Diffstat (limited to 'kubernetes')
-rw-r--r--kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-chain.pem38
-rw-r--r--kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-key.pem52
-rw-r--r--kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor.conf46
-rwxr-xr-xkubernetes/cds/charts/cds-py-executor/templates/deployment.yaml14
-rw-r--r--kubernetes/cds/charts/cds-py-executor/templates/secret.yaml2
-rwxr-xr-xkubernetes/cds/charts/cds-py-executor/values.yaml8
-rw-r--r--kubernetes/common/mariadb-galera/resources/create-deployment.yml50
-rw-r--r--kubernetes/common/mariadb-galera/resources/post-upgrade-script.sh26
-rw-r--r--kubernetes/common/mariadb-galera/resources/upgrade-scripts.sh101
-rw-r--r--kubernetes/common/mariadb-galera/templates/configmap.yaml37
-rw-r--r--kubernetes/common/mariadb-galera/templates/job.yaml107
-rw-r--r--kubernetes/common/mariadb-galera/values.yaml5
-rwxr-xr-xkubernetes/onap/values.yaml10
-rw-r--r--kubernetes/policy/charts/pap/templates/deployment.yaml5
-rw-r--r--kubernetes/policy/charts/pap/values.yaml14
-rw-r--r--kubernetes/policy/charts/policy-api/templates/deployment.yaml5
-rw-r--r--kubernetes/policy/charts/policy-api/values.yaml13
-rw-r--r--kubernetes/policy/charts/policy-distribution/templates/deployment.yaml5
-rw-r--r--kubernetes/policy/charts/policy-distribution/values.yaml13
-rw-r--r--kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml5
-rw-r--r--kubernetes/policy/charts/policy-xacml-pdp/values.yaml13
21 files changed, 229 insertions, 340 deletions
diff --git a/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-chain.pem b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-chain.pem
new file mode 100644
index 0000000000..7d626d3922
--- /dev/null
+++ b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-chain.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-key.pem b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-key.pem
new file mode 100644
index 0000000000..c6ef005641
--- /dev/null
+++ b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDDalcwwvgaVfYl
+ddrAd8mvQcMdqk6psoFf2TP9vwXes+HblB3eXSt2XkWm5Xwdh5mhbI10073/v51Q
+vENHuMqzgV0WOqhg9u2BJME3mz9TI74+bjrmphq+m7GTria/B6KCAOS9uQ+Rmd+2
+1R+Fqtcc9Txvj4JXVH/2FznMLsztjatxUtyNMSnmjSOWJppVvIBXhirT0fL0cKYO
+OSPqK6djZzu7Rao8MTtymu7HvbPX8txlINGJ+DdUqN+q9xtjTW7njd+CP3fCGs09
+2XZ1k+GppzF8uOeYo69crnGhsCpHO50A59nDRpUDiJacxFPdMP1fJ3u94QH1imfu
+6aNwRThNV9D1dXxWeHfa3+7JVAlmIlHGikQWwn/k7txAaJ6SSQUASU2+/KZZ/+ce
+a3fWr9Hq7gptCvDGVYBzzUZ2VXoIIt+GBRqNTJgzGQzwGEsQV+89dOkJhyYrhb83
+XLtgCIbeYzJ1xERjtZsy7Y1I1oHYzds8aQEYgj6EefYwbl/wzvrwXkiWd3RY1hR6
+zNmw4PN9vGVOv3FaFN9LykfSfgqwb/leZr6akVcf2rRyLiemkJ3tRVvqmBP2lsOg
+hyKyWx1y2G9U+pzIc7u61+WFV0gxrucC045wWZYfF1Y591AYKKUuBJ3HiUVvSZ9N
+S7BpTaBGpilVWfI0uHYn/vM4C7M58wIDAQABAoICAGFZMGZSOlakTCMNOxR2mDp+
+gDzfAqD3FAwzn/rgloQDCJjiiJ6lu2kUPY6O8+2iB56q/S0d7qDhS/VUVA/+trwF
+zeGtBwSG/no/XSHebQV14Ogo8Z7FUL1zwlrXfuXbX9FzsH/zGRZnmVLziOiF2vPK
+F3lb/IqUxcpKd7iH9/6/fJDPvp93xm/cD8ZVJL1hUm5HoD41cNrk41RiksmtRY33
+d4IrikrCG+NT23AVyOnjSnf2iWw6AxZhqkr5HuOxR3aC7r1r8LT5tRUCqEiaiuiB
+Kd4AHx+jK1D4dhMeN3GU+PnihlEJcGJ6QM2H4F9ocFBe0v4cgWVYtb4HFixvz0OY
+E+4vsrMObxVBkJtEvEntdQqBEKxdHUotTzJvF3NocncM65VzKViyCBiFXyijQ2Aw
+zFtyBNSzMLMBfkfJNXKhlDz4sOeDFjVaDTl6Rn3tnIHpjgbbbm5CXqNi0JRNi36C
+/ANTAoxrol/FSkPxdsCdhYaU6CxZpelu2FbwjyV189dEyCROOTelqAC0k0YsmcOJ
+FsQEkr8baWTIjgKta+kxo8SllPWntDeXfiM6iI4NeAwneIIJwqQb5WQiJWtnv0QX
+eH/cbnXHJgxTw4Hb0LzDBYG3nY5LHW//eaXTt1vSwJh7AbPo0hl7JBe6JNUMT9ih
++LUE1zzOj3dJbnFh+QLBAoIBAQD601wIBHeGnm4TwnjpEWExb2VlC0uMYhik1uql
+1zCsn7vgCFspq2tJugfALG4QEoti51AHkOybHX43jD6wvtPFT1HNL7yP63Zm27GP
+3bkCsZLVWnIEtPCR266ENSdGr3cnoO91Pf4efINKlZPIo4jLwfYgJhcVbhHb57uw
+j/VKhit9Cm+OnPD7PpKiGi4vUQPnbeIZsUTf5v4lYLR5r9uW91q07mS+jsoKcPyy
+dHZBM1nz7vMQitTYAhL17x6rINtTl7ulBHfLxHpPZxvVN5z+pJpKhYJP2pIWwKZY
+EBBMefiJhx6pR/T4YlFMdx0AmvVbeYZraIhh2vyNH5IeygNXAoIBAQDHclpbFNyd
+ZfkufMIq7N0oGDOuYwfzfAYK93lHgAm6NXibbyY7v49WAViOILSSGo4edCB53mLq
+9bLCsc0x9SL/OgZTCHwlY3cgc3WNAbICCsvinZS87XwPU3ZEMzy5T9AA1WlV0QSv
+6FXffF71skKM7yaWRhNJ6zWLSVBZ5iRAcmg5IboWFseGx845RSp/M1FZTuRvX5Ne
+7qQyJfJ0pu72Y6KkICpOqLmWYbxs3bcBpXdIGueUC4A6QlY+QrbGjGapkNhWzM1x
+vMK+8cpuSNhIHDtEWf43jw0Oz59vmPws/iTENtk4RDgIncD7bJ4HWjb+ZZtjHnSG
+r7L/HKS69ZjFAoIBAQDbpCwKBUdZhfCksv5IMeTnckHa+socU2Z7Kovtz4ObFoFh
+jE+wLKDVvea9nOqAfoy6fg4xofHfXzNAlznqciBlvrDGOhAoAyv6pFVXwvQY7MDE
+vd/sSToEr9ehhB4xosN321D1XOTjc2tQ66yu3K2Up/PMcS5zoKBY7hMIaPeGW/lH
+FNVdkAbiLAghlUVuP8ZoaWu9zeKfItrYhldj2+Ax0ccHe16TE9zOyeQurRdEvx/9
+IPiOOtRpl19dJxi3CB2nlM5HkaMJt7LXR1YzHvEGd8N4kHLtVFvrOqYvpVlwbrp6
+S+1IlW9p9kZ07DVka02B3egctDwBXM8dEVFWTtYfAoIBAFOhB3IZlUgKcimj9ma5
+WyJsw37j13mpD3+ZtSjd7zY9JY1HVejHsfqGJfOykwSQTfdHCjcPoLqUu5gXpcrE
+1x/d3LkEXcnvowvgXfH6PAHPNR6YpL1zdwmWHYkLUvMBHF69HaX2NtjrutYy+D5d
+uLoPrUZlq8Da92CoJSEM9zZuwnTyR2zrsE47iaVJ8z/S7NFd2zs4ADtWJVNBxiBT
+vu9hZ9kaA6Nn7Cm6YZ/kd9Ag6Zs6bNAO4n2LQ05n+uvWA1YmfhAnYB3I4H/gMtl7
+gfT6oX9PnOD/AqKrPFc29saG6jO8K+kD8drrCvhh2wGKOnUBdd5h7spq8cs233vl
+b2ECggEAKL5rjbcUhRtJjobcIqnk1FeN43cXmFnlIICsY3ouskzGgDx5z4f8e9Oo
+1fzoV4PVBf7uVPjgyiQy4Zio3qOcodvUi1xdv0mQEJzwyKpd12842pqVh3IvcVwf
+V64Yr5m5CylDAfIsabT4uP9Cmh7TC87YD3Fiu2OPUTTIWfLY16iJfV8lvLyBxFNE
+8VAqgnf3EH9VBNFWVUSaPcLO2BoduC1v74utK+T9+bqdLujBP5ZfQ1anfvYMlQVE
+1e5twdnYJTHHWhlT6EtnaHmLJ0SuTFJfZNxxdAeRWyyqnS0vZvWvIonafnVi6g5X
+m3FiOonz1SF53erfm5chlHxpQbUIhA==
+-----END PRIVATE KEY-----
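Review bot: The unencrypted private key added as `py-executor-key.pem` ships with the chart, so every installation that does not override it presents the same key, and anyone with read access to the repository holds a copy. The file should not be committed: generate the key pair at install time, or require the deployer to supply an existing secret through `certSecret`, which the `values.yaml` hunk in this commit already reads. Deleting the file in a later commit does not remove it from history, so this key should be treated as disclosed and never trusted outside a throwaway lab.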
diff --git a/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor.conf b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor.conf
new file mode 100644
index 0000000000..547810b081
--- /dev/null
+++ b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor.conf
@@ -0,0 +1,46 @@
+[req]
+default_bits = 4096
+default_keyfile = py-executor-key.pem
+distinguished_name = subject
+req_extensions = extensions
+x509_extensions = extensions
+string_mask = utf8only
+
+[ subject ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = New Jersey
+
+localityName = Locality Name (eg, city)
+localityName_default = Middletown
+
+organizationName = Organization Name (eg, company)
+organizationName_default = ONAP Community
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_default = CCSDK
+
+emailAddress = Email Address
+emailAddress_default = bs2796@att.com
+
+[ extensions ]
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+nsComment = "OpenSSL Generated Certificate"
+
+[alt_names]
+DNS.1 = *cds-controller-*
+DNS.2 = *cds-py-executor-*
+DNS.3 = *py-executor
+DNS.4 = *py-executor-*
+DNS.5 = *-pyexec-*
+DNS.6 = localhost
+IP.1 = 127.0.0.1
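Review bot: The `[alt_names]` entries `DNS.1` to `DNS.5` put the wildcard inside or at both ends of a label (`*cds-controller-*`, `*-pyexec-*`) instead of using the whole-leftmost-label form `*.domain`. TLS verifiers handle such patterns inconsistently: some reject them, and those that accept them match far more host names than intended. Listing the concrete service names is safer, for example `DNS.1 = cds-py-executor` (constructed example, confirm against the Service definition) plus the namespaced form the clients actually dial. Separately, `emailAddress_default` puts a personal address into every certificate generated from this template; a project alias would be preferable.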
diff --git a/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml b/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml
index f9c3377dd8..4210a0311a 100755
--- a/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml
+++ b/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml
@@ -66,15 +66,14 @@ spec:
readOnly: true
- mountPath: {{ .Values.persistence.deployedBlueprint }}
name: {{ include "common.fullname" . }}-blueprints
- resources:
-{{ include "common.resources" . | nindent 12 }}
+ - mountPath: /opt/app/onap/python/certs/py-executor/
+ name: certificates
+ resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | nindent 10 }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }}
{{- end -}}
{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | nindent 10 }}
+ affinity: {{ toYaml .Values.affinity | nindent 10 }}
{{- end }}
volumes:
- name: localtime
@@ -86,5 +85,8 @@ spec:
- name: {{ include "common.fullname" . }}-blueprints
persistentVolumeClaim:
claimName: {{ include "common.release" . }}-cds-blueprints
+ - name: certificates
+ secret:
+ secretName: {{ include "common.secret.getSecretNameFast" (dict "global" . "uid" "cds-py-onap-certs") }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
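Review bot: The `certificates` secret volume sets no `defaultMode`, so its files, including `py-executor-key.pem`, are mounted with the Kubernetes default of 0644 and are readable by every user in the container. Adding `defaultMode: 0400` under `secret:` would narrow that, and `readOnly: true` on the matching `volumeMounts` entry in the previous hunk would match the mount above it. Check the mode against the UID and `fsGroup` the pod runs with, which are not visible in this hunk. The `volumes` list starts above the hunk.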
diff --git a/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml b/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml
index c36607b172..c13b7d814b 100644
--- a/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml
+++ b/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-{{ include "common.secretFast" . }} \ No newline at end of file
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/cds/charts/cds-py-executor/values.yaml b/kubernetes/cds/charts/cds-py-executor/values.yaml
index bbae1b9e5a..2b3ffa3971 100755
--- a/kubernetes/cds/charts/cds-py-executor/values.yaml
+++ b/kubernetes/cds/charts/cds-py-executor/values.yaml
@@ -79,6 +79,14 @@ secrets:
login: '{{ .Values.config.apiUsername }}'
password: '{{ .Values.config.apiPassword }}'
passwordPolicy: required
+ - uid: "cds-py-onap-certs"
+ name: '{{ include "common.release" . }}-cds-py-certs'
+ externalSecret: '{{ tpl (default "" .Values.certSecret) . }}'
+ type: generic
+ filePaths:
+ - resources/certs/py-executor.conf
+ - resources/certs/py-executor-chain.pem
+ - resources/certs/py-executor-key.pem
config:
# the api credentials below are used to authenticate communication with blueprint
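Review bot: The new `cds-py-onap-certs` entry reads `.Values.certSecret`, but no `certSecret` key or comment appears in this hunk, so a deployer gets no hint that the bundled files under `resources/certs/` can and should be replaced. I would add a commented default near `config:`, e.g. `# certSecret: <name of an existing Secret holding py-executor-chain.pem and py-executor-key.pem>`. `py-executor.conf` looks like an OpenSSL request template rather than runtime material and probably does not belong in `filePaths`. The `secrets:` list begins above the hunk.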
diff --git a/kubernetes/common/mariadb-galera/resources/create-deployment.yml b/kubernetes/common/mariadb-galera/resources/create-deployment.yml
deleted file mode 100644
index 61bfc78945..0000000000
--- a/kubernetes/common/mariadb-galera/resources/create-deployment.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata: {{- include "common.resourceMetadata" (dict "suffix" "upgrade-deployment" "dot" .) | nindent 4 }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: {{ include "common.fullname" . }}
- template:
- metadata:
- labels:
- app: {{ include "common.fullname" . }}
- spec:
- containers:
- - name: {{ include "common.name" . }}
- image: "{{ include "common.repository" . }}/{{ .Values.image }}"
- ports:
- - containerPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
- - containerPort: {{ .Values.service.sstPort }}
- name: {{ .Values.service.sstPortName }}
- - containerPort: {{ .Values.service.replicationPort }}
- name: {{ .Values.service.replicationName }}
- - containerPort: {{ .Values.service.istPort }}
- name: {{ .Values.service.istPortName }}
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: MYSQL_USER
- valueFrom:
- secretKeyRef:
- key: login
- name: {{ include "common.fullname" . }}-temp-upgrade-usercred
- - name: MYSQL_PASSWORD
- valueFrom:
- secretKeyRef:
- key: password
- name: {{ include "common.fullname" . }}-temp-upgrade-usercred
- - name: MYSQL_DATABASE
- value: {{ default "" .Values.config.mysqlDatabase | quote }}
- - name: MYSQL_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- key: password
- name: {{ include "common.fullname" . }}-temp-upgrade-root
- subdomain: {{ .Values.service.name }}
- hostname: {{ .Values.nameOverride }}-upgrade-deployment \ No newline at end of file
diff --git a/kubernetes/common/mariadb-galera/resources/post-upgrade-script.sh b/kubernetes/common/mariadb-galera/resources/post-upgrade-script.sh
deleted file mode 100644
index 132ac27ea2..0000000000
--- a/kubernetes/common/mariadb-galera/resources/post-upgrade-script.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-
-TEMP_POD=$(kubectl get pod -n $NAMESPACE_ENV --selector \
- app='{{ include "common.fullname" . }}' -o \
- jsonpath='{.items[?(@.metadata.ownerReferences[].kind=="ReplicaSet")].metadata.name}')
-
-tmp_MYSQL_PASSWORD=$(echo -n $(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- printenv \
- MYSQL_PASSWORD) | base64)
-
-tmp_ROOT_PASSWORD=$(echo -n $(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- printenv \
- MYSQL_ROOT_PASSWORD) | base64)
-
-FLAG_EX_ROOT_SEC='{{ include "common.secret.getSecretNameFast" (dict "global" . "uid" (include "common.mariadb.secret.rootPassUID" .)) }}'
-
-FLAG_EX_SEC='{{ include "common.secret.getSecretNameFast" (dict "global" . "uid" (include "common.mariadb.secret.userCredentialsUID" .)) }}'
-
-kubectl patch secret $FLAG_EX_ROOT_SEC -p \
- '{"data":{"password":"'"$tmp_ROOT_PASSWORD"'"}}'
-
-kubectl patch secret $FLAG_EX_SEC -p \
- '{"data":{"password":"'"$tmp_MYSQL_PASSWORD"'"}}'
-
-kubectl delete pod -n $NAMESPACE_ENV {{ include "common.fullname" . }}-0 --now
-kubectl delete deployment -n $NAMESPACE_ENV {{ include "common.fullname" . }}-upgrade-deployment
-kubectl delete secret -n $NAMESPACE_ENV {{ include "common.fullname" . }}-temp-upgrade-root
-kubectl delete secret -n $NAMESPACE_ENV {{ include "common.fullname" . }}-temp-upgrade-usercred \ No newline at end of file
diff --git a/kubernetes/common/mariadb-galera/resources/upgrade-scripts.sh b/kubernetes/common/mariadb-galera/resources/upgrade-scripts.sh
deleted file mode 100644
index ff44606e23..0000000000
--- a/kubernetes/common/mariadb-galera/resources/upgrade-scripts.sh
+++ /dev/null
@@ -1,101 +0,0 @@
-#!/bin/bash
-MYSQL_USER=$(kubectl exec -n $NAMESPACE_ENV \
- {{ include "common.fullname" . }}-0 -- printenv MYSQL_USER)
-
-MYSQL_PASSWORD=$(kubectl exec -n $NAMESPACE_ENV \
- {{ include "common.fullname" . }}-0 -- printenv MYSQL_PASSWORD)
-
-MYSQL_ROOT_PASSWORD=$(kubectl exec -n $NAMESPACE_ENV \
- {{ include "common.fullname" . }}-0 -- printenv MYSQL_ROOT_PASSWORD)
-
-kubectl create secret generic \
- '{{ include "common.fullname" . }}'-temp-upgrade-root \
- --from-literal=password=$MYSQL_ROOT_PASSWORD
-
-kubectl create secret generic \
- '{{ include "common.fullname" . }}'-temp-upgrade-usercred \
- --from-literal=login=$MYSQL_USER --from-literal=password=$MYSQL_PASSWORD
-
-kubectl create -f /upgrade/create-deployment.yml
-
-TEMP_POD=$(kubectl get pod -n $NAMESPACE_ENV --selector \
- app='{{ include "common.fullname" . }}' -o \
- jsonpath='{.items[?(@.metadata.ownerReferences[].kind=="ReplicaSet")].metadata.name}')
-
-CLUSTER_NO=$(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- \
- mysql --skip-column-names -h{{ $.Values.service.name }} -u$MYSQL_USER \
- -p$MYSQL_PASSWORD -e "SHOW GLOBAL STATUS LIKE 'wsrep_cluster_size';" | \
- awk '{print $2}')
-
-CLUSTER_STATE=$(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- \
- mysql --skip-column-names -h{{ $.Values.service.name }} -u$MYSQL_USER \
- -p$MYSQL_PASSWORD -e "SHOW GLOBAL STATUS LIKE 'wsrep_local_state_comment';" \
- | awk '{print $2}')
-
-STS_REPLICA=$(kubectl get statefulsets -n $NAMESPACE_ENV \
- {{ include "common.fullname" . }} -o jsonpath='{.status.replicas}')
-
-DEPLOYMENT_REPLICA=$(kubectl get deployment -n $NAMESPACE_ENV \
- {{ include "common.fullname" . }}-upgrade-deployment -o \
- jsonpath='{.status.replicas}')
-
-while [[ ! $CLUSTER_NO == $((STS_REPLICA+DEPLOYMENT_REPLICA)) ]] \
- || [[ ! $CLUSTER_STATE == "Synced" ]]
-do
- echo "$CLUSTER_NO and $CLUSTER_STATE"
- CLUSTER_NO=$(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- mysql \
- --skip-column-names -h{{ $.Values.service.name }} -u$MYSQL_USER \
- -p$MYSQL_PASSWORD -e "SHOW GLOBAL STATUS LIKE 'wsrep_cluster_size';" \
- | awk '{print $2}')
- CLUSTER_STATE=$(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- mysql \
- --skip-column-names -h{{ $.Values.service.name }} -u$MYSQL_USER \
- -p$MYSQL_PASSWORD -e "SHOW GLOBAL STATUS LIKE 'wsrep_local_state_comment';" \
- | awk '{print $2}')
- sleep 2
- if [[ $CLUSTER_NO == $((STS_REPLICA+DEPLOYMENT_REPLICA)) ]] \
- && [[ $CLUSTER_STATE == "Synced" ]]
- then
- echo "The cluster has $CLUSTER_NO members and $CLUSTER_STATE state."
- break
- fi
-done
-
-MYSQL_STATUS=$(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- mysqladmin \
- -uroot -p$MYSQL_ROOT_PASSWORD ping)
-
-while [[ ! $MYSQL_STATUS == "mysqld is alive" ]]
-do
- echo "Mariadb deployment is not ready yet."
- sleep 2
- MYSQL_STATUS=$(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- mysqladmin \
- -uroot -p$MYSQL_ROOT_PASSWORD ping)
- if [[ $MYSQL_STATUS == "mysqld is alive" ]]
- then
- echo "Mariadb deployment is ready."
- break
- fi
-done
-
-kubectl scale statefulsets {{ include "common.fullname" . }} --replicas=0
-MY_REPLICA_NUMBER=$(kubectl get statefulsets -n $NAMESPACE_ENV \
- {{ include "common.fullname" . }} -o jsonpath='{.status.replicas}')
-echo "The the cluster has $MY_REPLICA_NUMBER replicas."
-
-while [[ ! $MY_REPLICA_NUMBER == "0" ]]
-do
- echo "The cluster is not scaled to 0 yet. Please wait ..."
- MY_REPLICA_NUMBER=$(kubectl get statefulsets -n $NAMESPACE_ENV \
- {{ include "common.fullname" . }} -o jsonpath='{.status.replicas}')
- echo "The current status of the cluster is $MY_REPLICA_NUMBER"
- sleep 2
- if [[ $MY_REPLICA_NUMBER == "0" ]]
- then
- break
- fi
-done
-
-for (( index=0; index<$STS_REPLICA; index+=1 ))
-do
- kubectl delete pvc \
- "{{ include "common.fullname" . }}-data-{{ include "common.fullname" . }}-$index"
-done
diff --git a/kubernetes/common/mariadb-galera/templates/configmap.yaml b/kubernetes/common/mariadb-galera/templates/configmap.yaml
index 685901fa95..a7064d7ce4 100644
--- a/kubernetes/common/mariadb-galera/templates/configmap.yaml
+++ b/kubernetes/common/mariadb-galera/templates/configmap.yaml
@@ -1,6 +1,6 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada
-# Copyright © 2020 Samsung Electronics, and TATA Communications
+# Copyright © 2020 Samsung Electronics
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,6 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
+
{{- if .Values.externalConfig }}
apiVersion: v1
kind: ConfigMap
@@ -42,37 +43,3 @@ metadata:
heritage: {{ .Release.Service }}
data:
{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-upgrade-deployment
- annotations:
- "helm.sh/hook": "pre-upgrade"
- "helm.sh/hook-weight": "0"
- "helm.sh/hook-delete-policy": hook-succeeded
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-post-upgrade-deployment
- annotations:
- "helm.sh/hook": "post-upgrade"
- "helm.sh/hook-weight": "0"
- "helm.sh/hook-delete-policy": hook-succeeded
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/post-upgrade-script.sh").AsConfig . | indent 2 }}
diff --git a/kubernetes/common/mariadb-galera/templates/job.yaml b/kubernetes/common/mariadb-galera/templates/job.yaml
deleted file mode 100644
index cc71bb855c..0000000000
--- a/kubernetes/common/mariadb-galera/templates/job.yaml
+++ /dev/null
@@ -1,107 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ include "common.fullname" . }}-pre-upgrade
- annotations:
- "helm.sh/hook": "pre-upgrade"
- "helm.sh/hook-weight": "1"
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-spec:
- template:
- spec:
- securityContext:
- fsGroup: 1001
- runAsUser: 1001
- containers:
- - name: mariadb-job-pre-upgrade
- image: {{ .Values.global.kubectlImage}}
- imagePullPolicy: IfNotPresent
- env:
- - name: NAMESPACE_ENV
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- command: ["/bin/bash", "-c", "--"]
- args: ["/upgrade/upgrade-scripts.sh"]
- volumeMounts:
- - name: config-mariadb-upgrade
- mountPath: /upgrade
- volumes:
- - name: config-mariadb-upgrade
- configMap:
- name: {{ include "common.fullname" . }}-upgrade-deployment
- defaultMode: 0777
- restartPolicy: OnFailure
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ include "common.fullname" . }}-post-upgrade
- annotations:
- "helm.sh/hook": "post-upgrade"
- "helm.sh/hook-weight": "1"
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-spec:
- template:
- spec:
- securityContext:
- fsGroup: 1001
- runAsUser: 0
- initContainers:
- - image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
- name: mariadb-galera-upgrade-readiness
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- command:
- - /root/ready.py
- args:
- - --container-name
- - mariadb-galera
- containers:
- - name: mariadb-job-post-upgrade
- image: {{ .Values.global.kubectlImage}}
- imagePullPolicy: IfNotPresent
- env:
- - name: NAMESPACE_ENV
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- command: ["/bin/bash", "-c", "--"]
- args: ["/upgrade/post-upgrade-script.sh"]
- volumeMounts:
- - name: config-mariadb-upgrade
- mountPath: /upgrade
- volumes:
- - name: config-mariadb-upgrade
- configMap:
- name: {{ include "common.fullname" . }}-post-upgrade-deployment
- defaultMode: 0777
- restartPolicy: OnFailure
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ include "common.fullname" . }}-post-delete
- annotations:
- "helm.sh/hook": "post-delete"
- "helm.sh/hook-weight": "1"
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-spec:
- template:
- spec:
- containers:
- - name: mariadb-job-post-delete
- image: {{ .Values.global.kubectlImage}}
- imagePullPolicy: IfNotPresent
- command: ["/bin/bash", "-c", "--"]
- args:
- - for ((index=0;index<{{ $.Values.replicaCount }};index+=1));
- do kubectl delete pvc "{{ include "common.fullname" . }}-data-{{ include "common.fullname" . }}-$index";
- done; kubectl delete deployment {{ include "common.fullname" . }}-upgrade-deployment;
- restartPolicy: OnFailure
diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml
index 4ccb0e5c6e..af08ea3d58 100644
--- a/kubernetes/common/mariadb-galera/values.yaml
+++ b/kubernetes/common/mariadb-galera/values.yaml
@@ -42,10 +42,7 @@ global:
readinessRepository: oomk8s
readinessImage: readiness-check:2.0.2
- busyboxImage: busybox:1.30
- busyboxRepository: docker.io
- # kubeclt image
- kubectlImage: "bitnami/kubectl:1.15"
+
#################################################################
# Application configuration defaults.
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index 2f42223452..1723ad5d39 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -53,16 +53,6 @@ global:
# logging agent - temporary repo until images migrated to nexus3
loggingRepository: docker.elastic.co
- # dockerHub main repository
- dockerHubRepository: docker.io
-
- # busybox repo and image
- busyboxRepository: docker.io
- busyboxImage: busybox:1.30
-
- # kubeclt image
- kubectlImage: "bitnami/kubectl:1.15"
-
# image pull policy
pullPolicy: Always
diff --git a/kubernetes/policy/charts/pap/templates/deployment.yaml b/kubernetes/policy/charts/pap/templates/deployment.yaml
index 39ac8a81ec..6925d772d1 100644
--- a/kubernetes/policy/charts/pap/templates/deployment.yaml
+++ b/kubernetes/policy/charts/pap/templates/deployment.yaml
@@ -68,6 +68,11 @@ spec:
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/pap/bin/policy-pap.sh"]
args: ["/opt/app/policy/pap/etc/mounted/config.json"]
+ env:
+ - name: KEYSTORE_PASSWD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }}
+ - name: TRUSTSTORE_PASSWD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }}
ports:
- containerPort: {{ .Values.service.internalPort }}
# disable liveness probe when breakpoints set in debugger
diff --git a/kubernetes/policy/charts/pap/values.yaml b/kubernetes/policy/charts/pap/values.yaml
index dc7a58d804..47597f08c2 100644
--- a/kubernetes/policy/charts/pap/values.yaml
+++ b/kubernetes/policy/charts/pap/values.yaml
@@ -54,6 +54,17 @@ secrets:
login: '{{ .Values.healthCheckRestClient.distribution.user }}'
password: '{{ .Values.healthCheckRestClient.distribution.password }}'
passwordPolicy: required
+ - uid: keystore-password
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}'
+ password: '{{ .Values.certStores.keyStorePassword }}'
+ passwordPolicy: required
+ - uid: truststore-password
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}'
+ password: '{{ .Values.certStores.trustStorePassword }}'
+ passwordPolicy: required
+
#################################################################
# Application configuration defaults.
@@ -81,6 +92,9 @@ healthCheckRestClient:
distribution:
user: healthcheck
password: zb!XztG34
+certStores:
+ keyStorePassword: Pol1cy_0nap
+ trustStorePassword: Pol1cy_0nap
# default number of instances
replicaCount: 1
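Review bot: `certStores.keyStorePassword` and `certStores.trustStorePassword` default to the same published literal, and with `passwordPolicy: required` in the hunk above that literal lands in the rendered Secret of any install that does not override it. The same block is repeated in the policy-api, policy-distribution and policy-xacml-pdp `values.yaml` hunks. If the value has to match keystores baked into the images (not visible here), say so above the block, e.g. `# must match the keystore shipped in the image; override together with a custom keystore`. The comment should also name `keyStorePasswordExternalSecret` and `trustStorePasswordExternalSecret`, which the new secrets entries read but which are not declared under `certStores`.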
diff --git a/kubernetes/policy/charts/policy-api/templates/deployment.yaml b/kubernetes/policy/charts/policy-api/templates/deployment.yaml
index e1f699eccf..53f232af74 100644
--- a/kubernetes/policy/charts/policy-api/templates/deployment.yaml
+++ b/kubernetes/policy/charts/policy-api/templates/deployment.yaml
@@ -61,6 +61,11 @@ spec:
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/api/bin/policy-api.sh"]
args: ["/opt/app/policy/api/etc/mounted/config.json"]
+ env:
+ - name: KEYSTORE_PASSWD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }}
+ - name: TRUSTSTORE_PASSWD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }}
ports:
- containerPort: {{ .Values.service.internalPort }}
# disable liveness probe when breakpoints set in debugger
diff --git a/kubernetes/policy/charts/policy-api/values.yaml b/kubernetes/policy/charts/policy-api/values.yaml
index ba12db21de..00675399b4 100644
--- a/kubernetes/policy/charts/policy-api/values.yaml
+++ b/kubernetes/policy/charts/policy-api/values.yaml
@@ -40,6 +40,16 @@ secrets:
login: '{{ .Values.restServer.user }}'
password: '{{ .Values.restServer.password }}'
passwordPolicy: required
+ - uid: keystore-password
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}'
+ password: '{{ .Values.certStores.keyStorePassword }}'
+ passwordPolicy: required
+ - uid: truststore-password
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}'
+ password: '{{ .Values.certStores.trustStorePassword }}'
+ passwordPolicy: required
#################################################################
# Application configuration defaults.
@@ -59,6 +69,9 @@ db:
restServer:
user: healthcheck
password: zb!XztG34
+certStores:
+ keyStorePassword: Pol1cy_0nap
+ trustStorePassword: Pol1cy_0nap
# default number of instances
replicaCount: 1
diff --git a/kubernetes/policy/charts/policy-distribution/templates/deployment.yaml b/kubernetes/policy/charts/policy-distribution/templates/deployment.yaml
index b3b017acd3..b0dbac9526 100644
--- a/kubernetes/policy/charts/policy-distribution/templates/deployment.yaml
+++ b/kubernetes/policy/charts/policy-distribution/templates/deployment.yaml
@@ -53,6 +53,11 @@ spec:
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/distribution/bin/policy-dist.sh"]
args: ["/opt/app/policy/distribution/etc/mounted/config.json"]
+ env:
+ - name: KEYSTORE_PASSWD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }}
+ - name: TRUSTSTORE_PASSWD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }}
ports:
- containerPort: {{ .Values.service.internalPort }}
# disable liveness probe when breakpoints set in debugger
diff --git a/kubernetes/policy/charts/policy-distribution/values.yaml b/kubernetes/policy/charts/policy-distribution/values.yaml
index 73c9e99e61..dfed7648d4 100644
--- a/kubernetes/policy/charts/policy-distribution/values.yaml
+++ b/kubernetes/policy/charts/policy-distribution/values.yaml
@@ -45,6 +45,16 @@ secrets:
login: '{{ .Values.sdcBe.user }}'
password: '{{ .Values.sdcBe.password }}'
passwordPolicy: required
+ - uid: keystore-password
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}'
+ password: '{{ .Values.certStores.keyStorePassword }}'
+ passwordPolicy: required
+ - uid: truststore-password
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}'
+ password: '{{ .Values.certStores.trustStorePassword }}'
+ passwordPolicy: required
#################################################################
# Global configuration defaults.
@@ -78,6 +88,9 @@ papParameters:
sdcBe:
user: policy
password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
+certStores:
+ keyStorePassword: Pol1cy_0nap
+ trustStorePassword: Pol1cy_0nap
# default number of instances
replicaCount: 1
diff --git a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml
index bd126b810b..eb2c776f0d 100644
--- a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml
+++ b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml
@@ -63,6 +63,11 @@ spec:
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"]
args: ["/opt/app/policy/pdpx/etc/mounted/config.json"]
+ env:
+ - name: KEYSTORE_PASSWD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }}
+ - name: TRUSTSTORE_PASSWD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }}
ports:
- containerPort: {{ .Values.service.internalPort }}
# disable liveness probe when breakpoints set in debugger
diff --git a/kubernetes/policy/charts/policy-xacml-pdp/values.yaml b/kubernetes/policy/charts/policy-xacml-pdp/values.yaml
index c9ced1fc13..e3feeab950 100644
--- a/kubernetes/policy/charts/policy-xacml-pdp/values.yaml
+++ b/kubernetes/policy/charts/policy-xacml-pdp/values.yaml
@@ -45,6 +45,16 @@ secrets:
login: '{{ .Values.apiServer.user }}'
password: '{{ .Values.apiServer.password }}'
passwordPolicy: required
+ - uid: keystore-password
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}'
+ password: '{{ .Values.certStores.keyStorePassword }}'
+ passwordPolicy: required
+ - uid: truststore-password
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}'
+ password: '{{ .Values.certStores.trustStorePassword }}'
+ passwordPolicy: required
#################################################################
# Application configuration defaults.
@@ -68,6 +78,9 @@ restServer:
apiServer:
user: healthcheck
password: zb!XztG34
+certStores:
+ keyStorePassword: Pol1cy_0nap
+ trustStorePassword: Pol1cy_0nap
# default number of instances
replicaCount: 1