Diffstat (limited to 'kubernetes')
-rw-r--r--kubernetes/aai/Chart.yaml8
-rw-r--r--kubernetes/aai/components/aai-babel/Chart.yaml8
-rw-r--r--kubernetes/aai/components/aai-babel/resources/config/application.properties10
-rw-r--r--kubernetes/aai/components/aai-babel/templates/deployment.yaml40
-rw-r--r--kubernetes/aai/components/aai-babel/templates/service.yaml27
-rw-r--r--kubernetes/aai/components/aai-babel/values.yaml43
-rw-r--r--kubernetes/aai/components/aai-graphadmin/Chart.yaml8
-rw-r--r--kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties15
-rw-r--r--kubernetes/aai/components/aai-graphadmin/resources/config/application.properties33
-rw-r--r--kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml55
-rw-r--r--kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml55
-rw-r--r--kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml55
-rw-r--r--kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml104
-rw-r--r--kubernetes/aai/components/aai-graphadmin/templates/service.yaml4
-rw-r--r--kubernetes/aai/components/aai-graphadmin/values.yaml57
-rw-r--r--kubernetes/aai/components/aai-modelloader/Chart.yaml8
-rw-r--r--kubernetes/aai/components/aai-modelloader/resources/config/auth/aai-os-cert.p12bin4357 -> 0 bytes
-rw-r--r--kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties24
-rw-r--r--kubernetes/aai/components/aai-modelloader/templates/deployment.yaml59
-rw-r--r--kubernetes/aai/components/aai-modelloader/values.yaml41
-rw-r--r--kubernetes/aai/components/aai-resources/Chart.yaml8
-rw-r--r--kubernetes/aai/components/aai-resources/resources/config/aaf/bath_config.csv27
-rw-r--r--kubernetes/aai/components/aai-resources/resources/config/aaf/cadi.properties8
-rw-r--r--kubernetes/aai/components/aai-resources/resources/config/aaf/org.onap.aai.props15
-rw-r--r--kubernetes/aai/components/aai-resources/resources/config/aaf/org.osaaf.location.props24
-rw-r--r--kubernetes/aai/components/aai-resources/resources/config/aaf/permissions.properties2
-rw-r--r--kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties14
-rw-r--r--kubernetes/aai/components/aai-resources/resources/config/application.properties26
-rw-r--r--kubernetes/aai/components/aai-resources/templates/configmap.yaml16
-rw-r--r--kubernetes/aai/components/aai-resources/templates/deployment.yaml38
-rw-r--r--kubernetes/aai/components/aai-resources/values.yaml40
-rw-r--r--kubernetes/aai/components/aai-schema-service/Chart.yaml8
-rw-r--r--kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties13
-rw-r--r--kubernetes/aai/components/aai-schema-service/config/application.properties11
-rw-r--r--kubernetes/aai/components/aai-schema-service/templates/deployment.yaml40
-rw-r--r--kubernetes/aai/components/aai-schema-service/values.yaml40
-rw-r--r--kubernetes/aai/components/aai-sparky-be/Chart.yaml8
-rw-r--r--kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties11
-rw-r--r--kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties14
-rw-r--r--kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties10
-rw-r--r--kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties9
-rw-r--r--kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/key.properties1
-rw-r--r--kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties49
-rw-r--r--kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties49
-rw-r--r--kubernetes/aai/components/aai-sparky-be/resources/config/portal/keyFile27
-rw-r--r--kubernetes/aai/components/aai-sparky-be/resources/config/portal/portal-authentication.properties36
-rw-r--r--kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml26
-rw-r--r--kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml89
-rw-r--r--kubernetes/aai/components/aai-sparky-be/templates/service.yaml22
-rw-r--r--kubernetes/aai/components/aai-sparky-be/values.yaml55
-rw-r--r--kubernetes/aai/components/aai-traversal/Chart.yaml8
-rw-r--r--kubernetes/aai/components/aai-traversal/resources/config/aaf/bath_config.csv27
-rw-r--r--kubernetes/aai/components/aai-traversal/resources/config/aaf/cadi.properties8
-rw-r--r--kubernetes/aai/components/aai-traversal/resources/config/aaf/org.onap.aai.props16
-rw-r--r--kubernetes/aai/components/aai-traversal/resources/config/aaf/org.osaaf.location.props23
-rw-r--r--kubernetes/aai/components/aai-traversal/resources/config/aaf/permissions.properties2
-rw-r--r--kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties15
-rw-r--r--kubernetes/aai/components/aai-traversal/resources/config/application.properties26
-rw-r--r--kubernetes/aai/components/aai-traversal/templates/configmap.yaml17
-rw-r--r--kubernetes/aai/components/aai-traversal/templates/deployment.yaml39
-rw-r--r--kubernetes/aai/components/aai-traversal/templates/job.yaml11
-rw-r--r--kubernetes/aai/components/aai-traversal/templates/secret.yaml30
-rw-r--r--kubernetes/aai/components/aai-traversal/values.yaml45
-rw-r--r--kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg1
-rw-r--r--kubernetes/aai/resources/config/haproxy/haproxy.cfg56
-rw-r--r--kubernetes/aai/templates/deployment.yaml13
-rw-r--r--kubernetes/aai/templates/service.yaml15
-rw-r--r--kubernetes/aai/values.yaml59
-rw-r--r--kubernetes/common/common/templates/_labels.tpl1
-rw-r--r--kubernetes/common/common/templates/_serviceMesh.tpl79
-rw-r--r--kubernetes/common/network-name-gen/Chart.yaml2
-rw-r--r--kubernetes/common/network-name-gen/values.yaml3
-rw-r--r--kubernetes/contrib/components/ejbca/Chart.yaml2
-rw-r--r--kubernetes/contrib/components/ejbca/values.yaml5
-rw-r--r--kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml1
-rw-r--r--kubernetes/cps/templates/cps-kafka-topic.yaml40
-rw-r--r--kubernetes/cps/templates/cps-kafka-user.yaml32
-rwxr-xr-xkubernetes/cps/values.yaml20
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml3
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml3
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml2
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml3
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml3
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml3
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml3
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml3
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml3
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml2
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml3
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml3
-rw-r--r--kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml6
-rw-r--r--kubernetes/holmes/components/holmes-engine-mgmt/values.yaml4
-rw-r--r--kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml6
-rw-r--r--kubernetes/holmes/components/holmes-rule-mgmt/values.yaml6
-rw-r--r--kubernetes/holmes/values.yaml3
-rw-r--r--kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml2
-rw-r--r--kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml9
-rw-r--r--kubernetes/modeling/components/modeling-etsicatalog/values.yaml5
-rw-r--r--kubernetes/msb/components/msb-eag/values.yaml2
-rw-r--r--kubernetes/msb/components/msb-iag/values.yaml2
-rw-r--r--kubernetes/nbi/Chart.yaml2
-rw-r--r--kubernetes/nbi/values.yaml3
-rwxr-xr-xkubernetes/onap/values.yaml5
-rwxr-xr-xkubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml3
-rw-r--r--kubernetes/robot/values.yaml2
-rw-r--r--kubernetes/sdc/components/sdc-be/values.yaml4
-rw-r--r--kubernetes/sdc/components/sdc-cs/values.yaml4
-rw-r--r--kubernetes/sdc/components/sdc-fe/values.yaml2
-rw-r--r--kubernetes/sdc/components/sdc-onboarding-be/values.yaml4
-rw-r--r--kubernetes/sdc/components/sdc-wfd-be/values.yaml4
-rw-r--r--kubernetes/sdc/components/sdc-wfd-fe/values.yaml2
-rwxr-xr-xkubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml6
-rwxr-xr-xkubernetes/so/components/so-sdc-controller/templates/deployment.yaml9
-rw-r--r--kubernetes/so/components/so-sdc-controller/templates/kafkauser.yaml (renamed from kubernetes/aai/components/aai-sparky-be/templates/secret.yaml)17
-rwxr-xr-xkubernetes/so/components/so-sdc-controller/values.yaml33
-rw-r--r--kubernetes/so/templates/authorizationpolicy.yaml (renamed from kubernetes/aai/components/aai-modelloader/templates/secret.yaml)16
-rwxr-xr-xkubernetes/so/values.yaml13
-rw-r--r--kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml20
-rw-r--r--kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml137
-rw-r--r--kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml44
-rw-r--r--kubernetes/strimzi/templates/configmap.yaml (renamed from kubernetes/aai/components/aai-resources/templates/secret.yaml)24
-rw-r--r--kubernetes/strimzi/templates/kafka-rebalance.yaml (renamed from kubernetes/so/components/so-sdc-controller/templates/so-sdc-dist-kakfa-user.yaml)26
-rw-r--r--kubernetes/strimzi/templates/pod-monitor.yaml45
-rw-r--r--kubernetes/strimzi/templates/strimzi-kafka.yaml46
-rw-r--r--kubernetes/strimzi/values.yaml48
-rw-r--r--kubernetes/uui/components/uui-server/values.yaml3
-rw-r--r--kubernetes/uui/values.yaml4
127 files changed, 807 insertions, 1784 deletions
diff --git a/kubernetes/aai/Chart.yaml b/kubernetes/aai/Chart.yaml
index e02c624e59..f760aa170a 100644
--- a/kubernetes/aai/Chart.yaml
+++ b/kubernetes/aai/Chart.yaml
@@ -1,7 +1,7 @@
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018 AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -23,9 +23,6 @@ version: 12.0.0
dependencies:
- name: common
version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
repository: '@local'
- name: cassandra
version: ~12.x-0
@@ -34,9 +31,6 @@ dependencies:
# be published independently to a repo (at this point)
repository: '@local'
condition: global.cassandra.localCluster
- - name: certInitializer
- version: ~12.x-0
- repository: '@local'
- name: repositoryGenerator
version: ~12.x-0
repository: '@local'
diff --git a/kubernetes/aai/components/aai-babel/Chart.yaml b/kubernetes/aai/components/aai-babel/Chart.yaml
index 11b561cc9f..7fd8d99f13 100644
--- a/kubernetes/aai/components/aai-babel/Chart.yaml
+++ b/kubernetes/aai/components/aai-babel/Chart.yaml
@@ -1,7 +1,7 @@
# Copyright © 2018 Amdocs, AT&T
# Modifications Copyright © 2018 Bell Canada
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -23,12 +23,6 @@ version: 12.0.0
dependencies:
- name: common
version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
- version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
version: ~12.x-0
diff --git a/kubernetes/aai/components/aai-babel/resources/config/application.properties b/kubernetes/aai/components/aai-babel/resources/config/application.properties
index 6a3a74c0a6..96f1a3eb89 100644
--- a/kubernetes/aai/components/aai-babel/resources/config/application.properties
+++ b/kubernetes/aai/components/aai-babel/resources/config/application.properties
@@ -1,6 +1,7 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Copyright © 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -15,17 +16,8 @@
# limitations under the License.
*/}}
server.port=9516
-{{ if ( include "common.needTLS" .) }}
-server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-server.ssl.key-store-password=${KEYSTORE_PASSWORD}
-server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-server.ssl.client-auth=need
-server.ssl.key-store-type=PKCS12
-{{ else }}
security.require-ssl=false
server.ssl.enabled=false
-{{ end }}
spring.main.allow-bean-definition-overriding=true
server.servlet.context-path=/services/babel-service
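Review bot: Nothing in this file says what now provides transport encryption and caller authentication for the babel listener on 9516. With the conditional gone, `security.require-ssl=false` and `server.ssl.enabled=false` always apply, and the former `server.ssl.client-auth=need` check has no replacement here. If the intent is to delegate both to a mesh sidecar, I would add a comment above the two lines, for example `# TLS and client authentication are handled by the service mesh sidecar; do not expose this port outside the mesh`. The same applies to the unconditional `server.ssl.enabled=false` block in aai-graphadmin's application.properties further down.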
diff --git a/kubernetes/aai/components/aai-babel/templates/deployment.yaml b/kubernetes/aai/components/aai-babel/templates/deployment.yaml
index 5a9618c5b7..397e8fd556 100644
--- a/kubernetes/aai/components/aai-babel/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml
@@ -2,6 +2,7 @@
# Copyright © 2018 Amdocs, AT&T
# Modifications Copyright © 2018 Bell Canada
# Modifications Copyright © 2020,2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,18 +19,9 @@
apiVersion: apps/v1
kind: Deployment
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
spec:
- selector:
- matchLabels:
- app: {{ include "common.name" . }}
+ selector: {{- include "common.selectors" . | nindent 4 }}
replicas: {{ .Values.replicaCount }}
strategy:
type: {{ .Values.updateStrategy.type }}
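Review bot: `selector: {{- include "common.selectors" . | nindent 4 }}` replaces the fixed `app:` matchLabels, and a Deployment's `spec.selector` is immutable once created. If the helper renders a different label set, an in-place `helm upgrade` of an existing release will be rejected by the API server. The helper is defined outside this page, so this is inferred. If the labels do change, the upgrade notes should say the Deployment must be recreated, and a comment such as `# labels come from common.selectors; changing them requires recreating the Deployment` above the line would record it. The spec continues outside the hunk.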
@@ -39,29 +31,13 @@ spec:
maxSurge: {{ .Values.updateStrategy.maxSurge }}
{{- end }}
template:
- metadata:
- labels:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- {{- if .Values.global.aafEnabled }}
- command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
- echo "*** actual launch of AAI Babel"
- /bin/bash /opt/app/babel/bin/start.sh
- {{- end }}
- ports:
- - containerPort: {{ .Values.service.internalPort }}
+ ports: {{ include "common.containerPorts" . | nindent 12 }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{ if .Values.liveness.enabled }}
@@ -77,13 +53,11 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
env:
- {{- if not (include "common.needTLS" .) }}
- name: KEY_STORE_PASSWORD
value: NotUsed
- {{- end }}
- name: CONFIG_HOME
value: /opt/app/babel/config
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
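Review bot: `KEY_STORE_PASSWORD` is now always set to the literal `NotUsed`, which reads like a leftover credential now that the keystore handling is removed from this chart. If the start script still fails without the variable, say so with a comment such as `# placeholder only: the start script requires the variable even though TLS is disabled`. Otherwise the entry can be dropped. The container spec starts and ends outside this hunk.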
@@ -119,7 +93,7 @@ spec:
# side car containers
{{ include "common.log.sidecar" . | nindent 8 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
diff --git a/kubernetes/aai/components/aai-babel/templates/service.yaml b/kubernetes/aai/components/aai-babel/templates/service.yaml
index 87a29db457..86141abe90 100644
--- a/kubernetes/aai/components/aai-babel/templates/service.yaml
+++ b/kubernetes/aai/components/aai-babel/templates/service.yaml
@@ -16,29 +16,4 @@
# limitations under the License.
*/}}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- {{- if eq .Values.service.type "NodePort" }}
- - port: {{ .Values.service.internalPort }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- {{- else }}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- {{- end }}
-
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
+{{ include "common.service" . }}
diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml
index ca23bc96c1..bbc64d2113 100644
--- a/kubernetes/aai/components/aai-babel/values.yaml
+++ b/kubernetes/aai/components/aai-babel/values.yaml
@@ -1,6 +1,7 @@
# Copyright © 2018 Amdocs, AT&T
# Modifications Copyright © 2018 Bell Canada
# Modifications Copyright © 2020, 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -20,41 +21,6 @@
global: {}
#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-babel-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: aai
- fqi: aai@aai.onap.org
- public_fqdn: aai.onap.org
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- app_ns: org.osaaf.aaf
- credsPath: /opt/app/osaaf/local
- fqi_namespace: org.onap.aai
- aaf_add_config: |
- echo "*** changing them into shell safe ones"
- export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** writing passwords into prop file"
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
- echo "KEY_STORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "KEY_MANAGER_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R 1000 {{ .Values.credsPath }}
-
-#################################################################
# Application configuration defaults.
#################################################################
@@ -90,10 +56,11 @@ readiness:
service:
type: NodePort
- portName: http
- externalPort: 9516
internalPort: 9516
- nodePort: 79
+ ports:
+ - name: http
+ port: 9516
+ nodePort: 79
ingress:
enabled: false
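Review bot: The service keeps `type: NodePort` with `nodePort: 79` while the port is now plain `http` on 9516. Together with the TLS and client-certificate settings removed elsewhere in this commit, the babel endpoint would be reachable on every node address without transport encryption or certificate-based client authentication. Unless `common.service` already downgrades the type in mesh or ingress deployments (the helper is not visible here), I would default to `type: ClusterIP` and leave NodePort as an explicit override. If NodePort has to stay, a comment next to `nodePort: 79` stating who may reach it and what enforces that would help.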
diff --git a/kubernetes/aai/components/aai-graphadmin/Chart.yaml b/kubernetes/aai/components/aai-graphadmin/Chart.yaml
index 239bcad749..646be46337 100644
--- a/kubernetes/aai/components/aai-graphadmin/Chart.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/Chart.yaml
@@ -4,7 +4,7 @@
# ================================================================================
# Copyright © 2018 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,12 +27,6 @@ version: 12.0.0
dependencies:
- name: common
version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
- version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
version: ~12.x-0
diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties
index f768338d99..8f63ac85ab 100644
--- a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties
+++ b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties
@@ -5,6 +5,7 @@
# ================================================================================
# Copyright © 2018 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -24,16 +25,9 @@ aai.config.checktime=1000
# this could come from siteconfig.pl?
aai.config.nodename=AutomaticallyOverwritten
-
-{{ if ( include "common.needTLS" .) }}
-aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/
-aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/
-aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/
-{{ else }}
aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/
aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/
aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/
-{{ end }}
{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }}
aai.tools.enableBasicAuth=true
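Review bot: Basic auth can still be enabled without the service mesh, and in that case `aai.tools.username` and `aai.tools.password` travel only base64-encoded over an unencrypted connection. This follows from `aai.server.url.base`, `aai.server.url` and `aai.global.callback.url` now always being `http://` while the `or` condition just below still accepts `global.config.basic.auth.enabled` on its own. Either the basic-auth branch should require the mesh, or the file should state the constraint, for example `# http only: transport encryption is provided by the service mesh; do not enable basic auth without it`. The `if` block continues into the next hunk.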
@@ -41,13 +35,6 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }}
aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
-{{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
-aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
-{{ end }}
-
aai.notification.current.version={{ .Values.global.config.schema.version.api.default }}
aai.notificationEvent.default.status=UNPROCESSED
aai.notificationEvent.default.eventType={{ .Values.global.config.notification.eventType }}
diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties
index 6e64fd8400..37d02a0629 100644
--- a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties
+++ b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties
@@ -5,6 +5,7 @@
# ================================================================================
# Copyright � 2018 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -34,7 +35,7 @@ server.servlet.context-path=/
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
-spring.profiles.active={{ .Values.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }}
+spring.profiles.active={{ .Values.config.profiles.active }}
spring.jersey.application-path=${schema.uri.base.path}
#The max number of active threads in this pool
server.tomcat.max-threads=200
@@ -49,23 +50,13 @@ server.local.startpath=/opt/app/aai-graphadmin/resources/
server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties
server.port=8449
-{{ if ( include "common.needTLS" .) }}
-server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
-server.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
-server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-server.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
-server.ssl.client-auth=want
-server.ssl.key-store-type=JKS
-{{ else }}
security.require-ssl=false
server.ssl.enabled=false
-{{ end }}
# JMS bind address host port
jms.bind.address=tcp://localhost:61649
-dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }}
-dmaap.ribbon.transportType={{ include "common.scheme" . }}
+dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3904
+dmaap.ribbon.transportType=http
# Schema related attributes for the oxm and edges
# Any additional schema related attributes should start with prefix schema
@@ -101,26 +92,14 @@ schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{
schema.service.nodes.endpoint=nodes?version=
schema.service.edges.endpoint=edgerules?version=
schema.service.versions.endpoint=versions
-schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
+schema.service.client=no-auth
-{{ if ( include "common.needTLS" .) }}
-schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
-schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-schema.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
-schema.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
-{{ end }}
aperture.rdbmsname=aai_relational
-aperture.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
+aperture.service.client=no-auth
aperture.service.base.url=http://localhost:8457/aai/aperture
-{{ if ( include "common.needTLS" .) }}
-aperture.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
-aperture.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-aperture.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
-aperture.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
-{{ end }}
aperture.service.timeout-in-milliseconds=300000
#To Expose the Prometheus scraping endpoint
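Review bot: `schema.service.base.url` (shown in the hunk header) still takes its scheme from `common.scheme`, which is inconsistent with the rest of this commit. `schema.service.client=no-auth` and `aperture.service.client=no-auth` are now hard-coded, the key-store and trust-store properties are gone, and the previous hunk hard-codes `dmaap.ribbon.transportType=http`. If the helper can still render `https`, the client would call an HTTPS endpoint with no trust store configured. Hard-coding `http://` in the base URL, or adding a comment on why the helper is kept, would make the file consistent.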
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
index a8564b0766..033cfa02bc 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
@@ -6,6 +6,7 @@
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -53,50 +54,7 @@ spec:
hostname: aai-graphadmin
terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
{{ if .Values.global.initContainers.enabled }}
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- {{- if .Values.global.aafEnabled }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** Set obfuscated Truststore and Keystore password into configuration file"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- cd /config-input
- for PFILE in `ls -1`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: properties-input
- - mountPath: /config
- name: properties
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
+ initContainers:
- command:
{{ if .Values.global.jobs.migration.enabled }}
- /app/ready.py
@@ -145,7 +103,7 @@ spec:
value: {{ .Values.service.internalPort2 | quote }}
- name: INTERNAL_PORT_3
value: {{ .Values.service.internalPort3 | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -215,7 +173,7 @@ spec:
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
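Review bot: The `localtime` volume kept at the top of this `volumes:` list is a `hostPath` mount, which the Kubernetes baseline Pod Security Standard rejects, so these pods cannot be admitted to a namespace that enforces that level. The mount is declared `readOnly: true` in the `volumeMounts` hunk above, which limits the exposure, but nothing records why a host path is needed. I would add `# hostPath: read-only, used only for the node timezone; not admitted under the baseline Pod Security Standard` above the entry, or drop the volume if the image can get its timezone another way. The same entry appears in the `volumes:` hunks of job-copy-db-backup.yaml, job-create-db.yaml, job-migration.yaml and the aai-modelloader deployment.yaml. The volume list continues outside the hunk.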
@@ -226,11 +184,6 @@ spec:
configMap:
name: {{ include "common.fullname" . }}
- name: properties
- {{- if .Values.global.aafEnabled }}
- emptyDir:
- medium: Memory
- - name: properties-input
- {{- end }}
configMap:
name: {{ include "common.fullname" . }}-properties
restartPolicy: {{ .Values.restartPolicy }}
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
index a93c6107e7..2973245dfd 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
@@ -6,6 +6,7 @@
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -58,50 +59,7 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- {{- if .Values.global.aafEnabled }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** Set obfuscated Truststore and Keystore password into configuration file"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- cd /config-input
- for PFILE in `ls -1`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: properties-input
- - mountPath: /config
- name: properties
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
+ initContainers:
{{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }}
- command:
- /bin/bash
@@ -135,7 +93,7 @@ spec:
value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.securityContext.group_id | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -168,7 +126,7 @@ spec:
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
@@ -178,11 +136,6 @@ spec:
configMap:
name: {{ include "common.fullname" . }}
- name: properties
- {{- if .Values.global.aafEnabled }}
- emptyDir:
- medium: Memory
- - name: properties-input
- {{- end }}
configMap:
name: {{ include "common.fullname" . }}-properties
- name: migration
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
index a9349028f4..538b5aed50 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
@@ -6,6 +6,7 @@
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -53,50 +54,7 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- {{- if .Values.global.aafEnabled }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** Set obfuscated Truststore and Keystore password into configuration file"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- cd /config-input
- for PFILE in `ls -1`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: properties-input
- - mountPath: /config
- name: properties
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
+ initContainers:
- command:
- /app/ready.py
args:
@@ -135,7 +93,7 @@ spec:
value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.securityContext.group_id | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -166,7 +124,7 @@ spec:
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
@@ -177,11 +135,6 @@ spec:
configMap:
name: {{ include "common.fullname" . }}
- name: properties
- {{- if .Values.global.aafEnabled }}
- emptyDir:
- medium: Memory
- - name: properties-input
- {{- end }}
configMap:
name: {{ include "common.fullname" . }}-properties
restartPolicy: Never
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
index 10b8255c50..7e9f866d5f 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
@@ -6,6 +6,7 @@
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -58,50 +59,7 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- {{- if .Values.global.aafEnabled }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** Set obfuscated Truststore and Keystore password into configuration file"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- cd /config-input
- for PFILE in `ls -1`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: properties-input
- - mountPath: /config
- name: properties
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
+ initContainers:
- command:
- /app/ready.py
args:
@@ -133,7 +91,7 @@ spec:
value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.securityContext.group_id | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -180,7 +138,7 @@ spec:
value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.securityContext.group_id | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -211,7 +169,7 @@ spec:
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
@@ -225,11 +183,6 @@ spec:
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-migration
- name: properties
- {{- if .Values.global.aafEnabled }}
- emptyDir:
- medium: Memory
- - name: properties-input
- {{- end }}
configMap:
name: {{ include "common.fullname" . }}-properties
restartPolicy: Never
@@ -259,50 +212,7 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- {{- if .Values.global.aafEnabled }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** Set obfuscated Truststore and Keystore password into configuration file"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- cd /config-input
- for PFILE in `ls -1`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: properties-input
- - mountPath: /config
- name: properties
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
+ initContainers:
{{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }}
- command:
- /bin/bash
@@ -336,7 +246,7 @@ spec:
value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.securityContext.group_id | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml
index 6350f858f1..a6e1d32b8a 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml
@@ -36,7 +36,7 @@ spec:
{{if eq .Values.service.type "NodePort" -}}
- port: {{ .Values.service.internalPort }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
+ name: {{ .Values.service.portName }}
- port: {{ .Values.service.internalPort2 }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }}
name: {{ .Values.service.portName2 }}
@@ -45,7 +45,7 @@ spec:
name: {{ .Values.service.portName3 }}
{{- else -}}
- port: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
+ name: {{ .Values.service.portName }}
- port: {{ .Values.service.internalPort2 }}
name: {{ .Values.service.portName2 }}
- port: {{ .Values.service.internalPort3 }}
diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml
index ff7a7d6130..d333448f8d 100644
--- a/kubernetes/aai/components/aai-graphadmin/values.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/values.yaml
@@ -5,6 +5,7 @@
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -61,7 +62,7 @@ global: # global defaults
# Specifies if the connection should be one way ssl, two way ssl or no auth
# will be set to no-auth if tls is disabled
service:
- client: one-way-ssl
+ client: no-auth
# Specifies which translator to use if it has schema-service, then it will
# make a rest request to schema service
translator:
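Review bot: The comment kept above `client:` still says the value "will be set to no-auth if tls is disabled", but `no-auth` is now the shipped default, so the comment describes a fallback that no longer exists. Anyone reading values.yaml would assume the schema-service client uses TLS unless told otherwise. I would replace the second comment line with `# default is no-auth: the schema-service client uses no TLS of its own, so transport protection must come from outside the pod`. Whether a service mesh supplies that protection is not visible in this hunk, so the comment should stay that neutral. The enclosing `schema:` mapping starts outside the hunk.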
@@ -98,51 +99,6 @@ global: # global defaults
realtime:
clients: SDNC,-1|MSO,-1|SO,-1|robot-ete,-1
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-graphadmin-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: aai
- fqi: aai@aai.onap.org
- public_fqdn: aai.onap.org
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- app_ns: org.osaaf.aaf
- credsPath: /opt/app/osaaf/local
- fqi_namespace: org.onap.aai
- user_id: &user_id 1000
- group_id: &group_id 1000
- aaf_add_config: |
- echo "*** changing them into shell safe ones"
- export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export KEYSTORE_JKS_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- keytool -storepasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \
- -storepass "${cadi_keystore_password_jks}" \
- -keystore {{ .Values.fqi_namespace }}.jks
- echo "*** set key password as same password as keystore password"
- keytool -keypasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \
- -keystore {{ .Values.fqi_namespace }}.jks \
- -keypass "${cadi_keystore_password_jks}" \
- -storepass "${KEYSTORE_JKS_PLAIN_PASSWORD}" -alias {{ .Values.fqi }}
- echo "*** writing passwords into prop file"
- echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
- echo "KEYSTORE_JKS_PLAIN_PASSWORD=${KEYSTORE_JKS_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
-
# application image
image: onap/aai-graphadmin:1.11.2
pullPolicy: Always
@@ -165,9 +121,8 @@ config:
# Specify the profiles for the graphadmin microservice
profiles:
- # one way ssl profile will be set unless tlsEnabled is set to false or serviceMesh is enabled and
- # serviceMesh.tls is set to tru
- active: dmaap #,one-way-ssl"
+
+ active: dmaap
# Specifies the timeout limit for the REST API requests
timeout:
@@ -318,8 +273,8 @@ metrics:
# Not fully used for now
securityContext:
- user_id: *user_id
- group_id: *group_id
+ user_id: 1000
+ group_id: 1000
#Pods Service Account
serviceAccount:
diff --git a/kubernetes/aai/components/aai-modelloader/Chart.yaml b/kubernetes/aai/components/aai-modelloader/Chart.yaml
index 56aad3ecec..65da29473c 100644
--- a/kubernetes/aai/components/aai-modelloader/Chart.yaml
+++ b/kubernetes/aai/components/aai-modelloader/Chart.yaml
@@ -1,6 +1,6 @@
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,12 +22,6 @@ version: 12.0.0
dependencies:
- name: common
version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
- version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
version: ~12.x-0
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/auth/aai-os-cert.p12 b/kubernetes/aai/components/aai-modelloader/resources/config/auth/aai-os-cert.p12
deleted file mode 100644
index ee57120fa0..0000000000
--- a/kubernetes/aai/components/aai-modelloader/resources/config/auth/aai-os-cert.p12
+++ /dev/null
Binary files differ
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
index a3e27f5517..e32f48f77f 100644
--- a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
+++ b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
@@ -1,6 +1,7 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,19 +18,11 @@
# Model Loader Distribution Client Configuration
*/}}
ml.distribution.ACTIVE_SERVER_TLS_AUTH=false
-{{ if ( include "common.needTLS" .) }}
-ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8443
-ml.distribution.ASDC_USE_HTTPS=true
-ml.distribution.KEYSTORE_PASSWORD=
-ml.distribution.KEYSTORE_FILE=
-ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp
-{{ else }}
ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8080
ml.distribution.ASDC_USE_HTTPS=false
ml.distribution.KEYSTORE_PASSWORD=
ml.distribution.KEYSTORE_FILE=
ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp
-{{ end }}
{{- with (first .Values.kafkaUser.acls) }}
ml.distribution.CONSUMER_GROUP={{ .name }}
ml.distribution.CONSUMER_ID={{ .name }}-model-loader
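Review bot: The `ml.distribution.PASSWORD=OBF:…` line that survives this hunk is a Jetty `OBF:` value, which is a reversible encoding rather than encryption, and it is still committed in the chart. With the TLS branch removed, it is now used against `sdc-be…:8080` with `ASDC_USE_HTTPS=false`. The deployment hunks further down mount this file from the `prop-config` ConfigMap, so the value appears to be readable by anyone who can read ConfigMaps in the namespace. At minimum I would add `# OBF: is reversible Jetty obfuscation; treat this value as a plaintext default and override it per deployment` above the line. Moving it to a Secret would be better, but it needs a substitution step that this commit removes. The same applies to `ml.aai.AUTH_PASSWORD=OBF:…`, visible in the header of the last hunk of this file.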
@@ -41,15 +34,8 @@ ml.distribution.USER={{ .name }}
ml.distribution.ARTIFACT_TYPES=MODEL_QUERY_SPEC,TOSCA_CSAR
# Model Loader AAI REST Client Configuration
-{{ if ( include "common.needTLS" .) }}
-ml.aai.BASE_URL=https://aai.{{.Release.Namespace}}:8443
-ml.aai.KEYSTORE_FILE=aai-os-cert.p12
-ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o
-ml.aai.USE_HTTPS= true
-{{ else }}
ml.aai.BASE_URL=http://aai.{{.Release.Namespace}}:80
ml.aai.USE_HTTPS= false
-{{ end }}
ml.aai.MODEL_URL=/aai/v*/service-design-and-creation/models/model/
ml.aai.NAMED_QUERY_URL=/aai/v*/service-design-and-creation/named-queries/named-query/
ml.aai.VNF_IMAGE_URL=/aai/v*/service-design-and-creation/vnf-images
@@ -60,16 +46,8 @@ ml.aai.AUTH_PASSWORD=OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw
# Model Loader Babel REST Client Configuration\r
ml.babel.BASE_URL={{ include "common.scheme" . }}://aai-babel.{{.Release.Namespace}}:9516
ml.babel.GENERATE_ARTIFACTS_URL=/services/babel-service/v1/app/generateArtifacts
-{{ if ( include "common.needTLS" .) }}
-ml.babel.KEYSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.p12
-ml.babel.KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}
-ml.babel.TRUSTSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-ml.babel.TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}
-ml.babel.USE_HTTPS= true
-{{ else }}
ml.babel.KEYSTORE_FILE=
ml.babel.KEYSTORE_PASSWORD=
ml.babel.TRUSTSTORE_FILE=
ml.babel.TRUSTSTORE_PASSWORD=
ml.babel.USE_HTTPS= false
-{{ end }}
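Review bot: `ml.babel.BASE_URL` is still built from `{{ include "common.scheme" . }}`, while this hunk hard-codes `ml.babel.USE_HTTPS= false` and leaves the keystore and truststore entries empty. If `common.scheme` (defined outside this page) can still return `https`, the client would be pointed at an https URL with no trust material configured. The AAI client in the previous hunk was switched to a literal `http://`, so for consistency I would write `ml.babel.BASE_URL=http://aai-babel.{{.Release.Namespace}}:9516`. Otherwise derive `USE_HTTPS` from the same helper so the two settings cannot disagree.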
diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
index bab0e0cc8f..b32602810d 100644
--- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
@@ -2,6 +2,7 @@
# Copyright © 2018 Amdocs, AT&T
# Modifications Copyright © 2018 Bell Canada
# Modifications Copyright © 2020-2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -51,50 +52,6 @@ spec:
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- {{- if .Values.global.aafEnabled }}
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}
- export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** Set obfuscated Truststore and Keystore password into configuration file"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- cd /config-input
- for PFILE in `ls -1`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: prop-config-input
- - mountPath: /config
- name: prop-config
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
@@ -107,15 +64,13 @@ spec:
secretKeyRef:
name: {{ include "common.name" . }}-ku
key: sasl.jaas.config
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/model-loader/config/model-loader.properties
subPath: model-loader.properties
name: prop-config
- - mountPath: /opt/app/model-loader/config/auth/
- name: auth-config
- mountPath: {{ .Values.log.path }}
name: logs
- mountPath: /opt/app/model-loader/logback.xml
@@ -125,21 +80,13 @@ spec:
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
- name: prop-config
- {{- if .Values.global.aafEnabled }}
- emptyDir:
- medium: Memory
- - name: prop-config-input
- {{- end }}
configMap:
name: {{ include "common.fullname" . }}-prop
- - name: auth-config
- secret:
- secretName: {{ include "common.fullname" . }}
- name: logs
emptyDir: {}
{{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml
index 825ef06cf1..0a6a640ce3 100644
--- a/kubernetes/aai/components/aai-modelloader/values.yaml
+++ b/kubernetes/aai/components/aai-modelloader/values.yaml
@@ -1,5 +1,6 @@
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2020-2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,42 +20,6 @@
global: # global defaults
nodePortPrefix: 302
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-ml-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: aai
- fqi: aai@aai.onap.org
- public_fqdn: aai.onap.org
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- app_ns: org.osaaf.aaf
- credsPath: /opt/app/osaaf/local
- appMountPath: /opt/app/model-loader/config/auth/aaf
- fqi_namespace: org.onap.aai
- user_id: &user_id 1000
- group_id: &group_id 1000
- aaf_add_config: |
- echo "*** changing them into shell safe ones"
- export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** writing passwords into prop file"
- echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
- echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
-
# application image
image: onap/model-loader:1.12.0
pullPolicy: Always
@@ -122,8 +87,8 @@ serviceAccount:
# Not fully used for now
securityContext:
- user_id: *user_id
- group_id: *group_id
+ user_id: 1000
+ group_id: 1000
#Log configuration
log:
diff --git a/kubernetes/aai/components/aai-resources/Chart.yaml b/kubernetes/aai/components/aai-resources/Chart.yaml
index fc8ad97b45..362e0e4795 100644
--- a/kubernetes/aai/components/aai-resources/Chart.yaml
+++ b/kubernetes/aai/components/aai-resources/Chart.yaml
@@ -1,6 +1,6 @@
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -23,12 +23,6 @@ version: 12.0.0
dependencies:
- name: common
version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
- version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
version: ~12.x-0
diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/bath_config.csv b/kubernetes/aai/components/aai-resources/resources/config/aaf/bath_config.csv
deleted file mode 100644
index ec60ef7e53..0000000000
--- a/kubernetes/aai/components/aai-resources/resources/config/aaf/bath_config.csv
+++ /dev/null
@@ -1,27 +0,0 @@
-# AAI -> aai@aai.onap.org
-Basic QUFJOkFBSQ==,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# ModelLoader -> aai@aai.onap.org
-Basic TW9kZWxMb2FkZXI6TW9kZWxMb2FkZXI=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# AaiUI -> aai@aai.onap.org,
-Basic QWFpVUk6QWFpVUk=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# MSO -> so@so.onap.org
-Basic TVNPOk1TTw==,Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1NiE=,2050-03-03
-
-# SDNC -> sdnc@sdnc.onap.org
-Basic U0ROQzpTRE5D,Basic c2RuY0BzZG5jLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03
-
-# DCAE -> dcae@dcae.onap.org
-Basic RENBRTpEQ0FF,Basic ZGNhZUBkY2FlLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03
-
-# POLICY -> policy@policy.onap.org
-Basic UE9MSUNZOlBPTElDWQ==,Basic cG9saWN5QHBvbGljeS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# ASDC -> sdc@sdc.onap.org
-Basic QVNEQzpBU0RD,Basic c2RjQHNkYy5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# OOF -> oof@oof.onap.org
-Basic T09GOk9PRg==,Basic b29mQG9vZi5vbmFwLm9yZzpkZW1vMTIzNDQ2IQ==,2050-03-03
-
diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/cadi.properties b/kubernetes/aai/components/aai-resources/resources/config/aaf/cadi.properties
deleted file mode 100644
index ec5fd55e06..0000000000
--- a/kubernetes/aai/components/aai-resources/resources/config/aaf/cadi.properties
+++ /dev/null
@@ -1,8 +0,0 @@
-
-cadi_loglevel=INFO
-cadi_prop_files=/opt/app/aai-resources/resources/aaf/org.osaaf.location.props:/opt/app/aai-resources/resources/aaf/org.onap.aai.props
-
-# OAuth2
-aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token
-aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect
-
diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.onap.aai.props b/kubernetes/aai/components/aai-resources/resources/config/aaf/org.onap.aai.props
deleted file mode 100644
index f4bb9ee89c..0000000000
--- a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.onap.aai.props
+++ /dev/null
@@ -1,15 +0,0 @@
-############################################################
-# Properties Generated by AT&T Certificate Manager
-# @copyright 2016, AT&T
-# Modifications Copyright © 2020 Orange
-############################################################
-cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
-cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile
-cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-cadi_keystore_password=${KEYSTORE_PASSWORD}
-
-cadi_alias=aai@aai.onap.org
-cadi_truststore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks
-cadi_truststore_password=${TRUSTSTORE_ALL_PASSWORD}
-cadi_loglevel=INFO
-cadi_bath_convert=/opt/app/aai-resources/resources/aaf/bath_config.csv
diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.osaaf.location.props b/kubernetes/aai/components/aai-resources/resources/config/aaf/org.osaaf.location.props
deleted file mode 100644
index 8ae66aaf79..0000000000
--- a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.osaaf.location.props
+++ /dev/null
@@ -1,24 +0,0 @@
-##
-## org.osaaf.location.props
-##
-## Localized Machine Information
-##
-# Almeda California ?
-cadi_latitude=37.78187
-cadi_longitude=-122.26147
-
-# Locate URL (which AAF Env)
-aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095
-
-
-# AAF URL
-aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1
-
-# AAF Environment Designation
-aaf_env=DEV
-
-# OAuth2 Endpoints
-aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token
-aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect
-
-
diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/permissions.properties b/kubernetes/aai/components/aai-resources/resources/config/aaf/permissions.properties
deleted file mode 100644
index 4234121a2d..0000000000
--- a/kubernetes/aai/components/aai-resources/resources/config/aaf/permissions.properties
+++ /dev/null
@@ -1,2 +0,0 @@
-permission.type=org.onap.aai.resources
-permission.instance=* \ No newline at end of file
diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties
index a569b5366b..adabae3ac7 100644
--- a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties
+++ b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties
@@ -5,6 +5,7 @@
# ================================================================================
# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -38,15 +39,9 @@ aai.config.checktime=1000
# this could come from siteconfig.pl?
aai.config.nodename=AutomaticallyOverwritten
-{{ if ( include "common.needTLS" .) }}
-aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/
-aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/
-aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/
-{{ else }}
aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/
aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/
aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/
-{{ end }}
{{ if .Values.global.config.basic.auth.enabled }}
aai.tools.enableBasicAuth=true
@@ -54,13 +49,6 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }}
aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
-{{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
-aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
-{{ end }}
-
aai.notification.current.version={{ .Values.global.config.schema.version.api.default }}
aai.notificationEvent.default.status=UNPROCESSED
aai.notificationEvent.default.eventType={{ .Values.global.config.notification.eventType }}
diff --git a/kubernetes/aai/components/aai-resources/resources/config/application.properties b/kubernetes/aai/components/aai-resources/resources/config/application.properties
index b5b64bec4b..40b89eabb4 100644
--- a/kubernetes/aai/components/aai-resources/resources/config/application.properties
+++ b/kubernetes/aai/components/aai-resources/resources/config/application.properties
@@ -1,6 +1,7 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -29,7 +30,7 @@ server.servlet.context-path=/
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration
-spring.profiles.active={{ .Values.global.config.profiles.active }}{{ .Values.global.aafEnabled | ternary ",aaf-auth" "" }}
+spring.profiles.active={{ .Values.global.config.profiles.active }}
spring.jersey.application-path=${schema.uri.base.path}
#The max number of active threads in this pool
server.tomcat.max-threads=200
@@ -44,23 +45,13 @@ server.local.startpath=aai-resources/src/main/resources/
server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties
server.port=8447
-{{ if ( include "common.needTLS" .) }}
-server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-server.ssl.key-store-password=${KEYSTORE_PASSWORD}
-server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-server.ssl.client-auth=want
-server.ssl.key-store-type=JKS
-{{ else }}
security.require-ssl=false
server.ssl.enabled=false
-{{ end }}
# JMS bind address host port
jms.bind.address=tcp://localhost:61647
-dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }}
-dmaap.ribbon.transportType={{ include "common.scheme" . }}
+dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3904
+dmaap.ribbon.transportType=http
# Schema related attributes for the oxm and edges
# Any additional schema related attributes should start with prefix schema
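Review bot: With the `common.needTLS` branch removed, `server.ssl.enabled=false` and `dmaap.ribbon.transportType=http` are unconditional, so the listener on 8447 and the message-router traffic are cleartext unless something outside this chart encrypts them (presumably a service-mesh sidecar), and nothing in the file says so. The same holds for the `http://aai.…` URLs that aaiconfig.properties now always renders, next to `aai.tools.username`/`aai.tools.password`, which are presumably sent to those URLs when basic auth is enabled. The matching aai-schema-service hunks in this commit have the same gap. I would record the assumption beside the setting, e.g. `# Plain HTTP inside the pod; transport encryption is expected from the service mesh`, so a deployment without a mesh is a visible decision rather than a silent default.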
@@ -96,14 +87,7 @@ schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{
schema.service.nodes.endpoint=nodes?version=
schema.service.edges.endpoint=edgerules?version=
schema.service.versions.endpoint=versions
-schema.service.client={{ (eq "true" ( include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
-
-{{ if ( include "common.needTLS" .) }}
-schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD}
-schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-{{ end }}
+schema.service.client=no-auth
#to expose the Prometheus scraping endpoint
management.port=8448
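Review bot: `schema.service.client=no-auth` is now a literal, yet the values.yaml hunk later in this commit still sets `global.config.schema.service.client: no-auth`, so that key no longer appears to be read by this template and the two can drift apart. Either keep the template reading the value, `schema.service.client={{ .Values.global.config.schema.service.client }}`, or drop the key from values.yaml. The hunk header also shows `schema.service.base.url` still built from `common.scheme`, whereas the previous hunk hard-codes `dmaap.ribbon.transportType=http`. If that helper can still return `https`, a `no-auth` client would have no truststore configured, so the scheme and the client mode should be fixed together.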
diff --git a/kubernetes/aai/components/aai-resources/templates/configmap.yaml b/kubernetes/aai/components/aai-resources/templates/configmap.yaml
index 99973565f8..eccc4ba491 100644
--- a/kubernetes/aai/components/aai-resources/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/configmap.yaml
@@ -34,19 +34,3 @@ data:
{{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-aaf-props
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/aaf/org.osaaf.location.props").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/permissions.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.props").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/cadi.properties").AsConfig . | indent 2 }}
diff --git a/kubernetes/aai/components/aai-resources/templates/deployment.yaml b/kubernetes/aai/components/aai-resources/templates/deployment.yaml
index f4e56c24b6..11008aea96 100644
--- a/kubernetes/aai/components/aai-resources/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/deployment.yaml
@@ -3,6 +3,7 @@
# Modifications Copyright (c) 2018 AT&T
# Modifications Copyright (c) 2020 Nokia
# Modifications Copyright (c) 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -79,7 +80,7 @@ spec:
spec:
hostname: aai-resources
terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ initContainers:
- name: {{ include "common.name" . }}-readiness
command:
- /app/ready.py
@@ -119,8 +120,6 @@ spec:
args:
- -c
- |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
echo "*** actual launch of AAI Resources"
/bin/bash /opt/app/aai-resources/docker-entrypoint.sh
env:
@@ -128,17 +127,13 @@ spec:
value: {{ .Values.global.config.userId | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.global.config.groupId | quote }}
- - name: POST_JAVA_OPTS
- value: '-Djavax.net.ssl.trustStore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks -Djavax.net.ssl.trustStorePassword={{ .Values.certInitializer.truststorePassword }}'
- - name: TRUSTORE_ALL_PASSWORD
- value: {{ .Values.certInitializer.truststorePassword }}
- name: INTERNAL_PORT_1
value: {{ .Values.service.internalPort | quote }}
- name: INTERNAL_PORT_2
value: {{ .Values.service.internalPort2 | quote }}
- name: INTERNAL_PORT_3
value: {{ .Values.service.internalPort3 | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -162,21 +157,6 @@ spec:
- mountPath: /opt/app/aai-resources/resources/etc/auth/realm.properties
name: {{ include "common.fullname" . }}-config
subPath: realm.properties
- - mountPath: /opt/app/aai-resources/resources/aaf/bath_config.csv
- name: {{ include "common.fullname" . }}-aaf-certs
- subPath: bath_config.csv
- - mountPath: /opt/app/aai-resources/resources/aaf/org.onap.aai.props
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: org.onap.aai.props
- - mountPath: /opt/app/aai-resources/resources/aaf/org.osaaf.location.props
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: org.osaaf.location.props
- - mountPath: /opt/app/aai-resources/resources/aaf/permissions.properties
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: permissions.properties
- - mountPath: /opt/app/aai-resources/resources/cadi.properties
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: cadi.properties
- mountPath: /opt/app/aai-resources/resources/application.properties
name: {{ include "common.fullname" . }}-config
subPath: application.properties
@@ -206,7 +186,7 @@ spec:
httpGet:
path: /aai/util/echo?action=checkDB
port: {{ .Values.service.internalPort }}
- scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }}
+ scheme: HTTP
httpHeaders:
- name: X-FromAppId
value: LivenessCheck
@@ -221,7 +201,7 @@ spec:
httpGet:
path: /aai/util/echo?action=checkDB
port: {{ .Values.service.internalPort }}
- scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }}
+ scheme: HTTP
httpHeaders:
- name: X-FromAppId
value: ReadinessCheck
@@ -241,7 +221,7 @@ spec:
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
@@ -251,12 +231,6 @@ spec:
- name: {{ include "common.fullname" . }}-config
configMap:
name: {{ include "common.fullname" . }}
- - name: {{ include "common.fullname" . }}-aaf-properties
- configMap:
- name: {{ include "common.fullname" . }}-aaf-props
- - name: {{ include "common.fullname" . }}-aaf-certs
- secret:
- secretName: {{ include "common.fullname" . }}-aaf-keys
restartPolicy: {{ .Values.restartPolicy }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml
index de7bf2dd84..0f09643bba 100644
--- a/kubernetes/aai/components/aai-resources/values.yaml
+++ b/kubernetes/aai/components/aai-resources/values.yaml
@@ -1,6 +1,7 @@
# Copyright (c) 2018 Amdocs, Bell Canada, AT&T
# Copyright (c) 2020 Nokia, Orange
# Modifications Copyright (c) 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -33,8 +34,6 @@ global: # global defaults
migration:
enabled: false
- aafEnabled: false
-
config:
# Specifies that the cluster connected to a dynamic
# cluster being spinned up by kubernetes deployment
@@ -51,8 +50,7 @@ global: # global defaults
# Active spring profiles for the resources microservice
profiles:
- # aaf-auth profile will be automatically set if aaf enabled is set to true
- active: production,dmaap #,aaf-auth
+ active: production,dmaap
# Notification event specific properties
notification:
@@ -63,7 +61,7 @@ global: # global defaults
schema:
# Specifies if the connection should be one way ssl, two way ssl or no auth
service:
- client: one-way-ssl
+ client: no-auth
# Specifies which translator to use if it has schema-service, then it will make a rest request to schema service
translator:
list: schema-service
@@ -123,38 +121,6 @@ aai_enpoints:
url: network
- name: aai-externalSystem
url: external-system
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-resources-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: aai-resources
- fqi: aai-resources@aai-resources.onap.org
- public_fqdn: aai-resources.onap.org
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- app_ns: org.osaaf.aaf
- credsPath: /opt/app/osaaf/local
- fqi_namespace: org.onap.aai-resources
- aaf_add_config: |
- echo "*** changing them into shell safe ones"
- export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** save the generated passwords"
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R 1000 {{ .Values.credsPath }}
# application image
image: onap/aai-resources:1.11.0
diff --git a/kubernetes/aai/components/aai-schema-service/Chart.yaml b/kubernetes/aai/components/aai-schema-service/Chart.yaml
index c04342fdd9..cdf9bd8f77 100644
--- a/kubernetes/aai/components/aai-schema-service/Chart.yaml
+++ b/kubernetes/aai/components/aai-schema-service/Chart.yaml
@@ -1,6 +1,6 @@
# Copyright © 2019 AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -23,12 +23,6 @@ version: 12.0.0
dependencies:
- name: common
version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
- version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
version: ~12.x-0
diff --git a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties
index a2abaf3785..4c620a0028 100644
--- a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties
+++ b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties
@@ -4,6 +4,7 @@
# org.onap.aai
# ================================================================================
# Copyright © 2019 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,15 +20,9 @@
# ============LICENSE_END=========================================================
*/}}
-{{ if ( include "common.needTLS" .) }}
-aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/
-aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/
-aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/
-{{ else }}
aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/
aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/
aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/
-{{ end }}
{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }}
aai.tools.enableBasicAuth=true
@@ -35,12 +30,6 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }}
aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
-{{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
-aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
-{{ end }}
aai.default.api.version={{ .Values.global.config.schema.version.api.default }}
diff --git a/kubernetes/aai/components/aai-schema-service/config/application.properties b/kubernetes/aai/components/aai-schema-service/config/application.properties
index a3f7998a8f..20dc6bc520 100644
--- a/kubernetes/aai/components/aai-schema-service/config/application.properties
+++ b/kubernetes/aai/components/aai-schema-service/config/application.properties
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -37,18 +38,8 @@ server.local.startpath=aai-schema-service/src/main/resources/
server.basic.auth.location=${server.local.startpath}/etc/auth/realm.properties
server.port=8452
-{{ if ( include "common.needTLS" .) }}
-server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-server.ssl.key-store-password=${KEYSTORE_PASSWORD}
-server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-server.ssl.client-auth=want
-server.ssl.key-store-type=PKCS12
-{{ else }}
security.require-ssl=false
server.ssl.enabled=false
-{{ end }}
schema.configuration.location=N/A
schema.source.name={{ .Values.global.config.schema.source.name }}
diff --git a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
index fbb67ad35b..3322918ae5 100644
--- a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
@@ -2,6 +2,7 @@
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018 AT&T
# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -47,51 +48,16 @@ spec:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
spec:
- {{- if .Values.global.aafEnabled }}
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}
- export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- {{- end }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- {{- if .Values.global.aafEnabled }}
- command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
- echo "*** actual launch of AAI Schema Service"
- /bin/bash /opt/app/aai-schema-service/docker-entrypoint.sh
- {{- end }}
env:
- name: LOCAL_USER_ID
value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.securityContext.group_id | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -142,7 +108,7 @@ spec:
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: aai-common-aai-auth-mount
secret:
secretName: aai-common-aai-auth
diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml
index 50e12e8e4d..19ee9d491c 100644
--- a/kubernetes/aai/components/aai-schema-service/values.yaml
+++ b/kubernetes/aai/components/aai-schema-service/values.yaml
@@ -1,5 +1,6 @@
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -58,41 +59,6 @@ global: # global defaults
edge:
label: v12
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-schema-service-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: aai-schema-service
- fqi: aai-schema-service@aai-schema-service.onap.org
- public_fqdn: aai-schema-service.onap.org
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- app_ns: org.osaaf.aaf
- credsPath: /opt/app/osaaf/local
- fqi_namespace: org.onap.aai-schema-service
- user_id: &user_id 1000
- group_id: &group_id 1000
- aaf_add_config: |
- echo "*** changing them into shell safe ones"
- export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** writing passwords into prop file"
- echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
- echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
-
# application image
image: onap/aai-schema-service:1.11.0
pullPolicy: Always
@@ -174,8 +140,8 @@ serviceAccount:
# Not fully used for now
securityContext:
- user_id: *user_id
- group_id: *group_id
+ user_id: 1000
+ group_id: 1000
#Log configuration
log:
diff --git a/kubernetes/aai/components/aai-sparky-be/Chart.yaml b/kubernetes/aai/components/aai-sparky-be/Chart.yaml
index 2bfb7f231a..da2523834a 100644
--- a/kubernetes/aai/components/aai-sparky-be/Chart.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/Chart.yaml
@@ -1,6 +1,6 @@
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,12 +22,6 @@ version: 12.0.0
dependencies:
- name: common
version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
- version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
version: ~12.x-0
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties
index ee1341751f..178adb80b3 100644
--- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties
+++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,15 +19,9 @@ oxm.schemaNodeDir=/opt/app/sparky/onap/oxm
#schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config
oxm.schemaServiceTranslatorList=config
# The end point for onap is https://<hostname>:<port>/onap/schema-service/v1/
-{{ if ( include "common.needTLS" .) }}
-oxm.schemaServiceBaseUrl=https://<schema-service/config>/aai/schema-service/v1/
-oxm.schemaServiceKeystore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-oxm.schemaServiceTruststore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-oxm.schemaServiceKeystorePassword=${KEYSTORE_PASSWORD}
-oxm.schemaServiceTruststorePassword=${TRUSTSTORE_PASSWORD}
-{{ else }}
+
oxm.schemaServiceBaseUrl=http://<schema-service/config>/aai/schema-service/v1/
-{{ end }}
+
# Schema Service need this variable for the time being
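Review bot: The comment kept just above the remaining `oxm.schemaServiceBaseUrl` still gives the ONAP endpoint as `https://<hostname>:<port>/onap/schema-service/v1/`, while the only URL left after this hunk is `http://`. With the `needTLS` branch gone, the comment should say that the chart configures plain HTTP only, for example `# Plain HTTP only: transport security is expected from the service mesh, not from this client`. The two `+` blank lines around the URL add nothing and could be dropped.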
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties
index 7c82d1f90d..e9ed63e76e 100644
--- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties
+++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -15,16 +16,7 @@
*/}}
resources.hostname=aai
-{{ if ( include "common.needTLS" .) }}
-resources.port=8443
-resources.authType=SSL_BASIC
-resources.basicAuthUserName=aai@aai.onap.org
-resources.basicAuthPassword=1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek
-resources.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-resources.trust-store-password=${TRUSTSTORE_PASSWORD}
-resources.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-resources.client-cert-password=${KEYSTORE_PASSWORD}
-{{ else }}
+
resources.port=80
resources.authType=HTTP_NOAUTH
-{{ end }}
+
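Review bot: `resources.port=80` with `resources.authType=HTTP_NOAUTH` is now the only configuration, so every call from sparky-be to the `aai` resources host is sent unauthenticated and in cleartext, with no chart-level switch to turn protection back on. That is only acceptable if something outside this file supplies mutual TLS and authorization (presumably the service mesh sidecar, given the Istio annotation elsewhere in this chart), and nothing here states that dependency. I would add a comment above these two lines, such as `# No app-level TLS or auth: mTLS and authorization must be enforced by the service mesh`, and note in the chart documentation that deploying without the mesh is unsupported.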
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties
index 422e7ce150..c6e1baac2a 100644
--- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties
+++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties
@@ -1,4 +1,5 @@
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -13,13 +14,6 @@
# limitations under the License.
server.port=8000
-{{ if ( include "common.needTLS" .) }}
-server.ssl.key-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-server.ssl.key-store-password=${KEYSTORE_PASSWORD}
-server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.trust-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-{{ else }}
security.require-ssl=false
server.ssl.enabled=false
-{{ end }}
+
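Review bot: After this hunk `application-ssl.properties` contains only `security.require-ssl=false` and `server.ssl.enabled=false`, which is the opposite of what the file name promises. In the same commit `spring.profiles.active` in application.properties is hard-coded to end in `http`, so this profile file is presumably never loaded at all. Either delete the file, or if it is still read, add a header comment such as `# TLS is intentionally disabled here; transport security is delegated to the service mesh`. It is also worth confirming that `server.port=8000` is not meant to apply, since the chart's values now use 9517 as the internal port.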
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties
index 90cb00069e..b5ad6b3f4a 100644
--- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties
+++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties
@@ -1,4 +1,5 @@
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,16 +23,10 @@ spring.mvc.favicon.enabled=false
# and in the values.yaml change the internalPort to 9517
#
-spring.profiles.active=camel,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy,{{ ( eq "true" ( include "common.needTLS" .)) | ternary "ssl" "http" }}
+spring.profiles.active=camel,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy,http
portal.cadiFileLocation={{.Values.config.cadiFileLocation}}
searchservice.hostname={{.Values.global.searchData.serviceName}}
searchservice.port=9509
-{{ if ( include "common.needTLS" .) }}
-searchservice.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-searchservice.client-cert-password=${KEYSTORE_PASSWORD}
-searchservice.truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-searchservice.truststore-password=${TRUSTSTORE_PASSWORD}
-{{ end }}
schema.ingest.file=${CONFIG_HOME}/schemaIngest.properties
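Review bot: `portal.cadiFileLocation={{.Values.config.cadiFileLocation}}` survives as a context line in this hunk, but the same commit deletes `cadiFileLocation` from this chart's values.yaml and removes `resources/config/portal/cadi.properties`. The key therefore renders from an undefined value: empty at best, a render failure under strict linting. If sparky-be no longer reads a CADI file, drop the line here; if it still does, the value and the file need to stay. The `config.portal*` entries left in values.yaml, including `portalPassword` with its cleartext in the trailing comment, look orphaned in the same way now that portal-authentication.properties is deleted, and are worth removing in this change too.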
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/key.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/key.properties
deleted file mode 100644
index 67268e33e2..0000000000
--- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/key.properties
+++ /dev/null
@@ -1 +0,0 @@
-cipher.enc.key=AGLDdG4D04BKm2IxIWEr8o==!
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties
deleted file mode 100644
index 7a0fb8250b..0000000000
--- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties
+++ /dev/null
@@ -1,49 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-################################################################################
-############################## Portal properties ###############################
-################################################################################
-
-# Java class that implements the ECOMP role and user mgt API
-*/}}
-portal.api.impl.class = org.onap.aai.sparky.security.portal.PortalRestAPICentralServiceImpl
-
-# Instance of ECOMP Portal where the app has been on-boarded
-# use insecure http for dev purposes to avoid self-signed certificate
-ecomp_rest_url = https://portal-app:8443/ONAPPORTAL/auxapi
-
-# Standard global logon page
-ecomp_redirect_url = https://portal.api.simpledemo.onap.org:30225/ONAPPORTAL/login.htm
-
-# Name of cookie to extract on login request
-csp_cookie_name = EPService
-# Alternate values: DEVL, V_DEVL, V_PROD
-csp_gate_keeper_prod_key = PROD
-
-# Toggles use of UEB
-ueb_listeners_enable = false
-# IDs application withing UEB flow
-ueb_app_key=ueb_key_7
-# Use this tag if the app is centralized
-role_access_centralized=remote
-
-# Connection and Read timeout values
-ext_req_connection_timeout=15000
-ext_req_read_timeout=20000
-
-#Add AAF namespace if the app is centralized
-auth_namespace={{ .Values.certInitializer.fqi_namespace }}
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties
deleted file mode 100644
index baefd9806b..0000000000
--- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties
+++ /dev/null
@@ -1,49 +0,0 @@
-# Configure AAF
-aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095
-aaf_url=<%=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1
-
-#aaf_url=https://DME2RESOLVE/service=com.att.authz.AuthorizationService/version=2.0/envContext=TEST/routeOffer=BAU_SE
-# AAF Environment Designation
-
-#if you are running aaf service from a docker image you have to use aaf service IP and port number
-aaf_id={{ .Values.certInitializer.fqi }}
-#Encrypt the password using AAF Jar
-aaf_password={{ .Values.certInitializer.aafDeployPass }}
-# Sample CADI Properties, from CADI 1.4.2
-#hostname=org.onap.aai.orr
-csp_domain=PROD
-# Add Absolute path to Keyfile
-cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile
-cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-cadi_keystore_password=${KEYSTORE_PASSWORD}
-
-cadi_alias={{ .Values.certInitializer.fqi }}
-
-# This is required to accept Certificate Authentication from Certman certificates.
-# can be TEST, IST or PROD
-aaf_env=DEV
-
-# DEBUG prints off all the properties. Use to get started.
-cadi_loglevel=DEBUG
-
-# Add Absolute path to truststore2018.jks
-cadi_truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-# Note: This is the ONLY password that doesn't have to be encrypted. All Java's TrustStores are this passcode by default, because they are public certs
-cadi_truststore_password=${TRUSTSTORE_PASSWORD}
-
-# how to turn on SSL Logging
-#javax.net.debug=ssl
-
-# Use "maps.bing.com" to get Lat and Long for an Address
-AFT_LATITUDE=32.780140
-AFT_LONGITUDE=-96.800451
-AFT_ENVIRONMENT=AFTUAT
-AFT_DME2_CLIENT_IGNORE_SSL_CONFIG=true
-DME2.DEBUG=true
-AFT_DME2_HTTP_EXCHANGE_TRACE_ON=true
-
-cadi_latitude=32.780140
-cadi_longitude=-96.800451
-
-aaf_root_ns=com.att.aaf
-aaf_api_version=2.0
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/keyFile b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/keyFile
deleted file mode 100644
index 921ce6714a..0000000000
--- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/keyFile
+++ /dev/null
@@ -1,27 +0,0 @@
-77E_fh-8gTjeg8egAo-JgNkXYm1FGEBPMo44vKPgKyGCJj9Dn0xJqIBct2Ko35X4_HSU3wPq3I2q
-YHIvJCjmzXTVu2zvu4rIGTlwycTtLGDkgPyhOYFytv4GgazbpSs9331MPUeVVrdpkDCQmjtHSB4m
-DThhfEe2lkbZ35ljX3sVSf3JDy4ngRot0ktQwnnY4vxFdgVUl7LzVinXWgFLoqMyXmKh_bGw9aUH
-VMgqFsF_YmqLZY5ZARAraeywktvrU5kXYh5SnfXoJy7XIk0TBjHKqO-1mW-TcIgS3_v6GIGkZnpq
-e1FyE8cS21gTPFlc1KDoWUZE2yoEsQKJc4RFWfjid_mE6nckxym1TOsEn3G2_TlkZvliN_QMDB_c
-RuFLDB9HCChm4YYHpSn-RBqtJFz29bMTHQX8VNVfZ_Zhh-4dWOlEfpSzJvAqm_boo-8y8YDGIusx
-mvKyPXEKVCuBOljHaKhYg0d43nAXIFsssKpjmtQizA2L_TP1Mo_lDFIlCsPcRlHKTvzkTstEAhRj
-JnepzA--olBMwBkPxjm1Y5XQBGZH72i_o4Hr7_NqHb9sP486I2Nd1-owjHkhacGrLO1oORnuBUxp
-_SnaXYywe9tTz3BcfFupXSoDv4Sj7g9B53yPIWmjGggigidql3SNJsui6qOtwDHOejzEDFm23Lj7
-fXD6sb52U_ul9ahi4CoLTzpvMsPRYOqyRCk8K8FVBauZbG5D42oaFPn0S0rCSHOCU1TXbRdTF-Cs
-I2R0pEHNgb33yx6vtInaTSYIQ5cxa3XDA_50AQearV5SuYSlp8dK0BkpVCKgvSQdTn-2WiaV_hvO
-KzG7D2adT1kYY6TjYMXIaUiJ33y1XSNDG0s6r4NG5dNE6Jj7thdpnV-AAZoi0uZh1_bsHKLVmHRr
-NCXAc6DZm1D4N9y5lOJwUprUlJisZXLFTQThGMRY5dtiY_eK9Xjj4FQygXXhuhFXHz2-e4YApORv
-lXDcT29IZuuI1j26bxdNdhNr1wZsqqievBN6l6OQMiP21eIrxAUu1BEmiVOrfOzaEjxldDN2gFum
-4-zf9gsQT9UT8KEuOje64wVeHr09JpWuddV9HOAMvqc6mKTWmvUv_QiLgtK_b39QccMrOfOA1usM
-biRJ9wuTYIr584Q9CjHEcm5e2YufcbF-IDZ4IDui8gNXyYJuusTYdspeKzrtiLKfgI56ZWA3it9G
-SOkN18YyUmhk7HFkx9qEifb4UEbUQPb0dyXBRotf-91c5CPkct-36uV4sZBA_AR1tX3-aRKKB_SQ
-B0zaG-eaEdEqKv-ZYHqk23ZxiEsCX3ZdY7VSMWztE3_D5n8UgEl4et5LVfnjvU-arVVO93WUbXk0
-zi2QrOwytOZ0StAvFdF1nVwWllPg4EYcn8qLJIaaBRvLMlpHixtwRhltwJeMmJl3ExImOxNhVbhF
-6LxVXW6JK8JfMIwb_TE4EShDBjemq76BojQOwrO4OAyPG7B5iUtefdY-Zu1EtjXPhrUgljI_A1tg
-5_2WNjNTCT7Bvig3saFsIRi3cvgIcMAF2H7kJYw3UDvCFnx4LIom2u6vSeyatPxEOhRfpP0KvgEU
-koM9DFJW7VWQ11mB_DcU2NoYHdFKFy_cM62kIvoRwZTADGryEtkLSWEDT8MLpVrGXP2RjSZ3HHqC
-vVpVqQHC2VIqNKi2uHtYCiTEfj81Z0rCrnH3hYIRoOSe5W6m17xyb0RloG0G44uK0oNCfDYLwK0L
-TJaBdWSIBYI__ISsKx8o8r-3XLtbwQPPhv4-LpGwJYd7sIcqnpTYAyNGSrbEM4ECzHCH9Hwf9Duy
-cAQGWqXIbTV9i8ryw8OhcCZPTf3noPZyhzzdegiv6KNT-BBbxsgtDehtP-jvpd9eAhjlfUV_hoFJ
-rBUVMFrIOEDnnItVqBDmnavRdhn6N9ObVjVMv_4inhkvtpBCEVxtVQT2kFuBmZvPu_uHHbXi7_g8
-SVs3AjJ2ya3pZraK6gH3IOYoGtTAH3rKl7XdTMjqWnUCbhepuJqeEOF-DhpsEW7Oo0Lqzbjg \ No newline at end of file
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/portal-authentication.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/portal-authentication.properties
deleted file mode 100644
index e1ddd326f9..0000000000
--- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/portal-authentication.properties
+++ /dev/null
@@ -1,36 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#####################################################################################
-############################## Portal Auth Properties ##############################
-#####################################################################################
-
-############################## Auth ##############################
-*/}}
-username={{.Values.config.portalUsername}}
-password={{.Values.config.portalPassword}}
-
-{{/*
-############################## ##############################
-#
-# ONAP Cookie Processing - During initial development, this flag, if true, will
-# prevent the portal interface's login processing from searching for a user
-# specific cookie, and will instead allow passage if a valid session cookie is
-# discovered.
-*/}}
-onap_enabled={{.Values.config.portalOnapEnabled}}
-onap.user_id_cookie_name={{.Values.config.portalCookieName}}
-cookie_decryptor_classname={{.Values.config.cookieDecryptorClass}}
-app_roles={{.Values.config.portalAppRoles}}
diff --git a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml
index fee07d8acf..7c958fa410 100644
--- a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml
@@ -27,29 +27,3 @@ metadata:
heritage: {{ .Release.Service }}
data:
{{ tpl (.Files.Glob "resources/config/application/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-portal
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/portal/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-portal-props
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/portal/BOOT-INF/classes/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml
index 8f696007a6..cf7a309ef0 100644
--- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml
@@ -2,6 +2,7 @@
# Copyright (c) 2017 Amdocs, Bell Canada
# Modifications Copyright (c) 2018 AT&T
# Modifications Copyright (c) 2020 Nokia
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,15 +19,9 @@
apiVersion: apps/v1
kind: Deployment
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
spec:
+ selector: {{- include "common.selectors" . | nindent 4 }}
replicas: {{ .Values.replicaCount }}
strategy:
type: {{ .Values.updateStrategy.type }}
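Review bot: `selector: {{- include "common.selectors" . | nindent 4 }}` replaces the literal `matchLabels` on the `app` label that a later hunk in this file removes, and `spec.selector` of an apps/v1 Deployment is immutable. If `common.selectors` (defined outside this diff) renders any label set other than the old `app` label, `helm upgrade` of an existing release will be rejected until the Deployment is deleted and recreated. Please confirm the rendered selector against a deployed release, or document the delete-before-upgrade step in the release notes.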
@@ -35,48 +30,10 @@ spec:
maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }}
maxSurge: {{ .Values.updateStrategy.maxSurge }}
{{- end }}
- selector:
- matchLabels:
- app: {{ include "common.name" . }}
template:
- metadata:
- annotations:
- sidecar.istio.io/rewriteAppHTTPProbers: "false"
- labels:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- name: {{ include "common.name" . }}
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- {{- if ( include "common.needTLS" .) }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \
- | xargs -0)
- if [ -z "$KEYSTORE_PASSWORD" ]
- then
- echo " /!\ certificates retrieval failed"
- exit 1
- fi
- echo "*** write them in portal part"
- cd /config-input
- for PFILE in `ls -1 .`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: portal-config-input
- - mountPath: /config
- name: portal-config
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
+ initContainers:
- command:
- /app/ready.py
args:
@@ -100,22 +57,12 @@ spec:
args:
- -c
- |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \
- | xargs -0)
echo "*** actual launch of AAI Sparky BE"
/opt/app/sparky/bin/start.sh
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
- - mountPath: /opt/app/sparky/config/auth/csp-cookie-filter.properties
- name: auth-config
- subPath: csp-cookie-filter.properties
- - mountPath: /opt/app/sparky/config/portal/
- name: portal-config
- - mountPath: /opt/app/sparky/config/portal/BOOT-INF/classes/
- name: portal-config-props
- mountPath: {{ .Values.log.path }}
name: logs
- mountPath: /opt/app/sparky/config/application.properties
@@ -145,21 +92,19 @@ spec:
- mountPath: /opt/app/sparky/config/logging/logback.xml
name: config
subPath: logback.xml
- ports:
- - containerPort: {{ .Values.service.internalPort }}
- - containerPort: {{ .Values.service.internalPlainPort }}
+ ports: {{ include "common.containerPorts" . | nindent 10 }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{- if eq .Values.liveness.enabled true }}
livenessProbe:
tcpSocket:
- port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+ port: {{ .Values.service.internalPort }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end -}}
readinessProbe:
tcpSocket:
- port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+ port: {{ .Values.service.internalPort }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
resources: {{ include "common.resources" . | nindent 10 }}
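Review bot: Both probes now read `port: {{ .Values.service.internalPort }}`, while the container ports come from `common.containerPorts`, which is not visible here but presumably renders `service.ports[].internal_port`. values.yaml carries 9517 in both places, so an override that changes only one of them leaves the probes checking a port the container does not declare. I would add a comment next to `internalPort` in values.yaml, for example `# used by the liveness/readiness probes; must equal service.ports[0].internal_port`, or derive the probe port from the `ports` list. The container spec begins and ends outside this hunk.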
@@ -175,27 +120,13 @@ spec:
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
- name: config
configMap:
name: {{ include "common.fullname" . }}
- - name: portal-config
- {{- if .Values.global.aafEnabled }}
- emptyDir:
- medium: Memory
- - name: portal-config-input
- {{- end }}
- configMap:
- name: {{ include "common.fullname" . }}-portal
- - name: portal-config-props
- configMap:
- name: {{ include "common.fullname" . }}-portal-props
- - name: auth-config
- secret:
- secretName: {{ include "common.fullname" . }}
- name: logs
emptyDir: {}
{{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
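Review bot: The `localtime` volume kept in this list is still a `hostPath` mount of the node's `/etc/localtime`, and hostPath volumes are not permitted under the Kubernetes Pod Security Standards Baseline profile. The pod therefore cannot be admitted to a namespace that enforces `baseline` or `restricted`. Since this hunk is already pruning the volume list, it would be a good place to drop the host mount (together with its `volumeMounts` entry in the earlier hunk) and, if the application needs a time zone, set it through a `TZ` environment variable. The pod spec starts and ends outside this hunk.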
diff --git a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml
index 9e3ffd6f56..10d9e2a07d 100644
--- a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml
@@ -14,24 +14,4 @@
# limitations under the License.
*/}}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- ports:
- - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }}
- port: {{ .Values.service.externalPort }}
- targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
- {{- if eq .Values.service.type "NodePort" }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- {{- end }}
- type: {{ .Values.service.type }}
- selector:
- app: {{ include "common.name" . }}
+{{ include "common.service" . }}
diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml
index 29953b4b66..8ec45536b8 100644
--- a/kubernetes/aai/components/aai-sparky-be/values.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/values.yaml
@@ -1,5 +1,6 @@
# Copyright (c) 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright (c) 2020 Nokia, Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,40 +28,6 @@ global: # global defaults
searchData:
serviceName: aai-search-data
-
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-sparky-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: "aai"
- app_ns: "org.osaaf.aaf"
- fqi_namespace: "org.onap.aai"
- fqi: "aai@aai.onap.org"
- public_fqdn: "aaf.osaaf.org"
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- credsPath: /opt/app/osaaf/local
- aaf_add_config: |
- echo "*** changing passwords into shell safe ones"
- export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** save the generated passwords"
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R 1000 {{ .Values.credsPath }}
-
# application image
image: onap/sparky-be:2.0.3
pullPolicy: Always
@@ -78,7 +45,6 @@ config:
portalPassword: OBF:1t2v1vfv1unz1vgz1t3b # aaiui
portalCookieName: UserId
portalAppRoles: ui_view
- cadiFileLocation: /opt/app/sparky/config/portal/cadi.properties
cookieDecryptorClass: org.onap.aai.sparky.security.BaseCookieDecryptor
# ONAP Cookie Processing - During initial development, the following flag, if true, will
@@ -87,11 +53,6 @@ config:
portalOnapEnabled: true
#
-# override chart name (sparky-be) to share a common namespace
-# suffix with parent chart (aai)
-nsSuffix: aai
-
-
# default number of instances
replicaCount: 1
@@ -118,11 +79,12 @@ readiness:
service:
type: NodePort
- portName: http
- externalPort: 8000
- internalPort: 8000
- internalPlainPort: 9517
- nodePort: 20
+ internalPort: 9517
+ ports:
+ - name: http
+ port: 8000
+ internal_port: 9517
+ nodePort: 20
ingress:
enabled: false
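Review bot: `type: NodePort` remains the default while this commit removes the chart's TLS path, so the only listener is published as plain `http` on a node port. That assumes `common.service` honours `type` and `nodePort`; its template is outside this diff. That exposure does not pass through the ingress, where the next hunk shows `ssl: "redirect"` configured, so the UI may be reachable from outside the cluster without TLS unless a mesh or network policy blocks it. I would default to `type: ClusterIP` and leave external exposure to the ingress, or at least add `# NodePort serves cleartext HTTP; restrict it with a network policy or switch to ClusterIP behind the ingress` above the `type` line.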
@@ -133,6 +95,9 @@ ingress:
config:
ssl: "redirect"
+podAnnotations:
+ sidecar.istio.io/rewriteAppHTTPProbers: "false"
+
# Configure resource requests and limits
# ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
diff --git a/kubernetes/aai/components/aai-traversal/Chart.yaml b/kubernetes/aai/components/aai-traversal/Chart.yaml
index f5a6a923a6..866f18fb4a 100644
--- a/kubernetes/aai/components/aai-traversal/Chart.yaml
+++ b/kubernetes/aai/components/aai-traversal/Chart.yaml
@@ -1,6 +1,6 @@
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,12 +22,6 @@ version: 12.0.0
dependencies:
- name: common
version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
- version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
version: ~12.x-0
diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/bath_config.csv b/kubernetes/aai/components/aai-traversal/resources/config/aaf/bath_config.csv
deleted file mode 100644
index ec60ef7e53..0000000000
--- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/bath_config.csv
+++ /dev/null
@@ -1,27 +0,0 @@
-# AAI -> aai@aai.onap.org
-Basic QUFJOkFBSQ==,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# ModelLoader -> aai@aai.onap.org
-Basic TW9kZWxMb2FkZXI6TW9kZWxMb2FkZXI=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# AaiUI -> aai@aai.onap.org,
-Basic QWFpVUk6QWFpVUk=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# MSO -> so@so.onap.org
-Basic TVNPOk1TTw==,Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1NiE=,2050-03-03
-
-# SDNC -> sdnc@sdnc.onap.org
-Basic U0ROQzpTRE5D,Basic c2RuY0BzZG5jLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03
-
-# DCAE -> dcae@dcae.onap.org
-Basic RENBRTpEQ0FF,Basic ZGNhZUBkY2FlLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03
-
-# POLICY -> policy@policy.onap.org
-Basic UE9MSUNZOlBPTElDWQ==,Basic cG9saWN5QHBvbGljeS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# ASDC -> sdc@sdc.onap.org
-Basic QVNEQzpBU0RD,Basic c2RjQHNkYy5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# OOF -> oof@oof.onap.org
-Basic T09GOk9PRg==,Basic b29mQG9vZi5vbmFwLm9yZzpkZW1vMTIzNDQ2IQ==,2050-03-03
-
diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/cadi.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaf/cadi.properties
deleted file mode 100644
index 2b19da9f6f..0000000000
--- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/cadi.properties
+++ /dev/null
@@ -1,8 +0,0 @@
-
-cadi_loglevel=INFO
-cadi_prop_files=/opt/app/aai-traversal/resources/aaf/org.osaaf.location.props:/opt/app/aai-traversal/resources/aaf/org.onap.aai.props
-
-# OAuth2
-aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token
-aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect
-
diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.onap.aai.props b/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.onap.aai.props
deleted file mode 100644
index b46defa6b7..0000000000
--- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.onap.aai.props
+++ /dev/null
@@ -1,16 +0,0 @@
-############################################################
-# Properties Generated by AT&T Certificate Manager
-# @copyright 2016, AT&T
-# Modifications Copyright (c) 2020 Orange
-############################################################
-cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
-cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile
-cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-cadi_keystore_password=${KEYSTORE_PASSWORD}
-
-#cadi_key_password=enc:9xs_lJ9QQRDoMcHqLbGg40-gefGrw-sLMjWL40ejbyqdC7Jt_pQfY6ajBLGcbLuL
-cadi_alias=aai@aai.onap.org
-cadi_truststore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks
-cadi_truststore_password=${TRUSTSTORE_ALL_PASSWORD}
-cadi_loglevel=INFO
-cadi_bath_convert=/opt/app/aai-traversal/resources/aaf/bath_config.csv
diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.osaaf.location.props b/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.osaaf.location.props
deleted file mode 100644
index b9ec6b4641..0000000000
--- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.osaaf.location.props
+++ /dev/null
@@ -1,23 +0,0 @@
-##
-## org.osaaf.location.props
-##
-## Localized Machine Information
-##
-# Almeda California ?
-cadi_latitude=37.78187
-cadi_longitude=-122.26147
-
-# Locate URL (which AAF Env)
-aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095
-
-# AAF URL
-aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1
-
-# AAF Environment Designation
-aaf_env=DEV
-
-# OAuth2 Endpoints
-aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token
-aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect
-
-
diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/permissions.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaf/permissions.properties
deleted file mode 100644
index d4956f577c..0000000000
--- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/permissions.properties
+++ /dev/null
@@ -1,2 +0,0 @@
-permission.type=org.onap.aai.traversal
-permission.instance=* \ No newline at end of file
diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties
index b8a2b5fe03..559166ba8e 100644
--- a/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties
+++ b/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties
@@ -5,6 +5,7 @@
# ================================================================================
# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,16 +28,9 @@ aai.config.checktime=1000
# this could come from siteconfig.pl?
aai.config.nodename=AutomaticallyOverwritten
-
-{{ if ( include "common.needTLS" .) }}
-aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/
-aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/
-aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/
-{{else}}
aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/
aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/
aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/
-{{ end }}
{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }}
aai.tools.enableBasicAuth=true
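Review bot: With the TLS branch removed, `aai.server.url.base`, `aai.server.url` and `aai.global.callback.url` are always `http://`, yet the condition right below still turns on `aai.tools.enableBasicAuth` when `global.config.basic.auth.enabled` is set without a service mesh, so in that configuration the basic-auth username and password cross the cluster network unencrypted. If transport protection is now expected only from the mesh, state that in a comment above the URLs and consider failing the render otherwise, e.g. `{{- if and .Values.global.config.basic.auth.enabled (not (include "common.onServiceMesh" .)) }}{{ fail "basic auth without service mesh sends credentials over plain HTTP" }}{{- end }}`. The same concern applies to the hard-coded `server.ssl.enabled=false` and `dmaap.ribbon.transportType=http` in the `@@ -43,23 +44,13 @@` hunk of application.properties.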
@@ -44,13 +38,6 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }}
aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
-{{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
-aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
-{{ end }}
-
aai.notification.current.version={{ .Values.global.config.schema.version.api.default }}
aai.notificationEvent.default.status=UNPROCESSED
aai.notificationEvent.default.eventType={{ .Values.global.config.notification.eventType }}
diff --git a/kubernetes/aai/components/aai-traversal/resources/config/application.properties b/kubernetes/aai/components/aai-traversal/resources/config/application.properties
index 3022b17f97..caed64513a 100644
--- a/kubernetes/aai/components/aai-traversal/resources/config/application.properties
+++ b/kubernetes/aai/components/aai-traversal/resources/config/application.properties
@@ -1,6 +1,7 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -28,7 +29,7 @@ spring.main.allow-bean-definition-overriding=true
server.servlet.context-path=/
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration
-spring.profiles.active={{ .Values.global.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }}
+spring.profiles.active={{ .Values.global.config.profiles.active }}
spring.jersey.application-path=${schema.uri.base.path}
#The max number of active threads in this pool
server.tomcat.max-threads=200
@@ -43,23 +44,13 @@ server.local.startpath=aai-traversal/src/main/resources/
server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties
server.port=8446
-{{ if ( include "common.needTLS" .) }}
-server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-server.ssl.key-store-password=${KEYSTORE_PASSWORD}
-server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-server.ssl.client-auth=want
-server.ssl.key-store-type=JKS
-{{ else }}
security.require-ssl=false
server.ssl.enabled=false
-{{ end }}
# JMS bind address host port
jms.bind.address=tcp://localhost:61647
-dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }}
-dmaap.ribbon.transportType={{ include "common.scheme" . }}
+dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3904
+dmaap.ribbon.transportType=http
# Schema related attributes for the oxm and edges
# Any additional schema related attributes should start with prefix schema
@@ -98,14 +89,7 @@ schema.service.nodes.endpoint=nodes?version=
schema.service.edges.endpoint=edgerules?version=
schema.service.versions.endpoint=versions
schema.service.custom.queries.endpoint=stored-queries
-schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
-
-{{ if ( include "common.needTLS" .) }}
-schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD}
-schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-{{ end }}
+schema.service.client=no-auth
#to expose the Prometheus scraping endpoint
management.port=8448
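Review bot: `schema.service.client=no-auth` is now a literal, so this template no longer reads `.Values.global.config.schema.service.client`, while the `@@ -70,7 +70,7 @@` hunk of aai-traversal/values.yaml and the `@@ -217,7 +211,7 @@` hunk of aai/values.yaml keep that key (now `client: no-auth`) under a comment that still offers one-way ssl, two-way ssl or no auth. An operator who sets the value back to `one-way-ssl` would see no effect in this file. Either keep the lookup, `schema.service.client={{ .Values.global.config.schema.service.client }}`, or drop the key and replace the stale comment with `# schema-service client auth is fixed to no-auth in application.properties`. Other templates may still read the key; that is not visible in this diff.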
diff --git a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml
index 8f1bd2ddc8..e3d7299c3a 100644
--- a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml
@@ -1,6 +1,7 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Copyright © 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -34,19 +35,3 @@ data:
{{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-aaf-props
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/aaf/org.osaaf.location.props").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/permissions.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.props").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/cadi.properties").AsConfig . | indent 2 }}
diff --git a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml
index 9f77d1d686..f390b1c9bf 100644
--- a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml
@@ -3,6 +3,7 @@
# Modifications Copyright (c) 2018 AT&T
# Modifications Copyright (c) 2020 Nokia, Orange
# Modifications Copyright (c) 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -98,7 +99,7 @@ spec:
spec:
hostname: aai-traversal
terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ initContainers:
- command:
- /app/ready.py
args:
@@ -138,13 +139,9 @@ spec:
args:
- -c
- |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
echo "*** actual launch of AAI Resources"
/bin/bash /opt/app/aai-traversal/docker-entrypoint.sh
env:
- - name: TRUSTORE_ALL_PASSWORD
- value: {{ .Values.certInitializer.truststorePassword }}
- name: DISABLE_UPDATE_QUERY
value: {{ .Values.config.disableUpdateQuery | quote }}
- name: LOCAL_USER_ID
@@ -157,7 +154,7 @@ spec:
value: {{ .Values.service.internalPort2 | quote }}
- name: INTERNAL_PORT_3
value: {{ .Values.service.internalPort3 | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -183,21 +180,6 @@ spec:
- mountPath: /opt/app/aai-traversal/resources/etc/auth/realm.properties
name: {{ include "common.fullname" . }}-config
subPath: realm.properties
- - mountPath: /opt/app/aai-traversal/resources/aaf/bath_config.csv
- name: {{ include "common.fullname" . }}-aaf-certs
- subPath: bath_config.csv
- - mountPath: /opt/app/aai-traversal/resources/aaf/org.onap.aai.props
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: org.onap.aai.props
- - mountPath: /opt/app/aai-traversal/resources/aaf/org.osaaf.location.props
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: org.osaaf.location.props
- - mountPath: /opt/app/aai-traversal/resources/aaf/permissions.properties
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: permissions.properties
- - mountPath: /opt/app/aai-traversal/resources/cadi.properties
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: cadi.properties
- mountPath: /opt/app/aai-traversal/resources/application.properties
name: {{ include "common.fullname" . }}-config
subPath: application.properties
@@ -227,7 +209,7 @@ spec:
httpGet:
path: /aai/util/echo?action=checkDB
port: {{ .Values.service.internalPort }}
- scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }}
+ scheme: HTTP
httpHeaders:
- name: X-FromAppId
value: LivenessCheck
@@ -242,7 +224,7 @@ spec:
httpGet:
path: /aai/util/echo?action=checkDB
port: {{ .Values.service.internalPort }}
- scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }}
+ scheme: HTTP
httpHeaders:
- name: X-FromAppId
value: ReadinessCheck
@@ -265,7 +247,7 @@ spec:
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
@@ -277,15 +259,6 @@ spec:
- name: {{ include "common.fullname" . }}-config
configMap:
name: {{ include "common.fullname" . }}
- - name: {{ include "common.fullname" . }}-aaf-properties
- configMap:
- name: {{ include "common.fullname" . }}-aaf-props
- - name: {{ include "common.fullname" . }}-aaf-certs
- secret:
- secretName: {{ include "common.fullname" . }}-aaf
- - name: aai-common-aai-auth-mount
- secret:
- secretName: aai-common-aai-auth
restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/aai/components/aai-traversal/templates/job.yaml b/kubernetes/aai/components/aai-traversal/templates/job.yaml
index f37610b217..13839973c3 100644
--- a/kubernetes/aai/components/aai-traversal/templates/job.yaml
+++ b/kubernetes/aai/components/aai-traversal/templates/job.yaml
@@ -2,6 +2,7 @@
# Copyright (c) 2017-2018 AT&T
# Modifications Copyright (c) 2018 Amdocs, Bell Canada
# Modifications Copyright (c) 2020 Nokia, Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -48,10 +49,6 @@ spec:
args:
- --container-name
- aai
- {{ if eq .Values.global.aafEnabled true }}
- - --container-name
- - aaf-locate
- {{ end }}
env:
- name: NAMESPACE
valueFrom:
@@ -71,14 +68,10 @@ spec:
- |
set -x
if [ ! -d /opt/aai/logroot/AAI-GQ/misc ]; then mkdir -p /opt/aai/logroot/AAI-GQ/misc; fi
- {{- if (include "common.needTLS" .) }}
- until nc -w10 -z -v aai.{{.Release.Namespace}} 8443; do echo "Retrying to reach aai on port 8443"; done;
- bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh
- {{- else }}
until nc -w10 -z -v aai.{{.Release.Namespace}} 80; do echo "Retrying to reach aai on port 80"; done;
bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh ;
{{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
- {{- end }}
+
env:
- name: LOCAL_USER_ID
value: {{ .Values.global.config.userId | quote }}
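Review bot: The wait loop that is now the only path, `until nc -w10 -z -v aai.{{.Release.Namespace}} 80; do echo "Retrying to reach aai on port 80"; done;`, has no pause and no retry limit, so when the port refuses connections `nc` returns immediately and the container spins and floods the log (the script runs under `set -x`). A delay is enough: `do echo "Retrying to reach aai on port 80"; sleep 5; done;`. The hunk also adds an empty line before `env:`; indentation is lost on this page, so whether it falls inside the `|` block scalar cannot be checked here. The container spec starts and ends outside the hunk.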
diff --git a/kubernetes/aai/components/aai-traversal/templates/secret.yaml b/kubernetes/aai/components/aai-traversal/templates/secret.yaml
deleted file mode 100644
index 8e022fe6b0..0000000000
--- a/kubernetes/aai/components/aai-traversal/templates/secret.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-# Copyright © 2021 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-aaf
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/aaf/bath_config.csv").AsSecrets . | indent 2 }} \ No newline at end of file
diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml
index 8dfe8438ab..9cf1d89946 100644
--- a/kubernetes/aai/components/aai-traversal/values.yaml
+++ b/kubernetes/aai/components/aai-traversal/values.yaml
@@ -1,6 +1,7 @@
# Copyright (c) 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright (c) 2020 Nokia
# Modifications Copyright (c) 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,7 +20,6 @@
# Declare variables to be passed into your templates.
global: # global defaults
nodePortPrefix: 302
- aafEnabled: true
cassandra:
#Service Name of the cassandra cluster to connect to.
@@ -59,7 +59,7 @@ global: # global defaults
# Active spring profiles for the resources microservice
profiles:
- active: production,dmaap #,aaf-auth ,keycloak
+ active: production,dmaap
# Notification event specific properties
notification:
@@ -70,7 +70,7 @@ global: # global defaults
schema:
# Specifies if the connection should be one way ssl, two way ssl or no auth
service:
- client: one-way-ssl
+ client: no-auth
# Specifies which translator to use if it has schema-service, then it will make a rest request to schema service
translator:
list: schema-service
@@ -106,39 +106,6 @@ global: # global defaults
realtime:
clients: SDNC,MSO,SO,robot-ete
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-traversal-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: aai-traversal
- fqi: aai-traversal@aai-traversal.onap.org
- public_fqdn: aai-traversal.onap.org
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- app_ns: org.osaaf.aaf
- credsPath: /opt/app/osaaf/local
- fqi_namespace: org.onap.aai-traversal
- aaf_add_config: |
- echo "*** changing them into shell safe ones"
- export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** save the generated passwords"
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R 1000 {{ .Values.credsPath }}
-
# application image
image: onap/aai-traversal:1.11.2
pullPolicy: Always
@@ -231,12 +198,6 @@ persistence:
# default number of instances
replicaCount: 1
-minReadySeconds: 10
-updateStrategy:
- type: RollingUpdate
- maxUnavailable: 0
- maxSurge: 1
-
nodeSelector: {}
affinity: {}
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
index 03212b9f2d..307260e766 100644
--- a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg
index 8c2554efea..a953a508bf 100644
--- a/kubernetes/aai/resources/config/haproxy/haproxy.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -39,9 +40,6 @@ defaults
log global
mode http
option httplog
-{{- if ( include "common.needTLS" .) }}
- option ssl-hello-chk
-{{- end }}
option httpchk
http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ=='
default-server init-addr none
@@ -101,50 +99,6 @@ frontend IST_8080
default_backend IST_Default_8447
-{{- if ( include "common.needTLS" .) }}
-frontend IST_8443
- mode http
- bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
-# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
- option httplog
- log global
- option logasap
- option forwardfor
- capture request header Host len 100
- capture response header Host len 100
- option log-separate-errors
- option forwardfor
-
- http-request set-header X-Forwarded-Proto https
- http-request add-header X-Forwarded-Port 8443
-
- http-request set-header X-Forwarded-Proto https if { ssl_fc }
- http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
- http-request set-header X-AAI-SSL %[ssl_fc]
- http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify]
- http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn]
- http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
- http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn]
- http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
- http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
- http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64]
- http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)]
- http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)]
- http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
- http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
- http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
-#######################################
-## Request blocking configuration ###
-#######################################
- {{- if eq $.Values.haproxy.requestBlocking.enabled true }}
- {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }}
- {{ $custom_config }}
- {{- end }}
- {{- end }}
-
-{{- end }}
-
#######################
#ACLS FOR PORT 8446####
#######################
@@ -169,11 +123,7 @@ backend IST_Default_8447
stick on path
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
-{{- if ( include "common.needTLS" .) }}
- server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
-{{- else }}
server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447
-{{- end }}
#######################
# BACKEND 8446#########
@@ -185,8 +135,4 @@ backend IST_AAI_8446
stick on path
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
-{{- if ( include "common.needTLS" .) }}
- server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
-{{- else }}
server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446
-{{- end }}
diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml
index 03663454d7..2722412bb6 100644
--- a/kubernetes/aai/templates/deployment.yaml
+++ b/kubernetes/aai/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# Copyright (c) 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright (c) 2020 Nokia, Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -47,7 +48,7 @@ spec:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
spec:
terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ initContainers:
- command:
- /app/ready.py
args:
@@ -90,26 +91,23 @@ spec:
subPath: haproxy.cfg
{{ end }}
name: haproxy-cfg
- {{- include "common.certInitializer.volumeMount" . | nindent 8 }}
ports:
- containerPort: {{ .Values.service.internalPort }}
- - containerPort: {{ .Values.service.internalPlainPort }}
- containerPort: {{ .Values.metricsService.internalPort }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{- if eq .Values.liveness.enabled true }}
livenessProbe:
tcpSocket:
- port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+ port: {{ .Values.service.internalPort }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end -}}
readinessProbe:
httpGet:
path: /aai/util/echo
- port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
- #scheme: HTTPS
- scheme: {{ (eq "true" (include "common.needTLS" .)) | ternary "HTTPS" "HTTP" }}
+ port: {{ .Values.service.internalPort }}
+ scheme: HTTP
httpHeaders:
- name: X-FromAppId
value: OOM_ReadinessCheck
@@ -143,6 +141,5 @@ spec:
- name: haproxy-cfg
configMap:
name: aai-deployment-configmap
- {{ include "common.certInitializer.volumes" . | nindent 8 }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/aai/templates/service.yaml b/kubernetes/aai/templates/service.yaml
index a8c3c3957e..5bb5c8bf28 100644
--- a/kubernetes/aai/templates/service.yaml
+++ b/kubernetes/aai/templates/service.yaml
@@ -26,16 +26,17 @@ metadata:
heritage: {{ .Release.Service }}
spec:
ports:
- - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }}
- port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort .Values.service.externalPlainPort }}
- targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+ - name: {{ .Values.service.portName }}
+ port: {{ .Values.service.externalPort }}
+ targetPort: {{ .Values.service.internalPort }}
{{- if eq .Values.service.type "NodePort" }}
+ {{ if not (include "common.ingressEnabled" .) }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
+ {{ end }}
{{- end }}
- type: {{ .Values.service.type }}
+ type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}{{ .Values.service.type }}{{ end }}
selector:
app: {{ include "common.name" . }}
- clusterIP: {{ .Values.service.aaiServiceClusterIp }}
sessionAffinity: {{ .Values.service.sessionAffinity }}
---
apiVersion: v1
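Review bot: The new `{{ if not (include "common.ingressEnabled" .) }}` / `{{ end }}` pair around `nodePort` has no trim markers, unlike the enclosing `{{- if eq .Values.service.type "NodePort" }}`, so it renders whitespace-only lines into the port entry. Use `{{- if not (include "common.ingressEnabled" .) }}` and `{{- end }}`. The ingress test is repeated in the `type:` line, so a short comment above `ports:` such as `# ingress enabled: force ClusterIP and omit nodePort` would make it clear that the two conditions must stay in step.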
@@ -51,8 +52,8 @@ metadata:
spec:
ports:
- name: {{ .Values.service.portName }}
- port: {{ .Values.service.externalPlainPort }}
- targetPort: {{ .Values.service.internalPlainPort }}
+ port: {{ .Values.service.externalPort }}
+ targetPort: {{ .Values.service.internalPort }}
type: ClusterIP
selector:
app: {{ include "common.name" . }}
diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml
index f30222a2cf..2c67da036d 100644
--- a/kubernetes/aai/values.yaml
+++ b/kubernetes/aai/values.yaml
@@ -2,6 +2,7 @@
# Modifications Copyright (c) 2018 AT&T
# Modifications Copyright (c) 2020 Nokia, Orange
# Modifications Copyright (c) 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -31,9 +32,8 @@ global: # global defaults
restartPolicy: Always
- aafEnabled: true
- msbEnabled: true
- centralizedLoggingEnabled: true
+ msbEnabled: false
+ centralizedLoggingEnabled: false
cassandra:
#This will instantiate AAI cassandra cluster, default:shared cassandra.
@@ -61,10 +61,6 @@ global: # global defaults
serviceName: aai-resources
sparkyBe:
serviceName: aai-sparky-be
- dataRouter:
- serviceName: aai-data-router
- gizmo:
- serviceName: aai-gizmo
modelloader:
serviceName: aai-modelloader
searchData:
@@ -73,8 +69,6 @@ global: # global defaults
serviceName: aai-traversal
graphadmin:
serviceName: aai-graphadmin
- spike:
- serviceName: aai-spike
initContainers:
enabled: true
@@ -217,7 +211,7 @@ global: # global defaults
# Specifies if the connection should be one way ssl, two way ssl or no auth
# will be set to no-auth if tls is disabled
service:
- client: one-way-ssl
+ client: no-auth
# Specifies which translator to use if it has schema-service, then it will make a rest request to schema service
translator:
list: schema-service
@@ -292,40 +286,6 @@ aai-sparky-be:
aai-traversal:
logConfigMapNamePrefix: '{{ include "common.release" . }}-aai'
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: "aai"
- app_ns: "org.osaaf.aaf"
- fqi_namespace: "org.onap.aai"
- fqi: "aai@aai.onap.org"
- public_fqdn: "aaf.osaaf.org"
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- credsPath: /opt/app/osaaf/local
- aaf_add_config: |
- echo "*** transform AAF certs into pem files"
- mkdir -p {{ .Values.credsPath }}/certs
- keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \
- -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \
- -alias ca_local_0 \
- -storepass $cadi_truststore_password
- openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
- -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
- -passin pass:$cadi_keystore_password_p12 \
- -passout pass:$cadi_keystore_password_p12
- echo "*** generating needed file"
- cat {{ .Values.credsPath }}/certs/cert.pem \
- {{ .Values.credsPath }}/certs/cacert.pem \
- {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
- > {{ .Values.credsPath }}/certs/fullchain.pem;
- chown 1001 {{ .Values.credsPath }}/certs/*
-
# application image
dockerhubRepository: registry.hub.docker.com
image: onap/aai-haproxy:1.11.0
@@ -398,13 +358,9 @@ readiness:
service:
type: NodePort
portName: http
- externalPort: 8443
- internalPort: 8443
+ externalPort: 80
+ internalPort: 8080
nodePort: 33
- externalPlainPort: 80
- internalPlainPort: 8080
- nodeport: 33
- aaiServiceClusterIp:
sessionAffinity: None
metricsService:
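Review bot: `service.type` stays `NodePort` while `externalPort` and `internalPort` now point at the plain-HTTP listener (`80` and `8080`), so an install without ingress publishes the unencrypted AAI API, and any basic-auth credentials sent to it, on a node port. service.yaml in this commit switches to `ClusterIP` only when `common.ingressEnabled` is true. Consider defaulting to `type: ClusterIP` and documenting NodePort as an opt-in, e.g. `# NodePort exposes plain HTTP outside the cluster; use only behind a TLS-terminating proxy`. Whether ingress is enabled by default is not visible in this diff.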
@@ -436,8 +392,7 @@ ingress:
service:
- baseaddr: "aai-api"
name: "aai"
- port: 8443
- plain_port: 80
+ port: 80
config:
ssl: "redirect"
diff --git a/kubernetes/common/common/templates/_labels.tpl b/kubernetes/common/common/templates/_labels.tpl
index 993fb7dfac..f2bd1a1141 100644
--- a/kubernetes/common/common/templates/_labels.tpl
+++ b/kubernetes/common/common/templates/_labels.tpl
@@ -26,6 +26,7 @@ The function takes several arguments (inside a dictionary):
{{- define "common.labels" -}}
{{- $dot := default . .dot -}}
app.kubernetes.io/name: {{ include "common.name" $dot }}
+app: {{ include "common.name" $dot }}
{{ if not .ignoreHelmChart }}
helm.sh/chart: {{ include "common.chart" $dot }}
{{- end }}
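Review bot: The added `app:` line lands in every manifest that includes `common.labels`, so any template that already writes its own `app:` label next to the include would now render the key twice. Most YAML parsers keep the last duplicate silently, so which value wins would not be obvious. That cannot be checked from this hunk; a grep for an explicit `app:` beside `common.labels` across the charts would settle it. The doc comment above the define (it starts outside the hunk, as does the end of the define) should also state why the label is emitted next to `app.kubernetes.io/name`.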
diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl
index a685a73627..3ba945ee8b 100644
--- a/kubernetes/common/common/templates/_serviceMesh.tpl
+++ b/kubernetes/common/common/templates/_serviceMesh.tpl
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2020 Amdocs, Bell Canada, Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -66,3 +67,81 @@ exit "$RCODE"
fieldPath: metadata.namespace
{{- end }}
{{- end }}
+
+{{/*
+ Use Authorization Policies or not.
+*/}}
+{{- define "common.useAuthorizationPolicies" -}}
+{{- if (include "common.onServiceMesh" .) }}
+{{- if .Values.global.authorizationPolicies -}}
+{{- if (default false .Values.global.authorizationPolicies.enabled) -}}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+ Create Authorization Policy template.
+ If common.useAuthorizationPolicies returns true:
+ Will create authorization policy, provided with array of authorized principals in .Values.serviceMesh.authorizationPolicy.authorizedPrincipals
+ in the format:
+ authorizedPrincipals:
+ - serviceAccount: <serviceaccount name> (Mandatory)
+ namespace: <namespace name> (Optional, will default to onap)
+ allowedOperationMethods: <list of allowed HTTP operations (Optional, will default to ["GET", "POST", "PUT", "PATCH", "DELETE"])
+
+ If no authorizedPrincipals provided, will default to denying all requests to the app matched under the
+ spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: <app-to-match> ("app.kubernetes.io/name" corresponds to key defined in "common.labels", which is included in "common.service")
+
+ If common.useAuthorizationPolicies returns false:
+ Will not create an authorization policy
+*/}}
+{{- define "common.authorizationPolicy" -}}
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}}
+{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}}
+{{- $relName := include "common.release" . -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}}
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "common.servicename" . }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipals }}
+{{- range $principal := $authorizedPrincipals }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ methods:
+{{- if $principal.allowedOperationMethods }}
+{{- range $method := $principal.allowedOperationMethods }}
+ - {{ $method }}
+{{- end }}
+{{- else }}
+{{- range $method := $defaultOperationMethods }}
+ - {{ $method }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end -}}
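Review bot: The selector `app.kubernetes.io/name: {{ include "common.servicename" . }}` is built with a different helper from the one that writes the label, because `common.labels` in `_labels.tpl` sets that key from `common.name`. If the two helpers ever return different names the policy selects no workload, and Istio applies no restriction to a workload that no policy selects, so the deny-by-default described in the comment would silently not hold; `{{ include "common.name" $dot }}` keeps selector and label in step. `$trustedDomain` and `$authorizedPrincipals` are also read from `$dot.Values.serviceMesh.authorizationPolicy` before the `common.useAuthorizationPolicies` test, so a chart that includes this template without that values block would probably fail to render even with policies disabled; both lookups can move inside the `if`. The rest of the body passes `.` where the first lines use `$dot`, which only works while the template is called with the root context.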
diff --git a/kubernetes/common/network-name-gen/Chart.yaml b/kubernetes/common/network-name-gen/Chart.yaml
index 17eaa684d8..08d50145ec 100644
--- a/kubernetes/common/network-name-gen/Chart.yaml
+++ b/kubernetes/common/network-name-gen/Chart.yaml
@@ -33,4 +33,4 @@ dependencies:
- name: mariadb-init
version: ~12.x-0
repository: 'file://../mariadb-init'
- condition: not global.mariadbGalera.localCluster \ No newline at end of file
+ condition: global.mariadbGalera.globalCluster \ No newline at end of file
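Review bot: `condition: global.mariadbGalera.globalCluster` ties the `mariadb-init` dependency to a second flag that has to be kept opposite to `localCluster` by hand, and nothing rejects a values file where both are `true` or both are `false`. In those cases the init chart is presumably either deployed when it should not be or missing when it is needed. A guard in one of the chart's templates would catch this at render time, for example `{{- if eq .Values.global.mariadbGalera.localCluster .Values.global.mariadbGalera.globalCluster }}{{ fail "set exactly one of localCluster / globalCluster" }}{{- end }}`. The same applies to the identical change in `ejbca/Chart.yaml`, `modeling-etsicatalog/Chart.yaml` and `nbi/Chart.yaml`.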
diff --git a/kubernetes/common/network-name-gen/values.yaml b/kubernetes/common/network-name-gen/values.yaml
index dcf85fee39..8b8848b8aa 100644
--- a/kubernetes/common/network-name-gen/values.yaml
+++ b/kubernetes/common/network-name-gen/values.yaml
@@ -26,7 +26,10 @@ global:
mariadbGalera: &mariadbGalera
#This flag allows SO to instantiate its own mariadb-galera cluster
+ #When changing it to "true", also set "globalCluster: false"
+ #as the dependency check will not work otherwise (Chart.yaml)
localCluster: false
+ globalCluster: true
service: mariadb-galera
internalPort: 3306
nameOverride: mariadb-galera
diff --git a/kubernetes/contrib/components/ejbca/Chart.yaml b/kubernetes/contrib/components/ejbca/Chart.yaml
index e8a0134298..5c7ec253ed 100644
--- a/kubernetes/contrib/components/ejbca/Chart.yaml
+++ b/kubernetes/contrib/components/ejbca/Chart.yaml
@@ -30,7 +30,7 @@ dependencies:
- name: mariadb-init
version: ~12.x-0
repository: '@local'
- condition: not global.mariadbGalera.localCluster
+ condition: global.mariadbGalera.globalCluster
- name: repositoryGenerator
version: ~12.x-0
repository: '@local'
diff --git a/kubernetes/contrib/components/ejbca/values.yaml b/kubernetes/contrib/components/ejbca/values.yaml
index b777a7d388..c223f41f79 100644
--- a/kubernetes/contrib/components/ejbca/values.yaml
+++ b/kubernetes/contrib/components/ejbca/values.yaml
@@ -13,8 +13,11 @@
# limitations under the License.
global:
mariadbGalera: &mariadbGalera
- #This flag allows EJBCA to instantiate its own mariadb-galera cluster
+ #This flag allows SO to instantiate its own mariadb-galera cluster
+ #When changing it to "true", also set "globalCluster: false"
+ #as the dependency check will not work otherwise (Chart.yaml)
localCluster: false
+ globalCluster: true
service: mariadb-galera
internalPort: 3306
nameOverride: mariadb-galera
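Review bot: The reworded comment now says the flag lets SO instantiate its own cluster, but this is the EJBCA chart; the removed line had the right component name. The same pasted text appears in `modeling-etsicatalog/values.yaml` (previously "Modeling") and in `holmes/values.yaml`, where it sits under `postgres:` yet still speaks of a mariadb-galera cluster. I would keep the component name per chart, e.g. `#This flag allows EJBCA to instantiate its own mariadb-galera cluster`, and name Postgres in the Holmes file.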
diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml
index 2a31c73303..1c15a2dbce 100644
--- a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml
+++ b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml
@@ -54,7 +54,6 @@ spring.kafka.security.protocol: SASL_PLAINTEXT
spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG}
-
{{- if .Values.config.additional }}
{{ toYaml .Values.config.additional | nindent 2 }}
{{- end }}
diff --git a/kubernetes/cps/templates/cps-kafka-topic.yaml b/kubernetes/cps/templates/cps-kafka-topic.yaml
index c3592bcec5..88076471f7 100644
--- a/kubernetes/cps/templates/cps-kafka-topic.yaml
+++ b/kubernetes/cps/templates/cps-kafka-topic.yaml
@@ -43,4 +43,44 @@ metadata:
spec:
config:
retention.ms: {{ .Values.config.dmiCmEventsTopic.retentionMs }}
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+ name: {{ .Values.config.ncmpCmAvcSubscriptionTopic.name }}
+ labels:
+ strimzi.io/cluster: {{ include "common.release" . }}-strimzi
+spec:
+ config:
+ retention.ms: {{ .Values.config.ncmpCmAvcSubscriptionTopic.retentionMs }}
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+ name: {{ .Values.config.ncmpCmEventsTopic.name }}
+ labels:
+ strimzi.io/cluster: {{ include "common.release" . }}-strimzi
+spec:
+ config:
+ retention.ms: {{ .Values.config.ncmpCmEventsTopic.retentionMs }}
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+ name: {{ .Values.config.dmiCmAvcSubscriptionTopic.name }}
+ labels:
+ strimzi.io/cluster: {{ include "common.release" . }}-strimzi
+spec:
+ config:
+ retention.ms: {{ .Values.config.dmiCmAvcSubscriptionTopic.retentionMs }}
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+ name: {{ .Values.config.dmiCmAvcSubscriptionResponseTopic.name }}
+ labels:
+ strimzi.io/cluster: {{ include "common.release" . }}-strimzi
+spec:
+ config:
+ retention.ms: {{ .Values.config.dmiCmAvcSubscriptionResponseTopic.retentionMs }}
{{- end }} \ No newline at end of file
diff --git a/kubernetes/cps/templates/cps-kafka-user.yaml b/kubernetes/cps/templates/cps-kafka-user.yaml
index 469dddae86..154c116bd1 100644
--- a/kubernetes/cps/templates/cps-kafka-user.yaml
+++ b/kubernetes/cps/templates/cps-kafka-user.yaml
@@ -50,4 +50,36 @@ spec:
type: topic
name: {{ .Values.config.dmiCmEventsTopic.name }}
operation: All
+ - resource:
+ type: group
+ name: {{ .Values.config.ncmpCmAvcSubscriptionTopic.consumer.groupId }}
+ operation: All
+ - resource:
+ type: topic
+ name: {{ .Values.config.ncmpCmAvcSubscriptionTopic.name }}
+ operation: All
+ - resource:
+ type: group
+ name: {{ .Values.config.ncmpCmEventsTopic.consumer.groupId }}
+ operation: All
+ - resource:
+ type: topic
+ name: {{ .Values.config.ncmpCmEventsTopic.name }}
+ operation: All
+ - resource:
+ type: group
+ name: {{ .Values.config.dmiCmAvcSubscriptionTopic.consumer.groupId }}
+ operation: All
+ - resource:
+ type: topic
+ name: {{ .Values.config.dmiCmAvcSubscriptionTopic.name }}
+ operation: All
+ - resource:
+ type: group
+ name: {{ .Values.config.dmiCmAvcSubscriptionResponseTopic.consumer.groupId }}
+ operation: All
+ - resource:
+ type: topic
+ name: {{ .Values.config.dmiCmAvcSubscriptionResponseTopic.name }}
+ operation: All
{{- end }} \ No newline at end of file
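Review bot: Each of the eight new ACL entries grants `operation: All`, which includes altering and deleting the resource, where a client that only produces and consumes needs much less. If that is the case for this user, entries with `operation: Read`, `operation: Write` and `operation: Describe` on the topics and `operation: Read` on the group would limit what a compromised client could do to them; the exact set needed is not visible here. All four new topics in `values.yaml` use `groupId: ncmp-group`, so the four group entries render as the same ACL and one would be enough. The ACL list starts outside the hunk.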
diff --git a/kubernetes/cps/values.yaml b/kubernetes/cps/values.yaml
index dccc4d039c..a08690ed53 100755
--- a/kubernetes/cps/values.yaml
+++ b/kubernetes/cps/values.yaml
@@ -63,6 +63,26 @@ config:
retentionMs: 7200000
consumer:
groupId: ncmp-group
+ ncmpCmAvcSubscriptionTopic:
+ name: cm-avc-subscription
+ retentionMs: 7200000
+ consumer:
+ groupId: ncmp-group
+ ncmpCmEventsTopic:
+ name: cm-events
+ retentionMs: 7200000
+ consumer:
+ groupId: ncmp-group
+ dmiCmAvcSubscriptionTopic:
+ name: ncmp-dmi-cm-avc-subscription-ncmp-dmi-plugin
+ retentionMs: 7200000
+ consumer:
+ groupId: ncmp-group
+ dmiCmAvcSubscriptionResponseTopic:
+ name: dmi-ncmp-cm-avc-subscription
+ retentionMs: 7200000
+ consumer:
+ groupId: ncmp-group
# Enable all CPS components by default
cps-core:
diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml
index eaabfa3808..40a2d0767a 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml
@@ -3,6 +3,7 @@
# Copyright (C) 2021 Nordix Foundation.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
# ================================= LICENSE_END ==============================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "London"
description: DCAE DataFile Collector Helm charts
name: dcae-datafile-collector
version: 12.0.0
diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
index 1cc450d936..7c6b3e9649 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
@@ -3,6 +3,7 @@
# Copyright (c) 2021 Nordix Foundation.
# Copyright (c) 2022 Nokia. All rights reserved.
# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved.
+# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved.
# =========================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -51,7 +52,7 @@ certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.9.0
+image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.10.0
pullPolicy: Always
# Log directory where logging sidecar should look for log files
diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml
index 115bd257c6..cc33dd144b 100644
--- a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml
@@ -47,7 +47,7 @@ secrets:
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.heartbeat:2.6.0
+image: onap/org.onap.dcaegen2.services.heartbeat:2.6.1
pullPolicy: Always
# Log directory where logging sidecar should look for log files
diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml
index 10ce14028a..0903a310cd 100644
--- a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml
@@ -3,6 +3,7 @@
# Copyright (c) 2021 AT&T Intellectual Property
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
# ================================= LICENSE_END ==============================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "London"
description: DCAE RESTConf Collector
name: dcae-restconf-collector
version: 12.0.0
diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml
index 92467f4a7c..bed8f9cb3d 100644
--- a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml
@@ -2,6 +2,7 @@
# ============================================================================
# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved.
+# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -45,7 +46,7 @@ secrets:
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.collectors.restconfcollector:1.3.4
+image: onap/org.onap.dcaegen2.collectors.restconfcollector:1.4.1
pullPolicy: Always
# Log directory where logging sidecar should look for log files
diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml
index 57a182b8f4..8d99454988 100644
--- a/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml
@@ -3,6 +3,7 @@
# Copyright (C) 2021 Wipro Limited.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
# ============= LICENSE_END ==================================================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "London"
description: DCAE Son-handler helm chart
name: dcae-son-handler
version: 12.0.0
diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml
index 6b007a330b..037c5866e2 100644
--- a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml
@@ -2,6 +2,7 @@
# ============================================================================
# Copyright (C) 2021-2022 Wipro Limited.
# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved.
+# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -52,7 +53,7 @@ secrets:
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.son-handler:2.1.11
+image: onap/org.onap.dcaegen2.services.son-handler:2.2.1
pullPolicy: Always
# Log directory where logging sidecar should look for log files
diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml
index 25a54014d6..37c6cee75f 100644
--- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml
@@ -3,6 +3,7 @@
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
# ============LICENSE_END=========================================================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "London"
description: DCAE TCA (Gen 2)
name: dcae-tcagen2
version: 12.0.0
diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
index 40a7c13dca..fcdcb525c5 100644
--- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
@@ -2,6 +2,7 @@
# ================================================================================
# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved.
# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -35,7 +36,7 @@ filebeatConfig:
# Application configuration defaults.
#################################################################
# application image
-image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.4
+image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.4.0
pullPolicy: Always
# log directory where logging sidecar should look for log files
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
index 2ee3eb2ee4..526d75077c 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
@@ -41,7 +41,7 @@ certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-
# Application configuration defaults.
#################################################################
# application image
-image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.11.1
+image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.12.3
pullPolicy: Always
# log directory where logging sidecar should look for log files
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml
index 1978ae4df4..5121ad90d3 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml
@@ -3,6 +3,7 @@
# Copyright (c) 2021 AT&T Intellectual Property
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
# ================================= LICENSE_END ==============================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "London"
description: DCAE VES-Mapper Microservice
name: dcae-ves-mapper
version: 12.0.0
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml
index 4ee6ee72f4..ff1f7481e0 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml
@@ -2,6 +2,7 @@
# ============================================================================
# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved.
+# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -35,7 +36,7 @@ filebeatConfig:
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.4.0
+image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.5.0
pullPolicy: Always
# Log directory where logging sidecar should look for log files
diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml
index cdf5327eab..fdbca09be0 100644
--- a/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml
+++ b/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml
@@ -34,8 +34,10 @@ spec:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
initContainers:
- {{- if not .Values.global.postgres.localCluster }}
- {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }}
+ {{- if .Values.global.postgres.localCluster }}
+ {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local ) | indent 6 | trim }}
+ {{ else }}
+ {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global ) | indent 6 | trim }}
{{- end }}
- name: {{ include "common.name" . }}-env-config
image: {{ include "repositoryGenerator.image.envsubst" . }}
diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml
index c9c62e78a3..028ca8d71e 100644
--- a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml
+++ b/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml
@@ -123,9 +123,11 @@ resources:
unlimited: {}
readinessCheck:
- wait_for:
+ wait_for_global:
jobs:
- '{{ include "common.release" . }}-holmes-postgres-init-config-job'
+ wait_for_local:
+ - '{{ .Values.global.postgres.container.name }}'
#Pods Service Account
serviceAccount:
diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml
index 05def922c4..db0eb16092 100644
--- a/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml
+++ b/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml
@@ -33,8 +33,10 @@ spec:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
initContainers:
- {{- if not .Values.global.postgres.localCluster }}
- {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }}
+ {{- if .Values.global.postgres.localCluster }}
+ {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local ) | indent 6 | trim }}
+ {{ else }}
+ {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global ) | indent 6 | trim }}
{{- end }}
- name: {{ include "common.name" . }}-env-config
image: {{ include "repositoryGenerator.image.envsubst" . }}
diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml
index bc6639f7dd..d91bb1eeeb 100644
--- a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml
+++ b/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml
@@ -94,7 +94,7 @@ ingress:
path: "/api/holmes-rule-mgmt/v1"
plain_port: 9101
- baseaddr: "holmes-rule-mgmt-ui"
- name: "holmes-rule-mgmt-ui"
+ name: "holmes-rule-mgmt"
path: "/iui/holmes"
plain_port: 9104
config:
@@ -135,9 +135,11 @@ resources:
unlimited: {}
readinessCheck:
- wait_for:
+ wait_for_global:
jobs:
- '{{ include "common.release" . }}-holmes-postgres-init-config-job'
+ wait_for_local:
+ - '{{ .Values.global.postgres.container.name }}'
#Pods Service Account
serviceAccount:
diff --git a/kubernetes/holmes/values.yaml b/kubernetes/holmes/values.yaml
index 75521062f4..40c3d872ff 100644
--- a/kubernetes/holmes/values.yaml
+++ b/kubernetes/holmes/values.yaml
@@ -22,6 +22,9 @@ global:
#Service Names of the postgres db to connect to.
#Override it to dbc-pg if localCluster is enabled.
postgres:
+ #This flag allows SO to instantiate its own mariadb-galera cluster
+ #When changing it to "true", also set "globalCluster: false"
+ #as the dependency check will not work otherwise (Chart.yaml)
localCluster: false
globalCluster: true
service:
diff --git a/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml b/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml
index a90c700a8e..b1f6c4105a 100644
--- a/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml
+++ b/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml
@@ -30,7 +30,7 @@ dependencies:
- name: mariadb-init
version: ~12.x-0
repository: '@local'
- condition: not global.mariadbGalera.localCluster
+ condition: global.mariadbGalera.globalCluster
- name: readinessCheck
version: ~12.x-0
repository: '@local'
diff --git a/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml b/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml
index dd9c020c22..bfbff215db 100644
--- a/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml
+++ b/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml
@@ -41,8 +41,13 @@ spec:
- command:
- /app/ready.py
args:
- - -j
- - "{{ include "common.release" . }}-{{ include "common.name" . }}-config-job"
+{{- if .Values.global.mariadbGalera.localCluster }}
+ - --container-name
+ - {{ index .Values "mariadb-galera" "nameOverride" }}
+{{- else }}
+ - --job-name
+ - {{ include "common.release" . }}-{{ include "common.name" . }}-config-job
+{{- end }}
env:
- name: NAMESPACE
valueFrom:
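Review bot: Both new `args` entries are unquoted template output, while the line they replace was quoted; if `mariadb-galera.nameOverride` is unset, `- {{ index .Values "mariadb-galera" "nameOverride" }}` renders as an empty item or fails the render, and the readiness script would get `--container-name` without a usable name. The values hunk in this commit only shows `nameOverride` under `global.mariadbGalera`, so it is worth checking that the top-level `mariadb-galera.nameOverride` exists. I would write `- {{ index .Values "mariadb-galera" "nameOverride" | quote }}` and `- "{{ include "common.release" . }}-{{ include "common.name" . }}-config-job"`. The container spec starts and ends outside the hunk.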
diff --git a/kubernetes/modeling/components/modeling-etsicatalog/values.yaml b/kubernetes/modeling/components/modeling-etsicatalog/values.yaml
index 21abce3dda..c2b0dcff7d 100644
--- a/kubernetes/modeling/components/modeling-etsicatalog/values.yaml
+++ b/kubernetes/modeling/components/modeling-etsicatalog/values.yaml
@@ -22,8 +22,11 @@ global:
mountPath: /dockerdata-nfs
mariadbGalera:
- #This flag allows Modeling to instantiate its own mariadb-galera cluster
+ #This flag allows SO to instantiate its own mariadb-galera cluster
+ #When changing it to "true", also set "globalCluster: false"
+ #as the dependency check will not work otherwise (Chart.yaml)
localCluster: false
+ globalCluster: true
service: mariadb-galera
internalPort: 3306
nameOverride: mariadb-galera
diff --git a/kubernetes/msb/components/msb-eag/values.yaml b/kubernetes/msb/components/msb-eag/values.yaml
index 1c3f3131d6..0a91363470 100644
--- a/kubernetes/msb/components/msb-eag/values.yaml
+++ b/kubernetes/msb/components/msb-eag/values.yaml
@@ -52,7 +52,7 @@ certInitializer:
# Application configuration defaults.
#################################################################
# application image
-image: onap/msb/msb_apigateway:1.4.0
+image: onap/msb/msb_apigateway:1.6.0
pullPolicy: Always
istioSidecar: true
diff --git a/kubernetes/msb/components/msb-iag/values.yaml b/kubernetes/msb/components/msb-iag/values.yaml
index 4bb772da16..c53dcca982 100644
--- a/kubernetes/msb/components/msb-iag/values.yaml
+++ b/kubernetes/msb/components/msb-iag/values.yaml
@@ -52,7 +52,7 @@ certInitializer:
# Application configuration defaults.
#################################################################
# application image
-image: onap/msb/msb_apigateway:1.4.0
+image: onap/msb/msb_apigateway:1.6.0
pullPolicy: Always
istioSidecar: true
diff --git a/kubernetes/nbi/Chart.yaml b/kubernetes/nbi/Chart.yaml
index 5f277876a3..5365075b32 100644
--- a/kubernetes/nbi/Chart.yaml
+++ b/kubernetes/nbi/Chart.yaml
@@ -36,7 +36,7 @@ dependencies:
- name: mariadb-init
version: ~12.x-0
repository: '@local'
- condition: not global.mariadbGalera.localCluster
+ condition: global.mariadbGalera.globalCluster
- name: repositoryGenerator
version: ~12.x-0
repository: '@local'
diff --git a/kubernetes/nbi/values.yaml b/kubernetes/nbi/values.yaml
index e2b7341b7c..fbdf1fe199 100644
--- a/kubernetes/nbi/values.yaml
+++ b/kubernetes/nbi/values.yaml
@@ -20,7 +20,10 @@ global:
nodePortPrefix: 302
mariadbGalera: &mariadbGalera
#This flag allows SO to instantiate its own mariadb-galera cluster
+ #When changing it to "true", also set "globalCluster: false"
+ #as the dependency check will not work otherwise (Chart.yaml)
localCluster: false
+ globalCluster: true
service: mariadb-galera
internalPort: 3306
nameOverride: mariadb-galera
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index c7399b3f1b..40ac5edab6 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -1,6 +1,7 @@
# Copyright © 2019 Amdocs, Bell Canada
# Copyright (c) 2020 Nordix Foundation, Modifications
# Modifications Copyright © 2020-2021 Nokia
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -187,6 +188,10 @@ global:
# be aware that linkerd is not well tested
engine: "istio" # valid value: istio or linkerd
+ # Global Istio Authorization Policy configuration
+ authorizationPolicies:
+ enabled: false
+
# metrics part
# If enabled, exporters (for prometheus) will be deployed
# if custom resources set to yes, CRD from prometheus operartor will be
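Review bot: The new `authorizationPolicies.enabled` switch has no comment describing its effect, and the effect is large. Per `common.authorizationPolicy` in `_serviceMesh.tpl`, a chart that includes the template without `serviceMesh.authorizationPolicy.authorizedPrincipals` gets an ALLOW policy with no rules, which means all requests to it are denied. I would extend the comment, e.g. `# Only used when the service mesh is enabled. When true, charts without authorizedPrincipals deny all requests.`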
diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml
index ee5a5722c0..1bd94eed0b 100755
--- a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml
@@ -74,8 +74,7 @@ spec:
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"]
args: ["/opt/app/policy/pdpx/etc/mounted/config.json"]
- ports:
- - containerPort: {{ .Values.service.internalPort }}
+ ports: {{ include "common.containerPorts" . | nindent 12 }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{- if eq .Values.liveness.enabled true }}
diff --git a/kubernetes/robot/values.yaml b/kubernetes/robot/values.yaml
index e87a76d137..1f084a6bc6 100644
--- a/kubernetes/robot/values.yaml
+++ b/kubernetes/robot/values.yaml
@@ -22,7 +22,7 @@ global: # global defaults
# application image
repository: nexus3.onap.org:10001
-image: onap/testsuite:1.11.1
+image: onap/testsuite:1.12.1
pullPolicy: Always
ubuntuInitImage: oomk8s/ubuntu-init:2.0.0
diff --git a/kubernetes/sdc/components/sdc-be/values.yaml b/kubernetes/sdc/components/sdc-be/values.yaml
index 7b5b2b0efc..a0a04887ae 100644
--- a/kubernetes/sdc/components/sdc-be/values.yaml
+++ b/kubernetes/sdc/components/sdc-be/values.yaml
@@ -39,8 +39,8 @@ global:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-backend-all-plugins:1.12.2
-backendInitImage: onap/sdc-backend-init:1.12.2
+image: onap/sdc-backend-all-plugins:1.12.3
+backendInitImage: onap/sdc-backend-init:1.12.3
pullPolicy: Always
diff --git a/kubernetes/sdc/components/sdc-cs/values.yaml b/kubernetes/sdc/components/sdc-cs/values.yaml
index 07c8e065a4..c9eb535808 100644
--- a/kubernetes/sdc/components/sdc-cs/values.yaml
+++ b/kubernetes/sdc/components/sdc-cs/values.yaml
@@ -51,8 +51,8 @@ cassandra:
# application image
repository: nexus3.onap.org:10001
-image: onap/sdc-cassandra:1.12.2
-cassandraInitImage: onap/sdc-cassandra-init:1.12.2
+image: onap/sdc-cassandra:1.12.3
+cassandraInitImage: onap/sdc-cassandra-init:1.12.3
pullPolicy: Always
config:
diff --git a/kubernetes/sdc/components/sdc-fe/values.yaml b/kubernetes/sdc/components/sdc-fe/values.yaml
index b4a8bd6bfe..ca8b42a0ff 100644
--- a/kubernetes/sdc/components/sdc-fe/values.yaml
+++ b/kubernetes/sdc/components/sdc-fe/values.yaml
@@ -23,7 +23,7 @@ global:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-frontend:1.12.2
+image: onap/sdc-frontend:1.12.3
pullPolicy: Always
config:
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml
index 2066835fcf..3c6458b4c5 100644
--- a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml
+++ b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml
@@ -35,8 +35,8 @@ global:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-onboard-backend:1.12.2
-onboardingInitImage: onap/sdc-onboard-cassandra-init:1.12.2
+image: onap/sdc-onboard-backend:1.12.3
+onboardingInitImage: onap/sdc-onboard-cassandra-init:1.12.3
pullPolicy: Always
# flag to enable debugging - application support required
diff --git a/kubernetes/sdc/components/sdc-wfd-be/values.yaml b/kubernetes/sdc/components/sdc-wfd-be/values.yaml
index b011a03969..b6735a4687 100644
--- a/kubernetes/sdc/components/sdc-wfd-be/values.yaml
+++ b/kubernetes/sdc/components/sdc-wfd-be/values.yaml
@@ -35,8 +35,8 @@ global:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-workflow-backend:1.11.1
-configInitImage: onap/sdc-workflow-init:1.11.1
+image: onap/sdc-workflow-backend:1.12.0
+configInitImage: onap/sdc-workflow-init:1.12.0
pullPolicy: Always
initJob:
diff --git a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml
index 9a7f6acfa4..c9905bc630 100644
--- a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml
+++ b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml
@@ -23,7 +23,7 @@ global:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-workflow-frontend:1.11.1
+image: onap/sdc-workflow-frontend:1.12.0
pullPolicy: Always
# flag to enable debugging - application support required
diff --git a/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml b/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml
index 0630497bdb..473b1c3bcf 100755
--- a/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml
+++ b/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml
@@ -68,8 +68,10 @@ mso:
asdc-connections:
asdc-controller1:
user: mso
- consumerGroup: {{ .Values.config.kafka.sdcTopic.consumerGroup }}
- consumerId: {{ .Values.config.kafka.sdcTopic.clientId }}
+ {{ with (first .Values.kafkaUser.acls) }}
+ consumerId: {{ .name }}-sdc-controller
+ consumerGroup: {{ .name }}
+ {{ end }}
environmentName: AUTO
sdcAddress: sdc-be.{{ include "common.namespace" . }}:8080
password: {{ index .Values "mso" "asdc-connections" "asdc-controller1" "password" }}
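Review bot: `consumerGroup` and `consumerId` are taken from `first .Values.kafkaUser.acls`, so they silently depend on the order of the ACL list defined in the `kafkaUser` hunk of kubernetes/so/components/so-sdc-controller/values.yaml. If an override puts the topic entry first, the controller gets a topic prefix as its group name; with an empty list the `with` block is presumably skipped and both keys disappear, and the render still succeeds either way. Selecting the entry by `type` instead of by position would remove the coupling; at minimum add `# NOTE: the first acl must be the consumer group, override.yaml reads it by position` above `acls:` in values.yaml. The `{{ with ... }}` and `{{ end }}` lines also lack `-` trimming and leave blank lines in the rendered file.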
diff --git a/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml b/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml
index 4becf41897..12de6bd382 100755
--- a/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml
+++ b/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml
@@ -47,12 +47,11 @@ spec:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }}
- name: DB_ADMIN_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }}
- - name: SECURITY_PROTOCOL
- value: {{ .Values.config.kafka.securityProtocol }}
- - name: SASL_MECHANISM
- value: {{ .Values.config.kafka.saslMechanism }}
- name: SASL_JAAS_CONFIG
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-sdc-kafka-secret" "key" "sasl.jaas.config") | indent 10 }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.name" . }}-ku
+ key: sasl.jaas.config
envFrom:
- configMapRef:
name: {{ include "common.fullname" . }}-configmap
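Review bot: `SECURITY_PROTOCOL` and `SASL_MECHANISM` are removed from the container environment with no replacement visible in this hunk, so the Kafka client's protocol and mechanism now depend on defaults defined elsewhere. If the application falls back to a different or unauthenticated setting when they are unset, `SASL_JAAS_CONFIG` alone will not give the intended connection; it is worth confirming that the override config or the image sets them. The secret name `{{ include "common.name" . }}-ku` also hard-codes a suffix that has to match whatever `common.kafkauser` generates, while the ConfigMap reference below uses `common.fullname`. The container spec continues outside the hunk.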
diff --git a/kubernetes/aai/components/aai-sparky-be/templates/secret.yaml b/kubernetes/so/components/so-sdc-controller/templates/kafkauser.yaml
index d6013c832e..6fc37c3d01 100644
--- a/kubernetes/aai/components/aai-sparky-be/templates/secret.yaml
+++ b/kubernetes/so/components/so-sdc-controller/templates/kafkauser.yaml
@@ -1,5 +1,5 @@
{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -13,17 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }}
+{{ include "common.kafkauser" . }}
diff --git a/kubernetes/so/components/so-sdc-controller/values.yaml b/kubernetes/so/components/so-sdc-controller/values.yaml
index dbde74808b..81ae6ae7fd 100755
--- a/kubernetes/so/components/so-sdc-controller/values.yaml
+++ b/kubernetes/so/components/so-sdc-controller/values.yaml
@@ -45,13 +45,6 @@ secrets:
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
- - uid: so-sdc-kafka-secret
- externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}'
- type: genericKV
- envs:
- - name: sasl.jaas.config
- value: '{{ .Values.config.someConfig }}'
- policy: generate
#secretsFilePaths: |
# - 'my file 1'
@@ -83,27 +76,19 @@ mso:
asdc-connections:
asdc-controller1:
password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F
-config:
- someConfig: blah
- kafka:
- securityProtocol: SASL_PLAINTEXT
- saslMechanism: SCRAM-SHA-512
- authType: simple
- sdcTopic:
- pattern: SDC-DIST
- consumerGroup: so
- clientId: SO-sdc-controller
replicaCount: 1
minReadySeconds: 10
containerPort: &containerPort 8085
logPath: ./logs/sdc/
app: sdc-controller
+
service:
type: ClusterIP
ports:
- name: http
port: *containerPort
+
updateStrategy:
type: RollingUpdate
maxUnavailable: 1
@@ -134,6 +119,7 @@ resources:
memory: 2Gi
cpu: 1000m
unlimited: {}
+
livenessProbe:
path: /manage/health
port: 8085
@@ -143,12 +129,25 @@ livenessProbe:
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
+
ingress:
enabled: false
+
nodeSelector: {}
tolerations: []
affinity: {}
+# Strimzi KafkaUser config
+kafkaUser:
+ acls:
+ - name: SO
+ type: group
+ operations: [Read]
+ - name: SDC-DISTR
+ type: topic
+ patternType: prefix
+ operations: [Read, Write]
+
#Pods Service Account
serviceAccount:
nameOverride: so-sdc-controller
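Review bot: The topic ACL grants `Read` and `Write` on every topic whose name starts with `SDC-DISTR`, which is narrower than the `operation: All` of the deleted KafkaUser template but may still be wider than the controller needs. If it only consumes from one set of topics and only publishes to another, two entries with longer prefixes and a single operation each would follow least privilege more closely. The prefix also changed from `SDC-DIST` (the removed `sdcTopic.pattern` in an earlier hunk of this file) to `SDC-DISTR`; a one-line comment naming the topics this is meant to cover would let a reviewer check that the change is intended.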
diff --git a/kubernetes/aai/components/aai-modelloader/templates/secret.yaml b/kubernetes/so/templates/authorizationpolicy.yaml
index d6013c832e..7158c0263f 100644
--- a/kubernetes/aai/components/aai-modelloader/templates/secret.yaml
+++ b/kubernetes/so/templates/authorizationpolicy.yaml
@@ -1,5 +1,5 @@
{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,16 +14,4 @@
# limitations under the License.
*/}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }}
+{{ include "common.authorizationPolicy" . }} \ No newline at end of file
diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml
index 014cbadbab..68905358c3 100755
--- a/kubernetes/so/values.yaml
+++ b/kubernetes/so/values.yaml
@@ -51,8 +51,6 @@ global:
auth: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456
defaultCloudOwner: onap
- soSdcListenerKafkaUser: so-sdc-list-user
-
readinessCheck:
wait_for:
jobs:
@@ -599,6 +597,15 @@ ingress:
name: 'so'
port: 8080
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: consul-read
+ - serviceAccount: consul-server-read
+ - serviceAccount: nbi-read
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
mso:
adapters:
requestDb:
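Review bot: The `authorizedPrincipals` list mixes entries with and without `namespace` and includes the `istio-ingress` service account, with no comment explaining either. Entries such as `nbi-read` presumably resolve to the release namespace, and allowing the ingress gateway's identity means every request the gateway admits passes this policy, so the list restricts in-mesh callers only and external callers still rely on application-level authentication. I would document that above the list, e.g. `# principals without namespace use the release namespace; istio-ingress admits all traffic arriving through the gateway`, once checked against `common.authorizationPolicy`.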
@@ -696,8 +703,6 @@ so-sdc-controller:
db:
<<: *dbSecrets
logConfigMapNamePrefix: '{{ include "common.release" . }}-so'
- config:
- jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.soSdcListenerKafkaUser }}'
so-sdnc-adapter:
enabled: true
diff --git a/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml
new file mode 100644
index 0000000000..12c742ef35
--- /dev/null
+++ b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml
@@ -0,0 +1,20 @@
+{{/*
+# Copyright (c) 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License..
+*/}}
+lowercaseOutputName: true
+rules:
+ - pattern: kafka.cruisecontrol<name=(.+)><>(\w+)
+ name: kafka_cruisecontrol_$1_$2
+ type: GAUGE \ No newline at end of file
diff --git a/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml
new file mode 100644
index 0000000000..7ad971fc16
--- /dev/null
+++ b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml
@@ -0,0 +1,137 @@
+{{/*
+# Copyright (c) 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License..
+*/}}
+lowercaseOutputName: true
+rules:
+ # Special cases and very specific rules
+ - pattern: kafka.server<type=(.+), name=(.+), clientId=(.+), topic=(.+), partition=(.*)><>Value
+ name: kafka_server_$1_$2
+ type: GAUGE
+ labels:
+ clientId: "$3"
+ topic: "$4"
+ partition: "$5"
+ - pattern: kafka.server<type=(.+), name=(.+), clientId=(.+), brokerHost=(.+), brokerPort=(.+)><>Value
+ name: kafka_server_$1_$2
+ type: GAUGE
+ labels:
+ clientId: "$3"
+ broker: "$4:$5"
+ - pattern: kafka.server<type=(.+), cipher=(.+), protocol=(.+), listener=(.+), networkProcessor=(.+)><>connections
+ name: kafka_server_$1_connections_tls_info
+ type: GAUGE
+ labels:
+ cipher: "$2"
+ protocol: "$3"
+ listener: "$4"
+ networkProcessor: "$5"
+ - pattern: kafka.server<type=(.+), clientSoftwareName=(.+), clientSoftwareVersion=(.+), listener=(.+), networkProcessor=(.+)><>connections
+ name: kafka_server_$1_connections_software
+ type: GAUGE
+ labels:
+ clientSoftwareName: "$2"
+ clientSoftwareVersion: "$3"
+ listener: "$4"
+ networkProcessor: "$5"
+ - pattern: "kafka.server<type=(.+), listener=(.+), networkProcessor=(.+)><>(.+):"
+ name: kafka_server_$1_$4
+ type: GAUGE
+ labels:
+ listener: "$2"
+ networkProcessor: "$3"
+ - pattern: kafka.server<type=(.+), listener=(.+), networkProcessor=(.+)><>(.+)
+ name: kafka_server_$1_$4
+ type: GAUGE
+ labels:
+ listener: "$2"
+ networkProcessor: "$3"
+ # Some percent metrics use MeanRate attribute
+ # Ex) kafka.server<type=(KafkaRequestHandlerPool), name=(RequestHandlerAvgIdlePercent)><>MeanRate
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)Percent\w*><>MeanRate
+ name: kafka_$1_$2_$3_percent
+ type: GAUGE
+ # Generic gauges for percents
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)Percent\w*><>Value
+ name: kafka_$1_$2_$3_percent
+ type: GAUGE
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)Percent\w*, (.+)=(.+)><>Value
+ name: kafka_$1_$2_$3_percent
+ type: GAUGE
+ labels:
+ "$4": "$5"
+ # Generic per-second counters with 0-2 key/value pairs
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)PerSec\w*, (.+)=(.+), (.+)=(.+)><>Count
+ name: kafka_$1_$2_$3_total
+ type: COUNTER
+ labels:
+ "$4": "$5"
+ "$6": "$7"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)PerSec\w*, (.+)=(.+)><>Count
+ name: kafka_$1_$2_$3_total
+ type: COUNTER
+ labels:
+ "$4": "$5"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)PerSec\w*><>Count
+ name: kafka_$1_$2_$3_total
+ type: COUNTER
+ # Generic gauges with 0-2 key/value pairs
+ - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.+), (.+)=(.+)><>Value
+ name: kafka_$1_$2_$3
+ type: GAUGE
+ labels:
+ "$4": "$5"
+ "$6": "$7"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.+)><>Value
+ name: kafka_$1_$2_$3
+ type: GAUGE
+ labels:
+ "$4": "$5"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)><>Value
+ name: kafka_$1_$2_$3
+ type: GAUGE
+ # Emulate Prometheus 'Summary' metrics for the exported 'Histogram's.
+ # Note that these are missing the '_sum' metric!
+ - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.+), (.+)=(.+)><>Count
+ name: kafka_$1_$2_$3_count
+ type: COUNTER
+ labels:
+ "$4": "$5"
+ "$6": "$7"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.*), (.+)=(.+)><>(\d+)thPercentile
+ name: kafka_$1_$2_$3
+ type: GAUGE
+ labels:
+ "$4": "$5"
+ "$6": "$7"
+ quantile: "0.$8"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.+)><>Count
+ name: kafka_$1_$2_$3_count
+ type: COUNTER
+ labels:
+ "$4": "$5"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.*)><>(\d+)thPercentile
+ name: kafka_$1_$2_$3
+ type: GAUGE
+ labels:
+ "$4": "$5"
+ quantile: "0.$6"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)><>Count
+ name: kafka_$1_$2_$3_count
+ type: COUNTER
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)><>(\d+)thPercentile
+ name: kafka_$1_$2_$3
+ type: GAUGE
+ labels:
+ quantile: "0.$4" \ No newline at end of file
diff --git a/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml
new file mode 100644
index 0000000000..6a1eab7825
--- /dev/null
+++ b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml
@@ -0,0 +1,44 @@
+{{/*
+# Copyright (c) 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License..
+*/}}
+lowercaseOutputName: true
+rules:
+ # replicated Zookeeper
+ - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+)><>(\\w+)"
+ name: "zookeeper_$2"
+ type: GAUGE
+ - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+)><>(\\w+)"
+ name: "zookeeper_$3"
+ type: GAUGE
+ labels:
+ replicaId: "$2"
+ - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+), name2=(\\w+)><>(Packets\\w+)"
+ name: "zookeeper_$4"
+ type: COUNTER
+ labels:
+ replicaId: "$2"
+ memberType: "$3"
+ - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+), name2=(\\w+)><>(\\w+)"
+ name: "zookeeper_$4"
+ type: GAUGE
+ labels:
+ replicaId: "$2"
+ memberType: "$3"
+ - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+), name2=(\\w+), name3=(\\w+)><>(\\w+)"
+ name: "zookeeper_$4_$5"
+ type: GAUGE
+ labels:
+ replicaId: "$2"
+ memberType: "$3" \ No newline at end of file
diff --git a/kubernetes/aai/components/aai-resources/templates/secret.yaml b/kubernetes/strimzi/templates/configmap.yaml
index a0d8629459..ace51f78ba 100644
--- a/kubernetes/aai/components/aai-resources/templates/secret.yaml
+++ b/kubernetes/strimzi/templates/configmap.yaml
@@ -1,5 +1,5 @@
{{/*
-# Copyright © 2021 Orange
+# Copyright (c) 2023 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -11,21 +11,11 @@
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
-# limitations under the License.
+# limitations under the License..
*/}}
-
+{{- if .Values.metrics.enabled }}
apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-aaf-keys
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/aaf/bath_config.csv").AsSecrets . | indent 2 }}
----
-{{ include "common.secretFast" . }}
+kind: ConfigMap
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+data: {{ tpl (.Files.Glob "resources/metrics/*").AsConfig . | nindent 2 }}
+{{ end }}
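Review bot: The ConfigMap is rendered only when `.Values.metrics.enabled` is true, but the `metricsConfig` blocks added to templates/strimzi-kafka.yaml reference it under `metrics.kafkaExporter.enabled` and `cruiseControl.enabled`, which are independent flags in values.yaml. Enabling either of those while `metrics.enabled` stays `false` produces a Kafka resource whose `configMapKeyRef` points at a ConfigMap that was never created. Gating this template on the same conditions, `{{- if or .Values.metrics.enabled .Values.metrics.kafkaExporter.enabled .Values.cruiseControl.enabled }}`, or gating the references on `metrics.enabled` as well, would close the gap. The references also assume `common.resourceMetadata` names the object `common.fullname`; that helper is not visible here.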
diff --git a/kubernetes/so/components/so-sdc-controller/templates/so-sdc-dist-kakfa-user.yaml b/kubernetes/strimzi/templates/kafka-rebalance.yaml
index 4619c8ebc0..6d5f143220 100644
--- a/kubernetes/so/components/so-sdc-controller/templates/so-sdc-dist-kakfa-user.yaml
+++ b/kubernetes/strimzi/templates/kafka-rebalance.yaml
@@ -1,5 +1,5 @@
{{/*
-# Copyright © 2022 Nordix Foundation
+# Copyright (c) 2023 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -11,26 +11,14 @@
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
-# limitations under the License.
+# limitations under the License..
*/}}
+{{- if .Values.cruiseControl.kafkaRebalance.enabled }}
apiVersion: kafka.strimzi.io/v1beta2
-kind: KafkaUser
+kind: KafkaRebalance
metadata:
- name: {{ include "common.release" . }}-{{ .Values.global.soSdcListenerKafkaUser }}
+ name: {{ include "common.fullname" . }}-kafka-rebalance
labels:
strimzi.io/cluster: {{ include "common.release" . }}-strimzi
-spec:
- authentication:
- type: {{ .Values.config.kafka.saslMechanism | lower }}
- authorization:
- type: {{ .Values.config.kafka.authType }}
- acls:
- - resource:
- type: group
- name: {{ .Values.config.kafka.sdcTopic.consumerGroup }}
- operation: All
- - resource:
- type: topic
- patternType: prefix
- name: {{ .Values.config.kafka.sdcTopic.pattern }}
- operation: All
+spec: {}
+{{- end }}
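Review bot: The `KafkaRebalance` resource is gated on `cruiseControl.kafkaRebalance.enabled` alone, while the `cruiseControl` section of the Kafka resource (templates/strimzi-kafka.yaml) is gated on `cruiseControl.enabled`. Setting only the former creates a rebalance request that presumably has no Cruise Control instance to act on it. `{{- if and .Values.cruiseControl.enabled .Values.cruiseControl.kafkaRebalance.enabled }}` would tie the two flags together.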
diff --git a/kubernetes/strimzi/templates/pod-monitor.yaml b/kubernetes/strimzi/templates/pod-monitor.yaml
new file mode 100644
index 0000000000..be288a4d75
--- /dev/null
+++ b/kubernetes/strimzi/templates/pod-monitor.yaml
@@ -0,0 +1,45 @@
+{{/*
+# Copyright (c) 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License..
+*/}}
+{{- if .Values.metrics.podMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ include "common.fullname" . }}-podmonitor
+ ## podMonitor labels for prometheus to pick up the podMonitor
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.PodMonitor
+ ##
+ # labels:
+ # prometheus: kube-prometheus
+ labels: {{- toYaml $.Values.metrics.podMonitor.labels | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ strimzi.io/cluster: {{ include "common.release" . }}-strimzi
+ podMetricsEndpoints:
+ - port: {{ .Values.metrics.podMonitor.port }}
+ {{- if .Values.metrics.podMonitor.relabelings }}
+ ## RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+ ## Value is evalued as a template
+ relabelings: {{- toYaml .Values.metrics.podMonitor.relabelings | nindent 6 }}
+ {{- end }}
+ {{- if .Values.metrics.podMonitor.metricRelabelings }}
+ metricRelabelings: {{- toYaml .Values.metrics.podMonitor.metricRelabelings | nindent 6 }}
+ ## MetricRelabelConfigs to apply to samples before ingestion
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+ ## Value is evalued as a template
+ {{- end }}
+{{- end }}
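Review bot: The comments under `podMetricsEndpoints` do not match the template: both say the value "is evalued as a template", yet `relabelings` and `metricRelabelings` are emitted with `toYaml` only and never pass through `tpl`, and the `metricRelabelings` comment block sits after the key it describes. I would move the three `##` lines above `metricRelabelings:` and reword them to `## Value is rendered as-is (not evaluated as a template)`, or pipe the value through `tpl` if templating is intended. `port: {{ .Values.metrics.podMonitor.port }}` would also be safer with `| quote`, so that a numeric-looking override is not retyped by the YAML parser.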
diff --git a/kubernetes/strimzi/templates/strimzi-kafka.yaml b/kubernetes/strimzi/templates/strimzi-kafka.yaml
index 3ce7b1d627..421d93a6cb 100644
--- a/kubernetes/strimzi/templates/strimzi-kafka.yaml
+++ b/kubernetes/strimzi/templates/strimzi-kafka.yaml
@@ -89,6 +89,14 @@ spec:
size: {{ .Values.persistence.kafka.size }}
deleteClaim: true
class: {{ include "common.storageClass" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistence.kafka) }}
+ {{- if .Values.metrics.kafkaExporter.enabled }}
+ metricsConfig:
+ type: {{ .Values.metrics.kafkaExporter.metricsConfig.type }}
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "common.fullname" . }}
+ key: kafka-metrics-config.yml
+ {{- end }}
zookeeper:
template:
pod:
@@ -107,7 +115,43 @@ spec:
size: {{ .Values.persistence.zookeeper.size }}
deleteClaim: true
class: {{ include "common.storageClass" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistence.zookeeper) }}
+ {{- if .Values.metrics.kafkaExporter.enabled }}
+ metricsConfig:
+ type: {{ .Values.metrics.kafkaExporter.metricsConfig.type }}
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "common.fullname" . }}
+ key: zookeeper-metrics-config.yml
+ {{- end }}
entityOperator:
topicOperator: {}
userOperator: {}
-
+ {{- if .Values.cruiseControl.enabled }}
+ cruiseControl:
+ metricsConfig:
+ type: {{ .Values.cruiseControl.metricsConfig.type }}
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "common.fullname" . }}
+ key: cruisecontrol-metrics-config.yml
+ {{- end }}
+ {{- if .Values.metrics.kafkaExporter.enabled }}
+ kafkaExporter:
+ topicRegex: {{ .Values.metrics.kafkaExporter.topicRegex }}
+ groupRegex: {{ .Values.metrics.kafkaExporter.groupRegex }}
+ resources:
+ requests:
+ cpu: {{ .Values.metrics.kafkaExporter.resources.requests.cpu }}
+ memory: {{ .Values.metrics.kafkaExporter.resources.requests.memory }}
+ limits:
+ cpu: {{ .Values.metrics.kafkaExporter.resources.limits.cpu }}
+ memory: {{ .Values.metrics.kafkaExporter.resources.limits.memory }}
+ logging: {{ .Values.metrics.kafkaExporter.logging }}
+ enableSaramaLogging: {{ .Values.metrics.kafkaExporter.enableSaramaLogging }}
+ readinessProbe:
+ initialDelaySeconds: {{ .Values.metrics.kafkaExporter.readinessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.metrics.kafkaExporter.readinessProbe.timeoutSeconds }}
+ livenessProbe:
+ initialDelaySeconds: {{ .Values.metrics.kafkaExporter.livenessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.metrics.kafkaExporter.livenessProbe.timeoutSeconds }}
+ {{- end }}
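Review bot: `topicRegex` and `groupRegex` are interpolated unquoted in the `kafkaExporter` block, so the rendered YAML depends on the regex happening to be a valid plain scalar. The default `.*` survives, but an override beginning with `[`, `{`, `*` or `!` would be read as a flow collection, alias or tag, or fail to parse. Use `topicRegex: {{ .Values.metrics.kafkaExporter.topicRegex | quote }}` and the same for `groupRegex`. Separately, the broker and ZooKeeper `metricsConfig` blocks in this file are switched by `metrics.kafkaExporter.enabled` although their type in values.yaml is `jmxPrometheusExporter`; a dedicated flag would make the intent clearer.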
diff --git a/kubernetes/strimzi/values.yaml b/kubernetes/strimzi/values.yaml
index 057f2003c7..8963cf3cda 100644
--- a/kubernetes/strimzi/values.yaml
+++ b/kubernetes/strimzi/values.yaml
@@ -90,6 +90,54 @@ ingress:
exposedPort: *advertizedPortBroker2
exposedProtocol: TLS
+# Kafka Exporter for metrics
+metrics:
+ enabled: false
+ kafkaExporter:
+ enabled: false
+ metricsConfig:
+ type: jmxPrometheusExporter
+ topicRegex: ".*"
+ groupRegex: ".*"
+ resources:
+ requests:
+ cpu: 2000m
+ memory: 640Mi
+ limits:
+ cpu: 5000m
+ memory: 1280Mi
+ logging: debug
+ enableSaramaLogging: true
+ readinessProbe:
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ livenessProbe:
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ podMonitor:
+ # Prometheus pre requisite. Currently an optional addon in the OOM docs
+ enabled: false
+ # default port for strimzi metrics
+ port: "tcp-prometheus"
+ # podMonitor labels for prometheus to pick up the podMonitor
+ # dummy value
+ labels:
+ release: dummy
+ relabelings: []
+ metricRelabelings: []
+
+cruiseControl:
+## Cruise Control provides a Kafka metrics reporter implementation
+## once installed into the Kafka brokers, filters and records a wide range of metrics provided by the brokers themselves.
+## pre requisite is having 2 or more broker nodes
+ enabled: false
+ metricsConfig:
+ type: jmxPrometheusExporter
+ ## Custom resource for Kafka that can rebalance your cluster
+ # ref. https://strimzi.io/blog/2020/06/15/cruise-control/
+ kafkaRebalance:
+ enabled: false
+
######################
# Component overrides
######################
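Review bot: The `kafkaExporter` defaults ship `logging: debug` and `enableSaramaLogging: true`, so anyone who only flips `enabled: true` gets debug-level exporter and client-library logs in a production cluster. I would default to `logging: info` and `enableSaramaLogging: false` and keep the verbose settings as a commented example. The `podMonitor.labels` default `release: dummy` presumably means no Prometheus instance selects the PodMonitor until it is overridden; the comment should say so explicitly, e.g. `# must match the Prometheus podMonitorSelector; the dummy value is a placeholder`.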
diff --git a/kubernetes/uui/components/uui-server/values.yaml b/kubernetes/uui/components/uui-server/values.yaml
index 05c7b3c32c..4ae01bd82b 100644
--- a/kubernetes/uui/components/uui-server/values.yaml
+++ b/kubernetes/uui/components/uui-server/values.yaml
@@ -118,7 +118,8 @@ service:
"path":"/iui/usecaseui",
"protocol": "REST",
"visualRange":"1",
- "port": "{{ .Values.service.port }}",
+ "port": "{{ include "common.getPort" (dict "global" . "name" "http" "getPlain" true) }}",
+ "enable_ssl": false
}
]{{ end }}
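Review bot: `"enable_ssl": false` is hard-coded in the MSB registration JSON here and in the matching hunk of kubernetes/uui/values.yaml, so the service is always registered as plaintext regardless of how the chart is deployed. If transport security is expected to come from the service-mesh sidecar, say so in a YAML comment above the annotation; if the chart can also run without the mesh, the value should come from a setting rather than a literal. The annotation body is JSON and cannot hold the comment itself, so it has to sit outside the string.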
diff --git a/kubernetes/uui/values.yaml b/kubernetes/uui/values.yaml
index ef1af205f8..325e5ccde2 100644
--- a/kubernetes/uui/values.yaml
+++ b/kubernetes/uui/values.yaml
@@ -73,8 +73,8 @@ service:
"path":"/iui/usecaseui",
"protocol": "UI",
"visualRange":"1",
- "port": "http",
- "port": "{{ include "common.getPort" (dict "global" . "name" "http" "getPlain" true) }}"
+ "port": "{{ include "common.getPort" (dict "global" . "name" "http" "getPlain" true) }}",
+ "enable_ssl": false
}
]{{ end }}