Diffstat (limited to 'kubernetes')
185 files changed, 2254 insertions, 1798 deletions
diff --git a/kubernetes/aai/Chart.yaml b/kubernetes/aai/Chart.yaml index b06609a0c4..77078332c9 100644 --- a/kubernetes/aai/Chart.yaml +++ b/kubernetes/aai/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP Active and Available Inventory name: aai -version: 14.0.3 +version: 15.0.1 dependencies: - name: common @@ -34,32 +34,35 @@ dependencies: - name: repositoryGenerator version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' - name: aai-babel - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/aai-babel' condition: aai-babel.enabled - name: aai-graphadmin - version: ~14.x-1 + version: ~15.x-0 repository: 'file://components/aai-graphadmin' condition: aai-graphadmin.enabled - name: aai-modelloader - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/aai-modelloader' condition: aai-modelloader.enabled - name: aai-resources - version: ~14.x-1 + version: ~15.x-0 repository: 'file://components/aai-resources' condition: aai-resources.enabled - name: aai-schema-service - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/aai-schema-service' condition: aai-schema-service.enabled - name: aai-sparky-be - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/aai-sparky-be' condition: aai-sparky-be.enabled - name: aai-traversal - version: ~14.x-1 + version: ~15.x-0 repository: 'file://components/aai-traversal' condition: aai-traversal.enabled - name: serviceAccount diff --git a/kubernetes/aai/components/aai-babel/Chart.yaml b/kubernetes/aai/components/aai-babel/Chart.yaml index 50a7c24ee0..2d0a78bde4 100644 --- a/kubernetes/aai/components/aai-babel/Chart.yaml +++ b/kubernetes/aai/components/aai-babel/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Babel microservice name: aai-babel -version: 14.0.2 +version: 15.0.1 dependencies: - name: common 
diff --git a/kubernetes/aai/components/aai-babel/resources/config/application.properties b/kubernetes/aai/components/aai-babel/resources/config/application.properties index 56560d5cb2..b28a4e7c6c 100644 --- a/kubernetes/aai/components/aai-babel/resources/config/application.properties +++ b/kubernetes/aai/components/aai-babel/resources/config/application.properties @@ -24,4 +24,13 @@ server.servlet.context-path=/services/babel-service logging.config=${CONFIG_HOME}/logback.xml tosca.mappings.config=${CONFIG_HOME}/tosca-mappings.json +spring.application.name=aai-babel +spring.sleuth.enabled=true +spring.zipkin.baseUrl={{ .Values.tracing.collector.baseUrl }} +spring.sleuth.messaging.jms.enabled = false +spring.sleuth.trace-id128=true +spring.sleuth.sampler.probability={{ .Values.tracing.sampling.probability }} +spring.sleuth.propagation.type=w3c, b3 +spring.sleuth.supports-join=false + management.endpoints.web.exposure.include=* diff --git a/kubernetes/aai/components/aai-babel/templates/configmap.yaml b/kubernetes/aai/components/aai-babel/templates/configmap.yaml index baee38c0e2..39d494acc2 100644 --- a/kubernetes/aai/components/aai-babel/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-babel/templates/configmap.yaml @@ -21,10 +21,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-babel/templates/deployment.yaml b/kubernetes/aai/components/aai-babel/templates/deployment.yaml index f3fc04c00c..782ed1226c 100644 --- a/kubernetes/aai/components/aai-babel/templates/deployment.yaml 
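Review bot: In the sleuth block added to application.properties, `spring.sleuth.messaging.jms.enabled = false` is the only key written with spaces around `=`; Java properties tolerate that, but every other line in the file uses `key=value`, so `spring.sleuth.messaging.jms.enabled=false` would keep the file uniform. The two templated lines read `.Values.tracing.collector.baseUrl` and `.Values.tracing.sampling.probability`, and no `tracing` block appears in the aai-babel values.yaml hunks of this diff; if it is inherited from the parent chart's values that is fine, otherwise rendering stops with a nil-pointer error on these lines. A one-line comment such as `# tracing.* is defined in the parent aai values` above the block would spare the next reader the lookup.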
+++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml @@ -38,10 +38,12 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} ports: {{- if .Values.debug.enabled }} - containerPort: {{ .Values.debug.port }} @@ -99,6 +101,10 @@ spec: - mountPath: /opt/app/babel/config/logback.xml name: config subPath: logback.xml + - mountPath: /opt/app/babel/logs + name: babel-logs + - mountPath: /tmp + name: tmp resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -120,7 +126,14 @@ spec: secret: secretName: {{ include "common.fullname" . }}-babel-secrets - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.artifactDataSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} + - name: babel-logs + emptyDir: + sizeLimit: {{ .Values.volumes.babelLogsSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-babel/templates/secrets.yaml b/kubernetes/aai/components/aai-babel/templates/secrets.yaml index 9d7d2c5a80..3f2b97c210 100644 --- a/kubernetes/aai/components/aai-babel/templates/secrets.yaml +++ b/kubernetes/aai/components/aai-babel/templates/secrets.yaml 
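Review bot: In the volumes hunk, the existing `logs` emptyDir gets `sizeLimit: {{ .Values.volumes.artifactDataSizeLimit }}` while the new `babel-logs` volume gets `babelLogsSizeLimit`; from the names alone it is not clear whether `logs` really holds artifact data or whether the two keys were swapped. The mount of `logs` is outside this hunk, so I cannot confirm which it is. If `logs` is the artifact-data volume, a comment on the values entry (`# sizes the "logs" emptyDir, which holds generated artifacts`) would stop the next reader from "fixing" it; if not, the key here should be `babelLogsSizeLimit` and a separate limit used for `babel-logs`.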
@@ -21,11 +21,7 @@ kind: Secret metadata: name: {{ include "common.fullname" . }}-babel-secrets namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml index 54f8c5ea98..2a57bb23cc 100644 --- a/kubernetes/aai/components/aai-babel/values.yaml +++ b/kubernetes/aai/components/aai-babel/values.yaml @@ -25,10 +25,9 @@ global: {} ################################################################# # application image -image: onap/babel:1.13.3 +image: onap/babel:1.13.4 flavor: small -flavorOverride: small # default number of instances replicaCount: 1 @@ -85,16 +84,16 @@ resources: small: limits: cpu: "1" - memory: "4Gi" + memory: "3Gi" requests: - cpu: "0.5" + cpu: "200m" memory: "1Gi" large: limits: cpu: "4" - memory: "8Gi" + memory: "6Gi" requests: - cpu: "2" + cpu: "1" memory: "2Gi" unlimited: {} @@ -145,3 +144,15 @@ log: level: root: INFO logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + artifactDataSizeLimit: 50Mi + babelLogsSizeLimit: 100Mi + tmpSizeLimit: 100Mi + +securityContext: + user_id: 1000 + group_id: 101 + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/aai/components/aai-graphadmin/Chart.yaml b/kubernetes/aai/components/aai-graphadmin/Chart.yaml index 7c86fed9dd..13315415f2 100644 --- a/kubernetes/aai/components/aai-graphadmin/Chart.yaml +++ b/kubernetes/aai/components/aai-graphadmin/Chart.yaml 
@@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP AAI GraphAdmin name: aai-graphadmin -version: 14.0.2 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties index 8f63ac85ab..cf9164295a 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties @@ -5,7 +5,7 @@ # ================================================================================ # Copyright © 2018 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2023 Nordix Foundation +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -29,11 +29,11 @@ aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ -{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} +{{- if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} -{{ end }} +{{- end }} aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED 
diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties index d124f63141..cc6b5677c5 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties @@ -111,5 +111,11 @@ aperture.service.timeout-in-milliseconds=300000 #To Expose the Prometheus scraping endpoint management.server.port={{ .Values.service.actuatorPort }} management.endpoints.enabled-by-default=true -management.endpoints.web.exposure.include=info,health,prometheus +management.endpoints.web.exposure.include=* management.security.enabled=false + +# If true, the actuator health check will be overriden +# to use the AaiGraphChecker check instead. +# This does the same as the /echo endpoint, +# but doesn't show up in micrometer metrics +aai.actuator.echo.enabled={{ .Values.actuator.echo.enabled }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml b/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml index 4e9bf7f7ff..04692fefcc 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml +++ b/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml @@ -17,7 +17,7 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: name: {{ include "common.release" . }}-{{ .Values.global.aaiGraphKafkaUser }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml index ddf752b480..1a32d7b516 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml 
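Review bot: `management.endpoints.web.exposure.include=*` widens the graphadmin actuator from `info,health,prometheus` to every endpoint, and the surrounding context keeps `management.security.enabled=false` (a Spring Boot 1.x property that does not protect a 2.x/3.x actuator either way), so anything that can reach the actuator port gets `env`, `configprops`, `threaddump`, `heapdump` where available, and the `loggers` write endpoint; `env`/`configprops` expose configuration values and a heap dump contains whatever credentials the JVM holds in memory. The actuator port name already appears in the port list of service.yaml in this diff, so the exposure is at least cluster-wide unless a network policy or mesh authorization restricts it, which I cannot see from here. If only the new echo-based health check motivated the change, `management.endpoints.web.exposure.include=info,health,prometheus` still covers it, and any further endpoint can be listed explicitly. Separately, the added comment should read `# If true, the actuator health check will be overridden`.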
+++ b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml @@ -25,11 +25,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- if .Values.global.jobs.migration.enabled }} annotations: "helm.sh/hook": pre-upgrade,pre-install @@ -47,11 +43,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-properties namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- if .Values.global.jobs.migration.enabled }} annotations: "helm.sh/hook": pre-upgrade,pre-install @@ -68,11 +60,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-migration namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "0" diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml index 6ac078b756..991727d7c6 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml 
@@ -23,20 +23,7 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: {{- if .Values.config.debug.enabled }} replicas: 1 @@ -54,19 +41,7 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: hostname: aai-graphadmin terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} @@ -207,11 +182,14 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: tmp-volume - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} - name: script-logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.scriptlogSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: config configMap: 
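Review bot: The template-metadata hunk drops the explicit `checksum/config` annotation, so pod restarts on ConfigMap changes now depend on `common.templateMetadata` rendering `.Values.podAnnotations`, where the graphadmin values.yaml hunk re-adds the checksum; the helper is not in this diff, so it is worth confirming that it really emits `podAnnotations`, otherwise config changes no longer roll the pods. In the volumes hunk, `.Values.volumes.scriptlogSizeLimit` breaks the camelCase of its siblings `logSizeLimit` and `tmpSizeLimit`; `scriptLogSizeLimit` in both this template and the values.yaml hunk would be consistent. The Deployment template spans more than the hunks shown here.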
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml index 3f0c4e11e5..1cc431c94f 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml @@ -41,11 +41,7 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-db-backup namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "2" 
@@ -54,38 +50,19 @@ spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: {{- if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} - - command: - - /bin/bash - - -c - - /app/ready.py --service-name {{ .Values.global.cassandra.serviceName }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-db-backup-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForCassandraService ) | indent 6 | trim}} {{- end }} containers: - name: {{ include "common.name" . }}-db-backup-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} command: - sh args: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml index e67479a1d5..19e62ae7c4 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml 
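Review bot: The hand-written readiness init container removed in this hunk carried explicit `resources` limits and requests; the `common.readinessCheck.waitFor` include that replaces it takes only `dot` and `wait_for`, so whether the rendered init container still has resources depends on the readinessCheck chart, which is not in this diff. In a namespace with a LimitRange or ResourceQuota a container without requests can be rejected or receive defaults that differ from the previous `100m`/`500Mi`. The same replacement is made in job-migration.yaml. If the helper does not set them, a short comment here stating where the init container's resources are configured, or a values knob for them, would close the gap.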
@@ -40,18 +40,12 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-create-db-schema namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }} spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: initContainers: @@ -76,6 +70,17 @@ spec: - name: JVM_OPTS value: {{ .Values.config.debug.args | quote }} {{- end }} + {{- if .Values.config.env }} + {{- range $key,$value := .Values.config.env }} + - name: {{ $key | upper | quote}} + value: {{ $value | quote}} + {{- end }} + {{- end }} + - name: JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.release" . }}-{{ .Values.global.aaiGraphKafkaUser }} + key: sasl.jaas.config ports: {{- if .Values.config.debug.enabled }} - containerPort: {{ .Values.service.debugPort }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml index 4ec2306eca..f6f2f8b1a7 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml 
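Review bot: The `.Values.config.env` loop renders each value with `quote` only, and the value added in the graphadmin values.yaml hunk, `BOOTSTRAP_SERVERS: onap-strimzi-kafka-bootstrap:9092`, hard-codes the `onap` release prefix, while the `JAAS_CONFIG` secret reference right below derives its name from `common.release`; under any other release name the job would resolve its credentials secret but fail to reach the bootstrap host. Rendering with `value: {{ tpl $value $ | quote }}` and writing `BOOTSTRAP_SERVERS: '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092'` in values.yaml keeps the two in step. Port 9092 is conventionally the non-TLS Strimzi listener; if it is not protected by mesh mTLS, the SASL credentials taken from `sasl.jaas.config` cross the cluster network in the clear, which is worth confirming against the Kafka listener configuration. The container spec continues outside this hunk.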
@@ -41,11 +41,7 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-migration namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }} annotations: "helm.sh/hook": post-upgrade,post-rollback,post-install "helm.sh/hook-weight": "1" @@ -54,35 +50,12 @@ spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --service-name - - {{ .Values.global.cassandra.serviceName }} - - --service-name - - aai-schema-service - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForWithSchemaService) | indent 6 | trim }} - command: - sh args: 
@@ -125,6 +98,7 @@ spec: echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} sh docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ; {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config @@ -172,11 +146,7 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-db-backup-job namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-db-backup-job - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "db-backup-job") | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "2" @@ -185,9 +155,7 @@ spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-db-backup-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "db-backup-job") | nindent 8 }} name: {{ include "common.name" . }} spec: initContainers: diff --git a/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml b/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml index 563b920c04..cd72d7f219 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml 
@@ -16,16 +16,13 @@ {{- if .Values.global.jobs.migration.enabled -}} {{- if eq "True" (include "common.needPV" .) -}} +{{- if not .Values.persistence.storageClass -}} kind: PersistentVolume apiVersion: v1 metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" + labels: {{- include "common.labels" . | nindent 4 }} name: {{ include "common.fullname" . }} annotations: "helm.sh/hook": pre-upgrade,pre-install @@ -42,3 +39,4 @@ spec: path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath1 }} {{- end -}} {{- end -}} +{{- end -}} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml b/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml index bf8900686d..19c1016ca4 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml @@ -20,11 +20,7 @@ apiVersion: v1 metadata: name: {{ include "common.fullname" . }}-migration namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" + labels: {{- include "common.labels" . | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "-1" diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml index 16924e9d5c..b7c09cfd0e 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml 
@@ -25,12 +25,7 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -58,6 +53,4 @@ spec: name: {{ .Values.service.actuatorPortName }} targetPort: {{ .Values.service.appPort }} {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/servicemonitor.yaml b/kubernetes/aai/components/aai-graphadmin/templates/servicemonitor.yaml index c0d9f212b4..dc706029bf 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/servicemonitor.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/servicemonitor.yaml @@ -1,3 +1,3 @@ {{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml index dd95c8b67a..a2727757cf 100644 --- a/kubernetes/aai/components/aai-graphadmin/values.yaml +++ b/kubernetes/aai/components/aai-graphadmin/values.yaml @@ -103,7 +103,7 @@ global: # global defaults clients: SDNC,-1|MSO,-1|SO,-1|robot-ete,-1 # application image -image: onap/aai-graphadmin:1.14.7 +image: onap/aai-graphadmin:1.15.2 pullPolicy: Always restartPolicy: Always flavor: small @@ -194,6 +194,9 @@ config: - "-Dcom.sun.management.jmxremote.port=9999" - "-Dcom.sun.management.jmxremote.rmi.port=9999" - "-Djava.rmi.server.hostname=127.0.0.1" + env: + BOOTSTRAP_SERVERS: onap-strimzi-kafka-bootstrap:9092 + nodeSelector: {} @@ -214,6 +217,10 @@ startup: failureThreshold: 60 periodSeconds: 5 +actuator: + echo: + enabled: true + readinessCheck: waitForWithCreateSchemaEnabled: jobs: @@ -222,6 +229,23 @@ readinessCheck: services: - '{{ .Values.global.cassandra.serviceName }}' - aai-schema-service + waitForCassandra: + containers: + - aai-schema-service + apps: + - cassandra + waitForLocalCassandra: + containers: + - aai-schema-service + apps: + - aai-cassandra + waitForCassandraService: + services: + - '{{ .Values.global.cassandra.serviceName }}' + waitForWithSchemaService: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service service: type: ClusterIP @@ -284,8 +308,8 @@ resources: cpu: "1" memory: "4Gi" requests: - cpu: "0.5" - memory: "1.6Gi" + cpu: "500m" + memory: "1600Mi" large: limits: cpu: "2" 
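Review bot: Of the four `readinessCheck` entries added in the graphadmin values.yaml hunk, only `waitForCassandraService` and `waitForWithSchemaService` are referenced by templates in this diff (job-copy-db-backup.yaml and job-migration.yaml); `waitForCassandra` and `waitForLocalCassandra` use `containers:`/`apps:` selectors and have no visible consumer, though the unchanged parts of job-create-db.yaml may use them. If they are unused they are dead configuration that will drift from the templates; if used, a one-line comment per entry naming the consuming template, e.g. `# used by job-create-db.yaml`, would make that visible.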
@@ -312,9 +336,9 @@ metrics: selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' relabelings: [] @@ -362,3 +386,11 @@ kafkaUser: - name: AAI-EVENT type: topic operations: [Read, Write] + +volumes: + logSizeLimit: 64Mi + scriptlogSizeLimit: 300Mi + tmpSizeLimit: 500Mi + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/aai/components/aai-modelloader/Chart.yaml b/kubernetes/aai/components/aai-modelloader/Chart.yaml index 5ce5902869..2f561334f5 100644 --- a/kubernetes/aai/components/aai-modelloader/Chart.yaml +++ b/kubernetes/aai/components/aai-modelloader/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP AAI modelloader name: aai-modelloader -version: 14.0.1 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml b/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml index dd8da5951a..90579b04e6 100644 --- a/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml +++ b/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml @@ -142,6 +142,8 @@ <!-- Model Loader loggers --> <logger name="org.openecomp.modelloader" level="INFO" /> + <logger name="org.onap.sdc.impl.NotificationConsumer" level="WARN" /> + <!-- Other Loggers that may help troubleshoot --> <logger name="net.sf" level="WARN" /> <logger name="org.apache.commons.httpclient" level="WARN" /> 
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties index e32f48f77f..7c65c8683c 100644 --- a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties +++ b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties @@ -1,7 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2023 Nordix Foundation +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml index d3fd509dcd..c2984626b6 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml @@ -19,11 +19,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-prop namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/model-loader.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/application.properties").AsConfig . | indent 2 }} 
@@ -33,10 +29,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-log namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/log/logback.xml").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml index 486ffbaa49..f3753d0040 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml @@ -19,20 +19,7 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: {{- if .Values.debug.enabled }} replicas: 1 
@@ -51,17 +38,7 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} @@ -69,10 +46,12 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: - name: CONFIG_HOME value: /opt/app/model-loader/config/ @@ -90,8 +69,8 @@ spec: value: {{ .Values.debug.args | quote }} {{- end }} ports: - - containerPort: 9500 - name: http + - containerPort: {{ .Values.service.appPort }} + name: {{ .Values.service.appPortName }} {{- if .Values.debug.enabled }} - containerPort: {{ .Values.debug.port }} name: {{ .Values.debug.portName }} @@ -109,6 +88,8 @@ spec: name: prop-config - mountPath: {{ .Values.log.path }} name: logs + - mountPath: /tmp + name: tmp - mountPath: /opt/app/model-loader/logback.xml name: log-config subPath: logback.xml 
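Review bot: The `common.podSecurityContext` and `common.containerSecurityContext` includes are added to this Deployment, but the model-loader values.yaml hunks in this same change add no `securityContext` block, whereas aai-resources values.yaml gets `securityContext: {user_id: 1000, group_id: 1000}`. If the common templates fall back to a global default uid/gid that is fine; if they render nothing when the key is absent, this pod keeps running as the image's default user and the hardening is a no-op for model-loader. Render the chart (`helm template`) and check that `runAsUser`/`runAsNonRoot` appear on the model-loader pod, or add the same three lines to values.yaml: `securityContext:` / `  user_id: 1000` / `  group_id: 1000`. The container spec continues outside this hunk.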
@@ -121,7 +102,11 @@ spec: configMap: name: {{ include "common.fullname" . }}-prop - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: log-config configMap: diff --git a/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml b/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml index 1eb564ed72..961a850ee9 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml @@ -19,8 +19,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: name: {{ include "common.fullname" . }} - labels: - {{- include "common.labels" . | nindent 4 }} + labels: {{- include "common.labels" . | nindent 4 }} spec: selector: matchLabels: diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml index b28989c78f..6c8cdb7d31 100644 --- a/kubernetes/aai/components/aai-modelloader/values.yaml +++ b/kubernetes/aai/components/aai-modelloader/values.yaml @@ -25,7 +25,6 @@ image: onap/model-loader:1.14.2 pullPolicy: Always restartPolicy: Always flavor: small -flavorOverride: small # Strimzi KafkaUser config kafkaUser: @@ -75,17 +74,22 @@ nodeSelector: {} affinity: {} +service: + # REST API port for the graphadmin microservice + appPortName: http + appPort: 9500 + # probe configuration parameters liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container enabled: true + path: /healthz + periodSeconds: 10 + initialDelaySeconds: 10 readiness: - initialDelaySeconds: 10 + path: /healthz periodSeconds: 10 + initialDelaySeconds: 10 resources: small: 
@@ -93,7 +97,7 @@ resources: cpu: "1" memory: "4Gi" requests: - cpu: "0.5" + cpu: "500m" memory: "1Gi" large: limits: @@ -136,3 +140,7 @@ log: level: root: INFO logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 64Mi + tmpSizeLimit: 100Mi diff --git a/kubernetes/aai/components/aai-resources/Chart.yaml b/kubernetes/aai/components/aai-resources/Chart.yaml index c67329d234..c83a28671c 100644 --- a/kubernetes/aai/components/aai-resources/Chart.yaml +++ b/kubernetes/aai/components/aai-resources/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP AAI resources name: aai-resources -version: 14.0.2 +version: 15.0.1 dependencies: - name: common @@ -30,3 +30,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties index 0f6f2923af..6392a8e0b0 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties @@ -91,7 +91,7 @@ aai.bulkconsumer.payloadoverride={{ .Values.config.bulk.override }} # # Indicator to enable or disable scheduled task (true/false) -aai.graph.checker.task.enabled=true +aai.graph.checker.task.enabled=false # Delay, in seconds, before the scheduled task is started, if enabled aai.graph.checker.task.delay=5 diff --git a/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties b/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties index 774e8bd5ca..738634d230 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties @@ -11,4 +11,4 @@ keycloak.public-client=true keycloak.principal-attribute=preferred_username keycloak.ssl-required=external -keycloak.bearer-only=true
\ No newline at end of file
+keycloak.bearer-only=true
diff --git a/kubernetes/aai/components/aai-resources/resources/config/application.properties b/kubernetes/aai/components/aai-resources/resources/config/application.properties
index 5762460a02..eae146b845 100644
--- a/kubernetes/aai/components/aai-resources/resources/config/application.properties
+++ b/kubernetes/aai/components/aai-resources/resources/config/application.properties
@@ -107,7 +107,7 @@ schema.service.client=no-auth
 #to expose the Prometheus scraping endpoint
 management.server.port=8448
 management.endpoints.enabled-by-default=true
-management.endpoints.web.exposure.include=info,health,prometheus
+management.endpoints.web.exposure.include=*
 endpoints.enabled={{ .Values.endpoints.enabled }}
 endpoints.info.enabled={{ .Values.endpoints.info.enabled }}
 endpoints.prometheus.enabled={{ .Values.metrics.serviceMonitor.enabled }}
@@ -118,4 +118,10 @@ management.metrics.distribution.sla[http.server.requests]=20ms, 30ms, 40ms, 50ms
 #Add common tag for grouping all aai related metrics
 management.metrics.tags.group_id=aai
 #It is not advisable to use labels to store dimensions with high cardinality. Enable this option only for debug purposes. For more information: https://github.com/micrometer-metrics/micrometer/issues/1584
-scrape.uri.metrics=false
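Review bot: `management.endpoints.web.exposure.include=*` on the management port (8448) publishes every enabled actuator endpoint instead of `info,health,prometheus`; together with `management.endpoints.enabled-by-default=true` two lines above that means `env` and `configprops` (all Spring property sources and environment variables), `heapdump`, `threaddump` and the POST-able `loggers` become reachable by anything that can hit the metrics port, which service.yaml in this change still exposes on the ClusterIP Service, and nothing in the hunk adds authentication for them. The new probes (`/actuator/health/liveness`, `/actuator/health/readiness`) are already covered by `health`, so the wildcard is not needed for this migration. Keep the explicit allow-list, `management.endpoints.web.exposure.include=info,health,prometheus`, naming any single extra endpoint the tracing work really needs; if the goal is debugging, gate the wildcard on the chart's `config.debug.enabled` value instead of shipping it as the default.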
\ No newline at end of file +scrape.uri.metrics=false + +# If true, the actuator health check will be overriden +# to use the AaiGraphChecker check instead. +# This does the same as the /echo endpoint, +# but doesn't show up in micrometer metrics +aai.actuator.echo.enabled={{ .Values.actuator.echo.enabled }} diff --git a/kubernetes/aai/components/aai-resources/resources/config/janusgraph-cached.properties b/kubernetes/aai/components/aai-resources/resources/config/janusgraph-cached.properties deleted file mode 100644 index b6fdd4c58f..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/janusgraph-cached.properties +++ /dev/null 
@@ -1,102 +0,0 @@ -{{/* -# -# ============LICENSE_START======================================================= -# org.onap.aai -# ================================================================================ -# Copyright © 2017 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. 
-# -*/}} - -query.fast-property=true -query.smart-limit=false - -{{ if .Values.global.config.cluster.cassandra.dynamic }} - -storage.backend=cql -storage.hostname={{.Values.global.cassandra.serviceName}} -storage.cql.keyspace=aaigraph -storage.username={{.Values.global.cassandra.username}} -storage.password={{.Values.global.cassandra.password}} - -storage.cql.read-consistency-level=LOCAL_QUORUM -storage.cql.write-consistency-level=LOCAL_QUORUM -storage.cql.replication-factor={{.Values.global.cassandra.replicas}} -storage.cql.only-use-local-consistency-for-system-operations=true - -{{ else }} - -{{ if .Values.global.config.storage }} - -storage.backend={{ .Values.global.config.storage.backend }} - -{{ if eq .Values.global.config.storage.backend "cassandra" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cassandra.keyspace={{ .Values.global.config.storage.name }} - -storage.cassandra.read-consistency-level={{ .Values.global.config.storage.cassandra.readConsistency }} -storage.cassandra.write-consistency-level={{ .Values.global.config.storage.cassandra.writeConsistency }} -storage.cassandra.replication-factor={{ .Values.global.config.storage.cassandra.replicationFactor | int }} -storage.cassandra.astyanax.cluster-name= {{ .Values.global.config.storage.clusterName }} -storage.cassandra.astyanax.local-datacenter= {{ .Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ else if eq .Values.global.config.storage.backend "cql" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cql.keyspace={{ .Values.global.config.storage.name }} - -storage.cql.read-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} -storage.cql.write-consistency-level={{ 
.Values.global.config.storage.cql.readConsistency }} -storage.cql.replication-factor={{ .Values.global.config.storage.cql.replicationFactor | int }} - -storage.cql.only-use-local-consistency-for-system-operations={{ .Values.global.config.storage.cql.localConsistencyForSysOps }} -storage.cql.cluster-name={{ .Values.global.config.storage.clusterName }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ else if eq .Values.global.config.storage.backend "hbase" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.hbase.table={{ .Values.global.config.storage.name }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ end }} - -{{ end }} - -{{ end }} - -storage.lock.wait-time=300 -#caching on -cache.db-cache = true -cache.db-cache-clean-wait = 20 -cache.db-cache-time = 180000 -cache.db-cache-size = 0.3 - -#load graphson file on startup -load.snapshot.file=false diff --git a/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties b/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties index 36940a8921..1f46755b83 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties 
@@ -16,12 +16,10 @@ # limitations under the License. # ============LICENSE_END========================================================= */}} - query.fast-property=true query.smart-limit=false -{{ if .Values.global.config.cluster.cassandra.dynamic }} - +{{- if .Values.global.config.cluster.cassandra.dynamic }} storage.backend=cql storage.hostname={{.Values.global.cassandra.serviceName}} storage.username={{.Values.global.cassandra.username}} @@ -34,21 +32,16 @@ storage.cql.write-consistency-level=LOCAL_QUORUM storage.cql.replication-factor={{.Values.global.cassandra.replicas}} storage.cql.only-use-local-consistency-for-system-operations=true -{{ if .Values.global.cassandra.partitionerName }} +{{- if .Values.global.cassandra.partitionerName }} storage.cql.partitioner-name={{ .Values.global.cassandra.partitionerName }} -{{ end }} - -{{ else }} - -{{ if .Values.global.config.storage }} - +{{- end }} +{{- else -}} +{{- if .Values.global.config.storage }} storage.backend={{ .Values.global.config.storage.backend }} - -{{ if eq .Values.global.config.storage.backend "cql" }} - +{{- if eq .Values.global.config.storage.backend "cql" }} storage.hostname={{ .Values.global.config.storage.hostname }} storage.cql.keyspace={{ .Values.global.config.storage.name }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.cql.read-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} storage.cql.write-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} 
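Review bot: The last context line of this hunk still renders `storage.cql.write-consistency-level` from `.Values.global.config.storage.cql.readConsistency`, so the write level can never be configured independently of the read level; the deleted janusgraph-cached.properties carried the same copy-paste in its cql branch, so this is inherited rather than new, but the rewrite of this block is the moment to fix it. It should be `storage.cql.write-consistency-level={{ .Values.global.config.storage.cql.writeConsistency }}`, with that key added to values if it does not exist yet (the deleted file used a separate `writeConsistency` key for the old cassandra backend, so the naming precedent is there). Separately, `storage.cql.local-datacenter` is now assigned twice in the cql branch (here and again in the next hunk); a Java Properties load keeps the last one, so one of the two lines should be dropped to avoid a silent divergence later.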
@@ -56,26 +49,21 @@ storage.cql.replication-factor={{ .Values.global.config.storage.cql.replicationF storage.cql.only-use-local-consistency-for-system-operations={{ .Values.global.config.storage.cql.localConsistencyForSysOps }} storage.cql.cluster-name={{ .Values.global.config.storage.clusterName }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - {{ else if eq .Values.global.config.storage.backend "hbase" }} - storage.hostname={{ .Values.global.config.storage.hostname }} storage.hbase.table={{ .Values.global.config.storage.name }} storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ end }} - -{{ end }} - -{{ end }} +{{- end }} +{{- end }} +{{- end }} storage.lock.wait-time=300 
@@ -83,16 +71,16 @@ storage.lock.wait-time=300 # Setting db-cache to false will ensure the fastest propagation of changes across servers # Setting db-cache to true will ensure fastest response times cache.db-cache={{ .Values.config.janusgraph.caching.enabled }} -{{ if .Values.config.janusgraph.caching.enabled }} +{{- if .Values.config.janusgraph.caching.enabled }} # cache-time in milliseconds cache.db-cache-time={{ .Values.config.janusgraph.caching.dbCacheTime }} cache.db-cache-size={{ .Values.config.janusgraph.caching.dbCacheSize }} cache.db-cache-clean-wait={{ .Values.config.janusgraph.caching.dbCacheCleanWait }} -{{ end }} +{{- end }} #load graphson file on startup load.snapshot.file=false -{{ if .Values.config.janusgraph.allowUpgrade }} +{{- if .Values.config.janusgraph.allowUpgrade }} graph.allow-upgrade=true -{{ end }} +{{- end }} diff --git a/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml b/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml index 07919a97a2..54c3d81e05 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml +++ b/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml @@ -11,7 +11,7 @@ you may not use this file except in compliance with the License.
You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
+ http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
@@ -105,4 +105,4 @@ %z - Custom pattern that parses the cert for the subject
%y - Custom pattern determines rest or dme2
-->
-*/}}
\ No newline at end of file +*/}}
diff --git a/kubernetes/aai/components/aai-resources/resources/config/logback.xml b/kubernetes/aai/components/aai-resources/resources/config/logback.xml index 441539361f..a90f354cbe 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/logback.xml +++ b/kubernetes/aai/components/aai-resources/resources/config/logback.xml @@ -388,10 +388,10 @@ <logger name="org.onap.aai.aailog.logs.AaiScheduledTaskAuditLog" level="INFO"> <appender-ref ref="asyncAUDIT"/> </logger> - <logger name="org.onap.logging.filter.base.AbstractAuditLogFilter" level="INFO"> + <logger name="org.onap.logging.filter.base.AbstractAuditLogFilter" level={{ .Values.log.level.audit | upper | quote }}> <appender-ref ref="asyncAUDIT"/> </logger> - <logger name="org.onap.aai.aailog.logs.AaiDBMetricLog" level="INFO"> + <logger name="org.onap.aai.aailog.logs.AaiDBMetricLog" level={{ .Values.log.level.dbMetric | upper | quote }}> <appender-ref ref="asyncMETRIC"/> </logger> <logger name="org.onap.aai.aailog.logs.AaiDmaapMetricLog" level="INFO"> @@ -433,4 +433,4 @@ </if> <appender-ref ref="STDOUT"/> </root> -</configuration>
\ No newline at end of file +</configuration> diff --git a/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml b/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml index 6b703e7cdd..f6063a024d 100644 --- a/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml +++ b/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml @@ -17,7 +17,7 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: name: {{ include "common.release" . }}-{{ .Values.global.aaiKafkaUser }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: diff --git a/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml b/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml new file mode 100644 index 0000000000..29b191b68d --- /dev/null +++ b/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml 
@@ -0,0 +1,32 @@
+{{- if and .Values.autoscaling.enabled (not (or .Values.config.debug.enabled .Values.config.profiling.enabled)) }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "common.fullname" . }}
+ namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "common.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/kubernetes/aai/components/aai-resources/templates/configmap.yaml b/kubernetes/aai/components/aai-resources/templates/configmap.yaml
index eccc4ba491..8e13c8c90d 100644
--- a/kubernetes/aai/components/aai-resources/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/configmap.yaml
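Review bot: The HPA can now scale aai-resources up to `maxReplicas` while `cache.db-cache` stays enabled and `dbCacheSize` is raised to 0.5 in this same change; the janusgraph-realtime.properties comment in this diff states that db-cache=true favours response time over propagation of changes across servers, so with several replicas behind the headless Service a client may read a stale object for up to `dbCacheTime` (180 s) after another replica wrote it. That trade-off is invisible from the HPA template, so it deserves a comment next to `autoscaling:` in values.yaml, e.g. `# with config.janusgraph.caching.enabled=true each replica serves reads from its own cache; expect up to dbCacheTime of staleness when replicas > 1`, or a lower `dbCacheTime` when autoscaling is turned on. The memory metric is also a poor signal for a JVM that does not return heap to the OS, but it is unset by default, so a one-line comment is enough there.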
@@ -20,16 +20,11 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/janusgraph-realtime.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/janusgraph-cached.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/aaiconfig.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-resources/templates/deployment.yaml b/kubernetes/aai/components/aai-resources/templates/deployment.yaml index f00cb99d21..cb434ed2cd 100644 --- a/kubernetes/aai/components/aai-resources/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-resources/templates/deployment.yaml 
@@ -20,22 +20,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + {{- if or .Values.config.debug.enabled .Values.config.profiling.enabled }} + replicas: 1 + {{- else }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} minReadySeconds: {{ .Values.minReadySeconds }} strategy: @@ -47,19 +40,7 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} {{- if .Values.global.msbEnabled }} {{ $values := .Values }} msb.onap.org/service-info: '[ 
@@ -93,44 +74,20 @@ spec: spec: hostname: aai-resources terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - {{- if .Values.global.jobs.migration.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-migration - {{- else }} - {{- if .Values.global.jobs.createSchema.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-create-db-schema - {{- else }} - - --service-name - - {{ .Values.global.cassandra.serviceName }} - - --service-name - - aai-schema-service - {{- end }} - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{- if .Values.global.jobs.migration.enabled }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_migration) | nindent 8 }} + {{- else if .Values.global.jobs.createSchema.enabled }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_createSchema) | nindent 8 }} + {{- else }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_cassandra) | nindent 8 }} + {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: {{- if .Values.config.env }} {{- range $key,$value := .Values.config.env }} 
@@ -146,10 +103,6 @@ spec: - name: POST_JVM_ARGS value: {{ .Values.config.debug.args | quote }} {{- end }} - - name: LOCAL_USER_ID - value: {{ .Values.global.config.userId | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.global.config.groupId | quote }} - name: INTERNAL_PORT_1 value: {{ .Values.service.resourcesPort | quote }} - name: INTERNAL_PORT_2 @@ -167,9 +120,6 @@ spec: - mountPath: /opt/app/aai-resources/resources/etc/appprops/janusgraph-realtime.properties name: {{ include "common.fullname" . }}-config subPath: janusgraph-realtime.properties - - mountPath: /opt/app/aai-resources/resources/etc/appprops/janusgraph-cached.properties - name: {{ include "common.fullname" . }}-config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-resources/resources/etc/appprops/aaiconfig.properties name: {{ include "common.fullname" . }}-config subPath: aaiconfig.properties @@ -190,6 +140,8 @@ spec: - mountPath: /opt/app/aai-resources/resources/application-keycloak.properties name: {{ include "common.fullname" . }}-config subPath: application-keycloak.properties + - mountPath: /tmp + name: tmp ports: - containerPort: {{ .Values.service.resourcesPort }} name: {{ .Values.service.resourcesPortName }} 
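Review bot: Dropping `LOCAL_USER_ID`/`LOCAL_GROUP_ID` means the container no longer tells the image entrypoint which uid/gid to switch to; the pod now relies on the `common.containerSecurityContext` include and the `securityContext.user_id: 1000` values added elsewhere in this change, which is the right direction (no root entrypoint doing a setuid dance) but only works if `onap/aai-resources:1.15.2` ships with `/opt/app/aai-resources` and the log path owned by or writable for uid 1000 and its entrypoint tolerates the variables being unset. A mismatch surfaces as a permission error at startup, not at template time, so please confirm it against the image. The `/tmp` emptyDir mount added further down suggests a read-only root filesystem is intended; if the common template does set `readOnlyRootFilesystem`, every other path the app writes (the logs directory, any work directory the launcher uses) needs a writable volume as well. The container spec continues outside this hunk.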
@@ -220,33 +172,27 @@ spec: {{- if and .Values.liveness.enabled (not (or .Values.config.debug.enabled .Values.config.profiling.enabled)) }} livenessProbe: httpGet: - path: /aai/util/echo?action=checkDB - port: {{ .Values.service.resourcesPort }} - scheme: HTTP - httpHeaders: - - name: X-FromAppId - value: LivenessCheck - - name: X-TransactionId - value: LiveCheck_TID - - name: Accept - value: application/json + port: {{ .Values.service.metricsPort }} + path: {{ .Values.liveness.path }} + {{- if .Values.liveness.initialDelaySeconds }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + {{- end }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{- end }} readinessProbe: httpGet: - path: /aai/util/echo?action=checkDB - port: {{ .Values.service.resourcesPort }} - scheme: HTTP - httpHeaders: - - name: X-FromAppId - value: ReadinessCheck - - name: X-TransactionId - value: ReadinessCheck_TID - - name: Accept - value: application/json + port: {{ .Values.service.metricsPort }} + path: {{ .Values.readiness.path }} + {{- if .Values.readiness.initialDelaySeconds }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + {{- end }} periodSeconds: {{ .Values.readiness.periodSeconds }} + startupProbe: + httpGet: + port: {{ .Values.service.metricsPort }} + path: {{ .Values.startup.path }} + failureThreshold: {{ .Values.startup.failureThreshold }} + periodSeconds: {{ .Values.startup.periodSeconds }} resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} 
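Review bot: Both probes now target the actuator health groups on the management port, but `/actuator/health/liveness` and `/actuator/health/readiness` are only served when Spring Boot's probe groups are active (automatic when it detects Kubernetes, otherwise `management.endpoint.health.probes.enabled=true` is required) and the application.properties hunk in this change sets neither, so a misdetected environment fails every probe with a 404. More importantly, `aai.actuator.echo.enabled` (added in this change, default true) overrides the health check with the graph/DB check; if that override also applies to the liveness group, a Cassandra outage makes kubelet restart every aai-resources pod in a loop instead of just marking it unready — the old `checkDB` echo had the same weakness, so this is a missed opportunity rather than a regression. Consider keeping the DB-backed check for readiness and startup only and pointing liveness at a group that does not touch the database, e.g. `path: /actuator/health/liveness` with the override scoped to the readiness group, and setting `management.endpoint.health.probes.enabled=true` explicitly so the probes do not depend on autodetection.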
@@ -259,7 +205,11 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: diff --git a/kubernetes/aai/components/aai-resources/templates/service.yaml b/kubernetes/aai/components/aai-resources/templates/service.yaml index 308dc052c8..605679ee52 100644 --- a/kubernetes/aai/components/aai-resources/templates/service.yaml +++ b/kubernetes/aai/components/aai-resources/templates/service.yaml @@ -19,12 +19,7 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -54,8 +49,6 @@ spec: name: {{ .Values.service.metricsPortName }} targetPort: {{ .Values.service.metricsPortName }} {{- end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} clusterIP: None sessionAffinity: {{ .Values.service.sessionAffinity }} diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml index 630c88a244..7cba7a425e 100644 --- a/kubernetes/aai/components/aai-resources/values.yaml +++ b/kubernetes/aai/components/aai-resources/values.yaml 
@@ -134,11 +134,10 @@ aai_enpoints: url: external-system # application image -image: onap/aai-resources:1.14.7 +image: onap/aai-resources:1.15.2 pullPolicy: Always restartPolicy: Always flavor: small -flavorOverride: small # default number of instances replicaCount: 1 @@ -178,7 +177,7 @@ config: enabled: true # Documentation: https://docs.janusgraph.org/operations/cache/#database-level-caching dbCacheTime: 180000 # in milliseconds - dbCacheSize: 0.1 # percentage (expressed as a decimal between 0 and 1) of the total heap space available to the JVM running + dbCacheSize: 0.5 # percentage (expressed as a decimal between 0 and 1) of the total heap space available to the JVM running dbCacheCleanWait: 20 # in milliseconds # temporarily enable this to update the graph storage version # see: https://docs.janusgraph.org/changelog/#upgrade-instructions_9 @@ -209,7 +208,6 @@ config: # environment variables added to the launch of the image in deployment env: MIN_HEAP_SIZE: "512m" - MAX_HEAP_SIZE: "2g" MAX_METASPACE_SIZE: "512m" # adds jvm args for remote debugging the application @@ -239,14 +237,23 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 - periodSeconds: 60 enabled: true + path: /actuator/health/liveness + periodSeconds: 10 readiness: - initialDelaySeconds: 60 + path: /actuator/health/readiness periodSeconds: 10 +startup: + path: /actuator/health/liveness + failureThreshold: 60 + periodSeconds: 5 + +actuator: + echo: + enabled: true + service: type: ClusterIP resourcesPortName: http @@ -290,7 +297,7 @@ resources: large: limits: cpu: "8" - memory: "12Gi" + memory: "8Gi" requests: cpu: "4" memory: "6Gi" @@ -311,9 +318,15 @@ endpoints: info: enabled: true +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + metrics: serviceMonitor: - enabled: false + enabled: true targetPort: 8448 path: /actuator/prometheus basicAuth: 
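Review bot: `dbCacheSize` goes from 0.1 to 0.5 of the JVM heap in the same values change that deletes `MAX_HEAP_SIZE: "2g"` from `config.env` and cuts the `large` memory limit from 12Gi to 8Gi, so the absolute cache budget now depends on whatever heap the image launcher chooses when that variable is unset — JVM ergonomics default to 25% of the container limit unless the launcher passes `-XX:MaxRAMPercentage`, which would make the cache either much smaller or much larger than before. Document the intent next to the key, e.g. `dbCacheSize: 0.5 # fraction of the JVM heap; heap is sized by the image from the container memory limit now that MAX_HEAP_SIZE is unset`, and verify the launcher's heap/limit ratio so that heap plus the 512m metaspace stays under the limit, otherwise the OOM-kill shows up only under load. The `flavorOverride` removal is a separate, benign cleanup.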
@@ -341,9 +354,9 @@ metrics: ## selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' ## RelabelConfigs to apply to samples before scraping ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig @@ -373,8 +386,10 @@ serviceAccount: log: path: /var/log/onap level: - root: DEBUG - base: DEBUG # base package (org.onap.aai) + root: INFO + base: INFO # base package (org.onap.aai) + audit: WARN + dbMetric: WARN logConfigMapNamePrefix: '{{ include "common.fullname" . }}' # To make logback capping values configurable @@ -406,3 +421,26 @@ kafkaUser: - name: AAI-EVENT type: topic operations: [Read, Write] + +volumes: + logSizeLimit: 50Mi + tmpSizeLimit: 100Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for_migration: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-migration' + wait_for_createSchema: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema' + wait_for_cassandra: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/aai/components/aai-schema-service/Chart.yaml b/kubernetes/aai/components/aai-schema-service/Chart.yaml index 47064859d5..b10eaa2e43 100644 --- a/kubernetes/aai/components/aai-schema-service/Chart.yaml +++ b/kubernetes/aai/components/aai-schema-service/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP AAI Schema Service name: aai-schema-service -version: 14.0.2 +version: 15.0.1 dependencies: - name: common 
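Review bot: `audit: WARN` under `log.level` in the second hunk will silence audit records if the audit logger emits them at INFO, which is how the EELF audit logger in this commit's sparky-be logback.xml is declared (`com.att.eelf.audit` at `info`); whether aai-resources' own logback.xml applies `log.level.audit` as a threshold on that logger is not visible here, so confirm before shipping and, if it does, keep `audit: INFO` with `# audit trail — keep at INFO or lower, otherwise audit events are dropped`. In the last hunk `readinessCheck.wait_for_cassandra.services` also lists `aai-schema-service`, which the key name does not suggest; a separate `wait_for_schema_service` entry, or a comment above the list, would make the gating explicit.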
diff --git a/kubernetes/aai/components/aai-schema-service/config/localhost-access-logback.xml b/kubernetes/aai/components/aai-schema-service/config/localhost-access-logback.xml index d062835849..36acef2c62 100644 --- a/kubernetes/aai/components/aai-schema-service/config/localhost-access-logback.xml +++ b/kubernetes/aai/components/aai-schema-service/config/localhost-access-logback.xml @@ -9,7 +9,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, @@ -58,4 +58,4 @@ %z - Custom pattern that parses the cert for the subject %y - Custom pattern determines rest or dme2 --> -*/}}
\ No newline at end of file +*/}} diff --git a/kubernetes/aai/components/aai-schema-service/config/logback.xml b/kubernetes/aai/components/aai-schema-service/config/logback.xml index e91e257d14..11837c5bbc 100644 --- a/kubernetes/aai/components/aai-schema-service/config/logback.xml +++ b/kubernetes/aai/components/aai-schema-service/config/logback.xml @@ -10,7 +10,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, @@ -295,7 +295,7 @@ <logger name="com.att.aft.dme2" level="WARN"/> - <root level="DEBUG"> + <root level={{ .Values.log.level.root | upper | quote }}> <appender-ref ref="STDOUT" /> <appender-ref ref="external"/> </root> diff --git a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml index 957387158a..0490f4325a 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml @@ -19,11 +19,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-log namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/logback.xml").AsConfig . | indent 2 }} --- 
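Review bot: `<root level={{ .Values.log.level.root | upper | quote }}>` in the last hunk renders `level=""` whenever `log.level.root` is overridden to an empty value, leaving logback to interpret an empty level at pod start instead of failing at `helm template`; the chart does default the key to INFO in values.yaml, but a `default` in the pipeline keeps a bad override from reconfiguring the root logger: `<root level={{ .Values.log.level.root | default "INFO" | upper | quote }}>`. The enclosing `<configuration>` element starts and ends outside the hunk.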
@@ -32,11 +28,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-localhost-access-log namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/localhost-access-logback.xml").AsConfig . | indent 2 }} --- @@ -45,11 +37,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-aaiconfig namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/aaiconfig.properties").AsConfig . | indent 2 }} --- @@ -58,11 +46,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-springapp namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/application.properties").AsConfig . | indent 2 }} --- @@ -71,10 +55,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-realm namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/realm.properties").AsConfig . | indent 2 }} 
diff --git a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml index d4041bed57..9fadcd7077 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml @@ -19,22 +19,13 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "" "labels" .Values.labels "annotations" .Values.annotations ) | nindent 2 }} spec: + {{- if .Values.debug.enabled }} + replicas: 1 + {{- else }} replicas: {{ .Values.replicaCount }} + {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} strategy: type: {{ .Values.updateStrategy.type }} 
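Review bot: `common.resourceMetadata` is called here with `"labels" .Values.labels "annotations" .Values.annotations`, but the schema-service values.yaml hunks in this commit add `podAnnotations` and no `labels`/`annotations` keys, so both arguments render as nil unless they are defined elsewhere in the file; the sibling sparky-be templates call the same helper with just the dot, `metadata: {{- include "common.resourceMetadata" . | nindent 2 }}`, which avoids the question. If per-release labels and annotations are wanted here, add the two keys to values.yaml as empty maps (`labels: {}` / `annotations: {}`) with a comment saying which objects they decorate.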
@@ -47,29 +38,31 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + - command: ["cp", "-R", "/opt/app/aai-schema-service/.", "/opt/app/aai-schema-service_rw/"] + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: copy-base-folder + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: + limits: + cpu: 100m + memory: 200Mi + requests: + cpu: 3m + memory: 20Mi + volumeMounts: + - mountPath: /opt/app/aai-schema-service_rw + name: aai-schema-service containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} {{- if .Values.profiling.enabled }} - name: PRE_JVM_ARGS value: '{{ join " " .Values.profiling.args }}' 
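Review bot: the Deployment's `selector.matchLabels` keeps `app: {{ include "common.name" . }}` (context at the top of the hunk) while the pod template labels are now produced by `common.templateMetadata`; that is only valid if the helper still emits `app`, otherwise the API server rejects the Deployment for a selector that does not match its template, and the sibling service.yaml in this commit has already moved to `common.matchLabels`. The sparky-be deployment uses `selector: {{- include "common.selectors" . | nindent 4 }}`; the same line here keeps selector and template from drifting. The new `copy-base-folder` init container copies the whole application tree into the `aai-schema-service` emptyDir, so its `aaiSizeLimit` (150Mi in values.yaml) is a hard ceiling — exceeding it evicts the pod — and a comment next to that value naming the directory it must hold would help the next person who bumps the image. The `spec:` block continues past the end of the hunk.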
@@ -79,6 +72,8 @@ spec: value: {{ .Values.debug.args | quote }} {{- end }} volumeMounts: + - mountPath: /opt/app/aai-schema-service + name: aai-schema-service - mountPath: /opt/app/aai-schema-service/resources/etc/appprops/aaiconfig.properties name: aaiconfig-conf subPath: aaiconfig.properties @@ -138,8 +133,12 @@ spec: - name: aai-common-aai-auth-mount secret: secretName: aai-common-aai-auth + - name: aai-schema-service + emptyDir: + sizeLimit: {{ .Values.volumes.aaiSizeLimit }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: log-conf configMap: diff --git a/kubernetes/aai/components/aai-schema-service/templates/service.yaml b/kubernetes/aai/components/aai-schema-service/templates/service.yaml index 412b62c6fe..de0270f592 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/service.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/service.yaml @@ -19,12 +19,7 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -45,6 +40,4 @@ spec: name: {{ .Values.service.debugPortName }} targetPort: {{ .Values.service.debugPortName }} {{- end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml index 12dfaea091..3763db940e 100644 
--- a/kubernetes/aai/components/aai-schema-service/values.yaml
+++ b/kubernetes/aai/components/aai-schema-service/values.yaml
@@ -63,7 +63,7 @@ global: # global defaults image: onap/aai-schema-service:1.12.5 pullPolicy: Always restartPolicy: Always -flavorOverride: small +flavor: small # default number of instances replicaCount: 1
@@ -175,4 +175,13 @@ securityContext: #Log configuration log: path: /var/log/onap + level: + root: INFO logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 50Mi + aaiSizeLimit: 150Mi + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'
diff --git a/kubernetes/aai/components/aai-sparky-be/Chart.yaml b/kubernetes/aai/components/aai-sparky-be/Chart.yaml
index 5f05c6d428..074e266228 100644
--- a/kubernetes/aai/components/aai-sparky-be/Chart.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/Chart.yaml
@@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP AAI sparky-be name: aai-sparky-be -version: 14.0.0 +version: 15.0.1 dependencies: - name: common
@@ -29,3 +29,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-default.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-default.properties index 084f6e46bc..96c19d43d7 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-default.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-default.properties @@ -15,4 +15,4 @@ */}} oxm.apiVersion=v14 -oxm.apiVersionList=v8,v9,v10,v11,v12,v13,v14
\ No newline at end of file +oxm.apiVersionList=v8,v9,v10,v11,v12,v13,v14 diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-override.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-override.properties index 4465fb3e11..6fcdc3d405 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-override.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-override.properties @@ -15,4 +15,4 @@ */}} oxm.apiVersionOverride=v14 -oxm.apiVersionList=v8,v9,v10,v11,v12,v13,v14
\ No newline at end of file +oxm.apiVersionList=v8,v9,v10,v11,v12,v13,v14 diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-sync.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-sync.properties index 4fb10a21f7..e617554eb3 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-sync.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-sync.properties @@ -3,4 +3,4 @@ historicalEntitySyncEnabled=true autoSuggestSyncEnabled=true vnfAliasSyncEnabled=true geoSyncEnabled=true -viewInspectSyncEnabled=true
\ No newline at end of file +viewInspectSyncEnabled=true diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml b/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml index cd5338f5b3..5ceae5c641 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml 
@@ -1,187 +1,187 @@ <configuration scan="true" scanPeriod="3 seconds" debug="false"> - <!--{{/* - # Copyright © 2018 AT&T - # Copyright © 2021 Orange - # - # Licensed under the Apache License, Version 2.0 (the "License"); - # you may not use this file except in compliance with the License. - # You may obtain a copy of the License at - # - # http://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, - # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - # See the License for the specific language governing permissions and - # limitations under the License. - */}}--> - <!--<jmxConfigurator /> --> - <!-- directory path for all other type logs --> - - <property name="logDir" value="/var/log/onap" /> - - <!-- <ECOMP-component-name>::= "MSO" | "DCAE" | "ASDC " | "AAI" |"Policy" - | "SDNC" | "AC" --> - <property name="componentName" value="AAI-UI"></property> - - <!-- default eelf log file names --> - <property name="generalLogName" value="error" /> - <property name="metricsLogName" value="metrics" /> - <property name="auditLogName" value="audit" /> - <property name="debugLogName" value="debug" /> - - <property name="errorLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|AAIUI|%mdc{PartnerName}|%logger|%.-5level|%msg%n" /> - <property name="auditMetricPattern" value="%m%n" /> - - <property name="logDirectory" value="${logDir}/${componentName}" /> - - - <!-- Example evaluator filter applied against console appender --> - <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> - <encoder> - <pattern>${errorLogPattern}</pattern> - </encoder> - </appender> - - <!-- ============================================================================ --> - <!-- EELF Appenders --> - <!-- ============================================================================ --> - - <!-- The EELFAppender is 
used to record events to the general application - log --> - - <appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender"> - <file>${logDirectory}/${generalLogName}.log</file> - <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> - <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip +<!--{{/* + # Copyright © 2018 AT&T + # Copyright © 2021 Orange + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + */}}--> +<!--<jmxConfigurator /> --> +<!-- directory path for all other type logs --> + +<property name="logDir" value="/var/log/onap" /> + +<!-- <ECOMP-component-name>::= "MSO" | "DCAE" | "ASDC " | "AAI" |"Policy" + | "SDNC" | "AC" --> +<property name="componentName" value="AAI-UI"></property> + +<!-- default eelf log file names --> +<property name="generalLogName" value="error" /> +<property name="metricsLogName" value="metrics" /> +<property name="auditLogName" value="audit" /> +<property name="debugLogName" value="debug" /> + +<property name="errorLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|AAIUI|%mdc{PartnerName}|%logger|%.-5level|%msg%n" /> +<property name="auditMetricPattern" value="%m%n" /> + +<property name="logDirectory" value="${logDir}/${componentName}" /> + + +<!-- Example evaluator filter applied against console appender --> +<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> + <encoder> + <pattern>${errorLogPattern}</pattern> + </encoder> 
+</appender> + +<!-- ============================================================================ --> +<!-- EELF Appenders --> +<!-- ============================================================================ --> + +<!-- The EELFAppender is used to record events to the general application + log --> + +<appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${generalLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip </fileNamePattern> - <maxHistory>60</maxHistory> - </rollingPolicy> - <encoder> - <pattern>${errorLogPattern}</pattern> - </encoder> - </appender> - <appender name="asyncEELF" class="ch.qos.logback.classic.AsyncAppender"> - <!-- deny all events with a level below INFO, that is TRACE and DEBUG --> - <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> - <level>INFO</level> - </filter> - <queueSize>256</queueSize> - <appender-ref ref="EELF" /> - </appender> - - - <!-- EELF Audit Appender. This appender is used to record audit engine related - logging events. The audit logger and appender are specializations of the - EELF application root logger and appender. This can be used to segregate - Policy engine events from other components, or it can be eliminated to record - these events as part of the application root log. 
--> - - <appender name="EELFAudit" class="ch.qos.logback.core.rolling.RollingFileAppender"> - <file>${logDirectory}/${auditLogName}.log</file> - <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> - <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip + <maxHistory>60</maxHistory> + </rollingPolicy> + <encoder> + <pattern>${errorLogPattern}</pattern> + </encoder> +</appender> +<appender name="asyncEELF" class="ch.qos.logback.classic.AsyncAppender"> + <!-- deny all events with a level below INFO, that is TRACE and DEBUG --> + <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> + <level>INFO</level> + </filter> + <queueSize>256</queueSize> + <appender-ref ref="EELF" /> +</appender> + + +<!-- EELF Audit Appender. This appender is used to record audit engine related + logging events. The audit logger and appender are specializations of the + EELF application root logger and appender. This can be used to segregate + Policy engine events from other components, or it can be eliminated to record + these events as part of the application root log. 
--> + +<appender name="EELFAudit" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${auditLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip </fileNamePattern> - <maxHistory>60</maxHistory> - </rollingPolicy> - <encoder> - <pattern>${auditMetricPattern}</pattern> - </encoder> - </appender> - <appender name="asyncEELFAudit" class="ch.qos.logback.classic.AsyncAppender"> - <queueSize>256</queueSize> - <appender-ref ref="EELFAudit" /> - </appender> - - <appender name="EELFMetrics" class="ch.qos.logback.core.rolling.RollingFileAppender"> - <file>${logDirectory}/${metricsLogName}.log</file> - <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> - <fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip + <maxHistory>60</maxHistory> + </rollingPolicy> + <encoder> + <pattern>${auditMetricPattern}</pattern> + </encoder> +</appender> +<appender name="asyncEELFAudit" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFAudit" /> +</appender> + +<appender name="EELFMetrics" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${metricsLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip </fileNamePattern> - <maxHistory>60</maxHistory> - </rollingPolicy> - <encoder> - <!-- <pattern>"%d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n"</pattern> --> - <pattern>${auditMetricPattern}</pattern> - </encoder> - </appender> - - - <appender name="asyncEELFMetrics" class="ch.qos.logback.classic.AsyncAppender"> - <queueSize>256</queueSize> - <appender-ref ref="EELFMetrics" /> - </appender> - - <appender name="EELFDebug" class="ch.qos.logback.core.rolling.RollingFileAppender"> - 
<file>${logDirectory}/${debugLogName}.log</file> - <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> - <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip + <maxHistory>60</maxHistory> + </rollingPolicy> + <encoder> + <!-- <pattern>"%d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n"</pattern> --> + <pattern>${auditMetricPattern}</pattern> + </encoder> +</appender> + + +<appender name="asyncEELFMetrics" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFMetrics" /> +</appender> + +<appender name="EELFDebug" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${debugLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip </fileNamePattern> - <maxHistory>60</maxHistory> - </rollingPolicy> - <encoder> - <pattern>${errorLogPattern}</pattern> - </encoder> - </appender> - - <appender name="asyncEELFDebug" class="ch.qos.logback.classic.AsyncAppender"> - <queueSize>256</queueSize> - <appender-ref ref="EELFDebug" /> - <includeCallerData>false</includeCallerData> - </appender> - - <!-- ============================================================================ --> - <!-- EELF loggers --> - <!-- ============================================================================ --> - <logger name="com.att.eelf" level="info" additivity="false"> - <appender-ref ref="asyncEELF" /> - <appender-ref ref="asyncEELFDebug" /> - <appender-ref ref="STDOUT" /> - </logger> - - <logger name="com.att.eelf.audit" level="info" additivity="false"> - <appender-ref ref="asyncEELFAudit" /> - </logger> - <logger name="com.att.eelf.metrics" level="info" additivity="false"> - <appender-ref ref="asyncEELFMetrics" /> - </logger> - - <!-- Spring related loggers --> - <logger name="org.springframework" level="WARN" /> - <logger name="org.springframework.beans" 
level="WARN" /> - <logger name="org.springframework.web" level="WARN" /> - <logger name="com.blog.spring.jms" level="WARN" /> - - <!-- Sparky loggers --> - <logger name="org.onap" level="INFO"> - <appender-ref ref="STDOUT" /> - </logger> - - <!-- Other Loggers that may help troubleshoot --> - <logger name="net.sf" level="WARN" /> - <logger name="org.apache.commons.httpclient" level="WARN" /> - <logger name="org.apache.commons" level="WARN" /> - <logger name="org.apache.coyote" level="WARN" /> - <logger name="org.apache.jasper" level="WARN" /> - - <!-- Camel Related Loggers (including restlet/servlet/jaxrs/cxf logging. - May aid in troubleshooting) --> - <logger name="org.apache.camel" level="WARN" /> - <logger name="org.apache.cxf" level="WARN" /> - <logger name="org.apache.camel.processor.interceptor" level="WARN" /> - <logger name="org.apache.cxf.jaxrs.interceptor" level="WARN" /> - <logger name="org.apache.cxf.service" level="WARN" /> - <logger name="org.restlet" level="WARN" /> - <logger name="org.apache.camel.component.restlet" level="WARN" /> - - <!-- logback internals logging --> - <logger name="ch.qos.logback.classic" level="WARN" /> - <logger name="ch.qos.logback.core" level="WARN" /> - - <root> - <appender-ref ref="asyncEELF" /> - <appender-ref ref="STDOUT" /> - <!-- <appender-ref ref="asyncEELFDebug" /> --> - </root> - -</configuration>
\ No newline at end of file + <maxHistory>60</maxHistory> + </rollingPolicy> + <encoder> + <pattern>${errorLogPattern}</pattern> + </encoder> +</appender> + +<appender name="asyncEELFDebug" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFDebug" /> + <includeCallerData>false</includeCallerData> +</appender> + +<!-- ============================================================================ --> +<!-- EELF loggers --> +<!-- ============================================================================ --> +<logger name="com.att.eelf" level="info" additivity="false"> + <appender-ref ref="asyncEELF" /> + <appender-ref ref="asyncEELFDebug" /> + <appender-ref ref="STDOUT" /> +</logger> + +<logger name="com.att.eelf.audit" level="info" additivity="false"> + <appender-ref ref="asyncEELFAudit" /> +</logger> +<logger name="com.att.eelf.metrics" level="info" additivity="false"> + <appender-ref ref="asyncEELFMetrics" /> +</logger> + +<!-- Spring related loggers --> +<logger name="org.springframework" level="WARN" /> +<logger name="org.springframework.beans" level="WARN" /> +<logger name="org.springframework.web" level="WARN" /> +<logger name="com.blog.spring.jms" level="WARN" /> + +<!-- Sparky loggers --> +<logger name="org.onap" level="INFO"> + <appender-ref ref="STDOUT" /> +</logger> + +<!-- Other Loggers that may help troubleshoot --> +<logger name="net.sf" level="WARN" /> +<logger name="org.apache.commons.httpclient" level="WARN" /> +<logger name="org.apache.commons" level="WARN" /> +<logger name="org.apache.coyote" level="WARN" /> +<logger name="org.apache.jasper" level="WARN" /> + +<!-- Camel Related Loggers (including restlet/servlet/jaxrs/cxf logging. 
+ May aid in troubleshooting) --> +<logger name="org.apache.camel" level="WARN" /> +<logger name="org.apache.cxf" level="WARN" /> +<logger name="org.apache.camel.processor.interceptor" level="WARN" /> +<logger name="org.apache.cxf.jaxrs.interceptor" level="WARN" /> +<logger name="org.apache.cxf.service" level="WARN" /> +<logger name="org.restlet" level="WARN" /> +<logger name="org.apache.camel.component.restlet" level="WARN" /> + +<!-- logback internals logging --> +<logger name="ch.qos.logback.classic" level="WARN" /> +<logger name="ch.qos.logback.core" level="WARN" /> + +<root> + <appender-ref ref="asyncEELF" /> + <appender-ref ref="STDOUT" /> + <!-- <appender-ref ref="asyncEELFDebug" /> --> +</root> + +</configuration> diff --git a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml index 7c958fa410..407850eb7f 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml @@ -17,13 +17,6 @@ --- apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/application/*").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml index 3c0b4b9d92..ede5b60676 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml 
@@ -22,7 +22,11 @@ kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} + {{- if .Values.debug.enabled }} + replicas: 1 + {{- else }} replicas: {{ .Values.replicaCount }} + {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} strategy: type: {{ .Values.updateStrategy.type }} @@ -34,32 +38,14 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --service-name - - aai - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" . | nindent 8 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} command: - sh args: @@ -154,9 +140,11 @@ spec: configMap: name: {{ include "common.fullname" . }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: modeldir - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.modeldirSizeLimit }} restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml index e017032b03..9cbe9e5fd2 100644 --- a/kubernetes/aai/components/aai-sparky-be/values.yaml +++ b/kubernetes/aai/components/aai-sparky-be/values.yaml @@ -33,7 +33,6 @@ image: onap/sparky-be:2.0.5 pullPolicy: Always restartPolicy: Always flavor: small -flavorOverride: small dockerhubRepository: registry.hub.docker.com ubuntuInitImage: oomk8s/ubuntu-init:2.0.0 # application configuration @@ -129,23 +128,24 @@ serviceMesh: podAnnotations: sidecar.istio.io/rewriteAppHTTPProbers: "false" + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' # Configure resource requests and limits # ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: small: limits: - cpu: "0.5" + cpu: "500m" memory: "4Gi" requests: - cpu: "0.25" + cpu: "250m" memory: "1Gi" large: limits: cpu: "1" memory: "8Gi" requests: - cpu: "0.5" + cpu: "500m" memory: "2Gi" unlimited: {} @@ -159,3 +159,16 @@ serviceAccount: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 64Mi + modeldirSizeLimit: 64Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for: + services: + - aai diff --git a/kubernetes/aai/components/aai-traversal/Chart.yaml b/kubernetes/aai/components/aai-traversal/Chart.yaml index 3b2d8b819e..f4e458f0fb 100644 --- a/kubernetes/aai/components/aai-traversal/Chart.yaml +++ b/kubernetes/aai/components/aai-traversal/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP AAI traversal name: aai-traversal -version: 14.0.2 +version: 15.0.1 dependencies: - name: common @@ -29,3 +29,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' 
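Review bot: The new `volumes.logSizeLimit: 64Mi` in the last hunk becomes the `sizeLimit` of the logs emptyDir in deployment.yaml, and an emptyDir that exceeds its sizeLimit gets the pod evicted by kubelet rather than just failing writes; the logback configuration earlier in this diff keeps up to `<maxHistory>60</maxHistory>` rolled files, so whether 60 generations fit in 64Mi depends on the rolling policy's size cap, which is worth confirming before this default ships. A short comment on the value, `# exceeding this limit evicts the pod; keep in step with the logback rolling policy`, would make the trade-off visible to whoever tunes it. The `securityContext.user_id`/`group_id` block is consistent with what `common.podSecurityContext` consumes in the sibling charts.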
diff --git a/kubernetes/aai/components/aai-traversal/resources/config/application.properties b/kubernetes/aai/components/aai-traversal/resources/config/application.properties index da2703dd41..fff5d5d3d0 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/application.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/application.properties @@ -1,7 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2020 Orange -# Modifications Copyright © 2023 Nordix Foundation +# Modifications Copyright � 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
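Review bot: The new copyright line in this hunk replaces `©` with the replacement character `�`, so the change corrupts the header instead of editing it — most likely the file was saved in a non-UTF-8 encoding. The line should read `# Modifications Copyright © 2023 Nordix Foundation`, matching the two copyright lines directly above it. If the whole file was re-encoded, every other non-ASCII character in it deserves the same check before merge.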
@@ -26,11 +26,21 @@ spring.application.name=aai-traversal spring.jersey.type=filter spring.main.allow-bean-definition-overriding=true -server.servlet.context-path=/ +server.servlet.context-path=${schema.uri.base.path} spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration spring.profiles.active={{ .Values.global.config.profiles.active }} -spring.jersey.application-path=${schema.uri.base.path} +spring.jersey.application-path=/ + +spring.zipkin.baseUrl={{ .Values.tracing.collector.baseUrl }} +spring.sleuth.messaging.jms.enabled = false +spring.sleuth.trace-id128=true +spring.sleuth.sampler.probability={{ .Values.tracing.sampling.probability }} +spring.sleuth.propagation.type=w3c, b3 +spring.sleuth.supports-join=false +spring.sleuth.web.skip-pattern={{ join "," .Values.tracing.ignorePatterns }} + + #The max number of active threads in this pool server.tomcat.max-threads=200 #The minimum number of threads always kept alive @@ -49,7 +59,6 @@ server.ssl.enabled=false # JMS bind address host port jms.bind.address=tcp://localhost:61647 - # dmaap is deprecated now kafka is used spring.kafka.producer.bootstrap-servers=${BOOTSTRAP_SERVERS} spring.kafka.producer.properties.security.protocol=SASL_PLAINTEXT 
@@ -101,7 +110,8 @@ schema.service.client=no-auth #to expose the Prometheus scraping endpoint management.server.port=8448 management.endpoints.enabled-by-default=true -management.endpoints.web.exposure.include=info,health,prometheus +management.endpoints.web.exposure.include=* +management.security.enabled=false endpoints.enabled={{ .Values.endpoints.enabled }} endpoints.info.enabled={{ .Values.endpoints.info.enabled }} endpoints.prometheus.enabled={{ .Values.metrics.serviceMonitor.enabled }} @@ -113,3 +123,9 @@ management.metrics.distribution.sla[http.server.requests]=20ms, 30ms, 40ms, 50ms management.metrics.tags.group_id=aai #It is not advisable to use labels to store dimensions with high cardinality. Enable this option only for debug purposes. For more information: https://github.com/micrometer-metrics/micrometer/issues/1584 scrape.uri.metrics=false + +# If true, the actuator health check will be overriden +# to use the AaiGraphChecker check instead. +# This does the same as the /echo endpoint, +# but doesn't show up in micrometer metrics +aai.actuator.echo.enabled={{ .Values.actuator.echo.enabled }} diff --git a/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-cached.properties b/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-cached.properties deleted file mode 100644 index b6fdd4c58f..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-cached.properties +++ /dev/null 
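Review bot: `management.endpoints.web.exposure.include=*` together with `management.security.enabled=false` exposes every actuator endpoint (env, configprops, heapdump, threaddump, loggers, mappings) on management port 8448 without authentication, where the replaced line limited exposure to `info,health,prometheus`. The `env` and `configprops` endpoints return the resolved Spring properties, so any credential the container receives through properties or environment becomes readable by anything that can reach port 8448 inside the cluster. Keep the allow-list and add only what the new probes and the `aai.actuator.echo.enabled` check require, e.g. `management.endpoints.web.exposure.include=info,health,prometheus`. `management.security.enabled` is a Spring Boot 1.x property and is ignored on Boot 2+, so if it was added to make something work, the effect presumably came from the wildcard alone. In the second hunk, the comment's `overriden` should be `overridden`.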
@@ -1,102 +0,0 @@ -{{/* -# -# ============LICENSE_START======================================================= -# org.onap.aai -# ================================================================================ -# Copyright © 2017 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. 
-# -*/}} - -query.fast-property=true -query.smart-limit=false - -{{ if .Values.global.config.cluster.cassandra.dynamic }} - -storage.backend=cql -storage.hostname={{.Values.global.cassandra.serviceName}} -storage.cql.keyspace=aaigraph -storage.username={{.Values.global.cassandra.username}} -storage.password={{.Values.global.cassandra.password}} - -storage.cql.read-consistency-level=LOCAL_QUORUM -storage.cql.write-consistency-level=LOCAL_QUORUM -storage.cql.replication-factor={{.Values.global.cassandra.replicas}} -storage.cql.only-use-local-consistency-for-system-operations=true - -{{ else }} - -{{ if .Values.global.config.storage }} - -storage.backend={{ .Values.global.config.storage.backend }} - -{{ if eq .Values.global.config.storage.backend "cassandra" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cassandra.keyspace={{ .Values.global.config.storage.name }} - -storage.cassandra.read-consistency-level={{ .Values.global.config.storage.cassandra.readConsistency }} -storage.cassandra.write-consistency-level={{ .Values.global.config.storage.cassandra.writeConsistency }} -storage.cassandra.replication-factor={{ .Values.global.config.storage.cassandra.replicationFactor | int }} -storage.cassandra.astyanax.cluster-name= {{ .Values.global.config.storage.clusterName }} -storage.cassandra.astyanax.local-datacenter= {{ .Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ else if eq .Values.global.config.storage.backend "cql" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cql.keyspace={{ .Values.global.config.storage.name }} - -storage.cql.read-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} -storage.cql.write-consistency-level={{ 
.Values.global.config.storage.cql.readConsistency }} -storage.cql.replication-factor={{ .Values.global.config.storage.cql.replicationFactor | int }} - -storage.cql.only-use-local-consistency-for-system-operations={{ .Values.global.config.storage.cql.localConsistencyForSysOps }} -storage.cql.cluster-name={{ .Values.global.config.storage.clusterName }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ else if eq .Values.global.config.storage.backend "hbase" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.hbase.table={{ .Values.global.config.storage.name }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ end }} - -{{ end }} - -{{ end }} - -storage.lock.wait-time=300 -#caching on -cache.db-cache = true -cache.db-cache-clean-wait = 20 -cache.db-cache-time = 180000 -cache.db-cache-size = 0.3 - -#load graphson file on startup -load.snapshot.file=false diff --git a/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties b/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties index 36940a8921..47095adf93 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties 
@@ -20,7 +20,7 @@ query.fast-property=true query.smart-limit=false -{{ if .Values.global.config.cluster.cassandra.dynamic }} +{{- if .Values.global.config.cluster.cassandra.dynamic }} storage.backend=cql storage.hostname={{.Values.global.cassandra.serviceName}} @@ -34,21 +34,21 @@ storage.cql.write-consistency-level=LOCAL_QUORUM storage.cql.replication-factor={{.Values.global.cassandra.replicas}} storage.cql.only-use-local-consistency-for-system-operations=true -{{ if .Values.global.cassandra.partitionerName }} +{{- if .Values.global.cassandra.partitionerName }} storage.cql.partitioner-name={{ .Values.global.cassandra.partitionerName }} -{{ end }} +{{- end }} -{{ else }} +{{- else -}} -{{ if .Values.global.config.storage }} +{{- if .Values.global.config.storage }} storage.backend={{ .Values.global.config.storage.backend }} -{{ if eq .Values.global.config.storage.backend "cql" }} +{{- if eq .Values.global.config.storage.backend "cql" }} storage.hostname={{ .Values.global.config.storage.hostname }} storage.cql.keyspace={{ .Values.global.config.storage.name }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.cql.read-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} storage.cql.write-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} 
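Review bot: The last context line of this hunk, `storage.cql.write-consistency-level={{ .Values.global.config.storage.cql.readConsistency }}`, feeds the read-consistency value into the write-consistency setting; the commit edits the `storage.cql.local-datacenter` line just above it but leaves this one as is. If the values file defines a `cql.writeConsistency`, that is presumably what was meant; if the two are intentionally identical, a one-line comment saying so would stop the next reader from "fixing" it. The same line appeared in the now-deleted janusgraph-cached.properties, so this is pre-existing rather than introduced here.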
@@ -56,13 +56,13 @@ storage.cql.replication-factor={{ .Values.global.config.storage.cql.replicationF storage.cql.only-use-local-consistency-for-system-operations={{ .Values.global.config.storage.cql.localConsistencyForSysOps }} storage.cql.cluster-name={{ .Values.global.config.storage.clusterName }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} -{{ else if eq .Values.global.config.storage.backend "hbase" }} +{{- else if eq .Values.global.config.storage.backend "hbase" -}} storage.hostname={{ .Values.global.config.storage.hostname }} storage.hbase.table={{ .Values.global.config.storage.name }} @@ -71,11 +71,9 @@ storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} -{{ end }} - -{{ end }} - -{{ end }} +{{- end }} +{{- end }} +{{- end }} storage.lock.wait-time=300 
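Review bot: `{{- else if eq .Values.global.config.storage.backend "hbase" -}}` trims whitespace on both sides, and the `{{- if eq ... "cql" }}` in the previous hunk already trims the newlines after `storage.backend={{ ... }}`, so for the hbase backend the rendered file has `storage.backend=hbase` and `storage.hostname=...` glued onto one line. The `{{- else -}}` earlier is harmless because what follows it is another action, but here the branch body is plain text. Dropping the trailing dash, `{{- else if eq .Values.global.config.storage.backend "hbase" }}`, keeps the blank line between the two properties. A `helm template` render with `backend: hbase` would confirm it, since hbase is not the default path and the breakage would otherwise only show up at runtime.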
@@ -83,16 +81,16 @@ storage.lock.wait-time=300 # Setting db-cache to false will ensure the fastest propagation of changes across servers # Setting db-cache to true will ensure fastest response times cache.db-cache={{ .Values.config.janusgraph.caching.enabled }} -{{ if .Values.config.janusgraph.caching.enabled }} +{{- if .Values.config.janusgraph.caching.enabled }} # cache-time in milliseconds cache.db-cache-time={{ .Values.config.janusgraph.caching.dbCacheTime }} cache.db-cache-size={{ .Values.config.janusgraph.caching.dbCacheSize }} cache.db-cache-clean-wait={{ .Values.config.janusgraph.caching.dbCacheCleanWait }} -{{ end }} +{{- end }} #load graphson file on startup load.snapshot.file=false -{{ if .Values.config.janusgraph.allowUpgrade }} +{{- if .Values.config.janusgraph.allowUpgrade }} graph.allow-upgrade=true -{{ end }} +{{- end }} diff --git a/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml b/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml index 5e3a15c66a..1e3756adc9 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml +++ b/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml @@ -1,23 +1,23 @@ {{/*<!--
- ============LICENSE_START=======================================================
- org.onap.aai
- ================================================================================
- Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- Modifications Copyright © 2018 Amdocs, Bell Canada
- Modifications Copyright © 2020 Orange
- ================================================================================
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+ ============LICENSE_START=======================================================
+ org.onap.aai
+ ================================================================================
+ Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ Modifications Copyright © 2018 Amdocs, Bell Canada
+ Modifications Copyright © 2020 Orange
+ ================================================================================
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
+ http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- ============LICENSE_END=========================================================
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ ============LICENSE_END=========================================================
-->
*/}}
<configuration scan="true" scanPeriod="60 seconds" debug="false">
@@ -94,4 +94,4 @@ %z - Custom pattern that parses the cert for the subject
%y - Custom pattern determines rest or dme2
--->*/}}
\ No newline at end of file +-->*/}}
diff --git a/kubernetes/aai/components/aai-traversal/resources/config/logback.xml b/kubernetes/aai/components/aai-traversal/resources/config/logback.xml index 21f48f7c93..faae0ee518 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/logback.xml +++ b/kubernetes/aai/components/aai-traversal/resources/config/logback.xml 
@@ -1,23 +1,23 @@ {{/*<!-- - ============LICENSE_START======================================================= - org.onap.aai - ================================================================================ - Copyright © 2017 AT&T Intellectual Property. All rights reserved. - Modifications Copyright © 2018 Amdocs, Bell Canada - Modifications Copyright © 2020 Orange - ================================================================================ - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at + ============LICENSE_START======================================================= + org.onap.aai + ================================================================================ + Copyright © 2017 AT&T Intellectual Property. All rights reserved. + Modifications Copyright © 2018 Amdocs, Bell Canada + Modifications Copyright © 2020 Orange + ================================================================================ + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - ============LICENSE_END========================================================= + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+ See the License for the specific language governing permissions and + limitations under the License. + ============LICENSE_END========================================================= --> */}} <configuration scan="true" scanPeriod="60 seconds" debug="false"> @@ -432,4 +432,4 @@ </if> <appender-ref ref="STDOUT" /> </root> -</configuration>
\ No newline at end of file +</configuration> diff --git a/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml b/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml index 7c6a252315..966e5663f2 100644 --- a/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml +++ b/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml @@ -17,7 +17,7 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: name: {{ include "common.release" . }}-{{ .Values.global.aaiTravKafkaUser }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: diff --git a/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml b/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml new file mode 100644 index 0000000000..a14a9b5bda --- /dev/null +++ b/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml @@ -0,0 +1,29 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
diff --git a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml index e3d7299c3a..e9415df278 100644 --- a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml @@ -18,19 +18,11 @@ apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/janusgraph-realtime.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/janusgraph-cached.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/aaiconfig.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml index d8977520a5..d12fc6b702 100644 --- a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml 
@@ -20,22 +20,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + {{- if or .Values.config.debug.enabled .Values.config.profiling.enabled }} + replicas: 1 + {{- else }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} minReadySeconds: {{ .Values.minReadySeconds }} strategy: @@ -47,19 +40,7 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} {{- if .Values.global.msbEnabled }} {{ $values := .Values }} msb.onap.org/service-info: '[ 
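Review bot: When `config.debug.enabled` or `config.profiling.enabled` is set the first hunk pins `replicas: 1`, but the HorizontalPodAutoscaler in the new autoscaling.yaml is rendered whenever `autoscaling.enabled` is true and will scale the Deployment back up to `minReplicas`, undoing the single-replica debug mode. Either gate the HPA on the same condition, `{{- if and .Values.autoscaling.enabled (not (or .Values.config.debug.enabled .Values.config.profiling.enabled)) }}`, or document in values.yaml that autoscaling must be disabled while debugging. The nested `{{- if not .Values.autoscaling.enabled }}` around `replicas` is otherwise the right shape, since an explicit replica count would fight the HPA on every upgrade.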
@@ -113,43 +94,19 @@ spec: hostname: aai-traversal terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} initContainers: - - command: - - /app/ready.py - args: {{- if .Values.global.jobs.migration.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-migration - {{- else }} - {{- if .Values.global.jobs.createSchema.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-create-db-schema - {{- else }} - - --service-name - - {{ .Values.global.cassandra.serviceName }} - - --service-name - - aai-schema-service - {{- end }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_migration) | nindent 8 }} + {{- else if .Values.global.jobs.createSchema.enabled }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_createSchema) | nindent 8 }} + {{- else }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_cassandra) | nindent 8 }} {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: {{- if .Values.config.env }} {{- range $key,$value := .Values.config.env }} 
@@ -157,6 +114,13 @@ spec: value: {{ $value | quote}} {{- end }} {{- end }} + {{- if eq .Values.flavor "small" }} + - name: MAX_HEAP_SIZE + value: {{ .Values.small.maxHeapSize | quote }} + {{- else if eq .Values.flavor "large" }} + - name: MAX_HEAP_SIZE + value: {{ .Values.large.maxHeapSize | quote }} + {{- end }} {{- if .Values.config.profiling.enabled }} - name: PRE_JVM_ARGS value: '{{ join " " .Values.config.profiling.args }}' @@ -167,10 +131,6 @@ spec: {{- end }} - name: DISABLE_UPDATE_QUERY value: {{ .Values.config.disableUpdateQuery | quote }} - - name: LOCAL_USER_ID - value: {{ .Values.global.config.userId | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.global.config.groupId | quote }} - name: INTERNAL_PORT_1 value: {{ .Values.service.traversalPort | quote }} - name: INTERNAL_PORT_2 @@ -188,9 +148,6 @@ spec: - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-realtime.properties name: {{ include "common.fullname" . }}-config subPath: janusgraph-realtime.properties - - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-cached.properties - name: {{ include "common.fullname" . }}-config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-traversal/resources/etc/appprops/aaiconfig.properties name: {{ include "common.fullname" . }}-config subPath: aaiconfig.properties @@ -213,6 +170,8 @@ spec: - mountPath: /opt/app/aai-traversal/resources/application-keycloak.properties name: {{ include "common.fullname" . }}-config subPath: application-keycloak.properties + - mountPath: /tmp + name: tmp ports: - containerPort: {{ .Values.service.traversalPort }} name: {{ .Values.service.traversalPortName }} 
@@ -243,41 +202,27 @@ spec: {{- if and .Values.liveness.enabled (not (or .Values.config.debug.enabled .Values.config.profiling.enabled)) }} livenessProbe: httpGet: - path: /aai/util/echo?action=checkDB - port: {{ .Values.service.traversalPort }} - scheme: HTTP - httpHeaders: - - name: X-FromAppId - value: LivenessCheck - - name: X-TransactionId - value: LiveCheck_TID - - name: Accept - value: application/json + port: {{ .Values.service.metricsPort }} + path: {{ .Values.liveness.path }} + {{- if .Values.liveness.initialDelaySeconds }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + {{- end }} periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} + {{- end }} readinessProbe: httpGet: - path: /aai/util/echo?action=checkDB - port: {{ .Values.service.traversalPort }} - scheme: HTTP - httpHeaders: - - name: X-FromAppId - value: ReadinessCheck - - name: X-TransactionId - value: ReadinessCheck_TID - - name: Accept - value: application/json + port: {{ .Values.service.metricsPort }} + path: {{ .Values.readiness.path }} + {{- if .Values.readiness.initialDelaySeconds }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + {{- end }} periodSeconds: {{ .Values.readiness.periodSeconds }} resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} + nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} {{- end }} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} + affinity: {{ toYaml .Values.affinity | indent 8 }} {{- end }} # side car containers 
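Review bot: `nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }}` puts the first key of the rendered map on the same line as `nodeSelector:` (Sprig's `indent` pads the first line too), which yields `nodeSelector:         key: value` and is rejected by the YAML parser; the `affinity:` line a few lines further down has the same problem. The removed two-line form was correct; the one-line form needs `nindent`: `nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}` and `affinity: {{ toYaml .Values.affinity | nindent 8 }}`. Both sit behind `{{- if }}` guards, so the failure only appears in deployments that actually set a selector or affinity, which is why a default `helm template` run would not catch it.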
@@ -285,9 +230,14 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} - name: {{ include "common.fullname" . }}-logs-misc - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logmiscSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: diff --git a/kubernetes/aai/components/aai-traversal/templates/job.yaml b/kubernetes/aai/components/aai-traversal/templates/job.yaml index 3977f827d6..3ea973fb99 100644 --- a/kubernetes/aai/components/aai-traversal/templates/job.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/job.yaml @@ -24,11 +24,7 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-update-query-data namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{ if .Values.global.jobs.migration.enabled }} annotations: "helm.sh/hook": post-upgrade,post-rollback,post-install 
@@ -38,33 +34,12 @@ metadata:
 spec:
 template:
 metadata:
- labels:
- app: {{ include "common.name" . }}-job
- release: {{ include "common.release" . }}
+ labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }}
 name: {{ include "common.name" . }}
 spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
 initContainers:
- - name: {{ include "common.name" . }}-readiness
- image: {{ include "repositoryGenerator.image.readiness" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command:
- - /app/ready.py
- args:
- - --service-name
- - aai
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- resources:
- limits:
- cpu: "100m"
- memory: "500Mi"
- requests:
- cpu: "3m"
- memory: "20Mi"
+ {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_service) | nindent 6 }}
 - name: {{ include "common.name" . }}-wait-for-aai-haproxy
 image: {{ include "repositoryGenerator.image.readiness" . }}
 imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
@@ -72,6 +47,8 @@ spec:
 - sh
 - "-c"
 - |
+ set -x;
+
 until nc -w10 -z -v aai.{{.Release.Namespace}} 80; do
 echo "Retrying to reach aai on port 80";
 sleep 1;
@@ -83,6 +60,16 @@ spec:
 requests:
 cpu: "3m"
 memory: "20Mi"
+ securityContext:
+ runAsUser: 100
+ runAsGroup: 65533
+ readOnlyRootFilesystem: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
 containers:
 - name: {{ include "common.name" . }}-job
 image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
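Review bot: The `securityContext` added to the `-wait-for-aai-haproxy` init container hard-codes `runAsUser: 100` / `runAsGroup: 65533`, while the job container in the next hunk and the new readiness init container take theirs from `common.containerSecurityContext` / `common.readinessCheck.waitFor`, so this chart now has two sources of truth for which uid the job pods run as (this commit's values.yaml adds `securityContext.user_id: 1000`, presumably consumed by the include). `- CAP_NET_RAW` is also redundant after `- ALL`. Unless the readiness image genuinely needs a distinct uid, replacing the block with `{{ include "common.containerSecurityContext" . | indent 8 | trim }}` keeps the policy in one place; if it does need one, a one-line comment saying why would stop the next reader from "fixing" it. The init container's definition begins in the earlier `@@ -38,33 +34,12 @@` hunk.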
@@ -99,20 +86,12 @@ spec: sh -x /opt/app/aai-traversal/bin/install/updateQueryData.sh ; {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} - - env: - - name: LOCAL_USER_ID - value: {{ .Values.global.config.userId | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.global.config.groupId | quote }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-realtime.properties name: {{ include "common.fullname" . }}-config subPath: janusgraph-realtime.properties - - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-cached.properties - name: {{ include "common.fullname" . }}-config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-traversal/resources/etc/appprops/aaiconfig.properties name: {{ include "common.fullname" . }}-config subPath: aaiconfig.properties @@ -134,9 +113,11 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} - name: {{ include "common.fullname" . }}-logs-misc - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logmiscSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: diff --git a/kubernetes/aai/components/aai-traversal/templates/service.yaml b/kubernetes/aai/components/aai-traversal/templates/service.yaml index 49ed56306a..60e8efc2ad 100644 --- a/kubernetes/aai/components/aai-traversal/templates/service.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/service.yaml 
@@ -19,12 +19,7 @@ kind: Service
 metadata:
 name: {{ include "common.servicename" . }}
 namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- app.kubernetes.io/name: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+ labels: {{- include "common.labels" . | nindent 4 }}
 spec:
 type: {{ .Values.service.type }}
 ports:
@@ -54,8 +49,6 @@ spec:
 name: {{ .Values.service.metricsPortName }}
 targetPort: {{ .Values.service.metricsPortName }}
 {{- end }}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
+ selector: {{- include "common.matchLabels" . | nindent 4 }}
 clusterIP: None
 sessionAffinity: {{ .Values.service.sessionAffinity }}
diff --git a/kubernetes/aai/components/aai-traversal/templates/servicemonitor.yaml b/kubernetes/aai/components/aai-traversal/templates/servicemonitor.yaml
index c0d9f212b4..dc706029bf 100644
--- a/kubernetes/aai/components/aai-traversal/templates/servicemonitor.yaml
+++ b/kubernetes/aai/components/aai-traversal/templates/servicemonitor.yaml
@@ -1,3 +1,3 @@
 {{- if .Values.metrics.serviceMonitor.enabled }}
 {{ include "common.serviceMonitor" . }}
-{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml index 6b268cae42..fd8206865e 100644 --- a/kubernetes/aai/components/aai-traversal/values.yaml +++ b/kubernetes/aai/components/aai-traversal/values.yaml @@ -111,11 +111,10 @@ global: # global defaults someConfig: random # application image -image: onap/aai-traversal:1.14.7 +image: onap/aai-traversal:1.15.2 pullPolicy: Always restartPolicy: Always flavor: small -flavorOverride: small # the minimum number of seconds that a newly created Pod should be ready minReadySeconds: 30 updateStrategy: @@ -197,7 +196,6 @@ config: # environment variables added to the launch of the image in deployment env: MIN_HEAP_SIZE: "512m" - MAX_HEAP_SIZE: "2g" MAX_METASPACE_SIZE: "512m" # POST_JVM_ARGS: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" @@ -259,14 +257,20 @@ affinity: {} # probe configuration parameters liveness: + path: /actuator/health/liveness initialDelaySeconds: 60 periodSeconds: 60 enabled: true readiness: + path: /actuator/health/readiness initialDelaySeconds: 10 periodSeconds: 10 +actuator: + echo: + enabled: true + service: type: ClusterIP traversalPortName: http @@ -321,6 +325,19 @@ resources: memory: "4Gi" unlimited: {} +# define the heap size for the JVM +# according to the resource flavor +small: + maxHeapSize: "2500m" +large: + maxHeapSize: "3g" + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + tracing: collector: baseUrl: http://jaeger-collector.istio-system:9411 @@ -336,9 +353,12 @@ endpoints: info: enabled: true +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + metrics: serviceMonitor: - enabled: false + enabled: true targetPort: 8448 path: /actuator/prometheus basicAuth: 
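Review bot: `metrics.serviceMonitor.enabled` flips from `false` to `true`, so a ServiceMonitor for `/actuator/prometheus` on port 8448 is now created on every install, and on a cluster without the Prometheus Operator CRD the install fails at apply time unless `common.serviceMonitor` guards against that. The `basicAuth:` block that governs the scrape credentials sits just outside the hunk, so please confirm the new default does not leave the scrape target without authentication, and note the dependency beside the key, e.g. `# requires the Prometheus Operator ServiceMonitor CRD; set to false on clusters without it`. The same default flip happens in `kubernetes/aai/values.yaml` (`@@ -396,7 +403,7 @@`). Separately, the new keys `actuator.echo.enabled` and `small`/`large` `maxHeapSize` have no comment on where they are consumed; a short `# used by …` line on each would help.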
@@ -366,9 +386,9 @@ metrics: ## selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' ## RelabelConfigs to apply to samples before scraping ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig @@ -398,9 +418,33 @@ serviceAccount: log: path: /var/log/onap level: - root: DEBUG - base: DEBUG # base package (org.onap.aai) + root: INFO + base: INFO # base package (org.onap.aai) logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 50Mi + logmiscSizeLimit: 50Mi + tmpSizeLimit: 100Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for_migration: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-migration' + wait_for_createSchema: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema' + wait_for_cassandra: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service + wait_for_service: + services: + - aai ################################################################# # Secrets metaconfig ################################################################# diff --git a/kubernetes/aai/resources/config/haproxy/resolvers.conf b/kubernetes/aai/resources/config/haproxy/resolvers.conf new file mode 100644 index 0000000000..c456e3526a --- /dev/null +++ b/kubernetes/aai/resources/config/haproxy/resolvers.conf @@ -0,0 +1,3 @@ +resolvers kubernetes + nameserver dns1 {{.Values.config.NAME_SERVER}}:53 + hold valid 1s diff --git a/kubernetes/aai/templates/authorizationpolicy.yaml b/kubernetes/aai/templates/authorizationpolicy.yaml index fa59f52f35..f48e06eab4 100644 
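Review bot: `nameserver dns1 {{.Values.config.NAME_SERVER}}:53` in the new resolvers.conf is rendered from a value whose default, later in this commit (`kubernetes/aai/values.yaml`), is the host name `coredns.kube-system`; HAProxy's `resolvers` section has traditionally required an IP literal for `nameserver` (host-name support depends on the HAProxy release inside `onap/aai-haproxy`, which is not visible here), and the comment added next to `NAME_SERVER` itself says an IP address is needed. If the bundled HAProxy cannot resolve that name at startup the configuration fails to load and the whole front proxy stays down; the name also lacks the `.svc` suffix, so it relies on the pod's search domains, and the cluster DNS service is named `kube-dns` rather than `coredns` on some distributions. Please confirm against the image's HAProxy version, or, if that release supports it, use `parse-resolv-conf` in the `resolvers` block so the pod's own `/etc/resolv.conf` is used and no cluster-specific value is needed. `hold valid 1s` forces a re-resolution every second; a comment on why so short a hold is wanted would help the next maintainer.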
--- a/kubernetes/aai/templates/authorizationpolicy.yaml
+++ b/kubernetes/aai/templates/authorizationpolicy.yaml
@@ -27,6 +27,7 @@ kind: AuthorizationPolicy
 metadata:
 name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}}
 namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
 spec:
 selector:
 matchLabels:
diff --git a/kubernetes/aai/templates/configmap.yaml b/kubernetes/aai/templates/configmap.yaml
index dac36d729d..c66af502ac 100644
--- a/kubernetes/aai/templates/configmap.yaml
+++ b/kubernetes/aai/templates/configmap.yaml
@@ -22,12 +22,9 @@ kind: ConfigMap
 metadata:
 name: aai-deployment-configmap
 namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+ labels: {{- include "common.labels" . | nindent 4 }}
 data:
+{{ tpl (.Files.Glob "resources/config/haproxy/resolvers.conf").AsConfig . | indent 2 }}
 {{ if .Values.global.installSidecarSecurity }}
 {{ tpl (.Files.Glob "resources/config/haproxy/haproxy-pluggable-security.cfg").AsConfig . | indent 2 }}
 {{ else }}
@@ -40,6 +37,7 @@ kind: Secret
 metadata:
 name: aai-fproxy-auth-certs
 namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/config/fproxy/auth/*").AsSecrets . | indent 2 }}
@@ -49,6 +47,7 @@ kind: Secret
 metadata:
 name: aai-rproxy-auth-certs
 namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/config/rproxy/auth/*").AsSecrets . | indent 2 }}
@@ -58,6 +57,7 @@ kind: Secret metadata: name: aai-rproxy-security-config namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/rproxy/security/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml index d64410ceea..a743592036 100644 --- a/kubernetes/aai/templates/deployment.yaml +++ b/kubernetes/aai/templates/deployment.yaml @@ -18,25 +18,13 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - app.kubernetes.io/name: {{ include "common.name" . }} - {{- if .Chart.AppVersion }} - version: "{{ .Chart.AppVersion | replace "+" "_" }}" - {{- else }} - version: "{{ .Chart.Version | replace "+" "_" }}" - {{- end }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: matchLabels: app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} strategy: type: {{ .Values.updateStrategy.type }} {{- if (eq "RollingUpdate" .Values.updateStrategy.type) }} 
@@ -45,59 +33,48 @@ spec:
 maxSurge: {{ .Values.updateStrategy.maxSurge }}
 {{- end }}
 template:
- metadata:
- labels:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- app.kubernetes.io/name: {{ include "common.name" . }}
- {{- if .Chart.AppVersion }}
- version: "{{ .Chart.AppVersion | replace "+" "_" }}"
- {{- else }}
- version: "{{ .Chart.Version | replace "+" "_" }}"
- {{- end }}
- name: {{ include "common.release" . }}
- annotations:
- checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
 spec:
 terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
 initContainers:
- - command:
- - /app/ready.py
- args:
- - --service-name
- - aai-resources
- - --service-name
- - aai-traversal
- - --service-name
- - aai-graphadmin
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- image: {{ include "repositoryGenerator.image.readiness" . }}
+ {{ include "common.readinessCheck.waitFor" . | indent 6 | trim}}
+ - command: ["/bin/sh","-c"]
+ args: ['cp -R /usr/local/etc/haproxy /usr/local/etc/haproxy_rw/']
+ image: '{{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}'
 imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-readiness
+ name: copy-haproxy-config
 resources:
- requests:
- memory: {{ .Values.haproxy.initContainers.resources.memory }}
- cpu: {{ .Values.haproxy.initContainers.resources.cpu }}
 limits:
- memory: {{ .Values.haproxy.initContainers.resources.memory }}
- cpu: {{ .Values.haproxy.initContainers.resources.cpu }}
+ cpu: 100m
+ memory: 200Mi
+ requests:
+ cpu: 2m
+ memory: 100Mi
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /usr/local/etc/haproxy_rw
+ name: haproxy-etc
 containers:
 - name: {{ include "common.name" . }}
- image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}"
+ image: '{{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}'
 imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
 volumeMounts:
+ - mountPath: /usr/local/etc/haproxy
+ name: haproxy-etc
+ - mountPath: /usr/local/etc/haproxy/resolvers.conf
+ name: haproxy-config
+ subPath: resolvers.conf
+ readOnly: true
 - mountPath: /usr/local/etc/haproxy/haproxy.cfg
 {{ if .Values.global.installSidecarSecurity }}
 subPath: haproxy-pluggable-security.cfg
 {{ else }}
 subPath: haproxy.cfg
 {{ end }}
- name: haproxy-cfg
+ name: haproxy-config
 ports:
 - containerPort: {{ .Values.service.internalPort }}
 name: {{ .Values.service.portName }}
@@ -112,7 +89,11 @@ spec:
 initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
 periodSeconds: {{ .Values.liveness.periodSeconds }}
 {{ end -}}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ resources: {{ include "common.resources" . | nindent 10 }}
 readinessProbe:
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
 httpGet:
 path: /aai/util/echo
 port: {{ .Values.service.internalPort }}
@@ -128,9 +109,6 @@ spec:
 value: OOM_ReadinessCheck_TID
 - name: Accept
 value: application/json
- initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
- periodSeconds: {{ .Values.readiness.periodSeconds }}
- resources: {{ include "common.resources" . | nindent 10 }}
 {{- if .Values.nodeSelector }}
 nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
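Review bot: `args: ['cp -R /usr/local/etc/haproxy /usr/local/etc/haproxy_rw/']` in the new `copy-haproxy-config` init container copies the directory *into* the mount point, so the `haproxy-etc` emptyDir ends up containing `haproxy/…`, and once that volume is mounted at `/usr/local/etc/haproxy` in the main container the image's files sit at `/usr/local/etc/haproxy/haproxy/…` instead of their original paths. If the intent is to seed a writable copy of the image's directory (presumably the motivation, now that `common.containerSecurityContext` is applied to the haproxy container), copy its contents instead: `args: ['cp -R /usr/local/etc/haproxy/. /usr/local/etc/haproxy_rw/']`. Whether anything besides the subPath-mounted `haproxy.cfg` and `resolvers.conf` is read from that directory is not visible here, so this may be harmless today, but it silently hides every other file the image ships there. The pod spec continues outside the hunk.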
@@ -141,7 +119,10 @@ spec:
 {{- end }}
 serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
 volumes:
- - name: haproxy-cfg
- configMap:
- name: aai-deployment-configmap
+ - name: haproxy-config
+ configMap:
+ name: aai-deployment-configmap
+ - name: haproxy-etc
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.haProxySizeLimit }}
 {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/aai/templates/secret.yaml b/kubernetes/aai/templates/secret.yaml
index d868b9582e..1a592a0801 100644
--- a/kubernetes/aai/templates/secret.yaml
+++ b/kubernetes/aai/templates/secret.yaml
@@ -19,11 +19,7 @@ kind: Secret
 metadata:
 name: aai-common-aai-auth
 namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+ labels: {{- include "common.labels" . | nindent 4 }}
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }}
@@ -33,6 +29,7 @@ kind: Secret
 metadata:
 name: aai-common-truststore
 namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/config/aai/*").AsSecrets . | indent 2 }}
diff --git a/kubernetes/aai/templates/service.yaml b/kubernetes/aai/templates/service.yaml
index ecbab26439..1509311a2b 100644
--- a/kubernetes/aai/templates/service.yaml
+++ b/kubernetes/aai/templates/service.yaml
@@ -19,12 +19,7 @@ kind: Service
 metadata:
 name: {{ include "common.servicename" . }}
 namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- app.kubernetes.io/name: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+ labels: {{- include "common.labels" . | nindent 4 }}
 spec:
 ports:
 - name: {{ .Values.service.portName }}
@@ -36,8 +31,7 @@ spec:
 {{ end }}
 {{- end }}
 type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}{{ .Values.service.type }}{{ end }}
- selector:
- app: {{ include "common.name" . }}
+ selector: {{- include "common.matchLabels" . | nindent 4 }}
 sessionAffinity: {{ .Values.service.sessionAffinity }}
 ---
 apiVersion: v1
@@ -45,38 +39,26 @@ kind: Service
 metadata:
 name: {{ include "common.servicename" . }}-internal
 namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- app.kubernetes.io/name: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+ labels: {{- include "common.labels" . | nindent 4 }}
 spec:
 ports:
 - name: {{ .Values.service.portName }}
 port: {{ .Values.service.externalPort }}
 targetPort: {{ .Values.service.internalPort }}
 type: ClusterIP
- selector:
- app: {{ include "common.name" . }}
+ selector: {{- include "common.matchLabels" . | nindent 4 }}
 ---
 apiVersion: v1
 kind: Service
 metadata:
 name: {{ include "common.servicename" . }}-metrics
 namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}-metrics
- app.kubernetes.io/name: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+ labels: {{- include "common.labels" . | nindent 4 }}
 spec:
 ports:
 - port: {{ .Values.metricsService.externalPort }}
 targetPort: {{ .Values.metricsService.internalPort }}
 name: {{ .Values.metricsService.portName }}
 type: {{ .Values.metricsService.type }}
- selector:
- app: {{ include "common.name" . }}
- clusterIP: None
\ No newline at end of file
+ selector: {{- include "common.matchLabels" . | nindent 4 }}
+ clusterIP: None
diff --git a/kubernetes/aai/templates/servicemonitor.yaml b/kubernetes/aai/templates/servicemonitor.yaml
index c0d9f212b4..dc706029bf 100644
--- a/kubernetes/aai/templates/servicemonitor.yaml
+++ b/kubernetes/aai/templates/servicemonitor.yaml
@@ -1,3 +1,3 @@
 {{- if .Values.metrics.serviceMonitor.enabled }}
 {{ include "common.serviceMonitor" . }}
-{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml index 8607e58f60..a000d2f934 100644 --- a/kubernetes/aai/values.yaml +++ b/kubernetes/aai/values.yaml @@ -72,7 +72,6 @@ global: # global defaults # See storage.cql.partitioner-name in https://docs.janusgraph.org/v0.6/configs/configuration-reference/#storagecql partitionerName: org.apache.cassandra.dht.Murmur3Partitioner - aai: serviceName: aai babel: @@ -310,11 +309,10 @@ aai-traversal: # application image dockerhubRepository: registry.hub.docker.com -image: onap/aai-haproxy:1.11.0 +image: onap/aai-haproxy:1.15.2 pullPolicy: Always flavor: small -flavorOverride: small # flag to enable debugging - application support required debugEnabled: false @@ -323,13 +321,19 @@ debugEnabled: false config: logstashServiceName: log-ls logstashPort: 5044 + # IP address of name server is needed in nginx configuration. The secure endpoint for logging with Keycloak need the ip address in the config file. + # You can find this ip address in the /etc/resolv.conf This file is generated by k8s. The name server ip address is in all k8s cluster the same. + NAME_SERVER: coredns.kube-system # default number of instances replicaCount: 1 +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 2 + updateStrategy: type: RollingUpdate - maxUnavailable: 0 + maxUnavailable: 33% maxSurge: 1 nodeSelector: {} @@ -346,8 +350,11 @@ haproxy: enabled: false customConfigs: [] replicas: - aaiResources: 1 - aaiTraversal: 1 + aaiResources: 3 + aaiTraversal: 3 + # stickiness based on path. + # For multiple replicas, requests will not be distributed evenly + stickOnPath: true # probe configuration parameters liveness: @@ -396,7 +403,7 @@ metricsService: metrics: serviceMonitor: - enabled: false + enabled: true targetPort: 8448 path: /metrics basicAuth: 
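Review bot: The comment added above `NAME_SERVER: coredns.kube-system` says an IP address is required and refers to an nginx configuration and Keycloak logging, but the value is a host name and, in this chart, it is consumed by the haproxy `resolvers.conf` added earlier in this commit, so the comment will mislead whoever has to tune it for their cluster. Suggest replacing the two comment lines with `# DNS server used by the haproxy 'resolvers' block (resources/config/haproxy/resolvers.conf). Set it to the cluster DNS service (see /etc/resolv.conf inside any pod); the service name varies between distributions, e.g. kube-dns on kubeadm clusters.`. The `maxUnavailable: 33%` change is fine with `replicaCount: 1` (it rounds down to 0), but a one-line note that it is meant for the multi-replica case would save a reader checking the arithmetic.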
@@ -404,9 +411,9 @@ metrics: selector: app: '{{ include "common.name" . }}-metrics' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' relabelings: [] @@ -455,15 +462,15 @@ resources: cpu: "2" memory: "4Gi" requests: - cpu: "1" - memory: "1.2Gi" + cpu: "500m" + memory: "1200Mi" large: limits: cpu: "4" memory: "8Gi" requests: - cpu: "2" - memory: "2.4Gi" + cpu: "1" + memory: "2400Mi" unlimited: {} #Pods Service Account @@ -471,3 +478,20 @@ serviceAccount: nameOverride: aai roles: - read + +securityContext: + user_id: 99 + group_id: 99 + +readinessCheck: + wait_for: + services: + - aai-resources + - aai-traversal + - aai-graphadmin + +volumes: + haProxySizeLimit: 20Mi + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/authentication/Chart.yaml b/kubernetes/authentication/Chart.yaml index e8400aeb81..d178f38481 100644 --- a/kubernetes/authentication/Chart.yaml +++ b/kubernetes/authentication/Chart.yaml @@ -16,7 +16,7 @@ # limitations under the License. # ============LICENSE_END========================================================= apiVersion: v2 -version: 14.0.1 +version: 15.0.0 description: ONAP Realm creation, Oauth2Proxy installation and configuration name: authentication sources: @@ -31,8 +31,8 @@ dependencies: version: ~13.x-0 repository: '@local' - name: onap-keycloak-config-cli - version: 5.12.0 + version: 6.1.6 repository: 'file://components/keycloak-config-cli' - name: onap-oauth2-proxy - version: 7.5.4 + version: 7.8.0 repository: 'file://components/oauth2-proxy' 
diff --git a/kubernetes/authentication/README.md b/kubernetes/authentication/README.md index 306e2f9645..c2332b409a 100644 --- a/kubernetes/authentication/README.md +++ b/kubernetes/authentication/README.md @@ -27,20 +27,24 @@ This sections sets the realm general attributes shown in Keycloak realmSettings: - name: <Realm ID> - unique ID for a realm (e.g. "ONAP") displayName: <Display Name> - (optional) Keycloak Display Name (e.g. "ONAP Realm") + accessTokenLifespan: - (optional) Access Tolek Lifespan (default: 1900) + registrationAllowed: - (optional) Enable/disable the registration page (default: false) + resetPasswordAllowed: - (optional) Show a link on login page for user to click when they have forgotten their credentials (default: true) + sslRequired: - (optional) Is HTTPS required? ('None'|'External'|'All requests' (default: "external") themes: - (optional) Keycloak Theme settings login: <login theme> - (optional) Keycloak Theme for Login UI (e.g. "base") admin: <admin theme> - (optional) Keycloak Theme for Admin UI (e.g. "base") account: <account theme> - (optional) Keycloak Theme for Account UI (e.g. "base") email: <email theme> - (optional) Keycloak Theme for Email UI (e.g. "base") - attributes: - frontendUrl: "<Keycloak URL>" - External Url for Keycloak access (e.g. "https://keycloak-$PARAM_BASE_URL/") + attributes: - (optional) + frontendUrl: "<Keycloak URL>" - (optional) External Url for Keycloak access (e.g. "https://keycloak-$PARAM_BASE_URL/") ``` ### CLIENT definitions In this section each realm authentication client is defined e.g. portal-bff, oauth2-proxy, grafana -possible "attribute" settings (maybe more): +- possible "attributes" settings (maybe more): - id.token.as.detached.signature: "false" - exclude.session.state.from.auth.response: "false" - tls.client.certificate.bound.access.tokens: "false" 
@@ -89,6 +93,7 @@ possible "attribute" settings (maybe more): serviceAccountsEnabled: "<false|true>" - (optional) serviceAccountsEnabled (default: false) frontchannelLogout: "<false|true>" - (optional) frontend channel logout (default: true) surrogateAuthRequired: "<false|true>" - (optional) surrogate Auth Required (default: false) + authorizationServicesEnabled: "<false|true>" - (optional) enable Authorization Services (RBAC) (default: false) publicClient: "<false|true>" - (optional) public Client (default: false) attributes: - (optional) attributes settings (see code) post.logout.redirect.uris: '<url>' - example 
@@ -117,32 +122,79 @@ possible "attribute" settings (maybe more): - "http://localhost/*" webOrigins: - "https://argocd-$PARAM_BASE_URL" - defaultClientScopes: - - "web-origins" + defaultClientScopes: - (optional) definition of default client scopes + - "web-origins" - if used, has to contain the full scope list - "profile" - "acr" - "email" - "roles" - "groups" + optionalClientScopes: - (optional) definition of optional client scopes + - ... - if used, has to contain the full scope list ``` -### CLIENT SCOPE definitions +#### Authorization settings within Client section (optional) -Here additional scopes besides the default scopes can be defined and set as default client scope +Information about the Keycloak Authorization Services can be found under: <https://www.keycloak.org/docs/latest/authorization_services/index.html> -default scopes: +To enable Authorization the setting shown above needs to be: + - authorizationServicesEnabled: true - - roles - - groups - - acr - - profile - - address - - web-origin - - phone - - email - - offline_access - - role_list - - microprofile-jwt +```yaml + authorizationSettings: + allowRemoteResourceManagement: "<false|true>" - (optional) managed remotely by the resource server? (default: true) + policyEnforcementMode: "<ENFORCING|PERMISSIVE|DISABLED>"- (optional) dictates how policies are enforced (default: ENFORCING) + decisionStrategy: "<UNANIMOUS|AFFIRMATIVE>" - (optional) dictates how permissions are evaluated (default: UNANIMOUS) + resources: - resources definitions + - name: "<resource name>" - unique name for this resource + displayName: "<display name>" - (optional) user-friendly name for the resource + type: "<type>" - Type can be used to group different resource instances with the same type + ownerManagedAccess: <true|false> - (optional) access can be managed by the resource owner? 
(default: false) + attributes: {} - (optional) The attributes associated wth the resource + uris: - Set of URIs which are protected by resource + - "/*" + - ... + scopes: - The scopes associated with this resource + - name: "<scope name1>" + - ... + icon_uri: "<uri>" - (optional) A URI pointing to an icon. + - ... + policies: - policy definitions + - name: "<policy name>" - unique name for this policy + description: "<description>" - (optional) A description for this policy + type: "<role|client|...>" - Choose the policy type + logic: "<POSITIVE|NEGATIVE>" - dictates how the policy decision should be made + roles: - Specifies the client roles allowed by this policy + - id: "<role name>" - points to an existing role + required: <true|false> - decide, whether role is required + ... + - ... + permissions: - policy definitions + - name: "<permission name>" - unique name for this permission + description: "<description>" - (optional) A description for this permission + type: "<scope|resource>" - Choose the permission type + decisionStrategy: "<UNANIMOUS|AFFIRMATIVE|CONSENSUS>" - dictates how the policies associated with a given permission are evaluated + resources: - Specifies that this permission must be applied to a specific resource instance + - "<resource name>" - points to an existing resource + - ... + scopes: - Specifies that this permission must be applied to one or more scopes + - "<scope name>" - points to an existing scope + - ... + applyPolicies: - Specifies all the policies that must be applied to the scopes defined by this permission + - "<policy-name>" - points to an existing policy + - ... + - ... + scopes: - scope definitions + - name: "<scope name>" - unique name for this scope + iconUri: "<uri>" - (optional) A URI pointing to an icon. + displayName: "<display name>" - (optional) user-friendly name for the resource + - ... 
+``` + +### CLIENT SCOPE definitions + +Here additional scopes besides the default scopes can be defined and set as defaul client scope +default scopes: roles, groups, acr, profile, address, web-origin, phone, email, offline_access, role_list, microprofile-jwt ```yaml defaultClientScopes: @@ -176,13 +228,7 @@ default scopes: ### Access control definitions In this section additional roles (assignableRoles) besides the default roles can be set. - -default roles: - - user - - admin - - offline_access - - uma_authorization - - default-roles-<realm> +default roles: user, admin, offline_access, uma_authorization, default-roles-<realm> (optional) accessRoles can be defined. These access roles are used in the Ingress "Auhorization Policy" to restrict the access to certain services @@ -223,6 +269,8 @@ The access role is assigned to a realm client (e.g. oauth2_proxy) - type: password - (optional) initial password (<pwd>: encrypted password, <salt>: used salt) secretData: "{\"value\":\"<pwd>\",\"salt\":\"<salt>\"}" credentialData: "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" + requiredActions: - (optional) action, the user has to execute + - <action> - e.g. "UPDATE_PASSWORD", "UPDATE_PROFILE",... attributes: - (optional) additional attributes sdc_user: - example attribute - "cs0008" 
@@ -290,16 +338,9 @@ The access role is assigned to a realm client (e.g. oauth2_proxy) user: "onapsupport" ``` -## Ingress Authentication settings +## Requirements -Activating the Ingress Authentication (enabled: true) will create AuthorizationPolicy resources for each defined "accessControl.accessRoles" in a REALM definition. +authentication needs the following ONAP projects to work: -``` -ingressAuthentication: - enabled: false - exceptions: - - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}' - - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ui") }}' - - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "minio-console") }}' - - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "uui-server") }}' -``` +- common +- serviceAccount diff --git a/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml index 80e5d27c9f..c196bcc6e2 100644 --- a/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml @@ -20,8 +20,8 @@ apiVersion: v2 name: onap-keycloak-config-cli description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak. home: https://github.com/adorsys/keycloak-config-cli -version: 5.12.0 -appVersion: 5.12.0 +version: 6.1.6 +appVersion: 6.1.6 maintainers: - name: jkroepke email: joe@adorsys.de diff --git a/kubernetes/authentication/components/keycloak-config-cli/values.yaml b/kubernetes/authentication/components/keycloak-config-cli/values.yaml index 46c67dd220..9574d148ec 100644 --- a/kubernetes/authentication/components/keycloak-config-cli/values.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/values.yaml 
@@ -23,7 +23,7 @@ nameOverride: ""
 image:
 repository: adorsys/keycloak-config-cli
- tag: "{{ .Chart.AppVersion }}-22.0.4"
+ tag: "{{ .Chart.AppVersion }}-25.0.6"
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
 ## Secrets must be manually created in the namespace.
diff --git a/kubernetes/authentication/components/oauth2-proxy/Chart.yaml b/kubernetes/authentication/components/oauth2-proxy/Chart.yaml
index 3bcf687241..300ed0964b 100644
--- a/kubernetes/authentication/components/oauth2-proxy/Chart.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/Chart.yaml
@@ -1,7 +1,7 @@
 name: onap-oauth2-proxy
-version: 7.5.4
+version: 7.8.0
 apiVersion: v2
-appVersion: 7.6.0
+appVersion: 7.7.1
 home: https://oauth2-proxy.github.io/oauth2-proxy/
 description: A reverse proxy that provides authentication with Google, Github or other providers
 keywords:
@@ -14,7 +14,7 @@ keywords:
 - redis
 dependencies:
 - name: redis
- version: 19.1.0
+ version: 20.3.0
 repository: https://charts.bitnami.com/bitnami
 alias: redis
 condition: redis.enabled
@@ -38,11 +38,11 @@ maintainers:
 email: joel.speed@hotmail.co.uk
 - name: pierluigilenoci
 email: pierluigi.lenoci@gmail.com
-kubeVersion: ">=1.9.0-0"
+kubeVersion: ">=1.16.0-0"
 annotations:
 artifacthub.io/changes: |
- - kind: changed
- description: Wait for redis script fixes for cluster and sentinel
+ - kind: added
+ description: allow templates in annotations
 links:
 - name: Github PR
- url: https://github.com/oauth2-proxy/manifests/issues/205
+ url: https://github.com/oauth2-proxy/manifests/pull/256
diff --git a/kubernetes/authentication/components/oauth2-proxy/README.md b/kubernetes/authentication/components/oauth2-proxy/README.md
index 55a5e44429..0dc6c13962 100644
--- a/kubernetes/authentication/components/oauth2-proxy/README.md
+++ b/kubernetes/authentication/components/oauth2-proxy/README.md
@@ -1,6 +1,6 @@
 # oauth2-proxy
-[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.
+[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by e-mail, domain, or group.
 ## TL;DR;
@@ -21,7 +21,8 @@ To install the chart with the release name `my-release`:
 $ helm install my-release oauth2-proxy/oauth2-proxy
 ```
-The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration.
+The [configuration](#configuration) section lists the parameters that can be configured during installation.
 ## Uninstalling the Chart
@@ -35,34 +36,37 @@ The command removes all the Kubernetes components associated with the chart and
 ## Upgrading an existing Release to a new major version
-A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
-incompatible breaking change needing manual actions.
+A major chart version change (like v1.2.3 -> v2.0.0) indicates an incompatible breaking change needing manual actions.
 ### To 1.0.0
-This version upgrades oauth2-proxy to v4.0.0. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400) in order to upgrade.
+This version upgrades oauth2-proxy to v4.0.0. To upgrade, please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400).
 ### To 2.0.0
-Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion `apps/v1beta2`. See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information.
+Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by addressing the Deployment object apiVersion `apps/v1beta2` deprecation.
+See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information.
-Due to [this issue](https://github.com/helm/helm/issues/6583) there may be errors performing a `helm upgrade` of this chart from versions earlier than 2.0.0.
+Due to [this issue](https://github.com/helm/helm/issues/6583), errors may occur when performing a `helm upgrade` of this chart from versions earlier than 2.0.0.
 ### To 3.0.0
-Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. This is a breaking change since the service account is enabled by default. To disable this behaviour set `serviceAccount.enabled` to `false`
+Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart.
+This is a breaking change since the service account is enabled by default.
+To disable this behaviour set `serviceAccount.enabled` to `false`
 ### To 4.0.0
 Version 4.0.0 adds support for the new Ingress apiVersion **networking.k8s.io/v1**.
-Therefore the `ingress.extraPaths` parameter needs to be updated to the new format.
+Therefore, the `ingress.extraPaths` parameter must be updated to the new format.
 See the [v1.22 API deprecations guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122) for more information.
 For the same reason `service.port` was renamed to `service.portNumber`.
 ### To 5.0.0
-Version 5.0.0 introduces support for custom labels and refactor [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). This is a breaking change because many labels of all resources need to be updated to stay consistent.
+Version 5.0.0 introduces support for custom labels and refactor [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/).
+This is a breaking change because many labels of all resources need to be updated to stay consistent.
 In order to upgrade, delete the Deployment before upgrading:
@@ -80,140 +84,157 @@ For users who don't want downtime, you can perform these actions:
 ### To 6.0.0
-Version 6.0.0 bumps the version of the redis subchart from ~10.6.0 to ~16.4.0. You probably need to adjust your redis config. See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions.
+Version 6.0.0 bumps the version of the Redis subchart from ~10.6.0 to ~16.4.0.
+You probably need to adjust your Redis configuration.
+See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions.
+
+### To 7.0.0
+
+Version 7.0.0 introduces a new implementation to support multiple hostAliases.
+You probably need to adjust your hostAliases config.
+See [here](https://github.com/oauth2-proxy/manifests/pull/164/) for detailed information.
 ## Configuration
 The following table lists the configurable parameters of the oauth2-proxy chart and their default values.
-Parameter | Description | Default
---- | --- | ---
-`affinity` | node/pod affinities | None
-`authenticatedEmailsFile.enabled` | Enables authorize individual email addresses | `false`
-`authenticatedEmailsFile.persistence` | Defines how the email addresses file will be projected, via a configmap or secret | `configmap`
-`authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""`
-`authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the email addresses list | `""`
-`authenticatedEmailsFile.restricted_access` | [email addresses](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#email-authentication) list config | `""`
-`authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil`
-`config.clientID` | oauth client ID | `""`
-`config.clientSecret` | oauth client secret | `""`
-`config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""`
-`config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil`
-`config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""`
-`config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil`
-`config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""`
-`alphaConfig.enabled` | Flag to toggle any alpha config related logic | `false`
-`alphaConfig.annotations` | Configmap annotations | `{}`
-`alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}`
-`alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}`
-`alphaConfig.configData` | Arbitrary configuration data to append | `{}`
-`alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""`
-`alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil`
-`alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil`
-`customLabels` | Custom labels to add into metadata | `{}` |
-`config.google.adminEmail` | user impersonated by the google service account | `""`
-`config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account json | `false`
-`config.google.targetPrincipal` | service account to use/impersonate | `""`
-`config.google.serviceAccountJson` | google service account json contents | `""`
-`config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil`
-`config.google.groups` | restrict logins to members of these google groups | `[]`
-`containerPort` | used to customise port on the deployment | `""`
-`extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows to configure the same flag multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). | `{}` or `[]`
-`extraContainers` | List of extra containers to be added to the pod | `[]`
-`extraEnv` | key:value list of extra environment variables to give the binary | `[]`
-`extraVolumes` | list of extra volumes | `[]`
-`extraVolumeMounts` | list of extra volumeMounts | `[]`
-`hostAliases` | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution.
-`htpasswdFile.enabled` | enable htpasswd-file option | `false`
-`htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#command-line-options) | `{}`
-`htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""`
-`httpScheme` | `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. | `http`
-`image.pullPolicy` | Image pull policy | `IfNotPresent`
-`image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy`
-`image.tag` | Image tag | `""` (defaults to appVersion)
-`imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods)
-`ingress.enabled` | Enable Ingress | `false`
-`ingress.className` | name referencing IngressClass | `nil`
-`ingress.path` | Ingress accepted path | `/`
-`ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific`
-`ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). | `[]`
-`ingress.labels` | Ingress extra labels | `{}`
-`ingress.annotations` | Ingress annotations | `nil`
-`ingress.hosts` | Ingress accepted hostnames | `nil`
-`ingress.tls` | Ingress TLS configuration | `nil`
-`initContainers.waitForRedis.enabled` | if `redis.enabled` is true, use an init container to wait for the redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list and watch the redis master pod | `true`
-`initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent`
-`initContainers.waitForRedis.image.repository` | kubectl image repository | `docker.io/bitnami/kubectl`
-`initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")`
-`initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true`
-`initContainers.waitForRedis.timeout` | number of seconds | 180
-`initContainers.waitForRedis.resources` | pod resource requests & limits | `{}`
-`livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true`
-`livenessProbe.initialDelaySeconds` | number of seconds | 0
-`livenessProbe.timeoutSeconds` | number of seconds | 1
-`namespaceOverride` | Override the deployment namespace | `""`
-`nodeSelector` | node labels for pod assignment | `{}`
-`deploymentAnnotations` | annotations to add to the deployment | `{}`
-`podAnnotations` | annotations to add to each pod | `{}`
-`podLabels` | additional labesl to add to each pod | `{}`
-`podDisruptionBudget.enabled`| Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true
-`podDisruptionBudget.minAvailable`| minAvailable parameter for PodDisruptionBudget | 1
-`podSecurityContext` | Kubernetes security context to apply to pod | `{}`
-`priorityClassName` | priorityClassName | `nil`
-`readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true`
-`readinessProbe.initialDelaySeconds` | number of seconds | 0
-`readinessProbe.timeoutSeconds` | number of seconds | 5
-`readinessProbe.periodSeconds` | number of seconds | 10
-`readinessProbe.successThreshold` | number of successes | 1
-`replicaCount` | desired number of pods | `1`
-`resources` | pod resource requests & limits | `{}`
-`revisionHistoryLimit` | maximum number of revisions maintained | 10
-`service.portNumber` | port number for the service | `80`
-`service.appProtocol` | application protocol on the port of the service | `http`
-`service.type` | type of service | `ClusterIP`
-`service.clusterIP` | cluster ip address | `nil`
-`service.loadBalancerIP` | ip of load balancer | `nil`
-`service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil`
-`service.nodePort` | external port number for the service when service.type is `NodePort` | `nil`
-`serviceAccount.enabled` | create a service account | `true`
-`serviceAccount.name` | the service account name | ``
-`serviceAccount.annotations` | (optional) annotations for the service account | `{}`
-`strategy` | configure deployment strategy | `{}`
-`tolerations` | list of node taints to tolerate | `[]`
-`securityContext.enabled` | enable Kubernetes security context on container | `true`
-`proxyVarsAsSecrets` | choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true`
-`sessionStorage.type` | Session storage type which can be one of the following: cookie or redis | `cookie`
-`sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""`
-`sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. Taken from redis subchart secret if not set. sessionStorage.redis.existingSecret takes precedence | `nil`
-`sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the redis password value | `redis-password`
-`sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone`
-`sessionStorage.redis.standalone.connectionUrl` | URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set. | `""`
-`sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]`
-`sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""`
-`sessionStorage.redis.sentinel.password` | Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` | `nil`
-`sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the redis sentinel password value | `redis-sentinel-password`
-`sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil`
-`sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]`
-`topologySpreadConstraints` | List of pod topology spread constraints | `[]`
-`redis.enabled` | Enable the redis subchart deployment | `false`
-`checkDeprecation` | Enable deprecation checks | `true`
-`metrics.enabled` | Enable Prometheus metrics endpoint | `true`
-`metrics.port` | Serve Prometheus metrics on this port | `44180`
-`metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil`
-`metrics.service.appProtocol` | application protocol of the metrics port in the service | `http`
-`metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false`
-`metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""`
-`metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default`
-`metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s`
-`metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `30s`
-`metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource| `{}`
-`metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.| `""`
-`metrics.serviceMonitor.tlsConfig` | TLS configuration to use when scraping the endpoint. For example if using istio mTLS.| `{}`
-`metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file.| `""`
-`metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster| `{}`
-`metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion.| `[]`
-`metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion.| `[]`
-`extraObjects` | Extra K8s manifests to deploy | `[]`
+| Parameter | Description | Default |
+|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------|
+| `affinity` | node/pod affinities | None |
+| `authenticatedEmailsFile.enabled` | Enables authorize individual e-mail addresses | `false` |
+| `authenticatedEmailsFile.persistence` | Defines how the e-mail addresses file will be projected, via a configmap or secret | `configmap` |
+| `authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""` |
+| `authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the e-mail addresses list | `""` |
+| `authenticatedEmailsFile.restricted_access` | [e-mail addresses](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/#email-authentication) list config | `""` |
+| `authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` |
+| `config.clientID` | oauth client ID | `""` |
+| `config.clientSecret` | oauth client secret | `""` |
+| `config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""` |
+| `config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil` |
+| `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` |
+| `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` |
+| `config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""` |
+| `autoscaling.enabled` | Deploy a Horizontal Pod Autoscaler. | `false` |
+| `autoscaling.minReplicas` | Minimum replicas for the Horizontal Pod Autoscaler. | `1` |
+| `autoscaling.maxReplicas` | Maximum replicas for the Horizontal Pod Autoscaler. | `10` |
+| `autoscaling.targetCPUUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `80` |
+| `autoscaling.targetMemoryUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `` |
+| `autoscaling.annotations` | Horizontal Pod Autoscaler annotations. | `{}` |
+| `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` |
+| `alphaConfig.annotations` | Configmap annotations | `{}` |
+| `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` |
+| `alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` |
+| `alphaConfig.configData` | Arbitrary configuration data to append | `{}` |
+| `alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` |
+| `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` |
+| `alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` |
+| `customLabels` | Custom labels to add into metadata | `{}` |
+| `config.google.adminEmail` | user impersonated by the Google service account | `""` |
+| `config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account JSON | `false` |
+| `config.google.targetPrincipal` | service account to use/impersonate | `""` |
+| `config.google.serviceAccountJson` | Google service account JSON contents | `""` |
+| `config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [Google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil` |
+| `config.google.groups` | restrict logins to members of these Google groups | `[]` |
+| `containerPort` | used to customize port on the deployment | `""` |
+| `extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows the same flag to be configured multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). | `{}` or `[]` |
+| `extraContainers` | List of extra containers to be added to the pod | `[]` |
+| `extraEnv` | key:value list of extra environment variables to give the binary | `[]` |
+| `extraVolumes` | list of extra volumes | `[]` |
+| `extraVolumeMounts` | list of extra volumeMounts | `[]` |
+| `hostAliases` | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution. | |
+| `htpasswdFile.enabled` | enable htpasswd-file option | `false` |
+| `htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#command-line-options) | `{}` |
+| `htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""` |
+| `httpScheme` | `http` or `https`. `name` used for the port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. | `http` |
+| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `image.command` | Define command to be executed by container at startup | `[]` |
+| `image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy` |
+| `image.tag` | Image tag | `""` (defaults to appVersion) |
+| `imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) |
+| `ingress.enabled` | Enable Ingress | `false` |
+| `ingress.className` | name referencing IngressClass | `nil` |
+| `ingress.path` | Ingress accepted path | `/` |
+| `ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific` |
+| `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/ingress/annotations/). | `[]` |
+| `ingress.labels` | Ingress extra labels | `{}` |
+| `ingress.annotations` | Ingress annotations | `nil` |
+| `ingress.hosts` | Ingress accepted hostnames | `nil` |
+| `ingress.tls` | Ingress TLS configuration | `nil` |
+| `initContainers.waitForRedis.enabled` | If `redis.enabled` is true, use an init container to wait for the Redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list, and watch the Redis master pod | `true` |
+| `initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` |
+| `initContainers.waitForRedis.image.repository` | kubectl image repository | `docker.io/bitnami/kubectl` |
+| `initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")`
+| `initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` |
+| `initContainers.waitForRedis.timeout` | number of seconds | 180 |
+| `initContainers.waitForRedis.resources` | pod resource requests & limits | `{}` |
+| `livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` |
+| `livenessProbe.initialDelaySeconds` | number of seconds | 0 |
+| `livenessProbe.timeoutSeconds` | number of seconds | 1 |
+| `namespaceOverride` | Override the deployment namespace | `""` |
+| `nodeSelector` | node labels for pod assignment | `{}` |
+| `deploymentAnnotations` | annotations to add to the deployment | `{}` |
+| `podAnnotations` | annotations to add to each pod | `{}` |
+| `podLabels` | additional labels to add to each pod | `{}` |
+| `podDisruptionBudget.enabled` | Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true |
+| `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget | 1 |
+| `podSecurityContext` | Kubernetes security context to apply to pod | `{}` |
+| `priorityClassName` | priorityClassName | `nil` |
+| `readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` |
+| `readinessProbe.initialDelaySeconds` | number of seconds | 0 |
+| `readinessProbe.timeoutSeconds` | number of seconds | 5 |
+| `readinessProbe.periodSeconds` | number of seconds | 10 |
+| `readinessProbe.successThreshold` | number of successes | 1 |
+| `replicaCount` | desired number of pods | `1` |
+| `resources` | pod resource requests & limits | `{}` |
+| `revisionHistoryLimit` | maximum number of revisions maintained | 10 |
+| `service.portNumber` | port number for the service | `80` |
+| `service.appProtocol` | application protocol on the port of the service | `http` |
+| `service.externalTrafficPolicy` | denotes if the service desires to route external traffic to node-local or cluster-wide endpoints | `Cluster` |
+| `service.internalTrafficPolicy` | denotes if the service desires to route internal traffic to node-local or cluster-wide endpoints | `Cluster` |
+| `service.type` | type of service | `ClusterIP` |
+| `service.clusterIP` | cluster ip address | `nil` |
+| `service.loadBalancerIP` | ip of load balancer | `nil` |
+| `service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil` |
+| `service.nodePort` | external port number for the service when service.type is `NodePort` | `nil` |
+| `serviceAccount.enabled` | create a service account | `true` |
+| `serviceAccount.name` | the service account name | `` |
+| `serviceAccount.annotations` | (optional) annotations for the service account | `{}` |
+| `strategy` | configure deployment strategy | `{}` |
+| `tolerations` | list of node taints to tolerate | `[]` |
+| `securityContext.enabled` | enable Kubernetes security context on container | `true` |
+| `proxyVarsAsSecrets` | Choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true` |
+| `sessionStorage.type` | Session storage type which can be one of the following: cookie or Redis | `cookie` |
+| `sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the Redis & Redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""` |
+| `sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. Taken from Redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence | `nil` |
+| `sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the Redis password value | `redis-password` |
+| `sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for the Redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone` |
+| `sessionStorage.redis.standalone.connectionUrl` | URL of Redis standalone server for Redis session storage (e.g., `redis://HOST[:PORT]`). Automatically generated if not set. | `""` |
+| `sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g., `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` |
+| `sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the Redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""` |
+| `sessionStorage.redis.sentinel.password` | Redis sentinel password. Used only for sentinel connection; any Redis node passwords need to use `sessionStorage.redis.password` | `nil` |
+| `sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the Redis sentinel password value | `redis-sentinel-password` |
+| `sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil` |
+| `sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` |
+| `topologySpreadConstraints` | List of pod topology spread constraints | `[]` |
+| `redis.enabled` | Enable the Redis subchart deployment | `false` |
+| `checkDeprecation` | Enable deprecation checks | `true` |
+| `metrics.enabled` | Enable Prometheus metrics endpoint | `true` |
+| `metrics.port` | Serve Prometheus metrics on this port | `44180` |
+| `metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil` |
+| `metrics.service.appProtocol` | application protocol of the metrics port in the service | `http` |
+| `metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` |
+| `metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` |
+| `metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default` |
+| `metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s` |
+| `metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` |
+| `metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource | `{}` |
+| `metrics.serviceMonitor.scheme` | HTTP scheme for scraping. It can be used with `tlsConfig` for example, if using Istio mTLS. | `""` |
+| `metrics.serviceMonitor.tlsConfig` | TLS configuration when scraping the endpoint. For example, if using Istio mTLS. | `{}` |
+| `metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file. | `""` |
+| `metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster | `{}` |
+| `metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion. | `[]` |
+| `metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion. | `[]` |
+| `extraObjects` | Extra K8s manifests to deploy | `[]` |
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
@@ -232,7 +253,7 @@ $ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml
 ## TLS Configuration
-See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls).
+See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/).
 Use ```values.yaml``` like:
 ```yaml
@@ -262,9 +283,8 @@ data:
 ```
 ## Extra environment variable templating
-The extraEnv value supports the tpl function which evaluate strings as templates inside the deployment template.
-This is useful to pass a template string as a value to the chart's extra environment variables and to render external configuration environment values
-
+The extraEnv value supports the tpl function, which evaluates strings as templates inside the deployment template.
+This is useful for passing a template string as a value to the chart's extra environment variables and rendering external configuration environment values.
 ```yaml
 ...
@@ -315,13 +335,14 @@ extraObjects: </body> </html> ``` + ## Multi whitelist-domain configuration -For using multi whitelist-domain configuration for one Oauth2-proxy instance, you have to use the config.configFile section. +You must use the config.configFile section for a multi-whitelist-domain configuration for one Oauth2-proxy instance. -It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` configuration file. -In this example, Google provider is used, but you can find all other provider configuration here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/) +It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` [configuration file](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#config-file). +In this example, Google provider is used, but you can find all other provider configurations here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/). -```yaml +``` config: ... clientID="$YOUR_GOOGLE_CLIENT_ID" @@ -332,7 +353,7 @@ config: email_domains = [ "*" ] upstreams = [ "file:///dev/null" ] cookie_secure = "false" - cookie_domains = [ ".domain.com", ".otherdomain.io" ] - whitelist_domains = [ ".domain.com", ".otherdomain.io"] + cookie_domains = [ ".domain.com", ".example.io" ] + whitelist_domains = [ ".domain.com", ".example.io"] provider = "google" ``` diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml new file mode 100644 index 0000000000..fd1a0060fe --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml @@ -0,0 +1,5 @@ +# Enables Horizontal Pod Autoscaler and removes replica count in deployment +autoscaling: + enabled: true + annotations: + test-annotations/test: "true" 
diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml index 65977d921b..d217653086 100644 --- a/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml @@ -8,6 +8,8 @@ ingress: tls: - hosts: - "{{ $.Release.Name }}.local" + annotations: + test-annotations/test: "{{ $.Release.Name }}" oauth2-proxy: checkDeprecation: false config: @@ -19,3 +21,42 @@ pass_authorization_header: "true" extraArgs: pass-authorization-header: "{{ $.Values.pass_authorization_header }}" + +extraVolumes: + - name: "{{ $.Release.Name }}-secret" + secret: + secretName: "{{ .Release.Name }}-secret" + items: + - key: secret + path: secret + +authenticatedEmailsFile: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +config: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +deploymentAnnotations: + test-annotations/test: "{{ $.Release.Name }}" + +autoscaling: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +alphaConfig: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +service: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +serviceAccount: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +serviceMonitor: + annotations: + test-annotations/test: "{{ $.Release.Name }}" diff --git a/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh b/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh index 24e628f426..62dd9b684f 100644..100755 --- a/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh +++ b/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh 
@@ -24,7 +24,16 @@ check_redis() {
 # For parsing and checking connections
 parse_and_check() {
     url=$1
-    clean_url=${url#redis://}
+
+    # Strip either redis:// or rediss://
+    if [ $url = "rediss://*" ]; then
+        clean_url=${url#rediss://}
+        echo "Using secure Rediss connection..."
+    else
+        clean_url=${url#redis://}
+        echo "Using standard Redis connection..."
+    fi
+
     host=$(echo $clean_url | cut -d':' -f1)
     port=$(echo $clean_url | cut -d':' -f2)
     check_redis $host $port
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
index d9f9cffef7..68c9d76629 100644
--- a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
@@ -6,9 +6,9 @@ metadata:
   labels:
     app: {{ template "oauth2-proxy.name" . }}
 {{- include "oauth2-proxy.labels" . | indent 4 }}
-{{- if .Values.authenticatedEmailsFile.annotations }}
+{{- with .Values.authenticatedEmailsFile.annotations }}
   annotations:
-{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }}
+{{ tpl ( toYaml . ) $ | indent 4 }}
 {{- end }}
   name: {{ template "oauth2-proxy.fullname" . }}-accesslist
   namespace: {{ template "oauth2-proxy.namespace" $ }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml
index 94d7806d2e..0f164d230c 100644
--- a/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml
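Review bot: The new `if [ $url = "rediss://*" ]` is a literal string comparison, not a glob match, so a real `rediss://host:port` URL never takes the TLS branch; it falls through to `${url#redis://}`, which does not strip the `rediss://` prefix, and the following `cut -d':'` calls then yield host `rediss` and a wrong port, so the readiness check fails for every TLS URL. Use a `case` pattern match (and quote `$url`) so both schemes are stripped before the host/port split. Whether `check_redis` actually speaks TLS for the rediss case is not visible here, so the echoed "secure" text should not be read as a guarantee that the probe itself is encrypted. The body of `parse_and_check` continues past the end of the hunk.
```shell
    # Strip either redis:// or rediss:// (pattern match, not a literal compare)
    case "$url" in
        rediss://*)
            clean_url=${url#rediss://}
            echo "Using secure Rediss connection..."
            ;;
        *)
            clean_url=${url#redis://}
            echo "Using standard Redis connection..."
            ;;
    esac
    # … unchanged: host/port split and check_redis call …
```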
@@ -3,9 +3,9 @@ apiVersion: v1 kind: ConfigMap metadata: -{{- if .Values.config.annotations }} +{{- with .Values.config.annotations }} annotations: -{{ toYaml .Values.config.annotations | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: app: {{ template "oauth2-proxy.name" . }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml index 1a626d1ab8..bd5c2c923d 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml @@ -4,14 +4,16 @@ metadata: labels: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} - {{- if .Values.deploymentAnnotations }} + {{- with .Values.deploymentAnnotations }} annotations: -{{ toYaml .Values.deploymentAnnotations | indent 8 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }} namespace: {{ template "oauth2-proxy.namespace" $ }} spec: + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- with .Values.strategy }} strategy: @@ -23,7 +25,9 @@ spec: template: metadata: annotations: + {{- if .Values.config.configFile }} checksum/config: {{ tpl .Values.config.configFile $ | sha256sum }} + {{- end }} {{- if .Values.alphaConfig.enabled }} checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }} {{- end }} 
@@ -102,6 +106,12 @@ spec: image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" #image: "{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.image.command }} + command: + {{- range .Values.image.command }} + - {{ . | quote }} + {{- end }} + {{- end }} args: {{- if .Values.alphaConfig.enabled }} - --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml @@ -136,7 +146,7 @@ spec: {{- if .Values.authenticatedEmailsFile.template }} - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }} {{- else }} - - --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list + - --authenticated-emails-file=/etc/oauth2-proxy/{{ template "oauth2-proxy.fullname" . }}-accesslist {{- end }} {{- end }} {{- with .Values.config.google }} @@ -333,7 +343,7 @@ spec: {{- if .Values.authenticatedEmailsFile.template }} path: {{ .Values.authenticatedEmailsFile.template }} {{- else }} - path: authenticated-emails-list + path: {{ template "oauth2-proxy.fullname" . }}-accesslist {{- end }} {{- if .Values.authenticatedEmailsFile.template }} secretName: {{ .Values.authenticatedEmailsFile.template }} @@ -367,7 +377,7 @@ spec: {{- end }} {{- end }} {{- if ne (len .Values.extraVolumes) 0 }} -{{ toYaml .Values.extraVolumes | indent 6 }} +{{ tpl (toYaml .Values.extraVolumes) . | indent 6 }} {{- end }} {{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }} - configMap: 
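Review bot: Passing `extraVolumes` through `tpl` in the `@@ -367` hunk (as this change also does for every `annotations` map) turns each value in that list into a Go template, so a value that previously carried a literal `{{ ... }}` now renders differently or fails the install, and a values file from a less-trusted source can call template functions with the full release context. That is an accepted trade-off for a chart, but it is a behaviour change the README should state; the visible README hunk documents template expansion for `extraEnv` only. Suggest adding under "Extra environment variable templating": `The same applies to extraVolumes and to every *.annotations map; write a literal {{ as {{ "{{" }}.`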
@@ -381,26 +391,28 @@ spec: {{- if .Values.authenticatedEmailsFile.template }} path: {{ .Values.authenticatedEmailsFile.template }} {{- else }} - path: authenticated-emails-list + path: {{ template "oauth2-proxy.fullname" . }}-accesslist {{- end }} name: configaccesslist {{- end }} - {{- if .Values.imagePullSecrets }} + {{- with (.Values.imagePullSecrets | default .Values.global.imagePullSecrets) }} imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} - {{- if .Values.affinity }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} affinity: -{{ toYaml .Values.affinity | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.nodeSelector }} + {{- with .Values.nodeSelector }} nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} + {{ toYaml . | nindent 8 }} {{- end }} + {{- with .Values.tolerations }} tolerations: -{{ toYaml .Values.tolerations | indent 8 }} - {{- with .Values.topologySpreadConstraints }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} topologySpreadConstraints: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml new file mode 100644 index 0000000000..a6d7461797 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml 
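Review bot: The rewritten `nodeSelector:` stanza uses `{{ toYaml . | nindent 8 }}` without the left-trim that the neighbouring `imagePullSecrets`, `affinity`, `tolerations` and `topologySpreadConstraints` stanzas use (`{{- toYaml . | nindent 8 }}`), so the rendered manifest carries a whitespace-only line between `nodeSelector:` and its keys. The API server accepts it, but it is inconsistent and trips strict YAML linters; change it to `{{- toYaml . | nindent 8 }}`. The new `.Values.imagePullSecrets | default .Values.global.imagePullSecrets` fallback is also a behaviour change worth one README line, so operators know the chart-level key now wins over the global one.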
@@ -0,0 +1,38 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+  {{- with .Values.autoscaling.annotations }}
+  annotations:
+{{ tpl ( toYaml . ) $ | indent 8 }}
+  {{- end }}
+  name: {{ template "oauth2-proxy.fullname" . }}
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ template "oauth2-proxy.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+  {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+  {{- end }}
+  {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+  {{- end }}
+{{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml
index 5323820487..8cc7953ee9 100644
--- a/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml
@@ -17,7 +17,7 @@ metadata:
   namespace: {{ template "oauth2-proxy.namespace" $ }}
 {{- with .Values.ingress.annotations }}
   annotations:
-{{ toYaml . | indent 4 }}
+{{ tpl ( toYaml . ) $ | indent 4 }}
 {{- end }}
 spec:
 {{- if and .Values.ingress.className ( eq "true" ( include "ingress.supportsIngressClassName" . ) ) }}
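Review bot: In the new HPA, `annotations:` sits at two spaces under `metadata` but its values are rendered with `indent 8`, whereas every other manifest touched in this change renders annotation maps with `indent 4`; the output is still valid YAML but visibly inconsistent, so use `{{ tpl ( toYaml . ) $ | indent 4 }}` here as well. Separately, with the shipped `minReplicas: 1` the autoscaler can settle at a single pod while the chart's `podDisruptionBudget` (context in the values hunk further down shows `minAvailable: 1`) still demands one available pod, which appears to block voluntary node drains whenever the HPA is at its floor; a comment on `minReplicas` pointing this out, or a default of 2 when the PDB is enabled, would avoid that surprise.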
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml index 15bb89338e..ba2c02d5aa 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml @@ -7,8 +7,9 @@ apiVersion: v1 kind: Secret metadata: -{{- if .Values.alphaConfig.annotations }} - annotations: {{- toYaml .Values.alphaConfig.annotations | nindent 4 }} +{{- with .Values.alphaConfig.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: app: {{ template "oauth2-proxy.name" . }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml index 95f85a8006..9b607dd34a 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml @@ -7,9 +7,9 @@ metadata: labels: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} -{{- if .Values.authenticatedEmailsFile.annotations }} +{{- with .Values.authenticatedEmailsFile.annotations }} annotations: -{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }}-accesslist namespace: {{ template "oauth2-proxy.namespace" $ }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml index f3364e95a9..a041843484 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml 
@@ -2,9 +2,9 @@ apiVersion: v1 kind: Secret metadata: -{{- if .Values.config.annotations }} +{{- with .Values.config.annotations }} annotations: -{{ toYaml .Values.config.annotations | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: app: {{ template "oauth2-proxy.name" . }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml index d16120ee91..e8d02aeba8 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml @@ -6,9 +6,9 @@ metadata: {{- include "oauth2-proxy.labels" . | indent 4 }} name: {{ template "oauth2-proxy.fullname" . }} namespace: {{ template "oauth2-proxy.namespace" $ }} -{{- if .Values.service.annotations }} +{{- with .Values.service.annotations }} annotations: -{{ toYaml .Values.service.annotations | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} spec: {{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} @@ -28,6 +28,12 @@ spec: {{- else }} type: {{ .Values.service.type }} {{- end }} +{{- if .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} +{{- end }} +{{- if .Values.service.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.service.internalTrafficPolicy }} +{{- end }} ports: - port: {{ .Values.service.portNumber }} targetPort: {{ .Values.httpScheme }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml index 2a89c4b9e3..e38cd7a7a6 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml 
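Review bot: In the service template, `externalTrafficPolicy` is emitted whenever the value is non-empty, but as far as I recall the Service validation only accepts that field on `NodePort` and `LoadBalancer` services, so setting it while `service.type` is the default `ClusterIP` (or one of the ClusterIP branches just above) produces a rejected manifest rather than a no-op. Guard it on the type: `{{- if and .Values.service.externalTrafficPolicy (has .Values.service.type (list "NodePort" "LoadBalancer")) }}`. If the motivation is to preserve client source IPs for oauth2-proxy's request logging and real-IP handling, a comment saying that `Local` is the value that does so would help operators choose correctly.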
@@ -10,7 +10,7 @@ kind: ServiceAccount metadata: {{- with .Values.serviceAccount.annotations }} annotations: - {{- toYaml . | nindent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: app: {{ $name }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml index 3802666be0..99d62fd4ad 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml @@ -4,7 +4,7 @@ kind: ServiceMonitor metadata: {{- with .Values.metrics.serviceMonitor.annotations }} annotations: - {{- toYaml . | nindent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }} {{- if .Values.metrics.serviceMonitor.namespace }} diff --git a/kubernetes/authentication/components/oauth2-proxy/values.yaml b/kubernetes/authentication/components/oauth2-proxy/values.yaml index f49cb638fa..14ea469fa8 100644 --- a/kubernetes/authentication/components/oauth2-proxy/values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/values.yaml @@ -83,6 +83,7 @@ image: # appVersion is used by default tag: "" pullPolicy: "IfNotPresent" + command: [] # Optionally specify an array of imagePullSecrets. # Secrets must be manually created in the namespace. @@ -153,6 +154,10 @@ service: appProtocol: http annotations: {} # foo.io/bar: "true" + # configure externalTrafficPolicy + externalTrafficPolicy: "" + # configure internalTrafficPolicy + internalTrafficPolicy: "" ## Create or use ServiceAccount serviceAccount: 
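Review bot: The new `service.externalTrafficPolicy` and `service.internalTrafficPolicy` keys in values.yaml ship as `""`, while the README table in this same change lists their default as `Cluster`; the two disagree, and since an empty value correctly omits the field from the rendered Service, the README is the one to correct. A short comment on the keys would also save a support round-trip, e.g. `# Only valid when service.type is NodePort or LoadBalancer; "Local" preserves the client source IP`.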
@@ -289,6 +294,16 @@ podDisruptionBudget: enabled: true minAvailable: 1 +## Horizontal Pod Autoscaling +## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 80 +# targetMemoryUtilizationPercentage: 80 + annotations: {} + # Configure Kubernetes security context for pod # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ podSecurityContext: {} diff --git a/kubernetes/authentication/templates/_utils.tpl b/kubernetes/authentication/templates/_utils.tpl index 806f96164a..4606611159 100644 --- a/kubernetes/authentication/templates/_utils.tpl +++ b/kubernetes/authentication/templates/_utils.tpl @@ -25,9 +25,10 @@ Usage: realm: {{ $realm.name }} {{ if $realm.displayName }}displayName: {{ $realm.displayName }}{{ end }} id: {{ $realm.name }} -accessTokenLifespan: 1900 -registrationAllowed: false -resetPasswordAllowed: true +accessTokenLifespan: {{ default "1900" $realm.accessTokenLifespan }} +registrationAllowed: {{ default false $realm.registrationAllowed }} +resetPasswordAllowed: {{ default true $realm.resetPasswordAllowed }} +sslRequired: {{ default "external" $realm.sslRequired }} enabled: true {{ if $realm.themes }} {{ if $realm.themes.login }}loginTheme: {{ $realm.themes.login }}{{ end }} @@ -159,6 +160,7 @@ clients: baseUrl: {{ tpl $client.baseUrl $dot }} {{- end }} surrogateAuthRequired: {{ default false $client.surrogateAuthRequired }} + authorizationServicesEnabled: {{ default false $client.authorizationServicesEnabled }} enabled: true alwaysDisplayInConsole: false clientAuthenticatorType: {{ default "client-secret" $client.clientAuthenticatorType }} 
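Review bot: In the `_utils.tpl` realm hunk, `resetPasswordAllowed: {{ default true $realm.resetPasswordAllowed }}` cannot be turned off: Sprig's `default` treats `false` as empty and returns the fallback, so a realm that sets `resetPasswordAllowed: false` still renders `true`, leaving the password-reset flow enabled where an operator explicitly disabled it (the same pattern only works for `registrationAllowed` because its fallback is already `false`). Use a presence check instead: `resetPasswordAllowed: {{ if hasKey $realm "resetPasswordAllowed" }}{{ $realm.resetPasswordAllowed }}{{ else }}true{{ end }}`. For the new `sslRequired` default, a one-line comment that `none` disables HTTPS enforcement for every client of the realm and is only appropriate for lab setups would be worth adding beside it.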
@@ -211,33 +213,136 @@ clients: {{ toYaml $mapper.config | nindent 10 }} {{- end }} {{- end }} + {{- if $client.defaultClientScopes }} defaultClientScopes: - {{- if $client.defaultClientScopes }} - {{- range $index2, $scope := $client.defaultClientScopes }} + {{- range $index2, $scope := $client.defaultClientScopes }} - {{ $scope }} - {{- end }} - {{- else }} - - web-origins - - profile - - acr - - email {{- end }} + {{- end }} + {{- if $client.optionalClientScopes }} optionalClientScopes: - {{- if $client.optionalClientScopes }} - {{- range $index2, $scope := $client.optionalClientScopes }} + {{- range $index2, $scope := $client.optionalClientScopes }} - {{ $scope }} + {{- end }} + {{- end }} + {{- if $client.authorizationSettings }} + authorizationSettings: {{ include "auth._authorizationSettings" (dict "dot" $client.authorizationSettings ) | nindent 6 }} + {{- end }} + {{- end }} +{{- end }} + +{{/* +Renders the authorizationSettings in the client section in a realm. +Usage: +{{ include "auth._authorizationSettings" ( dict "dot" .Values) }} +*/}} +{{- define "auth._authorizationSettings" -}} +{{- $dot := default . 
.dot -}} +allowRemoteResourceManagement: "{{ default true $dot.allowRemoteResourceManagement }}" +policyEnforcementMode: "{{ default "ENFORCING" $dot.policyEnforcementMode }}" +decisionStrategy: "{{ default "UNANIMOUS" $dot.decisionStrategy }}" +resources: + {{- range $index, $resource := $dot.resources }} + - name: {{ $resource.name }} + type: {{ (default "" $resource.type) | quote }} + displayName: {{ (default "" $resource.displayName) | quote }} + ownerManagedAccess: {{ default false $resource.ownerManagedAccess }} + {{- if $resource.attributes }} + attributes: + {{- range $key,$value := $resource.attributes }} + {{ $key }}: {{ $value }} {{- end }} - {{- else }} - - address - - phone - - offline_access - - microprofile-jwt + {{- end }} + {{- if $resource.uris }} + uris: + {{- range $index2, $url := $resource.uris }} + - {{ $url }} + {{- end }} + {{- end }} + {{- if $resource.scopes }} + scopes: + {{- range $index3, $scope := $resource.scopes }} + - {{ $scope | toYaml }} + {{- end }} + {{- end }} + icon_uri: {{ (default "" $resource.icon_uri) | quote }} + {{- end }} +policies: + {{- range $index4, $policy := $dot.policies }} + - name: {{ $policy.name }} + type: {{ (default "" $policy.type) | quote }} + description: {{ (default "" $policy.description) | quote }} + logic: {{ default "POSITIVE" $policy.logic }} + decisionStrategy: {{ default "UNANIMOUS" $dot.decisionStrategy }} + config: + roles: {{ include "auth._policyRoles" (dict "dot" $policy.roles) | toJson }} + {{- end }} + {{- range $index6, $permission := $dot.permissions }} + - name: {{ $permission.name }} + type: {{ (default "" $permission.type) | quote }} + description: {{ (default "" $permission.description) | quote }} + logic: {{ default "POSITIVE" $permission.logic }} + decisionStrategy: {{ default "UNANIMOUS" $permission.decisionStrategy }} + config: + {{- if $permission.resources }} + resources: {{ include "auth._permissionResources" (dict "dot" $permission.resources) | toJson }} + {{- end }} + {{- 
if $permission.scopes }} + scopes: {{ include "auth._permissionScopes" (dict "dot" $permission.scopes) | toJson }} + {{- end }} + {{- if $permission.applyPolicies }} + applyPolicies: {{ include "auth._permissionApplyPolicies" (dict "dot" $permission.applyPolicies) | toJson }} {{- end }} {{- end }} +scopes: + {{- range $index, $scope := $dot.scopes }} + - name: {{ $scope.name }} + iconUri: {{ (default "" $scope.icon_uri) | quote }} + displayName: {{ (default "" $scope.displayName) | quote }} + {{- end }} +{{- end }} + +{{/* +Renders the roles in a policy. +Usage: +{{ include "auth._policyRoles" ( dict "dot" .Values) }} +*/}} +{{- define "auth._policyRoles" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$role := $dot }}{"id":"{{ $role.id }}","required":{{ $role.required }}}{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] {{- end }} {{/* -Renders the defaulDefaultClientScopes section in a realm. +Renders the resources in a permission. +Usage: +{{ include "auth._permissionResources" ( dict "dot" .Values) }} +*/}} +{{- define "auth._permissionResources" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$resource := $dot }}"{{ $resource }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] +{{- end }} + +{{/* +Renders the scopes in a permission. +Usage: +{{ include "auth._permissionScopes" ( dict "dot" .Values) }} +*/}} +{{- define "auth._permissionScopes" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$scope := $dot }}"{{ $scope }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] +{{- end }} + +{{/* +Renders the applyPolicies in a permission. +Usage: +{{ include "auth._permissionApplyPolicies" ( dict "dot" .Values) }} +*/}} +{{- define "auth._permissionApplyPolicies" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$policy := $dot }}"{{ $policy }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] +{{- end }} +{{/* +Renders the defaultDefaultClientScopes section in a realm. 
Usage: {{ include "auth._defaultClientScopes" ( dict "dot" .Values) }} */}} @@ -262,15 +367,15 @@ clientScopes: {{- if $dot.additionalClientScopes }} {{- range $index, $scope := $dot.additionalClientScopes }} - name: {{ $scope.name }} - description: "{{ default "" $scope.description }}" + description: {{ (default "" $scope.description) | quote }} protocol: openid-connect attributes: include.in.token.scope: 'false' display.on.consent.screen: 'true' gui.order: '' consent.screen.text: "${rolesScopeConsentText}" + {{- if $scope.protocolMappers }} protocolMappers: - {{- if $scope.protocolMappers }} {{- range $index2, $mapper := $scope.protocolMappers }} - name: {{ $mapper.name }} protocol: "openid-connect" @@ -279,8 +384,7 @@ clientScopes: config: {{ toYaml $mapper.config | nindent 8 }} {{- end }} - {{- end }} - + {{- end }} {{- end }} {{- end }} - name: roles @@ -719,7 +823,14 @@ users: {{ toYaml $user.credentials | nindent 6 }} {{- end }} disableableCredentialTypes: [] + {{- if $user.requiredActions }} + requiredActions: + {{- range $index2, $action := $user.requiredActions }} + - "{{ $action }}" + {{- end }} + {{- else }} requiredActions: [] + {{- end }} {{- if $user.realmRoles }} realmRoles: {{- range $index2, $realmRole := $user.realmRoles }} @@ -805,7 +916,11 @@ Usage: {{- define "auth._attributes" -}} {{- $dot := default . .dot -}} {{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}} +{{- if $realm.attributes }} attributes: +{{- if $realm.attributes.frontendUrl }} frontendUrl: {{ tpl $realm.attributes.frontendUrl $dot }} +{{- end }} acr.loa.map: "{\"ABC\":\"5\"}" {{- end }} +{{- end }} diff --git a/kubernetes/authentication/values.yaml b/kubernetes/authentication/values.yaml index ba99879e87..124bc18c8d 100644 --- a/kubernetes/authentication/values.yaml +++ b/kubernetes/authentication/values.yaml 
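Review bot: In the new `auth._authorizationSettings` helper, the policies loop renders `decisionStrategy: {{ default "UNANIMOUS" $dot.decisionStrategy }}` from the top-level settings rather than from the policy, unlike the permissions loop right below it that reads `$permission.decisionStrategy`; this looks like a copy-paste slip and means a per-policy strategy in values is silently ignored — `decisionStrategy: {{ default "UNANIMOUS" $policy.decisionStrategy }}`. The `default true` trap also applies to `allowRemoteResourceManagement`: a value of `false` renders as `"true"`, so remote resource management through the Protection API cannot be disabled from values; a `hasKey` check is needed there too. That field is additionally wrapped in quotes and so becomes a YAML string rather than a boolean like `ownerManagedAccess`; whether the keycloak-config-cli import tolerates the string form is not verifiable from here, so dropping the quotes is the safer choice.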
@@ -26,7 +26,7 @@ global: postaddr: "" keycloak: - intURL: "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/" + intURL: "http://keycloak-http.keycloak.svc.cluster.local/" relativePath: "auth/" ingressAuthentication: enabled: false @@ -38,12 +38,16 @@ ingressAuthentication: onap-keycloak-config-cli: image: + # "edge" is the latest build release and need to be replaced with a new version + # compatible with keycloak 26.x.y + tag: edge + #tag: "6.1.6-25.0.1" pullSecrets: - name: onap-docker-registry-key #existingSecret: "keycloak-keycloakx-admin-creds" env: # internal KC URL plus relative path - KEYCLOAK_URL: "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/" + KEYCLOAK_URL: "http://keycloak-http.keycloak.svc.cluster.local/auth/" KEYCLOAK_SSLVERIFY: "false" KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true" secrets: @@ -71,6 +75,11 @@ onap-keycloak-config-cli: memory: 10Mi onap-oauth2-proxy: + + # Addition for oauth2-proxy deployment + imagePullSecrets: + - name: '{{ include "common.namespace" . }}-docker-registry-key' + securityContext: capabilities: drop: 
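Review bot: `tag: edge` pins onap-keycloak-config-cli — the component that holds the Keycloak admin credentials and rewrites realm configuration — to a mutable floating tag, so each deployment may pull different, unreviewed code, and the added comment itself calls the tag a placeholder. Until a release compatible with Keycloak 26 exists, pin the image by digest if the repository image helper supports an `@sha256:` suffix, or at least to a dated build, and keep the TODO next to it. The surrounding context still sets `KEYCLOAK_SSLVERIFY: "false"` and the new `KEYCLOAK_URL` is plain in-cluster HTTP, so the admin credentials travel unencrypted inside the cluster; that is pre-existing, but a comment next to the new URL stating that this relies on cluster-network trust (or a service mesh) would make the assumption explicit.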
@@ -309,24 +318,24 @@ realmSettings: - name: "Client Host" protocolMapper: "oidc-usersessionmodel-note-mapper" config: - user.session.note : "clientHost" - id.token.claim : "true" - access.token.claim : "true" - claim.name : "clientHost" - jsonType.label : "String" + user.session.note: "clientHost" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "clientHost" + jsonType.label: "String" - name: "Client IP Address" protocolMapper: "oidc-usersessionmodel-note-mapper" config: - user.session.note : "clientAddress" - id.token.claim : "true" - access.token.claim : "true" - claim.name : "clientAddress" - jsonType.label : "String" + user.session.note: "clientAddress" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "clientAddress" + jsonType.label: "String" defaultClientScopes: - "onap_roles" additionalClientScopes: - name: onap_roles - description: OpenID Connect scope for add user onap roles to the access token + description: "OpenID Connect scope for add user onap roles to the access token" protocolMappers: - name: aud protocol: openid-connect diff --git a/kubernetes/cds/Chart.yaml b/kubernetes/cds/Chart.yaml index d8b6cc7de0..f179afd6e9 100644 --- a/kubernetes/cds/Chart.yaml +++ b/kubernetes/cds/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP Controller Design Studio (CDS) name: cds -version: 13.0.2 +version: 13.0.3 dependencies: - name: common diff --git a/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml b/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml index e4fc011880..cfe5c7371b 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP CDS Blueprints Processor name: cds-blueprints-processor -version: 13.0.0 +version: 13.0.1 dependencies: - name: common 
diff --git a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties index b99bae7197..004a9909ab 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties +++ b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties @@ -44,7 +44,7 @@ blueprintsprocessor.httpPort=8080 blueprintsprocessor.grpcPort=9111 # db -blueprintsprocessor.db.url=jdbc:mysql://{{.Values.config.cdsDB.dbServer}}:{{.Values.config.cdsDB.dbPort}}/{{.Values.config.cdsDB.dbName}} +blueprintsprocessor.db.url=jdbc:mariadb://{{.Values.config.cdsDB.dbServer}}:{{.Values.config.cdsDB.dbPort}}/{{.Values.config.cdsDB.dbName}} blueprintsprocessor.db.username=${CDS_DB_USERNAME} blueprintsprocessor.db.password=${CDS_DB_PASSWORD} blueprintsprocessor.db.driverClassName=org.mariadb.jdbc.Driver @@ -55,7 +55,7 @@ blueprintsprocessor.db.hibernateDialect=org.hibernate.dialect.MySQL5InnoDBDialec # processor-db endpoint blueprintsprocessor.db.processor-db.type=maria-db -blueprintsprocessor.db.processor-db.url=jdbc:mysql://{{ .Values.config.sdncDB.dbService }}:{{ .Values.config.sdncDB.dbPort }}/{{.Values.config.sdncDB.dbName}} +blueprintsprocessor.db.processor-db.url=jdbc:mariadb://{{ .Values.config.sdncDB.dbService }}:{{ .Values.config.sdncDB.dbPort }}/{{.Values.config.sdncDB.dbName}} blueprintsprocessor.db.processor-db.username=${SDNC_DB_USERNAME} blueprintsprocessor.db.processor-db.password=${SDNC_DB_PASSWORD} diff --git a/kubernetes/cds/components/cds-blueprints-processor/values.yaml b/kubernetes/cds/components/cds-blueprints-processor/values.yaml index b0812f26b8..469e40f4bd 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/values.yaml 
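Review bot: Both `blueprintsprocessor.db.url` and `blueprintsprocessor.db.processor-db.url` switch from `jdbc:mysql://` to `jdbc:mariadb://` without a comment explaining why; with `driverClassName=org.mariadb.jdbc.Driver` on the context line this plausibly tracks MariaDB Connector/J 3.x, which no longer accepts the `jdbc:mysql:` scheme by default. A short comment above the first URL, `# jdbc:mariadb scheme required by MariaDB Connector/J 3.x (jdbc:mysql needs permitMysqlScheme)`, would save the next reader a bisect. The `hibernateDialect=...MySQL5InnoDBDialect` line in the context is untouched here and may deserve the same review.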
@@ -77,7 +77,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-blueprintsprocessor:1.5.3 +image: onap/ccsdk-blueprintsprocessor:1.7.1 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml index 842c268c8a..e69d30592e 100644 --- a/kubernetes/common/cassandra/values.yaml +++ b/kubernetes/common/cassandra/values.yaml @@ -29,7 +29,7 @@ global: # global defaults enableServiceAccount: false k8ssandraOperator: - cassandraVersion: 4.1.3 + cassandraVersion: 4.1.6 persistence: #storageClassName: default size: 10Gi diff --git a/kubernetes/common/common/Chart.yaml b/kubernetes/common/common/Chart.yaml index 6fa292639e..591f24f4ee 100644 --- a/kubernetes/common/common/Chart.yaml +++ b/kubernetes/common/common/Chart.yaml @@ -17,4 +17,4 @@ apiVersion: v2 description: Common templates for inclusion in other charts name: common -version: 13.2.6 +version: 13.2.10 diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl index ca23c75896..4d762c72f5 100644 --- a/kubernetes/common/common/templates/_ingress.tpl +++ b/kubernetes/common/common/templates/_ingress.tpl @@ -744,11 +744,7 @@ metadata: name: {{ include "common.fullname" $dot }}-ingress annotations: {{ include "ingress.config.annotations" $dot }} - labels: - app: {{ $dot.Chart.Name }} - chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }} - release: {{ include "common.release" $dot }} - heritage: {{ $dot.Release.Service }} + labels: {{- include "common.labels" $dot | nindent 4 }} spec: rules: {{ include "ingress.config.port" $dot | trim }} diff --git a/kubernetes/common/common/templates/_labels.tpl b/kubernetes/common/common/templates/_labels.tpl index a690acd141..df5cab932d 100644 --- a/kubernetes/common/common/templates/_labels.tpl 
+++ b/kubernetes/common/common/templates/_labels.tpl @@ -22,11 +22,13 @@ Common labels The function takes several arguments (inside a dictionary): - .dot : environment (.) - .labels : labels to add (dict) + - .suffix : name suffix */}} {{- define "common.labels" -}} {{- $dot := default . .dot -}} -app.kubernetes.io/name: {{ include "common.name" $dot }} -app: {{ include "common.name" $dot }} +{{- $suffix := .suffix -}} +app.kubernetes.io/name: {{ include "common.name" (dict "dot" $dot "suffix" $suffix) }} +app: {{ include "common.name" (dict "dot" $dot "suffix" $suffix) }} {{- if $dot.Chart.AppVersion }} version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}" {{- else }} diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl index 743e3db1df..6feb91bd0c 100644 --- a/kubernetes/common/common/templates/_pod.tpl +++ b/kubernetes/common/common/templates/_pod.tpl @@ -98,12 +98,12 @@ securityContext: privileged: {{ hasKey .Values.containerSecurityContext "privileged" | ternary .Values.containerSecurityContext.privileged false }} allowPrivilegeEscalation: {{ hasKey .Values.containerSecurityContext "allowPrivilegeEscalation" | ternary .Values.containerSecurityContext.allowPrivilegeEscalation false }} runAsNonRoot: {{ hasKey .Values.containerSecurityContext "runAsNonRoot" | ternary .Values.containerSecurityContext.runAsNonRoot true }} -{{- if .Values.containerSecurityContext.runAsUser }} +{{- if hasKey .Values.containerSecurityContext "runAsUser" }} runAsUser: {{ .Values.containerSecurityContext.runAsUser }} {{- end }} -{{- if .Values.containerSecurityContext.runAsGroup }} +{{- if hasKey .Values.containerSecurityContext "runAsGroup" }} runAsGroup: {{ .Values.containerSecurityContext.runAsGroup }} -{{ end }} +{{- end }} {{- end }} capabilities: drop: diff --git a/kubernetes/common/common/templates/_secret.tpl b/kubernetes/common/common/templates/_secret.tpl index 9d284de500..9eb47d7093 100644 
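Review bot: Switching `{{- if .Values.containerSecurityContext.runAsUser }}` to `hasKey` is the right fix (a falsy `0` was previously dropped, so an explicit root uid was silently omitted), but the intent is not obvious from the template; add `{{/* hasKey, not truthiness: an explicit runAsUser/runAsGroup of 0 must still be rendered */}}` above the first check. Because `runAsNonRoot` defaults to `true` on the line above, a chart that now renders `runAsUser: 0` without also setting `runAsNonRoot: false` will be rejected at pod start, which is the safe failure mode and worth a sentence in the same comment. In the `_labels.tpl` hunk on this line, `common.labels` is still invoked with a bare context by the sibling hunks, so `{{- $suffix := .suffix -}}` relies on `.suffix` being nil on the root context; one line in the define's comment confirming that would help.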
--- a/kubernetes/common/common/templates/_secret.tpl +++ b/kubernetes/common/common/templates/_secret.tpl @@ -19,7 +19,7 @@ Generates a secret header with given name and desired labels. - The template takes two arguments: + The template takes three arguments: - .global: environment (.) - .name: name of the secret - .annotations: annotations which should be used @@ -29,17 +29,14 @@ */}} {{- define "common.secret._header" -}} {{- $global := .global }} + {{- $name := .name }} apiVersion: v1 kind: Secret metadata: name: {{ $name }} namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.name" $global }} - chart: {{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }} - release: {{ include "common.release" $global }} - heritage: {{ $global.Release.Service }} + labels: {{- include "common.labels" $global | nindent 4 }} {{- if .annotations }} annotations: {{- include "common.tplValue" (dict "value" .annotations "context" $global) | nindent 4 }} {{- end }} diff --git a/kubernetes/common/common/templates/_serviceMonitor.tpl b/kubernetes/common/common/templates/_serviceMonitor.tpl index 907d9c6a9c..5b80c18ac4 100644 --- a/kubernetes/common/common/templates/_serviceMonitor.tpl +++ b/kubernetes/common/common/templates/_serviceMonitor.tpl @@ -52,11 +52,7 @@ ## ServiceMonitor selector labels ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration ## - selector: - app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + selector: {{- include "common.matchLabels" . | nindent 4 }} ## RelabelConfigs to apply to samples before scraping ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig 
diff --git a/kubernetes/common/common/templates/_strimzikafka.tpl b/kubernetes/common/common/templates/_strimzikafka.tpl index a2e9c90a4f..a48b444cfc 100644 --- a/kubernetes/common/common/templates/_strimzikafka.tpl +++ b/kubernetes/common/common/templates/_strimzikafka.tpl @@ -56,6 +56,7 @@ kind: KafkaUser metadata: name: {{ include "common.name" . }}-ku labels: + {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: @@ -118,6 +119,7 @@ metadata: name: {{ ($topic.name) | lower }}-kt {{- end }} labels: + {{- include "common.labels" $ | nindent 4 }} strimzi.io/cluster: {{ include "common.release" $ }}-strimzi spec: {{- if (hasKey $topic "partitions") }} diff --git a/kubernetes/common/mariadb-galera/Chart.yaml b/kubernetes/common/mariadb-galera/Chart.yaml index 41d11a646e..552f6cc67d 100644 --- a/kubernetes/common/mariadb-galera/Chart.yaml +++ b/kubernetes/common/mariadb-galera/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Chart for MariaDB Galera cluster name: mariadb-galera -version: 13.2.2 +version: 13.2.3 keywords: - mariadb - mysql diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index 66ce8abc6e..3011d93e5a 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml 
@@ -39,50 +39,24 @@ spec: initContainers: # we shouldn't need this but for unknown reason, it's fsGroup is not # applied - - name: fix-permission + {{- if .Values.mariadbConfiguration }} + - name: copy-config command: - /bin/sh args: - -c - | - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /data - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /bootstrap/ - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /tmp/ - {{- if .Values.mariadbConfiguration }} cp /config/my.cnf /actual/my.cnf - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /actual - {{- end }} image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - - CAP_NET_RAW - add: - - CHOWN - - SYS_CHROOT - runAsGroup: {{ .Values.securityContext.group_id }} - readOnlyRootFilesystem: false - runAsUser: 0 - runAsNonRoot: false - seccompProfile: - type: RuntimeDefault + {{ include "common.containerSecurityContext" . | indent 10 | trim }} volumeMounts: - - name: previous-boot - mountPath: /bootstrap - - name: mariadb-tmp-folder - mountPath: /tmp - - name: {{ include "common.fullname" . }} - mountPath: /data - {{- if .Values.mariadbConfiguration }} - name: mariadb-galera-starting-config mountPath: /config/my.cnf subPath: my.cnf - name: mariadb-galera-actual-config mountPath: /actual - {{- end }} + {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} 
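Review bot: The context comment `# we shouldn't need this but for unknown reason, it's fsGroup is not applied` described the removed root `fix-permission` init container and is now stale above `copy-config`, which runs under `common.containerSecurityContext` and only copies `my.cnf`; replace it with `# copy-config: copies the rendered my.cnf from the config map into a writable emptyDir (ownership of /data and /bootstrap is left to fsGroup)`. Dropping the `runAsUser: 0` / `CHOWN` / `SYS_CHROOT` container is a clear least-privilege win, and the assumption that `fsGroup` now covers `/data` and `/bootstrap` is exactly what the new comment should state so nobody re-adds the chown. When `mariadbConfiguration` is unset, `initContainers:` is rendered with no items, which is accepted but would be tidier inside the same `{{- if }}`.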
@@ -185,6 +159,8 @@ spec: {{ include "common.containerSecurityContext" . | indent 10 | trim }} resources: {{ include "common.resources" . | nindent 12 }} volumeMounts: + - name: tmp + mountPath: /tmp - name: previous-boot mountPath: /opt/bitnami/mariadb/.bootstrap - name: {{ include "common.fullname" . }} @@ -258,13 +234,19 @@ spec: tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" .) | nindent 8 }} {{- end }} volumes: + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} - name: previous-boot - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.bootSizeLimit }} - name: mariadb-tmp-folder - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.tmpMariaDBSizeLimit }} {{- if .Values.mariadbConfiguration }} - name: mariadb-galera-actual-config - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.configSizeLimit }} - name: mariadb-galera-starting-config configMap: name: {{ printf "%s-configuration" (include "common.fullname" .) }} diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index faab7af1b3..6684d6dcb3 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -609,6 +609,12 @@ resources: memory: "3Gi" unlimited: {} +volumes: + bootSizeLimit: 50Mi + tmpSizeLimit: 200Mi + configSizeLimit: 50Mi + tmpMariaDBSizeLimit: 100Mi + ## MariaDB Galera containers' liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## @@ -689,6 +695,7 @@ metrics: requests: cpu: "0.5" memory: "200Mi" + ## MariaDB Galera metrics container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml index b691c40903..3e0e6c2eaa 100644 --- a/kubernetes/common/serviceAccount/Chart.yaml 
+++ b/kubernetes/common/serviceAccount/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Template used to create the right Service Accounts / Role / RoleBinding name: serviceAccount -version: 13.0.1 +version: 13.0.2 dependencies: - name: common diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml index d6d041f916..90708854ff 100644 --- a/kubernetes/common/serviceAccount/templates/role.yaml +++ b/kubernetes/common/serviceAccount/templates/role.yaml 
@@ -47,95 +47,14 @@ metadata: namespace: {{ include "common.namespace" $dot }} rules: {{- if eq $role_type "read" }} -- apiGroups: - - "" # "" indicates the core API group - - apps - - batch - - extensions - resources: - - endpoints - - services - - nodes - - pods - - deployments - - deployments/status - - jobs - - jobs/status - - statefulsets - - replicasets - - replicasets/status - - daemonsets - verbs: - - get - - watch - - list +{{- with $dot.Values.role.read }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- else }} {{- if eq $role_type "create" }} -- apiGroups: - - "" # "" indicates the core API group - - apps - - batch - - extensions - resources: - - pods - - deployments - - deployments/status - - jobs - - jobs/status - - statefulsets - - replicasets - - replicasets/status - - daemonsets - - secrets - - services - verbs: - - get - - watch - - list -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - statefulsets - - configmaps - verbs: - - patch -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - deployments - - secrets - - services - - pods - verbs: - - create -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - pods - - persistentvolumeclaims - - secrets - - deployments - - services - verbs: - - delete -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - pods/exec - verbs: - - create - - get -- apiGroups: - - cert-manager.io - resources: - - certificates - verbs: - - create - - delete +{{- with $dot.Values.role.create }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- else }} # if you don't match read or create, then you're not allowed to use API # except to see basic information about yourself diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml index 4c9f75f38d..5d20e45f58 100644 --- a/kubernetes/common/serviceAccount/values.yaml +++ b/kubernetes/common/serviceAccount/values.yaml 
@@ -22,8 +22,8 @@ global: # if "createDefaultRoles=false" roles: - nothing -# - read -# - create + # - read + # - create # Flag to enable the creation of default roles instead of using # common roles-wrapper @@ -43,3 +43,116 @@ new_roles_definitions: {} # - "get" # - "watch" # - "list" + +role: + read: + - apiGroups: + - "" # "" indicates the core API group + resources: + - services + - pods + - endpoints + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - jobs + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - jobs/status + verbs: + - get + - apiGroups: + - apps + resources: + - statefulsets + - replicasets + - deployments + - statefulsets + - daemonsets + verbs: + - get + - watch + - list + - apiGroups: + - apps + resources: + - replicasets/status + - deployments/status + - statefulsets/status + verbs: + - get + create: + - apiGroups: + - "" # "" indicates the core API group + - apps + - batchs + - extensions + resources: + - pods + - deployments + - deployments/status + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + - secrets + - services + verbs: + - get + - watch + - list + - apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - statefulsets + - configmaps + verbs: + - patch + - apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - deployments + - secrets + - services + - pods + verbs: + - create + - apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods + - persistentvolumeclaims + - secrets + - deployments + - services + verbs: + - delete + - apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods/exec + verbs: + - create + - get + - apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete 
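Review bot: `- batchs` under the first `role.create` rule's `apiGroups` is a typo for `batch`; the inline rule it replaces in `role.yaml` used `batch`, so any chart requesting the `create` role loses get/watch/list on `jobs` and `jobs/status`, and the failure only shows up at runtime as a 403 rather than at install. Fix: `- batch`. Under `role.read` the `apps` resources list has `statefulsets` twice; drop the duplicate. Since the default rule sets now live in values and are overridable per deployment, a comment above `role:` such as `# Default RBAC rules for the "read"/"create" roles; override per deployment to narrow further` would make the review boundary clear.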
diff --git a/kubernetes/cps/components/cps-core/values.yaml b/kubernetes/cps/components/cps-core/values.yaml index 94aa67efd3..2c251ee344 100644 --- a/kubernetes/cps/components/cps-core/values.yaml +++ b/kubernetes/cps/components/cps-core/values.yaml @@ -69,7 +69,7 @@ global: container: name: postgres -image: onap/cps-and-ncmp:3.4.9 +image: onap/cps-and-ncmp:3.5.4 service: type: ClusterIP diff --git a/kubernetes/dcaegen2-services/Chart.yaml b/kubernetes/dcaegen2-services/Chart.yaml index 83b344b303..83732e8298 100644 --- a/kubernetes/dcaegen2-services/Chart.yaml +++ b/kubernetes/dcaegen2-services/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 appVersion: "Oslo" description: DCAE Microservices name: dcaegen2-services -version: 15.0.0 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index 5e39d51844..183cde0024 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -85,7 +85,7 @@ This template generates a list of volumes associated with the pod, based on information provided in .Values.externalVolumes. This template works in conjunction with dcaegen2-services-common._externalVolumeMounts to give the microservice access to data in volumes created else. -This initial implementation supports ConfigMaps only, as this is the only +This implementation supports ConfigMaps & EmptyDirs only, as this is the only external volume mounting required by current microservices. .Values.externalVolumes is a list of objects. Each object has 3 required fields and 2 optional fields: 
@@ -94,7 +94,7 @@ external volume mounting required by current microservices. names of resources are sometimes set at deployment time (for instance, to prefix the Helm release to the name), the string can be a Helm template fragment that will be expanded at deployment time. - - type: the type of the resource (in the current implementation, only "ConfigMap" is supported). + - type: the type of the resource (in the current implementation, only "ConfigMap" & "emptyDir" is supported). The value is a case-INsensitive string. - mountPoint: the path to the mount point for the volume in the container file system. The value is a case-sensitive string. @@ -113,7 +113,7 @@ externalVolumes: type: configmap mountPath: /opt/app/config - name: '{{ include "common.release" . }}-another-example' - type: configmap + type: emptyDir mountPath: /opt/app/otherconfig optional: false */}} @@ -121,14 +121,18 @@ externalVolumes: {{- $global := . -}} {{- if .Values.externalVolumes }} {{- range $vol := .Values.externalVolumes }} + {{- $vname := (tpl $vol.name $global) -}} {{- if eq (lower $vol.type) "configmap" }} - {{- $vname := (tpl $vol.name $global) -}} {{- $opt := hasKey $vol "optional" | ternary $vol.optional true }} - configMap: defaultMode: 420 name: {{ $vname }} optional: {{ $opt }} name: {{ $vname }} + {{- else if eq (lower $vol.type) "emptydir" }} +- name: {{ $vname }} + emptyDir: + sizeLimit: {{ $vol.sizeLimit }} {{- end }} {{- end }} {{- end }} 
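Review bot: `sizeLimit: {{ $vol.sizeLimit }}` in the new `emptydir` branch is rendered even when the volume entry omits `sizeLimit`, which produces an empty value in the manifest; wrap it as `{{- with $vol.sizeLimit }} sizeLimit: {{ . }} {{- end }}`, or use `required` so an unbounded emptyDir is an explicit choice rather than an accident. The documentation hunk above (`@@ -94`) now lists emptyDir as supported, but the field list still says "3 required fields and 2 optional fields" and never mentions `sizeLimit`; add it there as an optional (or required-for-emptyDir) field, and "only "ConfigMap" & "emptyDir" is supported" should read "are supported". The `_externalVolumes` define starts outside the hunk.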
@@ -141,7 +145,7 @@ This template generates a list of volume mounts for the microservice container, based on information provided in .Values.externalVolumes. This template works in conjunction with dcaegen2-services-common._externalVolumes to give the microservice access to data in volumes created else. -This initial implementation supports ConfigMaps only, as this is the only +This initial implementation supports ConfigMaps & EmptyDirs, as this is the only external volume mounting required by current microservices. See the documentation for dcaegen2-services-common._externalVolumes for @@ -152,16 +156,20 @@ the microservice. {{- $global := . -}} {{- if .Values.externalVolumes }} {{- range $vol := .Values.externalVolumes }} + {{- $vname := (tpl $vol.name $global) -}} {{- if eq (lower $vol.type) "configmap" }} - {{- $vname := (tpl $vol.name $global) -}} {{- $readOnly := $vol.readOnly | default false }} - mountPath: {{ $vol.mountPath }} name: {{ $vname }} readOnly: {{ $readOnly }} + {{- else if eq (lower $vol.type) "emptydir" }} +- mountPath: {{ $vol.mountPath }} + name: {{ $vname }} {{- end }} {{- end }} {{- end }} {{- end }} + {{/* dcaegen2-services-common.microserviceDeployment: This template produces a Kubernetes Deployment for a DCAE microservice. @@ -236,6 +244,7 @@ post-processing. {{- define "dcaegen2-services-common.microserviceDeployment" -}} {{- $log := default dict .Values.log -}} {{- $logDir := default "" $log.path -}} +{{- $ves := default false .Values.ves -}} {{- $certDir := (eq "true" (include "common.needTLS" .)) | ternary (default "" .Values.certDirectory . ) "" -}} {{- $commonRelease := print (include "common.release" .) -}} {{- $policy := default dict .Values.policies -}} 
@@ -253,9 +262,15 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} initContainers: + + {{- if $ves }} + {{- include "dcaegen2-ves-collector.vesCollectorCopyEtc" . | nindent 6 }} + {{- end }} {{- if .Values.readinessCheck }} - {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} {{- end }} {{- include "common.dmaap.provisioning.initContainer" . | nindent 6 }} {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }} @@ -263,6 +278,8 @@ spec: - image: {{ default ( include "repositoryGenerator.repository" . ) .Values.imageRepositoryOverride }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 10 }} env: {{- range $cred := .Values.credentials }} - name: {{ $cred.name }} @@ -307,6 +324,26 @@ spec: {{- end }} {{- end }} {{- end }} + {{- if .Values.liveness }} + livenessProbe: + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds | default 5 }} + periodSeconds: {{ .Values.liveness.periodSeconds | default 15 }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds | default 1 }} + {{- $probeType := .Values.liveness.type | default "httpGet" -}} + {{- if eq $probeType "httpGet" }} + httpGet: + scheme: {{ .Values.liveness.scheme }} + path: {{ .Values.liveness.path }} + port: {{ .Values.liveness.port }} + {{- end }} + {{- if eq $probeType "exec" }} + exec: + command: + {{- range $cmd := .Values.liveness.command }} + - {{ $cmd }} + {{- end }} + {{- end }} + {{- end }} resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - mountPath: /app-config 
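Review bot: `securityContext:` followed by `{{- toYaml .Values.podSecurityContext | nindent 8 }}` is unconditional, so the dcaegen2 microservices that do not define `podSecurityContext` (only dcae-prh and dcae-ves-collector gain one in this commit) render `securityContext: null`, which is accepted but leaves them without any pod-level hardening and reads like a template bug. Either wrap both the pod-level block and the container-level block (`@@ -263` hunk on this line) in `{{- with ... }}` / `{{- end }}`, or better, fall back to a common default so every microservice runs non-root with a seccomp profile, e.g. `{{- toYaml (.Values.podSecurityContext | default (dict "runAsNonRoot" true "seccompProfile" (dict "type" "RuntimeDefault"))) | nindent 8 }}`. Whichever is chosen, document it in the `microserviceDeployment` header comment, which is outside this hunk.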
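Review bot: In the new `livenessProbe` block the exec form emits `- {{ $cmd }}` unquoted, so a command argument containing `: ` or ` #`, or starting with `-` or `*`, breaks the rendered YAML; use `- {{ $cmd | quote }}`. The `httpGet` branch renders `scheme`, `path` and `port` unconditionally, so a chart that sets `liveness:` without all three yields empty values that fail validation; either mark them `required` or default `scheme` to `HTTP` as `scheme: {{ .Values.liveness.scheme | default "HTTP" }}`.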
@@ -314,7 +351,7 @@ spec: - mountPath: /app-config-input name: app-config-input - mountPath: /tmp - name: tmp-volume + name: tmp {{- if $logDir }} - mountPath: {{ $logDir}} name: logs @@ -387,12 +424,13 @@ spec: - emptyDir: medium: Memory name: app-config - - name: tmp-volume + - name: tmp emptyDir: sizeLimit: 128Mi {{- if $logDir }} - - emptyDir: {} - name: logs + - name: logs + emptyDir: + sizeLimit: 128Mi {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} {{- end }} {{- if $certDir }} diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl new file mode 100644 index 0000000000..a3a724741f --- /dev/null +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl @@ -0,0 +1,26 @@ +{{- define "dcaegen2-ves-collector.vesCollectorCopyEtc" -}} +- name: dcae-ves-collector-copy-etc + command: ["cp", "-R", "/opt/app/VESCollector/etc/.", "/opt/app/VESCollector/etc_rw/"] + image: {{ default ( include "repositoryGenerator.repository" . ) .Values.imageRepositoryOverride }}/{{ .Values.image }} + imagePullPolicy: Always + resources: + limits: + cpu: {{ .Values.copyEtc.resources.limits.cpu }} + memory: {{ .Values.copyEtc.resources.limits.memory }} + requests: + cpu: {{ .Values.copyEtc.resources.requests.cpu }} + memory: {{ .Values.copyEtc.resources.requests.memory }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsNonRoot: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/app/VESCollector/etc_rw + name: ves-collector-etc +{{- end }} 
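Review bot: The new `dcaegen2-ves-collector.vesCollectorCopyEtc` init container hard-codes `imagePullPolicy: Always`, whereas the main container in `microserviceDeployment` uses `{{ .Values.global.pullPolicy | default .Values.pullPolicy }}`; use the same expression so operators who set `IfNotPresent` (air-gapped or rate-limited registries) are not forced into a registry pull for the init container. The define has no header comment; add one stating what it expects from the chart (`.Values.copyEtc.resources`, `.Values.image` / `imageRepositoryOverride`, and an `externalVolumes` entry named `ves-collector-etc`) and that it copies the image's `/opt/app/VESCollector/etc` into that writable volume so the main container can run with `readOnlyRootFilesystem: true`. The container sets `runAsNonRoot: true` but no `runAsUser`, which relies on `podSecurityContext.runAsUser` being set by the chart; state that in the same comment.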
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml index fefc06e805..408c0a9300 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml @@ -19,10 +19,10 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "NewDelhi" +appVersion: "Oslo" description: DCAE PRH name: dcae-prh -version: 13.1.0 +version: 13.1.1 dependencies: - name: common diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml index 11cb72690c..2c9612f4e0 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml @@ -55,7 +55,14 @@ secrets: # probe configuration readiness: - initialDelaySeconds: 5 + initialDelaySeconds: 25 + periodSeconds: 15 + path: /heartbeat + scheme: HTTP + port: 8100 + timeoutSeconds: 30 +liveness: + initialDelaySeconds: 25 periodSeconds: 15 path: /heartbeat scheme: HTTP @@ -197,3 +204,32 @@ serviceAccount: nameOverride: dcae-prh roles: - read + +# Pod Security context +podSecurityContext: + runAsGroup: 1414 + runAsUser: 1414 + fsGroup: 1414 + seccompProfile: + type: RuntimeDefault + +# Container Security context +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsNonRoot: true + +# PRH volumes +externalVolumes: + - name: prh-logs + mountPath: /var/log/ONAP/prh/prh-app-server/ + type: emptyDir + sizeLimit: 64Mi + +# PRH pod annotations +podAnnotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml index 61a5f03b7e..6c03c1a6b2 100644 
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml @@ -19,10 +19,10 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "NewDelhi" +appVersion: "Oslo" description: DCAE VES Collector name: dcae-ves-collector -version: 13.1.0 +version: 13.1.1 dependencies: - name: common diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index ae75bacb57..0007b9cd52 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml @@ -85,6 +85,12 @@ readiness: path: /healthcheck scheme: HTTP port: 8080 +liveness: + initialDelaySeconds: 5 + periodSeconds: 15 + path: /healthcheck + scheme: HTTP + port: 8080 # service configuration service: @@ -288,3 +294,45 @@ serviceAccount: nameOverride: dcae-ves-collector roles: - read + +# Pod Security context +podSecurityContext: + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault + +# Container Security context +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsNonRoot: true + +# Flag which can be used to put VES-COLLECTOR specific properties in template +ves: true + +# VES-COLLECTOR volumes +externalVolumes: + - name: ves-collector-etc + type: emptyDir + sizeLimit: 50Mi + mountPath: /opt/app/VESCollector/etc + +# VES-COLLECTOR pod annotations +podAnnotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" + +# Resources for init container copy-etc +copyEtc: + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 30m + memory: 32Mi 
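Review bot: `podSecurityContext` for dcae-ves-collector sets `runAsUser: 100` but `runAsGroup: 1000` and `fsGroup: 1000`, which differs from the uniform uid/gid (1414) chosen for dcae-prh in the same change; if 100/1000 matches the account baked into the VES image, say so in the comment, e.g. `# uid 100 / gid 1000 match the user in the VES collector image`, so a future cleanup does not "align" it and break file access. `ves: true` is a very generic name for a flag that the common template uses to include the copy-etc init container; a comment naming the consumer (`dcaegen2-services-common.microserviceDeployment`) would help. The `externalVolumes` entry should also note that its `mountPath` shadows the image's `etc` directory, which is exactly why the init container exists.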
diff --git a/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml b/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml index af62dc30ca..cae85bfb90 100644 --- a/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml +++ b/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml @@ -70,7 +70,7 @@ output.logstash: #ssl.key_passphrase: $ssl.key_passphrase logging: - level: debug + level: info # enable file rotation with default configuration to_files: true diff --git a/kubernetes/multicloud/Chart.yaml b/kubernetes/multicloud/Chart.yaml index cecef8c2e2..fd028a718f 100644 --- a/kubernetes/multicloud/Chart.yaml +++ b/kubernetes/multicloud/Chart.yaml @@ -2,6 +2,7 @@ # Modifications Copyright © 2018 AT&T # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ apiVersion: v2 description: ONAP multicloud broker name: multicloud -version: 15.0.0 +version: 15.0.2 dependencies: - name: common diff --git a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml index b825f67969..64c8d5a7fe 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml @@ -1,5 +1,6 @@ # Copyright (c) 2019, CMCC Technologies Co., Ltd. # Modifications Copyright © 2021 Orange +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml index 5dc375290a..046f940d40 100644 
--- a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml @@ -1,6 +1,7 @@ # Copyright 2019 Intel Corporation, Inc # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,7 +18,7 @@ apiVersion: v2 description: ONAP Multicloud Kubernetes Plugin name: multicloud-k8s -version: 13.1.0 +version: 13.1.2 dependencies: - name: common diff --git a/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json b/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json index d6fa40d471..08c228f2eb 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json +++ b/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json @@ -8,4 +8,4 @@ "database-address": "multicloud-k8s-mongo", "etcd-ip": "multicloud-k8s-etcd", "plugin-dir": "/opt/multicloud/k8splugin/plugins" -}
\ No newline at end of file +} diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml index 9881a13615..6ed5dee8ee 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright 2019 Intel Corporation, Inc +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,6 +24,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -30,6 +32,7 @@ spec: command: ["/opt/multicloud/k8splugin/k8plugin"] workingDir: /opt/multicloud/k8splugin ports: {{ include "common.containerPorts" . | nindent 10 }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: @@ -43,9 +46,11 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /opt/multicloud/k8splugin/k8sconfig.json - name: {{ include "common.name" .}} - subPath: k8sconfig.json + - mountPath: /tmp + name: tmp-dir-k8s + - mountPath: /opt/multicloud/k8splugin/k8sconfig.json + name: {{ include "common.name" .}} + subPath: k8sconfig.json resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: 
@@ -60,10 +65,28 @@ spec: name: framework-artifactbroker command: ["/opt/app/distribution/bin/artifact-dist.sh"] args: ["/opt/app/distribution/etc/mounted/config.json"] + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + resources: {{ include "common.resources" . | nindent 10 }} ports: - containerPort: {{ .Values.artifactbroker.internalPort }} protocol: TCP + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.artifactbroker.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.artifactbroker.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: + - mountPath: /tmp + name: tmp-dir-broker + - mountPath: "{{ .Values.log.path }}" + name: framework-log - mountPath: /opt/app/distribution/etc/mounted/config.json name: {{ include "common.name" .}} subPath: config.json @@ -77,9 +100,19 @@ spec: key: sasl.jaas.config serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: tmp-dir-k8s + emptyDir: + sizeLimit: {{ .Values.volumes.tmpK8SSizeLimit }} + - name: tmp-dir-broker + emptyDir: + sizeLimit: {{ .Values.volumes.tmpBrokerSizeLimit }} + - name: framework-log + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} - name : {{ include "common.name" . }} configMap: name: {{ include "common.fullname" . }} - name: artifact-data - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.artifactDataSizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/multicloud/components/multicloud-k8s/values.yaml b/kubernetes/multicloud/components/multicloud-k8s/values.yaml index 5c9c0ad864..f22dfa7644 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/values.yaml 
+++ b/kubernetes/multicloud/components/multicloud-k8s/values.yaml @@ -1,4 +1,5 @@ # Copyright 2019 Intel Corporation, Inc +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -59,6 +60,16 @@ nodeSelector: {} affinity: {} +securityContext: + user_id: 999 + group_id: 999 + +volumes: + tmpK8SSizeLimit: 100Mi + tmpBrokerSizeLimit: 100Mi + artifactDataSizeLimit: 100Mi + logSizeLimit: 100Mi + # probe configuration parameters liveness: initialDelaySeconds: 10 @@ -70,6 +81,7 @@ liveness: readiness: initialDelaySeconds: 10 periodSeconds: 30 + enabled: true service: type: NodePort @@ -181,3 +193,7 @@ serviceAccount: nameOverride: multicloud-k8s roles: - read + +#Log configuration +log: + path: /var/log/onap diff --git a/kubernetes/multicloud/templates/deployment.yaml b/kubernetes/multicloud/templates/deployment.yaml index 80a09c73b8..a03a6d02b7 100644 --- a/kubernetes/multicloud/templates/deployment.yaml +++ b/kubernetes/multicloud/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
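Review bot: The new `readiness.enabled: true` flag is never consulted: the artifactbroker `readinessProbe` added in the accompanying deployment.yaml renders unconditionally (only `liveness.enabled` is checked), and the k8splugin container's probe header is outside the visible hunks so I cannot confirm it is gated either. Either wrap the readiness probes in `{{ if .Values.readiness.enabled }}` … `{{ end }}` as the liveness ones are, or drop the key so operators do not assume it disables anything. Separately, `securityContext.user_id: 999` / `group_id: 999` are presumably consumed by the common security-context helpers; a comment such as `# must match the non-root user baked into the multicloud-k8s image` would tell the next person bumping the image what to verify.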
@@ -24,6 +25,23 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + - name: {{ include "common.name" . }}-copy-pub + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["cp", "-R", "/opt/multivimbroker/multivimbroker/pub/.", "/opt/multivimbroker/multivimbroker/pub_rw/"] + resources: + limits: + cpu: 200m + memory: 200Mi + requests: + cpu: 10m + memory: 100Mi + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + volumeMounts: + - mountPath: /opt/multivimbroker/multivimbroker/pub_rw + name: framework-pub containers: - env: - name: MSB_PROTO @@ -50,9 +68,12 @@ spec: image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} volumeMounts: - mountPath: "{{ .Values.log.path }}" name: framework-log + - mountPath: /opt/multivimbroker/multivimbroker/pub + name: framework-pub - mountPath: /opt/multivimbroker/multivimbroker/pub/config/log.yml name: framework-logconfig subPath: log.yml 
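Review bot: The new `copy-pub` init container carries no comment explaining why the image's `pub/` tree is copied into the `framework-pub` emptyDir, and the reason is not visible in this file because the hardening lives in `common.containerSecurityContext`. I would add above `initContainers:` a line like `# pub/ is written at runtime; the hardened container context makes the image copy read-only, so seed a writable emptyDir from it` — hedged, since I cannot see here that the helper sets readOnlyRootFilesystem. Note also that `cp -R` without `-p` only works because init and main container share the same security context; if they ever diverge, ownership on the emptyDir will not match the runtime user. The main container's `pub/config/log.yml` subPath mount now nests inside the `pub` emptyDir mount, which the kubelet should order correctly, but that dependency is worth a comment too.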
@@ -62,25 +83,34 @@ spec: ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} + {{ if .Values.liveness.enabled }} livenessProbe: httpGet: - path: /api/multicloud/v0/swagger.json port: {{ .Values.service.internalPort }} - scheme: "HTTP" + path: {{ .Values.liveness.path }} + scheme: HTTP initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end -}} - + {{ end }} + {{ if .Values.readiness.enabled }} + readinessProbe: + httpGet: + port: {{ .Values.service.internalPort }} + path: {{ .Values.readiness.path }} + scheme: HTTP + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + {{ end }} # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: framework-log - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: framework-pub + emptyDir: + sizeLimit: {{ .Values.volumes.pubSizeLimit }} - name: provider-plugin configMap: name: {{ include "common.fullname" . }}-provider-plugin-configmap diff --git a/kubernetes/multicloud/values.yaml b/kubernetes/multicloud/values.yaml index 69063906ba..0579cb9e7b 100644 --- a/kubernetes/multicloud/values.yaml +++ b/kubernetes/multicloud/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
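Review bot: The rewritten `livenessProbe` drops `timeoutSeconds`, `successThreshold` and `failureThreshold` (previously 10/1/5 from values.yaml, removed in the same change) without replacement, so the kubelet defaults of a 1s timeout and 3 failures now apply — a far more aggressive restart policy for a probe that fetches `/api/multicloud/v0/swagger.json`, which may well exceed 1s under load. Keep at least `timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}` and `failureThreshold: {{ .Values.liveness.failureThreshold }}` (restoring those keys in values.yaml), and give the new `readinessProbe` a `timeoutSeconds` as well. The switch from `{{- if eq … true }}` to `{{ if … }}` is fine, but the dropped `-` leaves blank lines in the rendered manifest; harmless, yet inconsistent with the rest of the template.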
@@ -57,14 +58,26 @@ nodeSelector: {} affinity: {} +securityContext: + user_id: 100 + group_id: 65533 + +volumes: + logSizeLimit: 50Mi + pubSizeLimit: 50Mi + # probe configuration parameters liveness: + enabled: true + path: /api/multicloud/v0/swagger.json initialDelaySeconds: 30 periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 5 + +readiness: enabled: true + path: /api/multicloud/v0/swagger.json + initialDelaySeconds: 10 + periodSeconds: 30 service: type: NodePort diff --git a/kubernetes/onap/Chart.yaml b/kubernetes/onap/Chart.yaml index a035097004..d9a3679c0c 100644 --- a/kubernetes/onap/Chart.yaml +++ b/kubernetes/onap/Chart.yaml @@ -1,5 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021,2024 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,11 +26,11 @@ kubeVersion: ">=1.19.11-0" dependencies: - name: authentication - version: ~14.x-0 + version: ~15.x-0 repository: '@local' condition: authentication:enabled - name: aai - version: ~14.x-0 + version: ~15.x-0 repository: '@local' condition: aai.enabled - name: cassandra @@ -61,7 +61,7 @@ dependencies: repository: '@local' condition: multicloud.enabled - name: policy - version: ~14.x-0 + version: ~15.x-0 repository: '@local' condition: policy.enabled - name: portal-ng @@ -96,7 +96,7 @@ dependencies: repository: '@local' condition: strimzi.enabled - name: uui - version: ~13.x-0 + version: ~15.x-0 repository: '@local' condition: uui.enabled - name: platform diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml index 9b631c7af5..2bf703c622 100755 --- a/kubernetes/policy/Chart.yaml +++ b/kubernetes/policy/Chart.yaml @@ -19,7 +19,7 @@ apiVersion: v2 description: ONAP Policy name: policy -version: 14.0.5 +version: 15.0.1 dependencies: - name: common 
@@ -28,57 +28,57 @@ dependencies: - name: mariadb-galera version: ~13.x-0 repository: '@local' - condition: global.mariadbGalera.useInPolicy,global.mariadbGalera.localCluster + condition: global.mariadbGalera.localCluster - name: policy-nexus - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/policy-nexus' condition: policy-nexus.enabled - name: policy-api - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/policy-api' condition: policy-api.enabled - name: policy-pap - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/policy-pap' condition: policy-pap.enabled - name: policy-xacml-pdp - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/policy-xacml-pdp' condition: policy-xacml-pdp.enabled - name: policy-apex-pdp - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/policy-apex-pdp' condition: policy-apex-pdp.enabled - name: policy-drools-pdp - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/policy-drools-pdp' condition: policy-drools-pdp.enabled - name: policy-distribution - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/policy-distribution' condition: policy-distribution.enabled - name: policy-clamp-ac-k8s-ppnt - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/policy-clamp-ac-k8s-ppnt' condition: policy-clamp-ac-k8s-ppnt.enabled - name: policy-clamp-ac-http-ppnt - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/policy-clamp-ac-http-ppnt' condition: policy-clamp-ac-http-ppnt.enabled - name: policy-clamp-ac-a1pms-ppnt - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/policy-clamp-ac-a1pms-ppnt' condition: policy-clamp-ac-a1pms-ppnt.enabled - name: policy-clamp-ac-kserve-ppnt - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/policy-clamp-ac-kserve-ppnt' condition: policy-clamp-ac-kserve-ppnt.enabled - name: policy-clamp-ac-pf-ppnt - version: ~14.x-0 + version: ~15.x-0 
repository: 'file://components/policy-clamp-ac-pf-ppnt' condition: policy-clamp-ac-pf-ppnt.enabled - name: policy-clamp-runtime-acm - version: ~14.x-0 + version: ~15.x-0 repository: 'file://components/policy-clamp-runtime-acm' condition: policy-clamp-runtime-acm.enabled - name: repositoryGenerator @@ -93,4 +93,4 @@ dependencies: - name: postgres version: ~13.x-0 repository: '@local' - condition: global.postgres.useInPolicy,global.postgres.localCluster + condition: global.postgres.localCluster diff --git a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml index 4ec4725860..3cd9ef8e59 100755 --- a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2021,2024 Nordix Foundation # Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy APEX PDP name: policy-apex-pdp -version: 14.0.1 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index 0c83a55651..9cf89b4c79 100755 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml 
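Review bot: Trimming the dependency conditions to `global.mariadbGalera.localCluster` and `global.postgres.localCluster` changes which flag controls the local database subcharts: Helm evaluates only the first existing path in a comma-separated `condition`, so previously `useInPolicy` decided and now `localCluster` alone does. If an override sets both `localCluster` flags true, both mariadb-galera and postgres will now be deployed under policy, where before `useInPolicy` selected one. If `useInPolicy` is still defined in policy's values.yaml (outside this diff) it is now dead configuration and should be removed, or its comment updated to say it no longer gates the subchart.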
@@ -47,7 +47,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-apex-pdp:3.1.3 +image: onap/policy-apex-pdp:4.0.1 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-api/Chart.yaml b/kubernetes/policy/components/policy-api/Chart.yaml index f5c876646b..6c3351a5df 100755 --- a/kubernetes/policy/components/policy-api/Chart.yaml +++ b/kubernetes/policy/components/policy-api/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Design API name: policy-api -version: 14.0.2 +version: 15.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml index c39a27bdeb..3e357a66e7 100644 --- a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml +++ b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml @@ -40,9 +40,6 @@ spring: hikari: maximumPoolSize: 20 jpa: - properties: - hibernate: - dialect: org.hibernate.dialect.MariaDB103Dialect hibernate: ddl-auto: none naming: @@ -64,10 +61,6 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy - properties: - hibernate: - dialect: org.hibernate.dialect.PostgreSQLDialect - format_sql: true {{ end }} policy-api: diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index 902268f41a..3e86ed1894 100755 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml 
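Review bot: Removing the explicit hibernate `dialect` for both the MariaDB and PostgreSQL branches of apiParameters.yaml leaves dialect selection to Hibernate's JDBC-metadata auto-detection; that is the recommended path on Hibernate 6, where `MariaDB103Dialect` is deprecated, and presumably accompanies the policy-api 4.0.1 image bump, but nothing in the file says so. A one-line comment above each `jpa:` block, e.g. `# dialect intentionally omitted: auto-detected from JDBC metadata`, would stop someone re-adding it on the next merge. The removed `format_sql: true` is a harmless log-noise reduction.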
@@ -51,7 +51,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-api:3.1.3 +image: onap/policy-api:4.0.1 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml index a9d27d60a8..a89c614c4f 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml @@ -20,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp A1PMS Participant name: policy-clamp-ac-a1pms-ppnt -version: 14.0.1 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml index 5bfa825e18..0404a8a68c 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# Copyright (C) 2022,2024 Nordix Foundation. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -32,6 +32,9 @@ security: participant: intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} reportingTimeIntervalMs: 120000 description: Participant Description participantId: 101c62b3-8918-41b9-a747-d21eb79c6c00 @@ -40,7 +43,7 @@ participant: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} @@ -50,11 +53,23 @@ participant: security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml index a23e732c8b..b882829ae3 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml 
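Review bot: The new sync-topic `topicSources` entry keeps `allow.auto.create.topics: false`, so `acm-ppnt-sync` must already exist in the Strimzi cluster when the participant subscribes; no `KafkaTopic` for it appears in this diff, so confirm the acm-runtime chart (or a shared topic resource) declares it, otherwise the consumer will report an unknown topic until it is created. The entry is otherwise a verbatim copy of the operation-topic block; a `{{ range }}` over the two topic names would keep the SASL settings in one place instead of two copies that must stay in sync.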
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2022-2023 Nordix Foundation. +# Copyright (C) 2022-2024 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -23,8 +23,10 @@ global: persistence: {} kafkaTopics: - acRuntimeTopic: - name: &acRuntimeTopic policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig @@ -41,7 +43,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-a1pms-ppnt:7.1.3 +image: onap/policy-clamp-ac-a1pms-ppnt:8.0.1 pullPolicy: Always componentName: &componentName policy-clamp-ac-a1pms-ppnt @@ -147,6 +149,9 @@ kafkaUser: - name: *componentName type: group operations: [Read] - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic type: topic operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml index 979aa4f598..1c3abbbc97 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml @@ -20,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Http Participant name: policy-clamp-ac-http-ppnt -version: 14.0.1 +version: 15.0.0 dependencies: - name: common 
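Review bot: The ACL added for `acRuntimeSyncTopic` grants `[Read, Write]`, but in A1pmsParticipantParameters.yaml the sync topic is only listed under `topicSources`; `topicSinks` still names only the operation topic, so this participant never produces to it. Reduce it to `operations: [Read]` unless the image writes to the sync topic outside this configuration — least privilege on the Kafka user limits what a compromised participant could inject into the runtime's sync channel. The operation topic legitimately needs both, since it is both a source and a sink here.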
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml index d447360dd9..8b877ffc0d 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -32,6 +32,9 @@ security: participant: intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} reportingTimeIntervalMs: 120000 description: Participant Description participantId: 101c62b3-8918-41b9-a747-d21eb79c6c01 @@ -40,7 +43,7 @@ participant: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} 
@@ -50,11 +53,23 @@ participant: security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml index 8593a3d316..e7d317e9af 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml @@ -24,8 +24,10 @@ global: persistence: {} #Strimzi Kafka properties kafkaTopics: - acRuntimeTopic: - name: &acRuntimeTopic policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig @@ -42,7 +44,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-http-ppnt:7.1.3 +image: onap/policy-clamp-ac-http-ppnt:8.0.1 pullPolicy: Always componentName: &componentName policy-clamp-ac-http-ppnt 
@@ -138,6 +140,9 @@ kafkaUser: - name: *componentName type: group operations: [Read] - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic type: topic operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml index 5a1cb6e80b..09dadf2806 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop K8s Participant name: policy-clamp-ac-k8s-ppnt -version: 14.0.1 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml index 14deab557b..4616d6643a 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. All rights reserved. +# Copyright (C) 2021-2022,2024 Nordix Foundation. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
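Review bot: `[Read, Write]` on `acRuntimeSyncTopic` is broader than the http participant's own configuration requires: HttpParticipantParameters.yaml adds the sync topic only to `topicSources`, while `topicSinks` still carries just the operation topic. Grant `operations: [Read]` for the sync topic unless the image is known to publish to it outside this config; keeping producer rights off a consume-only topic narrows the blast radius if this participant's credentials leak.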
@@ -34,6 +34,9 @@ participant: localChartDirectory: /home/policy/local-charts infoFileName: CHART_INFO.json intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} reportingTimeIntervalMs: 120000 description: Participant Description participantId: 101c62b3-8918-41b9-a747-d21eb79c6c02 @@ -42,7 +45,7 @@ participant: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} @@ -52,11 +55,23 @@ participant: security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml index 5e43b94965..ea00a34dad 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -25,8 +25,10 @@ global: persistence: {} #Strimzi Kafka properties kafkaTopics: - acRuntimeTopic: - name: &acRuntimeTopic policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig @@ -43,7 +45,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-k8s-ppnt:7.1.3 +image: onap/policy-clamp-ac-k8s-ppnt:8.0.1 pullPolicy: Always componentName: &componentName policy-clamp-ac-k8s-ppnt @@ -153,6 +155,9 @@ kafkaUser: - name: *componentName type: group operations: [Read] - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic type: topic operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml index 863d07952f..2982043dab 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml @@ -20,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Kserve Participant name: policy-clamp-ac-kserve-ppnt -version: 14.0.1 +version: 15.0.0 dependencies: - name: common 
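Review bot: The k8s participant's Kafka user receives `[Read, Write]` on `acRuntimeSyncTopic`, yet KubernetesParticipantParameters.yaml only consumes from that topic (`topicSources`); its `topicSinks` remains the operation topic alone. Unless the image writes to the sync topic outside this configuration, `operations: [Read]` is sufficient, and the narrower ACL is preferable for a participant that also holds Helm-level rights in the cluster.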
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml index 6613235050..55aa8eb641 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml @@ -39,6 +39,9 @@ security: participant: intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} reportingTimeIntervalMs: 120000 description: Participant Description participantId: 101c62b3-8918-41b9-a747-d21eb79c6c04 @@ -47,7 +50,7 @@ participant: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} 
@@ -57,11 +60,23 @@ participant: security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml index 6f9868bc0d..2221ce83ba 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml @@ -24,8 +24,10 @@ global: persistence: {} #Strimzi Kafka properties kafkaTopics: - acRuntimeTopic: - name: &acRuntimeTopic policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig @@ -42,7 +44,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-kserve-ppnt:7.1.3 +image: onap/policy-clamp-ac-kserve-ppnt:8.0.1 pullPolicy: Always componentName: &componentName policy-clamp-ac-kserve-ppnt 
@@ -137,6 +139,9 @@ kafkaUser: - name: *componentName type: group operations: [Read] - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic type: topic operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml index 4460c18fcd..49d7522eaf 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml @@ -20,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Policy Participant name: policy-clamp-ac-pf-ppnt -version: 14.0.1 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml index 729a455d07..1e7edea091 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -50,6 +50,9 @@ participant: useHttps: "false" allowSelfSignedCerts: true intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} reportingTimeIntervalMs: 120000 description: Participant Description participantId: 101c62b3-8918-41b9-a747-d21eb79c6c03 @@ -58,7 +61,7 @@ participant: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} @@ -68,11 +71,23 @@ participant: security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml index 97bebd00d2..e7fbbb1f84 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -24,8 +24,10 @@ global: persistence: {} #Strimzi Kafka properties kafkaTopics: - acRuntimeTopic: - name: &acRuntimeTopic policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig @@ -54,7 +56,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-pf-ppnt:7.1.3 +image: onap/policy-clamp-ac-pf-ppnt:8.0.1 pullPolicy: Always componentName: &componentName policy-clamp-ac-pf-ppnt @@ -159,6 +161,9 @@ kafkaUser: - name: *componentName type: group operations: [Read] - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic type: topic operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml index ef9a7494ec..8b22acd09c 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Runtime name: policy-clamp-runtime-acm -version: 14.0.2 +version: 15.0.0 dependencies: - name: common @@ -33,4 +33,4 @@ dependencies: repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: '@local'
\ No newline at end of file + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml index 2e09397806..f1785acb0f 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml @@ -71,6 +71,9 @@ server: enabled: false runtime: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} participantParameters: heartBeatMs: 120000 maxMessageAgeMs: 600000 @@ -83,7 +86,7 @@ runtime: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} @@ -97,7 +100,19 @@ runtime: - useHttps: false fetchTimeout: 15000 - topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} topicCommInfrastructure: kafka servers: - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} @@ -114,4 +129,4 @@ management: endpoints: web: exposure: - include: health, metrics, prometheus
\ No newline at end of file + include: health, metrics, prometheus diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index eb974d6ed2..9f78b29dae 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml @@ -29,8 +29,10 @@ global: useInPolicy: true #Strimzi Kafka properties kafkaTopics: - acRuntimeTopic: - name: &acRuntimeTopic policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig @@ -53,7 +55,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-runtime-acm:7.1.3 +image: onap/policy-clamp-runtime-acm:8.0.1 pullPolicy: Always componentName: &componentName policy-clamp-runtime-acm @@ -78,12 +80,16 @@ kafkaUser: - name: *componentName type: group operations: [Read] - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic type: topic operations: [Read, Write] kafkaTopic: - - name: *acRuntimeTopic + - name: *acRuntimeOperationTopic + - name: *acRuntimeSyncTopic db: user: policy-user diff --git a/kubernetes/policy/components/policy-distribution/Chart.yaml b/kubernetes/policy/components/policy-distribution/Chart.yaml index b2d1cde724..3ac1d031a3 100755 --- a/kubernetes/policy/components/policy-distribution/Chart.yaml +++ b/kubernetes/policy/components/policy-distribution/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Distribution name: policy-distribution -version: 14.0.1 +version: 15.0.0 dependencies: - name: common 
diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index f93dffe1ee..f393250045 100755 --- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -59,7 +59,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/policy-distribution:3.1.3 +image: onap/policy-distribution:4.0.1 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml index 25060ae593..37ab25cf88 100755 --- a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml @@ -19,7 +19,7 @@ apiVersion: v2 description: ONAP Drools Policy Engine (PDP-D) name: policy-drools-pdp -version: 14.0.2 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf index dc7f788405..6f0a1bdcbe 100644 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf @@ -141,4 +141,4 @@ SDNC_CONTEXT_URI=restconf/operations/ # CDS CDS_GRPC_HOST={{.Values.cds.grpc.svcName}} -CDS_GRPC_PORT={{.Values.cds.grpc.svcPort}}
\ No newline at end of file +CDS_GRPC_PORT={{.Values.cds.grpc.svcPort}} diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index f22d642e95..8fbd6c6446 100644 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -47,7 +47,7 @@ secrets: ################################################################# # application image # The newest images have been tested with SASL and Postgres. The images released next will have the relevant fixes -image: onap/policy-pdpd-cl:2.1.3 +image: onap/policy-pdpd-cl:3.0.1 pullPolicy: Always diff --git a/kubernetes/policy/components/policy-nexus/Chart.yaml b/kubernetes/policy/components/policy-nexus/Chart.yaml index dcb3c3ac72..eb6c92e75b 100755 --- a/kubernetes/policy/components/policy-nexus/Chart.yaml +++ b/kubernetes/policy/components/policy-nexus/Chart.yaml @@ -19,7 +19,7 @@ apiVersion: v2 description: ONAP Policy Nexus name: policy-nexus -version: 14.0.2 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml index 2122e6fb3f..29f9ed3e72 100755 --- a/kubernetes/policy/components/policy-pap/Chart.yaml +++ b/kubernetes/policy/components/policy-pap/Chart.yaml @@ -23,7 +23,7 @@ apiVersion: v2 description: ONAP Policy Administration (PAP) name: policy-pap -version: 14.0.2 +version: 15.0.0 dependencies: - name: common @@ -34,4 +34,4 @@ dependencies: repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: '@local'
\ No newline at end of file + repository: '@local' diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 4c6f5355e0..2a5d938a01 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml @@ -71,7 +71,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pap:3.1.3 +image: onap/policy-pap:4.0.1 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml index a02171ef31..f4046126dd 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy XACML PDP (PDP-X) name: policy-xacml-pdp -version: 14.0.3 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties index 3df3578fd2..478cf84ca5 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties +++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties @@ -77,4 +77,4 @@ jakarta.persistence.jdbc.driver=org.postgresql.Driver jakarta.persistence.jdbc.url=jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/operationhistory {{ end }} jakarta.persistence.jdbc.user=${SQL_USER} -jakarta.persistence.jdbc.password=${SQL_PASSWORD}
\ No newline at end of file +jakarta.persistence.jdbc.password=${SQL_PASSWORD} diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index b20ab89370..bdad532b40 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -54,7 +54,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-xacml-pdp:3.1.3 +image: onap/policy-xacml-pdp:4.0.1 pullPolicy: Always componentName: &componentName policy-xacml-pdp diff --git a/kubernetes/policy/resources/config/db-pg.sh b/kubernetes/policy/resources/config/db-pg.sh index 913ccc7728..a7fc088d55 100644 --- a/kubernetes/policy/resources/config/db-pg.sh +++ b/kubernetes/policy/resources/config/db-pg.sh @@ -20,10 +20,15 @@ export PGPASSWORD=${PG_ADMIN_PASSWORD}; +echo "Create user ${PG_USER} is created in Host ${PG_HOST}" psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE USER \"${PG_USER}\" WITH PASSWORD '${PG_USER_PASSWORD}'" for db in migration pooling policyadmin policyclamp operationshistory clampacm do + echo "Create DB ${db}" psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE DATABASE ${db};" + echo "Grant privileges to DB ${db} for user ${PG_USER}" psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "GRANT ALL PRIVILEGES ON DATABASE ${db} TO \"${PG_USER}\";" -done
\ No newline at end of file + echo "Grant privileges to SCHEMA public for user ${PG_USER}" + psql -h ${PG_HOST} -p ${PG_PORT} -d ${db} -U postgres --command "GRANT ALL ON SCHEMA public TO \"${PG_USER}\";" +done diff --git a/kubernetes/policy/resources/config/db_migrator_policy_init.sh b/kubernetes/policy/resources/config/db_migrator_policy_init.sh index a1d8fd89ea..32ccbf18d4 100644 --- a/kubernetes/policy/resources/config/db_migrator_policy_init.sh +++ b/kubernetes/policy/resources/config/db_migrator_policy_init.sh @@ -31,4 +31,4 @@ for schema in ${SQL_DB}; do fi done -exit $rc
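Review bot: The added progress line `echo "Create user ${PG_USER} is created in Host ${PG_HOST}"` is printed before the `CREATE USER` statement runs and reads as if it had already succeeded; `echo "Creating user ${PG_USER} on host ${PG_HOST}"` says what the script is about to do, and the same applies to the `Create DB` and `Grant privileges` lines, which do not report whether the preceding psql call succeeded. None of the psql invocations in the loop check their exit status, so a failed `CREATE DATABASE` or a failed `GRANT ALL ON SCHEMA public` is only visible in the log while the script carries on and exits with the status of the last command; `psql ... || exit 1` on each call, or `set -e` near the top of the file (outside this hunk), would make the init job fail instead of continuing. Pre-existing rather than introduced here, the `CREATE USER` line embeds `${PG_USER_PASSWORD}` in the `--command` argument, so the password is exposed in the process argument list while psql runs; the admin password is already passed via `PGPASSWORD`, and feeding the statement on stdin would treat the user password the same way.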
\ No newline at end of file +exit $rc diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml index 3886a85d11..ad5b8fbf5a 100755 --- a/kubernetes/policy/templates/job.yaml +++ b/kubernetes/policy/templates/job.yaml @@ -402,4 +402,4 @@ spec: items: - key: db_migrator_pg_policy_init.sh path: db_migrator_pg_policy_init.sh -{{ end }}
\ No newline at end of file +{{ end }} diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index 67f4dbd1e5..2fd3c32878 100644 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -20,12 +20,13 @@ ################################################################# global: mariadbGalera: + useInPolicy: false + localCluster: true # flag to enable the DB creation via mariadb-operator - useOperator: true + useOperator: false # if useOperator set to "true", set "enableServiceAccount to "false" # as the SA is created by the Operator - enableServiceAccount: false - localCluster: true + enableServiceAccount: true # '&mariadbConfig' means we "store" the values for later use in the file # with '*mariadbConfig' pointer. config: &mariadbConfig @@ -35,23 +36,29 @@ global: nameOverride: *mariadbService # (optional) if localCluster=false and an external secret is used set this variable #userRootSecret: <secretName> - useInPolicy: true prometheusEnabled: false postgres: - localCluster: false + useInPolicy: true + localCluster: true + # flag to enable the DB creation via pgo-operator + useOperator: false service: name: pgset name2: tcp-pgset-primary name3: tcp-pgset-replica container: name: postgres - useInPolicy: false + nameOverride: "policy-postgres" + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: <secretName> kafkaBootstrap: strimzi-kafka-bootstrap:9092 policyKafkaUser: policy-kafka-user useStrimziKafka: true kafkaTopics: - acRuntimeTopic: - name: policy.clamp-runtime-acm + acRuntimeOperationTopic: + name: policy-acruntime-participant + acRuntimeSyncTopic: + name: acm-ppnt-sync ################################################################# # Secrets metaconfig ################################################################# 
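Review bot: After this hunk `global.mariadbGalera.useInPolicy: false` and `global.postgres.useInPolicy: true` are two independent booleans, but the secret templates rewritten in the `@@ -59,27 +66,57 @@ secrets:` hunk branch on `.Values.global.mariadbGalera.useInPolicy` alone and never read `postgres.useInPolicy`, so setting both to true silently selects MariaDB and setting both to false silently selects Postgres. A comment next to the flags would make that contract explicit, for example `# exactly one of mariadbGalera.useInPolicy / postgres.useInPolicy should be true; when both are set the mariadb flag takes precedence in the secret templates`. Nothing in the hunk validates the combination at render time, so the documentation is the only guard a deployer gets.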
@@ -59,27 +66,57 @@ secrets: - uid: db-root-password name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password' type: password - externalSecret: '{{ or .Values.global.postgres.useInPolicy .Values.global.mariadbGalera.useInPolicy | ternary ( - ( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | - ternary - "" - (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) - ) - ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | - ternary + externalSecret: '{{ .Values.global.mariadbGalera.useInPolicy | ternary + ( .Values.global.mariadbGalera.localCluster | ternary + ( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret") | ternary + "" + (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) + ) + ( not (empty (default "" .Values.global.mariadbGalera.userRootSecret)) | ternary .Values.global.mariadbGalera.userRootSecret (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) ) + ) + ) + ( .Values.global.postgres.localCluster | ternary + ( hasSuffix "policy-db-root-password" (index .Values "postgres" "config" "pgRootPasswordExternalSecret") | ternary + "" + (tpl (default "" (index .Values "postgres" "config" "pgRootPasswordExternalSecret")) .) + ) + ( not (empty (default "" .Values.global.postgres.userRootSecret)) | ternary + .Values.global.postgres.userRootSecret + (include "common.postgres.secret.rootPassSecretName" + (dict "dot" . 
"chartName" .Values.global.postgres.nameOverride) + ) + ) ) }}' - password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}' + password: '{{ .Values.global.mariadbGalera.useInPolicy | ternary + (index .Values "mariadb-galera" "rootUser" "password") + (index .Values "postgres" "config" "pgRootPassword") + }}' policy: generate - uid: db-secret name: &dbSecretName '{{ include "common.release" . }}-policy-db-secret' type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .) (hasSuffix "policy-db-secret" (index .Values "mariadb-galera" "db" "externalSecret"))}}' - login: '{{ index .Values "mariadb-galera" "db" "user" }}' - password: '{{ index .Values "mariadb-galera" "db" "password" }}' + externalSecret: '{{ .Values.global.mariadbGalera.useInPolicy | ternary + ( hasSuffix "policy-db-secret" (index .Values "mariadb-galera" "db" "externalSecret") | ternary + "" + (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .) + ) + ( hasSuffix "policy-db-secret" (index .Values "postgres" "config" "pgUserExternalSecret") | ternary + "" + (tpl (default "" (index .Values "postgres" "config" "pgUserExternalSecret")) .) + ) + }}' + login: '{{ .Values.global.mariadbGalera.useInPolicy | ternary + (index .Values "mariadb-galera" "db" "user") + (index .Values "postgres" "config" "pgUserName") + }}' + password: '{{ .Values.global.mariadbGalera.useInPolicy | ternary + (index .Values "mariadb-galera" "db" "password") + (index .Values "postgres" "config" "pgUserPassword") + }}' passwordPolicy: generate - uid: policy-app-user-creds name: &policyAppCredsSecret '{{ include "common.release" . }}-policy-app-user-creds' 
@@ -132,7 +169,7 @@ policy-apex-pdp: config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-drools-pdp: - enabled: false + enabled: true db: *dbSecretsHook config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' @@ -168,7 +205,7 @@ policy-nexus: dbmigrator: # New released image will allow full SASL and Postgres (drools included). Tested with snapshot. Release to come later. - image: onap/policy-db-migrator:3.1.3 + image: onap/policy-db-migrator:4.0.1 # These schemas will be required with the new version of db-migrator # schemas: "policyadmin clampacm pooling operationshistory" schemas: "policyadmin" @@ -245,6 +282,7 @@ mariadb-galera: persistence: enabled: true mountSubPath: policy/maria/data + size: 3Gi serviceAccount: nameOverride: *mariadbService @@ -263,6 +301,7 @@ postgres: persistence: mountSubPath: policy/postgres/data mountInitPath: policy + size: 3Gi config: pgUserName: policy-user pgDatabase: policyadmin @@ -311,4 +350,4 @@ securityContext: serviceAccount: nameOverride: policy roles: - - read
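Review bot: The comment kept above the bumped line, `# New released image will allow full SASL and Postgres (drools included). Tested with snapshot. Release to come later.`, now sits over `image: onap/policy-db-migrator:4.0.1` in the same commit that flips `policy-drools-pdp.enabled` to `true`, so it appears to describe a state this change has already reached; if 4.0.1 is that release, something like `# policy-db-migrator 4.0.1 supports SASL and Postgres, including drools` would match the values below it. The neighbouring `# These schemas will be required with the new version of db-migrator` note over `schemas: "policyadmin"` raises the same question, since the commented-out `"policyadmin clampacm pooling operationshistory"` list is not activated here; either the comment or the value looks out of date, which is inferred from the comments rather than from anything the hunk shows about the image itself.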
\ No newline at end of file + - read diff --git a/kubernetes/uui/Chart.yaml b/kubernetes/uui/Chart.yaml index 900a6c97e1..03c42df008 100644 --- a/kubernetes/uui/Chart.yaml +++ b/kubernetes/uui/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: ONAP uui name: uui -version: 13.1.0 +version: 15.0.0 dependencies: - name: common @@ -31,14 +31,14 @@ dependencies: version: ~13.x-0 repository: '@local' - name: uui-server - version: ~13.x-0 + version: ~15.x-0 repository: 'file://components/uui-server' - name: uui-nlp version: ~13.x-0 repository: 'file://components/uui-nlp' - name: uui-intent-analysis - version: ~13.x-0 + version: ~15.x-0 repository: 'file://components/uui-intent-analysis' - name: uui-llm-adaptation - version: ~13.x-0 + version: ~15.x-0 repository: 'file://components/uui-llm-adaptation' diff --git a/kubernetes/uui/components/uui-intent-analysis/Chart.yaml b/kubernetes/uui/components/uui-intent-analysis/Chart.yaml index bd1f6eedab..25fa9459c5 100644 --- a/kubernetes/uui/components/uui-intent-analysis/Chart.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v2 description: ONAP uui intent analysis name: uui-intent-analysis -version: 13.0.0 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/uui/components/uui-intent-analysis/values.yaml b/kubernetes/uui/components/uui-intent-analysis/values.yaml index 73903ceae9..a930e50b1c 100644 --- a/kubernetes/uui/components/uui-intent-analysis/values.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/values.yaml @@ -40,7 +40,7 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -image: onap/usecase-ui-intent-analysis:14.0.0 +image: onap/usecase-ui-intent-analysis:15.0.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml b/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml index 1c36c236ee..2391ac35f1 100644 
--- a/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml +++ b/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v2 description: ONAP uui llm adaptation name: uui-llm-adaptation -version: 13.0.0 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/uui/components/uui-llm-adaptation/values.yaml b/kubernetes/uui/components/uui-llm-adaptation/values.yaml index f5804efb20..cda22163db 100644 --- a/kubernetes/uui/components/uui-llm-adaptation/values.yaml +++ b/kubernetes/uui/components/uui-llm-adaptation/values.yaml @@ -40,7 +40,7 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -image: onap/usecase-ui-llm-adaptation:14.0.0 +image: onap/usecase-ui-llm-adaptation:15.0.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/uui/components/uui-server/Chart.yaml b/kubernetes/uui/components/uui-server/Chart.yaml index 82e395ed45..034768256f 100644 --- a/kubernetes/uui/components/uui-server/Chart.yaml +++ b/kubernetes/uui/components/uui-server/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP uui server name: uui-server -version: 13.0.0 +version: 15.0.0 dependencies: - name: common diff --git a/kubernetes/uui/components/uui-server/values.yaml b/kubernetes/uui/components/uui-server/values.yaml index 6e715bd7a9..4271bbc380 100644 --- a/kubernetes/uui/components/uui-server/values.yaml +++ b/kubernetes/uui/components/uui-server/values.yaml @@ -48,7 +48,7 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/usecase-ui-server:14.0.0 +image: onap/usecase-ui-server:15.0.0 pullPolicy: Always # application configuration diff --git a/kubernetes/uui/values.yaml b/kubernetes/uui/values.yaml index 2cc0837f41..56bcabe240 100644 --- a/kubernetes/uui/values.yaml +++ b/kubernetes/uui/values.yaml 
@@ -25,7 +25,7 @@ subChartsOnly: flavor: small # application image -image: onap/usecase-ui:14.0.0 +image: onap/usecase-ui:15.0.0 pullPolicy: Always # application configuration |