fullname" . }} diff --git a/kubernetes/contrib/components/awx/values.yaml b/kubernetes/contrib/components/awx/values.yaml index 0a247c5743..44c57414a4 100755 --- a/kubernetes/contrib/components/awx/values.yaml +++ b/kubernetes/contrib/components/awx/values.yaml @@ -92,11 +92,10 @@ service: internalPort: 15672 externalPort: 15672 web: - type: NodePort + type: ClusterIP portName: web internalPort: 8052 externalPort: 8052 - nodePort: 78 rabbitmq: type: ClusterIP http: diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml index 869472e2d8..ef272eef23 100644 --- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml @@ -2,6 +2,7 @@ # ============================================================================ # Copyright (C) 2021-2022 Wipro Limited. # Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (C) 2022 Huawei Canada Limited. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -57,7 +58,7 @@ tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.0.7 +image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.1.1 # Log directory where logging sidecar should look for log files # if path is set to null sidecar won't be deployed in spite of @@ -144,6 +145,17 @@ applicationConfig: sliceanalysisms.rannfnssiDetailsTemplateId: get-rannfnssiid-details sliceanalysisms.desUrl: http://dl-des:1681/datalake/v1/exposure/pm_data sliceanalysisms.pmDataDurationInWeeks: 4 + sliceanalysisms.vesNotifPollingInterval: 15 + sliceanalysisms.vesNotifChangeIdentifier: PM_BW_UPDATE + sliceanalysisms.vesNotifChangeType: BandwidthChanged + sliceanalysisms.aaiNotif.targetAction: UPDATE + sliceanalysisms.aaiNotif.targetSource: UUI + sliceanalysisms.aaiNotif.targetEntity: service-instance + sliceanalysisms.ccvpnEvalInterval: 15 + sliceanalysisms.ccvpnEvalThreshold: 0.8 + sliceanalysisms.ccvpnEvalPrecision: 100.0 + sliceanalysisms.ccvpnEvalPeriodicCheckOn: true + sliceanalysisms.ccvpnEvalOnDemandCheckOn: true streams_publishes: CL_topic: type: message-router @@ -162,6 +174,19 @@ applicationConfig: type: message-router dmaap_info: topic_url: http://message-router:3904/events/DCAE_CL_RSP + ves_ccvpn_notification_topic: + type: message-router + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT + aai_subscriber: + type: message-router + servers : ["message-router:3904"] + consumer_group: dcae_ccvpn_cl + consumer_instance: dcae_ccvpn_cl_aaievent + fetch_timeout: 15000 + fetch_limit: 100 + dmaap_info: + topic_url: http://message-router:3904/events/AAI-EVENT applicationEnv: STANDALONE: 'false' diff --git a/kubernetes/policy/components/policy-gui/resources/config/default.conf b/kubernetes/policy/components/policy-gui/resources/config/default.conf deleted file mode 100644 index 98417cd822..0000000000 --- a/kubernetes/policy/components/policy-gui/resources/config/default.conf +++ /dev/null @@ -1,32 +0,0 @@ -server { - - listen 2443 default ssl; - ssl_protocols TLSv1.2; - {{ if .Values.global.aafEnabled }} - ssl_certificate {{.Values.certInitializer.credsPath}}/{{.Values.certInitializer.clamp_pem}}; - ssl_certificate_key {{.Values.certInitializer.credsPath}}/{{.Values.certInitializer.clamp_key}}; - {{ else }} - ssl_certificate /etc/ssl/clamp.pem; - ssl_certificate_key /etc/ssl/clamp.key; - {{ end }} - - ssl_verify_client optional_no_ca; - absolute_redirect off; - - location / { - root /usr/share/nginx/html; - index index.html index.htm; - try_files $uri $uri/ =404; - } - - location /clamp/restservices/clds/ { - proxy_pass https://policy-clamp-be:8443/restservices/clds/; - proxy_set_header X-SSL-Cert $ssl_client_escaped_cert; - } - - location = /50x.html { - root /var/lib/nginx/html; - } - error_page 500 502 503 504 /50x.html; - error_log /var/log/nginx/error.log warn; -} diff --git a/kubernetes/policy/components/policy-gui/templates/deployment.yaml b/kubernetes/policy/components/policy-gui/templates/deployment.yaml index b67fa273de..a155715580 100644 --- a/kubernetes/policy/components/policy-gui/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-gui/templates/deployment.yaml @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. +# Copyright (C) 2021-2022 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -62,6 +62,20 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} +{{- if .Values.global.aafEnabled }} + command: ["sh","-c"] + args: ["source {{ .Values.certInitializer.credsPath }}/.ci;/opt/app/policy/gui/bin/policy-gui.sh"] + env: +{{- else }} + command: ["/opt/app/policy/gui/bin/policy-gui.sh"] + env: + - name: KEYSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} + - name: TRUSTSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} +{{- end }} + - name: CLAMP_URL + value: https://policy-clamp-be:8443 ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger @@ -81,9 +95,6 @@ spec: volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - name: logs mountPath: {{ .Values.log.path }} - - mountPath: /etc/nginx/conf.d/default.conf - name: {{ include "common.fullname" . }}-config - subPath: default.conf resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -99,9 +110,6 @@ spec: - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }} - items: - - key: default.conf - path: default.conf - name: logs emptyDir: {} {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} diff --git a/kubernetes/policy/components/policy-gui/values.yaml b/kubernetes/policy/components/policy-gui/values.yaml index 6ee7715678..aa2b9d3122 100644 --- a/kubernetes/policy/components/policy-gui/values.yaml +++ b/kubernetes/policy/components/policy-gui/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. +# Copyright (C) 2021-2022 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,36 +26,46 @@ global: # global defaults aafEnabled: true ################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: keystore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.keyStorePassword }}' + passwordPolicy: required + - uid: truststore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.trustStorePassword }}' + passwordPolicy: required + +certStores: + keyStorePassword: Pol1cy_0nap + trustStorePassword: Pol1cy_0nap + +################################################################# # AAF part ################################################################# certInitializer: - permission_user: 1000 - permission_group: 999 - addconfig: true - keystoreFile: "org.onap.clamp.p12" - truststoreFile: "org.onap.clamp.trust.jks" - keyFile: "org.onap.clamp.keyfile" - truststoreFileONAP: "truststoreONAPall.jks" - clamp_key: "clamp.key" - clamp_pem: "clamp.pem" - clamp_ca_certs_pem: "clamp-ca-certs.pem" nameOverride: policy-gui-cert-initializer aafDeployFqi: deployer@people.osaaf.org aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: clamp - fqi: clamp@clamp.onap.org - public_fqdn: clamp.onap.org - cadi_longitude: "0.0" + fqdn: policy + fqi: policy@policy.onap.org + public_fqdn: policy.onap.org cadi_latitude: "0.0" - app_ns: org.osaaf.aaf + cadi_longitude: "0.0" credsPath: /opt/app/osaaf/local + app_ns: org.osaaf.aaf + uid: 100 + gid: 101 aaf_add_config: > - cd {{ .Values.credsPath }}; - openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }}; - openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }}; - openssl pkcs12 -in {{ .Values.keystoreFile }} -cacerts -nokeys -chain -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_ca_certs_pem }}; - chmod a+rx *; + echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; + echo "export TRUSTSTORE='{{ .Values.credsPath }}/org.onap.policy.trust.jks'" >> {{ .Values.credsPath }}/.ci; + echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; + echo "export TRUSTSTORE_PASSWD='${cadi_truststore_password}'" >> {{ .Values.credsPath }}/.ci; + chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); subChartsOnly: enabled: true @@ -63,7 +73,7 @@ subChartsOnly: flavor: small # application image -image: onap/policy-gui:2.2.0 +image: onap/policy-gui:2.2.2 pullPolicy: Always # flag to enable debugging - application support required @@ -71,7 +81,7 @@ debugEnabled: false # log configuration log: - path: /var/log/nginx/ + path: /var/log/onap/policy/gui ################################################################# # Application configuration defaults. diff --git a/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml b/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml new file mode 100644 index 0000000000..2653c6799c --- /dev/null +++ b/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml @@ -0,0 +1,31 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ .Values.kafkaStrimziAdminUser }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + authentication: + type: {{ .Values.saslMechanism }} + authorization: + type: simple + acls: + - resource: + type: group + name: onap-group + operation: Read
\ No newline at end of file diff --git a/kubernetes/strimzi/templates/strimzi-kafka.yaml b/kubernetes/strimzi/templates/strimzi-kafka.yaml index a94879b8a0..df3afee96d 100644 --- a/kubernetes/strimzi/templates/strimzi-kafka.yaml +++ b/kubernetes/strimzi/templates/strimzi-kafka.yaml @@ -57,7 +57,7 @@ spec: authorization: type: simple superUsers: - - {{ include "common.release" . }}-{{ .Values.kafkaStrimziAdminUser }} + - {{ .Values.kafkaStrimziAdminUser }} template: pod: securityContext: |