diff options
Diffstat (limited to 'kubernetes')
21 files changed, 229 insertions, 340 deletions
diff --git a/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-chain.pem b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-chain.pem new file mode 100644 index 0000000000..7d626d3922 --- /dev/null +++ b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-chain.pem @@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIGmjCCBIKgAwIBAgIUKY54WlWSTO1gukYe2chbzm9mVIowDQYJKoZIhvcNAQEL +BQAwfzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCk5ldyBKZXJzZXkxEzARBgNVBAcM +Ck1pZGRsZXRvd24xFzAVBgNVBAoMDk9OQVAgQ29tbXVuaXR5MQ4wDAYDVQQDDAVD +Q1NESzEdMBsGCSqGSIb3DQEJARYOYnMyNzk2QGF0dC5jb20wHhcNMjAwNjA1MDgx +NjAwWhcNMzAwNjAzMDgxNjAwWjB/MQswCQYDVQQGEwJVUzETMBEGA1UECAwKTmV3 +IEplcnNleTETMBEGA1UEBwwKTWlkZGxldG93bjEXMBUGA1UECgwOT05BUCBDb21t +dW5pdHkxDjAMBgNVBAMMBUNDU0RLMR0wGwYJKoZIhvcNAQkBFg5iczI3OTZAYXR0 +LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMNqVzDC+BpV9iV1 +2sB3ya9Bwx2qTqmygV/ZM/2/Bd6z4duUHd5dK3ZeRablfB2HmaFsjXTTvf+/nVC8 +Q0e4yrOBXRY6qGD27YEkwTebP1Mjvj5uOuamGr6bsZOuJr8HooIA5L25D5GZ37bV +H4Wq1xz1PG+PgldUf/YXOcwuzO2Nq3FS3I0xKeaNI5YmmlW8gFeGKtPR8vRwpg45 +I+orp2NnO7tFqjwxO3Ka7se9s9fy3GUg0Yn4N1So36r3G2NNbueN34I/d8IazT3Z +dnWT4amnMXy455ijr1yucaGwKkc7nQDn2cNGlQOIlpzEU90w/V8ne73hAfWKZ+7p +o3BFOE1X0PV1fFZ4d9rf7slUCWYiUcaKRBbCf+Tu3EBonpJJBQBJTb78pln/5x5r +d9av0eruCm0K8MZVgHPNRnZVeggi34YFGo1MmDMZDPAYSxBX7z106QmHJiuFvzdc +u2AIht5jMnXERGO1mzLtjUjWgdjN2zxpARiCPoR59jBuX/DO+vBeSJZ3dFjWFHrM +2bDg8328ZU6/cVoU30vKR9J+CrBv+V5mvpqRVx/atHIuJ6aQne1FW+qYE/aWw6CH +IrJbHXLYb1T6nMhzu7rX5YVXSDGu5wLTjnBZlh8XVjn3UBgopS4EnceJRW9Jn01L +sGlNoEamKVVZ8jS4dif+8zgLsznzAgMBAAGjggEMMIIBCDAdBgNVHQ4EFgQUaigR +IIb+2J4zJ4bi2IIxICIOSyMwHwYDVR0jBBgwFoAUaigRIIb+2J4zJ4bi2IIxICIO +SyMwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYBBQUHAwEw +awYDVR0RBGQwYoIRKmNkcy1jb250cm9sbGVyLSqCEipjZHMtcHktZXhlY3V0b3It +KoIMKnB5LWV4ZWN1dG9ygg4qcHktZXhlY3V0b3ItKoIKKi1weWV4ZWMtKoIJbG9j +YWxob3N0hwR/AAABMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBD +ZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAgEAMooc0ZyZVzLePmm0q2iU6jls +ORmfpNXe/MqCRfEPr7sZAy3jGtJK9+ShoVVbvQbXaQ2wDe9XxwnrblWB+SaAwZiL +A8gF7ozgwavatwZ70683fnCsPC061WDlC965UWCbPL5opxW4ulL3meSYEdzvS3hm +oxeMhaLJSZpkk4D9tyVHwPtLJBpWD5a3rp9y6e2Q87XhrQKB+y2/QHeaDs3l+tKa +o6GW/PqKKM3ktboXBlGDT7bLhCpg179dOzXgdtHNtqv7zmXLDbGKV0mbQpjBVu72 +tWKf6KoVFhvXQP2he6vgvcMeycOS9ff3RLePwt61WiDXnQ97kD2UubTrdsQ0QieZ +r5NHeDQEEnEMW9kHQrYDEGk5s881QTg8EmrKKdcUH9+65ka/0HnKF9cQ+MklRMtG +8QDiwTd8AIyeOLg/9l9VP09IglksrmkfxqWD7zFyFKlyZZbiBH5XrYGlnGgezIUx +T41ulfQyQ6Ef1z97EUzYTOmxWRWReoFbLsqFOg1KLD2Y0wZkT22IdBreEO9W/W+X +OQuLLA3qwOZMF/mKwzp6SSLbelVIOhhx4k1sQy95dqMMQQMuLK/uPNETlenE36fT +yhiCa7B6VyPKVsYDcte2Cs8wo2uhMb7i5VaFIZD8Cjswkx1GbcQs9X0Fm1W9g5J0 +j/cJjXSeCIp84F+fxZo= +-----END CERTIFICATE----- diff --git a/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-key.pem b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-key.pem new file mode 100644 index 0000000000..c6ef005641 --- /dev/null +++ b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-key.pem @@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDDalcwwvgaVfYl +ddrAd8mvQcMdqk6psoFf2TP9vwXes+HblB3eXSt2XkWm5Xwdh5mhbI10073/v51Q +vENHuMqzgV0WOqhg9u2BJME3mz9TI74+bjrmphq+m7GTria/B6KCAOS9uQ+Rmd+2 +1R+Fqtcc9Txvj4JXVH/2FznMLsztjatxUtyNMSnmjSOWJppVvIBXhirT0fL0cKYO +OSPqK6djZzu7Rao8MTtymu7HvbPX8txlINGJ+DdUqN+q9xtjTW7njd+CP3fCGs09 +2XZ1k+GppzF8uOeYo69crnGhsCpHO50A59nDRpUDiJacxFPdMP1fJ3u94QH1imfu +6aNwRThNV9D1dXxWeHfa3+7JVAlmIlHGikQWwn/k7txAaJ6SSQUASU2+/KZZ/+ce +a3fWr9Hq7gptCvDGVYBzzUZ2VXoIIt+GBRqNTJgzGQzwGEsQV+89dOkJhyYrhb83 +XLtgCIbeYzJ1xERjtZsy7Y1I1oHYzds8aQEYgj6EefYwbl/wzvrwXkiWd3RY1hR6 +zNmw4PN9vGVOv3FaFN9LykfSfgqwb/leZr6akVcf2rRyLiemkJ3tRVvqmBP2lsOg +hyKyWx1y2G9U+pzIc7u61+WFV0gxrucC045wWZYfF1Y591AYKKUuBJ3HiUVvSZ9N +S7BpTaBGpilVWfI0uHYn/vM4C7M58wIDAQABAoICAGFZMGZSOlakTCMNOxR2mDp+ +gDzfAqD3FAwzn/rgloQDCJjiiJ6lu2kUPY6O8+2iB56q/S0d7qDhS/VUVA/+trwF +zeGtBwSG/no/XSHebQV14Ogo8Z7FUL1zwlrXfuXbX9FzsH/zGRZnmVLziOiF2vPK +F3lb/IqUxcpKd7iH9/6/fJDPvp93xm/cD8ZVJL1hUm5HoD41cNrk41RiksmtRY33 +d4IrikrCG+NT23AVyOnjSnf2iWw6AxZhqkr5HuOxR3aC7r1r8LT5tRUCqEiaiuiB +Kd4AHx+jK1D4dhMeN3GU+PnihlEJcGJ6QM2H4F9ocFBe0v4cgWVYtb4HFixvz0OY +E+4vsrMObxVBkJtEvEntdQqBEKxdHUotTzJvF3NocncM65VzKViyCBiFXyijQ2Aw +zFtyBNSzMLMBfkfJNXKhlDz4sOeDFjVaDTl6Rn3tnIHpjgbbbm5CXqNi0JRNi36C +/ANTAoxrol/FSkPxdsCdhYaU6CxZpelu2FbwjyV189dEyCROOTelqAC0k0YsmcOJ +FsQEkr8baWTIjgKta+kxo8SllPWntDeXfiM6iI4NeAwneIIJwqQb5WQiJWtnv0QX +eH/cbnXHJgxTw4Hb0LzDBYG3nY5LHW//eaXTt1vSwJh7AbPo0hl7JBe6JNUMT9ih ++LUE1zzOj3dJbnFh+QLBAoIBAQD601wIBHeGnm4TwnjpEWExb2VlC0uMYhik1uql +1zCsn7vgCFspq2tJugfALG4QEoti51AHkOybHX43jD6wvtPFT1HNL7yP63Zm27GP +3bkCsZLVWnIEtPCR266ENSdGr3cnoO91Pf4efINKlZPIo4jLwfYgJhcVbhHb57uw +j/VKhit9Cm+OnPD7PpKiGi4vUQPnbeIZsUTf5v4lYLR5r9uW91q07mS+jsoKcPyy +dHZBM1nz7vMQitTYAhL17x6rINtTl7ulBHfLxHpPZxvVN5z+pJpKhYJP2pIWwKZY +EBBMefiJhx6pR/T4YlFMdx0AmvVbeYZraIhh2vyNH5IeygNXAoIBAQDHclpbFNyd +ZfkufMIq7N0oGDOuYwfzfAYK93lHgAm6NXibbyY7v49WAViOILSSGo4edCB53mLq +9bLCsc0x9SL/OgZTCHwlY3cgc3WNAbICCsvinZS87XwPU3ZEMzy5T9AA1WlV0QSv +6FXffF71skKM7yaWRhNJ6zWLSVBZ5iRAcmg5IboWFseGx845RSp/M1FZTuRvX5Ne +7qQyJfJ0pu72Y6KkICpOqLmWYbxs3bcBpXdIGueUC4A6QlY+QrbGjGapkNhWzM1x +vMK+8cpuSNhIHDtEWf43jw0Oz59vmPws/iTENtk4RDgIncD7bJ4HWjb+ZZtjHnSG +r7L/HKS69ZjFAoIBAQDbpCwKBUdZhfCksv5IMeTnckHa+socU2Z7Kovtz4ObFoFh +jE+wLKDVvea9nOqAfoy6fg4xofHfXzNAlznqciBlvrDGOhAoAyv6pFVXwvQY7MDE +vd/sSToEr9ehhB4xosN321D1XOTjc2tQ66yu3K2Up/PMcS5zoKBY7hMIaPeGW/lH +FNVdkAbiLAghlUVuP8ZoaWu9zeKfItrYhldj2+Ax0ccHe16TE9zOyeQurRdEvx/9 +IPiOOtRpl19dJxi3CB2nlM5HkaMJt7LXR1YzHvEGd8N4kHLtVFvrOqYvpVlwbrp6 +S+1IlW9p9kZ07DVka02B3egctDwBXM8dEVFWTtYfAoIBAFOhB3IZlUgKcimj9ma5 +WyJsw37j13mpD3+ZtSjd7zY9JY1HVejHsfqGJfOykwSQTfdHCjcPoLqUu5gXpcrE +1x/d3LkEXcnvowvgXfH6PAHPNR6YpL1zdwmWHYkLUvMBHF69HaX2NtjrutYy+D5d +uLoPrUZlq8Da92CoJSEM9zZuwnTyR2zrsE47iaVJ8z/S7NFd2zs4ADtWJVNBxiBT +vu9hZ9kaA6Nn7Cm6YZ/kd9Ag6Zs6bNAO4n2LQ05n+uvWA1YmfhAnYB3I4H/gMtl7 +gfT6oX9PnOD/AqKrPFc29saG6jO8K+kD8drrCvhh2wGKOnUBdd5h7spq8cs233vl +b2ECggEAKL5rjbcUhRtJjobcIqnk1FeN43cXmFnlIICsY3ouskzGgDx5z4f8e9Oo +1fzoV4PVBf7uVPjgyiQy4Zio3qOcodvUi1xdv0mQEJzwyKpd12842pqVh3IvcVwf +V64Yr5m5CylDAfIsabT4uP9Cmh7TC87YD3Fiu2OPUTTIWfLY16iJfV8lvLyBxFNE +8VAqgnf3EH9VBNFWVUSaPcLO2BoduC1v74utK+T9+bqdLujBP5ZfQ1anfvYMlQVE +1e5twdnYJTHHWhlT6EtnaHmLJ0SuTFJfZNxxdAeRWyyqnS0vZvWvIonafnVi6g5X +m3FiOonz1SF53erfm5chlHxpQbUIhA== +-----END PRIVATE KEY----- diff --git a/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor.conf b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor.conf new file mode 100644 index 0000000000..547810b081 --- /dev/null +++ b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor.conf @@ -0,0 +1,46 @@ +[req] +default_bits = 4096 +default_keyfile = py-executor-key.pem +distinguished_name = subject +req_extensions = extensions +x509_extensions = extensions +string_mask = utf8only + +[ subject ] +countryName = Country Name (2 letter code) +countryName_default = US + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = New Jersey + +localityName = Locality Name (eg, city) +localityName_default = Middletown + +organizationName = Organization Name (eg, company) +organizationName_default = ONAP Community + +commonName = Common Name (e.g. server FQDN or YOUR name) +commonName_default = CCSDK + +emailAddress = Email Address +emailAddress_default = bs2796@att.com + +[ extensions ] + +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names +nsComment = "OpenSSL Generated Certificate" + +[alt_names] +DNS.1 = *cds-controller-* +DNS.2 = *cds-py-executor-* +DNS.3 = *py-executor +DNS.4 = *py-executor-* +DNS.5 = *-pyexec-* +DNS.6 = localhost +IP.1 = 127.0.0.1 diff --git a/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml b/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml index f9c3377dd8..4210a0311a 100755 --- a/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml +++ b/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml @@ -66,15 +66,14 @@ spec: readOnly: true - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints - resources: -{{ include "common.resources" . | nindent 12 }} + - mountPath: /opt/app/onap/python/certs/py-executor/ + name: certificates + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | nindent 10 }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | nindent 10 }} + affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} volumes: - name: localtime @@ -86,5 +85,8 @@ spec: - name: {{ include "common.fullname" . }}-blueprints persistentVolumeClaim: claimName: {{ include "common.release" . }}-cds-blueprints + - name: certificates + secret: + secretName: {{ include "common.secret.getSecretNameFast" (dict "global" . "uid" "cds-py-onap-certs") }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml b/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml index c36607b172..c13b7d814b 100644 --- a/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml +++ b/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml @@ -12,4 +12,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{ include "common.secretFast" . }}
\ No newline at end of file +{{ include "common.secretFast" . }} diff --git a/kubernetes/cds/charts/cds-py-executor/values.yaml b/kubernetes/cds/charts/cds-py-executor/values.yaml index bbae1b9e5a..2b3ffa3971 100755 --- a/kubernetes/cds/charts/cds-py-executor/values.yaml +++ b/kubernetes/cds/charts/cds-py-executor/values.yaml @@ -79,6 +79,14 @@ secrets: login: '{{ .Values.config.apiUsername }}' password: '{{ .Values.config.apiPassword }}' passwordPolicy: required + - uid: "cds-py-onap-certs" + name: '{{ include "common.release" . }}-cds-py-certs' + externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' + type: generic + filePaths: + - resources/certs/py-executor.conf + - resources/certs/py-executor-chain.pem + - resources/certs/py-executor-key.pem config: # the api credentials below are used to authenticate communication with blueprint diff --git a/kubernetes/common/mariadb-galera/resources/create-deployment.yml b/kubernetes/common/mariadb-galera/resources/create-deployment.yml deleted file mode 100644 index 61bfc78945..0000000000 --- a/kubernetes/common/mariadb-galera/resources/create-deployment.yml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" (dict "suffix" "upgrade-deployment" "dot" .) | nindent 4 }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ include "common.fullname" . }} - template: - metadata: - labels: - app: {{ include "common.fullname" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: "{{ include "common.repository" . }}/{{ .Values.image }}" - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - - containerPort: {{ .Values.service.sstPort }} - name: {{ .Values.service.sstPortName }} - - containerPort: {{ .Values.service.replicationPort }} - name: {{ .Values.service.replicationName }} - - containerPort: {{ .Values.service.istPort }} - name: {{ .Values.service.istPortName }} - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: MYSQL_USER - valueFrom: - secretKeyRef: - key: login - name: {{ include "common.fullname" . }}-temp-upgrade-usercred - - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: {{ include "common.fullname" . }}-temp-upgrade-usercred - - name: MYSQL_DATABASE - value: {{ default "" .Values.config.mysqlDatabase | quote }} - - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: {{ include "common.fullname" . }}-temp-upgrade-root - subdomain: {{ .Values.service.name }} - hostname: {{ .Values.nameOverride }}-upgrade-deployment
\ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/resources/post-upgrade-script.sh b/kubernetes/common/mariadb-galera/resources/post-upgrade-script.sh deleted file mode 100644 index 132ac27ea2..0000000000 --- a/kubernetes/common/mariadb-galera/resources/post-upgrade-script.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash - -TEMP_POD=$(kubectl get pod -n $NAMESPACE_ENV --selector \ - app='{{ include "common.fullname" . }}' -o \ - jsonpath='{.items[?(@.metadata.ownerReferences[].kind=="ReplicaSet")].metadata.name}') - -tmp_MYSQL_PASSWORD=$(echo -n $(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- printenv \ - MYSQL_PASSWORD) | base64) - -tmp_ROOT_PASSWORD=$(echo -n $(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- printenv \ - MYSQL_ROOT_PASSWORD) | base64) - -FLAG_EX_ROOT_SEC='{{ include "common.secret.getSecretNameFast" (dict "global" . "uid" (include "common.mariadb.secret.rootPassUID" .)) }}' - -FLAG_EX_SEC='{{ include "common.secret.getSecretNameFast" (dict "global" . "uid" (include "common.mariadb.secret.userCredentialsUID" .)) }}' - -kubectl patch secret $FLAG_EX_ROOT_SEC -p \ - '{"data":{"password":"'"$tmp_ROOT_PASSWORD"'"}}' - -kubectl patch secret $FLAG_EX_SEC -p \ - '{"data":{"password":"'"$tmp_MYSQL_PASSWORD"'"}}' - -kubectl delete pod -n $NAMESPACE_ENV {{ include "common.fullname" . }}-0 --now -kubectl delete deployment -n $NAMESPACE_ENV {{ include "common.fullname" . }}-upgrade-deployment -kubectl delete secret -n $NAMESPACE_ENV {{ include "common.fullname" . }}-temp-upgrade-root -kubectl delete secret -n $NAMESPACE_ENV {{ include "common.fullname" . }}-temp-upgrade-usercred
\ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/resources/upgrade-scripts.sh b/kubernetes/common/mariadb-galera/resources/upgrade-scripts.sh deleted file mode 100644 index ff44606e23..0000000000 --- a/kubernetes/common/mariadb-galera/resources/upgrade-scripts.sh +++ /dev/null @@ -1,101 +0,0 @@ -#!/bin/bash -MYSQL_USER=$(kubectl exec -n $NAMESPACE_ENV \ - {{ include "common.fullname" . }}-0 -- printenv MYSQL_USER) - -MYSQL_PASSWORD=$(kubectl exec -n $NAMESPACE_ENV \ - {{ include "common.fullname" . }}-0 -- printenv MYSQL_PASSWORD) - -MYSQL_ROOT_PASSWORD=$(kubectl exec -n $NAMESPACE_ENV \ - {{ include "common.fullname" . }}-0 -- printenv MYSQL_ROOT_PASSWORD) - -kubectl create secret generic \ - '{{ include "common.fullname" . }}'-temp-upgrade-root \ - --from-literal=password=$MYSQL_ROOT_PASSWORD - -kubectl create secret generic \ - '{{ include "common.fullname" . }}'-temp-upgrade-usercred \ - --from-literal=login=$MYSQL_USER --from-literal=password=$MYSQL_PASSWORD - -kubectl create -f /upgrade/create-deployment.yml - -TEMP_POD=$(kubectl get pod -n $NAMESPACE_ENV --selector \ - app='{{ include "common.fullname" . }}' -o \ - jsonpath='{.items[?(@.metadata.ownerReferences[].kind=="ReplicaSet")].metadata.name}') - -CLUSTER_NO=$(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- \ - mysql --skip-column-names -h{{ $.Values.service.name }} -u$MYSQL_USER \ - -p$MYSQL_PASSWORD -e "SHOW GLOBAL STATUS LIKE 'wsrep_cluster_size';" | \ - awk '{print $2}') - -CLUSTER_STATE=$(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- \ - mysql --skip-column-names -h{{ $.Values.service.name }} -u$MYSQL_USER \ - -p$MYSQL_PASSWORD -e "SHOW GLOBAL STATUS LIKE 'wsrep_local_state_comment';" \ - | awk '{print $2}') - -STS_REPLICA=$(kubectl get statefulsets -n $NAMESPACE_ENV \ - {{ include "common.fullname" . }} -o jsonpath='{.status.replicas}') - -DEPLOYMENT_REPLICA=$(kubectl get deployment -n $NAMESPACE_ENV \ - {{ include "common.fullname" . }}-upgrade-deployment -o \ - jsonpath='{.status.replicas}') - -while [[ ! $CLUSTER_NO == $((STS_REPLICA+DEPLOYMENT_REPLICA)) ]] \ - || [[ ! $CLUSTER_STATE == "Synced" ]] -do - echo "$CLUSTER_NO and $CLUSTER_STATE" - CLUSTER_NO=$(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- mysql \ - --skip-column-names -h{{ $.Values.service.name }} -u$MYSQL_USER \ - -p$MYSQL_PASSWORD -e "SHOW GLOBAL STATUS LIKE 'wsrep_cluster_size';" \ - | awk '{print $2}') - CLUSTER_STATE=$(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- mysql \ - --skip-column-names -h{{ $.Values.service.name }} -u$MYSQL_USER \ - -p$MYSQL_PASSWORD -e "SHOW GLOBAL STATUS LIKE 'wsrep_local_state_comment';" \ - | awk '{print $2}') - sleep 2 - if [[ $CLUSTER_NO == $((STS_REPLICA+DEPLOYMENT_REPLICA)) ]] \ - && [[ $CLUSTER_STATE == "Synced" ]] - then - echo "The cluster has $CLUSTER_NO members and $CLUSTER_STATE state." - break - fi -done - -MYSQL_STATUS=$(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- mysqladmin \ - -uroot -p$MYSQL_ROOT_PASSWORD ping) - -while [[ ! $MYSQL_STATUS == "mysqld is alive" ]] -do - echo "Mariadb deployment is not ready yet." - sleep 2 - MYSQL_STATUS=$(kubectl exec -n $NAMESPACE_ENV $TEMP_POD -- mysqladmin \ - -uroot -p$MYSQL_ROOT_PASSWORD ping) - if [[ $MYSQL_STATUS == "mysqld is alive" ]] - then - echo "Mariadb deployment is ready." - break - fi -done - -kubectl scale statefulsets {{ include "common.fullname" . }} --replicas=0 -MY_REPLICA_NUMBER=$(kubectl get statefulsets -n $NAMESPACE_ENV \ - {{ include "common.fullname" . }} -o jsonpath='{.status.replicas}') -echo "The the cluster has $MY_REPLICA_NUMBER replicas." - -while [[ ! $MY_REPLICA_NUMBER == "0" ]] -do - echo "The cluster is not scaled to 0 yet. Please wait ..." - MY_REPLICA_NUMBER=$(kubectl get statefulsets -n $NAMESPACE_ENV \ - {{ include "common.fullname" . }} -o jsonpath='{.status.replicas}') - echo "The current status of the cluster is $MY_REPLICA_NUMBER" - sleep 2 - if [[ $MY_REPLICA_NUMBER == "0" ]] - then - break - fi -done - -for (( index=0; index<$STS_REPLICA; index+=1 )) -do - kubectl delete pvc \ - "{{ include "common.fullname" . }}-data-{{ include "common.fullname" . }}-$index" -done diff --git a/kubernetes/common/mariadb-galera/templates/configmap.yaml b/kubernetes/common/mariadb-galera/templates/configmap.yaml index 685901fa95..a7064d7ce4 100644 --- a/kubernetes/common/mariadb-galera/templates/configmap.yaml +++ b/kubernetes/common/mariadb-galera/templates/configmap.yaml @@ -1,6 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada -# Copyright © 2020 Samsung Electronics, and TATA Communications +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,6 +14,7 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} + {{- if .Values.externalConfig }} apiVersion: v1 kind: ConfigMap @@ -42,37 +43,3 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-upgrade-deployment - annotations: - "helm.sh/hook": "pre-upgrade" - "helm.sh/hook-weight": "0" - "helm.sh/hook-delete-policy": hook-succeeded - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-post-upgrade-deployment - annotations: - "helm.sh/hook": "post-upgrade" - "helm.sh/hook-weight": "0" - "helm.sh/hook-delete-policy": hook-succeeded - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/post-upgrade-script.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/common/mariadb-galera/templates/job.yaml b/kubernetes/common/mariadb-galera/templates/job.yaml deleted file mode 100644 index cc71bb855c..0000000000 --- a/kubernetes/common/mariadb-galera/templates/job.yaml +++ /dev/null @@ -1,107 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-pre-upgrade - annotations: - "helm.sh/hook": "pre-upgrade" - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -spec: - template: - spec: - securityContext: - fsGroup: 1001 - runAsUser: 1001 - containers: - - name: mariadb-job-pre-upgrade - image: {{ .Values.global.kubectlImage}} - imagePullPolicy: IfNotPresent - env: - - name: NAMESPACE_ENV - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - command: ["/bin/bash", "-c", "--"] - args: ["/upgrade/upgrade-scripts.sh"] - volumeMounts: - - name: config-mariadb-upgrade - mountPath: /upgrade - volumes: - - name: config-mariadb-upgrade - configMap: - name: {{ include "common.fullname" . }}-upgrade-deployment - defaultMode: 0777 - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-post-upgrade - annotations: - "helm.sh/hook": "post-upgrade" - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -spec: - template: - spec: - securityContext: - fsGroup: 1001 - runAsUser: 0 - initContainers: - - image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" - name: mariadb-galera-upgrade-readiness - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - command: - - /root/ready.py - args: - - --container-name - - mariadb-galera - containers: - - name: mariadb-job-post-upgrade - image: {{ .Values.global.kubectlImage}} - imagePullPolicy: IfNotPresent - env: - - name: NAMESPACE_ENV - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - command: ["/bin/bash", "-c", "--"] - args: ["/upgrade/post-upgrade-script.sh"] - volumeMounts: - - name: config-mariadb-upgrade - mountPath: /upgrade - volumes: - - name: config-mariadb-upgrade - configMap: - name: {{ include "common.fullname" . }}-post-upgrade-deployment - defaultMode: 0777 - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-post-delete - annotations: - "helm.sh/hook": "post-delete" - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -spec: - template: - spec: - containers: - - name: mariadb-job-post-delete - image: {{ .Values.global.kubectlImage}} - imagePullPolicy: IfNotPresent - command: ["/bin/bash", "-c", "--"] - args: - - for ((index=0;index<{{ $.Values.replicaCount }};index+=1)); - do kubectl delete pvc "{{ include "common.fullname" . }}-data-{{ include "common.fullname" . }}-$index"; - done; kubectl delete deployment {{ include "common.fullname" . }}-upgrade-deployment; - restartPolicy: OnFailure diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index 4ccb0e5c6e..af08ea3d58 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -42,10 +42,7 @@ global: readinessRepository: oomk8s readinessImage: readiness-check:2.0.2 - busyboxImage: busybox:1.30 - busyboxRepository: docker.io - # kubeclt image - kubectlImage: "bitnami/kubectl:1.15" + ################################################################# # Application configuration defaults. diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index 2f42223452..1723ad5d39 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -53,16 +53,6 @@ global: # logging agent - temporary repo until images migrated to nexus3 loggingRepository: docker.elastic.co - # dockerHub main repository - dockerHubRepository: docker.io - - # busybox repo and image - busyboxRepository: docker.io - busyboxImage: busybox:1.30 - - # kubeclt image - kubectlImage: "bitnami/kubectl:1.15" - # image pull policy pullPolicy: Always diff --git a/kubernetes/policy/charts/pap/templates/deployment.yaml b/kubernetes/policy/charts/pap/templates/deployment.yaml index 39ac8a81ec..6925d772d1 100644 --- a/kubernetes/policy/charts/pap/templates/deployment.yaml +++ b/kubernetes/policy/charts/pap/templates/deployment.yaml @@ -68,6 +68,11 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/pap/bin/policy-pap.sh"] args: ["/opt/app/policy/pap/etc/mounted/config.json"] + env: + - name: KEYSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} + - name: TRUSTSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger diff --git a/kubernetes/policy/charts/pap/values.yaml b/kubernetes/policy/charts/pap/values.yaml index dc7a58d804..47597f08c2 100644 --- a/kubernetes/policy/charts/pap/values.yaml +++ b/kubernetes/policy/charts/pap/values.yaml @@ -54,6 +54,17 @@ secrets: login: '{{ .Values.healthCheckRestClient.distribution.user }}' password: '{{ .Values.healthCheckRestClient.distribution.password }}' passwordPolicy: required + - uid: keystore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.keyStorePassword }}' + passwordPolicy: required + - uid: truststore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.trustStorePassword }}' + passwordPolicy: required + ################################################################# # Application configuration defaults. @@ -81,6 +92,9 @@ healthCheckRestClient: distribution: user: healthcheck password: zb!XztG34 +certStores: + keyStorePassword: Pol1cy_0nap + trustStorePassword: Pol1cy_0nap # default number of instances replicaCount: 1 diff --git a/kubernetes/policy/charts/policy-api/templates/deployment.yaml b/kubernetes/policy/charts/policy-api/templates/deployment.yaml index e1f699eccf..53f232af74 100644 --- a/kubernetes/policy/charts/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/charts/policy-api/templates/deployment.yaml @@ -61,6 +61,11 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/api/bin/policy-api.sh"] args: ["/opt/app/policy/api/etc/mounted/config.json"] + env: + - name: KEYSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} + - name: TRUSTSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger diff --git a/kubernetes/policy/charts/policy-api/values.yaml b/kubernetes/policy/charts/policy-api/values.yaml index ba12db21de..00675399b4 100644 --- a/kubernetes/policy/charts/policy-api/values.yaml +++ b/kubernetes/policy/charts/policy-api/values.yaml @@ -40,6 +40,16 @@ secrets: login: '{{ .Values.restServer.user }}' password: '{{ .Values.restServer.password }}' passwordPolicy: required + - uid: keystore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.keyStorePassword }}' + passwordPolicy: required + - uid: truststore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.trustStorePassword }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -59,6 +69,9 @@ db: restServer: user: healthcheck password: zb!XztG34 +certStores: + keyStorePassword: Pol1cy_0nap + trustStorePassword: Pol1cy_0nap # default number of instances replicaCount: 1 diff --git a/kubernetes/policy/charts/policy-distribution/templates/deployment.yaml b/kubernetes/policy/charts/policy-distribution/templates/deployment.yaml index b3b017acd3..b0dbac9526 100644 --- a/kubernetes/policy/charts/policy-distribution/templates/deployment.yaml +++ b/kubernetes/policy/charts/policy-distribution/templates/deployment.yaml @@ -53,6 +53,11 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/distribution/bin/policy-dist.sh"] args: ["/opt/app/policy/distribution/etc/mounted/config.json"] + env: + - name: KEYSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} + - name: TRUSTSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger diff --git a/kubernetes/policy/charts/policy-distribution/values.yaml b/kubernetes/policy/charts/policy-distribution/values.yaml index 73c9e99e61..dfed7648d4 100644 --- a/kubernetes/policy/charts/policy-distribution/values.yaml +++ b/kubernetes/policy/charts/policy-distribution/values.yaml @@ -45,6 +45,16 @@ secrets: login: '{{ .Values.sdcBe.user }}' password: '{{ .Values.sdcBe.password }}' passwordPolicy: required + - uid: keystore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.keyStorePassword }}' + passwordPolicy: required + - uid: truststore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.trustStorePassword }}' + passwordPolicy: required ################################################################# # Global configuration defaults. @@ -78,6 +88,9 @@ papParameters: sdcBe: user: policy password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U +certStores: + keyStorePassword: Pol1cy_0nap + trustStorePassword: Pol1cy_0nap # default number of instances replicaCount: 1 diff --git a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml index bd126b810b..eb2c776f0d 100644 --- a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml +++ b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml @@ -63,6 +63,11 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"] args: ["/opt/app/policy/pdpx/etc/mounted/config.json"] + env: + - name: KEYSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} + - name: TRUSTSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger diff --git a/kubernetes/policy/charts/policy-xacml-pdp/values.yaml b/kubernetes/policy/charts/policy-xacml-pdp/values.yaml index c9ced1fc13..e3feeab950 100644 --- a/kubernetes/policy/charts/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/charts/policy-xacml-pdp/values.yaml @@ -45,6 +45,16 @@ secrets: login: '{{ .Values.apiServer.user }}' password: '{{ .Values.apiServer.password }}' passwordPolicy: required + - uid: keystore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.keyStorePassword }}' + passwordPolicy: required + - uid: truststore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.trustStorePassword }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -68,6 +78,9 @@ restServer: apiServer: user: healthcheck password: zb!XztG34 +certStores: + keyStorePassword: Pol1cy_0nap + trustStorePassword: Pol1cy_0nap # default number of instances replicaCount: 1 |