diff options
Diffstat (limited to 'kubernetes')
245 files changed, 2301 insertions, 1096 deletions
diff --git a/kubernetes/Makefile b/kubernetes/Makefile index b25381fd81..dfad45ff24 100644 --- a/kubernetes/Makefile +++ b/kubernetes/Makefile @@ -19,6 +19,7 @@ ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) OUTPUT_DIR := $(ROOT_DIR)/dist PACKAGE_DIR := $(OUTPUT_DIR)/packages SECRET_DIR := $(OUTPUT_DIR)/secrets +HELM_VER := $(shell helm version --template "{{.Version}}") ifneq ($(SKIP_LINT),TRUE) HELM_LINT_CMD := helm lint @@ -65,7 +66,12 @@ lint-%: dep-% package-%: lint-% @mkdir -p $(PACKAGE_DIR) +ifeq "$(findstring v3,$(HELM_VER))" "v3" + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$(helm package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && helm push -f $$PACKAGE_NAME local; fi +else @if [ -f $*/Chart.yaml ]; then helm package -d $(PACKAGE_DIR) $*; fi +endif + @helm repo index $(PACKAGE_DIR) clean: diff --git a/kubernetes/aai b/kubernetes/aai -Subproject 944970742185cccb73110875d1b4ad9f7305337 +Subproject fa694e0feb325333cfffb7d7852aa97264f96b6 diff --git a/kubernetes/clamp/components/clamp-backend/resources/config/application.properties b/kubernetes/clamp/components/clamp-backend/resources/config/application.properties index b2cee395b9..5bea37aaa3 100644 --- a/kubernetes/clamp/components/clamp-backend/resources/config/application.properties +++ b/kubernetes/clamp/components/clamp-backend/resources/config/application.properties @@ -43,7 +43,7 @@ server.ssl.trust-store-password=${cadi_truststore_password} spring.datasource.username=${MYSQL_USER} spring.datasource.password=${MYSQL_PASSWORD} spring.datasource.url=jdbc:mariadb:sequential://clampdb.{{ include "common.namespace" . }}:3306/${MYSQL_DATABASE}?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3 -spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller,clamp-ssl-config,clamp-policy-controller,legacy-operational-policy,default-dictionary-elements +spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller,clamp-ssl-config,clamp-policy-controller,default-dictionary-elements #The log folder that will be used in logback.xml file clamp.config.files.sdcController=file:/opt/clamp/sdc-controllers-config.json @@ -66,4 +66,4 @@ clamp.config.dcae.deployment.userName=none clamp.config.dcae.deployment.password=none #AAF related parameters -clamp.config.cadi.aafLocateUrl=https://aaf-locate.{{ include "common.namespace" . }}:8095
\ No newline at end of file +clamp.config.cadi.aafLocateUrl=https://aaf-locate.{{ include "common.namespace" . }}:8095 diff --git a/kubernetes/clamp/components/clamp-backend/templates/deployment.yaml b/kubernetes/clamp/components/clamp-backend/templates/deployment.yaml index f86c636a43..e0b441b46c 100644 --- a/kubernetes/clamp/components/clamp-backend/templates/deployment.yaml +++ b/kubernetes/clamp/components/clamp-backend/templates/deployment.yaml @@ -65,7 +65,7 @@ spec: - -c - | export $(grep '^cadi_' {{ .Values.certInitializer.credsPath }}/org.onap.clamp.cred.props | xargs -0) - java -Djava.security.egd=file:/dev/./urandom -Xms256m -Xmx1g -jar ./app.jar + java -Djava.security.egd=file:/dev/./urandom -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=75 -jar ./app.jar {{- else }} args: - "" diff --git a/kubernetes/clamp/components/clamp-backend/values.yaml b/kubernetes/clamp/components/clamp-backend/values.yaml index a6d5ca0b4c..c3fee5d79e 100644 --- a/kubernetes/clamp/components/clamp-backend/values.yaml +++ b/kubernetes/clamp/components/clamp-backend/values.yaml @@ -66,7 +66,7 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/clamp-backend:5.1.0 +image: onap/clamp-backend:5.1.3 pullPolicy: Always # flag to enable debugging - application support required @@ -105,6 +105,7 @@ affinity: {} liveness: initialDelaySeconds: 120 periodSeconds: 10 + timeoutSeconds: 3 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true @@ -112,7 +113,7 @@ liveness: readiness: initialDelaySeconds: 10 periodSeconds: 10 - + timeoutSeconds: 3 service: type: ClusterIP @@ -139,15 +140,15 @@ resources: small: limits: cpu: 1 - memory: 1.2Gi + memory: 1Gi requests: cpu: 10m - memory: 800Mi + memory: 1Gi large: limits: cpu: 1 - memory: 1.2Gi + memory: 3Gi requests: cpu: 10m - memory: 800Mi + memory: 3Gi unlimited: {} diff --git a/kubernetes/clamp/components/clamp-mariadb/values.yaml b/kubernetes/clamp/components/clamp-mariadb/values.yaml index 492145ae07..f9a31b6b86 100644 --- a/kubernetes/clamp/components/clamp-mariadb/values.yaml +++ b/kubernetes/clamp/components/clamp-mariadb/values.yaml @@ -55,15 +55,17 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 10 + initialDelaySeconds: 30 periodSeconds: 10 + timeoutSeconds: 3 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true readiness: - initialDelaySeconds: 10 + initialDelaySeconds: 30 periodSeconds: 10 + timeoutSeconds: 3 ## Persist data to a persitent volume persistence: diff --git a/kubernetes/clamp/values.yaml b/kubernetes/clamp/values.yaml index d180fbf729..0a8a7b643a 100644 --- a/kubernetes/clamp/values.yaml +++ b/kubernetes/clamp/values.yaml @@ -93,7 +93,7 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/clamp-frontend:5.1.0 +image: onap/clamp-frontend:5.1.3 pullPolicy: Always # flag to enable debugging - application support required @@ -123,6 +123,7 @@ affinity: {} liveness: initialDelaySeconds: 120 periodSeconds: 10 + timeoutSeconds: 3 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true @@ -130,7 +131,7 @@ liveness: readiness: initialDelaySeconds: 10 periodSeconds: 10 - + timeoutSeconds: 3 service: type: NodePort diff --git a/kubernetes/common/mongo/templates/statefulset.yaml b/kubernetes/common/mongo/templates/statefulset.yaml index abc71b3133..df922ed004 100644 --- a/kubernetes/common/mongo/templates/statefulset.yaml +++ b/kubernetes/common/mongo/templates/statefulset.yaml @@ -71,8 +71,7 @@ spec: volumeMounts: - name: {{ include "common.fullname" . }}-data mountPath: /var/lib/mongo - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{ include "common.containerSecurityContext" . | indent 10 }} {{- if .Values.nodeSelector }} nodeSelector: diff --git a/kubernetes/common/mongo/values.yaml b/kubernetes/common/mongo/values.yaml index d8988c3ae7..b21b0bf758 100644 --- a/kubernetes/common/mongo/values.yaml +++ b/kubernetes/common/mongo/values.yaml @@ -90,7 +90,6 @@ securityContext: ingress: enabled: false -resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -101,13 +100,22 @@ resources: {} # ref: http://kubernetes.io/docs/user-guide/compute-resources/ # Minimum memory for development is 2 CPU cores and 4GB memory # Minimum memory for production is 4 CPU cores and 8GB memory -#resources: -# limits: -# cpu: 2 -# memory: 4Gi -# requests: -# cpu: 2 -# memory: 4Gi +resources: + small: + limits: + cpu: 100m + memory: 200Mi + requests: + cpu: 10m + memory: 50Mi + large: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + unlimited: {} sdnctlPrefix: mongo diff --git a/kubernetes/contrib/components/awx/charts/awx/templates/job.yaml b/kubernetes/contrib/components/awx/charts/awx/templates/job.yaml index 4d80c9e448..74c02bcd5f 100644 --- a/kubernetes/contrib/components/awx/charts/awx/templates/job.yaml +++ b/kubernetes/contrib/components/awx/charts/awx/templates/job.yaml @@ -37,7 +37,7 @@ spec: restartPolicy: Never initContainers: - name: {{ include "common.name" . }}-init-readiness - image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" + image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /app/ready.py @@ -122,4 +122,4 @@ spec: name: {{ include "common.fullname" . }}-rabbitmq name: rabbitmq-config imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key"
\ No newline at end of file + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/awx/charts/awx/templates/statefulset.yaml b/kubernetes/contrib/components/awx/charts/awx/templates/statefulset.yaml index cfc517660a..6023bb4fdb 100644 --- a/kubernetes/contrib/components/awx/charts/awx/templates/statefulset.yaml +++ b/kubernetes/contrib/components/awx/charts/awx/templates/statefulset.yaml @@ -44,7 +44,7 @@ spec: initContainers: - name: {{ include "common.name" . }}-init-readiness - image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" + image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /app/ready.py @@ -210,4 +210,4 @@ spec: name: {{ include "common.fullname" . }}-rabbitmq name: rabbitmq-config imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key"
\ No newline at end of file + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/awx/values.yaml b/kubernetes/contrib/components/awx/values.yaml index bf862b6b63..1ed35c2c23 100755 --- a/kubernetes/contrib/components/awx/values.yaml +++ b/kubernetes/contrib/components/awx/values.yaml @@ -16,6 +16,7 @@ # Global configuration defaults. ################################################################# global: + readinessRepository: nexus3.onap.org:10001 nodePortPrefixExt: 304 commonConfigPrefix: awx readinessImage: onap/oom/readiness:3.0.1 diff --git a/kubernetes/contrib/components/ejbca/values.yaml b/kubernetes/contrib/components/ejbca/values.yaml index 060dcd98a7..1a9a34bcd1 100644 --- a/kubernetes/contrib/components/ejbca/values.yaml +++ b/kubernetes/contrib/components/ejbca/values.yaml @@ -37,6 +37,7 @@ secrets: password: '{{ .Values.config.ejbca.clientIak }}' # application configuration +repository: nexus3.onap.org:10001 config: db: userName: ejbca diff --git a/kubernetes/contrib/components/netbox/charts/netbox-app/templates/job.yaml b/kubernetes/contrib/components/netbox/charts/netbox-app/templates/job.yaml index 2c4e668699..a1b8cf1aae 100644 --- a/kubernetes/contrib/components/netbox/charts/netbox-app/templates/job.yaml +++ b/kubernetes/contrib/components/netbox/charts/netbox-app/templates/job.yaml @@ -33,7 +33,7 @@ spec: restartPolicy: Never initContainers: - name: {{ include "common.name" . }}-init-readiness - image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" + image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /app/ready.py diff --git a/kubernetes/contrib/components/netbox/charts/netbox-nginx/templates/service.yaml b/kubernetes/contrib/components/netbox/charts/netbox-nginx/templates/service.yaml index ed761374fa..c01612e0f4 100755 --- a/kubernetes/contrib/components/netbox/charts/netbox-nginx/templates/service.yaml +++ b/kubernetes/contrib/components/netbox/charts/netbox-nginx/templates/service.yaml @@ -31,7 +31,7 @@ spec: - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} {{- else -}} - - port: {{ .Values.service.externalPort }} + - port: {{ .Values.service.internalPort }} targetPort: {{ .Values.service.internalPort }} {{- end}} selector: diff --git a/kubernetes/contrib/components/netbox/charts/netbox-nginx/values.yaml b/kubernetes/contrib/components/netbox/charts/netbox-nginx/values.yaml index f67ff06410..e94e50bc4f 100755 --- a/kubernetes/contrib/components/netbox/charts/netbox-nginx/values.yaml +++ b/kubernetes/contrib/components/netbox/charts/netbox-nginx/values.yaml @@ -75,7 +75,7 @@ persistence: staticPvName: netbox-static service: - type: NodePort + type: ClusterIP name: netbox-nginx portName: netbox-nginx internalPort: 8080 diff --git a/kubernetes/contrib/components/netbox/values.yaml b/kubernetes/contrib/components/netbox/values.yaml index 0749d2d948..5dc4535ca3 100755 --- a/kubernetes/contrib/components/netbox/values.yaml +++ b/kubernetes/contrib/components/netbox/values.yaml @@ -16,6 +16,7 @@ # Global configuration defaults. ################################################################# global: + readinessRepository: nexus3.onap.org:10001 nodePortPrefixExt: 304 commonConfigPrefix: netbox readinessImage: onap/oom/readiness:3.0.1 diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-tcagen2-inputs.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-tcagen2-inputs.yaml index 5074cb8a7f..02e4dd68fd 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-tcagen2-inputs.yaml +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-tcagen2-inputs.yaml @@ -19,4 +19,4 @@ tag_version: {{ include "common.repository" . }}/{{ .Values.componentImages.tcagen2 }} {{ end }} tca_handle_in_subscribe_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_MEASUREMENT_OUTPUT/" -tca_handle_out_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.TCAGEN2_OUTPUT/" +tca_handle_out_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.DCAE_CL_OUTPUT/" diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs-tls.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs-tls.yaml index 15f5ab9006..4ff23b7b2d 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs-tls.yaml +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs-tls.yaml @@ -30,6 +30,10 @@ ves_fault_publish_url: "http://{{ .Values.config.address.message_router }}:3904/ ves_measurement_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_MEASUREMENT_OUTPUT/" ves_pnfRegistration_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_PNFREG_OUTPUT/" ves_notification_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT/" +ves_3gpp_fault_supervision_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT/" +ves_3gpp_provisioning_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT/" +ves_3gpp_hearbeat_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT/" +ves_3gpp_performance_assurance_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT/" user_list: "sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6|demouser,$2a$10$1cc.COcqV/d3iT2N7BjPG.S6ZKv2jpb9a5MV.o7lMih/GpjJRX.Ce" external_cert_ca_name: "RA" external_cert_common_name: "dcae-ves-collector" diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs.yaml index dda75dd874..0cbe71a224 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs.yaml +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs.yaml @@ -31,3 +31,7 @@ ves_fault_publish_url: "http://{{ .Values.config.address.message_router }}:3904/ ves_measurement_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_MEASUREMENT_OUTPUT/" ves_pnfRegistration_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_PNFREG_OUTPUT/" ves_notification_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT/" +ves_3gpp_fault_supervision_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT/" +ves_3gpp_provisioning_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT/" +ves_3gpp_hearbeat_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT/" +ves_3gpp_performance_assurance_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT/"
\ No newline at end of file diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml index 3ef6d551bf..f35a6863d4 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml @@ -117,7 +117,7 @@ componentImages: holmes_rules: onap/holmes/rule-management:1.2.7 holmes_engine: onap/holmes/engine-management:1.2.6 tcagen2: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.2.0 - ves: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.7.5 + ves: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.7.6 snmptrap: onap/org.onap.dcaegen2.collectors.snmptrap:1.4.0 prh: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.5.4 hv_ves: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.5.0 diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml index 0de6f03b72..bb2987881c 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml @@ -54,7 +54,7 @@ config: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/org.onap.dcaegen2.deployments.cm-container:3.3.3 +image: onap/org.onap.dcaegen2.deployments.cm-container:3.3.4 pullPolicy: Always # name of shared ConfigMap with kubeconfig for multiple clusters @@ -95,21 +95,23 @@ service: # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) +# Due to memory issues in ONAP integration environment, +# we've increased the memory amounts for both flavors. resources: small: limits: cpu: 2 - memory: 2Gi + memory: 4Gi requests: cpu: 1 - memory: 1Gi + memory: 2Gi large: limits: cpu: 4 - memory: 4Gi + memory: 8Gi requests: cpu: 2 - memory: 2Gi + memory: 4Gi unlimited: {} # Kubernetes namespace for components deployed via Cloudify manager # If empty, use the common namespace diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml index aa3e245a0b..2d136c8324 100644 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml +++ b/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml @@ -34,7 +34,7 @@ config: #dashboardPassword: doesntmatter mrTopicURL: http://message-router:3904/events importCloudify: https://www.getcloudify.org/spec/cloudify/4.5.5/types.yaml - importK8S: plugin:k8splugin?version=3.3.0 + importK8S: plugin:k8splugin?version=3.4.2 importPostgres: plugin:pgaas?version=1.3.0 importClamp: plugin:clamppolicyplugin?version=1.1.0 importDMaaP: plugin:dmaap?version=1.5.0 @@ -71,7 +71,7 @@ readiness: # application image repository: nexus3.onap.org:10001 -image: onap/org.onap.dcaegen2.platform.mod.runtime-web:1.1.0 +image: onap/org.onap.dcaegen2.platform.mod.runtime-web:1.1.1 # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml index fd4a67acfb..8a4caf6747 100644 --- a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml @@ -40,29 +40,12 @@ spec: prometheus.io/port: {{ .Values.prometheus.jmx.port | quote }} {{- end }} spec: - podAntiAffinity: - {{if eq .Values.podAntiAffinityType "hard" -}} - requiredDuringSchedulingIgnoredDuringExecution: - {{- else -}} - preferredDuringSchedulingIgnoredDuringExecution: - {{- end}} - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: "app" - operator: In - values: - - {{ include "common.name" . }} - - key: "release" - operator: In - values: - - {{ include "common.release" . }} - topologyKey: "kubernetes.io/hostname" {{- if .Values.nodeAffinity }} nodeAffinity: {{ toYaml .Values.nodeAffinity | indent 10 }} {{- end }} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" initContainers: - name: {{ include "common.name" . }}-initcontainer image: "{{ .Values.global.ubuntuInitRepository }}/{{ .Values.ubuntuInitImage }}" @@ -286,5 +269,3 @@ spec: requests: storage: {{ .Values.persistence.size | quote }} {{ end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/statefulset.yaml index 169e898ca6..ad9e5319f4 100644 --- a/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/statefulset.yaml @@ -45,25 +45,12 @@ spec: prometheus.io/port: {{ .Values.prometheus.jmx.port | quote }} {{- end }} spec: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: "app" - operator: In - values: - - {{ include "common.name" . }} - - key: "release" - operator: In - values: - - {{ include "common.release" . }} - topologyKey: "kubernetes.io/hostname" {{- if .Values.nodeAffinity }} nodeAffinity: {{ toYaml .Values.nodeAffinity | indent 10 }} {{- end }} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" initContainers: - name: {{ include "common.name" . }}-permission-fixer command: @@ -234,5 +221,3 @@ spec: requests: storage: {{ .Values.persistence.size | quote }} {{ end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/modeling/charts/modeling-etsicatalog/templates/deployment.yaml b/kubernetes/modeling/charts/modeling-etsicatalog/templates/deployment.yaml index 014013ab7a..52d675a39e 100644 --- a/kubernetes/modeling/charts/modeling-etsicatalog/templates/deployment.yaml +++ b/kubernetes/modeling/charts/modeling-etsicatalog/templates/deployment.yaml @@ -82,12 +82,12 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: - - name: MSB_PROTO - value: "{{ .Values.config.msbProtocol }}" + - name: MSB_ADDR + value: "{{ .Values.config.msbProtocol }}://{{ .Values.config.msbServiceName }}:{{ .Values.config.msbPort }}" - name: SSL_ENABLED value: "{{ .Values.config.ssl_enabled }}" - - name: MSB_ADDR - value: "{{ .Values.config.msbServiceName }}:{{ .Values.config.msbPort }}" + - name: MSB_ENABLED + value: "{{ .Values.config.msb_enabled }}" - name: DB_IP value: "{{ include "common.mariadbService" . }}" - name: DB_PORT diff --git a/kubernetes/modeling/charts/modeling-etsicatalog/values.yaml b/kubernetes/modeling/charts/modeling-etsicatalog/values.yaml index 5926584ef9..9bc8aa0433 100644 --- a/kubernetes/modeling/charts/modeling-etsicatalog/values.yaml +++ b/kubernetes/modeling/charts/modeling-etsicatalog/values.yaml @@ -82,6 +82,7 @@ config: msbProtocol: https msbServiceName: msb-iag msbPort: 443 + msb_enabled: true #application configuration user password about mariadb db: userName: etsicatalog diff --git a/kubernetes/multicloud/charts/multicloud-k8s/values.yaml b/kubernetes/multicloud/charts/multicloud-k8s/values.yaml index b9fa617d94..4b7e6f7816 100644 --- a/kubernetes/multicloud/charts/multicloud-k8s/values.yaml +++ b/kubernetes/multicloud/charts/multicloud-k8s/values.yaml @@ -26,7 +26,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/multicloud/k8s:0.6.0 +image: onap/multicloud/k8s:0.7.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/nbi/templates/deployment.yaml b/kubernetes/nbi/templates/deployment.yaml index 631cb7cba8..febb8a9624 100644 --- a/kubernetes/nbi/templates/deployment.yaml +++ b/kubernetes/nbi/templates/deployment.yaml @@ -51,7 +51,7 @@ spec: # so K8s doesn't restart unresponsive container {{- if .Values.global.aafEnabled }} command: - - bash + - sh args: - -c - | diff --git a/kubernetes/nbi/values.yaml b/kubernetes/nbi/values.yaml index 1fc1600374..0f3fd1a352 100644 --- a/kubernetes/nbi/values.yaml +++ b/kubernetes/nbi/values.yaml @@ -71,7 +71,7 @@ subChartsOnly: # application image repository: nexus3.onap.org:10001 -image: onap/externalapi/nbi:7.0.0 +image: onap/externalapi/nbi:7.0.2 pullPolicy: IfNotPresent sdc_authorization: Basic YWFpOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU= aai_authorization: Basic QUFJOkFBSQ== diff --git a/kubernetes/onap/resources/overrides/environment.yaml b/kubernetes/onap/resources/overrides/environment.yaml index 5f2336382f..61b1838b83 100644 --- a/kubernetes/onap/resources/overrides/environment.yaml +++ b/kubernetes/onap/resources/overrides/environment.yaml @@ -92,6 +92,11 @@ clamp: initialDelaySeconds: 60 readiness: initialDelaySeconds: 60 + clamp-mariadb: + liveness: + initialDelaySeconds: 30 + readiness: + initialDelaySeconds: 30 dcaegen2: dcae-cloudify-manager: liveness: diff --git a/kubernetes/onap/templates/clusterrolebinding.yaml b/kubernetes/onap/templates/clusterrolebinding.yaml index 2367143b11..c2f48d9ba8 100644 --- a/kubernetes/onap/templates/clusterrolebinding.yaml +++ b/kubernetes/onap/templates/clusterrolebinding.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ include "common.namespace" . }}-binding diff --git a/kubernetes/oof/Makefile b/kubernetes/oof/Makefile index 8af301d7ae..4628206e87 100644 --- a/kubernetes/oof/Makefile +++ b/kubernetes/oof/Makefile @@ -19,6 +19,7 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_VER := $(shell helm version --template "{{.Version}}") .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -39,7 +40,12 @@ lint-%: dep-% package-%: lint-% @mkdir -p $(PACKAGE_DIR) +ifeq "$(findstring v3,$(HELM_VER))" "v3" + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$(helm package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && helm push -f $$PACKAGE_NAME local; fi +else @if [ -f $*/Chart.yaml ]; then helm package -d $(PACKAGE_DIR) $*; fi +endif + @helm repo index $(PACKAGE_DIR) clean: diff --git a/kubernetes/oof/components/Makefile b/kubernetes/oof/components/Makefile index 2fc0cbe4ab..02371366f6 100755 --- a/kubernetes/oof/components/Makefile +++ b/kubernetes/oof/components/Makefile @@ -19,6 +19,7 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_VER := $(shell helm version --template "{{.Version}}") .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -39,7 +40,11 @@ lint-%: dep-% package-%: lint-% @mkdir -p $(PACKAGE_DIR) +ifeq "$(findstring v3,$(HELM_VER))" "v3" + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$(helm package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && helm push -f $$PACKAGE_NAME local; fi +else @if [ -f $*/Chart.yaml ]; then helm package -d $(PACKAGE_DIR) $*; fi +endif @helm repo index $(PACKAGE_DIR) clean: diff --git a/kubernetes/oof/components/oof-cmso/Makefile b/kubernetes/oof/components/oof-cmso/Makefile index 52df18adad..48cebe96e7 100644 --- a/kubernetes/oof/components/oof-cmso/Makefile +++ b/kubernetes/oof/components/oof-cmso/Makefile @@ -19,6 +19,7 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_VER := $(shell helm version --template "{{.Version}}") .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -39,7 +40,11 @@ lint-%: dep-% package-%: lint-% @mkdir -p $(PACKAGE_DIR) +ifeq "$(findstring v3,$(HELM_VER))" "v3" + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$(helm package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && helm push -f $$PACKAGE_NAME local; fi +else @if [ -f $*/Chart.yaml ]; then helm package -d $(PACKAGE_DIR) $*; fi +endif @helm repo index $(PACKAGE_DIR) clean: diff --git a/kubernetes/oof/components/oof-cmso/components/Makefile b/kubernetes/oof/components/oof-cmso/components/Makefile index 35be2140e1..f7a698d0ec 100755 --- a/kubernetes/oof/components/oof-cmso/components/Makefile +++ b/kubernetes/oof/components/oof-cmso/components/Makefile @@ -19,6 +19,7 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_VER := $(shell helm version --template "{{.Version}}") .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -39,7 +40,11 @@ lint-%: dep-% package-%: lint-% @mkdir -p $(PACKAGE_DIR) +ifeq "$(findstring v3,$(HELM_VER))" "v3" + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$(helm package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && helm push -f $$PACKAGE_NAME local; fi +else @if [ -f $*/Chart.yaml ]; then helm package -d $(PACKAGE_DIR) $*; fi +endif @helm repo index $(PACKAGE_DIR) clean: diff --git a/kubernetes/oof/components/oof-has/Makefile b/kubernetes/oof/components/oof-has/Makefile index 52df18adad..48cebe96e7 100644 --- a/kubernetes/oof/components/oof-has/Makefile +++ b/kubernetes/oof/components/oof-has/Makefile @@ -19,6 +19,7 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_VER := $(shell helm version --template "{{.Version}}") .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -39,7 +40,11 @@ lint-%: dep-% package-%: lint-% @mkdir -p $(PACKAGE_DIR) +ifeq "$(findstring v3,$(HELM_VER))" "v3" + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$(helm package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && helm push -f $$PACKAGE_NAME local; fi +else @if [ -f $*/Chart.yaml ]; then helm package -d $(PACKAGE_DIR) $*; fi +endif @helm repo index $(PACKAGE_DIR) clean: diff --git a/kubernetes/oof/components/oof-has/components/Makefile b/kubernetes/oof/components/oof-has/components/Makefile index 35be2140e1..f7a698d0ec 100755 --- a/kubernetes/oof/components/oof-has/components/Makefile +++ b/kubernetes/oof/components/oof-has/components/Makefile @@ -19,6 +19,7 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_VER := $(shell helm version --template "{{.Version}}") .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -39,7 +40,11 @@ lint-%: dep-% package-%: lint-% @mkdir -p $(PACKAGE_DIR) +ifeq "$(findstring v3,$(HELM_VER))" "v3" + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$(helm package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && helm push -f $$PACKAGE_NAME local; fi +else @if [ -f $*/Chart.yaml ]; then helm package -d $(PACKAGE_DIR) $*; fi +endif @helm repo index $(PACKAGE_DIR) clean: diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/ingress.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/ingress.yaml index 0cd8cfbd36..2afc5dad2a 100644 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/ingress.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/ingress.yaml @@ -1,4 +1,4 @@ -# Copyright © 2020 Samsung, Orange +{{/*# Copyright © 2020 Samsung, Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -11,5 +11,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +*/}} {{ include "common.ingress" . }} diff --git a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json index 767d1452cc..539ef5a465 100755 --- a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json +++ b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json @@ -14,10 +14,6 @@ "description":"Pdp Heartbeat", "supportedPolicyTypes": [ { - "name": "onap.policies.controlloop.operational.Apex", - "version": "1.0.0" - }, - { "name": "onap.policies.native.Apex", "version": "1.0.0" }, diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml index 4deb21a79b..6b27103660 100755 --- a/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml @@ -44,7 +44,7 @@ spec: - sh args: - -c - - "export TRUSTSTORE_PASSWORD_BASE64=`echo -n ${TRUSTSTORE_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - name: TRUSTSTORE_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-pass" "key" "password") | indent 10 }} diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index e149aa596a..ee40ac8359 100755 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -52,7 +52,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-apex-pdp:2.4.1 +image: onap/policy-apex-pdp:2.4.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-api/resources/config/config.json b/kubernetes/policy/components/policy-api/resources/config/config.json index cdc477c3e1..cebfbc1628 100755 --- a/kubernetes/policy/components/policy-api/resources/config/config.json +++ b/kubernetes/policy/components/policy-api/resources/config/config.json @@ -31,7 +31,7 @@ "databaseDriver": "org.mariadb.jdbc.Driver", "databaseUrl": "jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin", "databaseUser": "${SQL_USER}", - "databasePassword": "${SQL_PASSWORD_BASE64}", + "databasePassword": "${SQL_PASSWORD}", "persistenceUnit": "PolicyMariaDb" }, "preloadPolicyTypes": [ diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml index 5774344fd3..021b49dc6d 100755 --- a/kubernetes/policy/components/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml @@ -38,7 +38,7 @@ spec: - sh args: - -c - - "export SQL_PASSWORD_BASE64=`echo -n ${SQL_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - name: SQL_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12 }} diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index a94031ac95..b108fd8d8d 100755 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml @@ -84,7 +84,7 @@ certInitializer: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-api:2.3.1 +image: onap/policy-api:2.3.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index 9d20941773..748c5ccc61 100755 --- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -70,7 +70,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-distribution:2.4.1 +image: onap/policy-distribution:2.4.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index 5e8c8be179..bf969b0451 100755 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -39,7 +39,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-pdpd-cl:1.7.1 +image: onap/policy-pdpd-cl:1.7.3 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-pap/resources/config/config.json b/kubernetes/policy/components/policy-pap/resources/config/config.json index 72c318042f..065e5c47ea 100755 --- a/kubernetes/policy/components/policy-pap/resources/config/config.json +++ b/kubernetes/policy/components/policy-pap/resources/config/config.json @@ -42,7 +42,7 @@ "databaseDriver": "org.mariadb.jdbc.Driver", "databaseUrl": "jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin", "databaseUser": "${SQL_USER}", - "databasePassword": "${SQL_PASSWORD_BASE64}", + "databasePassword": "${SQL_PASSWORD}", "persistenceUnit": "PolicyMariaDb" }, "topicParameterGroup": { diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml index f07ed4a7ba..a756beed34 100755 --- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml @@ -44,7 +44,7 @@ spec: - sh args: - -c - - "export SQL_PASSWORD_BASE64=`echo -n ${SQL_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - name: SQL_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 008fefd1a9..5c3efcda9c 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml @@ -98,7 +98,7 @@ certInitializer: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-pap:2.3.1 +image: onap/policy-pap:2.3.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties index b53200be9a..a4b3309e80 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties +++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties @@ -50,4 +50,4 @@ xacml.pip.engines=count-recent-operations,get-operation-outcome javax.persistence.jdbc.driver=org.mariadb.jdbc.Driver javax.persistence.jdbc.url=jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/operationshistory javax.persistence.jdbc.user=${SQL_USER} -javax.persistence.jdbc.password=${SQL_PASSWORD_BASE64} +javax.persistence.jdbc.password=${SQL_PASSWORD} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml index 40f0fab1b5..bdf4e6cf9b 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml @@ -56,7 +56,7 @@ spec: - sh args: - -c - - "export SQL_PASSWORD_BASE64=`echo -n ${SQL_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - name: RESTSERVER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index 81196e1236..cdfa5bde56 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -89,7 +89,7 @@ certInitializer: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-xacml-pdp:2.3.1 +image: onap/policy-xacml-pdp:2.3.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml index ece708914e..e707e259ca 100644 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml +++ b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml @@ -69,7 +69,7 @@ value="%X{MetricsLogBeginTimestamp}|%X{MetricsLogEndTimestamp}|%X{RequestId}|%X{ServiceInstanceId}|%thread|%X{VirtualServerName}|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%.-5level|%X{AlertSeverity}|%X{ServerIPAddress}|%X{Timer}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ClassName}|%X{Unused}|%X{ProcessKey}|%X{TargetVisualEntity}|%X{CustomField1}|%X{CustomField2}|%X{CustomField3}|%X{CustomField4}| %msg%n" />
<property name="errorLoggerPattern"
- value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{AlertSeverity}|%X{ErrorCode}|%X{ErrorDescription}| %msg%n" />
+ value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{ErrorCategory}|%X{ErrorCode}|%X{ErrorDescription}| %msg%n" />
<property name="defaultLoggerPattern"
value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%X{ClassName}| %msg%n" />
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties index b5b4e48b97..c8a292f60b 100755 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties +++ b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties @@ -16,8 +16,8 @@ #mysql db.driver = org.mariadb.jdbc.Driver db.connectionURL = jdbc:mariadb:failover://portal-db:3306/portal -db.userName =root -db.password =Aa123456 +db.userName =${PORTAL_DB_USER} +db.password =${PORTAL_DB_PASSWORD} db.hib.dialect = org.hibernate.dialect.MySQLDialect db.min_pool_size = 5 db.max_pool_size = 10 @@ -122,4 +122,4 @@ remote_centralized_system_access = {{.Values.global.aafEnabled}} ext_central_access_user_name = aaf_admin@people.osaaf.org ext_central_access_password = demo123456! ext_central_access_url = {{.Values.aafURL}} -ext_central_access_user_domain = @people.osaaf.org
\ No newline at end of file +ext_central_access_user_domain = @people.osaaf.org diff --git a/kubernetes/portal/components/portal-app/templates/deployment.yaml b/kubernetes/portal/components/portal-app/templates/deployment.yaml index 0be1fdc91f..8c434c55ff 100644 --- a/kubernetes/portal/components/portal-app/templates/deployment.yaml +++ b/kubernetes/portal/components/portal-app/templates/deployment.yaml @@ -52,8 +52,23 @@ spec: - name: {{ include "common.name" . }}-portal-config image: "{{ .Values.global.envsubstImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/bin/sh"] - args: [ "-c", "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"] + command: + - sh + args: + - "-c" + - | + cd /config-input && \ + for PFILE in `ls -1 *.xml` + do + cp ${PFILE} /config + chmod 0755 /config/${PFILE} + done + cd /config-input && \ + for PFILE in `ls -1 *.properties` + do + envsubst <${PFILE} >/config/${PFILE} + chmod 0755 /config/${PFILE} + done env: - name: CASSA_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }} @@ -61,6 +76,10 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }} - name: CIPHER_ENC_KEY {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }} + - name: PORTAL_DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }} + - name: PORTAL_DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }} volumeMounts: - mountPath: /config-input name: properties-onapportal-scrubbed diff --git a/kubernetes/portal/components/portal-app/values.yaml b/kubernetes/portal/components/portal-app/values.yaml index 55a7ccca38..3f55f4a08e 100644 --- a/kubernetes/portal/components/portal-app/values.yaml +++ b/kubernetes/portal/components/portal-app/values.yaml @@ -43,6 +43,12 @@ secrets: externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}' password: '{{ .Values.config.cipherEncKey }}' passwordPolicy: required + - uid: portal-backend-db + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}' + login: '{{ .Values.mariadb.config.backendUserName }}' + password: '{{ .Values.mariadb.config.backendPassword }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -50,7 +56,7 @@ secrets: # application image repository: nexus3.onap.org:10001 -image: onap/portal-app:3.2.3 +image: onap/portal-app:3.4.1 pullPolicy: Always # application configuration @@ -120,6 +126,10 @@ service: mariadb: service: name: portal-db + config: + # backendDbExternalSecret: some secret + backendUserName: portal + backendPassword: portal widget: service: name: portal-widget diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh index 28fcee1551..390241fa1d 100644 --- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh +++ b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh @@ -2,21 +2,21 @@ set -eo pipefail shopt -s nullglob -# if command starts with an option, prepend mysqld -if [ "${1:0:1}" = '-' ]; then - set -- mysqld "$@" -fi - -# skip setup if they want an option that stops mysqld -wantHelp= -for arg; do - case "$arg" in - -'?'|--help|--print-defaults|-V|--version) - wantHelp=1 - break - ;; - esac -done +# logging functions +mysql_log() { + local type="$1"; shift + printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*" +} +mysql_note() { + mysql_log Note "$@" +} +mysql_warn() { + mysql_log Warn "$@" >&2 +} +mysql_error() { + mysql_log ERROR "$@" >&2 + exit 1 +} # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' @@ -27,8 +27,7 @@ file_env() { local fileVar="${var}_FILE" local def="${2:-}" if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - echo >&2 "error: both $var and $fileVar are set (but are exclusive)" - exit 1 + mysql_error "Both $var and $fileVar are set (but are exclusive)" fi local val="$def" if [ "${!var:-}" ]; then @@ -40,157 +39,328 @@ file_env() { unset "$fileVar" } -_check_config() { - toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions +docker_process_init_files() { + # mysql here for backwards compatibility "${mysql[@]}" + mysql=( docker_process_sql ) + + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + mysql_note "$0: running $f" + "$f" + else + mysql_note "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;; + *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; + *) mysql_warn "$0: ignoring $f" ;; + esac + echo + done +} + +mysql_check_config() { + local toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) errors if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then - cat >&2 <<-EOM - ERROR: mysqld failed while attempting to check config - command was: "${toRun[*]}" - $errors - EOM - exit 1 + mysql_error $'mysqld failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors" fi } # Fetch value from server config # We use mysqld --verbose --help instead of my_print_defaults because the # latter only show values present in config files, and not server defaults -_get_config() { +mysql_get_config() { local conf="$1"; shift "$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \ - | awk '$1 == "'"$conf"'" && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' + | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)" } -# allow the container to be started with `--user` -if [ "$1" = 'mysqld' -a -z "$wantHelp" -a "$(id -u)" = '0' ]; then - _check_config "$@" - DATADIR="$(_get_config 'datadir' "$@")" +# Do a temporary startup of the MySQL server, for init purposes +docker_temp_server_start() { + "$@" --skip-networking --socket="${SOCKET}" & + mysql_note "Waiting for server startup" + local i + for i in {30..0}; do + # only use the root password if the database has already been initializaed + # so that it won't try to fill in a password file when it hasn't been set yet + extraArgs=() + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + extraArgs+=( '--dont-use-mysql-root-password' ) + fi + if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then + break + fi + sleep 1 + done + if [ "$i" = 0 ]; then + mysql_error "Unable to start server." + fi +} + +# Stop the server. When using a local socket file mysqladmin will block until +# the shutdown is complete. +docker_temp_server_stop() { + if ! mysqladmin --defaults-extra-file=<( _mysql_passfile ) shutdown -uroot --socket="${SOCKET}"; then + mysql_error "Unable to shut down server." + fi +} + +# Verify that the minimally required password settings are set for new databases. +docker_verify_minimum_env() { + if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then + mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD' + fi +} + +# creates folders for the database +# also ensures permission for user mysql of run as root +docker_create_db_directories() { + local user; user="$(id -u)" + + # TODO other directories that are used by default? like /var/lib/mysql-files + # see https://github.com/docker-library/mysql/issues/562 mkdir -p "$DATADIR" - find "$DATADIR" \! -user mysql -exec chown mysql '{}' + - exec gosu mysql "$BASH_SOURCE" "$@" -fi -if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then - # still need to check config, container may have started with --user - _check_config "$@" + if [ "$user" = "0" ]; then + # this will cause less disk access than `chown -R` + find "$DATADIR" \! -user mysql -exec chown mysql '{}' + + fi +} + +# initializes the database directory +docker_init_database_dir() { + mysql_note "Initializing database files" + installArgs=( --datadir="$DATADIR" --rpm ) + if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then + # beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password + # see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3 + # (this flag doesn't exist in 10.0 and below) + installArgs+=( --auth-root-authentication-method=normal ) + fi + # "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here) + mysql_install_db "${installArgs[@]}" "${@:2}" + mysql_note "Database files initialized" +} + +# Loads various settings that are used elsewhere in the script +# This should be called after mysql_check_config, but before any other functions +docker_setup_env() { # Get config - DATADIR="$(_get_config 'datadir' "$@")" - - if [ ! -d "$DATADIR/mysql" ]; then - file_env 'MYSQL_ROOT_PASSWORD' - if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then - echo >&2 'error: database is uninitialized and password option is not specified ' - echo >&2 ' You need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD' - exit 1 - fi + declare -g DATADIR SOCKET + DATADIR="$(mysql_get_config 'datadir' "$@")" + SOCKET="$(mysql_get_config 'socket' "$@")" - mkdir -p "$DATADIR" + # Initialize values that might be stored in a file + file_env 'MYSQL_ROOT_HOST' '%' + file_env 'MYSQL_DATABASE' + file_env 'MYSQL_USER' + file_env 'MYSQL_PASSWORD' + file_env 'MYSQL_ROOT_PASSWORD' + file_env 'PORTAL_DB_TABLES' - echo 'Initializing database' - installArgs=( --datadir="$DATADIR" --rpm ) - if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then - # beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password - # see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3 - # (this flag doesn't exist in 10.0 and below) - installArgs+=( --auth-root-authentication-method=normal ) - fi - # "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here) - mysql_install_db "${installArgs[@]}" "${@:2}" - echo 'Database initialized' - - SOCKET="$(_get_config 'socket' "$@")" - "$@" --skip-networking --socket="${SOCKET}" & - pid="$!" - - mysql=( mysql --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" ) - - for i in {60..0}; do - if echo 'SELECT 1' | "${mysql[@]}" &> /dev/null; then - break - fi - echo 'MySQL init process in progress...' - sleep 1 - done - if [ "$i" = 0 ]; then - echo >&2 'MySQL init process failed.' - exit 1 - fi + declare -g DATABASE_ALREADY_EXISTS + if [ -d "$DATADIR/mysql" ]; then + DATABASE_ALREADY_EXISTS='true' + fi +} - if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then - # sed is for https://bugs.mysql.com/bug.php?id=20545 - mysql_tzinfo_to_sql /usr/share/zoneinfo | sed 's/Local time zone must be set--see zic manual page/FCTY/' | "${mysql[@]}" mysql - fi +# Execute sql script, passed via stdin +# usage: docker_process_sql [--dont-use-mysql-root-password] [mysql-cli-args] +# ie: docker_process_sql --database=mydb <<<'INSERT ...' +# ie: docker_process_sql --dont-use-mysql-root-password --database=mydb <my-file.sql +docker_process_sql() { + passfileArgs=() + if [ '--dont-use-mysql-root-password' = "$1" ]; then + passfileArgs+=( "$1" ) + shift + fi + # args sent in can override this db, since they will be later in the command + if [ -n "$MYSQL_DATABASE" ]; then + set -- --database="$MYSQL_DATABASE" "$@" + fi - if [ ! -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then - export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)" - echo "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD" - fi + mysql --defaults-extra-file=<( _mysql_passfile "${passfileArgs[@]}") --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@" +} - rootCreate= - # default root to listen for connections from anywhere - file_env 'MYSQL_ROOT_HOST' '%' - if [ ! -z "$MYSQL_ROOT_HOST" -a "$MYSQL_ROOT_HOST" != 'localhost' ]; then - # no, we don't care if read finds a terminating character in this heredoc - # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151 - read -r -d '' rootCreate <<-EOSQL || true - CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ; - GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ; - EOSQL - fi +# Initializes database with timezone info and root password, plus optional extra db/user +docker_setup_db() { + # Load timezone info into database + if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then + { + # Aria in 10.4+ is slow due to "transactional" (crash safety) + # https://jira.mariadb.org/browse/MDEV-23326 + # https://github.com/docker-library/mariadb/issues/262 + local tztables=( time_zone time_zone_leap_second time_zone_name time_zone_transition time_zone_transition_type ) + for table in "${tztables[@]}"; do + echo "/*!100400 ALTER TABLE $table TRANSACTIONAL=0 */;" + done - "${mysql[@]}" <<-EOSQL - -- What's done in this file shouldn't be replicated - -- or products like mysql-fabric won't work - SET @@SESSION.SQL_LOG_BIN=0; - DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ; - SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ; - GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ; - ${rootCreate} - DROP DATABASE IF EXISTS test ; - FLUSH PRIVILEGES ; + # sed is for https://bugs.mysql.com/bug.php?id=20545 + mysql_tzinfo_to_sql /usr/share/zoneinfo \ + | sed 's/Local time zone must be set--see zic manual page/FCTY/' + + for table in "${tztables[@]}"; do + echo "/*!100400 ALTER TABLE $table TRANSACTIONAL=1 */;" + done + } | docker_process_sql --dont-use-mysql-root-password --database=mysql + # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet + fi + # Generate random root password + if [ -n "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then + export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)" + mysql_note "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD" + fi + # Sets root password and creates root users for non-localhost hosts + local rootCreate= + # default root to listen for connections from anywhere + if [ -n "$MYSQL_ROOT_HOST" ] && [ "$MYSQL_ROOT_HOST" != 'localhost' ]; then + # no, we don't care if read finds a terminating character in this heredoc + # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151 + read -r -d '' rootCreate <<-EOSQL || true + CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ; + GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ; EOSQL + fi - if [ ! -z "$MYSQL_ROOT_PASSWORD" ]; then - mysql+=( -p"${MYSQL_ROOT_PASSWORD}" ) - fi + # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is just now being set + docker_process_sql --dont-use-mysql-root-password --database=mysql <<-EOSQL + -- What's done in this file shouldn't be replicated + -- or products like mysql-fabric won't work + SET @@SESSION.SQL_LOG_BIN=0; - file_env 'MYSQL_DATABASE' - if [ "$MYSQL_DATABASE" ]; then - echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" | "${mysql[@]}" - mysql+=( "$MYSQL_DATABASE" ) - fi + DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mariadb.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ; + SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ; + -- 10.1: https://github.com/MariaDB/server/blob/d925aec1c10cebf6c34825a7de50afe4e630aff4/scripts/mysql_secure_installation.sh#L347-L365 + -- 10.5: https://github.com/MariaDB/server/blob/00c3a28820c67c37ebbca72691f4897b57f2eed5/scripts/mysql_secure_installation.sh#L351-L369 + DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%' ; - file_env 'MYSQL_USER' - file_env 'MYSQL_PASSWORD' - if [ "$MYSQL_USER" -a "$MYSQL_PASSWORD" ]; then - echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" | "${mysql[@]}" + GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ; + FLUSH PRIVILEGES ; + ${rootCreate} + DROP DATABASE IF EXISTS test ; + EOSQL - if [ "$MYSQL_DATABASE" ]; then - echo "GRANT ALL ON \`$MYSQL_DATABASE\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}" - fi + # Creates a custom database and user if specified + if [ -n "$MYSQL_DATABASE" ]; then + mysql_note "Creating database ${MYSQL_DATABASE}" + docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" + fi + + if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then + mysql_note "Creating user ${MYSQL_USER}" + docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" + + if [ -n "$MYSQL_DATABASE" ]; then + mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}" + docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;" fi - echo - for f in /docker-entrypoint-initdb.d/*; do - case "$f" in - *.sh) echo "$0: running $f"; . "$f" ;; - *.sql) echo "$0: running $f"; "${mysql[@]}" < "$f"; echo ;; - *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${mysql[@]}"; echo ;; - *) echo "$0: ignoring $f" ;; - esac - echo - done + docker_process_sql --database=mysql <<<"FLUSH PRIVILEGES ;" + fi +} - if ! kill -s TERM "$pid" || ! wait "$pid"; then - echo >&2 'MySQL init process failed.' - exit 1 +_mysql_passfile() { + # echo the password to the "file" the client uses + # the client command will use process substitution to create a file on the fly + # ie: --defaults-extra-file=<( _mysql_passfile ) + if [ '--dont-use-mysql-root-password' != "$1" ] && [ -n "$MYSQL_ROOT_PASSWORD" ]; then + cat <<-EOF + [client] + password="${MYSQL_ROOT_PASSWORD}" + EOF + fi +} + +# check arguments for an option that would cause mysqld to stop +# return true if there is one +_mysql_want_help() { + local arg + for arg; do + case "$arg" in + -'?'|--help|--print-defaults|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if command starts with an option, prepend mysqld + if [ "${1:0:1}" = '-' ]; then + set -- mysqld "$@" + fi + + # skip setup if they aren't running mysqld or want an option that stops mysqld + if [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then + mysql_note "Entrypoint script for MySQL Server ${MARIADB_VERSION} started." + + mysql_check_config "$@" + # Load various environment variables + docker_setup_env "$@" + docker_create_db_directories + + # If container is started as root user, restart as dedicated mysql user + if [ "$(id -u)" = "0" ]; then + mysql_note "Switching to dedicated user 'mysql'" + exec gosu mysql "$BASH_SOURCE" "$@" fi - echo - echo 'MySQL init process done. Ready for start up.' - echo + # there's no database, so it needs to be initialized + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir "$@" + + mysql_note "Starting temporary server" + docker_temp_server_start "$@" + mysql_note "Temporary server started." + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + for i in $(echo $PORTAL_DB_TABLES | sed "s/,/ /g") + do + echo "Granting portal user ALL PRIVILEGES for table $i" + echo "GRANT ALL ON \`$i\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}" + done + + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" + + echo + mysql_note "MySQL init process done. Ready for start up." + echo + fi fi -fi + exec "$@" +} -exec "$@"
\ No newline at end of file +# If we are sourced from elsewhere, don't perform any further actions +if ! _is_sourced; then + _main "$@" +fi diff --git a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml b/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml index ec6cc50634..196a2d1ad4 100644 --- a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml +++ b/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml @@ -69,6 +69,18 @@ spec: secretKeyRef: name: {{ template "common.fullname" . }} key: db-root-password + - name: MYSQL_USER + valueFrom: + secretKeyRef: + name: {{ template "common.fullname" . }} + key: backend-db-user + - name: MYSQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "common.fullname" . }} + key: backend-db-password + - name: PORTAL_DB_TABLES + value: {{ .Values.config.backend_portal_tables }} volumeMounts: - mountPath: /var/lib/mysql name: mariadb-data diff --git a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml b/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml index ad1db77298..4415c5ebd0 100644 --- a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml +++ b/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml @@ -26,3 +26,6 @@ metadata: type: Opaque data: db-root-password: {{ .Values.config.mariadbRootPassword | b64enc | quote }} +stringData: + backend-db-user: {{ .Values.config.backendDbUser }} + backend-db-password: {{ .Values.config.backendDbPassword }} diff --git a/kubernetes/portal/components/portal-mariadb/values.yaml b/kubernetes/portal/components/portal-mariadb/values.yaml index 3435feb43e..5061593739 100644 --- a/kubernetes/portal/components/portal-mariadb/values.yaml +++ b/kubernetes/portal/components/portal-mariadb/values.yaml @@ -25,7 +25,7 @@ global: # global defaults # application image repository: nexus3.onap.org:10001 -image: onap/portal-db:3.2.3 +image: onap/portal-db:3.4.1 pullPolicy: Always @@ -35,6 +35,11 @@ mariadbInitImage: "oomk8s/mariadb-client-init:3.0.0" config: mariadbUser: root mariadbRootPassword: Aa123456 + backendDbUser: portal + backendDbPassword: portal + #backend_portal_tables is a comma delimited string listing back-end tables + #that backendDbUser needs access to, such as to portal and ecomp_sdk tables + backend_portal_tables: portal,ecomp_sdk #The directory where sql files are found in the projects gerrit repo. sqlSourceDirectory: portal/deliveries # sdc frontend assignment for port 9443 diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml index e1fee17381..2c2cd00f1c 100644 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml +++ b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml @@ -62,7 +62,7 @@ <!-- 1610 Logging Fields Format Revisions -->
<property name="auditLoggerPattern" value="%X{AuditLogBeginTimestamp}|%X{AuditLogEndTimestamp}|%X{RequestId}|%X{ServiceInstanceId}|%thread|%X{VirtualServerName}|%X{ServiceName}|%X{PartnerName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%.-5level|%X{AlertSeverity}|%X{ServerIPAddress}|%X{Timer}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ClassName}|%X{Unused}|%X{ProcessKey}|%X{CustomField1}|%X{CustomField2}|%X{CustomField3}|%X{CustomField4}| %msg%n" />
<property name="metricsLoggerPattern" value="%X{MetricsLogBeginTimestamp}|%X{MetricsLogEndTimestamp}|%X{RequestId}|%X{ServiceInstanceId}|%thread|%X{VirtualServerName}|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%.-5level|%X{AlertSeverity}|%X{ServerIPAddress}|%X{Timer}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ClassName}|%X{Unused}|%X{ProcessKey}|%X{TargetVisualEntity}|%X{CustomField1}|%X{CustomField2}|%X{CustomField3}|%X{CustomField4}| %msg%n" />
- <property name="errorLoggerPattern" value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{AlertSeverity}|%X{ErrorCode}|%X{ErrorDescription}| %msg%n" />
+ <property name="errorLoggerPattern" value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%X{ServiceName}|%X{PartnerName}|%X{TargetEntity}|%X{TargetServiceName}|%X{ErrorCategory}|%X{ErrorCode}|%X{ErrorDescription}| %msg%n" />
<property name="defaultLoggerPattern" value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%X{ClassName}| %msg%n" />
<!-- use %class so library logging calls yield their class name -->
<property name="applicationLoggerPattern" value="%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%X{RequestId}|%thread|%class{36}| %msg%n" />
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties index 2a2ec59d5c..1faed41b85 100755 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties +++ b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties @@ -40,8 +40,8 @@ decryption_key = AGLDdG4D04BKm2IxIWEr8o== db.driver = org.mariadb.jdbc.Driver db.connectionURL = jdbc:mariadb://portal-db:3306/ecomp_sdk -db.userName = root -db.password = Aa123456 +db.userName =${PORTAL_DB_USER} +db.password =${PORTAL_DB_PASSWORD} db.min_pool_size = 5 db.max_pool_size = 10 hb.dialect = org.hibernate.dialect.MySQLDialect @@ -90,4 +90,4 @@ remote_centralized_system_access = {{.Values.global.aafEnabled}} ext_central_access_user_name = aaf_admin@people.osaaf.org ext_central_access_password = demo123456! ext_central_access_url = {{.Values.aafURL}} -ext_central_access_user_domain = @people.osaaf.org
\ No newline at end of file +ext_central_access_user_domain = @people.osaaf.org diff --git a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml b/kubernetes/portal/components/portal-sdk/templates/deployment.yaml index f79098fade..52bf49b972 100644 --- a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml +++ b/kubernetes/portal/components/portal-sdk/templates/deployment.yaml @@ -52,8 +52,23 @@ spec: - name: {{ include "common.name" . }}-portalsdk-config image: "{{ .Values.global.envsubstImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/bin/sh"] - args: [ "-c", "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"] + command: + - sh + args: + - "-c" + - | + cd /config-input && \ + for PFILE in `ls -1 *.xml` + do + cp ${PFILE} /config + chmod 0755 /config/${PFILE} + done + cd /config-input && \ + for PFILE in `ls -1 *.properties` + do + envsubst <${PFILE} >/config/${PFILE} + chmod 0755 /config/${PFILE} + done env: - name: CASSA_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }} @@ -61,6 +76,10 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }} - name: CIPHER_ENC_KEY {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }} + - name: PORTAL_DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }} + - name: PORTAL_DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }} volumeMounts: - mountPath: /config-input name: properties-onapportalsdk-scrubbed diff --git a/kubernetes/portal/components/portal-sdk/values.yaml b/kubernetes/portal/components/portal-sdk/values.yaml index c0f1b58c9a..ae373a2f54 100644 --- a/kubernetes/portal/components/portal-sdk/values.yaml +++ b/kubernetes/portal/components/portal-sdk/values.yaml @@ -39,6 +39,12 @@ secrets: login: '{{ .Values.cassandra.config.cassandraUsername }}' password: '{{ .Values.cassandra.config.cassandraPassword }}' passwordPolicy: required + - uid: portal-backend-db + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}' + login: '{{ .Values.mariadb.config.backendUserName }}' + password: '{{ .Values.mariadb.config.backendPassword }}' + passwordPolicy: required - uid: cipher-enc-key type: password externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}' @@ -51,7 +57,7 @@ secrets: # application image repository: nexus3.onap.org:10001 -image: onap/portal-sdk:3.2.0 +image: onap/portal-sdk:3.4.1 pullPolicy: Always # application configuration @@ -115,6 +121,10 @@ service: mariadb: service: name: portal-db + config: + # backendDbExternalSecret: some secret + backendUserName: portal + backendPassword: portal widget: service: name: portal-widget diff --git a/kubernetes/portal/components/portal-widget/values.yaml b/kubernetes/portal/components/portal-widget/values.yaml index 3afb4c6f60..94da33019c 100644 --- a/kubernetes/portal/components/portal-widget/values.yaml +++ b/kubernetes/portal/components/portal-widget/values.yaml @@ -28,7 +28,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/portal-wms:3.2.3 +image: onap/portal-wms:3.4.1 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/portal/values.yaml b/kubernetes/portal/values.yaml index 2a760cdd98..0d4b023b12 100644 --- a/kubernetes/portal/values.yaml +++ b/kubernetes/portal/values.yaml @@ -32,12 +32,19 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.casandraCredsExternalSecret) . }}' login: '{{ .Values.config.cassandraUsername }}' password: '{{ .Values.config.cassandraPassword }}' + - uid: portal-backend-db + name: &backendDbSecretName '{{ include "common.release" . }}-portal-backend-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}' + login: '{{ .Values.mariadb.config.backendUserName }}' + password: '{{ .Values.mariadb.config.backendPassword }}' + passwordPolicy: required config: logstashServiceName: log-ls logstashPort: 5044 cassandraUsername: root -# cassandraPassword: Aa123456 + cassandraPassword: Aa123456 # casandraCredsExternalSecret: some secret portal-mariadb: @@ -45,6 +52,11 @@ portal-mariadb: mariadb: service: name: portal-db + config: +# backendDbExternalSecret: some secret + backendUserName: portal + backendPassword: portal + widget: service: name: portal-widget @@ -54,10 +66,16 @@ cassandra: config: cassandraExternalSecret: *dbSecretName portal-app: + mariadb: + config: + backendDbExternalSecret: *backendDbSecretName cassandra: config: cassandraExternalSecret: *dbSecretName portal-sdk: + mariadb: + config: + backendDbExternalSecret: *backendDbSecretName cassandra: config: cassandraExternalSecret: *dbSecretName diff --git a/kubernetes/robot b/kubernetes/robot -Subproject 0611262fbb68714cfdb922f13ffb009b58a43f7 +Subproject c4aa2a9a01ad435b20b242b76edeea2e8dcc5bc diff --git a/kubernetes/sdc/components/sdc-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-be/templates/deployment.yaml index e2329d7ca5..d3a47de65b 100644 --- a/kubernetes/sdc/components/sdc-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/deployment.yaml @@ -37,6 +37,13 @@ spec: fieldPath: metadata.namespace image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi - name: {{ include "common.name" . }}-job-completion image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" @@ -51,6 +58,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi {{- if .Values.global.aafEnabled }} - name: {{ include "common.name" . }}-update-config image: "{{ .Values.global.envsubstImage }}" @@ -72,6 +86,13 @@ spec: envsubst <${PFILE} >/config-output/${PFILE} chmod 0755 /config-output/${PFILE} done + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - name: {{ include "common.fullname" . }}-environments mountPath: /config-input/ @@ -154,6 +175,13 @@ spec: mountPath: /var/log/onap - name: {{ include "common.fullname" . }}-data-filebeat mountPath: /usr/share/filebeat/data + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - name: {{ include "common.fullname" . }}-localtime hostPath: diff --git a/kubernetes/sdc/components/sdc-be/templates/job.yaml b/kubernetes/sdc/components/sdc-be/templates/job.yaml index f1bdabb59c..554b3c357e 100644 --- a/kubernetes/sdc/components/sdc-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/job.yaml @@ -39,12 +39,21 @@ spec: args: - --container-name - sdc-be + - "-t" + - "35" env: - name: NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi containers: - name: {{ include "common.name" . }}-job image: "{{ include "common.repository" . }}/{{ .Values.backendInitImage }}" @@ -61,6 +70,13 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP + resources: + limits: + cpu: 800m + memory: 1024Mi + requests: + cpu: 200m + memory: 200Mi volumes: - name: {{ include "common.fullname" . }}-environments configMap: diff --git a/kubernetes/sdc/components/sdc-be/values.yaml b/kubernetes/sdc/components/sdc-be/values.yaml index c71bb755eb..b825b703b4 100644 --- a/kubernetes/sdc/components/sdc-be/values.yaml +++ b/kubernetes/sdc/components/sdc-be/values.yaml @@ -140,15 +140,15 @@ resources: small: limits: cpu: 1 - memory: 4Gi + memory: 2Gi requests: - cpu: 10m + cpu: 100m memory: 1Gi large: limits: cpu: 2 - memory: 8Gi + memory: 4Gi requests: - cpu: 20m + cpu: 200m memory: 2Gi unlimited: {} diff --git a/kubernetes/sdc/components/sdc-cs/templates/job.yaml b/kubernetes/sdc/components/sdc-cs/templates/job.yaml index 0c98d67be4..19dd11281f 100644 --- a/kubernetes/sdc/components/sdc-cs/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-cs/templates/job.yaml @@ -45,12 +45,21 @@ spec: {{- else }} - cassandra {{- end }} + - "-t" + - "15" env: - name: NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi containers: - name: {{ include "common.name" . }}-job image: "{{ include "common.repository" . }}/{{ .Values.cassandraInitImage }}" @@ -78,6 +87,13 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP + resources: + limits: + cpu: 800m + memory: 1024Mi + requests: + cpu: 200m + memory: 300Mi volumes: - name: {{ include "common.fullname" . }}-environments configMap: diff --git a/kubernetes/sdc/components/sdc-cs/values.yaml b/kubernetes/sdc/components/sdc-cs/values.yaml index 4cf6e4d5f3..e80f64844e 100644 --- a/kubernetes/sdc/components/sdc-cs/values.yaml +++ b/kubernetes/sdc/components/sdc-cs/values.yaml @@ -104,23 +104,3 @@ persistence: ingress: enabled: false - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 4Gi - requests: - cpu: 10m - memory: 1Gi - large: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 20m - memory: 2Gi - unlimited: {} diff --git a/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml b/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml index 0571f4bb5d..bca3c477a1 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml @@ -43,12 +43,21 @@ spec: args: - --job-name - {{ include "common.release" . }}-sdc-be-config-backend + - "-t" + - "35" env: - name: NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi {{- if .Values.global.aafEnabled }} - name: {{ include "common.name" . }}-update-config image: "{{ .Values.global.envsubstImage }}" @@ -75,6 +84,13 @@ spec: mountPath: /config-input/ - name: sdc-environments-output mountPath: /config-output/ + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi {{- end }} containers: - name: {{ include "common.name" . }} @@ -106,8 +122,7 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} env: - name: ENVNAME value: {{ .Values.env.name }} @@ -153,6 +168,13 @@ spec: mountPath: /var/log/onap - name: {{ include "common.fullname" . }}-data-filebeat mountPath: /usr/share/filebeat/data + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: {{ include "common.fullname" . }}-localtime hostPath: diff --git a/kubernetes/sdc/components/sdc-fe/values.yaml b/kubernetes/sdc/components/sdc-fe/values.yaml index 6501698388..1389d05c02 100644 --- a/kubernetes/sdc/components/sdc-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-fe/values.yaml @@ -123,16 +123,16 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: 500m + memory: 2Gi requests: - cpu: 10m + cpu: 40m memory: 1Gi large: limits: - cpu: 2 - memory: 8Gi + cpu: 1 + memory: 4Gi requests: - cpu: 20m + cpu: 80m memory: 2Gi unlimited: {} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml index 6f1e2a9b61..527dddef89 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml @@ -49,6 +49,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi {{- if .Values.global.aafEnabled }} - name: {{ include "common.name" . }}-update-config image: "{{ .Values.global.envsubstImage }}" @@ -75,6 +82,13 @@ spec: mountPath: /config-input/ - name: sdc-environments-output mountPath: /config-output/ + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi {{- end }} containers: - name: {{ include "common.name" . }} @@ -99,8 +113,7 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} env: - name: ENVNAME value: {{ .Values.env.name }} @@ -155,6 +168,13 @@ spec: mountPath: /var/log/onap - name: {{ include "common.fullname" . }}-data-filebeat mountPath: /usr/share/filebeat/data + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - name: {{ include "common.fullname" . }}-localtime hostPath: diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml index 936c7c41b5..c3003e2d1d 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml @@ -41,12 +41,21 @@ spec: args: - --job-name - {{ include "common.release" . }}-sdc-cs-config-cassandra + - "-t" + - "20" env: - name: NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi containers: - name: {{ include "common.name" . }}-job image: "{{ include "common.repository" . }}/{{ .Values.onboardingInitImage }}" @@ -72,6 +81,13 @@ spec: secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: cs_password} - name: CS_HOST_IP value: "{{ .Values.global.cassandra.serviceName }}" + resources: + limits: + cpu: 800m + memory: 1024Mi + requests: + cpu: 200m + memory: 200Mi volumes: - name: {{ include "common.fullname" . }}-environments configMap: diff --git a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml index ff10a64b5a..6ec08db43a 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml @@ -155,16 +155,16 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: 500m + memory: 2Gi requests: - cpu: 10m + cpu: 40m memory: 1Gi large: limits: - cpu: 2 - memory: 8Gi + cpu: 1 + memory: 4Gi requests: - cpu: 20m + cpu: 80m memory: 2Gi unlimited: {} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml index b188cdae98..c61c41fc85 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml @@ -50,6 +50,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi {{ end }} containers: - name: {{ include "common.name" . }} @@ -123,6 +130,7 @@ spec: - name: SERVER_SSL_TRUSTSTORE_TYPE value: "{{ .Values.config.serverSSLTrustStoreType }}" volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} + resources: {{ include "common.resources" . | nindent 12 }} volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml index 9235cb441c..be7d519924 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml @@ -34,37 +34,47 @@ spec: spec: restartPolicy: Never initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-sdc-cs-config-cassandra - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace + - name: {{ include "common.name" . }}-init-readiness + image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /app/ready.py + args: + - --job-name + - {{ include "common.release" . }}-sdc-cs-config-cassandra + - "-t" + - "20" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi containers: - - name: {{ include "common.name" . }}-job - image: "{{ include "common.repository" . }}/{{ .Values.configInitImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: CS_HOST - value: "{{ .Values.global.cassandra.serviceName }}" - - name: CS_PORT - value: "{{ .Values.config.cassandraClientPort }}" - - name: CS_AUTHENTICATE - value: "{{ .Values.config.cassandraAuthenticationEnabled }}" - - name: CS_USER - valueFrom: - secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_user} - - name: CS_PASSWORD - valueFrom: - secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password} + - name: {{ include "common.name" . }}-job + image: "{{ include "common.repository" . }}/{{ .Values.configInitImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: CS_HOST + value: "{{ .Values.global.cassandra.serviceName }}" + - name: CS_PORT + value: "{{ .Values.config.cassandraClientPort }}" + - name: CS_AUTHENTICATE + value: "{{ .Values.config.cassandraAuthenticationEnabled }}" + - name: CS_USER + valueFrom: + secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_user} + - name: CS_PASSWORD + valueFrom: + secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password} + resources: {{ include "common.resources" . | nindent 12 }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" {{ end }} diff --git a/kubernetes/sdc/components/sdc-wfd-be/values.yaml b/kubernetes/sdc/components/sdc-wfd-be/values.yaml index 6147b064ce..893a1b9f31 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/values.yaml @@ -123,21 +123,22 @@ ingress: config: ssl: "redirect" -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -#resources: -# limits: -# cpu: 2 -# memory: 4Gi -# requests: -# cpu: 2 -# memory: 4Gi +# Resource Limit flavor -By Default using small +# Segregation for Different environment (Small and Large) +flavor: small +resources: + small: + limits: + cpu: 500m + memory: 2Gi + requests: + cpu: 40m + memory: 1Gi + large: + limits: + cpu: 1 + memory: 4Gi + requests: + cpu: 80m + memory: 2Gi + unlimited: {} diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml index ad10480a3f..a5d312f308 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml @@ -48,6 +48,13 @@ spec: fieldPath: metadata.namespace image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi {{- if .Values.global.aafEnabled }} - name: {{ include "common.fullname" . }}-move-cert command: @@ -63,6 +70,13 @@ spec: volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - name: sdc-certs mountPath: /sdc-certs + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi {{- end }} containers: - name: {{ include "common.name" . }} @@ -114,8 +128,8 @@ spec: readOnly: true {{- if .Values.global.aafEnabled }} - name: sdc-certs - mountPath: /sdc-certs - subpath: mycreds.prop + mountPath: /sdc-certs/mycreds.prop + subPath: mycreds.prop - name: sdc-certs mountPath: /var/lib/jetty/etc/{{ .Values.certInitializer.keystoreFile }} subPath: {{ .Values.certInitializer.keystoreFile }} @@ -123,8 +137,7 @@ spec: mountPath: /var/lib/jetty/etc/{{ .Values.certInitializer.truststoreFile }} subPath: {{ .Values.certInitializer.truststoreFile }} {{ end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -145,6 +158,13 @@ spec: mountPath: /var/log/onap - name: {{ include "common.fullname" . }}-data-filebeat mountPath: /usr/share/filebeat/data + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 3m + memory: 20Mi volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: {{ include "common.fullname" . }}-localtime hostPath: diff --git a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml index 56804924ca..e88139832f 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml @@ -114,21 +114,22 @@ ingress: nginx.ingress.kubernetes.io/backend-protocol: "HTTP" nginx.ingress.kubernetes.io/rewrite-target: "/workflows/" -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -#resources: -# limits: -# cpu: 2 -# memory: 4Gi -# requests: -# cpu: 2 -# memory: 4Gi +# Resource Limit flavor -By Default using small +# Segregation for Different environment (Small and Large) +flavor: small +resources: + small: + limits: + cpu: 500m + memory: 2Gi + requests: + cpu: 40m + memory: 1Gi + large: + limits: + cpu: 1 + memory: 4Gi + requests: + cpu: 80m + memory: 2Gi + unlimited: {} diff --git a/kubernetes/sdnc/components/dmaap-listener/values.yaml b/kubernetes/sdnc/components/dmaap-listener/values.yaml index 4c8ff3992a..f3a2b98397 100644 --- a/kubernetes/sdnc/components/dmaap-listener/values.yaml +++ b/kubernetes/sdnc/components/dmaap-listener/values.yaml @@ -55,7 +55,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdnc-dmaap-listener-image:2.0.1 +image: onap/sdnc-dmaap-listener-image:2.0.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml index 654867fcc8..e4024c7d77 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml @@ -55,7 +55,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdnc-ansible-server-image:2.0.1 +image: onap/sdnc-ansible-server-image:2.0.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/components/sdnc-web/values.yaml b/kubernetes/sdnc/components/sdnc-web/values.yaml index 9eb8495da6..2c0b3eabe2 100644 --- a/kubernetes/sdnc/components/sdnc-web/values.yaml +++ b/kubernetes/sdnc/components/sdnc-web/values.yaml @@ -27,7 +27,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: "onap/sdnc-web-image:2.0.1" +image: "onap/sdnc-web-image:2.0.2" pullPolicy: Always config: diff --git a/kubernetes/sdnc/components/ueb-listener/values.yaml b/kubernetes/sdnc/components/ueb-listener/values.yaml index ad5cbda4f3..a32628df6f 100644 --- a/kubernetes/sdnc/components/ueb-listener/values.yaml +++ b/kubernetes/sdnc/components/ueb-listener/values.yaml @@ -61,7 +61,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdnc-ueb-listener-image:2.0.1 +image: onap/sdnc-ueb-listener-image:2.0.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/templates/sdnrdb-init-job.yaml b/kubernetes/sdnc/templates/sdnrdb-init-job.yaml index aa156b598f..42b3f25483 100755 --- a/kubernetes/sdnc/templates/sdnrdb-init-job.yaml +++ b/kubernetes/sdnc/templates/sdnrdb-init-job.yaml @@ -51,7 +51,7 @@ spec: image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/bin/bash"] - args: ["-c", "{{ .Values.config.binDir }}/startODL.oom.sh"] + args: ["-c", "{{ .Values.config.binDir }}/startODL.sh"] env: - name: SDNC_AAF_ENABLED value: "{{ .Values.global.aafEnabled}}" diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index 8eec50e9ab..488c050bfb 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml +++ b/kubernetes/sdnc/templates/statefulset.yaml @@ -282,8 +282,10 @@ spec: - mountPath: {{ .Values.config.odl.etcDir }}/mountpoint-state-provider.properties name: properties subPath: mountpoint-state-provider.properties + {{ if .Values.global.cmpv2Enabled }} - mountPath: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }} name: certs + {{- end }} resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -334,12 +336,14 @@ spec: - name: properties emptyDir: medium: Memory + {{ if .Values.global.cmpv2Enabled }} - name: certs emptyDir: medium: Memory - name: certservice-tls-volume secret: secretName: {{ .Values.global.platform.certServiceClient.secret.name }} + {{- end }} {{ if not .Values.persistence.enabled }} - name: {{ include "common.fullname" . }}-data emptyDir: {} diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index 52a21ea370..c41f5eadbf 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -135,7 +135,7 @@ secrets: # application images repository: nexus3.onap.org:10001 pullPolicy: Always -image: onap/sdnc-image:2.0.1 +image: onap/sdnc-image:2.0.2 busyboxRepository: docker.io busyboxImage: busybox:1.30 diff --git a/kubernetes/sniro-emulator/templates/deployment.yaml b/kubernetes/sniro-emulator/templates/deployment.yaml index 2e76895278..0a1525c280 100644 --- a/kubernetes/sniro-emulator/templates/deployment.yaml +++ b/kubernetes/sniro-emulator/templates/deployment.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "common.fullname" . }} @@ -24,6 +24,10 @@ metadata: heritage: {{ .Release.Service }} spec: replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} template: metadata: labels: diff --git a/kubernetes/so/Makefile b/kubernetes/so/Makefile new file mode 100644 index 0000000000..8af301d7ae --- /dev/null +++ b/kubernetes/so/Makefile @@ -0,0 +1,50 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := dist resources templates charts docker +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/requirements.yaml ]; then helm dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then helm lint $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then helm package -d $(PACKAGE_DIR) $*; fi + @helm repo index $(PACKAGE_DIR) + +clean: + @rm -f */requirements.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: diff --git a/kubernetes/so/components/Makefile b/kubernetes/so/components/Makefile new file mode 100644 index 0000000000..4bf77eecf1 --- /dev/null +++ b/kubernetes/so/components/Makefile @@ -0,0 +1,50 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := soHelpers +HELM_CHARTS := soHelpers $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/requirements.yaml ]; then helm dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then helm lint $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then helm package -d $(PACKAGE_DIR) $*; fi + @helm repo index $(PACKAGE_DIR) + +clean: + @rm -f */requirements.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: diff --git a/kubernetes/so/charts/so-appc-orchestrator/Chart.yaml b/kubernetes/so/components/so-appc-orchestrator/Chart.yaml index ab2bad332a..ab2bad332a 100644 --- a/kubernetes/so/charts/so-appc-orchestrator/Chart.yaml +++ b/kubernetes/so/components/so-appc-orchestrator/Chart.yaml diff --git a/kubernetes/so/components/so-appc-orchestrator/requirements.yaml b/kubernetes/so/components/so-appc-orchestrator/requirements.yaml new file mode 100755 index 0000000000..1feea23842 --- /dev/null +++ b/kubernetes/so/components/so-appc-orchestrator/requirements.yaml @@ -0,0 +1,23 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: soHelpers + version: ~6.x-0 + repository: 'file://../soHelpers' diff --git a/kubernetes/so/charts/so-appc-orchestrator/resources/config/overrides/override.yaml b/kubernetes/so/components/so-appc-orchestrator/resources/config/overrides/override.yaml index c897f48e4a..9b6fb26d61 100644 --- a/kubernetes/so/charts/so-appc-orchestrator/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-appc-orchestrator/resources/config/overrides/override.yaml @@ -19,11 +19,11 @@ server: ssl-enable: false mso: logPath: ./logs/soappcorch - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.auth.rest.aafEncrypted "value2" .Values.mso.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.auth.rest.aafEncrypted "value2" .Values.mso.auth )}} msoKey: {{ .Values.global.app.msoKey }} config: - {{ if eq .Values.global.security.aaf.enabled true }} - cadi: {{ include "cadi.keys" . | nindent 8}} + {{ if .Values.global.security.aaf.enabled }} + cadi: {{ include "so.cadi.keys" . | nindent 8}} {{- else }} cadi: aafId: {{ .Values.mso.basicUser }} diff --git a/kubernetes/so/charts/so-appc-orchestrator/templates/configmap.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/configmap.yaml index 8c0ee290ce..cfa106adaf 100755 --- a/kubernetes/so/charts/so-appc-orchestrator/templates/configmap.yaml +++ b/kubernetes/so/components/so-appc-orchestrator/templates/configmap.yaml @@ -16,7 +16,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-appc-orchestrator/templates/deployment.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml index b9a39fe8c3..f0615ad56a 100644 --- a/kubernetes/so/charts/so-appc-orchestrator/templates/deployment.yaml +++ b/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml @@ -50,18 +50,28 @@ spec: - sh args: - -c - - export ACTUATOR_PASSWORD="$(cat /tmp/app/encoded)"; ./start-app.sh + - | + export ACTUATOR_PASSWORD="$(cat /tmp/app/encoded)" + {{- if .Values.global.aafEnabled }} + export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + {{- if .Values.global.security.aaf.enabled }} + export KEYSTORE_PASSWORD="${cadi_keystore_password}" + {{- end }} + {{- end }} + /app/start-app.sh image: {{ include "common.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | nindent 12 }} env: - name: ACTUATOR_USERNAME {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "login") | indent 10 }} + {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} ports: {{- include "common.containerPorts" . | nindent 10 }} - volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 8 }} + volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - name: logs mountPath: /app/logs - name: encoder @@ -69,7 +79,7 @@ spec: - name: config mountPath: /app/config readOnly: true -{{ include "helpers.livenessProbe" .| indent 8 }} +{{ include "so.helpers.livenessProbe" .| indent 8 }} volumes: {{ include "so.certificate.volumes" . | nindent 6 }} - name: logs emptyDir: {} @@ -78,6 +88,6 @@ spec: medium: Memory - name: config configMap: - name: {{ include "common.fullname" . }}-app-configmap + name: {{ include "common.fullname" . }}-app-configmap imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/so/charts/so-appc-orchestrator/templates/secret.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/secret.yaml index bd7eb8ea40..bd7eb8ea40 100644 --- a/kubernetes/so/charts/so-appc-orchestrator/templates/secret.yaml +++ b/kubernetes/so/components/so-appc-orchestrator/templates/secret.yaml diff --git a/kubernetes/so/charts/so-appc-orchestrator/templates/service.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/service.yaml index fc3e2879ce..fc3e2879ce 100644 --- a/kubernetes/so/charts/so-appc-orchestrator/templates/service.yaml +++ b/kubernetes/so/components/so-appc-orchestrator/templates/service.yaml diff --git a/kubernetes/so/charts/so-appc-orchestrator/values.yaml b/kubernetes/so/components/so-appc-orchestrator/values.yaml index b35d6a03af..7570116fd5 100644 --- a/kubernetes/so/charts/so-appc-orchestrator/values.yaml +++ b/kubernetes/so/components/so-appc-orchestrator/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2020 AT&T USA +# Copyright © 2020 Huawei # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,10 +21,17 @@ global: nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 readinessImage: onap/oom/readiness:3.0.1 + envsubstImage: dibi/envsubst + aafAgentImage: onap/aaf/aaf_agent:2.1.20 persistence: mountPath: /dockerdata-nfs htpasswdImage: xmartlabs/htpasswd dockerHubRepository: docker.io + security: + aaf: + enabled: false + app: + msoKey: 07a7159d3bf51a0e53be7a8f89699be7 ################################################################# # Secrets metaconfig ################################################################# @@ -40,10 +48,6 @@ secrets: login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required - - uid: "so-onap-certs" - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: server-actuator-creds name: '{{ include "common.release" . }}-so-appc-actuator-creds' type: basicAuth @@ -76,14 +80,14 @@ server: password: password1$ replicaCount: 1 minReadySeconds: 10 -containerPort: 8080 +containerPort: &containerPort 8080 logPath: ./logs/soappcorch app: appc-orchestrator service: name: so-appc-orchestrator type: ClusterIP ports: - - port: 8080 + - port: *containerPort name: http updateStrategy: type: RollingUpdate @@ -91,6 +95,21 @@ updateStrategy: maxSurge: 1 # Resource Limit flavor -By Default using small flavor: small + + +################################################################# +# soHelper part +################################################################# + +soHelpers: + nameOverride: so-appc-cert-init + certInitializer: + nameOverride: so-appc-cert-init + credsPath: /opt/app/osaaf/local + cadi: + apiEnforcement: org.onap.so.openStackAdapterPerm + containerPort: *containerPort + # Segregation for Different environment (Small and Large) resources: small: @@ -122,3 +141,27 @@ ingress: nodeSelector: {} tolerations: [] affinity: {} + +auth: + rest: + encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 + +mso: + auth: BEA8637716A7EB617DF472BA6552D22F68C1CB17B0D094D77DDA562F4ADAAC4457CAB848E1A4 + basicUser: poBpmn + +appc: + client: + topic: + read: + name: APPC-LCM-WRITE + timeout: 360000 + write: APPC-LCM-READ + sdnc: + read: SDNC-LCM-WRITE + write: SDNC-LCM-READ + response: + timeout: 3600000 + key: VIlbtVl6YLhNUrtU + secret: 64AG2hF4pYeG2pq7CT6XwUOT + service: ueb diff --git a/kubernetes/so/charts/so-bpmn-infra/Chart.yaml b/kubernetes/so/components/so-bpmn-infra/Chart.yaml index 17fa3459ad..faba23eb16 100755 --- a/kubernetes/so/charts/so-bpmn-infra/Chart.yaml +++ b/kubernetes/so/components/so-bpmn-infra/Chart.yaml @@ -13,6 +13,6 @@ # limitations under the License. apiVersion: v1 appVersion: "1.0" -description: A Helm chart for Kubernetes +description: A Helm chart for SO Bpmn Infra name: so-bpmn-infra -version: 6.0.0
\ No newline at end of file +version: 6.0.0 diff --git a/kubernetes/so/components/so-bpmn-infra/requirements.yaml b/kubernetes/so/components/so-bpmn-infra/requirements.yaml new file mode 100755 index 0000000000..1feea23842 --- /dev/null +++ b/kubernetes/so/components/so-bpmn-infra/requirements.yaml @@ -0,0 +1,23 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: soHelpers + version: ~6.x-0 + repository: 'file://../soHelpers' diff --git a/kubernetes/so/charts/so-bpmn-infra/resources/config/overrides/override.yaml b/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml index e57ea34f43..028b698657 100755 --- a/kubernetes/so/charts/so-bpmn-infra/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. aai: - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.aai.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.aai.auth )}} dme2: timeout: '30000' endpoint: https://aai.{{ include "common.namespace" . }}:8443 @@ -56,7 +56,7 @@ mso: timeout: 60 logPath: logs config: - cadi: {{ include "cadi.keys" . | nindent 8}} + cadi: {{ include "so.cadi.keys" . | nindent 8}} async: core-pool-size: 50 max-pool-size: 50 @@ -66,7 +66,7 @@ mso: endpoint: http://so-openstack-adapter.{{ include "common.namespace" . }}:8087/CompleteMsoProcess requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.adapters.requestDb.auth )}} db: auth: {{ .Values.mso.adapters.db.auth }} password: {{ .Values.mso.adapters.db.password }} @@ -116,7 +116,7 @@ mso: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} default: adapter: namespace: http://org.onap.mso diff --git a/kubernetes/so/charts/so-bpmn-infra/templates/configmap.yaml b/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml index a2e27548ba..747941610f 100755 --- a/kubernetes/so/charts/so-bpmn-infra/templates/configmap.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml @@ -15,7 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-bpmn-infra/templates/deployment.yaml b/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml index a8b7bdc966..de76901865 100755 --- a/kubernetes/so/charts/so-bpmn-infra/templates/deployment.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml @@ -55,8 +55,20 @@ spec: containers: - name: {{ include "common.name" . }} image: {{ include "common.repository" . }}/{{ .Values.image }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + {{- if .Values.global.security.aaf.enabled }} + export KEYSTORE_PASSWORD="${cadi_keystore_password}" + {{- end }} + /app/start-app.sh + {{- end }} env: - name: DB_HOST valueFrom: @@ -76,27 +88,12 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{- if eq .Values.global.security.aaf.enabled true }} - - name: TRUSTSTORE - value: /app/org.onap.so.trust.jks - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: trustStorePassword - - name: KEYSTORE - value: /app/org.onap.so.jks - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: keyStorePassword - {{- end }} + {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 8 }} + volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - name: logs mountPath: /app/logs - name: config @@ -104,7 +101,7 @@ spec: readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap -{{ include "helpers.livenessProbe" .| indent 8 }} +{{ include "so.helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/charts/so-bpmn-infra/templates/secret.yaml b/kubernetes/so/components/so-bpmn-infra/templates/secret.yaml index bd7eb8ea40..bd7eb8ea40 100644 --- a/kubernetes/so/charts/so-bpmn-infra/templates/secret.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/secret.yaml diff --git a/kubernetes/so/charts/so-bpmn-infra/templates/service.yaml b/kubernetes/so/components/so-bpmn-infra/templates/service.yaml index 6711c3b2e7..6711c3b2e7 100755 --- a/kubernetes/so/charts/so-bpmn-infra/templates/service.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/service.yaml diff --git a/kubernetes/so/charts/so-bpmn-infra/values.yaml b/kubernetes/so/components/so-bpmn-infra/values.yaml index ef57e7173d..b6f315aa3d 100755 --- a/kubernetes/so/charts/so-bpmn-infra/values.yaml +++ b/kubernetes/so/components/so-bpmn-infra/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2018 AT&T USA -# +# Copyright © 2020 Huawei # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -19,11 +19,19 @@ global: nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 readinessImage: onap/oom/readiness:3.0.1 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 + envsubstImage: dibi/envsubst persistence: mountPath: /dockerdata-nfs #This configuration specifies Service and port for SDNC OAM interface sdncOamService: sdnc-oam sdncOamPort: 8282 + security: + aaf: + enabled: false + aaf: + auth: + encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 ################################################################# # Secrets metaconfig @@ -43,15 +51,13 @@ secrets: login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required - - uid: "so-onap-certs" - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' #secretsFilePaths: | # - 'my file 1' # - '{{ include "templateThatGeneratesFileName" . }}' + + ################################################################# # Application configuration defaults. ################################################################# @@ -66,20 +72,64 @@ db: adminName: so_admin adminPassword: so_Admin123 # adminCredsExternalSecret: some secret + +aai: + auth: 221187EFA3AD4E33600DE0488F287099934CE65C3D0697BCECC00BB58E784E07CD74A24581DC31DBC086FF63DF116378776E9BE3D1325885 + +cds: + auth: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== + +mso: + key: 07a7159d3bf51a0e53be7a8f89699be7 + adapters: + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk + db: + auth: A3745B5DBE165EFCF101D85A6FC81C211AB8BF604F8861B6C413D5DC90F8F30E0139DE44B8A342F4EF70AF + password: wLg4sjrAFUS8rfVfdvTXeQ== + po: + auth: A3745B5DBE165EFCF101D85A6FC81C211AB8BF604F8861B6C413D5DC90F8F30E0139DE44B8A342F4EF70AF + sdnc: + password: 1D78CFC35382B6938A989066A7A7EAEF4FE933D2919BABA99EB4763737F39876C333EE5F + sniro: + auth: test:testpwd + oof: + auth: test:testpwd +so: + vnfm: + adapter: + auth: Basic dm5mbTpwYXNzd29yZDEk +sniro: + endpoint: http://replaceme:28090/optimizationInstance/V1/create + replicaCount: 1 minReadySeconds: 10 -containerPort: 8081 +containerPort: &containerPort 8081 logPath: ./logs/bpmn/ app: so-bpmn-infra service: - type: ClusterIP - internalPort: 8081 - externalPort: 8081 - portName: so-bpmn-port + type: ClusterIP + internalPort: *containerPort + externalPort: 8081 + portName: so-bpmn-port updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 + +################################################################# +# soHelper part +################################################################# +soHelpers: + nameOverride: so-bpmn-cert-init + certInitializer: + nameOverride: so-bpmn-cert-init + credsPath: /opt/app/osaaf/local + cadi: + apiEnforcement: org.onap.so.bpmnPerm + containerPort: *containerPort + + # Resource Limit flavor -By Default using small flavor: large # Segregation for Different environment (Small and Large) diff --git a/kubernetes/so/charts/so-catalog-db-adapter/Chart.yaml b/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml index 8c5a846df9..8c5a846df9 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/Chart.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml diff --git a/kubernetes/so/components/so-catalog-db-adapter/requirements.yaml b/kubernetes/so/components/so-catalog-db-adapter/requirements.yaml new file mode 100755 index 0000000000..1feea23842 --- /dev/null +++ b/kubernetes/so/components/so-catalog-db-adapter/requirements.yaml @@ -0,0 +1,23 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: soHelpers + version: ~6.x-0 + repository: 'file://../soHelpers' diff --git a/kubernetes/so/charts/so-catalog-db-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml index fb83e4e26b..f267d86b29 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml @@ -20,13 +20,13 @@ mso: logPath: logs site-name: onapheat config: - cadi: {{ include "cadi.keys" . | nindent 8}} + cadi: {{ include "so.cadi.keys" . | nindent 8}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.db.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.db.auth )}} spring: datasource: hikari: diff --git a/kubernetes/so/charts/so-vfc-adapter/templates/configmap.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml index b57205223e..d351be32fc 100755 --- a/kubernetes/so/charts/so-vfc-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml @@ -15,7 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-catalog-db-adapter/templates/deployment.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml index 0e5e24b5ec..159d2e7f13 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml @@ -55,8 +55,20 @@ spec: containers: - name: {{ include "common.name" . }} image: {{ include "common.repository" . }}/{{ .Values.image }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + {{- if .Values.global.security.aaf.enabled }} + export KEYSTORE_PASSWORD="${cadi_keystore_password}" + {{- end }} + /app/start-app.sh + {{- end }} env: - name: DB_HOST valueFrom: @@ -76,33 +88,18 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{- if eq .Values.global.security.aaf.enabled true }} - - name: TRUSTSTORE - value: /app/org.onap.so.trust.jks - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: trustStorePassword - - name: KEYSTORE - value: /app/org.onap.so.jks - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: keyStorePassword - {{- end }} + {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 8 }} + volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - name: logs mountPath: /app/logs - name: config mountPath: /app/config readOnly: true -{{ include "helpers.livenessProbe" .| indent 8 }} +{{ include "so.helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/charts/so-catalog-db-adapter/templates/secret.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/secret.yaml index bd7eb8ea40..bd7eb8ea40 100644 --- a/kubernetes/so/charts/so-catalog-db-adapter/templates/secret.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/secret.yaml diff --git a/kubernetes/so/charts/so-catalog-db-adapter/templates/service.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml index 6711c3b2e7..6711c3b2e7 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml diff --git a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml b/kubernetes/so/components/so-catalog-db-adapter/values.yaml index 6b363c6c77..2fadf41e01 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/values.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2018 AT&T USA -# +# Copyright © 2020 Huawei # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -19,8 +19,18 @@ global: nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 readinessImage: onap/oom/readiness:3.0.1 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 + envsubstImage: dibi/envsubst persistence: mountPath: /dockerdata-nfs + security: + aaf: + enabled: false + aaf: + auth: + header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= + app: + msoKey: 07a7159d3bf51a0e53be7a8f89699be7 ################################################################# # Secrets metaconfig @@ -40,10 +50,6 @@ secrets: login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required - - uid: "so-onap-certs" - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' #secretsFilePaths: | # - 'my file 1' @@ -64,20 +70,38 @@ db: adminPassword: so_Admin123 # adminCredsExternalSecret: some secret +mso: + adapters: + db: + auth: Basic YnBlbDpwYXNzd29yZDEk + replicaCount: 1 minReadySeconds: 10 -containerPort: 8082 +containerPort: &containerPort 8082 logPath: ./logs/catdb/ app: catalog-db-adapter service: type: ClusterIP - internalPort: 8082 - externalPort: 8082 + internalPort: *containerPort + externalPort: *containerPort portName: so-catdb-port updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 + +################################################################# +# soHelper part +################################################################# +soHelpers: + nameOverride: so-catalogdb-cert-init + certInitializer: + nameOverride: so-catalogdb-cert-init + credsPath: /opt/app/osaaf/local + cadi: + apiEnforcement: org.onap.so.catalogDbAdapterPerm + containerPort: *containerPort + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) diff --git a/kubernetes/so/charts/so-db-secrets/Chart.yaml b/kubernetes/so/components/so-db-secrets/Chart.yaml index 1739d1fe36..1739d1fe36 100755 --- a/kubernetes/so/charts/so-db-secrets/Chart.yaml +++ b/kubernetes/so/components/so-db-secrets/Chart.yaml diff --git a/kubernetes/so/components/so-db-secrets/requirements.yaml b/kubernetes/so/components/so-db-secrets/requirements.yaml new file mode 100755 index 0000000000..2eb32d00ed --- /dev/null +++ b/kubernetes/so/components/so-db-secrets/requirements.yaml @@ -0,0 +1,20 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' diff --git a/kubernetes/so/charts/so-db-secrets/templates/secrets.yaml b/kubernetes/so/components/so-db-secrets/templates/secrets.yaml index d636fad4a7..d636fad4a7 100755 --- a/kubernetes/so/charts/so-db-secrets/templates/secrets.yaml +++ b/kubernetes/so/components/so-db-secrets/templates/secrets.yaml diff --git a/kubernetes/so/charts/so-db-secrets/values.yaml b/kubernetes/so/components/so-db-secrets/values.yaml index 63b6852d50..7e51e3ce5d 100644 --- a/kubernetes/so/charts/so-db-secrets/values.yaml +++ b/kubernetes/so/components/so-db-secrets/values.yaml @@ -11,8 +11,11 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +global: + mariadbGalera: + serviceName: mariadb-galera + servicePort: "3306" db_admin_username: so_admin db_admin_password: so_Admin123 db_username: so_user db_password: so_User123 - diff --git a/kubernetes/so/charts/so-mariadb/Chart.yaml b/kubernetes/so/components/so-mariadb/Chart.yaml index 2c6f0278b0..2c6f0278b0 100755 --- a/kubernetes/so/charts/so-mariadb/Chart.yaml +++ b/kubernetes/so/components/so-mariadb/Chart.yaml diff --git a/kubernetes/so/components/so-mariadb/requirements.yaml b/kubernetes/so/components/so-mariadb/requirements.yaml new file mode 100755 index 0000000000..2eb32d00ed --- /dev/null +++ b/kubernetes/so/components/so-mariadb/requirements.yaml @@ -0,0 +1,20 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' diff --git a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/01-create-camundabpmn.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/01-create-camundabpmn.sh index 08adb4a407..08adb4a407 100755 --- a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/01-create-camundabpmn.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/01-create-camundabpmn.sh diff --git a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/02-create-requestdb.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/02-create-requestdb.sh index 0f404466ca..0f404466ca 100755 --- a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/02-create-requestdb.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/02-create-requestdb.sh diff --git a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/03-create-catalogdb.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/03-create-catalogdb.sh index 3115ec6199..3115ec6199 100755 --- a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/03-create-catalogdb.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/03-create-catalogdb.sh diff --git a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/04-create-nfvo-db.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/04-create-nfvo-db.sh index 3ed03aa0b9..3ed03aa0b9 100755 --- a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/04-create-nfvo-db.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/04-create-nfvo-db.sh diff --git a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh index a8f772b947..a8f772b947 100755 --- a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh diff --git a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh index adb28fe8e6..adb28fe8e6 100755 --- a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh diff --git a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/db-sql-scripts/mariadb_engine_7.10.0.sql b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/db-sql-scripts/mariadb_engine_7.10.0.sql index 41377fb9eb..41377fb9eb 100644 --- a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/db-sql-scripts/mariadb_engine_7.10.0.sql +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/db-sql-scripts/mariadb_engine_7.10.0.sql diff --git a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/db-sql-scripts/mariadb_identity_7.10.0.sql b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/db-sql-scripts/mariadb_identity_7.10.0.sql index 35cb979781..35cb979781 100644 --- a/kubernetes/so/charts/so-mariadb/resources/config/docker-entrypoint-initdb.d/db-sql-scripts/mariadb_identity_7.10.0.sql +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/db-sql-scripts/mariadb_identity_7.10.0.sql diff --git a/kubernetes/so/charts/so-mariadb/templates/configmap.yaml b/kubernetes/so/components/so-mariadb/templates/configmap.yaml index 842e562fd7..842e562fd7 100644 --- a/kubernetes/so/charts/so-mariadb/templates/configmap.yaml +++ b/kubernetes/so/components/so-mariadb/templates/configmap.yaml diff --git a/kubernetes/so/charts/so-mariadb/templates/job.yaml b/kubernetes/so/components/so-mariadb/templates/job.yaml index f24ec25c47..f24ec25c47 100644 --- a/kubernetes/so/charts/so-mariadb/templates/job.yaml +++ b/kubernetes/so/components/so-mariadb/templates/job.yaml diff --git a/kubernetes/so/charts/so-mariadb/templates/pv.yaml b/kubernetes/so/components/so-mariadb/templates/pv.yaml index 7d81805cda..7d81805cda 100644 --- a/kubernetes/so/charts/so-mariadb/templates/pv.yaml +++ b/kubernetes/so/components/so-mariadb/templates/pv.yaml diff --git a/kubernetes/so/charts/so-mariadb/templates/pvc.yaml b/kubernetes/so/components/so-mariadb/templates/pvc.yaml index ad10f18f16..ad10f18f16 100644 --- a/kubernetes/so/charts/so-mariadb/templates/pvc.yaml +++ b/kubernetes/so/components/so-mariadb/templates/pvc.yaml diff --git a/kubernetes/so/charts/so-mariadb/templates/secrets.yaml b/kubernetes/so/components/so-mariadb/templates/secrets.yaml index 7c7d4f9fe5..7c7d4f9fe5 100644 --- a/kubernetes/so/charts/so-mariadb/templates/secrets.yaml +++ b/kubernetes/so/components/so-mariadb/templates/secrets.yaml diff --git a/kubernetes/so/charts/so-mariadb/values.yaml b/kubernetes/so/components/so-mariadb/values.yaml index 0a5a056464..9ecf3b0ca6 100755 --- a/kubernetes/so/charts/so-mariadb/values.yaml +++ b/kubernetes/so/components/so-mariadb/values.yaml @@ -23,7 +23,16 @@ global: repository: nexus3.onap.org:10001 readinessImage: onap/oom/readiness:3.0.1 ubuntuInitRepository: registry.hub.docker.com - + mariadbGalera: + nameOverride: mariadb-galera + serviceName: mariadb-galera + servicePort: "3306" + migration: + enabled: false + dbHost: mariadb-galera + dbPort: 3306 + dbUser: root + dbPassword: secretpassword ################################################################# # Secrets metaconfig ################################################################# diff --git a/kubernetes/so/charts/so-monitoring/Chart.yaml b/kubernetes/so/components/so-monitoring/Chart.yaml index ede67ab54f..ede67ab54f 100644 --- a/kubernetes/so/charts/so-monitoring/Chart.yaml +++ b/kubernetes/so/components/so-monitoring/Chart.yaml diff --git a/kubernetes/so/components/so-monitoring/requirements.yaml b/kubernetes/so/components/so-monitoring/requirements.yaml new file mode 100755 index 0000000000..2eb32d00ed --- /dev/null +++ b/kubernetes/so/components/so-monitoring/requirements.yaml @@ -0,0 +1,20 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' diff --git a/kubernetes/so/charts/so-monitoring/resources/config/overrides/override.yaml b/kubernetes/so/components/so-monitoring/resources/config/overrides/override.yaml index c2e6ad06f3..c2e6ad06f3 100644 --- a/kubernetes/so/charts/so-monitoring/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-monitoring/resources/config/overrides/override.yaml diff --git a/kubernetes/so/charts/so-monitoring/templates/configmap.yaml b/kubernetes/so/components/so-monitoring/templates/configmap.yaml index a6d8b469f8..a6d8b469f8 100644 --- a/kubernetes/so/charts/so-monitoring/templates/configmap.yaml +++ b/kubernetes/so/components/so-monitoring/templates/configmap.yaml diff --git a/kubernetes/so/charts/so-monitoring/templates/deployment.yaml b/kubernetes/so/components/so-monitoring/templates/deployment.yaml index 82ca53dcf8..f5969738f6 100644 --- a/kubernetes/so/charts/so-monitoring/templates/deployment.yaml +++ b/kubernetes/so/components/so-monitoring/templates/deployment.yaml @@ -42,7 +42,7 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} + initContainers: - name: so-chown image: alpine:3.6 volumeMounts: @@ -54,8 +54,7 @@ spec: containers: - name: {{ include "common.name" . }} image: {{ include "common.repository" . }}/{{ .Values.image }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} env: - name: DB_HOST valueFrom: @@ -79,7 +78,7 @@ spec: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -102,7 +101,7 @@ spec: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} protocol: TCP - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config diff --git a/kubernetes/so/charts/so-monitoring/templates/ingress.yaml b/kubernetes/so/components/so-monitoring/templates/ingress.yaml index 8f87c68f1e..8f87c68f1e 100644 --- a/kubernetes/so/charts/so-monitoring/templates/ingress.yaml +++ b/kubernetes/so/components/so-monitoring/templates/ingress.yaml diff --git a/kubernetes/so/charts/so-monitoring/templates/secret.yaml b/kubernetes/so/components/so-monitoring/templates/secret.yaml index bd7eb8ea40..bd7eb8ea40 100644 --- a/kubernetes/so/charts/so-monitoring/templates/secret.yaml +++ b/kubernetes/so/components/so-monitoring/templates/secret.yaml diff --git a/kubernetes/so/charts/so-monitoring/templates/service.yaml b/kubernetes/so/components/so-monitoring/templates/service.yaml index c4c2ae9d13..c4c2ae9d13 100644 --- a/kubernetes/so/charts/so-monitoring/templates/service.yaml +++ b/kubernetes/so/components/so-monitoring/templates/service.yaml diff --git a/kubernetes/so/charts/so-monitoring/values.yaml b/kubernetes/so/components/so-monitoring/values.yaml index 6f38f3c263..e746baf1bb 100644 --- a/kubernetes/so/charts/so-monitoring/values.yaml +++ b/kubernetes/so/components/so-monitoring/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. +# Copyright (C) 2020 Huawei # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -24,6 +25,8 @@ global: nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 readinessImage: onap/oom/readiness:3.0.1 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 + envsubstImage: dibi/envsubst persistence: mountPath: /dockerdata-nfs @@ -43,16 +46,21 @@ secrets: login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required - - uid: "so-onap-certs" - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' #secretsFilePaths: | # - 'my file 1' # - '{{ include "templateThatGeneratesFileName" . }}' ################################################################# +# AAF part +################################################################# +soHelpers: + nameOverride: so-monitoring-cert-init + certInitializer: + nameOverride: so-monitoring-cert-init + credsPath: /opt/app/osaaf/local + +################################################################# # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 diff --git a/kubernetes/so/charts/so-nssmf-adapter/Chart.yaml b/kubernetes/so/components/so-nssmf-adapter/Chart.yaml index b3311d1c8c..b3311d1c8c 100755 --- a/kubernetes/so/charts/so-nssmf-adapter/Chart.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/Chart.yaml diff --git a/kubernetes/so/components/so-nssmf-adapter/requirements.yaml b/kubernetes/so/components/so-nssmf-adapter/requirements.yaml new file mode 100755 index 0000000000..1feea23842 --- /dev/null +++ b/kubernetes/so/components/so-nssmf-adapter/requirements.yaml @@ -0,0 +1,23 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: soHelpers + version: ~6.x-0 + repository: 'file://../soHelpers' diff --git a/kubernetes/so/charts/so-nssmf-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml index 10741b75e7..d1158a0898 100755 --- a/kubernetes/so/charts/so-nssmf-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. aai: - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} endpoint: https://aai.{{ include "common.namespace" . }}:8443 logging: path: logs @@ -50,7 +50,7 @@ mso: adapters: requestDb: endpoint: https://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} #Actuator management: endpoints: diff --git a/kubernetes/so/charts/so-nssmf-adapter/templates/configmap.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml index 85d00fddf3..811da004ee 100755 --- a/kubernetes/so/charts/so-nssmf-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "env") | data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/charts/so-nssmf-adapter/templates/deployment.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml index 2354f127b9..d07f58e84e 100755 --- a/kubernetes/so/charts/so-nssmf-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml @@ -48,7 +48,17 @@ spec: - sh args: - -c - - export BPEL_PASSWORD=`htpasswd -bnBC 10 "" $BPEL_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'`; export ACTUATOR_PASSWORD=`htpasswd -bnBC 10 "" $ACTUATOR_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'`; ./start-app.sh + - | + export BPEL_PASSWORD=`htpasswd -bnBC 10 "" $BPEL_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` + export ACTUATOR_PASSWORD=`htpasswd -bnBC 10 "" $ACTUATOR_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` + {{- if .Values.global.aafEnabled }} + export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + {{- if .Values.global.security.aaf.enabled }} + export KEYSTORE_PASSWORD="${cadi_keystore_password}" + {{- end }} + {{- end }} + ./start-app.sh image: {{ include "common.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | nindent 12 }} ports: {{- include "common.containerPorts" . | nindent 12 }} @@ -71,13 +81,6 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 14 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 14 }} - - name: TRUSTSTORE - value: {{ .Values.global.client.certs.truststore }} - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: trustStorePassword - name: BPEL_USERNAME {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-bpel-creds" "key" "login") | indent 14 }} - name: BPEL_PASSWORD_INPUT @@ -86,20 +89,12 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "login") | indent 14 }} - name: ACTUATOR_PASSWORD_INPUT {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "password") | indent 14 }} - {{- if eq .Values.global.security.aaf.enabled true }} - - name: KEYSTORE - value: {{ .Values.global.client.certs.keystore }} - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: keyStorePassword - {{- end }} + {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-env imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 12 }} + volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 12 }} - name: logs mountPath: /app/logs - name: config diff --git a/kubernetes/so/charts/so-nssmf-adapter/templates/secret.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/secret.yaml index a39363ffdd..a39363ffdd 100644 --- a/kubernetes/so/charts/so-nssmf-adapter/templates/secret.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/templates/secret.yaml diff --git a/kubernetes/so/charts/so-nssmf-adapter/templates/service.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/service.yaml index cf08482ad2..cf08482ad2 100755 --- a/kubernetes/so/charts/so-nssmf-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/templates/service.yaml diff --git a/kubernetes/so/charts/so-nssmf-adapter/values.yaml b/kubernetes/so/components/so-nssmf-adapter/values.yaml index d8f3db6e83..3bfe1b212f 100755 --- a/kubernetes/so/charts/so-nssmf-adapter/values.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/values.yaml @@ -19,8 +19,16 @@ global: nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 readinessImage: onap/oom/readiness:3.0.1 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 + envsubstImage: dibi/envsubst persistence: mountPath: /dockerdata-nfs + security: + aaf: + enabled: false + aaf: + auth: + header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= ################################################################# # Secrets metaconfig @@ -40,10 +48,6 @@ secrets: login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required - - uid: "so-onap-certs" - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: server-bpel-creds name: '{{ include "common.release" . }}-so-server-bpel-creds' type: basicAuth @@ -59,7 +63,6 @@ secrets: password: '{{ .Values.server.actuator.password }}' passwordPolicy: required - #secretsFilePaths: | # - 'my file 1' # - '{{ include "templateThatGeneratesFileName" . }}' @@ -85,21 +88,37 @@ server: bpel: username: bpel password: password1$ +aai: + auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 +mso: + adapters: + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk replicaCount: 1 minReadySeconds: 10 -containerPort: 8088 +containerPort: &containerPort 8088 logPath: ./logs/nssmf/ app: nssmf-adapter service: type: ClusterIP ports: - name: api - port: 8088 + port: *containerPort updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 + +soHelpers: + nameOverride: so-nssmf-cert-init + certInitializer: + nameOverride: so-nssmf-cert-init + credsPath: /opt/app/osaaf/local + cadi: + apiEnforcement: org.onap.so.nssmfAdapterPerm + containerPort: *containerPort + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) diff --git a/kubernetes/so/charts/so-openstack-adapter/Chart.yaml b/kubernetes/so/components/so-openstack-adapter/Chart.yaml index cf257d3239..cf257d3239 100755 --- a/kubernetes/so/charts/so-openstack-adapter/Chart.yaml +++ b/kubernetes/so/components/so-openstack-adapter/Chart.yaml diff --git a/kubernetes/so/components/so-openstack-adapter/requirements.yaml b/kubernetes/so/components/so-openstack-adapter/requirements.yaml new file mode 100755 index 0000000000..1feea23842 --- /dev/null +++ b/kubernetes/so/components/so-openstack-adapter/requirements.yaml @@ -0,0 +1,23 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: soHelpers + version: ~6.x-0 + repository: 'file://../soHelpers' diff --git a/kubernetes/so/charts/so-openstack-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml index dde3b3ee63..bc556c5d47 100755 --- a/kubernetes/so/charts/so-openstack-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. aai: - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.aai.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.aai.auth )}} endpoint: https://aai.{{ include "common.namespace" . }}:8443 server: port: {{ index .Values.containerPort }} @@ -58,7 +58,7 @@ org: default_keystone_url_version: /v2.0 default_keystone_reg_ex: "/[vV][0-9]" vnf: - bpelauth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.bpelauth )}} + bpelauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.bpelauth )}} checkRequiredParameters: true addGetFilesOnVolumeReq: false sockettimeout: 30 @@ -69,7 +69,7 @@ org: valet_enabled: false fail_requests_on_valet_failure: false network: - bpelauth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.bpelauth )}} + bpelauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.bpelauth )}} sockettimeout: 5 connecttimeout: 5 retrycount: 5 @@ -99,8 +99,8 @@ mso: adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.db.auth )}} - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.encrypted "value2" .Values.mso.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.db.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.encrypted "value2" .Values.mso.auth )}} logPath: ./logs/openstack msb-ip: msb-iag msb-port: 443 @@ -110,7 +110,7 @@ mso: msoKey: {{ .Values.mso.msoKey }} config: {{ if eq .Values.global.security.aaf.enabled true }} - cadi: {{ include "cadi.keys" . | nindent 8}} + cadi: {{ include "so.cadi.keys" . | nindent 8}} {{- else }} cadi: aafId: {{ .Values.mso.basicUser }} @@ -120,7 +120,7 @@ mso: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.db.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.db.auth )}} site-name: localDevEnv async: core-pool-size: 50 diff --git a/kubernetes/so/charts/so-openstack-adapter/templates/configmap.yaml b/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml index 21544798cf..137fdb7016 100755 --- a/kubernetes/so/charts/so-openstack-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml @@ -15,7 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-sdc-controller/templates/deployment.yaml b/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml index 7f7ef01ae2..de76901865 100755 --- a/kubernetes/so/charts/so-sdc-controller/templates/deployment.yaml +++ b/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml @@ -55,8 +55,20 @@ spec: containers: - name: {{ include "common.name" . }} image: {{ include "common.repository" . }}/{{ .Values.image }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + {{- if .Values.global.security.aaf.enabled }} + export KEYSTORE_PASSWORD="${cadi_keystore_password}" + {{- end }} + /app/start-app.sh + {{- end }} env: - name: DB_HOST valueFrom: @@ -76,27 +88,12 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{- if eq .Values.global.security.aaf.enabled true }} - - name: TRUSTSTORE - value: /app/org.onap.so.trust.jks - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: trustStorePassword - - name: KEYSTORE - value: /app/org.onap.so.jks - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: keyStorePassword - {{- end }} + {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 8 }} + volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - name: logs mountPath: /app/logs - name: config @@ -104,7 +101,7 @@ spec: readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap -{{ include "helpers.livenessProbe" .| indent 8 }} +{{ include "so.helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/charts/so-openstack-adapter/templates/secret.yaml b/kubernetes/so/components/so-openstack-adapter/templates/secret.yaml index bd7eb8ea40..bd7eb8ea40 100644 --- a/kubernetes/so/charts/so-openstack-adapter/templates/secret.yaml +++ b/kubernetes/so/components/so-openstack-adapter/templates/secret.yaml diff --git a/kubernetes/so/charts/so-openstack-adapter/templates/service.yaml b/kubernetes/so/components/so-openstack-adapter/templates/service.yaml index 6711c3b2e7..6711c3b2e7 100755 --- a/kubernetes/so/charts/so-openstack-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-openstack-adapter/templates/service.yaml diff --git a/kubernetes/so/charts/so-openstack-adapter/values.yaml b/kubernetes/so/components/so-openstack-adapter/values.yaml index c9b446d80e..16bbac2afd 100755 --- a/kubernetes/so/charts/so-openstack-adapter/values.yaml +++ b/kubernetes/so/components/so-openstack-adapter/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2018 AT&T USA -# +# Copyright © 2020 Huawei # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -19,8 +19,16 @@ global: nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 readinessImage: onap/oom/readiness:3.0.1 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 + envsubstImage: dibi/envsubst persistence: mountPath: /dockerdata-nfs + security: + aaf: + enabled: false + aaf: + auth: + encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 ################################################################# # Secrets metaconfig @@ -38,10 +46,6 @@ secrets: login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required - - uid: "so-onap-certs" - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' #secretsFilePaths: | # - 'my file 1' @@ -62,20 +66,50 @@ db: adminPassword: so_Admin123 # adminCredsExternalSecret: some secret +aai: + auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 +aaf: + auth: + encrypted: 7F182B0C05D58A23A1C4966B9CDC9E0B8BC5CD53BC8C7B4083D869F8D53E9BDC3EFD55C94B1D3F +org: + onap: + so: + adapters: + bpelauth: D1A67FA93B6A6419132D0F83CC771AF774FD3C60853C50C22C8C6FC5088CC79E9E81EDE9EA39F22B2F66A0068E +mso: + msoKey: 07a7159d3bf51a0e53be7a8f89699be7 + basicUser: poBpmn + auth: BEA8637716A7EB617DF472BA6552D22F68C1CB17B0D094D77DDA562F4ADAAC4457CAB848E1A4 + db: + auth: Basic YnBlbDpwYXNzd29yZDEk + replicaCount: 1 minReadySeconds: 10 -containerPort: 8087 +containerPort: &containerPort 8087 logPath: ./logs/openstack/ app: openstack-adapter service: type: ClusterIP - internalPort: 8087 - externalPort: 8087 + internalPort: *containerPort + externalPort: *containerPort portName: so-optack-port updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 + +################################################################# +# soHelper part +################################################################# +soHelpers: + nameOverride: so-openstack-cert-init + certInitializer: + nameOverride: so-openstack-cert-init + credsPath: /opt/app/osaaf/local + cadi: + apiEnforcement: org.onap.so.openStackAdapterPerm + containerPort: *containerPort + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) diff --git a/kubernetes/so/charts/so-request-db-adapter/Chart.yaml b/kubernetes/so/components/so-request-db-adapter/Chart.yaml index 499a8950e6..499a8950e6 100755 --- a/kubernetes/so/charts/so-request-db-adapter/Chart.yaml +++ b/kubernetes/so/components/so-request-db-adapter/Chart.yaml diff --git a/kubernetes/so/components/so-request-db-adapter/requirements.yaml b/kubernetes/so/components/so-request-db-adapter/requirements.yaml new file mode 100755 index 0000000000..1feea23842 --- /dev/null +++ b/kubernetes/so/components/so-request-db-adapter/requirements.yaml @@ -0,0 +1,23 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: soHelpers + version: ~6.x-0 + repository: 'file://../soHelpers' diff --git a/kubernetes/so/charts/so-request-db-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml index 8dde3b7f99..089d80c774 100755 --- a/kubernetes/so/charts/so-request-db-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml @@ -21,10 +21,10 @@ mso: logPath: logs site-name: localSite config: - cadi: {{- include "cadi.keys" . | nindent 8}} + cadi: {{- include "so.cadi.keys" . | nindent 8}} adapters: requestDb: - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 spring: datasource: diff --git a/kubernetes/so/charts/so-vnfm-adapter/templates/configmap.yaml b/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml index b57205223e..d351be32fc 100755 --- a/kubernetes/so/charts/so-vnfm-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml @@ -15,7 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-request-db-adapter/templates/deployment.yaml b/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml index 0e5e24b5ec..159d2e7f13 100755 --- a/kubernetes/so/charts/so-request-db-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml @@ -55,8 +55,20 @@ spec: containers: - name: {{ include "common.name" . }} image: {{ include "common.repository" . }}/{{ .Values.image }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + {{- if .Values.global.security.aaf.enabled }} + export KEYSTORE_PASSWORD="${cadi_keystore_password}" + {{- end }} + /app/start-app.sh + {{- end }} env: - name: DB_HOST valueFrom: @@ -76,33 +88,18 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{- if eq .Values.global.security.aaf.enabled true }} - - name: TRUSTSTORE - value: /app/org.onap.so.trust.jks - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: trustStorePassword - - name: KEYSTORE - value: /app/org.onap.so.jks - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: keyStorePassword - {{- end }} + {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 8 }} + volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - name: logs mountPath: /app/logs - name: config mountPath: /app/config readOnly: true -{{ include "helpers.livenessProbe" .| indent 8 }} +{{ include "so.helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/charts/so-request-db-adapter/templates/secret.yaml b/kubernetes/so/components/so-request-db-adapter/templates/secret.yaml index bd7eb8ea40..bd7eb8ea40 100644 --- a/kubernetes/so/charts/so-request-db-adapter/templates/secret.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/secret.yaml diff --git a/kubernetes/so/charts/so-request-db-adapter/templates/service.yaml b/kubernetes/so/components/so-request-db-adapter/templates/service.yaml index 6711c3b2e7..6711c3b2e7 100755 --- a/kubernetes/so/charts/so-request-db-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/service.yaml diff --git a/kubernetes/so/charts/so-request-db-adapter/values.yaml b/kubernetes/so/components/so-request-db-adapter/values.yaml index d4be6ed763..5a3721abbe 100755 --- a/kubernetes/so/charts/so-request-db-adapter/values.yaml +++ b/kubernetes/so/components/so-request-db-adapter/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2018 AT&T USA -# +# Copyright © 2020 Huawei # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -19,8 +19,16 @@ global: nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 readinessImage: onap/oom/readiness:3.0.1 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 + envsubstImage: dibi/envsubst persistence: mountPath: /dockerdata-nfs + security: + aaf: + enabled: false + aaf: + auth: + header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= ################################################################# # Secrets metaconfig @@ -38,10 +46,6 @@ secrets: login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required - - uid: "so-onap-certs" - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' #secretsFilePaths: | # - 'my file 1' @@ -62,20 +66,38 @@ db: adminPassword: so_Admin123 # adminCredsExternalSecret: some secret +mso: + adapters: + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk + replicaCount: 1 minReadySeconds: 10 -containerPort: 8083 +containerPort: &containerPort 8083 logPath: ./logs/reqdb/ app: request-db-adapter service: type: ClusterIP - internalPort: 8083 - externalPort: 8083 + internalPort: *containerPort + externalPort: *containerPort portName: so-reqdb-port updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 + +################################################################# +# soHelpers part +################################################################# +soHelpers: + nameOverride: so-requestdb-cert-init + certInitializer: + nameOverride: so-requestdb-cert-init + credsPath: /opt/app/osaaf/local + cadi: + apiEnforcement: org.onap.so.requestDbAdapterPerm + containerPort: *containerPort + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) diff --git a/kubernetes/so/charts/so-sdc-controller/Chart.yaml b/kubernetes/so/components/so-sdc-controller/Chart.yaml index 6151e1beae..6151e1beae 100755 --- a/kubernetes/so/charts/so-sdc-controller/Chart.yaml +++ b/kubernetes/so/components/so-sdc-controller/Chart.yaml diff --git a/kubernetes/so/components/so-sdc-controller/requirements.yaml b/kubernetes/so/components/so-sdc-controller/requirements.yaml new file mode 100755 index 0000000000..1feea23842 --- /dev/null +++ b/kubernetes/so/components/so-sdc-controller/requirements.yaml @@ -0,0 +1,23 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: soHelpers + version: ~6.x-0 + repository: 'file://../soHelpers' diff --git a/kubernetes/so/charts/so-sdc-controller/resources/config/overrides/override.yaml b/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml index 8d02cc1f5c..8fa49ba3e7 100755 --- a/kubernetes/so/charts/so-sdc-controller/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml @@ -47,19 +47,19 @@ mso: msoKey: {{ index .Values.mso.msoKey }} logPath: ./logs/sdc config: - cadi: {{ include "cadi.keys" . | nindent 8}} + cadi: {{ include "so.cadi.keys" . | nindent 8}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.requestDb.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.requestDb.auth )}} site-name: onapheat camundaURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/ adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.requestDb.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.requestDb.auth )}} aai: endpoint: https://aai.{{ include "common.namespace" . }}:8443 asdc-connections: diff --git a/kubernetes/so/charts/so-sdc-controller/templates/configmap.yaml b/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml index 104daae051..4859112580 100755 --- a/kubernetes/so/charts/so-sdc-controller/templates/configmap.yaml +++ b/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml @@ -15,7 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-openstack-adapter/templates/deployment.yaml b/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml index 7f7ef01ae2..de76901865 100755 --- a/kubernetes/so/charts/so-openstack-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml @@ -55,8 +55,20 @@ spec: containers: - name: {{ include "common.name" . }} image: {{ include "common.repository" . }}/{{ .Values.image }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + {{- if .Values.global.security.aaf.enabled }} + export KEYSTORE_PASSWORD="${cadi_keystore_password}" + {{- end }} + /app/start-app.sh + {{- end }} env: - name: DB_HOST valueFrom: @@ -76,27 +88,12 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{- if eq .Values.global.security.aaf.enabled true }} - - name: TRUSTSTORE - value: /app/org.onap.so.trust.jks - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: trustStorePassword - - name: KEYSTORE - value: /app/org.onap.so.jks - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: keyStorePassword - {{- end }} + {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 8 }} + volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - name: logs mountPath: /app/logs - name: config @@ -104,7 +101,7 @@ spec: readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap -{{ include "helpers.livenessProbe" .| indent 8 }} +{{ include "so.helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/charts/so-sdc-controller/templates/secret.yaml b/kubernetes/so/components/so-sdc-controller/templates/secret.yaml index bd7eb8ea40..bd7eb8ea40 100644 --- a/kubernetes/so/charts/so-sdc-controller/templates/secret.yaml +++ b/kubernetes/so/components/so-sdc-controller/templates/secret.yaml diff --git a/kubernetes/so/charts/so-sdc-controller/templates/service.yaml b/kubernetes/so/components/so-sdc-controller/templates/service.yaml index 6711c3b2e7..6711c3b2e7 100755 --- a/kubernetes/so/charts/so-sdc-controller/templates/service.yaml +++ b/kubernetes/so/components/so-sdc-controller/templates/service.yaml diff --git a/kubernetes/so/charts/so-sdc-controller/values.yaml b/kubernetes/so/components/so-sdc-controller/values.yaml index 57fc44d263..24de2c6862 100755 --- a/kubernetes/so/charts/so-sdc-controller/values.yaml +++ b/kubernetes/so/components/so-sdc-controller/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2018 AT&T USA -# +# Copyright © 2020 Huawei # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -19,8 +19,16 @@ global: nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 readinessImage: onap/oom/readiness:3.0.1 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 + envsubstImage: dibi/envsubst persistence: mountPath: /dockerdata-nfs + security: + aaf: + enabled: false + aaf: + auth: + header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= ################################################################# # Secrets metaconfig @@ -38,10 +46,6 @@ secrets: login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required - - uid: "so-onap-certs" - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' #secretsFilePaths: | # - 'my file 1' @@ -62,20 +66,46 @@ db: adminPassword: so_Admin123 # adminCredsExternalSecret: some secret +aai: + auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 +mso: + msoKey: 07a7159d3bf51a0e53be7a8f89699be7 + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk + asdc: + config: + key: 566B754875657232314F5548556D3665 + asdc-connections: + asdc-controller1: + password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F + replicaCount: 1 minReadySeconds: 10 -containerPort: 8085 +containerPort: &containerPort 8085 logPath: ./logs/sdc/ app: sdc-controller service: type: ClusterIP - internalPort: 8085 - externalPort: 8085 + internalPort: *containerPort + externalPort: *containerPort portName: so-sdc-port updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 + +################################################################# +# soHelpers part +################################################################# +soHelpers: + nameOverride: so-sdc-cert-init + certInitializer: + nameOverride: so-sdc-cert-init + credsPath: /opt/app/osaaf/local + cadi: + apiEnforcement: org.onap.so.sdcControllerPerm + containerPort: *containerPort + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) diff --git a/kubernetes/so/charts/so-sdnc-adapter/Chart.yaml b/kubernetes/so/components/so-sdnc-adapter/Chart.yaml index 1ab7a2b0b4..1ab7a2b0b4 100755 --- a/kubernetes/so/charts/so-sdnc-adapter/Chart.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/Chart.yaml diff --git a/kubernetes/so/components/so-sdnc-adapter/requirements.yaml b/kubernetes/so/components/so-sdnc-adapter/requirements.yaml new file mode 100755 index 0000000000..1feea23842 --- /dev/null +++ b/kubernetes/so/components/so-sdnc-adapter/requirements.yaml @@ -0,0 +1,23 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: soHelpers + version: ~6.x-0 + repository: 'file://../soHelpers' diff --git a/kubernetes/so/charts/so-sdnc-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml index d363122a33..3e4e355eba 100755 --- a/kubernetes/so/charts/so-sdnc-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml @@ -20,13 +20,13 @@ mso: queue-capacity: 500 logPath: ./logs/sdnc config: - cadi: {{ include "cadi.keys" . | nindent 14}} + cadi: {{ include "so.cadi.keys" . | nindent 14}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} site-name: onapheat org: onap: @@ -102,7 +102,7 @@ org: changedelete: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf delete: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf rollback: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf - bpelauth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.sdnc.bpelauth )}} + bpelauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.sdnc.bpelauth )}} bpelurl: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/SDNCAdapterCallbackService opticalservice: optical-service-create: @@ -146,7 +146,7 @@ org: myurl: http://so-sdnc-adapter.{{ include "common.namespace" . }}:8086/adapters/rest/SDNCNotify rest: bpelurl: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage - sdncauth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.sdnc.sdncauth )}} + sdncauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.sdnc.sdncauth )}} sdncconnecttime: 5000 sdncurl10: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/GENERIC-RESOURCE-API:' sdncurl11: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/VNFTOPOLOGYAIC-API:' diff --git a/kubernetes/so/charts/so-sdnc-adapter/templates/configmap.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml index 104daae051..4859112580 100755 --- a/kubernetes/so/charts/so-sdnc-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml @@ -15,7 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-sdnc-adapter/templates/deployment.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml index d4bd389296..16342ad19a 100755 --- a/kubernetes/so/charts/so-sdnc-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml @@ -41,8 +41,20 @@ spec: containers: - name: {{ include "common.name" . }} image: {{ include "common.repository" . }}/{{ .Values.image }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + {{- if .Values.global.security.aaf.enabled }} + export KEYSTORE_PASSWORD="${cadi_keystore_password}" + {{- end }} + /app/start-app.sh + {{- end }} env: - name: DB_HOST valueFrom: @@ -62,27 +74,12 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{- if eq .Values.global.security.aaf.enabled true }} - - name: TRUSTSTORE - value: /app/org.onap.so.trust.jks - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: trustStorePassword - - name: KEYSTORE - value: /app/org.onap.so.jks - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: keyStorePassword - {{- end }} + {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 8 }} + volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - name: logs mountPath: /app/logs - name: config @@ -90,7 +87,7 @@ spec: readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap -{{ include "helpers.livenessProbe" .| indent 8 }} +{{ include "so.helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/charts/so-sdnc-adapter/templates/secret.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/secret.yaml index bd7eb8ea40..bd7eb8ea40 100644 --- a/kubernetes/so/charts/so-sdnc-adapter/templates/secret.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/secret.yaml diff --git a/kubernetes/so/charts/so-sdnc-adapter/templates/service.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml index 6711c3b2e7..6711c3b2e7 100755 --- a/kubernetes/so/charts/so-sdnc-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml diff --git a/kubernetes/so/charts/so-sdnc-adapter/values.yaml b/kubernetes/so/components/so-sdnc-adapter/values.yaml index 92a262b929..4b36815d3d 100755 --- a/kubernetes/so/charts/so-sdnc-adapter/values.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2018 AT&T USA -# +# Copyright © 2020 Huawei # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -19,11 +19,19 @@ global: nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 readinessImage: onap/oom/readiness:3.0.1 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 + envsubstImage: dibi/envsubst persistence: mountPath: /dockerdata-nfs #This configuration specifies Service and port for SDNC OAM interface sdncOamService: sdnc-oam sdncOamPort: 8282 + security: + aaf: + enabled: false + aaf: + auth: + header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= ################################################################# # Secrets metaconfig @@ -41,10 +49,6 @@ secrets: login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required - - uid: "so-onap-certs" - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' #secretsFilePaths: | # - 'my file 1' @@ -57,6 +61,20 @@ repository: nexus3.onap.org:10001 image: onap/so/sdnc-adapter:1.6.4 pullPolicy: Always +org: + onap: + so: + adapters: + sdnc: + bpelauth: 4C18603C5AE7E3A42A6CED95CDF9C0BA9B2109B3725747662E5D34E5FDF63DA9ADEBB08185098F14699195FDE9475100 + sdncauth: ED07A7EE5F099FA53369C3DF2240AD68A00154676EEDBC6F8C16BAA83B1912941B8941ABD48683D2C1072DA7040659692DE936A59BBF42A038CF71DE67B4A375190071EC76EA657801B033C135 + network: + encryptionKey: 07a7159d3bf51a0e53be7a8f89699be7 +mso: + adapters: + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk + db: userName: so_user userPassword: so_User123 @@ -67,18 +85,32 @@ db: replicaCount: 1 minReadySeconds: 10 -containerPort: 8086 +containerPort: &containerPort 8086 logPath: ./logs/sdnc/ app: sdnc-adapter service: type: ClusterIP - internalPort: 8086 - externalPort: 8086 + internalPort: *containerPort + externalPort: *containerPort portName: so-sdnc-port updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 + + +################################################################# +# soHelpers part +################################################################# +soHelpers: + nameOverride: so-sdnc-cert-init + certInitializer: + nameOverride: so-sdnc-cert-init + credsPath: /opt/app/osaaf/local + cadi: + apiEnforcement: org.onap.so.sdncAdapterPerm + containerPort: *containerPort + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) diff --git a/kubernetes/so/charts/so-secrets/Chart.yaml b/kubernetes/so/components/so-secrets/Chart.yaml index d96245d752..d96245d752 100644 --- a/kubernetes/so/charts/so-secrets/Chart.yaml +++ b/kubernetes/so/components/so-secrets/Chart.yaml diff --git a/kubernetes/so/components/so-secrets/requirements.yaml b/kubernetes/so/components/so-secrets/requirements.yaml new file mode 100755 index 0000000000..2eb32d00ed --- /dev/null +++ b/kubernetes/so/components/so-secrets/requirements.yaml @@ -0,0 +1,20 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' diff --git a/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks b/kubernetes/so/components/so-secrets/resources/certs/org.onap.so.trust.jks Binary files differindex 31ea6ba650..31ea6ba650 100644 --- a/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks +++ b/kubernetes/so/components/so-secrets/resources/certs/org.onap.so.trust.jks diff --git a/kubernetes/so/charts/so-secrets/templates/secrets.yaml b/kubernetes/so/components/so-secrets/templates/secrets.yaml index 5be2cc7c41..5be2cc7c41 100644 --- a/kubernetes/so/charts/so-secrets/templates/secrets.yaml +++ b/kubernetes/so/components/so-secrets/templates/secrets.yaml diff --git a/kubernetes/so/components/so-secrets/values.yaml b/kubernetes/so/components/so-secrets/values.yaml new file mode 100644 index 0000000000..602ea79084 --- /dev/null +++ b/kubernetes/so/components/so-secrets/values.yaml @@ -0,0 +1,20 @@ +# Copyright (c) 2020 Orange +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + client: + certs: + trustStorePassword: LHN4Iy5DKlcpXXdWZ0pDNmNjRkhJIzpI diff --git a/kubernetes/so/charts/so-ve-vnfm-adapter/Chart.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml index b78051ff14..b78051ff14 100755 --- a/kubernetes/so/charts/so-ve-vnfm-adapter/Chart.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/requirements.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/requirements.yaml new file mode 100755 index 0000000000..1feea23842 --- /dev/null +++ b/kubernetes/so/components/so-ve-vnfm-adapter/requirements.yaml @@ -0,0 +1,23 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: soHelpers + version: ~6.x-0 + repository: 'file://../soHelpers' diff --git a/kubernetes/so/charts/so-ve-vnfm-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml index 89b6ada3fd..89b6ada3fd 100755 --- a/kubernetes/so/charts/so-ve-vnfm-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml diff --git a/kubernetes/so/charts/so-ve-vnfm-adapter/templates/configmap.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/templates/configmap.yaml index e940811883..e940811883 100755 --- a/kubernetes/so/charts/so-ve-vnfm-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/templates/configmap.yaml diff --git a/kubernetes/so/charts/so-ve-vnfm-adapter/templates/deployment.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml index b7040044c5..1f9dfb5a5c 100755 --- a/kubernetes/so/charts/so-ve-vnfm-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml @@ -47,7 +47,7 @@ spec: image: {{ include "common.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | nindent 12 }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 12 }} + volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 12 }} - name: logs mountPath: /app/logs - name: config diff --git a/kubernetes/so/charts/so-ve-vnfm-adapter/templates/secret.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/templates/secret.yaml index bd7eb8ea40..bd7eb8ea40 100644 --- a/kubernetes/so/charts/so-ve-vnfm-adapter/templates/secret.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/templates/secret.yaml diff --git a/kubernetes/so/charts/so-ve-vnfm-adapter/templates/service.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/templates/service.yaml index f3ef1138b8..f3ef1138b8 100755 --- a/kubernetes/so/charts/so-ve-vnfm-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/templates/service.yaml diff --git a/kubernetes/so/charts/so-ve-vnfm-adapter/values.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml index 0620a0b052..6511af320b 100755 --- a/kubernetes/so/charts/so-ve-vnfm-adapter/values.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml @@ -17,23 +17,12 @@ global: repository: nexus3.onap.org:10001 readinessImage: onap/oom/readiness:3.0.1 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 + envsubstImage: dibi/envsubst persistence: mountPath: /dockerdata-nfs ################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: "so-onap-certs" - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - -#secretsFilePaths: | -# - 'my file 1' -# - '{{ include "templateThatGeneratesFileName" . }}' - -################################################################# # Application configuration defaults. ################################################################# image: onap/so/ve-vnfm-adapter:1.6.4 @@ -57,6 +46,16 @@ service: ports: - name: http port: 9098 + +################################################################# +# soHelpers part +################################################################# +soHelpers: + nameOverride: so-vevnfm-cert-init + certInitializer: + nameOverride: so-vevnfm-cert-init + credsPath: /opt/app/osaaf/local + flavor: small resources: small: diff --git a/kubernetes/so/charts/so-vfc-adapter/Chart.yaml b/kubernetes/so/components/so-vfc-adapter/Chart.yaml index 2ce175d9c1..2ce175d9c1 100755 --- a/kubernetes/so/charts/so-vfc-adapter/Chart.yaml +++ b/kubernetes/so/components/so-vfc-adapter/Chart.yaml diff --git a/kubernetes/so/components/so-vfc-adapter/requirements.yaml b/kubernetes/so/components/so-vfc-adapter/requirements.yaml new file mode 100755 index 0000000000..1feea23842 --- /dev/null +++ b/kubernetes/so/components/so-vfc-adapter/requirements.yaml @@ -0,0 +1,23 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: soHelpers + version: ~6.x-0 + repository: 'file://../soHelpers' diff --git a/kubernetes/so/charts/so-vfc-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-vfc-adapter/resources/config/overrides/override.yaml index dec34485bc..59028bcce8 100755 --- a/kubernetes/so/charts/so-vfc-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-vfc-adapter/resources/config/overrides/override.yaml @@ -38,13 +38,13 @@ mso: site-name: localSite logPath: ./logs/vfc config: - cadi: {{ include "cadi.keys" . | nindent 8}} + cadi: {{ include "so.cadi.keys" . | nindent 8}} msb-ip: msb-iag msb-port: 80 adapters: requestDb: endpoint: https://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} #Actuator management: security: diff --git a/kubernetes/so/charts/so-request-db-adapter/templates/configmap.yaml b/kubernetes/so/components/so-vfc-adapter/templates/configmap.yaml index b57205223e..d351be32fc 100755 --- a/kubernetes/so/charts/so-request-db-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-vfc-adapter/templates/configmap.yaml @@ -15,7 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-vfc-adapter/templates/deployment.yaml b/kubernetes/so/components/so-vfc-adapter/templates/deployment.yaml index d2d72d07cf..c0575106cc 100755 --- a/kubernetes/so/charts/so-vfc-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-vfc-adapter/templates/deployment.yaml @@ -55,8 +55,20 @@ spec: containers: - name: {{ include "common.name" . }} image: {{ include "common.repository" . }}/{{ .Values.image }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + {{- if .Values.global.security.aaf.enabled }} + export KEYSTORE_PASSWORD="${cadi_keystore_password}" + {{- end }} + /app/start-app.sh + {{- end }} env: - name: DB_HOST valueFrom: @@ -76,27 +88,12 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{- if eq .Values.global.security.aaf.enabled true }} - - name: TRUSTSTORE - value: /app/org.onap.so.trust.jks - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: trustStorePassword - - name: KEYSTORE - value: /app/org.onap.so.jks - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: keyStorePassword - {{- end }} + {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 8 }} + volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - name: logs mountPath: /app/logs - name: config diff --git a/kubernetes/so/charts/so-vfc-adapter/templates/secret.yaml b/kubernetes/so/components/so-vfc-adapter/templates/secret.yaml index bd7eb8ea40..bd7eb8ea40 100644 --- a/kubernetes/so/charts/so-vfc-adapter/templates/secret.yaml +++ b/kubernetes/so/components/so-vfc-adapter/templates/secret.yaml diff --git a/kubernetes/so/charts/so-vfc-adapter/templates/service.yaml b/kubernetes/so/components/so-vfc-adapter/templates/service.yaml index 5e29af8ab5..5e29af8ab5 100755 --- a/kubernetes/so/charts/so-vfc-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-vfc-adapter/templates/service.yaml diff --git a/kubernetes/so/charts/so-vfc-adapter/values.yaml b/kubernetes/so/components/so-vfc-adapter/values.yaml index 8eb991430c..d0e1d20e75 100755 --- a/kubernetes/so/charts/so-vfc-adapter/values.yaml +++ b/kubernetes/so/components/so-vfc-adapter/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2018 AT&T USA -# +# Copyright © 2020 Huawei # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -19,8 +19,15 @@ global: nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 readinessImage: onap/oom/readiness:3.0.1 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 persistence: mountPath: /dockerdata-nfs + security: + aaf: + enabled: false + aaf: + auth: + header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= ################################################################# # Secrets metaconfig @@ -38,10 +45,6 @@ secrets: login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required - - uid: "so-onap-certs" - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' #secretsFilePaths: | # - 'my file 1' @@ -62,20 +65,39 @@ db: adminPassword: so_Admin123 # adminCredsExternalSecret: some secret +mso: + adapters: + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk + replicaCount: 1 minReadySeconds: 10 -containerPort: 8084 +containerPort: &containerPort 8084 logPath: ./logs/vfc/ app: vfc-adapter service: type: ClusterIP - internalPort: 8084 - externalPort: 8084 + internalPort: *containerPort + externalPort: *containerPort portName: so-vfc-port updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 + + +################################################################# +# soHelpers part +################################################################# +soHelpers: + nameOverride: so-vfc-cert-init + certInitializer: + nameOverride: so-vfc-cert-init + credsPath: /opt/app/osaaf/local + cadi: + apiEnforcement: org.onap.so.vfcAdapterPerm + containerPort: *containerPort + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) diff --git a/kubernetes/so/charts/so-vnfm-adapter/Chart.yaml b/kubernetes/so/components/so-vnfm-adapter/Chart.yaml index 3ef796acd7..3ef796acd7 100755 --- a/kubernetes/so/charts/so-vnfm-adapter/Chart.yaml +++ b/kubernetes/so/components/so-vnfm-adapter/Chart.yaml diff --git a/kubernetes/so/components/so-vnfm-adapter/requirements.yaml b/kubernetes/so/components/so-vnfm-adapter/requirements.yaml new file mode 100755 index 0000000000..1feea23842 --- /dev/null +++ b/kubernetes/so/components/so-vnfm-adapter/requirements.yaml @@ -0,0 +1,23 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: soHelpers + version: ~6.x-0 + repository: 'file://../soHelpers' diff --git a/kubernetes/so/charts/so-vnfm-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-vnfm-adapter/resources/config/overrides/override.yaml index 4128bc36ee..e8d625ed7a 100755 --- a/kubernetes/so/charts/so-vnfm-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-vnfm-adapter/resources/config/overrides/override.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. aai: - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} version: v15 endpoint: https://aai.{{ include "common.namespace" . }}:8443 spring: @@ -41,12 +41,12 @@ mso: site-name: localSite logPath: ./logs/vnfm-adapter config: - cadi: {{ include "cadi.keys" . | nindent 8}} + cadi: {{ include "so.cadi.keys" . | nindent 8}} msb-ip: msb-iag msb-port: 80 sdc: - username: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.username "value2" .Values.sdc.username )}} - password: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.password "value2" .Values.sdc.password )}} + username: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.username "value2" .Values.sdc.username )}} + password: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.password "value2" .Values.sdc.password )}} key: {{ .Values.sdc.key }} endpoint: https://sdc-be.{{ include "common.namespace" . }}:8443 vnfmadapter: diff --git a/kubernetes/so/charts/so-catalog-db-adapter/templates/configmap.yaml b/kubernetes/so/components/so-vnfm-adapter/templates/configmap.yaml index b57205223e..d351be32fc 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-vnfm-adapter/templates/configmap.yaml @@ -15,7 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml b/kubernetes/so/components/so-vnfm-adapter/templates/deployment.yaml index ee84d60905..caf218fb6d 100755 --- a/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-vnfm-adapter/templates/deployment.yaml @@ -41,30 +41,27 @@ spec: containers: - name: {{ include "common.name" . }} image: {{ include "common.repository" . }}/{{ .Values.image }} - resources: -{{ include "common.resources" . | indent 12 }} - env: - - name: TRUSTSTORE - value: {{ .Values.global.client.certs.truststore }} - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: trustStorePassword - {{ if eq .Values.global.security.aaf.enabled true }} - - name: KEYSTORE - value: {{ .Values.global.client.certs.keystore }} - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: keyStorePassword + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + {{- if .Values.global.security.aaf.enabled }} + export KEYSTORE_PASSWORD="${cadi_keystore_password}" + {{- end }} + /app/start-app.sh {{- end }} + env: + {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 8 }} + volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - name: logs mountPath: /app/logs - name: config diff --git a/kubernetes/so/charts/so-vnfm-adapter/templates/ingress.yaml b/kubernetes/so/components/so-vnfm-adapter/templates/ingress.yaml index 8f87c68f1e..8f87c68f1e 100644 --- a/kubernetes/so/charts/so-vnfm-adapter/templates/ingress.yaml +++ b/kubernetes/so/components/so-vnfm-adapter/templates/ingress.yaml diff --git a/kubernetes/so/charts/so-vnfm-adapter/templates/secret.yaml b/kubernetes/so/components/so-vnfm-adapter/templates/secret.yaml index bd7eb8ea40..bd7eb8ea40 100644 --- a/kubernetes/so/charts/so-vnfm-adapter/templates/secret.yaml +++ b/kubernetes/so/components/so-vnfm-adapter/templates/secret.yaml diff --git a/kubernetes/so/charts/so-vnfm-adapter/templates/service.yaml b/kubernetes/so/components/so-vnfm-adapter/templates/service.yaml index b445f7553b..b445f7553b 100755 --- a/kubernetes/so/charts/so-vnfm-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-vnfm-adapter/templates/service.yaml diff --git a/kubernetes/so/charts/so-vnfm-adapter/values.yaml b/kubernetes/so/components/so-vnfm-adapter/values.yaml index 8580df2bf9..f15fffb055 100755 --- a/kubernetes/so/charts/so-vnfm-adapter/values.yaml +++ b/kubernetes/so/components/so-vnfm-adapter/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2019 Nordix Foundation -# +# Copyright © 2020 Huawei # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -18,22 +18,16 @@ global: nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 readinessImage: onap/oom/readiness:3.0.1 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 + envsubstImage: dibi/envsubst persistence: mountPath: /dockerdata-nfs - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: "so-onap-certs" - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - -#secretsFilePaths: | -# - 'my file 1' -# - '{{ include "templateThatGeneratesFileName" . }}' - + security: + aaf: + enabled: false + aaf: + auth: + header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= ################################################################# # Application configuration defaults. @@ -42,21 +36,47 @@ repository: nexus3.onap.org:10001 image: onap/so/vnfm-adapter:1.6.4 pullPolicy: Always +aaf: + auth: + username: so@so.onap.org + password: 8DB1C939BFC6A35C3832D0E52E452D0E05AE2537AF142CECD125FF827C05A972FDD0F4700547DA +aai: + auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 +mso: + key: 07a7159d3bf51a0e53be7a8f89699be7 +sdc: + username: mso + password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F + key: 566B754875657232314F5548556D3665 + replicaCount: 1 minReadySeconds: 10 -containerPort: 9092 +containerPort: &containerPort 9092 logPath: ./logs/vnfm-adapter/ app: vnfm-adapter service: type: NodePort - internalPort: 9092 - externalPort: 9092 + internalPort: *containerPort + externalPort: *containerPort nodePort: "06" portName: so-vnfm-port updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 + +################################################################# +# soHelpers part +################################################################# +soHelpers: + nameOverride: so-vnfm-cert-init + certInitializer: + nameOverride: so-vnfm-cert-init + credsPath: /opt/app/osaaf/local + cadi: + apiEnforcement: org.onap.so.vnfmAdapterPerm + containerPort: *containerPort + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) diff --git a/kubernetes/so/components/soHelpers/Chart.yaml b/kubernetes/so/components/soHelpers/Chart.yaml new file mode 100755 index 0000000000..a91111a33a --- /dev/null +++ b/kubernetes/so/components/soHelpers/Chart.yaml @@ -0,0 +1,17 @@ +# Copyright © 2018 AT&T USA +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +description: A Helm chart for SO helpers +name: soHelpers +version: 6.0.0 diff --git a/kubernetes/so/components/soHelpers/requirements.yaml b/kubernetes/so/components/soHelpers/requirements.yaml new file mode 100755 index 0000000000..aa972a525b --- /dev/null +++ b/kubernetes/so/components/soHelpers/requirements.yaml @@ -0,0 +1,23 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: certInitializer + version: ~6.x-0 + repository: '@local' diff --git a/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl b/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl new file mode 100644 index 0000000000..d16b4f7cf8 --- /dev/null +++ b/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl @@ -0,0 +1,21 @@ +{{- define "so.cadi.keys" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} +cadiLoglevel: {{ $initRoot.cadi.logLevel }} +cadiKeyFile: {{ $initRoot.certInitializer.credsPath }}/{{ $initRoot.aaf.keyFile }} +cadiTrustStore: {{ $initRoot.certInitializer.credsPath }}/{{ $initRoot.aaf.trustore }} +cadiTruststorePassword: ${TRUSTSTORE_PASSWORD} +cadiLatitude: {{ $initRoot.cadi.latitude }} +cadiLongitude: {{ $initRoot.cadi.longitude }} +aafEnv: {{ $initRoot.cadi.aafEnv }} +aafApiVersion: {{ $initRoot.cadi.aafApiVersion }} +aafRootNs: {{ $initRoot.cadi.aafRootNs }} +aafId: {{ $initRoot.cadi.aafId }} +aafPassword: {{ $initRoot.cadi.aafPassword }} +aafLocateUrl: {{ $initRoot.cadi.aafLocateUrl }} +aafUrl: {{ $initRoot.cadi.aafUrl }} +apiEnforcement: {{ $initRoot.cadi.apiEnforcement }} +{{- if ($initRoot.cadi.noAuthn) }} +noAuthn: {{ $initRoot.cadi.noAuthn }} +{{- end }} +{{- end }} diff --git a/kubernetes/so/components/soHelpers/templates/_certificates.tpl b/kubernetes/so/components/soHelpers/templates/_certificates.tpl new file mode 100644 index 0000000000..fa25ba5177 --- /dev/null +++ b/kubernetes/so/components/soHelpers/templates/_certificates.tpl @@ -0,0 +1,58 @@ +{{- define "so.certificate.container_importer" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} +{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} +{{ include "common.certInitializer.initContainer" $subchartDot }} +{{- if $dot.Values.global.aafEnabled }} +- name: {{ include "common.name" $dot }}-msb-cert-importer + image: "{{ include "common.repository" $dot }}/{{ $dot.Values.global.aafAgentImage }}" + imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }} + command: + - "/bin/sh" + args: + - "-c" + - | + export $(grep '^c' {{ $subchartDot.Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) + keytool -import -trustcacerts -alias msb_root -file \ + /certificates/msb-ca.crt -keystore \ + "{{ $subchartDot.Values.certInitializer.credsPath }}/{{ $subchartDot.Values.aaf.trustore }}" \ + -keypass $cadi_truststore_password -noprompt + volumeMounts: + {{ include "common.certInitializer.volumeMount" $subchartDot | indent 2 | trim }} + - name: {{ include "common.name" $dot }}-msb-certificate + mountPath: /certificates +{{- end }} +{{- end -}} + +{{- define "so.certificate.volumes" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} +{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} +{{ include "common.certInitializer.volumes" $subchartDot }} +{{- if $dot.Values.global.aafEnabled }} +- name: {{ include "common.name" $dot }}-msb-certificate + secret: + secretName: {{ include "common.secret.getSecretNameFast" (dict "global" $subchartDot "uid" "so-onap-certs") }} +{{- end }} +{{- end -}} + +{{- define "so.certificate.volumeMount" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} +{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} +{{ include "common.certInitializer.volumeMount" $subchartDot }} +{{- end -}} + +{{- define "so.certificates.env" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} +{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} +{{- if $dot.Values.global.aafEnabled }} +- name: TRUSTSTORE + value: {{ $subchartDot.Values.certInitializer.credsPath }}/{{ $subchartDot.Values.aaf.trustore }} +{{- if $dot.Values.global.security.aaf.enabled }} +- name: KEYSTORE + value: {{ $subchartDot.Values.certInitializer.credsPath }}/org.onap.so.jks +{{- end }} +{{- end }} +{{- end -}} diff --git a/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl b/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl new file mode 100644 index 0000000000..cde94742c6 --- /dev/null +++ b/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl @@ -0,0 +1,20 @@ +{{- define "so.helpers.livenessProbe" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} +{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} +livenessProbe: + httpGet: + path: {{ $subchartDot.Values.livenessProbe.path }} + port: {{ $subchartDot.Values.containerPort }} + scheme: {{ $subchartDot.Values.livenessProbe.scheme }} + {{- if $subchartDot.Values.global.security.aaf.enabled }} + httpHeaders: + - name: Authorization + value: {{ $subchartDot.Values.global.aaf.auth.header }} + {{- end }} + initialDelaySeconds: {{ $subchartDot.Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ $subchartDot.Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ $subchartDot.Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ $subchartDot.Values.livenessProbe.successThreshold }} + failureThreshold: {{ $subchartDot.Values.livenessProbe.failureThreshold }} +{{- end -}} diff --git a/kubernetes/so/components/soHelpers/templates/_profileProperty.tpl b/kubernetes/so/components/soHelpers/templates/_profileProperty.tpl new file mode 100644 index 0000000000..56910ebebd --- /dev/null +++ b/kubernetes/so/components/soHelpers/templates/_profileProperty.tpl @@ -0,0 +1,3 @@ +{{- define "so.helpers.profileProperty" -}} + {{ if .condition }}{{ .value1 }}{{ else }}{{ .value2 }}{{ end }} +{{- end -}} diff --git a/kubernetes/so/components/soHelpers/values.yaml b/kubernetes/so/components/soHelpers/values.yaml new file mode 100755 index 0000000000..5dbe46cf9e --- /dev/null +++ b/kubernetes/so/components/soHelpers/values.yaml @@ -0,0 +1,98 @@ +# Copyright © 2018 AT&T USA +# Copyright © 2020 Huawei +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################# +# Global configuration defaults. +################################################################# +global: + soBaseImage: onap/so/base-image:1.0 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 + msbEnabled: true + security: + aaf: + enabled: false + app: + msoKey: 07a7159d3bf51a0e53be7a8f89699be7 + client: + certs: + truststore: /app/client/org.onap.so.trust.jks + keystore: /app/client/org.onap.so.jks + trustStorePassword: LHN4Iy5DKlcpXXdWZ0pDNmNjRkhJIzpI + keyStorePassword: c280b25hcA== + certificates: + path: /etc/ssl/certs + share_path: /usr/local/share/ca-certificates/ + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: "so-onap-certs" + name: '{{ include "common.release" . }}-so-certs' + externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' + type: generic + filePaths: + - resources/config/certificates/msb-ca.crt + +################################################################# +# AAF part +################################################################# +certInitializer: + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: so + fqi: so@so.onap.org + public_fqdn: so.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + aaf_add_config: > + /opt/app/aaf_config/bin/agent.sh local showpass + {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + +aafConfig: + permission_user: 1000 + permission_group: 999 + +aaf: + trustore: org.onap.so.trust.jks + keyFile: org.onap.so.keyfile + +################################################################# +# Application configuration defaults. +################################################################# + +livenessProbe: + path: /manage/health + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + +cadi: + logLevel: DEBUG + latitude: 38.4329 + longitude: -90.43248 + aafEnv: IST + aafApiVersion: 2.1 + aafRootNs: org.onap.so + aafLocateUrl: https://aaf-locate.onap:8095 + aafUrl: https://aaf-locate.onap:8095/locate/org.osaaf.aaf.service:2.1 + aafId: so@so.onap.org + aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 + apiEnforcement: org.onap.so.apihPerm + noAuthn: /manage/health diff --git a/kubernetes/so/requirements.yaml b/kubernetes/so/requirements.yaml index 4f4eac48cb..66e16a9562 100755 --- a/kubernetes/so/requirements.yaml +++ b/kubernetes/so/requirements.yaml @@ -22,3 +22,61 @@ dependencies: version: ~6.x-0 repository: '@local' condition: global.mariadbGalera.localCluster + - name: soHelpers + version: ~6.x-0 + repository: 'file://components/soHelpers' + - name: so-appc-orchestrator + version: ~6.x-0 + repository: 'file://components/so-appc-orchestrator' + condition: so-appc-orchestrator.enabled + - name: so-bpmn-infra + version: ~6.x-0 + repository: 'file://components/so-bpmn-infra' + - name: so-catalog-db-adapter + version: ~6.x-0 + repository: 'file://components/so-catalog-db-adapter' + condition: so-catalog-db-adapter.enabled + - name: so-db-secrets + version: ~6.x-0 + repository: 'file://components/so-db-secrets' + condition: so-etsi-nfvo-ns-lcm.enabled + - name: so-mariadb + version: ~6.x-0 + repository: 'file://components/so-mariadb' + - name: so-monitoring + version: ~6.x-0 + repository: 'file://components/so-monitoring' + condition: so-monitoring.enabled + - name: so-nssmf-adapter + version: ~6.x-0 + repository: 'file://components/so-nssmf-adapter' + condition: so-nssmf-adapter.enabled + - name: so-openstack-adapter + version: ~6.x-0 + repository: 'file://components/so-openstack-adapter' + condition: so-openstack-adapter.enabled + - name: so-request-db-adapter + version: ~6.x-0 + repository: 'file://components/so-request-db-adapter' + - name: so-sdc-controller + version: ~6.x-0 + repository: 'file://components/so-sdc-controller' + - name: so-sdnc-adapter + version: ~6.x-0 + repository: 'file://components/so-sdnc-adapter' + condition: so-sdnc-adapter.enabled + - name: so-secrets + version: ~6.x-0 + repository: 'file://components/so-secrets' + - name: so-ve-vnfm-adapter + version: ~6.x-0 + repository: 'file://components/so-ve-vnfm-adapter' + condition: so-ve-vnfm-adapter.enabled + - name: so-vfc-adapter + version: ~6.x-0 + repository: 'file://components/so-vfc-adapter' + condition: so-vfc-adapter.enabled + - name: so-vnfm-adapter + version: ~6.x-0 + repository: 'file://components/so-vnfm-adapter' + condition: so-vnfm-adapter.enabled diff --git a/kubernetes/so/resources/config/certificates/onap-ca.crt b/kubernetes/so/resources/config/certificates/onap-ca.crt deleted file mode 100755 index e9a50d7ea0..0000000000 --- a/kubernetes/so/resources/config/certificates/onap-ca.crt +++ /dev/null @@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV -BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx -NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK -DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7 -XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn -H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM -pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7 -NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg -2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY -wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd -ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM -P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6 -aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY -PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G -A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ -UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN -BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz -L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9 -7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx -c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf -jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2 -RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h -PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF -CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+ -Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A -cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR -ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX -dYY= ------END CERTIFICATE----- diff --git a/kubernetes/so/resources/config/overrides/override.yaml b/kubernetes/so/resources/config/overrides/override.yaml index 6bd930d7b1..efcf029fbc 100755 --- a/kubernetes/so/resources/config/overrides/override.yaml +++ b/kubernetes/so/resources/config/overrides/override.yaml @@ -1,6 +1,6 @@ aai: endpoint: https://aai.{{ include "common.namespace" . }}:8443 - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.aai.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.aai.auth )}} server: port: {{ index .Values.containerPort }} tomcat: @@ -13,16 +13,16 @@ mso: adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} config: path: /src/main/resources/ - cadi: {{ include "cadi.keys" . | nindent 10}} + cadi: {{ include "so.cadi.keys" . | nindent 10}} infra: default: alacarte: @@ -34,14 +34,14 @@ mso: default: testApi: GR_API camundaURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/ - camundaAuth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.camundaAuth )}} + camundaAuth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.camundaAuth )}} async: core-pool-size: 50 max-pool-size: 50 queue-capacity: 500 sdc: client: - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.sdc.client.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.sdc.client.auth )}} activate: instanceid: test userid: cs0008 @@ -52,7 +52,7 @@ mso: count: 3 aai: endpoint: https://aai.{{ include "common.namespace" . }}:8443 - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.aai.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.aai.auth )}} extApi: endpoint: http://nbi.onap:8080/nbi/api/v3 @@ -62,11 +62,11 @@ mso: username: testuser password: VjR5NDcxSzA= host: http://dmaap-bc.{{ include "common.namespace" . }}:8080 - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.so.operationalEnv.dmaap.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.so.operationalEnv.dmaap.auth )}} publisher: topic: com.att.ecomp.mso.operationalEnvironmentEvent health: - auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.health.auth )}} + auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.health.auth )}} endpoints: - subsystem: apih uri: http://so-bpmn-infra:8081 diff --git a/kubernetes/so/templates/_cadiValues.tpl b/kubernetes/so/templates/_cadiValues.tpl deleted file mode 100644 index 426facc4b1..0000000000 --- a/kubernetes/so/templates/_cadiValues.tpl +++ /dev/null @@ -1,19 +0,0 @@ -{{- define "cadi.keys" -}} -cadiLoglevel: DEBUG -cadiKeyFile: /org.onap.so.keyfile -cadiTrustStore: /app/org.onap.so.trust.jks -cadiTruststorePassword: {{ .Values.global.app.cadi.cadiTruststorePassword }} -cadiLatitude: {{ .Values.global.app.cadi.cadiLatitude }} -cadiLongitude: {{ .Values.global.app.cadi.cadiLongitude }} -aafEnv: {{ .Values.global.app.cadi.aafEnv }} -aafApiVersion: 2.0 -aafRootNs: {{ .Values.global.app.cadi.aafRootNs }} -aafId: {{ .Values.mso.config.cadi.aafId }} -aafPassword: {{ .Values.mso.config.cadi.aafPassword }} -aafLocateUrl: {{ .Values.global.app.cadi.aafLocateUrl }} -aafUrl: {{ .Values.global.app.cadi.aafUrl }} -apiEnforcement: {{ .Values.mso.config.cadi.apiEnforcement }} -{{- if (.Values.global.app.cadi.noAuthn) }} -noAuthn: {{ .Values.mso.config.cadi.noAuthn }} -{{- end }} -{{- end }} diff --git a/kubernetes/so/templates/_certificates.tpl b/kubernetes/so/templates/_certificates.tpl deleted file mode 100644 index 8bd25d27a1..0000000000 --- a/kubernetes/so/templates/_certificates.tpl +++ /dev/null @@ -1,32 +0,0 @@ -{{- define "so.certificate.container_importer" -}} -- name: {{ include "common.name" . }}-certs-importer - image: "{{ include "common.repository" . }}/{{ .Values.global.soBaseImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - "/bin/sh" - args: - - "-c" - - "update-ca-certificates --fresh && \ - cp -r {{ .Values.global.certificates.path }}/* /certificates" - volumeMounts: - - name: {{ include "common.name" . }}-certificates - mountPath: /certificates - - name: {{ include "common.name" . }}-onap-certificates - mountPath: {{ .Values.global.certificates.share_path }} -{{- end -}} - -{{- define "so.certificate.volume-mounts" -}} -- name: {{ include "common.name" . }}-certificates - mountPath: {{ .Values.global.certificates.path }} -- name: {{ include "common.name" . }}-onap-certificates - mountPath: {{ .Values.global.certificates.share_path }} -{{- end -}} - -{{- define "so.certificate.volumes" -}} -- name: {{ include "common.name" . }}-certificates - emptyDir: - medium: Memory -- name: {{ include "common.name" . }}-onap-certificates - secret: - secretName: {{ include "common.secret.getSecretNameFast" (dict "global" . "uid" "so-onap-certs") }} -{{- end -}} diff --git a/kubernetes/so/templates/_livenessProbe.tpl b/kubernetes/so/templates/_livenessProbe.tpl deleted file mode 100644 index 4181beb1f8..0000000000 --- a/kubernetes/so/templates/_livenessProbe.tpl +++ /dev/null @@ -1,17 +0,0 @@ -{{- define "helpers.livenessProbe" -}} -livenessProbe: - httpGet: - path: {{- index .Values.livenessProbe.path|indent 2}} - port: {{ index .Values.containerPort }} - scheme: {{- index .Values.livenessProbe.scheme| indent 2}} - {{- if eq .Values.global.security.aaf.enabled true }} - httpHeaders: - - name: Authorization - value: {{ index .Values.global.aaf.auth.header }} - {{- end }} - initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} - periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} - timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}} - successThreshold: {{ index .Values.livenessProbe.successThreshold}} - failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} -{{- end -}} diff --git a/kubernetes/so/templates/_profileProperty.tpl b/kubernetes/so/templates/_profileProperty.tpl deleted file mode 100644 index 113bc343d0..0000000000 --- a/kubernetes/so/templates/_profileProperty.tpl +++ /dev/null @@ -1,3 +0,0 @@ -{{- define "helpers.profileProperty" -}} - {{ if eq .condition true }}{{.value1}}{{else}}{{.value2}} {{ end }} -{{- end -}} diff --git a/kubernetes/so/templates/configmap.yaml b/kubernetes/so/templates/configmap.yaml index 6aa4b5f4f0..ab7b5f3624 100755 --- a/kubernetes/so/templates/configmap.yaml +++ b/kubernetes/so/templates/configmap.yaml @@ -15,7 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/templates/deployment.yaml b/kubernetes/so/templates/deployment.yaml index 83452ccba8..d378cae606 100755 --- a/kubernetes/so/templates/deployment.yaml +++ b/kubernetes/so/templates/deployment.yaml @@ -37,7 +37,8 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} + initContainers: + {{ include "so.certificate.container_importer" . | indent 6 | trim }} - name: {{ include "common.name" . }}-readiness command: - /app/ready.py @@ -52,12 +53,23 @@ spec: fieldPath: metadata.namespace image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness containers: - name: {{ include "common.name" . }} image: {{ include "common.repository" . }}/{{ .Values.image }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + {{- if .Values.global.security.aaf.enabled }} + export KEYSTORE_PASSWORD="${cadi_keystore_password}" + {{- end }} + /app/start-app.sh + {{- end }} env: - name: DB_HOST valueFrom: @@ -77,27 +89,12 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{- if eq .Values.global.security.aaf.enabled true }} - - name: TRUSTSTORE - value: /app/org.onap.so.trust.jks - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: trustStorePassword - - name: KEYSTORE - value: /app/org.onap.so.jks - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name}}-so-client-certs-secret - key: keyStorePassword - {{- end }} + {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 8 }} + volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - name: logs mountPath: /app/logs - name: config @@ -105,7 +102,7 @@ spec: readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap -{{ include "helpers.livenessProbe" .| indent 8 }} +{{ include "so.helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index 328f4f296e..8c31e71040 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2018 AT&T USA -# +# Copyright © 2020 Huawei # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -22,6 +22,7 @@ global: loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 soBaseImage: onap/so/base-image:1.0 + aafAgentImage: onap/aaf/aaf_agent:2.1.20 mariadbGalera: nameOverride: mariadb-galera serviceName: mariadb-galera @@ -57,18 +58,6 @@ global: siteName: onapheat auth: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 defaultCloudOwner: onap - cadi: - cadiLoglevel: DEBUG - cadiKeyFile: /app/client/org.onap.so.keyfile - cadiTrustStore: /app/client/org.onap.so.trust.jks - cadiTruststorePassword: enc:MFpuxKeYK6Eo6QXjDUjtOBbp0FthY7SB4mKSIJm_RWC - cadiLatitude: 38.4329 - cadiLongitude: -90.43248 - aafEnv: IST - aafApiVersion: 2.1 - aafRootNs: org.onap.so - aafLocateUrl: https://aaf-locate.onap:8095 - aafUrl: https://aaf-locate.onap:8095/locate/org.osaaf.aaf.service:2.1 msoKey: 07a7159d3bf51a0e53be7a8f89699be7 client: certs: @@ -119,9 +108,15 @@ secrets: externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' type: generic filePaths: - - resources/config/certificates/onap-ca.crt - resources/config/certificates/msb-ca.crt +aafConfig: + permission_user: 1000 + permission_group: 999 + +aaf: + trustore: org.onap.so.trust.jks + ################################################################# # Application configuration defaults. ################################################################# @@ -140,19 +135,31 @@ image: onap/so/api-handler-infra:1.6.4 pullPolicy: Always replicaCount: 1 minReadySeconds: 10 -containerPort: 8080 +containerPort: &containerPort 8080 logPath: ./logs/apih/ app: api-handler-infra service: - type: NodePort - nodePort: 77 - internalPort: 8080 - externalPort: 8080 - portName: so-apih-port + type: NodePort + nodePort: 77 + internalPort: *containerPort + externalPort: *containerPort + portName: so-apih-port updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 + +################################################################# +# soHelpers part +################################################################# +soHelpers: + nameOverride: so-apih-cert-init + certInitializer: + nameOverride: so-apih-cert-init + credsPath: /opt/app/osaaf/local + certSecret: *so-certs + containerPort: *containerPort + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) @@ -174,14 +181,6 @@ resources: cpu: 1000m memory: 2Gi unlimited: {} -livenessProbe: - path: /manage/health - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 nodeSelector: {} affinity: {} @@ -220,12 +219,6 @@ mso: adapters: requestDb: auth: Basic YnBlbDpwYXNzd29yZDEk - config: - cadi: - aafId: so@so.onap.org - aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.apihPerm - noAuthn: /manage/health camundaAuth: AE2E9BE6EF9249085AF98689C4EE087736A5500629A72F35068FFB88813A023581DD6E765071F1C04075B36EA4213A sdc: client: @@ -239,215 +232,58 @@ mso: health: auth: basic bXNvX2FkbWlufHBhc3N3b3JkMSQ= +so-appc-orchestrator: + enabled: true + db: + <<: *dbSecrets + so-bpmn-infra: - certSecret: *so-certs db: <<: *dbSecrets - cds: - auth: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== - aai: - auth: 221187EFA3AD4E33600DE0488F287099934CE65C3D0697BCECC00BB58E784E07CD74A24581DC31DBC086FF63DF116378776E9BE3D1325885 - mso: - key: 07a7159d3bf51a0e53be7a8f89699be7 - adapters: - requestDb: - auth: Basic YnBlbDpwYXNzd29yZDEk - db: - auth: A3745B5DBE165EFCF101D85A6FC81C211AB8BF604F8861B6C413D5DC90F8F30E0139DE44B8A342F4EF70AF - password: wLg4sjrAFUS8rfVfdvTXeQ== - po: - auth: A3745B5DBE165EFCF101D85A6FC81C211AB8BF604F8861B6C413D5DC90F8F30E0139DE44B8A342F4EF70AF - config: - cadi: - aafId: so@so.onap.org - aaafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.bpmnPerm - noAuthn: /manage/health - sdnc: - password: 1D78CFC35382B6938A989066A7A7EAEF4FE933D2919BABA99EB4763737F39876C333EE5F - sniro: - auth: test:testpwd - endpoint: http://replaceme:28090/optimizationInstance/V1/create - oof: - auth: test:testpwd - so: - vnfm: - adapter: - auth: Basic dm5mbTpwYXNzd29yZDEk so-catalog-db-adapter: - certSecret: *so-certs + enabled: true db: <<: *dbSecrets - mso: - config: - cadi: - aafId: so@so.onap.org - aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.catalogDbAdapterPerm - noAuthn: /manage/health - adapters: - db: - auth: Basic YnBlbDpwYXNzd29yZDEk so-monitoring: - certSecret: *so-certs + enabled: true db: <<: *dbSecrets so-openstack-adapter: - certSecret: *so-certs + enabled: true db: <<: *dbSecrets - aaf: - auth: - encrypted: 7F182B0C05D58A23A1C4966B9CDC9E0B8BC5CD53BC8C7B4083D869F8D53E9BDC3EFD55C94B1D3F - aai: - auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 - org: - onap: - so: - adapters: - bpelauth: D1A67FA93B6A6419132D0F83CC771AF774FD3C60853C50C22C8C6FC5088CC79E9E81EDE9EA39F22B2F66A0068E - valet: - basic_auth: bXNvOkphY2tkYXdzIGxvdmUgbXkgYmlnIHNwaGlueCBvZiBxdWFydHouCg== - mso: - msoKey: 07a7159d3bf51a0e53be7a8f89699be7 - auth: BEA8637716A7EB617DF472BA6552D22F68C1CB17B0D094D77DDA562F4ADAAC4457CAB848E1A4 - basicUser: poBpmn - config: - cadi: - aafId: so@so.onap.org - aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.openStackAdapterPerm - noAuthn: /manage/health - db: - auth: Basic YnBlbDpwYXNzd29yZDEk so-request-db-adapter: - certSecret: *so-certs db: <<: *dbSecrets - mso: - config: - cadi: - aafId: so@so.onap.org - aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.requestDbAdapterPerm - noAuthn: /manage/health - adapters: - requestDb: - auth: Basic YnBlbDpwYXNzd29yZDEk so-sdc-controller: - certSecret: *so-certs db: <<: *dbSecrets - aai: - auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 - mso: - msoKey: 07a7159d3bf51a0e53be7a8f89699be7 - config: - cadi: - aafId: so@so.onap.org - aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.sdcControllerPerm - noAuthn: /manage/health - asdc: - config: - key: 566B754875657232314F5548556D3665 - requestDb: - auth: Basic YnBlbDpwYXNzd29yZDEk - asdc-connections: - asdc-controller1: - password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F so-sdnc-adapter: - certSecret: *so-certs + enabled: true db: <<: *dbSecrets - org: - onap: - so: - adapters: - sdnc: - bpelauth: 4C18603C5AE7E3A42A6CED95CDF9C0BA9B2109B3725747662E5D34E5FDF63DA9ADEBB08185098F14699195FDE9475100 - sdncauth: ED07A7EE5F099FA53369C3DF2240AD68A00154676EEDBC6F8C16BAA83B1912941B8941ABD48683D2C1072DA7040659692DE936A59BBF42A038CF71DE67B4A375190071EC76EA657801B033C135 - network: - encryptionKey: 07a7159d3bf51a0e53be7a8f89699be7 - mso: - config: - cadi: - aafId: so@so.onap.org - aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.sdncAdapterPerm - noAuthn: /manage/health - adapters: - requestDb: - auth: Basic YnBlbDpwYXNzd29yZDEk - rest: - aafEncrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 so-ve-vnfm-adapter: - certSecret: *so-certs + enabled: true so-vfc-adapter: - certSecret: *so-certs + enabled: true db: <<: *dbSecrets - mso: - config: - cadi: - aafId: so@so.onap.org - aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.vfcAdapterPerm - noAuthn: /manage/health - adapters: - requestDb: - auth: Basic YnBlbDpwYXNzd29yZDEk so-nssmf-adapter: - certSecret: *so-certs + enabled: true db: <<: *dbSecrets - aaf: - auth: - username: so@so.onap.org - password: 8DB1C939BFC6A35C3832D0E52E452D0E05AE2537AF142CECD125FF827C05A972FDD0F4700547DA - aai: - auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 - mso: - key: 07a7159d3bf51a0e53be7a8f89699be7 - config: - cadi: - aafId: so@so.onap.org - aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.nssmfAdapterPerm - noAuthn: /manage/health - adapters: - requestDb: - auth: Basic YnBlbDpwYXNzd29yZDEk so-vnfm-adapter: - certSecret: *so-certs - aaf: - auth: - username: so@so.onap.org - password: 8DB1C939BFC6A35C3832D0E52E452D0E05AE2537AF142CECD125FF827C05A972FDD0F4700547DA - aai: - auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 - sdc: - username: mso - password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F - key: 566B754875657232314F5548556D3665 - mso: - key: 07a7159d3bf51a0e53be7a8f89699be7 - config: - cadi: - aafId: so@so.onap.org - aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.vnfmAdapterPerm - noAuthn: /manage/health + enabled: true so-mariadb: db: @@ -456,35 +292,3 @@ so-mariadb: backupCredsExternalSecret: *dbBackupCredsSecretName userCredsExternalSecret: *dbUserCredsSecretName adminCredsExternalSecret: *dbAdminCredsSecretName -so-appc-orchestrator: - certSecret: *so-certs - db: - <<: *dbSecrets - mso: - basicUser: poBpmn - auth: BEA8637716A7EB617DF472BA6552D22F68C1CB17B0D094D77DDA562F4ADAAC4457CAB848E1A4 - config: - cadi: - aafId: so@so.onap.org - aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.openStackAdapterPerm - noAuthn: /manage/health - appc: - client: - topic: - read: - name: APPC-LCM-WRITE - timeout: 360000 - write: APPC-LCM-READ - sdnc: - read: SDNC-LCM-WRITE - write: SDNC-LCM-READ - response: - timeout: 3600000 - key: VIlbtVl6YLhNUrtU - secret: 64AG2hF4pYeG2pq7CT6XwUOT - service: ueb - auth: - rest: - aaf: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= - aafEncrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 diff --git a/kubernetes/uui/charts/uui-server/values.yaml b/kubernetes/uui/charts/uui-server/values.yaml index e8acab2350..a43ae6eff0 100644 --- a/kubernetes/uui/charts/uui-server/values.yaml +++ b/kubernetes/uui/charts/uui-server/values.yaml @@ -25,7 +25,7 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/usecase-ui-server:3.0.4 +image: onap/usecase-ui-server:3.0.6 pullPolicy: Always # application configuration diff --git a/kubernetes/uui/values.yaml b/kubernetes/uui/values.yaml index 758200eede..77351f9f3e 100644 --- a/kubernetes/uui/values.yaml +++ b/kubernetes/uui/values.yaml @@ -26,7 +26,7 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/usecase-ui:3.0.4 +image: onap/usecase-ui:3.0.6 pullPolicy: Always # application configuration diff --git a/kubernetes/vfc/charts/vfc-generic-vnfm-driver/resources/config/logging/log.yml b/kubernetes/vfc/charts/vfc-generic-vnfm-driver/resources/config/logging/log.yml index 123bb298ab..844f993df1 100644 --- a/kubernetes/vfc/charts/vfc-generic-vnfm-driver/resources/config/logging/log.yml +++ b/kubernetes/vfc/charts/vfc-generic-vnfm-driver/resources/config/logging/log.yml @@ -11,6 +11,9 @@ loggers: level: "DEBUG" propagate: False handlers: + console: + class: "logging.StreamHandler" + formatter: "standard" gvnfmdriverlocal_handler: level: "DEBUG" class: diff --git a/kubernetes/vfc/charts/vfc-nslcm/resources/config/logging/log.yml b/kubernetes/vfc/charts/vfc-nslcm/resources/config/logging/log.yml index 4ae7ab16a8..c88606239e 100644 --- a/kubernetes/vfc/charts/vfc-nslcm/resources/config/logging/log.yml +++ b/kubernetes/vfc/charts/vfc-nslcm/resources/config/logging/log.yml @@ -11,6 +11,9 @@ loggers: level: "DEBUG" propagate: False handlers: + console: + class: "logging.StreamHandler" + formatter: "standard" nslcmlocal_handler: level: "DEBUG" class: diff --git a/kubernetes/vfc/charts/vfc-vnflcm/resources/config/logging/log.yml b/kubernetes/vfc/charts/vfc-vnflcm/resources/config/logging/log.yml index 4af8faa40f..9dbf475beb 100644 --- a/kubernetes/vfc/charts/vfc-vnflcm/resources/config/logging/log.yml +++ b/kubernetes/vfc/charts/vfc-vnflcm/resources/config/logging/log.yml @@ -11,6 +11,9 @@ loggers: level: "DEBUG" propagate: False handlers: + console: + class: "logging.StreamHandler" + formatter: "standard" vnfmgrlocal_handler: level: "DEBUG" class: diff --git a/kubernetes/vfc/charts/vfc-vnfmgr/resources/config/logging/log.yml b/kubernetes/vfc/charts/vfc-vnfmgr/resources/config/logging/log.yml index 4af8faa40f..9dbf475beb 100644 --- a/kubernetes/vfc/charts/vfc-vnfmgr/resources/config/logging/log.yml +++ b/kubernetes/vfc/charts/vfc-vnfmgr/resources/config/logging/log.yml @@ -11,6 +11,9 @@ loggers: level: "DEBUG" propagate: False handlers: + console: + class: "logging.StreamHandler" + formatter: "standard" vnfmgrlocal_handler: level: "DEBUG" class: diff --git a/kubernetes/vfc/charts/vfc-vnfres/resources/config/logging/log.yml b/kubernetes/vfc/charts/vfc-vnfres/resources/config/logging/log.yml index c4cc1e3072..7644af1e1b 100644 --- a/kubernetes/vfc/charts/vfc-vnfres/resources/config/logging/log.yml +++ b/kubernetes/vfc/charts/vfc-vnfres/resources/config/logging/log.yml @@ -11,6 +11,9 @@ loggers: level: "DEBUG" propagate: False handlers: + console: + class: "logging.StreamHandler" + formatter: "standard" vnflcmlocal_handler: level: "DEBUG" class: diff --git a/kubernetes/vfc/charts/vfc-zte-vnfm-driver/resources/config/logging/log.yml b/kubernetes/vfc/charts/vfc-zte-vnfm-driver/resources/config/logging/log.yml index a0bf170fe6..6c00048ff7 100644 --- a/kubernetes/vfc/charts/vfc-zte-vnfm-driver/resources/config/logging/log.yml +++ b/kubernetes/vfc/charts/vfc-zte-vnfm-driver/resources/config/logging/log.yml @@ -11,6 +11,9 @@ loggers: level: "DEBUG" propagate: False handlers: + console: + class: "logging.StreamHandler" + formatter: "standard" ztevnfmdriverlocal_handler: level: "DEBUG" class: diff --git a/kubernetes/vfc/charts/vfc-zte-vnfm-driver/values.yaml b/kubernetes/vfc/charts/vfc-zte-vnfm-driver/values.yaml index 7ebd3a5c0e..8c349e0098 100644 --- a/kubernetes/vfc/charts/vfc-zte-vnfm-driver/values.yaml +++ b/kubernetes/vfc/charts/vfc-zte-vnfm-driver/values.yaml @@ -28,7 +28,7 @@ global: flavor: small repository: nexus3.onap.org:10001 -image: onap/vfc/ztevnfmdriver:1.3.7 +image: onap/vfc/ztevnfmdriver:1.3.8 pullPolicy: Always #Istio sidecar injection policy diff --git a/kubernetes/vid/values.yaml b/kubernetes/vid/values.yaml index 4cd3321b7d..3c9b8ceb63 100644 --- a/kubernetes/vid/values.yaml +++ b/kubernetes/vid/values.yaml @@ -38,7 +38,7 @@ subChartsOnly: # application image repository: nexus3.onap.org:10001 -image: onap/vid:6.0.4 +image: onap/vid:7.0.0 pullPolicy: Always # mariadb image for initializing diff --git a/kubernetes/vnfsdk/resources/config/configuration.xml b/kubernetes/vnfsdk/resources/config/configuration.xml index 6bd4e1c8eb..09b6551c00 100644 --- a/kubernetes/vnfsdk/resources/config/configuration.xml +++ b/kubernetes/vnfsdk/resources/config/configuration.xml @@ -23,7 +23,7 @@ PUBLIC "//mybatis.org//DTD Config 3.0//EN" <transactionManager type="JDBC" /> <dataSource type="UNPOOLED"> <property name="driver" value="org.postgresql.Driver" /> - <property name="url" value="jdbc:postgresql://{{ .Values.postgres.service.name }}:{{ .Values.postgres.service.externalPort }}/marketplaceDB" /> + <property name="url" value="jdbc:postgresql://{{.Values.postgres.service.name2}}:{{.Values.postgres.service.externalPort}}/marketplaceDB" /> <property name="username" value="${PG_USER}" /> <property name="password" value="${PG_PASSWORD}" /> </dataSource> diff --git a/kubernetes/vnfsdk/values.yaml b/kubernetes/vnfsdk/values.yaml index b72f39652c..3e0e235717 100644 --- a/kubernetes/vnfsdk/values.yaml +++ b/kubernetes/vnfsdk/values.yaml @@ -43,7 +43,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/vnfsdk/refrepo:1.5.2 +image: onap/vnfsdk/refrepo:1.6.0 postgresRepository: crunchydata postgresImage: crunchy-postgres:centos7-10.3-1.8.2 pullPolicy: Always |