diff options
Diffstat (limited to 'kubernetes')
64 files changed, 858 insertions, 652 deletions
diff --git a/kubernetes/Makefile b/kubernetes/Makefile index 3f41c3cc4b..7150f10c1f 100644 --- a/kubernetes/Makefile +++ b/kubernetes/Makefile @@ -20,6 +20,12 @@ OUTPUT_DIR := $(ROOT_DIR)/dist PACKAGE_DIR := $(OUTPUT_DIR)/packages SECRET_DIR := $(OUTPUT_DIR)/secrets +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := helm lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + SUBMODS := robot aai EXCLUDES := config oneclick readiness test dist helm $(PARENT_CHART) dcae $(SUBMODS) HELM_CHARTS := $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.))) $(PARENT_CHART) @@ -55,7 +61,7 @@ dep-%: make-% @if [ -f $*/requirements.yaml ]; then helm dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then helm lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) diff --git a/kubernetes/aai b/kubernetes/aai -Subproject 764cd8514707c1630dbfa6792b8d15953d5b9a5 +Subproject 23f076495d36081f34a367067918d15fcc5ada8 diff --git a/kubernetes/cds/charts/cds-blueprints-processor/resources/config/hazelcast.yaml b/kubernetes/cds/charts/cds-blueprints-processor/resources/config/hazelcast.yaml new file mode 100755 index 0000000000..3a3a1ce095 --- /dev/null +++ b/kubernetes/cds/charts/cds-blueprints-processor/resources/config/hazelcast.yaml @@ -0,0 +1,35 @@ +hazelcast: + cp-subsystem: + cp-member-count: {{ .Values.replicaCount }} + group-size: {{ .Values.cluster.groupSize }} + session-time-to-live-seconds: 10 + session-heartbeat-interval-seconds: 5 + missing-cp-member-auto-removal-seconds: 120 + fail-on-indeterminate-operation-state: false + raft-algorithm: + leader-election-timeout-in-millis: 2000 + leader-heartbeat-period-in-millis: 5000 + max-missed-leader-heartbeat-count: 5 + append-request-max-entry-count: 50 + commit-index-advance-count-to-snapshot: 1000 + uncommitted-entry-count-to-reject-new-appends: 100 + append-request-backoff-timeout-in-millis: 100 + network: + enabled: true + rest-api: + enabled: true + endpoint-groups: + HEALTH_CHECK: + enabled: true + CP: + enabled: true + join: + multicast: + enabled: false + kubernetes: + enabled: true + namespace: {{ include "common.namespace" . }} + service-name: {{ include "common.servicename" . }}-cluster + resolve-not-ready-addresses: true + # service-label-name: MY-SERVICE-LABEL-NAME + # service-label-value: MY-SERVICE-LABEL-VALUE diff --git a/kubernetes/cds/charts/cds-blueprints-processor/templates/deployment.yaml b/kubernetes/cds/charts/cds-blueprints-processor/templates/deployment.yaml index a90e4d7b68..749e9a4637 100755 --- a/kubernetes/cds/charts/cds-blueprints-processor/templates/deployment.yaml +++ b/kubernetes/cds/charts/cds-blueprints-processor/templates/deployment.yaml @@ -24,6 +24,18 @@ metadata: heritage: {{ .Release.Service }} spec: replicas: {{ .Values.replicaCount }} + strategy: + type: RollingUpdate + rollingUpdate: + # This allow a new pod to be ready before terminating the old one + # causing no downtime when replicas is set to 1 + maxUnavailable: 0 + + # maxSurge to 1 is very important for the hazelcast integration + # we only want one pod at a time to restart not multiple + # and break the hazelcast cluster. We should not use % maxSurge value + # ref : https://hazelcast.com/blog/rolling-upgrade-hazelcast-imdg-on-kubernetes/ + maxSurge: 1 template: metadata: labels: @@ -56,9 +68,23 @@ spec: env: - name: APP_CONFIG_HOME value: {{ .Values.config.appConfigDir }} + - name: USE_SCRIPT_COMPILE_CACHE + value: {{ .Values.config.useScriptCompileCache | quote }} + # Cluster should only be enabled when replicaCount is more than 2 and useScriptCompileCache is set to false otherwise it won't work properly + - name: CLUSTER_ENABLED + value: {{ if and (gt (int (.Values.replicaCount)) 2) (not .Values.config.useScriptCompileCache) }} {{ .Values.cluster.enabled | quote }} {{ else }} "false" {{ end }} + - name: CLUSTER_ID + value: {{ .Values.cluster.clusterName }} + - name: CLUSTER_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CLUSTER_CONFIG_FILE + value: {{ .Values.config.appConfigDir }}/hazelcast.yaml ports: - containerPort: {{ .Values.service.http.internalPort }} - containerPort: {{ .Values.service.grpc.internalPort }} + - containerPort: {{ .Values.service.cluster.internalPort }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -93,6 +119,9 @@ spec: - mountPath: {{ .Values.config.appConfigDir }}/logback.xml name: {{ include "common.fullname" . }}-config subPath: logback.xml + - mountPath: {{ .Values.config.appConfigDir }}/hazelcast.yaml + name: {{ include "common.fullname" . }}-config + subPath: hazelcast.yaml - mountPath: {{ .Values.config.appConfigDir }}/ONAP_RootCA.cer name: {{ include "common.fullname" . }}-config @@ -122,6 +151,8 @@ spec: path: application.properties - key: logback.xml path: logback.xml + - key: hazelcast.yaml + path: hazelcast.yaml - key: ONAP_RootCA.cer path: ONAP_RootCA.cer - name: {{ include "common.fullname" . }}-blueprints diff --git a/kubernetes/cds/charts/cds-blueprints-processor/templates/service.yaml b/kubernetes/cds/charts/cds-blueprints-processor/templates/service.yaml index 411df8631c..a6a21a6a01 100755 --- a/kubernetes/cds/charts/cds-blueprints-processor/templates/service.yaml +++ b/kubernetes/cds/charts/cds-blueprints-processor/templates/service.yaml @@ -56,3 +56,27 @@ spec: selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "common.servicename" . }}-cluster + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: +spec: + type: {{ .Values.service.cluster.type }} + ports: + - port: {{ .Values.service.cluster.externalPort }} + targetPort: {{ .Values.service.cluster.internalPort }} + {{- if eq .Values.service.cluster.type "NodePort"}} + nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.cluster.nodePort }} + {{- end}} + name: {{ .Values.service.cluster.portName | default "cluster" }} + selector: + app: {{ include "common.name" . }} + release: {{ .Release.Name }} diff --git a/kubernetes/cds/charts/cds-blueprints-processor/values.yaml b/kubernetes/cds/charts/cds-blueprints-processor/values.yaml index 781b5383fe..35661c29e9 100755 --- a/kubernetes/cds/charts/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/charts/cds-blueprints-processor/values.yaml @@ -47,6 +47,7 @@ debugEnabled: false # application configuration config: appConfigDir: /opt/app/onap/config + useScriptCompileCache: true # default number of instances replicaCount: 1 @@ -85,6 +86,11 @@ service: portName: blueprints-processor-grpc internalPort: 9111 externalPort: 9111 + cluster: + type: ClusterIP + portName: blueprints-processor-cluster + internalPort: 5701 + externalPort: 5701 persistence: volumeReclaimPolicy: Retain @@ -94,6 +100,17 @@ persistence: mountSubPath: cds/blueprints/deploy deployedBlueprint: /opt/app/onap/blueprints/deploy +cluster: + # Cannot have cluster enabled if the replicaCount is not at least 3 + # AND config value useScriptCompileCache is not set to false + enabled: false + + clusterName: cds-cluster + + # Defines the number of node to be part of the CP subsystem/raft algorithm. This value should be + # between 3 and 7 only. + groupSize: 3 + ingress: enabled: false service: diff --git a/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml b/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml index 26affe600c..e4deab0e15 100644 --- a/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml +++ b/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml @@ -1,4 +1,5 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. +--- +# Copyright © 2020 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -30,30 +31,24 @@ # The default name is elasticsearch, but you should change it to an appropriate name which describes the # purpose of the cluster. # -cluster.name: "clamp-dashboard" -# -# The port that other nodes in the cluster should use when communicating with this node. -# Required for Elasticsearch's nodes running on different cluster nodes. -# More : https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html -#transport.publish_port:$transport.publish_port -# -# The host address to publish for nodes in the cluster to connect to. -# Required for Elasticsearch's nodes running on different cluster nodes. -# More : https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html -#transport.publish_host:$transport.publish_host +## Default Elasticsearch configuration from elasticsearch-docker. +## from https://opendistro.github.io/for-elasticsearch-docs/docs/elasticsearch/configuration/ # -# ------------------------------------ Node ------------------------------------ -# -# It is better to provide different meaningfull names fot different elastic nodes. -# By default, Elasticsearch will take the 7 first character of the randomly generated uuid used as the node id. -# Note that the node id is persisted and does not change when a node restarts + +cluster.name: "clamp-dashboard" +node.name: "cldash-es-node1" +# ---------------------------------- Network ----------------------------------- # -#node.name: $node.name +# Set the bind address to a specific IP (IPv4 or IPv6): +# In order to communicate and to form a cluster with nodes on other servers, your node will need to bind to a +# non-loopback address. +network.host: 0.0.0.0 # -# Add custom attributes to the node: +# Set a custom port for HTTP: If required, default is 9200-9300 # -#node.attr.rack: r1 +#http.port: $http.port # +# For more information, consult the network module documentation. # ----------------------------------- Paths ------------------------------------ # # The location of the data files of each index / shard allocated on the node. Can hold multiple locations separated by coma. @@ -78,19 +73,6 @@ bootstrap.memory_lock: false # # Elasticsearch performs poorly when the system is swapping the memory. # -# ---------------------------------- Network ----------------------------------- -# -# Set the bind address to a specific IP (IPv4 or IPv6): -# In order to communicate and to form a cluster with nodes on other servers, your node will need to bind to a -# non-loopback address. -network.host: 0.0.0.0 -# -# Set a custom port for HTTP: If required, default is 9200-9300 -# -#http.port: $http.port -# -# For more information, consult the network module documentation. -# # --------------------------------- Discovery ---------------------------------- # # Pass an initial list of hosts to perform discovery when new node is started @@ -98,24 +80,16 @@ network.host: 0.0.0.0 # that are likely to be live and contactable. # By default, Elasticsearch will bind to the available loopback addresses and will scan ports 9300 to 9305 to try # to connect to other nodes running on the same server. -# -#$discovery.zen.ping.unicast.hosts -# -# This setting tells Elasticsearch to not elect a master unless there are enough master-eligible nodes -# available. Only then will an election take place. -# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1): +# # minimum_master_nodes need to be explicitly set when bound on a public IP +# # set to 1 to allow single node clusters +# # Details: https://github.com/elastic/elasticsearch/pull/17288 discovery.zen.minimum_master_nodes: 1 -# -# For more information, consult the zen discovery module documentation. -# -# ---------------------------------- Gateway ----------------------------------- -# -# Block initial recovery after a full cluster restart until N nodes are started: -# -#gateway.recover_after_nodes: 3 -# -# For more information, consult the gateway module documentation. -# +discovery.seed_hosts: [] +# # Breaking change in 7.0 +# # https://www.elastic.co/guide/en/elasticsearch/reference/7.0/breaking-changes-7.0.html#breaking_70_discovery_changes +cluster.initial_master_nodes: + - cldash-es-node1 +# - docker-test-node-1 # ---------------------------------- Various ----------------------------------- # # Require explicit names when deleting indices: @@ -129,26 +103,26 @@ http.port: {{.Values.service.externalPort}} # Defaults to 9300-9400. # More info: transport.tcp.port: {{.Values.service.externalPort2}} -#xpack.graph.enabled: false -#Set to false to disable X-Pack graph features. -#xpack.ml.enabled: false -#Set to false to disable X-Pack machine learning features. -#xpack.monitoring.enabled: false -#Set to false to disable X-Pack monitoring features. +######## Start OpenDistro for Elasticsearch Security Demo Configuration ######## +# WARNING: revise all the lines below before you go into production +opendistro_security.ssl.transport.pemcert_filepath: esnode.pem +opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem +opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem +opendistro_security.ssl.transport.enforce_hostname_verification: false +opendistro_security.ssl.http.enabled: {{.Values.security.ssl.enabled}} +opendistro_security.ssl.http.pemcert_filepath: esnode.pem +opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem +opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem +opendistro_security.allow_unsafe_democertificates: true +opendistro_security.allow_default_init_securityindex: true +opendistro_security.authcz.admin_dn: + - CN=kirk,OU=client,O=client,L=test, C=de -#xpack.watcher.enabled: false -#Set to false to disable Watcher. - -#xpack.license.self_generated.type: basic -#xpack.security.enabled: false - -## Search Guard -# -searchguard.enterprise_modules_enabled: false -searchguard.ssl.transport.keystore_filepath: sg/node-0-keystore.jks -searchguard.ssl.transport.truststore_filepath: sg/truststore.jks -searchguard.ssl.transport.enforce_hostname_verification: false - -searchguard.authcz.admin_dn: - - "CN=kirk,OU=client,O=client,l=tEst,C=De" +opendistro_security.audit.type: internal_elasticsearch +opendistro_security.enable_snapshot_restore_privilege: true +opendistro_security.check_snapshot_restore_write_privileges: true +opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] +cluster.routing.allocation.disk.threshold_enabled: false +node.max_local_storage_nodes: 3 +######## End OpenDistro for Elasticsearch Security Demo Configuration ########
\ No newline at end of file diff --git a/kubernetes/clamp/charts/clamp-dash-es/templates/deployment.yaml b/kubernetes/clamp/charts/clamp-dash-es/templates/deployment.yaml index 8060a35b43..58ff107568 100644 --- a/kubernetes/clamp/charts/clamp-dash-es/templates/deployment.yaml +++ b/kubernetes/clamp/charts/clamp-dash-es/templates/deployment.yaml @@ -73,12 +73,14 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} {{ end -}} readinessProbe: tcpSocket: port: {{ .Values.service.internalPort2 }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} env: volumeMounts: - mountPath: /etc/localtime diff --git a/kubernetes/clamp/charts/clamp-dash-es/values.yaml b/kubernetes/clamp/charts/clamp-dash-es/values.yaml index 2d67048844..ae7abd5ec4 100644 --- a/kubernetes/clamp/charts/clamp-dash-es/values.yaml +++ b/kubernetes/clamp/charts/clamp-dash-es/values.yaml @@ -1,4 +1,4 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2020 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -32,7 +32,7 @@ busyboxImage: library/busybox:latest # application image repository: nexus3.onap.org:10001 -image: onap/clamp-dashboard-elasticsearch:4.1.1 +image: onap/clamp-dashboard-elasticsearch:5.0.2 pullPolicy: Always # flag to enable debugging - application support required @@ -51,15 +51,17 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 10 - periodSeconds: 10 + initialDelaySeconds: 180 + periodSeconds: 30 + timeoutSeconds: 5 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true readiness: - initialDelaySeconds: 10 - periodSeconds: 10 + initialDelaySeconds: 180 + periodSeconds: 30 + timeoutSeconds: 5 ## Persist data to a persitent volume persistence: @@ -83,6 +85,10 @@ persistence: mountSubPath: clamp/dashboard-elasticsearch/data mountSubPathLogs: clamp +security: + ssl: + enabled: true + service: type: ClusterIP name: cdash-es diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.crt.pem b/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.crt.pem deleted file mode 100644 index ce630d4354..0000000000 --- a/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.crt.pem +++ /dev/null @@ -1,30 +0,0 @@ -Bag Attributes - friendlyName: clamp@clamp.onap.org - localKeyID: 54 69 6D 65 20 31 35 35 33 37 38 37 35 31 38 33 30 33 -subject=/CN=clamp/emailAddress=/OU=clamp@clamp.onap.org/OU=OSAAF/O=ONAP/C=US -issuer=/C=US/O=ONAP/OU=OSAAF/CN=intermediateCA_9 ------BEGIN CERTIFICATE----- -MIIEKDCCAxCgAwIBAgIIWY+5kgf/UG4wDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE -BhMCVVMxDTALBgNVBAoMBE9OQVAxDjAMBgNVBAsMBU9TQUFGMRkwFwYDVQQDDBBp -bnRlcm1lZGlhdGVDQV85MB4XDTE5MDMyMTE2MTY1OFoXDTIwMDMyMTE2MTY1OFow -bDEOMAwGA1UEAwwFY2xhbXAxDzANBgkqhkiG9w0BCQEWADEdMBsGA1UECwwUY2xh -bXBAY2xhbXAub25hcC5vcmcxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQ -MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALic -uDccBjOAlOsL1Z1nKnDPRTNxBwIVfARRQDxK3C0zDHQ5qEmIQlF0Vjp+bJ2rgzMW -BnodC38zt1jSXymEsekZNV2sUyBbzJl6vxvA1xJKI9VHLyPSzyUEd1H4qh8b7IDX -3GDqUJgNfvzJ94DaNnnYWFVZq/IYdLjCFaXDxPUQZtlmpdkIWBzvMeNRe4bWajau -immkmSi5/2BYQfZXHXpiKiyBnN+1FbU3consmjNwS1L+PjD+k3JLsc5ANZYZMOTp -Szhu3xmDiB3UV4gPQWacQQZEo/5exywY3Ax3TowGwIA660eSkW1L5RPdyvzEgp7A -vu4+rbhfeR5bXjy2iAUCAwEAAaOB8jCB7zAJBgNVHRMEAjAAMA4GA1UdDwEB/wQE -AwIF4DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwVAYDVR0jBE0w -S4AUgfeZWxC5yIze81Je6k5poEM+rN2hMKQuMCwxDjAMBgNVBAsMBU9TQUFGMQ0w -CwYDVQQKDARPTkFQMQswCQYDVQQGEwJVU4IBBzAdBgNVHQ4EFgQU+GZ6wmWDPrmq -Wd1/NtMYiCQ8Dg4wOwYDVR0RBDQwMoIFY2xhbXCCHWNsYW1wLmFwaS5zaW1wbGVk -ZW1vLm9uYXAub3JnggpjbGFtcC5vbmFwMA0GCSqGSIb3DQEBCwUAA4IBAQCFZdhB -U6xm6l0vj4q89onLx4opTPvwGNRc0n402lifkPYXseFtphZSHIf2Sg0mFTH4KHb4 -FdMyBzq1+f5WLU+xRC1nT4eGJ0FvRR6204/fGVrzJTS67phnRnxr2WZzLPW0wPJe -K8SzN6tkUgE7/a/s0T/htE/blDxWh75+tA2jQlgj1Ri0y9A1J8wx++REKjGlHjFN -53aiipsB+wC/oEMzYL4qEPiYPI0Lr3Lsay1F7f6cvDT4+EYzBLMFuwCvpcnHgSMS -4fFj2ROmUG2+CC23B88Q0WNxjLPq/CrmHZZBsqwruPJ0cSuCQxfshTQ6uZhcjtu8 -6TRYkIcL0x9r/AHP ------END CERTIFICATE----- diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.key.pem b/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.key.pem deleted file mode 100644 index fcf68bfa23..0000000000 --- a/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.key.pem +++ /dev/null @@ -1,32 +0,0 @@ -Bag Attributes - friendlyName: clamp@clamp.onap.org - localKeyID: 54 69 6D 65 20 31 35 35 33 37 38 37 35 31 38 33 30 33 -Key Attributes: <No Attributes> ------BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4nLg3HAYzgJTr -C9WdZypwz0UzcQcCFXwEUUA8StwtMwx0OahJiEJRdFY6fmydq4MzFgZ6HQt/M7dY -0l8phLHpGTVdrFMgW8yZer8bwNcSSiPVRy8j0s8lBHdR+KofG+yA19xg6lCYDX78 -yfeA2jZ52FhVWavyGHS4whWlw8T1EGbZZqXZCFgc7zHjUXuG1mo2ropppJkouf9g -WEH2Vx16YiosgZzftRW1N3KJ7JozcEtS/j4w/pNyS7HOQDWWGTDk6Us4bt8Zg4gd -1FeID0FmnEEGRKP+XscsGNwMd06MBsCAOutHkpFtS+UT3cr8xIKewL7uPq24X3ke -W148togFAgMBAAECggEATncV+R5pKFS7dteV2IvzxvTh1cZxkxoslu0t3zJ2OKPc -5D1pYK+QeGx5Be2cHru6TOlMoXRc4ZjKke8AUXY74/Y573GB91vtL0KznYkuIHDw -oALcb153eqVWTbniHMzSjcSxv2N4E9iQo8L39oVI6CrjCIvPgFuSqMCdUNJPkVTI -4nsarTfLK4fzi7IbWzi9JdE1QRNIxcCMcYJRnLZMdneMLBleR0UL82Xc2KOy5SEt -zyKYCQ8zS247FKolnOrDkhKxXI5fzdDpRK5AQSsAykUPWlYq7pzKjY/dU9rMRohx -YSltFjPZ3sQ3UKqqIqhZS+GoVuZoc925WyhViPsqtQKBgQDsL4LFfPWN8nnsusQp -VR3T7HvvwXuEVAydlaJMwZU0cRYN+L7RHHjDoXZZrNJDIDzNoWnBLKRGx3mtLmgJ -9Pa6SxN6Oc8oo6jzv2D59g1PVjNOMOYTCTb/2Xum4LMLaeeF57HkWxzeA3Ws47++ -gXwzQpbE90tp1Ys4uXD3JoivvwKBgQDIGZTwLGhLSegdAjG83WEgmdtzT1kjvx0Q -A8IR2jkgkTJHdKiuslJ8Z3/XufHEwWMWwfs1XLwxYluoo1y9eNvNeHZXjLqjL62c -I3034F9IvvTUqFcxam2WdoklXbAiSvLUo/9exPgOuVxok6Zv1imRgGb/vYV9vyG7 -86MRuQu5OwKBgQC9E3fcA6JMpY3H3uhEsngzfMDm+fyYvfRvfyezzNFWbyWZv8V6 -gBGJg0vMlFarGDa044BW/hbw9qXI5zqwpeOS1aFdGsRlo0cRAuduk/Spy7c85FZ7 -bMgT4BZmTMHo5DpNb2NxDSO59AkThCuvJde47ZjnS5WavzI6EfKGWNnZ3wKBgQCF -QiwjCp/mS/DtqLFxAsmVSYGROG231aXILYiIFRloa+ndFn7j4NP4D4FfLHErRFL2 -K/ddIUYfaU57b1fqwts26ht90LXWyYDH9AaHOMCcFLe+C+INgcA7rPNG1C7hl6JC -JHmEJo7AV4eICZSU9D44rRdrB08oYCpaHjYiLmb1UwKBgQCWCDJ4p2DrNL9hzj3K -kzvM5saXrfI4aVBXVt9rw9s1d/WG8JOpnmHcnLPb6Tj59rDktrLCLv0sVstMwNVJ -sOO+qsgn1VoZalcVhhjdONm5YvhJQgz0F7Y2xkr6g/AuMPz2YigGfm7fe/z7rc+L -q9Ua2HmUS8DDBy7W89MNZJNkDQ== ------END PRIVATE KEY----- diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/resources/config/kibana.yml b/kubernetes/clamp/charts/clamp-dash-kibana/resources/config/kibana.yml index 55df82b0f1..db81e3da00 100644 --- a/kubernetes/clamp/charts/clamp-dash-kibana/resources/config/kibana.yml +++ b/kubernetes/clamp/charts/clamp-dash-kibana/resources/config/kibana.yml @@ -1,4 +1,4 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. +# Copyright © 2020 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -10,126 +10,26 @@ # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and -# limitations under the License. -#xpack.graph.enabled: false -#Set to false to disable X-Pack graph features. -#xpack.ml.enabled: false -#Set to false to disable X-Pack machine learning features. -#xpack.monitoring.enabled: false -#Set to false to disable X-Pack monitoring features. -#xpack.reporting.enabled: false -#Set to false to disable X-Pack reporting features. -#xpack.security.enabled: false -#Set to false to disable X-Pack security features. -#xpack.watcher.enabled: false -#Set to false to disable Watcher. +# limitations under the License.# Default Kibana configuration from kibana-docker. + +server.name: "Clamp CL Dashboard" +server.host: "0" # Kibana is served by a back end server. This setting specifies the port to use. server.port: {{.Values.service.externalPort}} -# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values. -# The default is 'localhost', which usually means remote machines will not be able to connect. -# To allow connections from remote users, set this parameter to a non-loopback address. -server.host: "0.0.0.0" - -# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects -# the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests -# to Kibana. This setting cannot end in a slash. -#server.basePath: "" - -# The maximum payload size in bytes for incoming server requests. -#server.maxPayloadBytes: 1048576 - -# The Kibana server's name. This is used for display purposes. -server.name: "Clamp Dashboard" - -# The URL of the Elasticsearch instance to use for all your queries. -elasticsearch.url: "http://{{.Values.config.elasticsearchServiceName}}.{{ include "common.namespace" . }}:{{.Values.config.elasticsearchPort}}" -# When this setting's value is true Kibana uses the hostname specified in the server.host -# setting. When the value of this setting is false, Kibana uses the hostname of the host -# that connects to this Kibana instance. -#elasticsearch.preserveHost: true - -# Kibana uses an index in Elasticsearch to store saved searches, visualizations and -# dashboards. Kibana creates a new index if the index doesn't already exist. -#kibana.index: ".kibana" - -# The default application to load. -#kibana.defaultAppId: "discover" - -# If your Elasticsearch is protected with basic authentication, these settings provide -# the username and password that the Kibana server uses to perform maintenance on the Kibana -# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which -# is proxied through the Kibana server. -#elasticsearch.username: "elastic" -#elasticsearch.password: "changeme" -# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively. -# These settings enable SSL for outgoing requests from the Kibana server to the browser. server.ssl.enabled: {{.Values.config.sslEnabled}} server.ssl.certificate: {{.Values.config.sslPemCertFilePath}} server.ssl.key: {{.Values.config.sslPemkeyFilePath}} -# Optional settings that provide the paths to the PEM-format SSL certificate and key files. -# These files validate that your Elasticsearch backend uses the same key files. -#elasticsearch.ssl.certificate: $elasticsearch_ssl_certificate -#elasticsearch.ssl.key: $elasticsearch_ssl_key - -# Optional setting that enables you to specify a path to the PEM file for the certificate -# authority for your Elasticsearch instance. -#elasticsearch.ssl.certificateAuthorities: $elasticsearch_ssl_certificateAuthorities - -# To disregard the validity of SSL certificates, change this setting's value to 'none'. -#elasticsearch.ssl.verificationMode: $elasticsearch_ssl_verificationMode - -# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of -# the elasticsearch.requestTimeout setting. -#elasticsearch.pingTimeout: 1500 - -# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value -# must be a positive integer. -#elasticsearch.requestTimeout: 30000 - -# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side -# headers, set this value to [] (an empty list). -#elasticsearch.requestHeadersWhitelist: [ authorization ] - -# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten -# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration. -#elasticsearch.customHeaders: {} - -# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable. -#elasticsearch.shardTimeout: 0 - -# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying. -#elasticsearch.startupTimeout: 5000 - -# Specifies the path where Kibana creates the process ID file. -#pid.file: /var/run/kibana.pid - -# Enables you specify a file where Kibana stores log output. -#logging.dest: stdout - -# Set the value of this setting to true to suppress all logging output. -#logging.silent: false - -# Set the value of this setting to true to suppress all logging output other than error messages. -#logging.quiet: false - -# Set the value of this setting to true to log all events, including system usage information -# and all requests. -#logging.verbose: false - -# Set the interval in milliseconds to sample system and process performance -# metrics. Minimum is 100ms. Defaults to 5000. -#ops.interval: 5000 - -# The default locale. This locale can be used in certain circumstances to substitute any missing -# translations. -#i18n.defaultLocale: "en" +# The URL of the Elasticsearch instance to use for all your queries. +elasticsearch.hosts: ${elasticsearch_base_url} -## Search Guard -# -#xpack.security.enabled: false +elasticsearch.ssl.verificationMode: none elasticsearch.username: {{.Values.config.elasticUSR}} elasticsearch.password: {{.Values.config.elasticPWD}} -searchguard.cookie.password: 123567818187654rwrwfsfshdhdhtegdhfzftdhncn +elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"] + +opendistro_security.multitenancy.enabled: true +opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"] +opendistro_security.readonly_mode.roles: ["kibana_read_only"]
\ No newline at end of file diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/templates/deployment.yaml b/kubernetes/clamp/charts/clamp-dash-kibana/templates/deployment.yaml index 2b0adac392..26547b23a9 100644 --- a/kubernetes/clamp/charts/clamp-dash-kibana/templates/deployment.yaml +++ b/kubernetes/clamp/charts/clamp-dash-kibana/templates/deployment.yaml @@ -68,6 +68,8 @@ spec: periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} env: + - name: elasticsearch_base_url + value: "{{ternary "https" "http" .Values.security.ssl.enabled}}://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.config.elasticsearchPort}}" volumeMounts: - mountPath: /etc/localtime name: localtime @@ -75,8 +77,6 @@ spec: - mountPath: /usr/share/kibana/config/kibana.yml name: {{ include "common.fullname" . }} subPath: kibana.yml - - name: {{ include "common.fullname" . }}-aaf-pem-certs - mountPath: /usr/share/kibana/config/keystore/ resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -97,8 +97,5 @@ spec: items: - key: kibana.yml path: kibana.yml - - name: {{ include "common.fullname" . }}-aaf-pem-certs - secret: - secretName: {{ include "common.fullname" . }}-aaf-pem-keys imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml b/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml index 88587160e9..be0c40e1e1 100644 --- a/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml +++ b/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml @@ -34,13 +34,14 @@ busyboxImage: library/busybox:latest # application image repository: nexus3.onap.org:10001 -image: onap/clamp-dashboard-kibana:4.1.3 +image: onap/clamp-dashboard-kibana:5.0.2 pullPolicy: Always # flag to enable debugging - application support required debugEnabled: false # application configuration +#the 'sslEnabled flag' here below is for the kibana UI connection (web browser connection to kibana) config: elasticsearchServiceName: cdash-es elasticsearchPort: 9200 @@ -60,14 +61,19 @@ affinity: {} # probe configuration parameters liveness: initialDelaySeconds: 360 - periodSeconds: 10 + periodSeconds: 30 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true readiness: - initialDelaySeconds: 10 - periodSeconds: 10 + initialDelaySeconds: 360 + periodSeconds: 30 + +#internal ssl security scheme for elasticsearch connection mainly +security: + ssl: + enabled: true service: #Example service definition with external, internal and node ports. diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/resources/certs/aafca.pem b/kubernetes/clamp/charts/clamp-dash-logstash/resources/certs/aafca.pem deleted file mode 100644 index cf12ec4c61..0000000000 --- a/kubernetes/clamp/charts/clamp-dash-logstash/resources/certs/aafca.pem +++ /dev/null @@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEVDCCAjygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB -RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwNjA1MDg1MTQxWhcN -MjMwNjA1MDg1MTQxWjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG -A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzEwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOXCdZIoWM0EnEEw3qPiVMhAgNolWCTaLt -eI2TjlTQdGDIcXdBZukHdNeOKYzOXRsLt6bLRtd5yARpn53EbzS/dgAyHuaz1HjE -5IPWSFRg9SulfHUmcS+GBt1+KiMJTlOsw6wSA73H/PjjXBbWs/uRJTnaNmV3so7W -DhNW6fHOrbom4p+3FucbB/QAM9b/3l/1LKnRgdXx9tekDnaKN5u3HVBmyOlRhaRp -tscLUCT3jijoGAPRcYZybgrpa0z3iCWquibTO/eLwuO/Dn7yHWau9ZZAHGPBSn9f -TiLKRYV55mNjr3zvs8diTPECFPW8w8sRIH3za1aKHgUC1gd87Yr3AgMBAAGjZjBk -MB0GA1UdDgQWBBQa1FdycErTZ6nr4dxiMbKH0P7vqjAfBgNVHSMEGDAWgBRTVTPy -S+vQUbHBeJrBKDF77+rtSTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE -AwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAlA/RTPy5i09fJ4ytSAmAdytMwEwRaU9F -dshG7LU9q95ODsuM79yJvV9+ISIJZRsBqf5PDv93bUCKKHIYGvR6kNd+n3yx/fce -txDkC/tMj1T9D8TuDKAclGEO9K5+1roOQQFxr4SE6XKb/wjn8OMrCoJ75S0F3htF -LKL85T77JeGeNgSk8JEsZvQvj32m0gv9rxi5jM/Zi5E2vxrBR9T1v3kVvlt6+PSF -BoHXROk5HQmdHxnH+VYQtDHSwj9Xe9aoJMyL0WjYKd//8NUO+VACDOtK4Nia6gy9 -m/n9kMASMw6f9iF4n6t4902RWrRKTYM1CVu5wyVklVbEdE9i6Db4CpL9E8HpBUAP -t44JiNzuFkDmSE/z5XuQIimDt6nzOaSF8pX2KHY2ICDLwpMNUvxzqXD9ECbdspiy -JC2RGq8uARGGl6kQQBKDNO8SrO7rSBPANd1+LgqrKbCrHYfvFgkZPgT5MlQi+E1G -LNT+i6fzZha9ed/L6yjl5Em71flJGFwRZl2pfErZRxp8pLPcznYyIpSjcwnqNCRC -orhlp8nheiODC3oO3AFHDiFgUqvm8hgpnT2cPk2lpU2VY1TcZ8sW5qUDCxINIPcW -u1SAsa87IJK3vEzPZfTCs/S6XThoqRfXj0c0Rahj7YFRi/PqIPY0ejwdtmZ9m9pZ -8Lb0GYmlo44= ------END CERTIFICATE----- diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/logstash.yml b/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/logstash.yml index 369b5820d5..cecd5b18c8 100644 --- a/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/logstash.yml +++ b/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/logstash.yml @@ -1,4 +1,4 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. +# Copyright © 2020 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,8 +22,3 @@ path.config: /usr/share/logstash/pipeline ## Setting true makes logstash check periodically for change in pipeline configurations config.reload.automatic: true -## xpack configurations -#xpack.monitoring.elasticsearch.url: ["http://10.247.186.12:9200", "http://10.247.186.13:9200"] -#xpack.monitoring.elasticsearch.username: elastic -#xpack.monitoring.elasticsearch.password: changeme -#xpack.monitoring.enabled: false diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf b/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf index 05d8085d43..4b05910c02 100644 --- a/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf +++ b/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf @@ -218,6 +218,8 @@ output { if "error" in [tags] { elasticsearch { codec => "json" + cacert => "/clamp-cert/ca-certs.pem" + ssl_certificate_verification => false hosts => ["${elasticsearch_base_url}"] user => ["${logstash_user}"] password => ["${logstash_pwd}"] @@ -229,6 +231,8 @@ output { elasticsearch { codec => "json" hosts => ["${elasticsearch_base_url}"] + cacert => "/clamp-cert/ca-certs.pem" + ssl_certificate_verification => false user => ["${logstash_user}"] password => ["${logstash_pwd}"] document_id => "%{requestID}" @@ -241,6 +245,8 @@ output { elasticsearch { codec => "json" hosts => ["${elasticsearch_base_url}"] + cacert => "/clamp-cert/ca-certs.pem" + ssl_certificate_verification => false user => ["${logstash_user}"] password => ["${logstash_pwd}"] index => "events-%{+YYYY.MM.DD}" # creates daily indexes diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/templates/configmap.yaml b/kubernetes/clamp/charts/clamp-dash-logstash/templates/configmap.yaml index 01ee76b7c1..4278a6e6d3 100644 --- a/kubernetes/clamp/charts/clamp-dash-logstash/templates/configmap.yaml +++ b/kubernetes/clamp/charts/clamp-dash-logstash/templates/configmap.yaml @@ -25,13 +25,3 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} - ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-aaf-keys - namespace: {{ include "common.namespace" . }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/templates/deployment.yaml b/kubernetes/clamp/charts/clamp-dash-logstash/templates/deployment.yaml index 697ebb66b6..7c5c047930 100644 --- a/kubernetes/clamp/charts/clamp-dash-logstash/templates/deployment.yaml +++ b/kubernetes/clamp/charts/clamp-dash-logstash/templates/deployment.yaml @@ -62,13 +62,13 @@ spec: - name: request_topic value: "{{ .Values.config.requestTopic }}" - name: dmaap_base_url - value: {{ .Values.config.dmaapScheme }}://{{ .Values.config.dmaapHost }}.{{ include "common.namespace" . }}:{{ .Values.config.dmaapPort }} + value: {{ ternary "https" "http" .Values.security.ssl.enabled }}://{{ .Values.config.dmaapHost }}.{{ include "common.namespace" . }}:{{ .Values.config.dmaapPort }} - name: logstash_user value: "{{ .Values.config.logstash_user }}" - name: logstash_pwd value: "{{ .Values.config.logstash_pwd }}" - name: elasticsearch_base_url - value: "http://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.config.elasticsearchPort}}" + value: "{{ ternary "https" "http" .Values.security.ssl.enabled }}://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.config.elasticsearchPort}}" ports: - containerPort: {{ .Values.service.internalPort }} name: {{ include "common.servicename" . }} @@ -77,6 +77,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} @@ -85,6 +86,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} {{ end -}} volumeMounts: - mountPath: /etc/localtime @@ -96,8 +98,6 @@ spec: - mountPath: /usr/share/logstash/pipeline/logstash.conf name: {{ include "common.fullname" . }} subPath: pipeline.conf - - name: {{ include "common.fullname" . }}-aaf-certs - mountPath: /certs.d/ resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -120,9 +120,5 @@ spec: path: logstash.yml - key: pipeline.conf path: pipeline.conf - - name: {{ include "common.fullname" . }}-aaf-certs - secret: - secretName: {{ include "common.fullname" . }}-aaf-keys - imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/values.yaml b/kubernetes/clamp/charts/clamp-dash-logstash/values.yaml index 20bf974157..9a0321a478 100644 --- a/kubernetes/clamp/charts/clamp-dash-logstash/values.yaml +++ b/kubernetes/clamp/charts/clamp-dash-logstash/values.yaml @@ -30,7 +30,7 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/clamp-dashboard-logstash:4.1.3 +image: onap/clamp-dashboard-logstash:5.0.2 pullPolicy: Always # flag to enable debugging - application support required @@ -41,7 +41,8 @@ config: elasticsearchServiceName: cdash-es elasticsearchPort: 9200 dmaapHost: message-router - dmaapScheme: https + dmaapSchemeSSL: https + dmaapSchemeNoSSL: http dmaapPort: 3905 dmaapConsumerGroup: "clampdashboard" dmaapConsumerId: "clampdashboard" @@ -60,15 +61,21 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 120 - periodSeconds: 10 + initialDelaySeconds: 900 + periodSeconds: 20 + timeoutSeconds: 5 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true readiness: - initialDelaySeconds: 10 - periodSeconds: 10 + initialDelaySeconds: 900 + periodSeconds: 20 + timeoutSeconds: 5 + +security: + ssl: + enabled: true service: #Example service definition with external, internal and node ports. diff --git a/kubernetes/common/dgbuilder/resources/scripts/customSettings.js b/kubernetes/common/dgbuilder/resources/config/customSettings.js index 66b7b5ed15..42c2e5728b 100644 --- a/kubernetes/common/dgbuilder/resources/scripts/customSettings.js +++ b/kubernetes/common/dgbuilder/resources/config/customSettings.js @@ -26,31 +26,31 @@ module.exports={ "sharedDir": "releases/sdnc1.0/flows/shared", "userDir": "releases/sdnc1.0", "httpAuth": { - "user": "dguser", - "pass": "{{.Values.config.dgUserPassword}}" + "user": "${HTTP_USER}", + "pass": "${HTTP_PASSWORD}" }, "dbHost": "{{.Values.config.dbServiceName}}.{{ include "common.namespace" . }}", "dbPort": "3306", - "dbName": "sdnctl", - "dbUser": "sdnctl", - "dbPassword": "{{.Values.config.dbSdnctlPassword}}", + "dbName": "{{.Values.config.db.dbName}}", + "dbUser": "${DB_USER}", + "dbPassword": "${DB_PASSWORD}", "gitLocalRepository": "", "restConfUrl": "http://localhost:8181/restconf/operations/SLI-API:execute-graph", - "restConfUser": "admin", - "restConfPassword": "admin", + "restConfUser": "${REST_CONF_USER}", + "restConfPassword": "${REST_CONF_PASSWORD}", "formatXML": "Y", "formatJSON": "Y", "httpRoot": "/", "disableEditor": false, "httpAdminRoot": "/", "httpAdminAuth": { - "user": "dguser", - "pass": "{{.Values.config.dgUserPassword}}" + "user": "${HTTP_ADMIN_USER}", + "pass": "${HTTP_ADMIN_PASSWORD}" }, "httpNodeRoot": "/", "httpNodeAuth": { - "user": "dguser", - "pass": "{{.Values.config.dgUserPassword}}" + "user": "${HTTP_NODE_USER}", + "pass": "${HTTP_NODE_PASSWORD}" }, "uiHost": "0.0.0.0", "version": "0.9.1", diff --git a/kubernetes/common/dgbuilder/resources/config/svclogic.properties b/kubernetes/common/dgbuilder/resources/config/svclogic.properties index b780cafbcd..28612a270b 100644 --- a/kubernetes/common/dgbuilder/resources/config/svclogic.properties +++ b/kubernetes/common/dgbuilder/resources/config/svclogic.properties @@ -13,7 +13,7 @@ # limitations under the License. org.onap.ccsdk.sli.dbtype=jdbc -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.dbServiceName}}.{{ include "common.namespace" . }}:3306/sdnctl -org.onap.ccsdk.sli.jdbc.database=sdnctl -org.onap.ccsdk.sli.jdbc.user=sdnctl -org.onap.ccsdk.sli.jdbc.password={{.Values.config.dbSdnctlPassword}} +org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.dbServiceName}}.{{ include "common.namespace" . }}:3306/{{.Values.config.db.dbName}} +org.onap.ccsdk.sli.jdbc.database={{.Values.config.db.dbName}} +org.onap.ccsdk.sli.jdbc.user=${DB_USER} +org.onap.ccsdk.sli.jdbc.password=${DB_PASSWORD} diff --git a/kubernetes/common/dgbuilder/resources/scripts/createReleaseDir.sh b/kubernetes/common/dgbuilder/resources/scripts/createReleaseDir.sh deleted file mode 100755 index b037058c2b..0000000000 --- a/kubernetes/common/dgbuilder/resources/scripts/createReleaseDir.sh +++ /dev/null @@ -1,149 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -#!/bin/bash -export PATH=$PATH:. -appDir=$(pwd) -if [ "$#" != 3 -a "$#" != 4 ] -then - echo "Usage $0 releaseDir loginId emailAddress [gitLocalRepository]" - echo "Note: Specify the gitLocalRepository path if you would want to be able to import flows from your local git repository" - exit -fi -if [ ! -e "releases" ] -then - mkdir releases -fi -releaseDir="$1" -name="Release $releaseDir" -loginId="$2" -emailid="$3" -dbHost="{{.Values.config.dbServiceName}}.{{.Release.Namespace}}" -dbPort="3306" -dbName="sdnctl" -dbUser="sdnctl" -dbPassword="{{.Values.config.dbSdnctlPassword}}" -gitLocalRepository="$4" - -lastPort=$(find "releases/" -name "customSettings.js" |xargs grep uiPort|cut -d: -f2|sed -e s/,//|sort|tail -1) -echo $lastPort|grep uiPort >/dev/null 2>&1 -if [ "$?" == "0" ] -then -lastPort=$(find "releases/" -name "customSettings.js" |xargs grep uiPort|cut -d: -f3|sed -e s/,//|sort|tail -1) -fi -#echo $lastPort -if [ "${lastPort}" == "" ] -then - lastPort="3099" -fi -let nextPort=$(expr $lastPort+1) -#echo $nextPort -if [ ! -e "releases/$releaseDir" ] -then -mkdir releases/$releaseDir -cd releases/$releaseDir -mkdir flows -mkdir flows/shared -mkdir flows/shared/backups -mkdir html -mkdir xml -mkdir lib -mkdir lib/flows -mkdir logs -mkdir conf -mkdir codecloud -customSettingsFile="customSettings.js" -if [ ! -e "./$customSettingsFile" ] -then - echo "module.exports = {" >$customSettingsFile - echo " 'name' : '$name'," >>$customSettingsFile - echo " 'emailAddress' :'$emailid'," >>$customSettingsFile - echo " 'uiPort' :$nextPort," >>$customSettingsFile - echo " 'mqttReconnectTime': 15000," >>$customSettingsFile - echo " 'serialReconnectTime' : 15000," >>$customSettingsFile - echo " 'debugMaxLength': 1000," >>$customSettingsFile - echo " 'htmlPath': 'releases/$releaseDir/html/'," >>$customSettingsFile - echo " 'xmlPath': 'releases/$releaseDir/xml/'," >>$customSettingsFile - echo " 'flowFile' : 'releases/$releaseDir/flows/flows.json'," >>$customSettingsFile - echo " 'sharedDir': 'releases/$releaseDir/flows/shared'," >>$customSettingsFile - echo " 'userDir' : 'releases/$releaseDir'," >>$customSettingsFile - echo " 'httpAuth': {user:'$loginId',pass:'cc03e747a6afbbcbf8be7668acfebee5'}," >>$customSettingsFile - echo " 'dbHost': '$dbHost'," >>$customSettingsFile - echo " 'dbPort': '$dbPort'," >>$customSettingsFile - echo " 'dbName': '$dbName'," >>$customSettingsFile - echo " 'dbUser': '$dbUser'," >>$customSettingsFile - echo " 'dbPassword': '$dbPassword'," >>$customSettingsFile - echo " 'gitLocalRepository': '$gitLocalRepository'" >>$customSettingsFile - echo " 'restConfUrl': '$restConfUrl'," >>$customSettingsFile - echo " 'restConfUser': '$restConfUser'," >>$customSettingsFile - echo " 'restConfPassword': '$restConfPassword'," >>$customSettingsFile - echo " 'formatXML': '$formatXML'," >>$customSettingsFile - echo " 'formatJSON': '$formatJSON'," >>$customSettingsFile - echo " 'enableHttps': true" >>$customSettingsFile - echo " }" >>$customSettingsFile -fi - #echo "Created custom settings file $customSettingsFile" - echo "Done ....." -else - echo "ERROR:customSettings file $customSettingsFile already exists for $releaseDir" - exit -fi -#echo "Content of custom settings file" -#echo "============================================================================" -# cat $customSettingsFile -#echo "============================================================================" -svclogicPropFile="./conf/svclogic.properties" -if [ ! -d "${appDir}/yangFiles" ] -then - mkdir -p "${appDir}/yangFiles" -fi -if [ ! -d "${appDir}/generatedJS" ] -then - mkdir -p "${appDir}/generatedJS" -fi - -if [ ! -e "./$svclogicPropFile" ] -then - echo "org.onap.ccsdk.sli.dbtype=jdbc" >$svclogicPropFile - echo "org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.dbServiceName}}.{{.Release.Namespace}}:3306/sdnctl" >>$svclogicPropFile - echo "org.onap.ccsdk.sli.jdbc.database=sdnctl" >>$svclogicPropFile - echo "org.onap.ccsdk.sli.jdbc.user=sdnctl" >>$svclogicPropFile - echo "org.onap.ccsdk.sli.jdbc.password={{.Values.config.dbSdnctlPassword}}" >>$svclogicPropFile -fi -if [ ! -e "${appDir}/flowShareUsers.js" ] -then - echo "module.exports = {\"flowShareUsers\":" >${appDir}/flowShareUsers.js - echo " [" >>${appDir}/flowShareUsers.js - echo " ]" >>${appDir}/flowShareUsers.js - echo "}" >>${appDir}/flowShareUsers.js -fi -grep "$releaseDir" ${appDir}/flowShareUsers.js >/dev/null 2>&1 -if [ "$?" != "0" ] -then - num_of_lines=$(cat ${appDir}/flowShareUsers.js|wc -l) - if [ $num_of_lines -gt 4 ] - then - content=$(head -n -2 ${appDir}/flowShareUsers.js) - echo "${content}," > ${appDir}/flowShareUsers.js - else - content=$(head -n -2 ${appDir}/flowShareUsers.js) - echo "$content" > ${appDir}/flowShareUsers.js - fi - echo " {" >> ${appDir}/flowShareUsers.js - echo " \"name\" : \"$name\"," >> ${appDir}/flowShareUsers.js - echo " \"rootDir\" : \"$releaseDir\"" >> ${appDir}/flowShareUsers.js - echo " }" >> ${appDir}/flowShareUsers.js - echo " ]" >> ${appDir}/flowShareUsers.js - echo "}" >> ${appDir}/flowShareUsers.js -fi diff --git a/kubernetes/common/dgbuilder/templates/configmap.yaml b/kubernetes/common/dgbuilder/templates/configmap.yaml index 24f61b5487..828818c68d 100644 --- a/kubernetes/common/dgbuilder/templates/configmap.yaml +++ b/kubernetes/common/dgbuilder/templates/configmap.yaml @@ -24,16 +24,3 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-scripts - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/scripts/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/dgbuilder/templates/deployment.yaml b/kubernetes/common/dgbuilder/templates/deployment.yaml index 495c4c6ab6..b3f0ab05a3 100644 --- a/kubernetes/common/dgbuilder/templates/deployment.yaml +++ b/kubernetes/common/dgbuilder/templates/deployment.yaml @@ -32,6 +32,40 @@ spec: spec: initContainers: - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: DB_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }} + - name: HTTP_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "http-user-creds" "key" "login") | indent 10 }} + - name: HTTP_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "http-user-creds" "key" "password") | indent 10 }} + - name: HTTP_ADMIN_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "admin-creds" "key" "login") | indent 10 }} + - name: HTTP_ADMIN_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "admin-creds" "key" "password") | indent 10 }} + - name: HTTP_NODE_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "node-creds" "key" "login") | indent 10 }} + - name: HTTP_NODE_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "node-creds" "key" "password") | indent 10 }} + - name: REST_CONF_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "restconf-creds" "key" "login") | indent 10 }} + - name: REST_CONF_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "restconf-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: config-input + - mountPath: /config + name: config + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + - command: - /root/ready.py args: - --container-name @@ -59,11 +93,6 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: - - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: db-root-password - name: SDNC_CONFIG_DIR value: /opt/onap/sdnc/data/properties volumeMounts: @@ -79,10 +108,7 @@ spec: - name: config mountPath: /opt/onap/ccsdk/dgbuilder/svclogic/svclogic.properties subPath: svclogic.properties - - name: scripts - mountPath: /opt/onap/ccsdk/dgbuilder/createReleaseDir.sh - subPath: createReleaseDir.sh - - name: scripts + - name: config mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/customSettings.js subPath: customSettings.js resources: @@ -99,12 +125,11 @@ spec: - name: localtime hostPath: path: /etc/localtime - - name: config + - name: config-input configMap: name: {{ include "common.fullname" . }}-config - - name: scripts - configMap: - name: {{ include "common.fullname" . }}-scripts - defaultMode: 0755 + - name: config + emptyDir: + medium: Memory imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/common/dgbuilder/templates/secrets.yaml b/kubernetes/common/dgbuilder/templates/secrets.yaml index e00d7cfc03..c9a409fdca 100644 --- a/kubernetes/common/dgbuilder/templates/secrets.yaml +++ b/kubernetes/common/dgbuilder/templates/secrets.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 AT&T, Amdocs, Bell Canada +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,16 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - db-root-password: {{ .Values.config.dbRootPassword | b64enc | quote }}
\ No newline at end of file +{{ include "common.secret" . }} diff --git a/kubernetes/common/dgbuilder/values.yaml b/kubernetes/common/dgbuilder/values.yaml index fa205e227e..96d7dffb0a 100644 --- a/kubernetes/common/dgbuilder/values.yaml +++ b/kubernetes/common/dgbuilder/values.yaml @@ -31,6 +31,9 @@ global: loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + # envsusbt + envsubstImage: dibi/envsubst + # image pull policy pullPolicy: Always @@ -43,6 +46,40 @@ global: debugEnabled: true ################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: 'db-root-password' + type: password + externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' + password: '{{ .Values.config.dbRootPassword }}' + - uid: 'db-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.dbSdnctlPassword }}' + - uid: 'http-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.httpCredsExternalSecret) . }}' + login: '{{ .Values.config.httpUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'admin-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.adminCredsExternalSecret) . }}' + login: '{{ .Values.config.adminUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'node-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.nodeCredsExternalSecret) . }}' + login: '{{ .Values.config.nodeUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'restconf-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.restconfCredsExternalSecret) . }}' + login: '{{ .Values.config.restconfUser }}' + password: '{{ .Values.config.restconfPassword }}' + +################################################################# # Application configuration defaults. ################################################################# # application image @@ -55,6 +92,32 @@ debugEnabled: false # application configuration config: + db: + dbName: sdnctl + # unused for now to preserve the API + rootPassword: openECOMP1.0 + # rootPasswordExternalSecret: some secret + userName: sdnctl + # unused for now to preserve the API + userPassword: gamma + # userCredentialsExternalSecret: some secret + httpUser: dguser + # unused for now to preserve the API + httpPassword: cc03e747a6afbbcbf8be7668acfebee5 + # httpCredsExternalSecret: some secret + adminUser: dguser + # unused for now to preserve the API + adminPassword: cc03e747a6afbbcbf8be7668acfebee5 + # adminCredsExternalSecret: some secret + nodeUser: dguser + # unused for now to preserve the API + nodePassword: cc03e747a6afbbcbf8be7668acfebee5 + # nodeCredsExternalSecret: some secret + restconfUser: admin + # unused for now to preserve the API + restconfPassword: admin + # restconfCredsExternalSecret: some secret + dbRootPassword: openECOMP1.0 dbSdnctlPassword: gamma dbPodName: mysql-db diff --git a/kubernetes/common/network-name-gen/requirements.yaml b/kubernetes/common/network-name-gen/requirements.yaml index 9ef8db89a4..eda693f832 100644 --- a/kubernetes/common/network-name-gen/requirements.yaml +++ b/kubernetes/common/network-name-gen/requirements.yaml @@ -18,4 +18,9 @@ dependencies: repository: '@local'
- name: mariadb-galera
version: ~5.x-0
- repository: file://../mariadb-galera/
+ repository: '@local'
+ condition: global.mariadbGalera.localCluster
+ - name: mariadb-init
+ version: ~5.x-0
+ repository: '@local'
+ condition: not global.mariadbGalera.localCluster
diff --git a/kubernetes/common/network-name-gen/templates/deployment.yaml b/kubernetes/common/network-name-gen/templates/deployment.yaml index 2f9cd6a158..a6d18e7a59 100644 --- a/kubernetes/common/network-name-gen/templates/deployment.yaml +++ b/kubernetes/common/network-name-gen/templates/deployment.yaml @@ -31,11 +31,19 @@ spec: release: {{ include "common.release" . }} spec: initContainers: +{{- if .Values.global.mariadbGalera.localCluster }} - command: - /root/ready.py args: - --container-name - {{ index .Values "mariadb-galera" "nameOverride" }} +{{- else }} + - command: + - /root/job_complete.py + args: + - --job-name + - {{ include "common.release" . }}-{{ index .Values "mariadb-init" "nameOverride" }}-config-job +{{- end }} env: - name: NAMESPACE valueFrom: @@ -53,11 +61,11 @@ spec: - name: SPRING_PROFILE value: "{{ .Values.config.springProfile }}" - name: NENG_DB_USER - {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10}} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "neng-db-secret" "key" "login") | indent 10}} - name: NENG_DB_PASS - {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10}} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "neng-db-secret" "key" "password") | indent 10}} - name: NENG_DB_URL - value: {{ .Values.config.dbUrl }} + value: jdbc:mysql://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ index .Values "mariadb-galera" "config" "mysqlDatabase" }} - name: POL_CLIENT_AUTH value: "{{ .Values.config.polClientAuth }}" - name: POL_BASIC_AUTH diff --git a/kubernetes/common/network-name-gen/values.yaml b/kubernetes/common/network-name-gen/values.yaml index d5897013c4..0defa97c26 100644 --- a/kubernetes/common/network-name-gen/values.yaml +++ b/kubernetes/common/network-name-gen/values.yaml @@ -32,24 +32,29 @@ global: # image pull policy pullPolicy: IfNotPresent + mariadbGalera: &mariadbGalera + #This flag allows SO to instantiate its own mariadb-galera cluster + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + ################################################################# # Secrets metaconfig ################################################################# secrets: - - uid: "db-user-creds" - externalSecret: '{{- include "common.mariadb.secret.userCredentialsSecretName" (dict "dot" . "chartName" (index .Values "mariadb-galera" "nameOverride")) }}' + - uid: neng-db-secret + name: '{{ include "common.release" . }}-neng-db-secret' type: basicAuth - - uid: "db-root-pass" - externalSecret: '{{- include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" (index .Values "mariadb-galera" "nameOverride")) }}' - type: password + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' # sub-chart config mariadb-galera: - config: - userName: nenguser - userPassword: nenguser123 - mariadbRootPassword: nenguser123 - mysqlDatabase: nengdb + config: &mariadbConfig + userCredentialsExternalSecret: '{{ include "common.release" . }}-neng-db-secret' + mysqlDatabase: nengdb nameOverride: nengdb service: name: nengdb @@ -59,6 +64,9 @@ mariadb-galera: enabled: true mountSubPath: network-name-gen/data +mariadb-init: + config: *mariadbConfig + nameOverride: nengdb-init ################################################################# # Application configuration defaults. @@ -70,7 +78,10 @@ pullPolicy: IfNotPresent # application configuration config: - dbUrl: jdbc:mysql://nengdb:3306/nengdb + db: + userName: nenguser + # userPassword: password + # userCredentialsExternalSecret: some-secret springProfile: live polClientAuth: cHl0aG9uOnRlc3Q= polBasicAuth: dGVzdHBkcDphbHBoYTEyMw== diff --git a/kubernetes/common/postgres/values.yaml b/kubernetes/common/postgres/values.yaml index c2131e9ad0..7aff189ba9 100644 --- a/kubernetes/common/postgres/values.yaml +++ b/kubernetes/common/postgres/values.yaml @@ -48,7 +48,7 @@ busyboxRepository: registry.hub.docker.com busyboxImage: library/busybox:latest postgresRepository: crunchydata -image: crunchy-postgres:centos7-10.4-2.0.0 +image: crunchy-postgres:centos7-10.11-4.2.1 pullPolicy: Always # application configuration diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml index ba247e151c..8756d57516 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml +++ b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml @@ -211,7 +211,7 @@ </logger> - <root level="INFO"> + <root level="{{.Values.config.dmaapDrNode.logLevel}}"> <appender-ref ref="asyncAudit" /> <appender-ref ref="asyncMetrics" /> <appender-ref ref="asyncDebug" /> diff --git a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml index 00e0d2d339..871a4228a2 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml @@ -120,3 +120,6 @@ config: portName2: dr-node-port2 nodePort: 93 nodePort2: 94 + # dr uses the EELF Logging framework https://github.com/att/EELF + # and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF + logLevel: "INFO" diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml index f67b1cf380..dba613c33c 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml @@ -397,7 +397,7 @@ - <root level="INFO"> + <root level="{{.Values.config.dmaapDrProv.logLevel}}"> <appender-ref ref="asyncEELF" /> <appender-ref ref="asyncEELFError" /> <appender-ref ref="asyncEELFjettylog" /> diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml index 8e3364f879..4dcd7c3319 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml @@ -79,6 +79,10 @@ config: portName2: dr-prov-port2 nodePort: 59 nodePort2: 69 + # dr uses the EELF Logging framework https://github.com/att/EELF + # and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF + logLevel: "INFO" + # dr-prov db configuration dmaapDrDb: mariadbServiceName: dmaap-dr-db-svc diff --git a/kubernetes/esr/charts/esr-server/values.yaml b/kubernetes/esr/charts/esr-server/values.yaml index 98203fc12f..5316210f38 100644 --- a/kubernetes/esr/charts/esr-server/values.yaml +++ b/kubernetes/esr/charts/esr-server/values.yaml @@ -27,7 +27,7 @@ subChartsOnly: # application image repository: nexus3.onap.org:10001 -image: onap/aai/esr-server:1.4.0 +image: onap/aai/esr-server:1.5.1 pullPolicy: Always msbaddr: msb-iag.{{ include "common.namespace" . }}:80 diff --git a/kubernetes/modeling/charts/modeling-etsicatalog/values.yaml b/kubernetes/modeling/charts/modeling-etsicatalog/values.yaml index 05f73e841c..353f2a7c70 100644 --- a/kubernetes/modeling/charts/modeling-etsicatalog/values.yaml +++ b/kubernetes/modeling/charts/modeling-etsicatalog/values.yaml @@ -24,7 +24,7 @@ global: config: msbServiceName: msb-iag - msbPort: 80 + msbPort: 443 persistence: mountPath: /dockerdata-nfs diff --git a/kubernetes/onap/resources/overrides/openstack.yaml b/kubernetes/onap/resources/overrides/openstack.yaml index a8294d249f..5e09d7cfe9 100644 --- a/kubernetes/onap/resources/overrides/openstack.yaml +++ b/kubernetes/onap/resources/overrides/openstack.yaml @@ -55,8 +55,12 @@ so: openStackUserName: "OPENSTACK_USERNAME_HERE" openStackKeyStoneUrl: "http://10.12.25.2:5000/v2.0" openStackEncryptedPasswordHere: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_ENCRYPTED_PASSWORD_HERE_XXXXXXXXXXXXXXXX" + # For Support of Keystone v3, uncomment and fill + # openStackKeystoneVersion: "KEYSTONE_V3" + # openStackProjectDomainName: "DEFAULT" + # openStackUserDomainName: "DEFAULT" nbi: config: # openstack configuration openStackRegion: "Yolo" - openStackVNFTenantId: "1234"
\ No newline at end of file + openStackVNFTenantId: "1234" diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml index d7a0ea5ca3..f623496537 100644 --- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml +++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml @@ -35,7 +35,7 @@ spec: - /root/ready.py args: - --container-name - - {{ .Values.mariadb.nameOverride }} + - {{ .Values.config.db.container }} env: - name: NAMESPACE valueFrom: @@ -50,18 +50,15 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: - name: DB_HOST - value: {{ .Values.config.db_host }}.{{.Release.Namespace}} + value: {{ .Values.config.db.host }}.{{.Release.Namespace}} - name: DB_PORT - value: {{ .Values.config.db_port | quote}} + value: {{ .Values.config.db.port | quote}} - name: DB_USERNAME - value: {{ .Values.config.db_root }} + value: {{ .Values.config.db.root }} - name: DB_SCHEMA - value: {{ .Values.config.mysqlDatabase }} + value: {{ .Values.config.db.mysqlDatabase }} - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-cmso-db-db-root-password - key: password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "cmso-db-root-password" "key" "password") | indent 10}} terminationMessagePolicy: File volumeMounts: - name: {{ include "common.fullname" . }}-config @@ -74,18 +71,15 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: - name: DB_HOST - value: {{ .Values.config.db_host }}.{{.Release.Namespace}} + value: {{ .Values.config.db.host }}.{{.Release.Namespace}} - name: DB_PORT - value: {{ .Values.config.db_port | quote}} + value: {{ .Values.config.db.port | quote}} - name: DB_USERNAME - value: {{ .Values.config.db_root }} + value: {{ .Values.config.db.root }} - name: DB_SCHEMA - value: {{ .Values.config.mysqlDatabase }} + value: {{ .Values.config.db.mysqlDatabase }} - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-cmso-db-db-root-password - key: password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "cmso-db-root-password" "key" "password") | indent 10}} - name: JAVA_TRUSTSTORE value: /share/etc/certs/{{ .Values.global.truststoreFile }} - name: SSL_KEYSTORE diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/secret.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/secret.yaml new file mode 100644 index 0000000000..dee311c336 --- /dev/null +++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secret" . }} diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/values.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/values.yaml index af56717fdc..a9a89ddd72 100644 --- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/values.yaml +++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/values.yaml @@ -35,6 +35,23 @@ dbinit: # flag to enable debugging - application support required debugEnabled: false + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: cmso-db-root-password + type: password + password: '{{ .Values.config.db.rootPassword }}' + externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' + policy: required + - uid: cmso-db-user-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.user }}' + password: '{{ .Values.config.db.password }}' + passwordPolicy: required + ################################################################# # Application configuration defaults. ################################################################# @@ -70,19 +87,22 @@ service: config: - db_root: root - db_user: cmso-admin - mysqlDatabase: optimizer - db_host: oof-cmso-dbhost - db_port: 3306 + db: + port: 3306 + root: root +# rootPassword: pass +# rootPasswordExternalSecret: some secret +# user: cmso-admin +# password: pass +# userCredentialsExternalSecret: some-secret +# host: host +# container: container +# mysqlDatabase: optimizer topology_host: oof-cmso-topology topology_port: 7998 ticketmgt_host: oof-cmso-ticketmgt ticketmgt_port: 7999 -mariadb: - nameOverride: cmso-db - ingress: enabled: false diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml index 385d61684f..b0afb6e285 100644 --- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml +++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml @@ -35,7 +35,7 @@ spec: - /root/ready.py args: - --container-name - - {{ .Values.mariadb.nameOverride }} + - {{ .Values.config.db.container }} env: - name: NAMESPACE valueFrom: @@ -50,18 +50,15 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: - name: DB_HOST - value: {{ .Values.config.db_host }}.{{.Release.Namespace}} + value: {{ .Values.config.db.host }}.{{.Release.Namespace}} - name: DB_PORT - value: {{ .Values.config.db_port | quote}} + value: {{ .Values.config.db.port | quote}} - name: DB_USERNAME - value: {{ .Values.config.db_root }} + value: {{ .Values.config.db.root }} - name: DB_SCHEMA - value: {{ .Values.config.mysqlDatabase }} + value: {{ .Values.config.db.mysqlDatabase }} - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-cmso-db-db-root-password - key: password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "cmso-db-root-password" "key" "password") | indent 10}} terminationMessagePolicy: File volumeMounts: - name: {{ include "common.fullname" . }}-config @@ -98,18 +95,15 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: - name: DB_HOST - value: {{ .Values.config.db_host }}.{{.Release.Namespace}} + value: {{ .Values.config.db.host }}.{{.Release.Namespace}} - name: DB_PORT - value: {{ .Values.config.db_port | quote}} + value: {{ .Values.config.db.port | quote}} - name: DB_USERNAME - value: {{ .Values.config.db_user }} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "cmso-db-user-secret" "key" "login") | indent 10}} - name: DB_SCHEMA - value: {{ .Values.config.mysqlDatabase }} + value: {{ .Values.config.db.mysqlDatabase }} - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.release" . }}-cmso-db-db-user-credentials - key: password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "cmso-db-user-secret" "key" "password") | indent 10}} - name: JAVA_TRUSTSTORE value: /share/etc/certs/{{ .Values.global.truststoreFile }} - name: SSL_KEYSTORE diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/secret.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/secret.yaml new file mode 100644 index 0000000000..dee311c336 --- /dev/null +++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secret" . }} diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/values.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/values.yaml index 85f6094615..345f03d4d3 100644 --- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/values.yaml +++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/values.yaml @@ -37,6 +37,22 @@ dbinit: debugEnabled: false ################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: cmso-db-root-password + type: password + password: '{{ .Values.config.db.rootPassword }}' + externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' + policy: required + - uid: cmso-db-user-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.user }}' + password: '{{ .Values.config.db.password }}' + passwordPolicy: required + +################################################################# # Application configuration defaults. ################################################################# # default number of instances @@ -71,17 +87,20 @@ service: config: - db_root: root - db_user: cmso-admin - mysqlDatabase: cmso - db_host: oof-cmso-dbhost - db_port: 3306 + db: + port: 3306 + root: root +# rootPassword: pass +# rootPasswordExternalSecret: some secret +# user: cmso-admin +# password: pass +# userCredentialsExternalSecret: some-secret +# host: host +# container: container +# mysqlDatabase: cmso optimizer_host: oof-cmso-optimizer optimizer_port: 7997 -mariadb: - nameOverride: cmso-db - ingress: enabled: false diff --git a/kubernetes/oof/charts/oof-cmso/templates/secret.yaml b/kubernetes/oof/charts/oof-cmso/templates/secret.yaml index 11a9221fed..3c61bf3bdc 100644 --- a/kubernetes/oof/charts/oof-cmso/templates/secret.yaml +++ b/kubernetes/oof/charts/oof-cmso/templates/secret.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,6 +13,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +{{ include "common.secret" . }} +--- apiVersion: v1 kind: Secret metadata: diff --git a/kubernetes/oof/charts/oof-cmso/values.yaml b/kubernetes/oof/charts/oof-cmso/values.yaml index c97138bded..2b8ad9487d 100644 --- a/kubernetes/oof/charts/oof-cmso/values.yaml +++ b/kubernetes/oof/charts/oof-cmso/values.yaml @@ -12,6 +12,23 @@ # See the License for the specific language governing permissions and # limitations under the License. +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: cmso-db-root-password + name: '{{ include "common.release" . }}-cmso-db-root-password' + type: password + password: '' + policy: generate + - uid: cmso-db-secret + name: '{{ include "common.release" . }}-cmso-db-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' + passwordPolicy: generate + mariadb-galera: replicaCount: 1 nameOverride: cmso-db @@ -26,9 +43,8 @@ mariadb-galera: enabled: true disableNfsProvisioner: true config: - mariadbRootPassword: beer - userName: cmso-admin - userPassword: nimda-osmc + mariadbRootPasswordExternalSecret: '{{ include "common.release" . }}-cmso-db-root-password' + userCredentialsExternalSecret: '{{ include "common.release" . }}-cmso-db-secret' mysqlDatabase: cmso externalConfig: | [mysqld] @@ -49,4 +65,26 @@ flavor: small config: log: logstashServiceName: log-ls - logstashPort: 5044
\ No newline at end of file + logstashPort: 5044 + db: + # userCredentialsExternalsecret: some secret + userName: cmso-admin + # userPassword: password + +oof-cmso-service: + config: + db: + userCredentialsExternalSecret: '{{ include "common.release" . }}-cmso-db-secret' + rootPasswordExternalSecret: '{{ include "common.release" . }}-cmso-db-root-password' + host: oof-cmso-dbhost + container: cmso-db + mysqlDatabase: cmso + +oof-cmso-optimizer: + config: + db: + userCredentialsExternalSecret: '{{ include "common.release" . }}-cmso-db-secret' + rootPasswordExternalSecret: '{{ include "common.release" . }}-cmso-db-root-password' + host: oof-cmso-dbhost + container: cmso-db + mysqlDatabase: optimizer diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml index a6a3f6bd22..a7deeaeca0 100644 --- a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml +++ b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml @@ -99,7 +99,7 @@ cert: persistence: enabled: true size: 10Mi - accessMode: ReadOnlyMany + accessMode: ReadWriteOnce volumeReclaimPolicy: Retain mountSubPath: /sdc/onbaording/cert diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/aai.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/aai.properties index 66e62672b2..f9640a95db 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/aai.properties +++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/aai.properties @@ -30,6 +30,6 @@ AFT_DME2_ROUNDTRIP_TIMEOUT_MS=240000 AFT_DME2_EP_READ_TIMEOUT_MS=50000 sessionstickinessrequired=NO DME2preferredRouterFilePath=/opt/onap/sdnc/data/properties/dmaap-listener.preferredRoute.txt -sdnc.odl.user=admin -sdnc.odl.password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U +sdnc.odl.user=${ODL_USER} +sdnc.odl.password=${ODL_PASSWORD} sdnc.odl.url-base=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations
\ No newline at end of file diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dblib.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dblib.properties index 8a0a102396..beb514e583 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dblib.properties +++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dblib.properties @@ -1,7 +1,6 @@ ### # ============LICENSE_START======================================================= -# Copyright (C) 2018 ONAP Intellectual Property. All rights -# reserved. +# Copyright (C) 2018 ONAP Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,11 +17,11 @@ ### org.onap.ccsdk.sli.dbtype=jdbc org.onap.ccsdk.sli.jdbc.hosts=sdnctldb01 -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGalera.serviceName}}.{{.Release.Namespace}}:{{.Values.config.mariadbGalera.internalPort}}/sdnctl +org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{include "common.mariadbService" $}}:{{include "common.mariadbPort" $}}/{{index $.Values "mariadb-galera" "config" "mysqlDatabase"}} org.onap.ccsdk.sli.jdbc.driver=org.mariadb.jdbc.Driver -org.onap.ccsdk.sli.jdbc.database=sdnctl -org.onap.ccsdk.sli.jdbc.user=sdnctl -org.onap.ccsdk.sli.jdbc.password=gamma +org.onap.ccsdk.sli.jdbc.database={{index $.Values "mariadb-galera" "config" "mysqlDatabase"}} +org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER} +org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWORD} org.onap.ccsdk.sli.jdbc.connection.name=sdnctldb01 org.onap.ccsdk.sli.jdbc.connection.timeout=50 org.onap.ccsdk.sli.jdbc.request.timeout=100 diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dhcpalert.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dhcpalert.properties index 422696afbd..96f40790c6 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/dhcpalert.properties +++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/dhcpalert.properties @@ -30,6 +30,6 @@ AFT_DME2_ROUNDTRIP_TIMEOUT_MS=240000 AFT_DME2_EP_READ_TIMEOUT_MS=50000 sessionstickinessrequired=NO DME2preferredRouterFilePath=/opt/onap/sdnc/data/properties/dmaap-listener.preferredRoute.txt -sdnc.odl.user=admin -sdnc.odl.password={{.Values.config.odlPassword}} +sdnc.odl.user=${ODL_USER} +sdnc.odl.password=${ODL_PASSWORD} sdnc.odl.url-base=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations diff --git a/kubernetes/sdnc/charts/dmaap-listener/resources/config/lcm.properties b/kubernetes/sdnc/charts/dmaap-listener/resources/config/lcm.properties index f38f701064..0b52b3febb 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/resources/config/lcm.properties +++ b/kubernetes/sdnc/charts/dmaap-listener/resources/config/lcm.properties @@ -30,6 +30,6 @@ AFT_DME2_ROUNDTRIP_TIMEOUT_MS=240000 AFT_DME2_EP_READ_TIMEOUT_MS=50000 sessionstickinessrequired=NO DME2preferredRouterFilePath=/opt/onap/sdnc/data/properties/dmaap-listener.preferredRoute.txt -sdnc.odl.user=admin -sdnc.odl.password={{.Values.config.odlPassword}} +sdnc.odl.user=${ODL_USER} +sdnc.odl.password=${ODL_PASSWORD} sdnc.odl.url-base=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations
\ No newline at end of file diff --git a/kubernetes/sdnc/charts/dmaap-listener/templates/deployment.yaml b/kubernetes/sdnc/charts/dmaap-listener/templates/deployment.yaml index 7d8178b7b5..7ef5ca4998 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/templates/deployment.yaml +++ b/kubernetes/sdnc/charts/dmaap-listener/templates/deployment.yaml @@ -32,10 +32,33 @@ spec: spec: initContainers: - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: SDNC_DB_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} + - name: SDNC_DB_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + - name: ODL_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "login") | indent 10 }} + - name: ODL_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: config-input + - mountPath: /config + name: properties + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + + - command: - /root/ready.py args: - --container-name - - {{ .Values.config.mariadbGalera.chartName }} + - {{ include "common.mariadbService" . }} - --container-name - {{ .Values.config.sdncChartName }} - --container-name @@ -91,9 +114,12 @@ spec: - name: localtime hostPath: path: /etc/localtime - - name: properties + - name: config-input configMap: name: {{ include "common.fullname" . }} defaultMode: 0644 + - name: properties + emptyDir: + medium: Memory imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/sdnc/charts/dmaap-listener/values.yaml b/kubernetes/sdnc/charts/dmaap-listener/values.yaml index 4965d96908..d90da63e6d 100644 --- a/kubernetes/sdnc/charts/dmaap-listener/values.yaml +++ b/kubernetes/sdnc/charts/dmaap-listener/values.yaml @@ -21,6 +21,35 @@ global: readinessImage: readiness-check:2.0.2 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + # envsusbt + envsubstImage: dibi/envsubst + mariadbGalera: + #This flag allows SO to instantiate its own mariadb-galera cluster + #If shared instance is used, this chart assumes that DB already exists + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-secret + name: &dbSecretName '{{ include "common.release" . }}-sdnc-dmaap-listener-db-secret' + type: basicAuth + # This is a nasty trick that allows you override this secret using external one + # with the same field that is used to pass this to subchart + externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) (hasSuffix "sdnc-dmaap-listener-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}' + login: '{{ index .Values "mariadb-galera" "config" "userName" }}' + password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}' + passwordPolicy: required + - uid: odl-creds + type: basicAuth + externalSecret: '{{ .Values.config.odlCredsExternalSecret }}' + login: '{{ .Values.config.odlUser }}' + password: '{{ .Values.config.odlPassword }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -40,11 +69,25 @@ config: sdncPort: 8282 msgRouterContainerName: message-router configDir: /opt/onap/sdnc/data/properties + odlUser: admin odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - mariadbGalera: - chartName: mariadb-galera - serviceName: mariadb-galera + # odlCredsExternalSecret: some secret + +mariadb-galera: + config: + userCredentialsExternalSecret: *dbSecretName + userName: sdnctl + userPassword: gamma + mysqlDatabase: sdnctl + nameOverride: dmaap-listener-galera + service: + name: dmaap-listener-galera + portName: dmaap-listener-galera internalPort: 3306 + replicaCount: 1 + persistence: + enabled: true + mountSubPath: dmaap-listener/maria/data # default number of instances replicaCount: 1 diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config b/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config index eb88d7236b..7dc5c19e12 100644 --- a/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config +++ b/kubernetes/sdnc/charts/sdnc-ansible-server/resources/config/RestServer_config @@ -13,33 +13,33 @@ # limitations under the License. # Host definition -ip: 0.0.0.0 -port: {{.Values.service.internalPort}} +ip: 0.0.0.0 +port: {{.Values.service.internalPort}} # Security (controls use of TLS encrypton and RestServer authentication) -tls: no -auth: no +tls: no +auth: no # TLS certificates (must be built on application host) -priv: provide_privated_key.pem -pub: provide_public_key.pem +priv: provide_privated_key.pem +pub: provide_public_key.pem # RestServer authentication -id: sdnc -psswd: sdnc +id: ${REST_USER} +psswd: ${REST_PASSWORD} # Mysql -host: {{.Values.config.mariadbGalera.serviceName}} -user: sdnc -passwd: sdnc -db: ansible +host: {{ include "common.mariadbService" $ }} +user: ${DB_USER} +passwd: ${DB_PASSWORD} +db: {{ index .Values "mariadb-galera" "config" "mysqlDatabase" }} # Playbooks -from_files: yes -ansible_path: /opt/onap/sdnc/Playbooks -ansible_inv: Ansible_inventory -ansible_temp: PlaybooksTemp -timeout_seconds: 60 +from_files: yes +ansible_path: /opt/onap/sdnc/Playbooks +ansible_inv: Ansible_inventory +ansible_temp: PlaybooksTemp +timeout_seconds: 60 # Blocking on GetResults -getresults_block: yes +getresults_block: yes diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml index 2233099224..d353adaf58 100644 --- a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml +++ b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml @@ -32,6 +32,29 @@ spec: spec: initContainers: - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: DB_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + - name: REST_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "rest-creds" "key" "login") | indent 10 }} + - name: REST_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "rest-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: config-input + - mountPath: /config + name: config + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + + - command: - /root/ready.py args: - --container-name @@ -89,9 +112,12 @@ spec: - name: localtime hostPath: path: /etc/localtime - - name: config + - name: config-input configMap: name: {{ include "common.fullname" . }} defaultMode: 0644 + - name: config + emptyDir: + medium: Memory imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/secret.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/secret.yaml new file mode 100644 index 0000000000..dee311c336 --- /dev/null +++ b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secret" . }} diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml index db7c63cfa4..b0b3c81c8f 100644 --- a/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml +++ b/kubernetes/sdnc/charts/sdnc-ansible-server/values.yaml @@ -21,6 +21,35 @@ global: readinessImage: readiness-check:2.0.2 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + # envsusbt + envsubstImage: dibi/envsubst + mariadbGalera: + #This flag allows SO to instantiate its own mariadb-galera cluster + #If shared instance is used, this chart assumes that DB already exists + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-secret + name: &dbSecretName '{{ include "common.release" . }}-sdnc-ansible-server-db-secret' + type: basicAuth + # This is a nasty trick that allows you override this secret using external one + # with the same field that is used to pass this to subchart + externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) (hasSuffix "sdnc-ansible-server-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}' + login: '{{ index .Values "mariadb-galera" "config" "userName" }}' + password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}' + passwordPolicy: required + - uid: rest-creds + type: basicAuth + externalSecret: '{{ .Values.config.restCredsExternalSecret }}' + login: '{{ .Values.config.restUser }}' + password: '{{ .Values.config.restPassword }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -37,9 +66,25 @@ debugEnabled: false config: sdncChartName: sdnc configDir: /opt/onap/sdnc - mariadbGalera: - serviceName: mariadb-galera + restUser: sdnc + restPassword: sdnc + # restCredsExternalSecret: some secret +mariadb-galera: + config: + userCredentialsExternalSecret: *dbSecretName + userName: sdnc + userPassword: sdnc + mysqlDatabase: ansible + nameOverride: ansible-server-galera + service: + name: ansible-server-galera + portName: ansible-server-galera + internalPort: 3306 + replicaCount: 1 + persistence: + enabled: true + mountSubPath: ansible-server/maria/data # default number of instances replicaCount: 1 diff --git a/kubernetes/sdnc/charts/ueb-listener/resources/config/dblib.properties b/kubernetes/sdnc/charts/ueb-listener/resources/config/dblib.properties index fdc2218532..b4e69d36f5 100644 --- a/kubernetes/sdnc/charts/ueb-listener/resources/config/dblib.properties +++ b/kubernetes/sdnc/charts/ueb-listener/resources/config/dblib.properties @@ -2,8 +2,8 @@ # ============LICENSE_START======================================================= # openECOMP : SDN-C # ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. +# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. +# Copyright (C) 2020 Samsung Electrinics # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,11 +23,11 @@ org.onap.ccsdk.sli.dbtype=jdbc org.onap.ccsdk.sli.jdbc.hosts=sdnctldb01 -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGalera.serviceName}}.{{.Release.Namespace}}:{{.Values.config.mariadbGalera.internalPort}}/sdnctl +org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{include "common.mariadbService" $}}:{{include "common.mariadbPort" $}}/{{index $.Values "mariadb-galera" "config" "mysqlDatabase"}} org.onap.ccsdk.sli.jdbc.driver=org.mariadb.jdbc.Driver -org.onap.ccsdk.sli.jdbc.database=sdnctl -org.onap.ccsdk.sli.jdbc.user=sdnctl -org.onap.ccsdk.sli.jdbc.password=gamma +org.onap.ccsdk.sli.jdbc.database={{index $.Values "mariadb-galera" "config" "mysqlDatabase"}} +org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER} +org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWORD} org.onap.ccsdk.sli.jdbc.connection.name=sdnctldb01 org.onap.ccsdk.sli.jdbc.connection.timeout=50 org.onap.ccsdk.sli.jdbc.request.timeout=100 diff --git a/kubernetes/sdnc/charts/ueb-listener/resources/config/ueb-listener.properties b/kubernetes/sdnc/charts/ueb-listener/resources/config/ueb-listener.properties index 86e51317f2..946773b18b 100644 --- a/kubernetes/sdnc/charts/ueb-listener/resources/config/ueb-listener.properties +++ b/kubernetes/sdnc/charts/ueb-listener/resources/config/ueb-listener.properties @@ -2,10 +2,10 @@ org.onap.ccsdk.sli.northbound.uebclient.asdc-address=sdc-be.{{.Release.Namespace org.onap.ccsdk.sli.northbound.uebclient.consumer-group=sdc-OpenSource-Env1-sdnc-dockero org.onap.ccsdk.sli.northbound.uebclient.consumer-id=sdc-COpenSource-Env11-sdnc-dockero org.onap.ccsdk.sli.northbound.uebclient.environment-name=AUTO -org.onap.ccsdk.sli.northbound.uebclient.password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U -org.onap.ccsdk.sli.northbound.uebclient.user=sdnc -org.onap.ccsdk.sli.northbound.uebclient.sdnc-user=admin -org.onap.ccsdk.sli.northbound.uebclient.sdnc-passwd={{.Values.config.odlPassword}} +org.onap.ccsdk.sli.northbound.uebclient.password=${UEB_PASSWORD} +org.onap.ccsdk.sli.northbound.uebclient.user=${UEB_USER} +org.onap.ccsdk.sli.northbound.uebclient.sdnc-user=${ODL_USER} +org.onap.ccsdk.sli.northbound.uebclient.sdnc-passwd=${ODL_PASSWORD} org.onap.ccsdk.sli.northbound.uebclient.asdc-api-base-url=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations/ org.onap.ccsdk.sli.northbound.uebclient.asdc-api-namespace=org:onap:ccsdk org.onap.ccsdk.sli.northbound.uebclient.spool.incoming=/opt/onap/sdnc/ueb-listener/spool/incoming diff --git a/kubernetes/sdnc/charts/ueb-listener/templates/deployment.yaml b/kubernetes/sdnc/charts/ueb-listener/templates/deployment.yaml index 154d36c411..da72e1e558 100644 --- a/kubernetes/sdnc/charts/ueb-listener/templates/deployment.yaml +++ b/kubernetes/sdnc/charts/ueb-listener/templates/deployment.yaml @@ -32,10 +32,36 @@ spec: spec: initContainers: - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: SDNC_DB_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} + - name: SDNC_DB_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + - name: UEB_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "ueb-creds" "key" "login") | indent 10 }} + - name: UEB_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "ueb-creds" "key" "password") | indent 10 }} + - name: ODL_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "login") | indent 10 }} + - name: ODL_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: config-input + - mountPath: /config + name: properties + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + - command: - /root/ready.py args: - --container-name - - {{ .Values.config.mariadbGalera.chartName }} + - {{ include "common.mariadbService" . }} - --container-name - {{ .Values.config.sdncChartName }} - --container-name @@ -87,9 +113,12 @@ spec: - name: localtime hostPath: path: /etc/localtime - - name: properties + - name: config-input configMap: name: {{ include "common.fullname" . }} defaultMode: 0644 + - name: properties + emptyDir: + medium: Memory imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/sdnc/charts/ueb-listener/templates/secret.yaml b/kubernetes/sdnc/charts/ueb-listener/templates/secret.yaml new file mode 100644 index 0000000000..dee311c336 --- /dev/null +++ b/kubernetes/sdnc/charts/ueb-listener/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secret" . }} diff --git a/kubernetes/sdnc/charts/ueb-listener/values.yaml b/kubernetes/sdnc/charts/ueb-listener/values.yaml index b4b42fdbc5..03fbf52f9b 100644 --- a/kubernetes/sdnc/charts/ueb-listener/values.yaml +++ b/kubernetes/sdnc/charts/ueb-listener/values.yaml @@ -21,6 +21,41 @@ global: readinessImage: readiness-check:2.0.2 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + # envsusbt + envsubstImage: dibi/envsubst + mariadbGalera: + #This flag allows SO to instantiate its own mariadb-galera cluster + #If shared instance is used, this chart assumes that DB already exists + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-secret + name: '{{ include "common.release" . }}-sdnc-ueb-listener-db-secret' + type: basicAuth + # This is a nasty trick that allows you override this secret using external one + # with the same field that is used to pass this to subchart + externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) (hasSuffix "sdnc-ueb-listener-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}' + login: '{{ index .Values "mariadb-galera" "config" "userName" }}' + password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}' + passwordPolicy: required + - uid: odl-creds + type: basicAuth + externalSecret: '{{ .Values.config.odlCredsExternalSecret }}' + login: '{{ .Values.config.odlUser }}' + password: '{{ .Values.config.odlPassword }}' + passwordPolicy: required + - uid: ueb-creds + type: basicAuth + externalSecret: '{{ .Values.config.odlCredsExternalSecret }}' + login: '{{ .Values.config.uebUser }}' + password: '{{ .Values.config.uebPassword }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -40,11 +75,30 @@ config: sdcbeChartName: sdc-be msgRouterContainerName: message-router configDir: /opt/onap/sdnc/data/properties + uebUser: sdnc + uebPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + # uebCredsExternalSecret: some secret + odlUser: admin odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - mariadbGalera: - chartName: mariadb-galera - serviceName: mariadb-galera + # odlCredsExternalSecret: some secret + +mariadb-galera: + # '&mariadbConfig' means we "store" the values for later use in the file + # with '*mariadbConfig' pointer. + config: + userCredentialsExternalSecret: '{{ include "common.release" . }}-sdnc-ueb-listener-db-secret' + userName: sdnctl + userPassword: gamma + mysqlDatabase: sdnctl + nameOverride: ueb-listener-galera + service: + name: ueb-listener-galera + portName: ueb-listener-galera internalPort: 3306 + replicaCount: 1 + persistence: + enabled: true + mountSubPath: ueb-listener/maria/data # default number of instances replicaCount: 1 diff --git a/kubernetes/so/charts/so-catalog-db-adapter/resources/config/overrides/override.yaml b/kubernetes/so/charts/so-catalog-db-adapter/resources/config/overrides/override.yaml index 952642c48a..fb83e4e26b 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/charts/so-catalog-db-adapter/resources/config/overrides/override.yaml @@ -69,7 +69,7 @@ cloud_config: admin_tenant: "{{ .Values.config.openStackServiceTenantName }}" member_role: "admin" tenant_metadata: true - identity_server_type: "KEYSTONE" + identity_server_type: "{{ .Values.config.openStackKeystoneVersion }}" identity_authentication_type: "USERNAME_PASSWORD" project_domain_name: "{{ .Values.config.openStackProjectDomainName }}" user_domain_name: "{{ .Values.config.openStackUserDomainName }}" diff --git a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml b/kubernetes/so/charts/so-catalog-db-adapter/values.yaml index 4685fd166a..c4e23164f2 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml +++ b/kubernetes/so/charts/so-catalog-db-adapter/values.yaml @@ -83,6 +83,8 @@ config: openStackTenantId: "d570c718cbc545029f40e50b75eb13df" openStackProjectDomainName: "openStackProjectDomainName" openStackUserDomainName: "openStackUserDomainName" + # "KEYSTONE" for keystone v2, "KEYSTONE_V3" for keystone v3 + openStackKeystoneVersion: "KEYSTONE" nodeSelector: {} tolerations: [] affinity: {} |