Age | Commit message (Collapse) | Author | Files | Lines |
|
When deploying a shared mariadb-galera instance using common chart
a dummy database is created based on the default values n the chart.
This is obviously unnecessary and creates an obviousl security issue.
That's why let's make sure that when we deploy a shared mariadb
instance no dummy databases are created.
Issue-ID: OOM-2053
Change-Id: I1130cb8eb555b15a2d8b365102d69e32259233eb
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
|
|
When you type make in kubernetes directory all charts are linted.
If one of them try to generate password whole linting process
ends with an error because masterPassword has not been provided
and there is no default value for it.
To avoid this issue but still don't provide any default value
whcih would be obviously insecure in this context, let's just
test current release name. If it matches "testRelease" we treat whis
as a special case and use predefined master key.
Security implication:
You should never, ever name your productional deployment "testRelease"
nor use it as a master password.
Issue-ID: OOM-2052
Change-Id: I7a2132e81f6910dfea562e8930c7eacd7aa7a00b
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
|
|
For now we use it only for DB secret but in a future also
other secrets should be replaced.
Issue-ID: OOM-2249
Change-Id: Ie6515806c39c6a2cd94be378b5210156b78f4afb
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
|
|
Usage of plain strings is very fragile especially when you try
to change them. That's why instead of depending on strings let's
just define a few convenience templates to be used in projects
that use mariadb-galera chart.
Issue-ID: OOM-2249
Change-Id: Ib867d34090b06a15ea3898a9524f5e3d04a656c0
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
|
|
This template used to be for internal use only but it turned out
to be very useful in number of places so let's just expose it.
Issue-ID: OOM-2249
Change-Id: I57cd31681fb5edb4ac95b0b7b2446a364ce826d2
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
|
|
By default common.fullname uses .Chart.Name or
.Values.nameOverride to generate a "full name" used in many
places.
In some cases it may be convenient to be able to generate this
full name for a specific, well known chart name.
Issue-ID: OOM-2249
Change-Id: I68034c1c5df81ae9533f5f4bc6fab58f2416623a
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
|
|
In some cases it is useful to bypass default policy for secret name
generation and provide a custom name for a secret. In this case
current search implementation got confused and couln't find a secret
based on uid. This patch fixes the issue by comaring not only name
but also uid.
Issue-ID: OOM-2246
Change-Id: Iaea7a23fee09aa388968aad792ba7f7e1fbf2f21
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
|
|
Use common secret template for all passwords that are used
inside this chart.
Issue-ID: OOM-2248
Change-Id: Ia94b87a4d0316a3d334fd492521be5a255c14b4e
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
|
|
ONAP is too big to be deployed using helm install so we need to
use a custom helm plugin helm deploy. This script deloys onap
component by component instead of deploying evrything at
once. Unfortunately this script also modifies the helm release by
appending component name to it.
As a result of this behavior our objects are called for example:
onap-mariadb-galera-mariadb-galera-0
instead of just being called onap-mariadb-galera-0.
This patch simplifies this naming convention by replacing all direct
usages of .Release.Name with common.release macro which strips the
component specific part from the release name.
Issue-ID: OOM-2275
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Ia8cead50d305adb00eef666d0a1ace74479b5183
|
|
Helm by default creates some useful templates in _helpers.tpl
file. This is fine for stand alone charts but when they become
part of ONAP those helpers are no longer needed as our common
components already provides all required functions
Issue-ID: OOM-2278
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I659e4b45b031e87cc87f7bbbb22bf9e23cd74e61
|
|
|
|
When creating https://gerrit.onap.org/r/c/oom/+/99478, forgot to
backport storage class part of https://gerrit.onap.org/r/c/oom/+/98962.
Issue-ID: OOM-2234
Issue-ID: OOM-1227
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I3c42b28ad5bea67eda004b0209c8a21783b539f1
|
|
For some reason unknown to me I was stupid enough to forget to
put ! in a front of variable name in the final vesion of script.
Let's just quickly fix that so that not too many people notice;)
Issue-ID: OOM-2248
Change-Id: I0b8891b94856b21f4b1fad1d6731c461bae2c1aa
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
|
|
|
|
|
|
Replace two sets of commands with a simple loop.
Issue-ID: OOM-2248
Change-Id: I83a748cdad256e7206310d45a987530b4acc621b
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
|
|
Instead of defining the secret in some custom way let's use the common
template (common.secret). To avoid some issues in ONAP components that
depend on this chart let's do not remove for now the default username
and password. We will do this when all services properly utylize
secrets to store mariadb credentials.
Issue-ID: OOM-2053
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I78e224299cccd9632192ee03a45cd077e6f0906f
|
|
Instead of statefulset + inner work in the container, use deployments in
order to be more reliable
Change-Id: Icf4fe1303ae3489c822558e28bb08b69af2d4970
Issue-ID: OOM-2234
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
|
|
Improve common secret template by adding:
- ability to generate secrets if they are not provided
- ability to fail the deployment if marked secret is not provided
- support for using already existing secret instead of creating
a new one
Issue-ID: OOM-2053
Change-Id: Ic101f384f7c767702f646eb0e879ec80bf9a6334
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
|
|
Separated from change:
I65f9891f1d3586c0633b252a47b461c887d5b8ad
to allow the template to be easily merged to master.
Issue-ID: OOM-1971
Change-Id: I8dd4128bfa6e614ba5ddd084c45ca008e4da87ad
Signed-off-by: Kajur, Harish (vk250x) <vk250x@att.com>
[Separate from other changes, add license header,
update commit message]
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
|
|
|
|
|
|
OOM has now templates in order to create the needed PVC, using:
* a PV with a specific class when using a common nfs mount path between
nodes (sames as today use) --> is the default behavior today
* or a storage class if we want to use dynamic PV.
On this case, we use (in order of priority):
- persistence.storageClassOverride if set on the chart
- global.persistence.storageClass if set globally
- persistence.storageClass if set on the chart
I've also aligned the PV creation of the different charts.
I've also aligned the PVC creation of the different charts.
I've removed unused mysql chart and (badly) used nfs-provisioner chart.
I've also make cassandra backup work with dynamic PV (but RWX only for
now).
Change-Id: I0ea3f8c7514ca648d94b6c682684c06b822bbe0a
Issue-ID: OOM-2229
Issue-ID: OOM-2228
Issue-ID: OOM-2227
Issue-ID: OOM-1227
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
|
|
|
|
|
|
Add virtual hosting support to the ingress
common template
Added support for global configuration path
or virtual host based
Signed-off-by: Lucjan Bryndza <l.bryndza@samsung.com>
Change-Id: I6b1a0c9cfd0eb5c90a090058d5db70f8ee33731e
Issue-ID: OOM-2125
Signed-off-by: Lucjan Bryndza <l.bryndza@samsung.com>
|
|
Instead of having our "own" galera cluster, use the common one already
proposed by OOM.
If a local cluster is needed, you just need to set
global.mariadbGalera.localCluster to True.
Also create a common chart that create the needed values for the
database.
Change-Id: I9ad551b76a40732b4ab3fc34ba7cde6ca90fe432
Issue-ID: EXTAPI-348
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
|
|
Currently there is a number of hardcoded passwords in OOM helm charts
that are reused for almost all ONAP deployments in different labs.
One possible solution for this issue could be to generate a random
password for every deployment but this may cause number of issues
while doing helm upgrade.
That's why instead of generating a random password we generate a
password for particular use case, based on chart name, master
password provided by the deployer and additional UID. This is done
using derivePassword function so check its documentation for more
details how this password is derived.
From a user perspective, the most important fact is that he or she can
achieve reproductible deployment. Every time when ONAP is deployed
with the same masterPassword all derived passwords are going
to be also the same.
Issue-ID: OOM-2052
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I666d597e6daab8b79e630917ad75f17cc70f897b
|
|
Two helper functions are defined:
- common.storageClass: will print the right storage class according to
properties set or not:
* if no storage class set --> use previous behavior (storage class
named `common.fullname-data`.
* if a "persistence.storageClassOverride" is set for this specific chart,
we use it (if it's "-", we set to default one)
* if a "global.persistence.storageClass" has been set (and no
storageClassOverride for this chart), we use it (same specificity than
storageClassOverride)
* if a "persistence.storageClass) has been set (and no
storageClassOverride nor global one), we use it (same specificity
than storageClassOverride)
- common.needPV: will print "True" if we need a PV (no storageClass and
storageClassOverride being set).
an implementation example with mariadb-galera is provided.
Issue-ID: OOM-1500
Change-Id: I20a667e17b00c255c4b828e3c66f9c0df7c8755c
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
|
|
I've adjusted the Requests / Limits of portal pods according to real
usage of "Orange Openlab" and "Onap daily master".
Calculation is the following:
per deployment:
* CPU/Mem requests is max of average from the two deployments
* CPU/Mem limits is (max of max from the two deployments) * 1.2
Change-Id: I3fce54e6be495a7014bf346d66721976fa2dab8b
Issue-ID: MUSIC-533
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
|
|
|
|
Missing apiVersion causes linting failure and therefore make common
fails
Issue-ID: OOM-2156
Signed-off-by: Tomáš Levora <t.levora@partner.samsung.com>
Change-Id: Idb0aeb998fc99cc8e409247c6b5e20d140297a3e
|
|
Used PVC(s) are actually created in the statefulset
Change-Id: I24f2c3ff0934178c9af06bfee60b4b6e35cfe953
Issue-ID: OOM-2155
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
|
|
Issue-ID: OOM-2059
Signed-off-by: Akansha Dua <akansha.dua@amdocs.com>
Change-Id: I9b8db6ff689c0928ac497b523290e586c0f6f1f8
|
|
Update dgbuilder to use latest release (0.6.3) with https support and
update configuration to enable https
Change-Id: Ia04a3cde6b0f18655301e25dcf125ffcdf1ec120
Issue-ID: OJSI-100
Signed-off-by: Timoney, Dan (dt5972) <dtimoney@att.com>
|
|
Update CCSDK version to RCO (0.6.3) and update SDNC
version to RC0 (1.7.3)
Change-Id: I4af5684ecacd2cf8134a4db51684fb95b488d536
Issue-ID: SDNC-917
Signed-off-by: Timoney, Dan (dt5972) <dtimoney@att.com>
|
|
Update versions of CCSDK and SDNC dockers to 0.6.2 / 1.7.2
Change-Id: Ib8294b292122c924fcbe29a02806dffd5ce935ec
Issue-ID: SDNC-905
Signed-off-by: Timoney, Dan (dt5972) <dtimoney@att.com>
|
|
|
|
Issue-ID: OOM-2089
Signed-off-by: Akansha Dua <akansha.dua@amdocs.com>
Change-Id: Ia1086deda37ba6e613afcc6bd064e7bf4ee692b9
|
|
Issue-ID: OOM-2088
Signed-off-by: Akansha Dua <akansha.dua@amdocs.com>
Change-Id: Ie7f25c812984abc8631a86b2385dd14a365a8ea5
|
|
|
|
|
|
|
|
Update SDNC helm charts to use Neon-based El Alto images
Change-Id: If91320bc663992355f665b3f57f77214e96985cd
Issue-ID: SDNC-874
Signed-off-by: Timoney, Dan (dt5972) <dtimoney@att.com>
|
|
Mariadb PVC are created in 1 to 1 mapping with galera replicas thus we
don't need RWX.
Change-Id: I438855b2d4b2f90932387e056c168b0a995975a5
Issue-ID: OOM-2081
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
|
|
Today when deploying NBI with OOM, the PersistentVolumeClaim needs the
"ReadWriteMany" (or "RWX") capability.
According to Kubernetes Documentation (https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes),
ReadWriteMany stands for "the volume can be mounted as read-write by many nodes".
That means that a particular PVC needs to be read and written from many pods.
That also means that your code takes that into account and do the work to avoid
write at the same place at the same time.
An issue on RWX mode is that most "official" storage driver from Kubernetes doesn't
support it (13 over the 19 drivers doesn't support it, espacially OpenStack, Amazon
and Google storage classes).
MongoDb PVC is used only for one Mongo instance and it's the same for
maria. Thus we don't need RWX
Change-Id: I4d54cd7853778d8ba6c83551a211abe34d383382
Issue-ID: EXTAPI-305
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
|
|
Issue-ID: OOM-2050
Signed-off-by: Ondřej Šmalec <o.smalec@partner.samsung.com>
Change-Id: I7d54c4c8adc192d0c27249dde2fad4af2ed0a52a
|
|
|
|
|
|
Fix inproper backend section identation in the
common ingress config template
Change-Id: I04c4eebc408a04aba0679ff5123e1a8503ffd912
Issue-ID: OOM-1508
Signed-off-by: Lucjan Bryndza <l.bryndza@samsung.com>
|