Diffstat (limited to 'kubernetes')
8 files changed, 166 insertions, 18 deletions
diff --git a/kubernetes/dcaegen2-services/Chart.yaml b/kubernetes/dcaegen2-services/Chart.yaml index 83b344b303..83732e8298 100644 --- a/kubernetes/dcaegen2-services/Chart.yaml +++ b/kubernetes/dcaegen2-services/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 appVersion: "Oslo" description: DCAE Microservices name: dcaegen2-services -version: 15.0.0 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index 5e39d51844..183cde0024 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -85,7 +85,7 @@ This template generates a list of volumes associated with the pod, based on information provided in .Values.externalVolumes. This template works in conjunction with dcaegen2-services-common._externalVolumeMounts to give the microservice access to data in volumes created else. -This initial implementation supports ConfigMaps only, as this is the only +This implementation supports ConfigMaps & EmptyDirs only, as this is the only external volume mounting required by current microservices. .Values.externalVolumes is a list of objects. Each object has 3 required fields and 2 optional fields: 
@@ -94,7 +94,7 @@ external volume mounting required by current microservices. names of resources are sometimes set at deployment time (for instance, to prefix the Helm release to the name), the string can be a Helm template fragment that will be expanded at deployment time. - - type: the type of the resource (in the current implementation, only "ConfigMap" is supported). + - type: the type of the resource (in the current implementation, only "ConfigMap" & "emptyDir" is supported). The value is a case-INsensitive string. - mountPoint: the path to the mount point for the volume in the container file system. The value is a case-sensitive string. @@ -113,7 +113,7 @@ externalVolumes: type: configmap mountPath: /opt/app/config - name: '{{ include "common.release" . }}-another-example' - type: configmap + type: emptyDir mountPath: /opt/app/otherconfig optional: false */}} @@ -121,14 +121,18 @@ externalVolumes: {{- $global := . -}} {{- if .Values.externalVolumes }} {{- range $vol := .Values.externalVolumes }} + {{- $vname := (tpl $vol.name $global) -}} {{- if eq (lower $vol.type) "configmap" }} - {{- $vname := (tpl $vol.name $global) -}} {{- $opt := hasKey $vol "optional" | ternary $vol.optional true }} - configMap: defaultMode: 420 name: {{ $vname }} optional: {{ $opt }} name: {{ $vname }} + {{- else if eq (lower $vol.type) "emptydir" }} +- name: {{ $vname }} + emptyDir: + sizeLimit: {{ $vol.sizeLimit }} {{- end }} {{- end }} {{- end }} 
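Review bot: The field description updated here now admits emptyDir as a type but still lists only the three required and two optional fields, so the `sizeLimit` key that the emptyDir branch later in this file reads from each entry is undocumented; add `- sizeLimit: (emptyDir only) maximum size of the volume, e.g. "64Mi"; omitting it yields an unbounded emptyDir.` to this list. The new wording `only "ConfigMap" & "emptyDir" is supported` should read `are supported`, and the context line `- mountPoint:` names the field differently from the `mountPath` key the template and the example below actually use. The comment block this hunk edits begins outside the hunk.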
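Review bot: The example's second entry is switched to `type: emptyDir` but keeps `optional: false`, which the emptyDir branch never reads, and omits `sizeLimit`, the one key that branch does read; rewrite the entry as `type: emptyDir` / `mountPath: /opt/app/otherconfig` / `sizeLimit: 64Mi` so the example exercises the new branch as it is implemented. An example that shows an ignored key teaches operators to expect `optional` to matter for emptyDirs.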
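Review bot: The new emptyDir branch renders `sizeLimit: {{ $vol.sizeLimit }}` with no fallback, so an entry that omits sizeLimit produces an empty value and therefore an unbounded emptyDir that can exhaust the node's ephemeral storage; the configmap branch beside it defaults `optional`, and this one should default as well — `sizeLimit: {{ $vol.sizeLimit | default "64Mi" }}` — or refuse to render with `sizeLimit: {{ required "externalVolumes entries of type emptyDir need sizeLimit" $vol.sizeLimit }}`. A type matching neither branch still falls through silently and yields no volume (and the mount template drops it too), so a typo such as `emptydirs` disappears without error; an `{{- else }}{{ fail (printf "unsupported externalVolumes type %q" $vol.type) }}` tail would surface it at render time. The define this body belongs to starts outside the hunk.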
@@ -141,7 +145,7 @@ This template generates a list of volume mounts for the microservice container, based on information provided in .Values.externalVolumes. This template works in conjunction with dcaegen2-services-common._externalVolumes to give the microservice access to data in volumes created else. -This initial implementation supports ConfigMaps only, as this is the only +This initial implementation supports ConfigMaps & EmptyDirs, as this is the only external volume mounting required by current microservices. See the documentation for dcaegen2-services-common._externalVolumes for @@ -152,16 +156,20 @@ the microservice. {{- $global := . -}} {{- if .Values.externalVolumes }} {{- range $vol := .Values.externalVolumes }} + {{- $vname := (tpl $vol.name $global) -}} {{- if eq (lower $vol.type) "configmap" }} - {{- $vname := (tpl $vol.name $global) -}} {{- $readOnly := $vol.readOnly | default false }} - mountPath: {{ $vol.mountPath }} name: {{ $vname }} readOnly: {{ $readOnly }} + {{- else if eq (lower $vol.type) "emptydir" }} +- mountPath: {{ $vol.mountPath }} + name: {{ $vname }} {{- end }} {{- end }} {{- end }} {{- end }} + {{/* dcaegen2-services-common.microserviceDeployment: This template produces a Kubernetes Deployment for a DCAE microservice. @@ -236,6 +244,7 @@ post-processing. {{- define "dcaegen2-services-common.microserviceDeployment" -}} {{- $log := default dict .Values.log -}} {{- $logDir := default "" $log.path -}} +{{- $ves := default false .Values.ves -}} {{- $certDir := (eq "true" (include "common.needTLS" .)) | ternary (default "" .Values.certDirectory . ) "" -}} {{- $commonRelease := print (include "common.release" .) -}} {{- $policy := default dict .Values.policies -}} 
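Review bot: The emptyDir mount branch drops `readOnly`, which the configmap branch two lines above honors, so an emptyDir that an init container pre-populates (the VES etc copy introduced in this change mounts the same volume at a different path) cannot be mounted read-only in the application container, and the service can rewrite its own configuration at runtime; mirror the configmap branch with `readOnly: {{ $vol.readOnly | default false }}` so the protection is opt-in but available. A short comment that `readOnly` applies per mount, not per volume, would make clear that the init container's writable mount is unaffected. The enclosing define starts outside the hunk.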
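Review bot: `{{- $ves := default false .Values.ves -}}` makes the shared microserviceDeployment template aware of one specific component, and the next component that needs its own init container will need another flag here; a generic hook such as `{{- $extraInit := default (list) .Values.extraInitContainers -}}` rendered with `toYaml` would let dcae-ves-collector ship its copy-etc container from its own values without touching the common template. At minimum document the flag where it is read: `{{/* .Values.ves: when true, prepend the VES copy-etc init container (templates/ves-collector/_copyEtc.tpl) */}}`. The define continues outside the hunk.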
@@ -253,9 +262,15 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} initContainers: + + {{- if $ves }} + {{- include "dcaegen2-ves-collector.vesCollectorCopyEtc" . | nindent 6 }} + {{- end }} {{- if .Values.readinessCheck }} - {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} {{- end }} {{- include "common.dmaap.provisioning.initContainer" . | nindent 6 }} {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }} @@ -263,6 +278,8 @@ spec: - image: {{ default ( include "repositoryGenerator.repository" . ) .Values.imageRepositoryOverride }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 10 }} env: {{- range $cred := .Values.credentials }} - name: {{ $cred.name }} @@ -307,6 +324,26 @@ spec: {{- end }} {{- end }} {{- end }} + {{- if .Values.liveness }} + livenessProbe: + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds | default 5 }} + periodSeconds: {{ .Values.liveness.periodSeconds | default 15 }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds | default 1 }} + {{- $probeType := .Values.liveness.type | default "httpGet" -}} + {{- if eq $probeType "httpGet" }} + httpGet: + scheme: {{ .Values.liveness.scheme }} + path: {{ .Values.liveness.path }} + port: {{ .Values.liveness.port }} + {{- end }} + {{- if eq $probeType "exec" }} + exec: + command: + {{- range $cmd := .Values.liveness.command }} + - {{ $cmd }} + {{- end }} + {{- end }} + {{- end }} resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - mountPath: /app-config 
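Review bot: `securityContext:` followed by `{{- toYaml .Values.podSecurityContext | nindent 8 }}` renders `null` for any component chart that does not define podSecurityContext — this change sets it only for dcae-prh and dcae-ves-collector — so every other DCAE microservice built on this template keeps rendering, but with no pod-level hardening and nothing to flag the gap; wrap it as `{{- with .Values.podSecurityContext }}securityContext: {{- toYaml . | nindent 8 }}{{- end }}` and put the hardened defaults (`runAsNonRoot`, `seccompProfile: RuntimeDefault`) in this common chart's values so every consumer inherits them unless it overrides. The same applies to the container-level `securityContext` added in the next hunk. The Deployment spec continues outside the hunk.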
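Review bot: The exec form emits each argument as a bare scalar (`- {{ $cmd }}`), so a command token such as `true`, `on`, a number, or anything starting with `*`, `{` or `#` is retyped by the YAML parser or breaks the rendered manifest; write `- {{ $cmd | quote }}`, and likewise `path: {{ .Values.liveness.path | quote }}`. The probe also leaves `failureThreshold` at the kubelet default of 3 with no override, so with the template's 1-second `timeoutSeconds` default a service that is merely slow under load is restarted after three consecutive slow responses; expose `failureThreshold: {{ .Values.liveness.failureThreshold | default 3 }}` beside the other knobs. The container spec continues outside the hunk.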
@@ -314,7 +351,7 @@ spec: - mountPath: /app-config-input name: app-config-input - mountPath: /tmp - name: tmp-volume + name: tmp {{- if $logDir }} - mountPath: {{ $logDir}} name: logs @@ -387,12 +424,13 @@ spec: - emptyDir: medium: Memory name: app-config - - name: tmp-volume + - name: tmp emptyDir: sizeLimit: 128Mi {{- if $logDir }} - - emptyDir: {} - name: logs + - name: logs + emptyDir: + sizeLimit: 128Mi {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} {{- end }} {{- if $certDir }} diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl new file mode 100644 index 0000000000..a3a724741f --- /dev/null +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl @@ -0,0 +1,26 @@ +{{- define "dcaegen2-ves-collector.vesCollectorCopyEtc" -}} +- name: dcae-ves-collector-copy-etc + command: ["cp", "-R", "/opt/app/VESCollector/etc/.", "/opt/app/VESCollector/etc_rw/"] + image: {{ default ( include "repositoryGenerator.repository" . ) .Values.imageRepositoryOverride }}/{{ .Values.image }} + imagePullPolicy: Always + resources: + limits: + cpu: {{ .Values.copyEtc.resources.limits.cpu }} + memory: {{ .Values.copyEtc.resources.limits.memory }} + requests: + cpu: {{ .Values.copyEtc.resources.requests.cpu }} + memory: {{ .Values.copyEtc.resources.requests.memory }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsNonRoot: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/app/VESCollector/etc_rw + name: ves-collector-etc +{{- end }} 
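Review bot: The copy-etc init container hard-codes `imagePullPolicy: Always`, while the application container in `_deployment.tpl` pulls the same image with `{{ .Values.global.pullPolicy | default .Values.pullPolicy }}`; use the same expression so a pinned or air-gapped deployment is not forced to re-pull on every pod start. In `capabilities.drop`, `CAP_NET_RAW` is redundant once `ALL` is listed (and Kubernetes spells capability names without the `CAP_` prefix), so `- ALL` alone suffices. The mount name `ves-collector-etc` silently depends on an externalVolumes entry of the same name in the component's values; a comment such as `# must match .Values.externalVolumes[].name in dcae-ves-collector/values.yaml` would make that coupling visible to whoever renames either side.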
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml index fefc06e805..408c0a9300 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml @@ -19,10 +19,10 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "NewDelhi" +appVersion: "Oslo" description: DCAE PRH name: dcae-prh -version: 13.1.0 +version: 13.1.1 dependencies: - name: common diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml index 11cb72690c..2c9612f4e0 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml @@ -55,7 +55,14 @@ secrets: # probe configuration readiness: - initialDelaySeconds: 5 + initialDelaySeconds: 25 + periodSeconds: 15 + path: /heartbeat + scheme: HTTP + port: 8100 + timeoutSeconds: 30 +liveness: + initialDelaySeconds: 25 periodSeconds: 15 path: /heartbeat scheme: HTTP @@ -197,3 +204,32 @@ serviceAccount: nameOverride: dcae-prh roles: - read + +# Pod Security context +podSecurityContext: + runAsGroup: 1414 + runAsUser: 1414 + fsGroup: 1414 + seccompProfile: + type: RuntimeDefault + +# Container Security context +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsNonRoot: true + +# PRH volumes +externalVolumes: + - name: prh-logs + mountPath: /var/log/ONAP/prh/prh-app-server/ + type: emptyDir + sizeLimit: 64Mi + +# PRH pod annotations +podAnnotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml index 61a5f03b7e..6c03c1a6b2 100644 
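Review bot: The liveness probe added here is a copy of the readiness probe (`/heartbeat` on the same port and period), so any condition that makes PRH report unready — including, if `/heartbeat` checks downstream dependencies, a transient outage of those — now restarts the pod instead of only removing it from the Service; if the endpoint does more than confirm the process is up, liveness should use a cheaper check or a higher failure tolerance. The new readiness `timeoutSeconds: 30` is also longer than its `periodSeconds: 15`, which the kubelet permits but which makes the effective probe interval hard to reason about; 5–10 seconds is more usual. The values file continues outside the hunk.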
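Review bot: `sidecar.istio.io/rewriteAppHTTPProbers: "false"` makes the kubelet probe port 8100 directly rather than through the sidecar; if the mesh's PeerAuthentication is STRICT, those plaintext probes are rejected and the pod never becomes ready, so this needs either a port-level `mtls.mode: PERMISSIVE` exemption for 8100 or a comment explaining why the rewrite is disabled here. In the container securityContext, `- CAP_NET_RAW` is redundant under `- ALL`. `readOnlyRootFilesystem: true` together with the single `prh-logs` emptyDir also assumes `/var/log/ONAP/prh/prh-app-server/` is the only path PRH writes to at runtime — presumably true, but worth confirming against the image before this ships.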
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml @@ -19,10 +19,10 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "NewDelhi" +appVersion: "Oslo" description: DCAE VES Collector name: dcae-ves-collector -version: 13.1.0 +version: 13.1.1 dependencies: - name: common diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index ae75bacb57..0007b9cd52 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml @@ -85,6 +85,12 @@ readiness: path: /healthcheck scheme: HTTP port: 8080 +liveness: + initialDelaySeconds: 5 + periodSeconds: 15 + path: /healthcheck + scheme: HTTP + port: 8080 # service configuration service: @@ -288,3 +294,45 @@ serviceAccount: nameOverride: dcae-ves-collector roles: - read + +# Pod Security context +podSecurityContext: + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault + +# Container Security context +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsNonRoot: true + +# Flag which can be used to put VES-COLLECTOR specific properties in template +ves: true + +# VES-COLLECTOR volumes +externalVolumes: + - name: ves-collector-etc + type: emptyDir + sizeLimit: 50Mi + mountPath: /opt/app/VESCollector/etc + +# VES-COLLECTOR pod annotations +podAnnotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" + +# Resources for init container copy-etc +copyEtc: + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 30m + memory: 32Mi 
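Review bot: The liveness probe reuses `/healthcheck` with no `timeoutSeconds`, so it inherits the common template's 1-second default and three slow responses within 45 seconds restart the collector; readiness already gates traffic on the same endpoint, so liveness should be the more tolerant of the two, e.g. add `timeoutSeconds: 5` here. If `/healthcheck` also reports downstream (message-bus) health, a liveness restart cannot fix that and only adds churn — a comment on what the endpoint actually checks would help the next person tuning these values.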
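Review bot: The `ves-collector-etc` emptyDir replaces the image's `/opt/app/VESCollector/etc` with a copy made by the init container, so the configuration directory is writable by the collector process itself even though `readOnlyRootFilesystem: true` is set; if only a few files under etc need to be written at runtime, mounting just those (for example via `subPath`) and keeping the rest read-only would preserve the intent of the read-only root. The entry's name must also match the `volumeMounts` entry in `templates/ves-collector/_copyEtc.tpl`, which is easy to miss from this file — add `# must match the mount name in ves-collector/_copyEtc.tpl` above it. `runAsUser: 100` with `runAsGroup`/`fsGroup: 1000` presumably mirrors the image's own user and group; worth confirming, since a mismatch would leave the copied files unreadable to the collector.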
diff --git a/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml b/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml index af62dc30ca..cae85bfb90 100644 --- a/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml +++ b/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml @@ -70,7 +70,7 @@ output.logstash: #ssl.key_passphrase: $ssl.key_passphrase logging: - level: debug + level: info # enable file rotation with default configuration to_files: true |