Diffstat (limited to 'kubernetes')
93 files changed, 1520 insertions, 688 deletions
diff --git a/kubernetes/aai/Chart.yaml b/kubernetes/aai/Chart.yaml index 05287b99d6..b06609a0c4 100644 --- a/kubernetes/aai/Chart.yaml +++ b/kubernetes/aai/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP Active and Available Inventory name: aai -version: 14.0.2 +version: 14.0.3 dependencies: - name: common diff --git a/kubernetes/aai/components/aai-babel/Chart.yaml b/kubernetes/aai/components/aai-babel/Chart.yaml index f305a2287e..50a7c24ee0 100644 --- a/kubernetes/aai/components/aai-babel/Chart.yaml +++ b/kubernetes/aai/components/aai-babel/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Babel microservice name: aai-babel -version: 14.0.1 +version: 14.0.2 dependencies: - name: common diff --git a/kubernetes/aai/components/aai-babel/resources/config/application.properties b/kubernetes/aai/components/aai-babel/resources/config/application.properties index 96f1a3eb89..56560d5cb2 100644 --- a/kubernetes/aai/components/aai-babel/resources/config/application.properties +++ b/kubernetes/aai/components/aai-babel/resources/config/application.properties @@ -1,7 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Copyright © 2021 Orange -# Modifications Copyright © 2023 Nordix Foundation +# Modifications Copyright � 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,3 +23,5 @@ spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/services/babel-service logging.config=${CONFIG_HOME}/logback.xml tosca.mappings.config=${CONFIG_HOME}/tosca-mappings.json + +management.endpoints.web.exposure.include=* diff --git a/kubernetes/aai/components/aai-babel/templates/deployment.yaml b/kubernetes/aai/components/aai-babel/templates/deployment.yaml index cb40883365..f3fc04c00c 100644 --- a/kubernetes/aai/components/aai-babel/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml 
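Review bot: The added header line in aai-babel's application.properties replaces the `©` of `Modifications Copyright © 2023 Nordix Foundation` with the replacement character `�`, which looks like the file was re-saved under the wrong encoding rather than edited on purpose. The line sits inside the `{{/* ... */}}` Helm comment, so nothing rendered changes, but it is a byte-level regression in a file that is otherwise UTF-8 (the two `©` lines right above it are untouched). Keep `# Modifications Copyright © 2023 Nordix Foundation` as on the old side and check the editor's encoding so the neighbouring lines do not get the same treatment next time.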
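Review bot: `management.endpoints.web.exposure.include=*` at the end of aai-babel's application.properties publishes every Spring Boot actuator endpoint, and this file sets no `management.server.port`, so endpoints such as `env`, `heapdump`, `threaddump` and `loggers` become reachable on the application port under `/services/babel-service/actuator` — the same port the Service exposes. The only consumer this commit adds is the ServiceMonitor scraping `/services/babel-service/actuator/prometheus`, and the aai-graphadmin properties in the same commit restrict themselves to `info,health,prometheus`. Suggest the allow-list `management.endpoints.web.exposure.include=health,info,prometheus`, which covers the scrape path, keeps the two charts consistent, and leaves the sensitive endpoints unexposed.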
@@ -22,7 +22,11 @@ kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} + {{- if .Values.debug.enabled }} + replicas: 1 + {{- else }} replicas: {{ .Values.replicaCount }} + {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} strategy: type: {{ .Values.updateStrategy.type }} @@ -38,10 +42,19 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} + ports: + {{- if .Values.debug.enabled }} + - containerPort: {{ .Values.debug.port }} + name: {{ .Values.debug.portName }} + {{- end }} + {{- if .Values.profiling.enabled }} + - containerPort: {{ .Values.profiling.port }} + name: {{ .Values.profiling.portName }} + {{- end }} + {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when + # debugging.enabled=true or profiling.enabled=true + {{- if and .Values.liveness.enabled (not (or .Values.debug.enabled .Values.profiling.enabled)) }} livenessProbe: tcpSocket: port: {{ .Values.service.internalPort }} @@ -58,6 +71,14 @@ spec: value: NotUsed - name: CONFIG_HOME value: /opt/app/babel/config + {{- if .Values.profiling.enabled }} + - name: JVM_OPTS + value: '{{ join " " .Values.profiling.args }}' + {{- end }} + {{- if .Values.debug.enabled }} + - name: JVM_OPTS + value: {{ .Values.debug.args | quote }} + {{- end }} volumeMounts: - mountPath: /opt/app/babel/config/application.properties name: config diff --git a/kubernetes/aai/components/aai-babel/templates/servicemonitor.yaml b/kubernetes/aai/components/aai-babel/templates/servicemonitor.yaml new file mode 100644 index 0000000000..dc706029bf 
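Review bot: In the env hunk (`@@ -58,6 +71,14 @@`) `JVM_OPTS` is emitted twice when both `.Values.profiling.enabled` and `.Values.debug.enabled` are true, and the later entry silently wins, so the JMX arguments are dropped without any rendering error. The aai-modelloader deployment in this commit (`@@ -77,6 +81,25 @@`, `JVM_ARGS`) has the same shape. Either make the two flags mutually exclusive with a `fail` guard, or build one value from both lists, as sketched below (uses sprig `concat`/`append` and template variable reassignment, which Helm 3 supports); indentation is reconstructed since the hunk lost it. The container block continues past the end of this hunk.
```yaml
{{- $jvmOpts := list }}
{{- if .Values.profiling.enabled }}
{{- $jvmOpts = concat $jvmOpts .Values.profiling.args }}
{{- end }}
{{- if .Values.debug.enabled }}
{{- $jvmOpts = append $jvmOpts .Values.debug.args }}
{{- end }}
{{- if $jvmOpts }}
- name: JVM_OPTS
  value: {{ join " " $jvmOpts | quote }}
{{- end }}
# … unchanged: volumeMounts …
```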
--- /dev/null +++ b/kubernetes/aai/components/aai-babel/templates/servicemonitor.yaml @@ -0,0 +1,3 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml index 21cc72291d..54f8c5ea98 100644 --- a/kubernetes/aai/components/aai-babel/values.yaml +++ b/kubernetes/aai/components/aai-babel/values.yaml @@ -25,7 +25,7 @@ global: {} ################################################################# # application image -image: onap/babel:1.13.2 +image: onap/babel:1.13.3 flavor: small flavorOverride: small @@ -98,6 +98,41 @@ resources: memory: "2Gi" unlimited: {} +tracing: + collector: + baseUrl: http://jaeger-collector.istio-system:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + +# adds jvm args for remote debugging the application +debug: + enabled: false + args: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + port: 5005 + portName: debug + +# adds jvm args for remote profiling the application +profiling: + enabled: false + args: + - "-Dcom.sun.management.jmxremote" + - "-Dcom.sun.management.jmxremote.ssl=false" + - "-Dcom.sun.management.jmxremote.authenticate=false" + - "-Dcom.sun.management.jmxremote.local.only=false" + - "-Dcom.sun.management.jmxremote.port=9999" + - "-Dcom.sun.management.jmxremote.rmi.port=9999" + - "-Djava.rmi.server.hostname=127.0.0.1" + port: 9999 + portName: jmx + +metrics: + serviceMonitor: + enabled: true + targetPort: 9516 + path: /services/babel-service/actuator/prometheus + basicAuth: + enabled: false + #Pods Service Account serviceAccount: nameOverride: aai-babel diff --git a/kubernetes/aai/components/aai-graphadmin/Chart.yaml b/kubernetes/aai/components/aai-graphadmin/Chart.yaml index c0bcbfd074..7c86fed9dd 100644 --- a/kubernetes/aai/components/aai-graphadmin/Chart.yaml 
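Review bot: The `profiling.args` block added to aai-babel's values.yaml turns on remote JMX with `jmxremote.ssl=false`, `jmxremote.authenticate=false` and `jmxremote.local.only=false`, and `debug.args` opens a JDWP listener with no authentication; both are published as container ports by the deployment hunk as soon as the flag is flipped, yet the only comments say "remote debugging" and "remote profiling". They default to `enabled: false`, so this is a documentation point: above `debug:` and `profiling:` add a line such as `# development only: the JDWP/JMX listeners below are unauthenticated and unencrypted; keep disabled on shared or externally reachable clusters`. Also, `tracing.collector.baseUrl` and `tracing.sampling.probability` are added here but nothing in the visible babel hunks reads them — confirm the image consumes these keys, otherwise they are dead configuration, and `metrics.serviceMonitor.targetPort: 9516` should be cross-checked against the port the babel Service actually names.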
+++ b/kubernetes/aai/components/aai-graphadmin/Chart.yaml @@ -34,3 +34,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties index 83689da093..d124f63141 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties @@ -55,7 +55,6 @@ server.ssl.enabled=false # JMS bind address host port jms.bind.address=tcp://localhost:61649 - # dmaap is deprecated now kafka is used spring.kafka.producer.bootstrap-servers=${BOOTSTRAP_SERVERS} spring.kafka.producer.properties.security.protocol=SASL_PLAINTEXT @@ -110,8 +109,7 @@ aperture.service.base.url=http://localhost:8457/aai/aperture aperture.service.timeout-in-milliseconds=300000 #To Expose the Prometheus scraping endpoint -management.server.port=8448 +management.server.port={{ .Values.service.actuatorPort }} management.endpoints.enabled-by-default=true management.endpoints.web.exposure.include=info,health,prometheus -endpoints.enabled=false -management.security.enabled=false
\ No newline at end of file +management.security.enabled=false diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-cached.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-cached.properties deleted file mode 100644 index 5962ebd6fc..0000000000 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-cached.properties +++ /dev/null 
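Review bot: The re-added `management.security.enabled=false` (touched only to supply the missing trailing newline) is a Spring Boot 1.x property that was removed in Boot 2, while the surrounding `management.endpoints.web.exposure.include` and `management.server.port` keys are Boot 2 names, so keeping it suggests actuator security is being switched off here when nothing reads it. Since the hunk already drops the equally obsolete `endpoints.enabled=false`, drop this line as well, or if it must stay, prefix it with `# no effect on Spring Boot 2+; exposure is governed by management.endpoints.web.exposure.include above`. With the management port now rendered from `{{ .Values.service.actuatorPort }}` and published by the chart's Service, the `info,health,prometheus` allow-list above is the only thing bounding what is reachable, so it deserves a comment saying exactly that.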
@@ -1,99 +0,0 @@ -{{/* -# -# ============LICENSE_START======================================================= -# org.onap.aai -# ================================================================================ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -query.fast-property=true -query.smart-limit=false - -{{ if .Values.global.config.cluster.cassandra.dynamic }} - -storage.backend=cql -storage.hostname={{.Values.global.cassandra.serviceName}} -storage.cql.keyspace=aaigraph -storage.username={{.Values.global.cassandra.username}} -storage.password={{.Values.global.cassandra.password}} - -storage.cql.read-consistency-level=LOCAL_QUORUM -storage.cql.write-consistency-level=LOCAL_QUORUM -storage.cql.replication-factor={{.Values.global.cassandra.replicas}} -storage.cql.only-use-local-consistency-for-system-operations=true - -{{ else }} - -{{ if .Values.global.config.storage }} - -storage.backend={{ .Values.global.config.storage.backend }} - -{{ if eq .Values.global.config.storage.backend "cassandra" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cassandra.keyspace={{ .Values.global.config.storage.name }} - -storage.cassandra.read-consistency-level={{ 
.Values.global.config.storage.cassandra.readConsistency }} -storage.cassandra.write-consistency-level={{ .Values.global.config.storage.cassandra.writeConsistency }} -storage.cassandra.replication-factor={{ .Values.global.config.storage.cassandra.replicationFactor | int }} -storage.cassandra.astyanax.cluster-name= {{ .Values.global.config.storage.clusterName }} -storage.cassandra.astyanax.local-datacenter= {{ .Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ else if eq .Values.global.config.storage.backend "cql" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cql.keyspace={{ .Values.global.config.storage.name }} - -storage.cql.read-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} -storage.cql.write-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} -storage.cql.replication-factor={{ .Values.global.config.storage.cql.replicationFactor | int }} - -storage.cql.only-use-local-consistency-for-system-operations={{ .Values.global.config.storage.cql.localConsistencyForSysOps }} -storage.cql.cluster-name={{ .Values.global.config.storage.clusterName }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ else if eq .Values.global.config.storage.backend "hbase" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.hbase.table={{ .Values.global.config.storage.name }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} 
-cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ end }} - -{{ end }} - -{{ end }} - -storage.lock.wait-time=300 -#caching on -cache.db-cache = true -cache.db-cache-clean-wait = 20 -cache.db-cache-time = 180000 -cache.db-cache-size = 0.3 - -#load graphson file on startup -load.snapshot.file=false diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-realtime.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-realtime.properties index 72c35e6603..d1797a407e 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-realtime.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-realtime.properties @@ -20,7 +20,7 @@ query.fast-property=true query.smart-limit=false -{{ if .Values.global.config.cluster.cassandra.dynamic }} +{{- if .Values.global.config.cluster.cassandra.dynamic }} storage.backend=cql storage.hostname={{.Values.global.cassandra.serviceName}} 
@@ -34,25 +34,25 @@ storage.cql.write-consistency-level=LOCAL_QUORUM storage.cql.replication-factor={{.Values.global.cassandra.replicas}} storage.cql.only-use-local-consistency-for-system-operations=true -{{ if .Values.global.cassandra.partitionerName }} +{{- if .Values.global.cassandra.partitionerName }} storage.cql.partitioner-name={{ .Values.global.cassandra.partitionerName }} -{{ end }} +{{- end }} {{- if .Values.config.janusgraph.cassandraDriver }} storage.cql.internal.string-configuration = datastax-java-driver { {{ .Values.config.janusgraph.cassandraDriver.configuration }} } {{- end }} -{{ else }} +{{- else -}} -{{ if .Values.global.config.storage }} +{{- if .Values.global.config.storage }} storage.backend={{ .Values.global.config.storage.backend }} -{{ if eq .Values.global.config.storage.backend "cql" }} +{{- if eq .Values.global.config.storage.backend "cql" }} storage.hostname={{ .Values.global.config.storage.hostname }} storage.cql.keyspace={{ .Values.global.config.storage.name }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.cql.read-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} storage.cql.write-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} 
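Review bot: `storage.cql.local-datacenter` is emitted twice inside the `cql` branch — once here right after `storage.cql.keyspace` and again in the following hunk (`@@ -60,13 +60,13 @@`) after `storage.cql.cluster-name` — and the commit retargets both to `.Values.global.cassandra.localDataCenter` without removing the duplicate; Java properties take the last value so it works, but one of the two lines should go. The branch now also mixes two value trees: the datacenter comes from `global.cassandra.*` while `storage.cql.cluster-name`, `storage.hostname` and the consistency levels still come from `global.config.storage.*`. `global.cassandra.localDataCenter` is not defined anywhere in this diff; confirm the parent aai chart sets it, otherwise the key renders empty and the driver falls back to its default datacenter handling.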
@@ -60,13 +60,13 @@ storage.cql.replication-factor={{ .Values.global.config.storage.cql.replicationF storage.cql.only-use-local-consistency-for-system-operations={{ .Values.global.config.storage.cql.localConsistencyForSysOps }} storage.cql.cluster-name={{ .Values.global.config.storage.clusterName }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} -{{ else if eq .Values.global.config.storage.backend "hbase" }} +{{- else if eq .Values.global.config.storage.backend "hbase" }} storage.hostname={{ .Values.global.config.storage.hostname }} storage.hbase.table={{ .Values.global.config.storage.name }} @@ -75,11 +75,9 @@ storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} -{{ end }} - -{{ end }} - -{{ end }} +{{- end }} +{{- end }} +{{- end }} storage.lock.wait-time=300 # Setting db-cache to false ensure the fastest propagation of changes across servers @@ -87,6 +85,6 @@ cache.db-cache=false #load graphson file on startup load.snapshot.file=false -{{ if .Values.config.janusgraph.allowUpgrade }} +{{- if .Values.config.janusgraph.allowUpgrade }} graph.allow-upgrade=true -{{ end }} +{{- end }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml index 8eb4a4a781..ddf752b480 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml 
@@ -40,7 +40,6 @@ data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/janusgraph-realtime.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/janusgraph-cached.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }} --- apiVersion: v1 diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml index 01dc44123c..6ac078b756 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml @@ -38,7 +38,11 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} spec: + {{- if .Values.config.debug.enabled }} + replicas: 1 + {{- else }} replicas: {{ .Values.replicaCount }} + {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} minReadySeconds: {{ .Values.minReadySeconds }} strategy: 
@@ -66,59 +70,36 @@ spec: spec: hostname: aai-graphadmin terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} - {{ if .Values.global.initContainers.enabled }} + {{- if .Values.global.initContainers.enabled }} initContainers: - - command: - {{ if .Values.global.jobs.migration.enabled }} - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-migration - {{ else if .Values.global.jobs.createSchema.enabled }} - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-create-db-schema - {{ else }} - - /app/ready.py - args: - - --service-name - - {{ .Values.global.cassandra.serviceName }} - - --service-name - - aai-schema-service - {{ end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" - {{ end }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForWithCreateSchemaDisabled ) | indent 6 | trim}} + {{- end }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . 
| indent 8 | trim }} env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} + {{- if .Values.config.env }} + {{- range $key,$value := .Values.config.env }} + - name: {{ $key | upper | quote}} + value: {{ $value | quote}} + {{- end }} + {{- end }} + {{- if eq .Values.flavor "small" }} + - name: MAX_HEAP_SIZE + value: {{ .Values.small.maxHeapSize | quote }} + {{- else if eq .Values.flavor "large" }} + - name: MAX_HEAP_SIZE + value: {{ .Values.large.maxHeapSize | quote }} + {{- end }} - name: INTERNAL_PORT_1 value: {{ .Values.service.appPort | quote }} - name: INTERNAL_PORT_2 value: {{ .Values.service.debugPort | quote }} - name: INTERNAL_PORT_3 - value: {{ .Values.service.internalPort3 | quote }} + value: {{ .Values.service.actuatorPort | quote }} - name: BOOTSTRAP_SERVERS value: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 - name: JAAS_CONFIG @@ -138,14 +119,13 @@ spec: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties - - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties - name: config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties name: properties subPath: aaiconfig.properties - mountPath: /opt/aai/logroot/AAI-RES name: logs + - mountPath: /opt/app/aai-graphadmin/logs + name: script-logs - mountPath: /opt/app/aai-graphadmin/resources/logback.xml name: config subPath: logback.xml @@ -158,6 +138,8 @@ spec: - mountPath: /opt/app/aai-graphadmin/resources/application.properties name: properties subPath: application.properties + - mountPath: /tmp + name: tmp-volume ports: - containerPort: {{ .Values.service.appPort }} name: {{ .Values.service.appPortName }} 
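Review bot: The rewritten initContainers block in aai-graphadmin's deployment.yaml always waits on `.Values.readinessCheck.waitForWithCreateSchemaDisabled` (the cassandra and aai-schema-service services), whereas the removed block waited on the `-aai-graphadmin-migration` or `-aai-graphadmin-create-db-schema` job when `global.jobs.migration.enabled` / `global.jobs.createSchema.enabled` was set; that gate is gone, so the deployment can come up before the schema job has finished. values.yaml in the same commit defines `readinessCheck.waitForWithCreateSchemaEnabled` with exactly that job, but nothing in the diff references it, which suggests the selection below was intended (indentation reconstructed; extend it for the migration job if that path is still supported). The env list continues past the end of this hunk.
```yaml
initContainers:
{{- if .Values.global.jobs.createSchema.enabled }}
  {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForWithCreateSchemaEnabled) | indent 6 | trim }}
{{- else }}
  {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForWithCreateSchemaDisabled) | indent 6 | trim }}
{{- end }}
# … unchanged: podSecurityContext include, containers …
```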
@@ -169,8 +151,8 @@ spec: - containerPort: {{ .Values.service.profilingPort }} name: {{ .Values.service.profilingPortName }} {{- end }} - - containerPort: {{ .Values.service.internalPort3 }} - name: {{ .Values.service.portName3 }} + - containerPort: {{ .Values.service.actuatorPort }} + name: {{ .Values.service.actuatorPortName }} lifecycle: # wait for active requests (long-running tasks) to be finished # Before the SIGTERM is invoked, Kubernetes exposes a preStop hook in the Pod. @@ -188,16 +170,28 @@ spec: # debugging.enabled=true or profiling.enabled=true {{- if and .Values.liveness.enabled (not (or .Values.config.debug.enabled .Values.config.profiling.enabled)) }} livenessProbe: - tcpSocket: - port: {{ .Values.service.appPort }} + httpGet: + port: {{ .Values.service.actuatorPort }} + path: {{ .Values.liveness.path }} + {{- if .Values.liveness.initialDelaySeconds }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + {{- end }} periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} + {{- end }} readinessProbe: - tcpSocket: - port: {{ .Values.service.appPort }} + httpGet: + port: {{ .Values.service.actuatorPort }} + path: {{ .Values.readiness.path }} + {{- if .Values.readiness.initialDelaySeconds }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + {{- end }} periodSeconds: {{ .Values.readiness.periodSeconds }} + startupProbe: + httpGet: + port: {{ .Values.service.actuatorPort }} + path: {{ .Values.startup.path }} + failureThreshold: {{ .Values.startup.failureThreshold }} + periodSeconds: {{ .Values.startup.periodSeconds }} resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: 
@@ -212,8 +206,12 @@ spec: {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: tmp-volume + emptyDir: {} - name: logs emptyDir: {} + - name: script-logs + emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: config configMap: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml index f1178a0a6e..3f0c4e11e5 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml @@ -60,7 +60,7 @@ spec: name: {{ include "common.name" . }} spec: initContainers: - {{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} + {{- if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} - command: - /bin/bash - -c @@ -93,13 +93,8 @@ spec: - | {{- if include "common.onServiceMesh" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - sh docker-entrypoint.sh dataSnapshot.sh; + bash docker-entrypoint.sh dataSnapshot.sh; {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} - env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} volumeMounts: - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots name: snapshots diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml index 3f5c1d3d19..e67479a1d5 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml 
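Review bot: The new `tmp-volume` and `script-logs` volumes are unbounded `emptyDir: {}`, while the same commit gives the `logs` emptyDir in job-create-db.yaml a `sizeLimit: 64Mi`; an unbounded emptyDir mounted at `/tmp` lets a misbehaving process consume node ephemeral storage until the kubelet evicts the pod. For consistency add a limit to both, e.g. `- name: tmp-volume` / `emptyDir:` / `sizeLimit: 64Mi`, sized for whatever the scripts write under `/opt/app/aai-graphadmin/logs`. The volumes list continues past the end of this hunk.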
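Review bot: The `@@ -93,13 +93,8 @@` hunk in job-copy-db-backup.yaml removes the `LOCAL_USER_ID`/`LOCAL_GROUP_ID` env from the backup container without adding the `common.podSecurityContext` / `common.containerSecurityContext` includes that deployment.yaml and job-create-db.yaml gain in this commit, so the container now runs as whatever user the image defaults to — presumably the entrypoint used those variables to switch to the configured uid, but that is not visible here. job-migration.yaml has the same shape in `@@ -89,20 +89,12 @@`, `@@ -133,18 +125,10 @@` and `@@ -242,11 +226,6 @@`. If the intent is the new `securityContext.user_id: 65534` from values.yaml, add the two includes to these job templates as well; if these scripts genuinely need the image's default user, say so in a comment so the asymmetry is deliberate. The `sh` → `bash` switch for `dataSnapshot.sh` is also not applied to `createDBSchema.sh` or the migration scripts, which still run under `sh`.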
@@ -55,33 +55,13 @@ spec: name: {{ include "common.name" . }} spec: initContainers: - - command: - - /app/ready.py - args: - - --service-name - - {{ .Values.global.cassandra.serviceName }} - - --service-name - - aai-schema-service - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForWithCreateSchemaDisabled) | indent 6 | trim }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} command: - sh args: 
@@ -92,17 +72,19 @@ spec: sh docker-entrypoint.sh createDBSchema.sh; {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} + {{- if .Values.config.debug.enabled }} + - name: JVM_OPTS + value: {{ .Values.config.debug.args | quote }} + {{- end }} + ports: + {{- if .Values.config.debug.enabled }} + - containerPort: {{ .Values.service.debugPort }} + name: {{ .Values.service.debugPortName }} + {{- end }} volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties - - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties - name: config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties name: properties subPath: aaiconfig.properties @@ -128,7 +110,8 @@ spec: volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: 64Mi - name: config configMap: name: {{ include "common.fullname" . }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml index df62d4169c..4ec2306eca 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml 
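Review bot: The new `ports:` key in job-create-db.yaml is emitted unconditionally while its only entry sits inside `{{- if .Values.config.debug.enabled }}`, so with debugging off (the default) the rendered Job carries a bare `ports:` with a null value; the API server tolerates it, but it trips yamllint `empty-values` and schema-strict linters. Move the key inside the condition: `{{- if .Values.config.debug.enabled }}` / `ports:` / `- containerPort: {{ .Values.service.debugPort }}`. The same branch sets `JVM_OPTS` to the JDWP agent string, so the schema job inherits an unauthenticated debug listener whenever the flag is on; a one-line comment above the block noting it is development-only would help.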
@@ -89,20 +89,12 @@ spec: - -c - | sh docker-entrypoint.sh dataRestoreFromSnapshot.sh `ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots|head -1|awk -F".P" '{ print $1 }'` - env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots name: snapshots - - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties - name: config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties name: properties subPath: aaiconfig.properties @@ -133,18 +125,10 @@ spec: echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} sh docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ; {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} - env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties - - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties - name: config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties name: properties subPath: aaiconfig.properties 
@@ -207,7 +191,7 @@ spec: name: {{ include "common.name" . }} spec: initContainers: - {{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} + {{- if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} - command: - /bin/bash - -c @@ -242,11 +226,6 @@ spec: echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} sh docker-entrypoint.sh dataSnapshot.sh {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} - env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} volumeMounts: - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots name: snapshots diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml index 68f1cda815..16924e9d5c 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml @@ -43,10 +43,10 @@ spec: nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.debugPortName }} targetPort: {{ .Values.service.debugPortName }} - - port: {{ .Values.service.internalPort3 }} + - port: {{ .Values.service.actuatorPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} - name: {{ .Values.service.portName3 }} - targetPort: {{ .Values.service.portName3 }} + name: {{ .Values.service.actuatorPortName }} + targetPort: {{ .Values.service.actuatorPortName }} {{- else -}} - port: {{ .Values.service.appPort }} name: {{ .Values.service.appPortName }} 
@@ -54,8 +54,8 @@ spec: - port: {{ .Values.service.debugPort }} name: {{ .Values.service.debugPortName }} targetPort: {{ .Values.service.debugPortName }} - - port: {{ .Values.service.internalPort3 }} - name: {{ .Values.service.portName3 }} + - port: {{ .Values.service.actuatorPort }} + name: {{ .Values.service.actuatorPortName }} targetPort: {{ .Values.service.appPort }} {{- end}} selector: diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml index acc1ba22f7..dd95c8b67a 100644 --- a/kubernetes/aai/components/aai-graphadmin/values.yaml +++ b/kubernetes/aai/components/aai-graphadmin/values.yaml @@ -103,11 +103,11 @@ global: # global defaults clients: SDNC,-1|MSO,-1|SO,-1|robot-ete,-1 # application image -image: onap/aai-graphadmin:1.14.6 +image: onap/aai-graphadmin:1.14.7 pullPolicy: Always restartPolicy: Always flavor: small -flavorOverride: small + # default number of instances replicaCount: 1 @@ -141,7 +141,8 @@ config: # config override for the cassandra driver # see: https://docs.janusgraph.org/master/configs/configuration-reference/#storagecqlinternal cassandraDriver: - configuration: advanced.metadata.schema.debouncer.window = 1 second # Default maximum records to fix for the data grooming and dupeTool + configuration: advanced.metadata.schema.debouncer.window = 1 second + # Default maximum records to fix for the data grooming and dupeTool maxFix: dataGrooming: 150 dupeTool: 25 
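Review bot: In the ClusterIP branch (`@@ -54,8 +54,8 @@`) the actuator entry is renamed to `actuatorPort`/`actuatorPortName`, but its unchanged `targetPort: {{ .Values.service.appPort }}` still points at the application port, whereas the NodePort branch above maps it to `targetPort: {{ .Values.service.actuatorPortName }}`; with `management.server.port` now rendered from `service.actuatorPort`, traffic sent to port 8448 of the ClusterIP Service presumably lands on the app listener instead of the management one. Unless that is intentional, change the line to `targetPort: {{ .Values.service.actuatorPortName }}` so both branches agree and the actuator probes and scrapes reach the management listener.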
@@ -200,16 +201,28 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 - periodSeconds: 60 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false + enabled: true + path: /actuator/health/liveness + periodSeconds: 10 readiness: - initialDelaySeconds: 60 + path: /actuator/health/readiness periodSeconds: 10 +startup: + path: /actuator/health/liveness + failureThreshold: 60 + periodSeconds: 5 + +readinessCheck: + waitForWithCreateSchemaEnabled: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema' + waitForWithCreateSchemaDisabled: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service + service: type: ClusterIP # REST API port for the graphadmin microservice @@ -219,8 +232,8 @@ service: debugPort: 5005 profilingPortName: jxm-9999 profilingPort: 9999 - portName3: http-graphadmin - internalPort3: 8448 + actuatorPortName: http-graphadmin + actuatorPort: 8448 terminationGracePeriodSeconds: 45 ingress: @@ -279,12 +292,19 @@ resources: memory: "8Gi" requests: cpu: "1" - memory: "3.2Gi" + memory: "4Gi" unlimited: {} +# define the heap size for the JVM +# according to the resource flavor +small: + maxHeapSize: "1g" +large: + maxHeapSize: "5g" + metrics: serviceMonitor: - enabled: false + enabled: true targetPort: 8448 path: /actuator/prometheus basicAuth: @@ -302,8 +322,8 @@ metrics: # Not fully used for now securityContext: - user_id: 1000 - group_id: 1000 + user_id: 65534 + group_id: 65534 #Pods Service Account serviceAccount: @@ -314,8 +334,8 @@ serviceAccount: log: path: /var/log/onap level: - root: DEBUG - base: DEBUG + root: INFO + base: INFO logConfigMapNamePrefix: '{{ include "common.fullname" . }}' #DupeTool cronjob parameters 
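Review bot: `metrics.serviceMonitor.enabled` flips to `true` by default in the `@@ -279,12 +292,19 @@` hunk, which makes the chart depend on the Prometheus Operator `ServiceMonitor` CRD being present unless the template that consumes it is guarded by a CRD check; on a cluster without the operator the install would then fail instead of silently skipping metrics. Either keep the default `false` or document the prerequisite next to the key, e.g. `# requires the ServiceMonitor CRD (Prometheus Operator) to be installed`. The comment explaining why `liveness.enabled` may need to be switched off while attaching a debugger was removed together with the old values; it is still relevant now that the default is `enabled: true` and should be re-added above the key.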
diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml index c7d7cbe2fa..486ffbaa49 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml @@ -34,7 +34,11 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} spec: + {{- if .Values.debug.enabled }} + replicas: 1 + {{- else }} replicas: {{ .Values.replicaCount }} + {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} strategy: type: {{ .Values.updateStrategy.type }} @@ -77,6 +81,25 @@ spec: secretKeyRef: name: {{ include "common.name" . }}-ku key: sasl.jaas.config + {{- if .Values.profiling.enabled }} + - name: JVM_ARGS + value: '{{ join " " .Values.profiling.args }}' + {{- end }} + {{- if .Values.debug.enabled }} + - name: JVM_ARGS + value: {{ .Values.debug.args | quote }} + {{- end }} + ports: + - containerPort: 9500 + name: http + {{- if .Values.debug.enabled }} + - containerPort: {{ .Values.debug.port }} + name: {{ .Values.debug.portName }} + {{- end }} + {{- if .Values.profiling.enabled }} + - containerPort: {{ .Values.profiling.port }} + name: {{ .Values.profiling.portName }} + {{- end }} volumeMounts: - mountPath: /opt/app/model-loader/config/model-loader.properties subPath: model-loader.properties diff --git a/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml b/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml new file mode 100644 index 0000000000..1eb564ed72 --- /dev/null +++ b/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml 
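Review bot: When `debug.enabled` and `profiling.enabled` are both true, the env list gets two entries named `JVM_ARGS`; Kubernetes accepts duplicate names and the last one wins, so the profiling arguments are silently discarded and nothing tells the operator why JMX never comes up. Either merge the two branches into one `JVM_ARGS` entry that joins the profiling args and the debug args, or reject the combination explicitly at the top of the env block: `{{- if and .Values.debug.enabled .Values.profiling.enabled }}{{ fail "debug.enabled and profiling.enabled are mutually exclusive" }}{{- end }}`. The `containers` entry continues outside the hunk.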
@@ -0,0 +1,34 @@
+{{/*
+# Copyright © 2024 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.metrics.podMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ include "common.fullname" . }}
+ labels:
+ {{- include "common.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ include "common.name" . }}
+ podMetricsEndpoints:
+ - port: {{ .Values.metrics.podMonitor.port }}
+ path: {{ .Values.metrics.podMonitor.path }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+{{- end }}
diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml
index 14b7ccaf13..b28989c78f 100644
--- a/kubernetes/aai/components/aai-modelloader/values.yaml
+++ b/kubernetes/aai/components/aai-modelloader/values.yaml
@@ -21,7 +21,7 @@ global: # global defaults nodePortPrefix: 302 # application image
-image: onap/model-loader:1.14.1
+image: onap/model-loader:1.14.2
 pullPolicy: Always
 restartPolicy: Always
 flavor: small 
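Review bot: `port`, `path` and the `matchNames` entry in the new PodMonitor are emitted as plain scalars, so a path or namespace that starts with a YAML indicator or looks like a number would change type or break the parse; quote them: `- port: {{ .Values.metrics.podMonitor.port | quote }}`, `path: {{ .Values.metrics.podMonitor.path | quote }}`, `- {{ .Release.Namespace | quote }}`. The selector matches only on `app`, so two releases of this chart in one namespace would each scrape the other's pods; adding the `release` label to `matchLabels` would scope it the way the Deployment's own labels do, provided `common.labels` emits one (not visible here).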
@@ -49,6 +49,28 @@ updateStrategy: maxUnavailable: 0 maxSurge: 1 +# adds jvm args for remote debugging the application +debug: + enabled: false + args: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + port: 5005 + portName: debug + +# adds jvm args for remote profiling the application +profiling: + enabled: false + args: + - "-Dcom.sun.management.jmxremote" + - "-Dcom.sun.management.jmxremote.ssl=false" + - "-Dcom.sun.management.jmxremote.authenticate=false" + - "-Dcom.sun.management.jmxremote.local.only=false" + - "-Dcom.sun.management.jmxremote.port=9999" + - "-Dcom.sun.management.jmxremote.rmi.port=9999" + - "-Djava.rmi.server.hostname=127.0.0.1" + port: 9999 + portName: jmx + + nodeSelector: {} affinity: {} @@ -91,6 +113,12 @@ tracing: ignorePatterns: - /aai/util.* +metrics: + podMonitor: + enabled: true + port: http + path: /actuator/prometheus + #Pods Service Account serviceAccount: nameOverride: aai-modelloader diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml index 14ae2debbc..630c88a244 100644 --- a/kubernetes/aai/components/aai-resources/values.yaml +++ b/kubernetes/aai/components/aai-resources/values.yaml @@ -134,7 +134,7 @@ aai_enpoints: url: external-system # application image -image: onap/aai-resources:1.14.6 +image: onap/aai-resources:1.14.7 pullPolicy: Always restartPolicy: Always flavor: small diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml index 4bb6d4163e..e017032b03 100644 --- a/kubernetes/aai/components/aai-sparky-be/values.yaml +++ b/kubernetes/aai/components/aai-sparky-be/values.yaml @@ -29,7 +29,7 @@ global: # global defaults serviceName: aai-search-data # application image -image: onap/sparky-be:2.0.3 +image: onap/sparky-be:2.0.5 pullPolicy: Always restartPolicy: Always flavor: small 
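Review bot: The `profiling.args` defaults disable both authentication and TLS on the JMX remote port (`jmxremote.authenticate=false`, `jmxremote.ssl=false`) and `local.only=false` binds it beyond loopback, while the deployment in this same commit publishes `profiling.port` as a containerPort, so with `profiling.enabled: true` any client with pod-network reach gets an unauthenticated JMX endpoint. `java.rmi.server.hostname=127.0.0.1` suggests the intended access path is `kubectl port-forward`, but nothing says so. Add a comment above `profiling:` such as `# development aid: exposes an unauthenticated, unencrypted JMX endpoint on the pod network; keep disabled outside local/dev clusters`. `metrics.podMonitor.enabled: true` as a default also presumes the Prometheus Operator CRDs are installed; worth a comment or a `false` default.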
diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml index 036a3c96f2..6b268cae42 100644 --- a/kubernetes/aai/components/aai-traversal/values.yaml +++ b/kubernetes/aai/components/aai-traversal/values.yaml @@ -111,7 +111,7 @@ global: # global defaults someConfig: random # application image -image: onap/aai-traversal:1.14.6 +image: onap/aai-traversal:1.14.7 pullPolicy: Always restartPolicy: Always flavor: small diff --git a/kubernetes/common/etcd/Chart.yaml b/kubernetes/common/etcd/Chart.yaml index 465364b3da..bd508c57fd 100644 --- a/kubernetes/common/etcd/Chart.yaml +++ b/kubernetes/common/etcd/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2019 Intel Corporation # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,7 +18,7 @@ apiVersion: v2 name: etcd home: https://github.com/coreos/etcd -version: 13.0.0 +version: 13.0.1 appVersion: 2.2.5 description: Distributed reliable key-value store for the most critical data of a distributed system. diff --git a/kubernetes/common/etcd/templates/statefulset.yaml b/kubernetes/common/etcd/templates/statefulset.yaml index 722a27d791..c71d3295eb 100644 --- a/kubernetes/common/etcd/templates/statefulset.yaml +++ b/kubernetes/common/etcd/templates/statefulset.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2019 Intel Corporation Inc +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -36,10 +37,12 @@ spec: {{ toYaml .Values.tolerations | indent 8 }} {{- end }} {{- include "common.imagePullSecrets" . | nindent 6 }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.googleK8sRepository" . }}/{{ .Values.image }} imagePullPolicy: "{{ .Values.pullPolicy }}" + {{ include "common.containerSecurityContext" . | indent 10 | trim }} ports: - containerPort: {{ .Values.service.peerInternalPort }} name: {{ .Values.service.peerPortName }} diff --git a/kubernetes/common/etcd/values.yaml b/kubernetes/common/etcd/values.yaml index e2334eadfe..69d533c728 100644 --- a/kubernetes/common/etcd/values.yaml +++ b/kubernetes/common/etcd/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2019 Intel Corporation, Inc +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,6 +36,10 @@ nodeSelector: {} affinity: {} +securityContext: + user_id: 1000 + group_id: 1000 + # probe configuration parameters liveness: initialDelaySeconds: 90 diff --git a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml index 980be74367..e9d4df5fe3 100644 --- a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml +++ b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml @@ -3,6 +3,7 @@ # Modifications Copyright (C) 2020 Bell Canada. # Modifications Copyright (C) 2021-2023 Nordix Foundation. # Modifications Copyright (C) 2021 Orange +# Modifications Copyright (C) 2024 TechMahindra Ltd. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
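Review bot: Applying `common.podSecurityContext` / `common.containerSecurityContext` here (with `securityContext.user_id: 1000` added to values.yaml in this same commit) changes the uid etcd runs as, but nothing in the hunk ensures the existing data directory on the persistent volume is writable by uid 1000; on an upgrade of an installation whose data was written as root, etcd would fail to open its data dir unless the pod security context sets `fsGroup` or an init step fixes ownership. Whether `common.podSecurityContext` sets `fsGroup` is not visible here — please confirm, and if it does not, add it (or a chown init container) in this template. The `containers` block continues outside the hunk.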
@@ -43,6 +44,12 @@ security: username: ${CPS_USERNAME} password: ${CPS_PASSWORD} +# Actuator +management: + tracing: + propagation: + produce: {{ .Values.management.tracing.propagation.produce }} + logging: level: org: @@ -71,12 +78,24 @@ spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG} {{ toYaml .Values.config.additional | nindent 2 }} {{- end }} +# cps tracing +{{- if .Values.tracing }} + {{ toYaml .Values.tracing | nindent 2 }} +{{- end }} + # Custom Hazelcast config. hazelcast: + cluster-name: {{ .Values.hazelcast.config.clusterName }} mode: kubernetes: enabled: {{ .Values.hazelcast.config.kubernetesDiscovery }} service-name: {{ .Values.hazelcast.config.kubernetesServiceName }} +otel: + exporter: + otlp: + traces: + protocol: {{ .Values.otel.config.otlp.traces.protocol }} + # Last empty line is required otherwise the last property will be missing from application.yml file in the pod. diff --git a/kubernetes/cps/components/cps-core/values.yaml b/kubernetes/cps/components/cps-core/values.yaml index a5cc7e0dcd..94aa67efd3 100644 --- a/kubernetes/cps/components/cps-core/values.yaml +++ b/kubernetes/cps/components/cps-core/values.yaml @@ -1,6 +1,7 @@ # Copyright (C) 2021 Pantheon.tech, Orange, Bell Canada. # Modifications Copyright (C) 2022 Bell Canada # Modifications Copyright © 2022-2023 Nordix Foundation +# Modifications Copyright © 2024 TechMahindra Ltd. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -183,7 +184,6 @@ config: additional: notification.enabled: true - notification.data-updated.topic: &dataUpdatedTopic cps.data-updated-events notification.data-updated.filters.enabled-dataspaces: "" notification.async.enabled: false notification.async.executor.core-pool-size: 2 
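Review bot: `{{ toYaml .Values.tracing | nindent 2 }}` emits the `cps:` mapping indented by two spaces, so in the rendered file it becomes a child of whatever top-level key precedes it rather than a root-level `cps.tracing.*` property; the preceding `config.additional` block uses the same `nindent 2`, so the tracing keys probably land under that same parent — verify the rendered application.yml and use `nindent 0` (or place the block under an explicit root key) if a top-level `cps:` is intended. Separately, `produce: {{ .Values.management.tracing.propagation.produce }}` prints the Go slice as `[W3C]`, which parses as a YAML flow sequence only by accident; `produce: {{ toJson .Values.management.tracing.propagation.produce }}` renders it deliberately.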
@@ -191,12 +191,16 @@ config: notification.async.executor.queue-capacity: 500 notification.async.executor.wait-for-tasks-to-complete-on-shutdown: true notification.async.executor.thread-name-prefix: Async- + app.cps.data-updated.change-event-notifications-enabled: true # Strimzi KafkaUser and Topic config kafkaTopic: - name: &dmiCmEventsTopic dmi-cm-events retentionMs: 7200000 segmentBytes: 1073741824 + - name: &dataUpdatedTopic cps-data-updated-events + retentionMs: 7200000 + segmentBytes: 1073741824 kafkaUser: authenticationType: scram-sha-512 
@@ -216,17 +220,62 @@ kafkaUser: - name: &cmAvcSubscriptionTopic cm-avc-subscription type: topic operations: [Read] + - name: &ncmpCmSubscriptionIn subscription + type: topic + operations: [Read] + - name: &ncmpCmSubscriptionDmiIn ncmp-dmi-cm-avc-subscription + type: topic + operations: [Read] + - name: &ncmpCmSubscriptionDmiOut dmi-ncmp-cm-avc-subscription + type: topic + operations: [Read] + - name: &ncmpCmSubscriptionOut subscription-response + type: topic + operations: [Read] + - name: &ncmpCmEventsTopic cm-events + type: topic + operations: [Read] + - name: &dmiDeviceHeartbeatTopic dmi-device-heartbeat + type: topic + operations: [Read] + - name: &lcmEventsTopic ncmp-events + type: topic + operations: [Read] topics: config: app.ncmp.async-m2m.topic: *ncmpAsyncM2MTopic - app.ncmp.avc.subscription-topic: *cmAvcSubscriptionTopic + app.ncmp.avc.cm-subscription-ncmp-in: *ncmpCmSubscriptionIn + app.ncmp.avc.cm-subscription-dmi-in: *ncmpCmSubscriptionDmiIn + app.ncmp.avc.cm-subscription-dmi-out: *ncmpCmSubscriptionDmiOut + app.ncmp.avc.cm-subscription-ncmp-out: *ncmpCmSubscriptionOut + app.ncmp.avc.cm-events-topic: *ncmpCmEventsTopic + app.lcm.events.topic: *lcmEventsTopic app.dmi.cm-events.topic: *dmiCmEventsTopic + app.dmi.device-heartbeat.topic: *dmiDeviceHeartbeatTopic + app.cps.data-updated.topic: *dataUpdatedTopic logging: level: INFO path: /tmp +management: + tracing: + propagation: + produce: [W3C] + +tracing: + cps: + tracing: + sampler: + jaeger_remote: + endpoint: http://onap-otel-collector:14250 + exporter: + endpoint: http://onap-otel-collector:4317 + protocol: grpc + enabled: false + excluded-observation-names: tasks.scheduled.execution + ################################################################# # Postgres overriding defaults in the postgres ################################################################# 
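Review bot: The tracing endpoints `http://onap-otel-collector:14250` and `http://onap-otel-collector:4317` hard-code the `onap` release prefix, so a deployment under any other release name points at a non-existent service, whereas the rest of this file derives release-scoped names from `common.release`. Because this block is copied into application-helm.yml with `toYaml` rather than `tpl`, a `{{ include }}` here would be emitted literally, so either route it through `tpl` or move the collector host into a plain value (e.g. `otelCollectorHost`) that the template prefixes itself. The new ACL entries grant only `[Read]`; if CPS/NCMP publishes to any of the new `*-out` / `*-in` topics, a `Write` operation is needed as well — not verifiable from this hunk.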
@@ -283,5 +332,11 @@ hazelcast: config: kubernetesDiscovery: true kubernetesServiceName: cps-core-headless + clusterName: cps-and-ncmp-common-cache-cluster +otel: + config: + otlp: + traces: + protocol: grpc diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index c841d6df50..5e39d51844 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -313,6 +313,8 @@ spec: name: {{ ternary "app-config-input" "app-config" (not $drNeedProvisioning) }} - mountPath: /app-config-input name: app-config-input + - mountPath: /tmp + name: tmp-volume {{- if $logDir }} - mountPath: {{ $logDir}} name: logs @@ -385,6 +387,9 @@ spec: - emptyDir: medium: Memory name: app-config + - name: tmp-volume + emptyDir: + sizeLimit: 128Mi {{- if $logDir }} - emptyDir: {} name: logs diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml index ee6dabc015..9b631c7af5 100755 --- a/kubernetes/policy/Chart.yaml +++ b/kubernetes/policy/Chart.yaml @@ -19,7 +19,7 @@ apiVersion: v2 description: ONAP Policy name: policy -version: 14.0.4 +version: 14.0.5 dependencies: - name: common @@ -28,7 +28,7 @@ dependencies: - name: mariadb-galera version: ~13.x-0 repository: '@local' - condition: global.mariadbGalera.localCluster + condition: global.mariadbGalera.useInPolicy,global.mariadbGalera.localCluster - name: policy-nexus version: ~14.x-0 repository: 'file://components/policy-nexus' @@ -93,4 +93,4 @@ dependencies: - name: postgres version: ~13.x-0 repository: '@local' - condition: global.postgres.localCluster + condition: global.postgres.useInPolicy,global.postgres.localCluster 
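Review bot: Helm evaluates only the first path in a comma-separated `condition` that resolves to a boolean, so with `global.mariadbGalera.useInPolicy,global.mariadbGalera.localCluster` the `localCluster` flag is ignored whenever `useInPolicy` is defined (and likewise for the postgres pair in the last hunk of this Chart.yaml); a deployment that wants the shared cluster (`useInPolicy: true`, `localCluster: false`) will still get a policy-local mariadb-galera. If both flags must hold, compute a single derived value in values.yaml and gate the dependency on that, or gate on one flag and enforce the other inside the subchart.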
diff --git a/kubernetes/policy/components/policy-api/Chart.yaml b/kubernetes/policy/components/policy-api/Chart.yaml index ef0b5eae94..f5c876646b 100755 --- a/kubernetes/policy/components/policy-api/Chart.yaml +++ b/kubernetes/policy/components/policy-api/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Design API name: policy-api -version: 14.0.1 +version: 14.0.2 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml index 4e73dc0b5b..c39a27bdeb 100644 --- a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml +++ b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml @@ -2,6 +2,7 @@ # Copyright (C) 2022 Bell Canada. All rights reserved. # Modifications Copyright (C) 2022 AT&T Intellectual Property. # Modification (C) 2023 Deutsche Telekom. All rights reserved. +# Modifications Copyright © 2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -31,7 +32,7 @@ spring: password: "${RESTSERVER_PASSWORD}" mvc.converters.preferred-json-mapper: gson datasource: -{{ if not .Values.global.postgres.localCluster }} +{{ if .Values.global.mariadbGalera.useInPolicy }} url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml index 2f135fac5e..f89945f90e 100755 --- a/kubernetes/policy/components/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml 
@@ -1,3 +1,23 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021-2024 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} @@ -13,10 +33,10 @@ spec: - /app/ready.py args: - --job-name -{{ if not .Values.global.postgres.localCluster }} - - {{ include "common.release" . }}-policy-galera-config +{{ if .Values.global.mariadbGalera.useInPolicy }} + - {{ include "common.release" . }}-policy-galera-migrator-config {{ else }} - - {{ include "common.release" . }}-policy-pg-config + - {{ include "common.release" . }}-policy-pg-migrator-config {{ end }} env: - name: NAMESPACE diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index 9193366422..902268f41a 100755 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml 
@@ -2,6 +2,7 @@ # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. # Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. +# Modifications Copyright © 2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,7 +26,9 @@ global: nodePortPrefix: 304 persistence: {} postgres: - localCluster: false + useInPolicy: false + mariadbGalera: + useInPolicy: true ################################################################# # Secrets metaconfig diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml index 0dd1f34fcf..ef9a7494ec 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021, 2024 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021-2022 Nordix Foundation +# Modifications Copyright © 2021-2024 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Runtime name: policy-clamp-runtime-acm -version: 14.0.1 +version: 14.0.2 dependencies: - name: common @@ -33,4 +33,4 @@ dependencies: repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: '@local' + repository: '@local'
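Review bot: `postgres.useInPolicy` and `mariadbGalera.useInPolicy` are two independent booleans with no guard against both being `true` or both `false`, and the templates changed in this commit (apiParameters.yaml, deployment.yaml) branch only on `mariadbGalera.useInPolicy`, so for policy-api the postgres flag currently has no effect. Either derive one from the other or add a comment stating which flag is authoritative, e.g. `# templates branch on mariadbGalera.useInPolicy; postgres is used whenever it is false`.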
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml index 35e42c589d..2e09397806 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,8 +25,13 @@ spring: converters: preferred-json-mapper: gson datasource: - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/clampacm + {{ if .Values.global.mariadbGalera.useInPolicy }} + url: jdbc:mariadb://{{ .Values.db.service.mariadbName }}:{{ .Values.db.service.mariadbPort }}/clampacm driverClassName: org.mariadb.jdbc.Driver + {{ else }} + url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/clampacm + driverClassName: org.postgresql.Driver + {{ end }} username: ${SQL_USER} password: ${SQL_PASSWORD} hikari: @@ -42,7 +47,11 @@ spring: implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy properties: hibernate: - dialect: org.hibernate.dialect.MariaDB103Dialect + {{ if .Values.global.mariadbGalera.useInPolicy }} + dialect: org.hibernate.dialect.MariaDBDialect + {{ else }} + dialect: org.hibernate.dialect.PostgreSQLDialect + {{ end }} format_sql: true metrics: @@ -105,4 +114,4 @@ management: endpoints: web: exposure: - include: health, metrics, prometheus + include: health, metrics, prometheus
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml index 462f2e517b..5a206b996e 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -31,10 +31,14 @@ spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - - /app/ready.py + - /app/ready.py args: - - --job-name - - {{ include "common.release" . }}-policy-galera-config + - --job-name +{{ if .Values.global.mariadbGalera.useInPolicy }} + - {{ include "common.release" . }}-policy-galera-migrator-config +{{ else }} + - {{ include "common.release" . }}-policy-pg-migrator-config +{{ end }} env: - name: NAMESPACE valueFrom: @@ -44,7 +48,7 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} {{ include "common.containerSecurityContext" . | indent 8 | trim }} - name: {{ include "common.name" . }}-galera-config-readiness + name: {{ include "common.name" . }}-db-config-readiness resources: limits: cpu: "100m" 
@@ -63,14 +67,16 @@ spec: - name: SQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - name: RUNTIME_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "login") | indent 10 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "login") | indent 10 }} - name: RUNTIME_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "password") | indent 10 }} +{{- if .Values.global.useStrimziKafka }} - name: SASL_JAAS_CONFIG valueFrom: secretKeyRef: name: {{ include "common.name" . }}-ku key: sasl.jaas.config +{{- end }} volumeMounts: - mountPath: /config-input name: ac-runtime-config 
@@ -103,27 +109,33 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - name: logs - mountPath: /var/log/onap - - name: empty-dir - mountPath: /tmp - subPath: tmp-dir - - mountPath: /opt/app/policy/clamp/etc/logback.xml - subPath: logback.xml - name: ac-runtime-config-processed - - mountPath: /opt/app/policy/clamp/etc/mounted - name: ac-runtime-config-processed + - mountPath: /etc/localtime + name: localtime + readOnly: true + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-runtime-config-processed + - mountPath: /opt/app/policy/clamp/etc/mounted + name: ac-runtime-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: localtime + hostPath: + path: /etc/localtime - name: empty-dir emptyDir: sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index b030f940de..eb974d6ed2 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml @@ -23,6 +23,10 @@ global: nodePortPrefixExt: 304 persistence: {} + postgres: + useInPolicy: false + mariadbGalera: + useInPolicy: true #Strimzi Kafka properties kafkaTopics: acRuntimeTopic: 
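Review bot: The new `localtime` volume is a `hostPath` mount of `/etc/localtime`; `hostPath` is rejected by the Pod Security `restricted` profile and by common Gatekeeper/Kyverno baselines, so this change can make the pod unschedulable on hardened clusters for what is only a timezone setting, and it is the only hostPath this template declares. Setting the timezone through the environment (`- name: TZ` with the desired zone) or relying on the image default avoids the host dependency. If the hostPath is kept, `readOnly: true` on the mount is right but deserves a comment explaining why the host file is needed.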
@@ -85,8 +89,10 @@ db: user: policy-user password: policy_user service: - name: policy-mariadb - internalPort: 3306 + mariadbName: policy-mariadb + mariadbPort: 3306 + pgName: policy-pg-primary + pgPort: 5432 # default number of instances replicaCount: 1 @@ -160,7 +166,7 @@ serviceAccount: wait_for_job_container: containers: - - '{{ include "common.release" . }}-policy-galera-config' + - '{{ include "common.release" . }}-galera-migrator-config' customNaming: toscaElementName: org.onap.policy.clamp.acm.AutomationCompositionElement diff --git a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml index 710a04f111..25060ae593 100755 --- a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml @@ -19,7 +19,7 @@ apiVersion: v2 description: ONAP Drools Policy Engine (PDP-D) name: policy-drools-pdp -version: 14.0.1 +version: 14.0.2 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf index 2e6efae345..dc7f788405 100755..100644 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf @@ -2,6 +2,7 @@ # Copyright © 2017-2018 Amdocs, Bell Canada. # Modifications Copyright (C) 2018-2020, 2022 AT&T Intellectual Property. # Modifications Copyright (C) 2021 Bell Canada. All rights reserved. +# Modifications Copyright (C) 2024 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ # JVM options -JVM_OPTIONS={{.Values.server.jvmOpts}} +JVM_OPTIONS={{ .Values.server.jvmOpts | quote }} # SYSTEM software configuration 
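Review bot: `wait_for_job_container.containers` now waits for `{{ include "common.release" . }}-galera-migrator-config`, but the job the deployment's init container in this same commit waits for is `{{ include "common.release" . }}-policy-galera-migrator-config` (note the `policy-` segment), so the two names cannot both be right; unlike the deployment, this list is also not switched to the postgres migrator job when `mariadbGalera.useInPolicy` is false. Align the name with the deployment (`- '{{ include "common.release" . }}-policy-galera-migrator-config'`) and make the entry conditional in the same way, or drop this duplicate wait if the init container is the one actually used.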
@@ -40,11 +41,21 @@ REPOSITORY_OFFLINE={{.Values.nexus.offline}} # Relational (SQL) DB access -SQL_HOST={{ .Values.db.name }} -SQL_PORT=3306 -JDBC_URL=jdbc:mariadb://{{ .Values.db.name }}:3306/ +{{ if .Values.global.mariadbGalera.useInPolicy }} +SQL_HOST={{ .Values.db.mariadbName }} +SQL_PORT={{ .Values.db.mariadbPort }} +JDBC_URL=jdbc:mariadb://{{ .Values.db.mariadbName }}:{{ .Values.db.mariadbPort }}/ JDBC_OPTS= +JDBC_DRIVER=org.mariadb.jdbc.Driver MYSQL_CMD= +{{ else }} +SQL_HOST={{ .Values.db.pgName }} +SQL_PORT={{ .Values.db.pgPort }} +JDBC_URL=jdbc:postgresql://{{ .Values.db.pgName }}:{{ .Values.db.pgPort }}/ +JDBC_OPTS= +JDBC_DRIVER=org.postgresql.Driver +MYSQL_CMD= +{{ end }} # Liveness LIVENESS_CONTROLLERS=* @@ -92,7 +103,15 @@ DCAE_CONSUMER_GROUP=dcae.policy.shared # Open DMaaP KAFKA_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} +KAFKA_ADDITIONAL_PROPS="{ + \"group.id\": \"${GROUP_ID}\", + \"security.protocol\": \"SASL_PLAINTEXT\", + \"sasl.mechanism\": \"${SASL}\", + \"sasl.jaas.config\": \"${JAASLOGIN}\" + }" + DMAAP_HTTPS="false" +KAFKA_HTTPS="false" # AAI @@ -122,4 +141,4 @@ SDNC_CONTEXT_URI=restconf/operations/ # CDS CDS_GRPC_HOST={{.Values.cds.grpc.svcName}} -CDS_GRPC_PORT={{.Values.cds.grpc.svcPort}} +CDS_GRPC_PORT={{.Values.cds.grpc.svcPort}}
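Review bot: Both branches of the new `useInPolicy` conditional repeat `JDBC_OPTS=` and `MYSQL_CMD=`, and the postgres branch still sets a `MYSQL_CMD` variable, so the only lines that genuinely differ are `SQL_HOST`, `SQL_PORT`, `JDBC_URL` and `JDBC_DRIVER`; hoisting the shared assignments out of the conditional keeps the two database paths from drifting. The multi-line, backslash-escaped `KAFKA_ADDITIONAL_PROPS` value and the hardcoded `security.protocol: SASL_PLAINTEXT` only behave as intended if base.conf is sourced by a shell rather than read line-by-line as a properties file — confirm how the image consumes it. The last hunk also drops the file's trailing newline (`\ No newline at end of file`); restore it.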
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties new file mode 100644 index 0000000000..d4577b577a --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties 
@@ -0,0 +1,37 @@
+###
+# ============LICENSE_START=======================================================
+# ONAP
+# ================================================================================
+# Copyright (C) 2024 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+
+#Database properties
+{{ if .Values.global.mariadbGalera.useInPolicy }}
+jakarta.persistence.jdbc.driver=org.mariadb.jdbc.Driver
+jakarta.persistence.jdbc.url=${envd:JDBC_URL}pooling${envd:JDBC_OPTS}
+jakarta.persistence.jdbc.user=${envd:SQL_USER}
+jakarta.persistence.jdbc.password=${envd:SQL_PASSWORD}
+{{ else }}
+jakarta.persistence.jdbc.driver=org.postgresql.Driver
+jakarta.persistence.jdbc.url=${envd:JDBC_URL}pooling${envd:JDBC_OPTS}
+jakarta.persistence.jdbc.user=${envd:SQL_USER}
+jakarta.persistence.jdbc.password=${envd:SQL_PASSWORD}
+{{ end }}
+
+# default property values are commented out
+#distributed.locking.expire.check.seconds=900
+#distributed.locking.retry.seconds=60
+#distributed.locking.max.retries=2
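Review bot: The two template branches differ only in `jakarta.persistence.jdbc.driver`; the url, user and password lines are repeated verbatim in both. xacml.properties in this same change hoists the shared lines below `{{ end }}`, and doing the same here would leave a single copy of the credential wiring to maintain. The new file also ends without a trailing newline (`\ No newline at end of file`), which will make the next append to it a noisier diff.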
\ No newline at end of file
diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-lifecycle.properties b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-lifecycle.properties
new file mode 100644
index 0000000000..26e10122da
--- /dev/null
+++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-lifecycle.properties
@@ -0,0 +1,41 @@
+# ============LICENSE_START=======================================================
+# ONAP
+# ================================================================================
+# Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright (C) 2024 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+lifecycle.pdp.group=${envd:POLICY_PDP_PAP_GROUP:defaultGroup}
+lifecycle.pdp.type=${envd:POLICY_PDP_PAP_TYPE:drools}
+
+# Mandatory policy types that this PDP-D must support at a minimum
+lifecycle.pdp.policytypes=${envd:POLICY_PDP_PAP_POLICYTYPES}
+
+kafka.source.topics=${envd:POLICY_PDP_PAP_TOPIC}
+kafka.sink.topics=${envd:POLICY_PDP_PAP_TOPIC}
+
+kafka.source.topics.policy-pdp-pap.servers=${envd:KAFKA_SERVERS}
+kafka.source.topics.policy-pdp-pap.effectiveTopic=${envd:POLICY_PDP_PAP_TOPIC}
+kafka.source.topics.policy-pdp-pap.apiKey=${envd:POLICY_PDP_PAP_API_KEY}
+kafka.source.topics.policy-pdp-pap.apiSecret=${envd:POLICY_PDP_PAP_API_SECRET}
+kafka.source.topics.policy-pdp-pap.https=${envd:KAFKA_HTTPS:false}
+kafka.source.topics.policy-pdp-pap.additionalProps=${envd:KAFKA_ADDITIONAL_PROPS}
+
+kafka.sink.topics.policy-pdp-pap.servers=${envd:KAFKA_SERVERS}
+kafka.sink.topics.policy-pdp-pap.effectiveTopic=${envd:POLICY_PDP_PAP_TOPIC}
+kafka.sink.topics.policy-pdp-pap.apiKey=${envd:POLICY_PDP_PAP_API_KEY} +kafka.sink.topics.policy-pdp-pap.apiSecret=${envd:POLICY_PDP_PAP_API_SECRET} +kafka.sink.topics.policy-pdp-pap.https=${envd:KAFKA_HTTPS:false} +kafka.sink.topics.policy-pdp-pap.additionalProps=${envd:KAFKA_ADDITIONAL_PROPS} diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-messages.conf index 006388af61..c9277b69d3 100755 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-messages.conf @@ -1,6 +1,7 @@ {{/* # Copyright 2018-2019 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2018 Amdocs, Bell Canada. +# Modifications Copyright © 2024 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,4 +16,4 @@ # limitations under the License. */}} -POOLING_TOPIC=pooling +POOLING_TOPIC=policy-pdp-pooling diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml index 3f25d964e4..a24476cc74 100755..100644 --- a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020, 2022 AT&T Intellectual Property +# Modifications Copyright (C) 2024 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -32,7 +33,11 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-policy-galera-config +{{ if .Values.global.mariadbGalera.useInPolicy }} + - {{ include "common.release" . }}-policy-galera-migrator-config +{{ else }} + - {{ include "common.release" . }}-policy-pg-migrator-config +{{ end }} env: - name: NAMESPACE valueFrom: @@ -82,13 +87,43 @@ spec: cpu: "3m" memory: "20Mi" {{- end }} + - command: + - sh + args: + - -c + - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done + env: + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + {{- if .Values.global.useStrimziKafka }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + {{- end }} + volumeMounts: + - mountPath: /config-input + name: drools-config + - mountPath: /config + name: drools-config-processed + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["sh","-c"] - args: ["/opt/app/policy/bin/pdpd-cl-entrypoint.sh boot"] + args: + - ls /tmp/policy-install; + /opt/app/policy/bin/pdpd-cl-entrypoint.sh boot ports: {{ include "common.containerPorts" . | nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: 
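Review bot: The envsubst init container rewrites `JAASLOGIN` with `tr -d '"'`, which strips every double quote from the secret's `sasl.jaas.config`, including those delimiting the username and password values; the result is then spliced into the JSON in base.conf, so whether the login module still parses depends on the characters in the credential (a value containing `=`, `;` or whitespace is no longer delimited). The `JAASLOGIN` env is only injected when `global.useStrimziKafka` is set, but the script and base.conf reference it unconditionally, so with Strimzi off the rendered `sasl.jaas.config` is an empty string rather than absent. Escaping the quotes instead of deleting them (the value must survive both the shell double-quoted string in base.conf and the JSON inside it) and gating the Kafka block on the same flag would keep the credential intact. Separately, the `ls /tmp/policy-install;` prefix in the main container's args reads like leftover debugging and lists the directory whose mounts this change removes, and `KAFKA_URL` is set but not used by the visible script.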
@@ -112,6 +147,9 @@ spec: - name: SQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} volumeMounts: + - mountPath: /etc/localtime + name: localtime + readOnly: true - name: logs mountPath: /var/log/onap - name: empty-dir 
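Review bot: The new `/etc/localtime` mount is backed by a `hostPath` volume (declared in the volumes hunk below and likewise in the policy-pap and policy-xacml-pdp deployments in this change), and hostPath volumes are rejected by the Pod Security Standards baseline and restricted profiles that the `common.podSecurityContext`/`common.containerSecurityContext` helpers used here suggest these charts target, so the pods can be refused in a namespace enforcing them. If the goal is a consistent timezone, a `TZ` environment variable achieves it without touching the node filesystem; if the hostPath stays, add `type: File` to each volume so a node without the file fails the mount instead of mounting whatever the runtime puts there. The mount is at least `readOnly: true`.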
@@ -119,28 +157,42 @@ spec: subPath: tmp-dir - mountPath: /opt/app/policy/etc/profile.d/base.conf subPath: base.conf + name: drools-config-processed + - mountPath: /opt/app/policy/etc/profile.d/credentials.conf + subPath: credentials.conf + name: drools-config-processed + - mountPath: /opt/app/policy/etc/profile.d/feature-pooling-messages.conf + subPath: feature-pooling-messages.conf + name: drools-config-processed + - mountPath: /opt/app/policy/config/feature-lifecycle.properties + subPath: feature-lifecycle.properties + name: drools-config-processed + - mountPath: /opt/app/policy/config/engine-system.properties + subPath: engine-system.properties + name: drools-config-processed + - mountPath: /opt/app/policy/config/feature-distributed-locking.properties + subPath: feature-distributed-locking.properties + name: drools-config-processed + - mountPath: /opt/app/policy/config/logback.xml + subPath: logback.xml name: drools-config - {{- range $path, $bytes := .Files.Glob "resources/secrets/*" }} - - mountPath: /tmp/policy-install/config/{{ base $path }} - name: drools-secret - subPath: {{ base $path }} - {{- end }} - {{- range $path, $bytes := .Files.Glob "resources/configmaps/*" }} - - mountPath: /tmp/policy-install/config/{{ base $path }} - name: drools-config - subPath: {{ base $path }} - {{- end }} + - mountPath: /opt/app/policy/config/settings.xml + subPath: settings.xml + name: drools-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . 
)}} volumes: + - name: localtime + hostPath: + path: /etc/localtime - name: empty-dir emptyDir: sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} @@ -156,6 +208,10 @@ spec: path: {{ base $path }} mode: 0755 {{- end }} + - name: drools-config-processed + emptyDir: + medium: Memory + sizeLimit: 64Mi - name: drools-secret secret: secretName: {{ include "common.fullname" . }}-secret diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index b1a26fb669..f22d642e95 100755..100644 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs # Copyright © 2017, 2021 Bell Canada # Modifications Copyright © 2018-2022 AT&T Intellectual Property +# Modifications Copyright (C) 2024 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -20,7 +21,10 @@ ################################################################# global: nodePortPrefix: 302 - + postgres: + useInPolicy: false + mariadbGalera: + useInPolicy: true ################################################################# # Secrets metaconfig ################################################################# @@ -42,7 +46,9 @@ secrets: # Application configuration defaults. ################################################################# # application image +# The newest images have been tested with SASL and Postgres. The images released next will have the relevant fixes image: onap/policy-pdpd-cl:2.1.3 + pullPolicy: Always # flag to enable debugging - application support required @@ -87,7 +93,7 @@ serviceMesh: - serviceAccount: strimzi-kafka-read server: - jvmOpts: -server -XshowSettings:vm + jvmOpts: "-server -XshowSettings:vm" telemetry: user: demo@people.osaaf.org 
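Review bot: The removed `.Files.Glob "resources/secrets/*"` range was the only mount of the `drools-secret` volume visible here, yet the volume itself is kept in the volumes hunk below, so either a mount survives outside this view or the Secret is now declared but unused. `credentials.conf` is instead served from `drools-config-processed`, i.e. rendered by envsubst from the ConfigMap-backed `/config-input`; if that file carries DB or Kafka credentials they have moved from a Secret volume to a ConfigMap plus an in-memory emptyDir, which widens who can read them (ConfigMap read access is commonly granted more broadly than Secret access). Worth confirming which source feeds `credentials.conf` before merging, and dropping `drools-secret` if nothing mounts it.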
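Review bot: `global.postgres.useInPolicy` and `global.mariadbGalera.useInPolicy` are independent booleans, but the templates treat them as one switch: the component templates take the Postgres branch whenever `mariadbGalera.useInPolicy` is false, while job.yaml renders the MariaDB job on `mariadbGalera.useInPolicy` and the Postgres job on `postgres.useInPolicy` separately. With both false the PDPs wait for a `-policy-pg-migrator-config` job that is never rendered; with both true two migrator jobs run against different databases. A render-time guard such as `{{- if eq .Values.global.postgres.useInPolicy .Values.global.mariadbGalera.useInPolicy }}{{ fail "exactly one of global.postgres.useInPolicy / global.mariadbGalera.useInPolicy must be true" }}{{- end }}`, or a single selector value, would reject the invalid combinations. The same pair is added to the policy-nexus, policy-pap and policy-xacml-pdp values files.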
@@ -101,7 +107,10 @@ nexus: offline: true db: - name: policy-mariadb + mariadbName: policy-mariadb + pgName: policy-pg-primary + mariadbPort: 3306 + pgPort: 5432 user: policy-user password: policy_user @@ -229,3 +238,47 @@ kafkaUser: type: topic patternType: prefix operations: [ Create, Describe, Read, Write ] + - name: a1-p-rsp + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: a1-p + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: appc-cl + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: appc-lcm-read + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: appc-lcm-write + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: dcae_cl_rsp + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: unauthenticated.dcae_cl_output + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: dcae_topic + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: policy-cl-mgt + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: sdnr-cl-rsp + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: sdnr-cl + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] diff --git a/kubernetes/policy/components/policy-nexus/Chart.yaml b/kubernetes/policy/components/policy-nexus/Chart.yaml index ae8eebe50b..dcb3c3ac72 100755 --- a/kubernetes/policy/components/policy-nexus/Chart.yaml +++ b/kubernetes/policy/components/policy-nexus/Chart.yaml @@ -19,7 +19,7 @@ apiVersion: v2 description: ONAP Policy Nexus name: policy-nexus -version: 14.0.1 +version: 14.0.2 dependencies: - name: common 
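Review bot: Every new ACL entry uses `patternType: prefix`, so `a1-p` already matches `a1-p-rsp` and the explicit `a1-p-rsp` entry is redundant; more importantly, a prefix ACL with `Create` lets this user create and write any topic whose name starts with `a1-p`, `dcae_topic`, `sdnr-cl` and so on, which is broader than the named topics. Unless the PDP-D genuinely subscribes to topic families, `patternType: literal` on the exact names keeps the grant to what the component uses. The `kafkaUser` list begins above this hunk, so the pre-existing entries may deserve the same look.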
diff --git a/kubernetes/policy/components/policy-nexus/values.yaml b/kubernetes/policy/components/policy-nexus/values.yaml index b82785f2b8..cc75a9fe15 100755 --- a/kubernetes/policy/components/policy-nexus/values.yaml +++ b/kubernetes/policy/components/policy-nexus/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property # Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright (C) 2024 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,6 +21,10 @@ global: nodePortPrefix: 302 persistence: {} + postgres: + useInPolicy: false + mariadbGalera: + useInPolicy: true ################################################################# # Application configuration defaults. diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml index 1fd621beb0..2122e6fb3f 100755 --- a/kubernetes/policy/components/policy-pap/Chart.yaml +++ b/kubernetes/policy/components/policy-pap/Chart.yaml @@ -23,7 +23,7 @@ apiVersion: v2 description: ONAP Policy Administration (PAP) name: policy-pap -version: 14.0.1 +version: 14.0.2 dependencies: - name: common @@ -34,4 +34,4 @@ dependencies: repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: '@local' + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml index 614116ae23..58dfc9f497 100644 --- a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml +++ b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml @@ -1,6 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022 Bell Canada. All rights reserved. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2024 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,7 +26,7 @@ spring: converters: preferred-json-mapper: gson datasource: -{{ if not .Values.global.postgres.localCluster }} +{{ if .Values.global.mariadbGalera.useInPolicy }} url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" @@ -34,9 +34,6 @@ spring: hikari: maximumPoolSize: 20 jpa: - properties: - hibernate: - dialect: org.hibernate.dialect.MariaDB103Dialect hibernate: ddl-auto: none naming: @@ -58,10 +55,6 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy - properties: - hibernate: - dialect: org.hibernate.dialect.PostgreSQLDialect - format_sql: true {{ end }} server: @@ -73,7 +66,6 @@ server: pap: name: PapGroup - aaf: false topic: pdp-pap.name: {{ .Values.config.kafka.topics.policyPdpPap }} notification.name: {{ .Values.config.kafka.topics.policyNotification }} 
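Review bot: The MariaDB branch still interpolates `.Values.db.service.name` and `.Values.db.service.internalPort`, whereas the clamp component values at the top of this change and the policy-xacml-pdp values rename those keys to `mariadbName`/`mariadbPort` (adding `pgName`/`pgPort`); the policy-pap values hunk only touches `global`, so either PAP kept the old key names or this now renders `jdbc:mariadb://:/policyadmin`. A `helm template` check of the rendered datasource url would settle it. Dropping the explicit hibernate `dialect` from both branches relies on driver auto-detection; a one-line comment above `jpa:` saying the dialect is now detected from the driver would stop the next reader from re-adding it.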
@@ -151,13 +143,6 @@ pap: password: "${API_PASSWORD}" useHttps: false basePath: policy/api/v1/healthcheck - - clientName: distribution - hostname: policy-distribution - port: 6969 - userName: "${DISTRIBUTION_USER}" - password: "${DISTRIBUTION_PASSWORD}" - useHttps: false - basePath: healthcheck management: endpoints: diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml index 8f00eb049f..f7c400865f 100755..100644 --- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml @@ -2,6 +2,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. +# Modifications Copyright (C) 2024 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); 
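Review bot: The `distribution` health-check client is removed from the PAP parameters, but the PAP deployment still injects `DISTRIBUTION_USER`/`DISTRIBUTION_PASSWORD` from `distribution-secret` (context lines in the deployment hunk that follows), so a credential is now placed in the container environment with no consumer visible in this change. If nothing else reads them, dropping the two env entries keeps the pod's secret exposure to what it uses; if something does, a comment naming the consumer would stop the next cleanup from removing them.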
@@ -32,19 +33,20 @@ spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - - /app/ready.py + - /app/ready.py args: - - --job-name -{{ if not .Values.global.postgres.localCluster }} - - {{ include "common.release" . }}-policy-galera-config + - --job-name +{{ if .Values.global.mariadbGalera.useInPolicy }} + - {{ include "common.release" . }}-policy-galera-migrator-config {{ else }} - - {{ include "common.release" . }}-policy-pg-config -{{ end }} env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace + - {{ include "common.release" . }}-policy-pg-migrator-config +{{ end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} {{ include "common.containerSecurityContext" . | indent 8 | trim }} @@ -78,11 +80,13 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "login") | indent 10 }} - name: DISTRIBUTION_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "password") | indent 10 }} +{{- if .Values.global.useStrimziKafka }} - name: JAASLOGIN valueFrom: secretKeyRef: name: {{ include "common.name" . }}-ku key: sasl.jaas.config +{{- end }} volumeMounts: - mountPath: /config-input name: papconfig 
@@ -126,27 +130,33 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeout }} volumeMounts: - - name: logs - mountPath: /var/log/onap - - name: empty-dir - mountPath: /tmp - subPath: tmp-dir - - mountPath: /opt/app/policy/pap/etc/logback.xml - subPath: logback.xml - name: papconfig-processed - - name: papconfig-processed - mountPath: /opt/app/policy/pap/etc/mounted + - mountPath: /etc/localtime + name: localtime + readOnly: true + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/pap/etc/logback.xml + subPath: logback.xml + name: papconfig-processed + - name: papconfig-processed + mountPath: /opt/app/policy/pap/etc/mounted resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: localtime + hostPath: + path: /etc/localtime - name: empty-dir emptyDir: sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index d7384a5e65..4c6f5355e0 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml 
@@ -2,7 +2,7 @@ # Copyright (C) 2019 Nordix Foundation. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. # Modifications Copyright (C) 2020-2022 Bell Canada. All rights reserved. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2024 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -27,7 +27,9 @@ global: nodePortPrefixExt: 304 persistence: {} postgres: - localCluster: false + useInPolicy: false + mariadbGalera: + useInPolicy: true ################################################################# # Secrets metaconfig diff --git a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml index 8bb17a53de..a02171ef31 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy XACML PDP (PDP-X) name: policy-xacml-pdp -version: 14.0.2 +version: 14.0.3 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties index d2e9c62edf..3df3578fd2 100755..100644 --- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties +++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties 
@@ -1,4 +1,22 @@
 {{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
 #
 # Properties that the embedded PDP engine uses to configure and load
 #
@@ -49,8 +67,14 @@ xacml.pip.engines=count-recent-operations,get-operation-outcome
 #
 # JPA Properties
 #
+{{ if .Values.global.mariadbGalera.useInPolicy }}
 eclipselink.target-database=MySQL
-javax.persistence.jdbc.driver=org.mariadb.jdbc.Driver
-javax.persistence.jdbc.url=jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/operationshistory
-javax.persistence.jdbc.user=${SQL_USER}
-javax.persistence.jdbc.password=${SQL_PASSWORD}
+jakarta.persistence.jdbc.driver=org.mariadb.jdbc.Driver
+jakarta.persistence.jdbc.url=jdbc:mariadb://{{ .Values.db.service.mariadbName }}:{{ .Values.db.service.mariadbPort }}/operationshistory
+{{ else }}
+eclipselink.target-database=PostgreSQL
+jakarta.persistence.jdbc.driver=org.postgresql.Driver
+jakarta.persistence.jdbc.url=jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/operationhistory
+{{ end }}
+jakarta.persistence.jdbc.user=${SQL_USER}
+jakarta.persistence.jdbc.password=${SQL_PASSWORD}
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml index ce11fe71e5..828f6ec2c7 100755..100644 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. +# Modifications Copyright (C) 2024 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -34,7 +35,11 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-policy-galera-config +{{ if .Values.global.mariadbGalera.useInPolicy }} + - {{ include "common.release" . }}-policy-galera-migrator-config +{{ else }} + - {{ include "common.release" . }}-policy-pg-migrator-config +{{ end }} env: - name: NAMESPACE valueFrom: @@ -155,14 +160,17 @@ spec: name: pdpxconfig-processed - mountPath: /opt/app/policy/pdpx/etc/mounted name: pdpxconfig-processed + - mountPath: /etc/localtime + name: localtime + readOnly: true resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: 
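Review bot: The Postgres branch points at database `operationhistory` while the MariaDB branch uses `operationshistory`, and db-pg.sh in this same change creates `operationshistory` (it is in the `for db in ...` list), so the PDP-X would fail to connect on the Postgres path. The line should read `jakarta.persistence.jdbc.url=jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/operationshistory`. The file also still ends without a trailing newline.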
@@ -190,6 +198,9 @@ spec: - name: logs emptyDir: sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} + - name: localtime + hostPath: + path: /etc/localtime - name: pdpxconfig configMap: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index 18ddfdfeba..b20ab89370 100755..100644 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright (C) 2024 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -22,7 +23,10 @@ ################################################################# global: persistence: {} - + postgres: + useInPolicy: false + mariadbGalera: + useInPolicy: true ################################################################# # Secrets metaconfig ################################################################# @@ -64,8 +68,10 @@ db: user: policy-user password: policy_user service: - name: policy-mariadb - internalPort: 3306 + mariadbName: policy-mariadb + mariadbPort: 3306 + pgName: policy-pg-primary + pgPort: 5432 restServer: user: healthcheck diff --git a/kubernetes/policy/resources/config/db-pg.sh b/kubernetes/policy/resources/config/db-pg.sh index f26a80fad7..913ccc7728 100644 --- a/kubernetes/policy/resources/config/db-pg.sh +++ b/kubernetes/policy/resources/config/db-pg.sh 
@@ -1,7 +1,7 @@ #!/bin/sh # # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,10 +20,10 @@ export PGPASSWORD=${PG_ADMIN_PASSWORD}; -psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE USER ${PG_USER} WITH PASSWORD '${PG_USER_PASSWORD}'" +psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE USER \"${PG_USER}\" WITH PASSWORD '${PG_USER_PASSWORD}'" for db in migration pooling policyadmin policyclamp operationshistory clampacm do psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE DATABASE ${db};" - psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "GRANT ALL PRIVILEGES ON DATABASE ${db} TO ${PG_USER};" -done + psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "GRANT ALL PRIVILEGES ON DATABASE ${db} TO \"${PG_USER}\";" +done
\ No newline at end of file
diff --git a/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh b/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh
index 53921ab751..15a6e3224f 100644
--- a/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh
+++ b/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 {{/*
-# Copyright (C) 2022 Nordix Foundation.
+# Copyright (C) 2022, 2024 Nordix Foundation.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,8 +14,19 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 */}}
-/opt/app/policy/bin/prepare_upgrade.sh ${SQL_DB}
-/opt/app/policy/bin/db-migrator-pg -s ${SQL_DB} -o upgrade
-rc=$?
-/opt/app/policy/bin/db-migrator-pg -s ${SQL_DB} -o report
-exit $rc
+
+for schema in ${SQL_DB}; do
+ echo "Initializing $schema..."
+ /opt/app/policy/bin/prepare_upgrade.sh ${schema}
+
+ /opt/app/policy/bin/db-migrator-pg -s ${schema} -o report
+
+ /opt/app/policy/bin/db-migrator-pg -s ${schema} -o upgrade
+ rc=$?
+
+ /opt/app/policy/bin/db-migrator-pg -s ${schema} -o report
+
+ if [ "$rc" != 0 ]; then
+ break
+ fi
+done
diff --git a/kubernetes/policy/resources/config/db_migrator_policy_init.sh b/kubernetes/policy/resources/config/db_migrator_policy_init.sh
index d1cc108fec..a1d8fd89ea 100644
--- a/kubernetes/policy/resources/config/db_migrator_policy_init.sh
+++ b/kubernetes/policy/resources/config/db_migrator_policy_init.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 {{/*
-# Copyright (C) 2021 Nordix Foundation.
+# Copyright (C) 2021, 2024 Nordix Foundation.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
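Review bot: Quoting the role name fixes identifiers with mixed case or dashes, but `${PG_USER_PASSWORD}` is still spliced into the SQL string between single quotes, so a password containing `'` breaks or alters the statement, and because the value comes from a secret rather than the chart this surfaces only at deploy time; a `"` in `${PG_USER}` has the same effect on the new `\"${PG_USER}\"`. Passing both through psql variables and letting `:"u"` / `:'p'` do the quoting removes the string-building entirely. The file also still ends without a newline after `done`.
```sh
psql -h ${PG_HOST} -p ${PG_PORT} -U postgres -v u="${PG_USER}" -v p="${PG_USER_PASSWORD}" <<'EOSQL'
CREATE USER :"u" WITH PASSWORD :'p';
EOSQL
for db in migration pooling policyadmin policyclamp operationshistory clampacm
do
  psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE DATABASE ${db};"
  psql -h ${PG_HOST} -p ${PG_PORT} -U postgres -v u="${PG_USER}" -v db="${db}" <<'EOSQL'
GRANT ALL PRIVILEGES ON DATABASE :"db" TO :"u";
EOSQL
done
```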
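Review bot: Unlike the MariaDB variant of this script, which this change ends with `exit $rc`, the Postgres loop drops the final `exit $rc`, so the script's status is that of the last command executed — `break` after a failed `db-migrator-pg ... -o upgrade`, which returns 0 — and the migrator job reports success even when a schema upgrade failed. Append `exit $rc` after `done`, and set `rc=0` before the loop so an empty `SQL_DB` does not leave it unset.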
@@ -14,8 +14,21 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -/opt/app/policy/bin/prepare_upgrade.sh ${SQL_DB} -/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o upgrade -rc=$? -/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o report -exit $rc + +for schema in ${SQL_DB}; do + echo "Initializing $schema..." + /opt/app/policy/bin/prepare_upgrade.sh ${schema} + + /opt/app/policy/bin/db-migrator -s ${schema} -o report + + /opt/app/policy/bin/db-migrator -s ${schema} -o upgrade + rc=$? + + /opt/app/policy/bin/db-migrator -s ${schema} -o report + + if [ "$rc" != 0 ]; then + break + fi +done + +exit $rc
\ No newline at end of file diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml index 2c0ee783d5..3886a85d11 100755 --- a/kubernetes/policy/templates/job.yaml +++ b/kubernetes/policy/templates/job.yaml @@ -1,7 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada # Modifications Copyright © 2020 AT&T Intellectual Property -# Modifications Copyright (C) 2022 Nordix Foundation. +# Modifications Copyright (C) 2022-2024 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -17,7 +17,7 @@ # limitations under the License. */}} -{{ if not .Values.global.postgres.localCluster }} +{{ if .Values.global.mariadbGalera.useInPolicy }} apiVersion: batch/v1 kind: Job metadata: @@ -68,6 +68,7 @@ spec: - name: policy-service-mesh-wait-for-job-container image: {{ include "repositoryGenerator.image.quitQuit" . }} imagePullPolicy: Always + {{ include "common.containerSecurityContext" . | indent 8 | trim }} command: - /bin/sh - "-c" @@ -101,7 +102,7 @@ spec: path: db.sh {{ end }} -{{ if .Values.global.postgres.localCluster }} +{{ if .Values.global.postgres.useInPolicy }} --- apiVersion: batch/v1 kind: Job @@ -153,6 +154,7 @@ spec: resources: {{ include "common.resources" . | nindent 10 }} {{- if (include "common.requireSidecarKiller" .) }} - name: policy-service-mesh-wait-for-job-container + {{ include "common.containerSecurityContext" . | indent 8 | trim }} image: {{ include "repositoryGenerator.image.quitQuit" . }} imagePullPolicy: Always command: 
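Review bot: `rc` in db_migrator_policy_init.sh is only assigned inside the loop, so when `${SQL_DB}` is empty the trailing `exit $rc` expands to a bare `exit` and the job reports success without having migrated any schema. Initialise it before the loop (`rc=0`), or fail explicitly when no schema is supplied, e.g. `[ -n "${SQL_DB}" ] || { echo "SQL_DB is empty" >&2; exit 1; }`. The return status of `prepare_upgrade.sh ${schema}` is also ignored before `-o upgrade` is attempted.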
@@ -187,110 +189,104 @@ spec: - key: db-pg.sh path: db-pg.sh {{ end }} - --- -{{ if not .Values.global.postgres.localCluster }} +{{ if .Values.global.mariadbGalera.useInPolicy }} apiVersion: batch/v1 kind: Job metadata: - name: {{ include "common.fullname" . }}-galera-config + name: {{ include "common.fullname" . }}-galera-migrator-config namespace: {{ include "common.namespace" . }} labels: - app: {{ include "common.name" . }}-galera-config + app: {{ include "common.name" . }}-galera-migrator-config release: {{ include "common.release" . }} spec: template: metadata: labels: - app: {{ include "common.name" . }}-galera-config + app: {{ include "common.name" . }}-galera-migrator-config release: {{ include "common.release" . }} - name: {{ include "common.name" . }}-galera-config + name: {{ include "common.name" . }}-galera-migrator-config spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: - - name: {{ include "common.name" . }}-init-readiness - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . }}-galera-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + - name: {{ include "common.name" . }}-init-readiness + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /app/ready.py + args: + - --job-name + - {{ include "common.fullname" . 
}}-galera-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - - name: {{ include "common.name" . }}-galera-db-migrator - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /dbcmd-config/db_migrator_policy_init.sh - name: {{ include "common.fullname" . }}-config - subPath: db_migrator_policy_init.sh - - mountPath: /opt/app/policy/etc/db - name: db-conf - command: - - /bin/sh - - -cx - - | + - name: {{ include "common.name" . }}-galera-db-migrator + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - mountPath: /opt/app/policy/etc/db/ + name: {{ include "common.fullname" . }}-migration-writable + - mountPath: /dbcmd-config/db_migrator_policy_init.sh + name: {{ include "common.fullname" . }}-config + subPath: db_migrator_policy_init.sh + command: + - /bin/sh + - -cx + - | {{- if include "common.requireSidecarKiller" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /dbcmd-config/db_migrator_policy_init.sh - env: - - name: SQL_HOST - value: "{{ index .Values "mariadb-galera" "service" "name" }}" - - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "db-secret" "key" "password") | indent 10 }} - - name: SQL_DB - value: {{ .Values.dbmigrator.schema }} - - name: POLICY_HOME - value: {{ .Values.dbmigrator.policy_home }} - - name: SCRIPT_DIRECTORY - value: "sql" - resources: {{ include "common.resources" . | nindent 10 }} + echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} + /dbcmd-config/db_migrator_policy_init.sh + env: + - name: SQL_HOST + value: "{{ index .Values "mariadb-galera" "service" "name" }}" + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + - name: SQL_DB + value: {{ .Values.dbmigrator.schemas }} + - name: POLICY_HOME + value: {{ .Values.dbmigrator.policy_home }} + - name: SCRIPT_DIRECTORY + value: "sql" + resources: {{ include "common.resources" . | nindent 12 }} {{- if (include "common.requireSidecarKiller" .) }} - - name: policy-service-mesh-wait-for-job-container - image: {{ include "repositoryGenerator.image.quitQuit" . }} - imagePullPolicy: Always - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-db-migrator -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - resources: - limits: - cpu: 100m - memory: 500Mi - requests: - cpu: 10m - memory: 10Mi + - name: policy-service-mesh-wait-for-job-container + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + image: {{ include "repositoryGenerator.image.quitQuit" . 
}} + imagePullPolicy: Always + command: + - /bin/sh + - "-c" + args: + - echo "waiting 10s for istio side cars to be up"; sleep 10s; + /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-db-migrator -t 45; + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace {{- end }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: {{ include "common.fullname" . }}-migration-writable + emptyDir: {} - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }}-db-configmap 
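Review bot: The new `-migration-writable` volume mounted at `/opt/app/policy/etc/db/` is declared as a bare `emptyDir: {}`, whereas the `db-conf` volume it replaces (removed in the following hunk) was `medium: Memory` with `sizeLimit: 64Mi`. An unbounded, disk-backed emptyDir lets the migrator fill node ephemeral storage, and if the migrator writes the connection settings it receives through `SQL_USER`/`SQL_PASSWORD` into that directory (not determinable from the hunk), they now land on node disk rather than tmpfs. Unless the migrator is known to need more than 64Mi there, keep `emptyDir: {medium: Memory, sizeLimit: 64Mi}`; the same applies to the pg job below.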
@@ -298,116 +294,107 @@ spec: items: - key: db_migrator_policy_init.sh path: db_migrator_policy_init.sh - - name: db-conf - emptyDir: - medium: Memory - sizeLimit: 64Mi {{ end }} -{{ if .Values.global.postgres.localCluster }} +{{ if .Values.global.postgres.useInPolicy }} --- apiVersion: batch/v1 kind: Job metadata: - name: {{ include "common.fullname" . }}-pg-config + name: {{ include "common.fullname" . }}-pg-migrator-config namespace: {{ include "common.namespace" . }} labels: - app: {{ include "common.name" . }}-pg-config + app: {{ include "common.name" . }}-pg-migrator-config release: {{ include "common.release" . }} spec: template: metadata: labels: - app: {{ include "common.name" . }}-pg-config + app: {{ include "common.name" . }}-pg-migrator-config release: {{ include "common.release" . }} - name: {{ include "common.name" . }}-pg-config + name: {{ include "common.name" . }}-pg-migrator-config spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: - - name: {{ include "common.name" . }}-init-readiness - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . }}-pg-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + - name: {{ include "common.name" . }}-init-readiness + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + command: + - /app/ready.py + args: + - --job-name + - {{ include "common.fullname" . 
}}-pg-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - - name: {{ include "common.name" . }}-pg-db-migrator - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh - name: {{ include "common.fullname" . }}-config - subPath: db_migrator_pg_policy_init.sh - - mountPath: /opt/app/policy/etc/db - name: db-conf - command: - - /bin/sh - - -cx - - | + - name: {{ include "common.name" . }}-pg-db-migrator + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + volumeMounts: + - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh + name: {{ include "common.fullname" . }}-config + subPath: db_migrator_pg_policy_init.sh + - mountPath: /opt/app/policy/etc/db/ + name: {{ include "common.fullname" . }}-migration-writable + command: + - /bin/sh + - -cx + - | {{- if include "common.requireSidecarKiller" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /dbcmd-config/db_migrator_pg_policy_init.sh - env: - - name: SQL_HOST - value: "{{ .Values.postgres.service.name2 }}" - - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "db-secret" "key" "password") | indent 10 }} - - name: SQL_DB - value: {{ .Values.dbmigrator.schema }} - - name: POLICY_HOME - value: {{ .Values.dbmigrator.policy_home }} - - name: SCRIPT_DIRECTORY - value: "postgres" - - name: PGPASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - resources: {{ include "common.resources" . | nindent 10 }} + echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} + /dbcmd-config/db_migrator_pg_policy_init.sh + env: + - name: SQL_HOST + value: "{{ .Values.postgres.service.name2 }}" + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + - name: SQL_DB + value: {{ .Values.dbmigrator.schemas }} + - name: POLICY_HOME + value: {{ .Values.dbmigrator.policy_home }} + - name: SCRIPT_DIRECTORY + value: "postgres" + - name: PGPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if (include "common.requireSidecarKiller" .) }} - - name: policy-service-mesh-wait-for-job-container - image: {{ include "repositoryGenerator.image.quitQuit" . }} - imagePullPolicy: Always - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . }}-pg-db-migrator -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{ include "common.containerSecurityContext" . 
| indent 8 | trim }} - resources: - limits: - cpu: 100m - memory: 500Mi - requests: - cpu: 10m - memory: 10Mi + - name: policy-service-mesh-wait-for-job-container + image: {{ include "repositoryGenerator.image.quitQuit" . }} + imagePullPolicy: Always + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + command: + - /bin/sh + - "-c" + args: + - echo "waiting 10s for istio side cars to be up"; sleep 10s; + /app/ready.py --service-mesh-check {{ include "common.name" . }}-pg-db-migrator -t 45; + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace {{- end }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: {{ include "common.fullname" . }}-migration-writable + emptyDir: {} - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }}-db-configmap @@ -415,8 +402,4 @@ spec: items: - key: db_migrator_pg_policy_init.sh path: db_migrator_pg_policy_init.sh - - name: db-conf - emptyDir: - medium: Memory - sizeLimit: 64Mi -{{ end }} +{{ end }}
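Review bot: `value: {{ .Values.dbmigrator.schemas }}` in the pg migrator container is rendered unquoted; the multi-schema value the values file anticipates (`"policyadmin clampacm pooling operationshistory"`) still parses as a plain scalar, but an unset value renders as a bare `value:` (null → empty SQL_DB, and the init script's loop then runs zero times) and a value starting with a YAML indicator would mis-parse. Use `value: {{ .Values.dbmigrator.schemas | quote }}` here and in the galera job above, which has the same line.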
\ No newline at end of file diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index ccd8223284..67f4dbd1e5 100755..100644 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -35,6 +35,7 @@ global: nameOverride: *mariadbService # (optional) if localCluster=false and an external secret is used set this variable #userRootSecret: <secretName> + useInPolicy: true prometheusEnabled: false postgres: localCluster: false @@ -44,8 +45,10 @@ global: name3: tcp-pgset-replica container: name: postgres + useInPolicy: false kafkaBootstrap: strimzi-kafka-bootstrap:9092 policyKafkaUser: policy-kafka-user + useStrimziKafka: true kafkaTopics: acRuntimeTopic: name: policy.clamp-runtime-acm @@ -56,8 +59,8 @@ secrets: - uid: db-root-password name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password' type: password - externalSecret: '{{ .Values.global.mariadbGalera.localCluster | - ternary (( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | + externalSecret: '{{ or .Values.global.postgres.useInPolicy .Values.global.mariadbGalera.useInPolicy | ternary ( + ( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | ternary "" (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) @@ -164,8 +167,11 @@ policy-nexus: ################################################################# dbmigrator: + # New released image will allow full SASL and Postgres (drools included). Tested with snapshot. Release to come later. image: onap/policy-db-migrator:3.1.3 - schema: policyadmin + # These schemas will be required with the new version of db-migrator + # schemas: "policyadmin clampacm pooling operationshistory" + schemas: "policyadmin" policy_home: "/opt/app/policy" subChartsOnly: @@ -305,4 +311,4 @@ securityContext: serviceAccount: nameOverride: policy roles: - - read + - read
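Review bot: The root-password `externalSecret` condition is now `or .Values.global.postgres.useInPolicy .Values.global.mariadbGalera.useInPolicy`, which is true in every configuration where one of the migrator jobs renders, so the ternary's other branch (outside this hunk) is effectively unreachable and a PostgreSQL-only deployment still derives the secret name from `mariadb-galera.rootUser.externalSecret`. If that is intended, say so next to the entry, e.g. `# root-password secret is always resolved from the mariadb-galera rootUser settings, also when postgres is used`; if not, the postgres path needs its own source. Previously the condition was keyed on `mariadbGalera.localCluster`, so the behavioural change is not obvious from the diff alone.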
\ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-bff/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-bff/Chart.yaml index d925060b81..ade5d1e734 100644 --- a/kubernetes/portal-ng/components/portal-ng-bff/Chart.yaml +++ b/kubernetes/portal-ng/components/portal-ng-bff/Chart.yaml @@ -29,7 +29,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 13.0.0 +version: 13.0.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -43,7 +43,3 @@ dependencies: - name: repositoryGenerator version: ~13.x-0 repository: '@local' - - name: serviceAccount - version: ~13.x-0 - repository: '@local' - diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/configmap.yaml index b45ead6a52..f41d630f02 100644 --- a/kubernetes/portal-ng/components/portal-ng-bff/templates/configmap.yaml +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/configmap.yaml @@ -6,4 +6,7 @@ metadata: data: {{- range $key, $val := .Values.env }} {{ $key }}: {{ $val | quote }} - {{- end -}}
\ No newline at end of file + {{- end -}} + {{- range $key, $val := .Values.global.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/deployment.yaml index ef54110af4..7d521cf1cb 100644 --- a/kubernetes/portal-ng/components/portal-ng-bff/templates/deployment.yaml +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/deployment.yaml @@ -6,13 +6,18 @@ spec: replicas: {{ .Values.replicaCount }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- include "common.templateMetadata" . | indent 6 }} spec: {{- include "common.imagePullSecrets" . | nindent 6 }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ .Chart.Name }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap @@ -34,3 +39,4 @@ spec: port: {{ .Values.service.port }} initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + resources: {{ include "common.resources" . | nindent 12 }} diff --git a/kubernetes/portal-ng/components/portal-ng-bff/values.yaml b/kubernetes/portal-ng/components/portal-ng-bff/values.yaml index b8b7c3d061..cc39ea8b87 100644 --- a/kubernetes/portal-ng/components/portal-ng-bff/values.yaml +++ b/kubernetes/portal-ng/components/portal-ng-bff/values.yaml 
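Review bot: Ranging over `.Values.env` and then `.Values.global.env` into the same `data:` map emits a duplicate key whenever a chart-local value overrides a global one (for instance setting `env.KEYCLOAK_URL` back, as the removed bff default did), and duplicate keys are either rejected or resolved last-wins depending on the YAML parser in the toolchain. Merging first makes the precedence explicit and deterministic: `{{- range $key, $val := merge (deepCopy .Values.env) (default (dict) .Values.global.env) }}`, where the local `env` wins — matching the `| default .Values.global.env.…` precedence used in the portal-ng-ui templates. The history and preferences configmaps in this change use the same two-loop pattern.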
@@ -1,59 +1,104 @@ -global: {} +global: + env: + KEYCLOAK_URL: http://keycloak-keycloakx-http.keycloak + KEYCLOAK_REALM: ONAP + COLLECTOR_HOST: jaeger-collector.istio-system + COLLECTOR_PORT: 9411 -# Default values for bff. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +## Default values for portal-ng-bff. +## This is a YAML-formatted file. +## Declare variables to be passed into your templates. + +## +## Specifies the details of the Docker image to be used for deployment. +## image: + ## The name of the Docker image. imageName: onap/portal-ng/bff + ## The policy that indicates when the image should be pulled. + ## "Always" means the image will be pulled on every deployment. pullPolicy: Always - # Overrides the image tag whose default value is the chart appVersion. + ## Overrides the image tag. The default is the chart appVersion. + ## An empty value means the default tag will be used. # tag: 0.1.0 +## Number of Pods to deploy replicaCount: 2 -# Specifies how many old replicas will be retained in a deployment +## Specifies how many old replicas will be retained in a deployment revisionHistoryLimit: 2 -# Custom selector label (for bigger namespaces with other components) +## Custom selector label (for bigger namespaces with other components) partOf: portal +## +## Service +## service: + ## Use ClusterIP as the service type to expose the service on an internal IP type: ClusterIP port: 9080 + ## The port on which the service is exposed ports: - name: http port: 9080 +## +## Autoscaling +## autoscaling: + ## Autoscaling is disabled. When set to true, the Horizontal Pod Autoscaler is enabled. enabled: false + ## Minimum number of replicas to maintain. minReplicas: 1 - maxReplicas: 100 + ## Maximum number of replicas to maintain. + maxReplicas: 2 + ## Target CPU utilization percentage at which the Horizontal Pod Autoscaler adds or removes replicas. 
targetCPUUtilizationPercentage: 80 +resources: + small: + limits: + cpu: "4" + memory: "1Gi" + requests: + cpu: "50m" + memory: "256Mi" + large: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "100m" + memory: "256Mi" + unlimited: {} + +## +## Readiness and liveness probes +## probes: + # Configuration of the readiness probe to check if the container is ready. readiness: + ## Wait before performing the first probe initialDelaySeconds: 20 + ## Number of consecutive failures allowed before marking probe as failed. failureThreshold: 4 + # Configuration of the liveness probe to check if the container is alive. liveness: + ## Wait before performing the first probe initialDelaySeconds: 20 + ## Number of consecutive failures allowed before marking probe as failed. failureThreshold: 4 env: - KEYCLOAK_URL: http://keycloakx-http.keycloak/auth - KEYCLOAK_REALM: ONAP HISTORY_URL: http://portal-ng-history:9002 PREFERENCES_URL: http://portal-ng-preferences:9001 TRACING_ENABLED: true - COLLECTOR_HOST: jaeger-collector.istio-system - COLLECTOR_PORT: 9411 secretEnv: KEYCLOAK_CLIENT_ID: portal-bff KEYCLOAK_CLIENT_SECRET: pKOuVH1bwRZoNzp5P5t4GV8CqcCJYVtr -#Pods Service Account -serviceAccount: - nameOverride: portal-ng-bff - roles: - - read - +securityContext: + user_id: 65534 + group_id: 65534 diff --git a/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml index 4b62b5def2..9f55e31be4 100644 --- a/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml +++ b/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml 
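Review bot: Dropping the `serviceAccount:` block (together with the serviceAccount dependency in Chart.yaml) removes the dedicated `portal-ng-bff` account with the `read` role; unless the deployment sets `serviceAccountName` outside the hunks shown, the pod now runs under the namespace `default` service account with its token auto-mounted, a broader identity than before and a regression against the history and preferences charts, which keep their blocks. Either restore the block, or if the bff never talks to the API server, set `automountServiceAccountToken: false` on the pod spec. Unrelated to this change but visible in context: `KEYCLOAK_CLIENT_SECRET` is still a literal in values.yaml.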
@@ -29,7 +29,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 13.0.0 +version: 13.0.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/configmap.yaml index f8c23479e1..b81e796c75 100644 --- a/kubernetes/portal-ng/components/portal-ng-history/templates/configmap.yaml +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/configmap.yaml @@ -20,5 +20,8 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{- range $key, $val := .Values.env }} - {{ $key }}: {{ $val | quote }} - {{- end -}}
\ No newline at end of file + {{ $key }}: {{ $val | quote }} + {{- end -}} + {{- range $key, $val := .Values.global.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml index a2a924b488..cdf47ca81d 100644 --- a/kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml @@ -21,13 +21,18 @@ spec: replicas: {{ .Values.replicaCount }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- include "common.templateMetadata" . | indent 6 }} spec: {{- include "common.imagePullSecrets" . | nindent 6 }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ .Chart.Name }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap @@ -45,4 +50,5 @@ spec: path: /actuator/health/readiness port: {{ .Values.service.port }} initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} - failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
\ No newline at end of file + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + resources: {{ include "common.resources" . | nindent 12 }} diff --git a/kubernetes/portal-ng/components/portal-ng-history/values.yaml b/kubernetes/portal-ng/components/portal-ng-history/values.yaml index dc999841ef..a12e70c575 100644 --- a/kubernetes/portal-ng/components/portal-ng-history/values.yaml +++ b/kubernetes/portal-ng/components/portal-ng-history/values.yaml @@ -1,4 +1,9 @@ -global: {} +global: + env: + KEYCLOAK_URL: http://keycloak-keycloakx-http.keycloak + KEYCLOAK_REALM: ONAP + COLLECTOR_HOST: jaeger-collector.istio-system + COLLECTOR_PORT: 9411 image: imageName: onap/portal-ng/history @@ -26,6 +31,23 @@ service: - name: http port: 9002 +resources: + small: + limits: + cpu: "500m" + memory: "512Mi" + requests: + cpu: "100m" + memory: "256Mi" + large: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "200m" + memory: "256Mi" + unlimited: {} + autoscaling: enabled: false minReplicas: 1 @@ -34,11 +56,11 @@ autoscaling: probes: readiness: - initialDelaySeconds: 20 - failureThreshold: 4 + initialDelaySeconds: 30 + failureThreshold: 5 liveness: - initialDelaySeconds: 20 - failureThreshold: 4 + initialDelaySeconds: 30 + failureThreshold: 5 secretEnv: MONGO_USERNAME: dbuser @@ -46,13 +68,9 @@ secretEnv: MONGO_DATABASE: history env: - KEYCLOAK_URL: http://keycloakx-http.keycloak - KEYCLOAK_REALM: ONAP MONGO_HOST: history-mongodb MONGO_PORT: 27017 TRACING_ENABLED: true - COLLECTOR_HOST: jaeger-collector.istio-system - COLLECTOR_PORT: 9411 mongodb: nameOverride: history-mongodb @@ -79,3 +97,7 @@ serviceAccount: nameOverride: portal-ng-history roles: - read + +securityContext: + user_id: 65534 + group_id: 65534 diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml index 96088586fc..622ee90ac1 100644 --- a/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml 
+++ b/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml @@ -29,7 +29,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 13.0.0 +version: 13.0.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -49,5 +49,3 @@ dependencies: - name: mongodb version: ~14.12.x-0 repository: '@local' - - diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/configmap.yaml index f8c23479e1..b81e796c75 100644 --- a/kubernetes/portal-ng/components/portal-ng-preferences/templates/configmap.yaml +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/configmap.yaml @@ -20,5 +20,8 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{- range $key, $val := .Values.env }} - {{ $key }}: {{ $val | quote }} - {{- end -}}
\ No newline at end of file + {{ $key }}: {{ $val | quote }} + {{- end -}} + {{- range $key, $val := .Values.global.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/deployment.yaml index a2a924b488..cdf47ca81d 100644 --- a/kubernetes/portal-ng/components/portal-ng-preferences/templates/deployment.yaml +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/deployment.yaml @@ -21,13 +21,18 @@ spec: replicas: {{ .Values.replicaCount }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- include "common.templateMetadata" . | indent 6 }} spec: {{- include "common.imagePullSecrets" . | nindent 6 }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ .Chart.Name }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap @@ -45,4 +50,5 @@ spec: path: /actuator/health/readiness port: {{ .Values.service.port }} initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} - failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
\ No newline at end of file + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + resources: {{ include "common.resources" . | nindent 12 }} diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/values.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/values.yaml index 2f6d1bae78..fd2180b36f 100644 --- a/kubernetes/portal-ng/components/portal-ng-preferences/values.yaml +++ b/kubernetes/portal-ng/components/portal-ng-preferences/values.yaml @@ -1,4 +1,9 @@ -global: {} +global: + env: + KEYCLOAK_URL: http://keycloak-keycloakx-http.keycloak + KEYCLOAK_REALM: ONAP + COLLECTOR_HOST: jaeger-collector.istio-system + COLLECTOR_PORT: 9411 # Default values for preferences. # This is a YAML-formatted file. @@ -27,6 +32,23 @@ service: - name: http port: 9001 +resources: + small: + limits: + cpu: "500m" + memory: "512Mi" + requests: + cpu: "100m" + memory: "256Mi" + large: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "200m" + memory: "256Mi" + unlimited: {} + autoscaling: enabled: false minReplicas: 1 @@ -35,11 +57,11 @@ autoscaling: probes: readiness: - initialDelaySeconds: 20 - failureThreshold: 4 + initialDelaySeconds: 30 + failureThreshold: 5 liveness: - initialDelaySeconds: 20 - failureThreshold: 4 + initialDelaySeconds: 30 + failureThreshold: 5 secretEnv: MONGO_USERNAME: dbuser @@ -47,13 +69,9 @@ secretEnv: MONGO_DATABASE: Preferences env: - KEYCLOAK_URL: http://keycloakx-http.keycloak - KEYCLOAK_REALM: ONAP MONGO_HOST: preferences-mongodb MONGO_PORT: 27017 TRACING_ENABLED: true - COLLECTOR_HOST: jaeger-collector.istio-system - COLLECTOR_PORT: 9411 mongodb: nameOverride: preferences-mongodb @@ -80,3 +98,7 @@ serviceAccount: nameOverride: portal-ng-preferences roles: - read + +securityContext: + user_id: 65534 + group_id: 65534 diff --git a/kubernetes/portal-ng/components/portal-ng-ui/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-ui/Chart.yaml index 09178d9694..496d7b12de 100644 
--- a/kubernetes/portal-ng/components/portal-ng-ui/Chart.yaml +++ b/kubernetes/portal-ng/components/portal-ng-ui/Chart.yaml @@ -29,12 +29,12 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 13.0.0 +version: 13.0.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.1.0 +appVersion: 0.1.2 dependencies: - name: common diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/acl.json b/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/acl.json new file mode 100644 index 0000000000..a8a505b291 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/acl.json @@ -0,0 +1,5 @@ +{ + "portal_admin": {{ .Values.acl.portal_admin | toPrettyJson }}, + "portal_operator": {{ .Values.acl.portal_operator | toPrettyJson }}, + "portal_designer": {{ .Values.acl.portal_designer | toPrettyJson }} +} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/env.js b/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/env.js index 2e21ca50d0..81a71c39d7 100644 --- a/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/env.js +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/env.js 
@@ -4,8 +4,8 @@ // Environment variables window["env"]["customStyleEnabled"] = "{{ .Values.env.CUSTOM_STYLE_ENABLED }}"; - window["env"]["keycloak"]["hostname"] = "{{ .Values.env.KEYCLOAK_HOSTNAME }}"; - window["env"]["keycloak"]["realm"] = "{{ .Values.env.KEYCLOAK_REALM }}"; + window["env"]["keycloak"]["hostname"] = "{{ .Values.env.KEYCLOAK_EXTERNAL_URL }}"; + window["env"]["keycloak"]["realm"] = "{{ .Values.env.KEYCLOAK_REALM | default .Values.global.env.KEYCLOAK_REALM }}"; window['env']['keycloak']['clientId'] = '{{ .Values.env.KEYCLOAK_CLIENT_ID }}'; window["env"]["loggingEnabled"]= '{{ .Values.env.LOGGING_ENABLED }}'; })(this); diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/default.conf b/kubernetes/portal-ng/components/portal-ng-ui/resources/default.conf index d448e278d5..0c64588840 100644 --- a/kubernetes/portal-ng/components/portal-ng-ui/resources/default.conf +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/default.conf @@ -1,6 +1,7 @@ -resolver {{ .Values.env.CLUSTER_NAMESERVER_IP }}; +resolver {{ .Values.env.NAME_SERVER }}; server { listen {{ .Values.env.NGINX_PORT }}; + listen [::]:{{.Values.env.NGINX_PORT}}; # listen on ipv6 location / { root /usr/share/nginx/html; index index.html; @@ -21,7 +22,7 @@ server { proxy_http_version 1.1; } location /auth/ { - set $upstream {{ .Values.env.KEYCLOAK_INTERNAL_URL }}; + set $upstream {{ .Values.env.KEYCLOAK_URL | default .Values.global.env.KEYCLOAK_URL }}.svc.cluster.local; rewrite /auth/(.*) /$1 break; add_header Access-Control-Allow-Origin *; proxy_pass $upstream/$1$is_args$args; @@ -45,4 +46,4 @@ gzip_min_length 1100; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; -gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
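Review bot: In the second default.conf hunk, `.svc.cluster.local` is appended by plain concatenation to whatever `KEYCLOAK_URL` resolves to, so an override that already carries a port, a path or a trailing slash (e.g. `http://host:8080/`) yields `http://host:8080/.svc.cluster.local`; the default `http://keycloak-keycloakx-http.keycloak` only works because it is exactly scheme plus `service.namespace`. Either document that constraint beside the value (`# scheme://service.namespace only — default.conf appends .svc.cluster.local`) or move the suffix into the value itself. In the first hunk, `resolver {{ .Values.env.NAME_SERVER }};` receives a hostname (`coredns.kube-system` in values.yaml), which nginx resolves through the system resolver when the configuration is loaded, and the cluster DNS service is named `kube-dns` on many distributions, so the default is cluster-specific and should be flagged as such next to `NAME_SERVER`.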
\ No newline at end of file +gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-env-js.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-assets.yaml index e2244bd768..0db7d5637c 100644 --- a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-env-js.yaml +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-assets.yaml @@ -16,11 +16,12 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-env-js + name: {{ include "common.fullname" . }}-assets labels: app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/assets/env.js").AsConfig . | nindent 2 }} + env_js: {{ tpl (.Files.Get "resources/assets/env.js") . | quote }} + acl_json: {{ tpl (.Files.Get "resources/assets/acl.json") . | quote }} + version_json: {{ tpl (.Files.Get "resources/assets/version.json") . | quote }} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-nginx-config.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-nginx-config.yaml index f8e560b908..81a5407209 100644 --- a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-nginx-config.yaml +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-nginx-config.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright © 2024 Deutsche Telekom +# Copyright © 2022 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
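Review bot: In the configmap-assets hunk, `.Files.Get` returns an empty string for a file that does not exist and `tpl "" .` renders nothing, so a missing `resources/assets/version.json` (not part of this diff) silently becomes `version_json: ""` and the pod serves an empty file; wrapping each read as `{{ tpl (required "resources/assets/version.json is missing" (.Files.Get "resources/assets/version.json")) . | quote }}` fails the render instead. The `chart:` label is dropped here and in the two templates that follow while `release` and `heritage` stay, so make sure no selector, dashboard or alert relies on the `chart` label.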
@@ -13,14 +13,15 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} +--- apiVersion: v1 kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-nginx-config + namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/default.conf").AsConfig . | nindent 2 }} +{{ tpl (.Files.Glob "resources/default.conf").AsConfig . | indent 2 }} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap.yaml index 4895edd85b..337cbc455e 100644 --- a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap.yaml +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap.yaml @@ -21,10 +21,12 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: {{- range $key, $val := .Values.env }} {{ $key }}: {{ $val | quote }} {{- end -}} + {{- range $key, $val := .Values.global.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/deployment.yaml index a06f87b5ba..e9562bc302 100644 --- a/kubernetes/portal-ng/components/portal-ng-ui/templates/deployment.yaml +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/deployment.yaml 
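Review bot: The new `range` over `.Values.global.env` in configmap.yaml emits every global key after the chart-local ones, so a key present in both maps (the chart already treats `KEYCLOAK_URL` and `KEYCLOAK_REALM` as overridable from `env`) is written twice into `data:`, and duplicate YAML keys are either rejected or silently last-wins depending on the consumer. Guarding the second loop with `{{- if not (hasKey $.Values.env $key) }}` … `{{- end }}` keeps the chart-local value authoritative and makes the precedence explicit. The `nindent 2` → `indent 2` switch in the nginx-config hunk is safe because the `{{ tpl … }}` line starts at column 0 on its own line after `data:`.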
@@ -22,13 +22,18 @@ spec: replicas: {{ .Values.replicaCount }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- include "common.templateMetadata" . | indent 6 }} spec: {{- include "common.imagePullSecrets" . | nindent 6 }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ .Chart.Name }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap @@ -57,11 +62,15 @@ spec: mountPath: /etc/nginx/conf.d/default.conf subPath: default.conf readOnly: true - - name: env-js + - name: assets mountPath: /usr/share/nginx/html/assets/env.js subPath: env.js readOnly: true - - name: version-json + - name: assets + mountPath: /usr/share/nginx/html/assets/acl.json + subPath: acl.json + readOnly: true + - name: assets mountPath: /usr/share/nginx/html/assets/version.json subPath: version.json readOnly: true @@ -95,12 +104,16 @@ spec: - name: nginx-config configMap: name: {{ include "common.fullname" . }}-nginx-config - - name: env-js - configMap: - name: {{ include "common.fullname" . }}-env-js - - name: version-json + - name: assets configMap: - name: {{ include "common.fullname" . }}-version-json + name: {{ include "common.fullname" . }}-assets + items: + - key: env_js + path: env.js + - key: acl_json + path: acl.json + - key: version_json + path: version.json - name: tmp-volume emptyDir: sizeLimit: 64Mi diff --git a/kubernetes/portal-ng/components/portal-ng-ui/values.yaml b/kubernetes/portal-ng/components/portal-ng-ui/values.yaml index 7e154afae2..fa019b8a5b 100644 
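Review bot: The `checksum/config` annotation hashes only `configmap.yaml`, but this pod also consumes the `-nginx-config` and `-assets` ConfigMaps, all mounted with `subPath` (which never propagates ConfigMap updates into a running container), so a change to `default.conf`, `env.js` or `acl.json` triggers no rollout until the pod is restarted by other means. Adding `checksum/nginx-config: {{ include (print $.Template.BasePath "/configmap-nginx-config.yaml") . | sha256sum }}` and `checksum/assets: {{ include (print $.Template.BasePath "/configmap-assets.yaml") . | sha256sum }}` beside the existing line closes that gap. Also, `annotations:` is now written explicitly before `{{- include "common.templateMetadata" . | indent 6 }}`; if that helper emits its own `annotations:` key (not visible here) the pod template ends up with a duplicate mapping key — confirm against the common chart.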
--- a/kubernetes/portal-ng/components/portal-ng-ui/values.yaml +++ b/kubernetes/portal-ng/components/portal-ng-ui/values.yaml @@ -13,6 +13,9 @@ # limitations under the License. global: + env: + KEYCLOAK_URL: http://keycloak-keycloakx-http.keycloak + KEYCLOAK_REALM: ONAP ingress: virtualhost: # Default Ingress base URL @@ -49,7 +52,7 @@ service: internalPort: 8080 ports: - name: http - port: 80 + port: 8080 port_protocol: http ingress: @@ -57,11 +60,26 @@ ingress: service: - baseaddr: "portal-ng-ui" name: "portal-ng-ui" - port: 80 + port: 8080 config: ssl: "redirect" -resources: {} +resources: + small: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "50m" + memory: "128Mi" + large: + limits: + cpu: "4" + memory: "2Gi" + requests: + cpu: "100m" + memory: "256Mi" + unlimited: {} autoscaling: enabled: false @@ -84,12 +102,10 @@ tolerations: [] affinity: {} env: + NAME_SERVER: coredns.kube-system + KEYCLOAK_EXTERNAL_URL: https://keycloak-ui.simpledemo.onap.org BFF_URL: http://portal-ng-bff.onap.svc.cluster.local:9080 NGINX_PORT: 8080 - KEYCLOAK_REALM: ONAP - KEYCLOAK_INTERNAL_URL: http://keycloakx-http.keycloak.svc.cluster.local - KEYCLOAK_HOSTNAME: https://keycloak-ui.simpledemo.onap.org - CLUSTER_NAMESERVER_IP: 1.2.3.4 #Pods Service Account serviceAccount: @@ -109,4 +125,21 @@ tiles: HOLMES_URL: "holmes-rule-mgmt-ui" AAI_URL: "aai-sparkybe-api" SDNCDG_URL: "sdnc-dgbuilder-ui" - SDNCODL_URL: "sdnc-web-ui"
\ No newline at end of file + SDNCODL_URL: "sdnc-web-ui" + +acl: + portal_admin: + - users.administration.list + - users.administration.detail + - users.administration.create + - users.administration.edit + - users.administration.delete + - dashboard.tile.USER_LAST_ACTION_TILE + portal_operator: + - dashboard.tile.USER_LAST_ACTION_TILE + portal_designer: + - dashboard.tile.USER_LAST_ACTION_TILE + +securityContext: + user_id: 101 + group_id: 101 diff --git a/kubernetes/sdc/components/sdc-be/templates/servicemonitor.yaml b/kubernetes/sdc/components/sdc-be/templates/servicemonitor.yaml new file mode 100644 index 0000000000..c0d9f212b4 --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/templates/servicemonitor.yaml @@ -0,0 +1,3 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }}
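Review bot: The new `acl` block in portal-ng-ui/values.yaml has no documentation of what it feeds: these lists are rendered into `assets/acl.json`, a static file nginx serves to every browser, so they are public and can only drive what the UI displays; a comment such as `# Role -> UI permission lists; rendered into the public assets/acl.json, authorization is enforced by the backend` above `acl:` keeps a future editor from treating it as a security boundary. `securityContext.user_id: 101`/`group_id: 101` also deserves a one-line comment naming the uid it targets (presumably the nginx image's unprivileged user), since it differs from the 65534 used by the preferences chart in the same diff.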
\ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-be/values.yaml b/kubernetes/sdc/components/sdc-be/values.yaml index 7f914d4bdf..752fc2cc15 100644 --- a/kubernetes/sdc/components/sdc-be/values.yaml +++ b/kubernetes/sdc/components/sdc-be/values.yaml @@ -169,6 +169,14 @@ resources: memory: "6Gi" unlimited: {} +metrics: + serviceMonitor: + enabled: true + targetPort: 8080 + path: /sdc2/rest/actuator/prometheus + basicAuth: + enabled: false + #Pods Service Account serviceAccount: nameOverride: sdc-be diff --git a/kubernetes/strimzi/Chart.yaml b/kubernetes/strimzi/Chart.yaml index 1b927d6c4d..180b42bff9 100644 --- a/kubernetes/strimzi/Chart.yaml +++ b/kubernetes/strimzi/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v2 description: ONAP Strimzi Kafka name: strimzi -version: 13.0.1 +version: 13.0.2 dependencies: - name: common @@ -31,4 +31,3 @@ dependencies: version: ~13.x-0 repository: 'file://components/strimzi-kafka-bridge' condition: strimzi-kafka-bridge.enabled - diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml index e254d99710..ca4a4e94d3 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v2 description: ONAP Strimzi Kafka Bridge name: strimzi-kafka-bridge -version: 13.0.0 +version: 13.0.1 dependencies: - name: common diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml index 25fbf3df77..7f4dea46e1 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml @@ -21,4 +21,3 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/log4j2.properties").AsConfig . | indent 2 }} - 
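Review bot: `metrics.serviceMonitor.enabled: true` in sdc-be/values.yaml is a default that makes installing sdc-be depend on the Prometheus Operator `ServiceMonitor` CRD, assuming `common.serviceMonitor` renders one, so clusters without the operator fail at apply time; either default to `false` or add `# Requires the Prometheus Operator CRDs; set to false where they are absent` above the block. `basicAuth.enabled: false` together with `path: /sdc2/rest/actuator/prometheus` also means the actuator endpoint is scraped without credentials — acceptable in-cluster, but confirm the path is not reachable through the ingress. The new servicemonitor.yaml lacks a trailing newline; the strimzi Chart.yaml and configmap hunks that follow are version and whitespace changes.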
diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml index b081e290e3..8364dfe58f 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml @@ -34,6 +34,18 @@ spec: configMapKeyRef: key: log4j2.properties name: {{ include "common.fullname" . }}-kb-logging-cm + resources: + requests: + cpu: {{ .Values.resources.requests.cpu }} + memory: {{ .Values.resources.requests.memory }} + limits: + cpu: {{ .Values.resources.limits.cpu }} + memory: {{ .Values.resources.limits.memory }} template: pod: {{- include "common.imagePullSecrets" . | nindent 6 }} + securityContext: + {{- toYaml .Values.pod.securityContext | nindent 8 }} + bridgeContainer: + securityContext: + {{- toYaml .Values.bridgeContainer.securityContext | nindent 8 }} diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml index 8a4c4cdc6c..fa7b10aa22 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml @@ -33,3 +33,27 @@ config: # nameOverride is required to avoid duplication # in pod and service names ie ...-bridge-bridge-{random hex} nameOverride: strimzi-kafka + +resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + +pod: + securityContext: + seccompProfile: + type: RuntimeDefault +bridgeContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW diff --git a/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml index 12c742ef35..1e59dc67a0 100644 
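Review bot: `capabilities.drop: [ALL, CAP_NET_RAW]` in the bridge container securityContext of strimzi-kafka-bridge/values.yaml is redundant — `ALL` already drops every capability — and Kubernetes spells capability names without the `CAP_` prefix, so the second entry is at best noise; `drop:` with `- ALL` alone says the same thing. The identical list is repeated in the cruiseControl, kafka, zookeeper, entityOperator and kafkaExporter blocks of strimzi/values.yaml in the last two hunks of this diff. In strimzi-kb.yaml the pod-level securityContext sets only `seccompProfile` while `runAsNonRoot`/`runAsUser` live on the container, which matches the other Strimzi blocks here but deserves a comment explaining the split.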
--- a/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml +++ b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml @@ -17,4 +17,4 @@ lowercaseOutputName: true rules: - pattern: kafka.cruisecontrol<name=(.+)><>(\w+) name: kafka_cruisecontrol_$1_$2 - type: GAUGE
\ No newline at end of file + type: GAUGE diff --git a/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml index 7ad971fc16..8db35a9c8d 100644 --- a/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml +++ b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml @@ -134,4 +134,4 @@ rules: name: kafka_$1_$2_$3 type: GAUGE labels: - quantile: "0.$4"
\ No newline at end of file + quantile: "0.$4" diff --git a/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml index 6a1eab7825..d5bf27f44d 100644 --- a/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml +++ b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml @@ -41,4 +41,4 @@ rules: type: GAUGE labels: replicaId: "$2" - memberType: "$3"
\ No newline at end of file + memberType: "$3" diff --git a/kubernetes/strimzi/templates/strimzi-kafka.yaml b/kubernetes/strimzi/templates/strimzi-kafka.yaml index aee4696fe0..5f5fcd553a 100644 --- a/kubernetes/strimzi/templates/strimzi-kafka.yaml +++ b/kubernetes/strimzi/templates/strimzi-kafka.yaml @@ -20,6 +20,13 @@ spec: kafka: version: {{ .Values.config.kafkaVersion }} replicas: {{ .Values.replicaCount }} + resources: + limits: + cpu: {{ .Values.kafka.resources.limits.cpu }} + memory: {{ .Values.kafka.resources.limits.memory }} + requests: + cpu: {{ .Values.kafka.resources.requests.cpu }} + memory: {{ .Values.kafka.resources.requests.memory }} listeners: - name: plain port: {{ .Values.config.kafkaInternalPort }} @@ -71,8 +78,7 @@ spec: pod: {{- include "common.imagePullSecrets" . | nindent 8 }} securityContext: - runAsUser: 0 - fsGroup: 0 + {{- toYaml .Values.kafka.template.pod.securityContext | nindent 10 }} {{- if .Values.affinity.podAntiAffinity.enabled }} affinity: podAntiAffinity: @@ -85,6 +91,9 @@ spec: - {{ include "common.fullname" . }}-kafka topologyKey: "kubernetes.io/hostname" {{- end }} + kafkaContainer: + securityContext: + {{- toYaml .Values.kafka.template.kafkaContainer.securityContext | nindent 10 }} config: default.replication.factor: {{ .Values.replicaCount }} min.insync.replicas: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }} @@ -116,8 +125,7 @@ spec: pod: {{- include "common.imagePullSecrets" . | nindent 8 }} securityContext: - runAsUser: 0 - fsGroup: 0 + {{- toYaml .Values.zookeeper.template.pod.securityContext | nindent 10 }} {{- if .Values.affinity.podAntiAffinity.enabled }} affinity: podAntiAffinity: 
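Review bot: Replacing `runAsUser: 0`/`fsGroup: 0` with the values-driven pod securityContext (`runAsUser`/`fsGroup` 1001 in strimzi/values.yaml) changes the ownership of persistent Kafka data on an upgraded release: Kubernetes re-chowns the volume on mount only where the driver honors `fsGroup`, and a recursive chown of a large log directory can delay broker start, so the upgrade path needs a note in values.yaml, e.g. `# Changing fsGroup on an existing release re-chowns the data volumes; verify the storage class honors fsGroup`. The same applies to the zookeeper hunk (`@@ -116`) in this file. In the first hunk, `cpu: {{ .Values.kafka.resources.limits.cpu }}` renders the quoted `'2'` from values as a bare scalar, which the API accepts as a quantity, but `{{ … | quote }}` would keep the rendered type stable across overrides.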
@@ -130,6 +138,9 @@ spec: - {{ include "common.fullname" . }}-zookeeper topologyKey: "kubernetes.io/hostname" {{- end }} + zookeeperContainer: + securityContext: + {{- toYaml .Values.zookeeper.template.zookeeperContainer.securityContext | nindent 10 }} replicas: {{ .Values.replicaCount }} config: ssl.hostnameVerification: false 
@@ -149,30 +160,76 @@ spec: configMapKeyRef: name: {{ include "common.fullname" . }} key: zookeeper-metrics-config.yml + resources: + limits: + cpu: {{ .Values.zookeeper.resources.limits.cpu }} + memory: {{ .Values.zookeeper.resources.limits.memory }} + requests: + cpu: {{ .Values.zookeeper.resources.requests.cpu }} + memory: {{ .Values.zookeeper.resources.requests.memory }} {{- end }} entityOperator: template: pod: {{- include "common.imagePullSecrets" . | nindent 8 }} - topicOperator: {} - userOperator: {} + securityContext: + {{- toYaml .Values.entityOperator.template.pod.securityContext | nindent 10 }} + topicOperatorContainer: + securityContext: + {{- toYaml .Values.entityOperator.template.topicOperatorContainer.securityContext | nindent 10 }} + userOperatorContainer: + securityContext: + {{- toYaml .Values.entityOperator.template.userOperatorContainer.securityContext | nindent 10 }} + topicOperator: + resources: + limits: + cpu: {{ .Values.entityOperator.template.topicOperator.resources.limits.cpu }} + memory: {{ .Values.entityOperator.template.topicOperator.resources.limits.memory }} + requests: + cpu: {{ .Values.entityOperator.template.topicOperator.resources.requests.cpu }} + memory: {{ .Values.entityOperator.template.topicOperator.resources.requests.memory }} + userOperator: + resources: + limits: + cpu: {{ .Values.entityOperator.template.userOperator.resources.limits.cpu }} + memory: {{ .Values.entityOperator.template.userOperator.resources.limits.memory }} + requests: + cpu: {{ .Values.entityOperator.template.userOperator.resources.requests.cpu }} + memory: {{ .Values.entityOperator.template.userOperator.resources.requests.memory }} {{- if .Values.cruiseControl.enabled }} cruiseControl: template: pod: {{- include "common.imagePullSecrets" . 
| nindent 8 }} + securityContext: + {{- toYaml .Values.cruiseControl.template.pod.securityContext | nindent 10 }} + cruiseControlContainer: + securityContext: + {{- toYaml .Values.cruiseControl.template.cruiseControlContainer.securityContext | nindent 10 }} metricsConfig: type: {{ .Values.cruiseControl.metricsConfig.type }} valueFrom: configMapKeyRef: name: {{ include "common.fullname" . }} key: cruisecontrol-metrics-config.yml + resources: + limits: + cpu: {{ .Values.cruiseControl.template.resources.limits.cpu }} + memory: {{ .Values.cruiseControl.template.resources.limits.memory }} + requests: + cpu: {{ .Values.cruiseControl.template.resources.requests.cpu }} + memory: {{ .Values.cruiseControl.template.resources.requests.memory }} {{- end }} {{- if .Values.metrics.kafkaExporter.enabled }} kafkaExporter: template: pod: {{- include "common.imagePullSecrets" . | nindent 8 }} + securityContext: + {{- toYaml .Values.cruiseControl.template.pod.securityContext | nindent 10 }} + container: + securityContext: + {{- toYaml .Values.kafkaExporter.template.container.securityContext | nindent 10 }} topicRegex: {{ .Values.metrics.kafkaExporter.topicRegex }} groupRegex: {{ .Values.metrics.kafkaExporter.groupRegex }} resources: diff --git a/kubernetes/strimzi/values.yaml b/kubernetes/strimzi/values.yaml index 3cced3e41a..fe3ca852a9 100644 --- a/kubernetes/strimzi/values.yaml +++ b/kubernetes/strimzi/values.yaml @@ -33,7 +33,7 @@ affinity: podAntiAffinity: enabled: true config: - kafkaVersion: 3.7.0 + kafkaVersion: 3.8.0 authType: simple saslMechanism: &saslMech scram-sha-512 kafkaInternalPort: &plainPort 9092 
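Review bot: The kafkaExporter pod securityContext in the `@@ -149` hunk reads `.Values.cruiseControl.template.pod.securityContext` instead of the `kafkaExporter.template.pod.securityContext` key that strimzi/values.yaml defines later in this diff, so the exporter silently inherits Cruise Control's settings and its own values key is dead; the line should be `{{- toYaml .Values.kafkaExporter.template.pod.securityContext | nindent 10 }}`. The other value paths in that hunk (entityOperator, cruiseControl, zookeeper resources) line up with the keys added in values.yaml. The `kafkaVersion: 3.8.0` bump in the values.yaml hunk that follows requires the installed Strimzi operator to support that Kafka version — confirm before merging.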
@@ -141,6 +141,29 @@ cruiseControl: # ref. https://strimzi.io/blog/2020/06/15/cruise-control/ kafkaRebalance: enabled: false + template: + pod: + securityContext: + seccompProfile: + type: RuntimeDefault + cruiseControlContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi ###################### # Component overrides 
@@ -151,3 +174,122 @@ strimzi-kafka-bridge: saslMechanism: *saslMech kafkaInternalPort: *plainPort strimziKafkaAdminUser: *adminUser + +kafka: + template: + pod: + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + seccompProfile: + type: RuntimeDefault + kafkaContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + #runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + +zookeeper: + template: + pod: + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + seccompProfile: + type: RuntimeDefault + zookeeperContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + #runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + +entityOperator: + template: + pod: + securityContext: + seccompProfile: + type: RuntimeDefault + topicOperatorContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + userOperatorContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + topicOperator: + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + userOperator: + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + +kafkaExporter: + template: + pod: + securityContext: + seccompProfile: + type: RuntimeDefault + container: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 
1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW |
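Review bot: `#runAsGroup: 1001` is left commented out in the `kafkaContainer` and `zookeeperContainer` securityContexts without explanation, while the entityOperator, kafkaExporter and cruiseControl container blocks set it; since the pod-level `runAsGroup: 1001` already applies to those containers, either delete the lines or replace them with `# runAsGroup inherited from template.pod.securityContext`. `readOnlyRootFilesystem: true` on the broker and ZooKeeper containers is a behavioral change for existing installs — Strimzi presumably provides writable scratch volumes, but confirm with the operator version in use. The six near-identical `resources` blocks (`cpu: '2'`, `memory: 2Gi`, `cpu: 100m`, `memory: 1Gi`) could share a YAML anchor, as this file already does for `saslMechanism`, to keep limits from drifting apart.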