diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml index 1c20977..4b47c63 100644 --- a/kubernetes/appc/values.yaml +++ b/kubernetes/appc/values.yaml @@ -29,7 +29,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/appc-image:1.4.0-SNAPSHOT-latest +image: onap/appc-image:1.3.0 pullPolicy: Always # flag to enable debugging - application support required @@ -37,10 +37,7 @@ debugEnabled: false # application configuration config: - aafExtIP: 127.0.0.1 - aafExtFQDN: aaf-onap-beijing-test.osaaf.org dbRootPassword: openECOMP1.0 - enableAAF: false enableClustering: true configDir: /opt/onap/appc/data/properties dmaapTopic: SUCCESS diff --git a/kubernetes/common/dgbuilder/templates/deployment.yaml b/kubernetes/common/dgbuilder/templates/deployment.yaml index 328e058..b359526 100644 --- a/kubernetes/common/dgbuilder/templates/deployment.yaml +++ b/kubernetes/common/dgbuilder/templates/deployment.yaml @@ -35,8 +35,14 @@ spec: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/bin/bash"] - args: ["-c", "cd /opt/onap/ccsdk/dgbuilder/ && ./start.sh sdnc1.0 && wait"] + command: + - /bin/bash + - -c + - > + UPDATE_HOSTS_FILE >> /etc/hosts; + UPDATE_NPM_REGISTRY; + cd /opt/onap/ccsdk/dgbuilder/; + ./start.sh sdnc1.0 && wait ports: - containerPort: {{ .Values.service.internalPort }} readinessProbe: @@ -94,3 +100,4 @@ spec: defaultMode: 0755 imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" + diff --git a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml index acda520..8fa35f9 100644 --- a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml +++ b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml @@ -68,6 +68,8 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true + - mountPath: /etc/pki/ca-trust/source/anchors + name: root-ca securityContext: privileged: True lifecycle: @@ -80,6 +82,8 @@ spec: set -ex mkdir -p /var/run/secrets/kubernetes.io/ ln -s /secret /var/run/secrets/kubernetes.io/serviceaccount + echo -e '\nREQUESTS_CA_BUNDLE="/etc/ssl/certs/ca-bundle.crt"' >> /etc/sysconfig/cloudify-restservice + update-ca-trust extract volumes: - name: {{ include "common.fullname" . }}-config configMap: @@ -93,5 +97,8 @@ spec: - name: localtime hostPath: path: /etc/localtime + - name: root-ca + hostPath: + path: CERT_PATH imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/charts/message-router/templates/deployment.yaml b/kubernetes/dmaap/charts/message-router/templates/deployment.yaml index 379fc24..4802f8b 100644 --- a/kubernetes/dmaap/charts/message-router/templates/deployment.yaml +++ b/kubernetes/dmaap/charts/message-router/templates/deployment.yaml @@ -48,6 +48,12 @@ spec: name: {{ include "common.name" . }}-readiness containers: - name: {{ include "common.name" . }} + command: + - /bin/sh + - -c + - > + UPDATE_HOSTS_FILE >> /etc/hosts; + ./startup.sh image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} ports: diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index b8f15e1..fadb56e 100644 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -39,7 +39,8 @@ global: loggingRepository: docker.elastic.co # image pull policy - pullPolicy: Always + #pullPolicy: Always + pullPolicy: IfNotPresent # default mount path root directory referenced # by persistent volumes and log files @@ -66,11 +67,11 @@ appc: config: openStackType: OpenStackProvider openStackName: OpenStack - openStackKeyStoneUrl: http://localhost:8181/apidoc/explorer/index.html - openStackServiceTenantName: default - openStackDomain: default - openStackUserName: admin - openStackEncryptedPassword: admin + openStackKeyStoneUrl: FILL-ME + openStackServiceTenantName: FILL-ME + openStackDomain: FILL-ME + openStackUserName: FILL-ME + openStackEncryptedPassword: FILL-ME clamp: enabled: true cli: @@ -97,8 +98,11 @@ nbi: enabled: true config: # openstack configuration - openStackRegion: "Yolo" - openStackVNFTenantId: "1234" + openStackUserName: "FILL-ME" + openStackRegion: "FILL-ME" + openStackKeyStoneUrl: "FILL-ME" + openStackServiceTenantName: "FILL-ME" + openStackEncryptedPasswordHere: "FILL-ME" policy: enabled: true portal: @@ -112,7 +116,11 @@ sdnc: replicaCount: 1 + config: + enableClustering: false + mysql: + disableNfsProvisioner: true replicaCount: 1 so: enabled: true @@ -129,11 +137,11 @@ so: # message router configuration dmaapTopic: "AUTO" # openstack configuration - openStackUserName: "vnf_user" - openStackRegion: "RegionOne" - openStackKeyStoneUrl: "http://1.2.3.4:5000" - openStackServiceTenantName: "service" - openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e" + openStackUserName: "FILL-ME" + openStackRegion: "FILL-ME" + openStackKeyStoneUrl: "FILL-ME" + openStackServiceTenantName: "FILL-ME" + openStackEncryptedPasswordHere: "FILL-ME" # configure embedded mariadb mariadb: diff --git a/kubernetes/policy/charts/drools/resources/config/opt/policy/config/drools/apps-install.sh b/kubernetes/policy/charts/drools/resources/config/opt/policy/config/drools/apps-install.sh index 72f7a74..f6b3478 100644 --- a/kubernetes/policy/charts/drools/resources/config/opt/policy/config/drools/apps-install.sh +++ b/kubernetes/policy/charts/drools/resources/config/opt/policy/config/drools/apps-install.sh @@ -114,7 +114,7 @@ else url_release fi -wget "${APP_URL}" -O "${DOWNLOAD_DIR}"/apps-"${APP_NAME}".zip +wget "${APP_URL}" -O "${DOWNLOAD_DIR}"/apps-"${APP_NAME}".zip --no-check-certificate if [[ $? != 0 ]]; then echo "ERROR: cannot download ${DOWNLOAD_DIR}/apps-${APP_NAME}.zip" exit 1 diff --git a/kubernetes/policy/charts/drools/resources/scripts/update-vfw-op-policy.sh b/kubernetes/policy/charts/drools/resources/scripts/update-vfw-op-policy.sh index a6c054d..9e48d55 100644 --- a/kubernetes/policy/charts/drools/resources/scripts/update-vfw-op-policy.sh +++ b/kubernetes/policy/charts/drools/resources/scripts/update-vfw-op-policy.sh @@ -84,8 +84,8 @@ echo "Restarting PDP-D .." echo echo -POD=$(kubectl --namespace onap-policy get pods | sed 's/ .*//'| grep drools) -kubectl --namespace onap-policy exec -it ${POD} -- bash -c "source /opt/app/policy/etc/profile.d/env.sh && policy stop && sleep 5 && policy start" +POD=$(kubectl --namespace onap get pods | sed 's/ .*//'| grep drools) +kubectl --namespace onap exec -it ${POD} -- bash -c "source /opt/app/policy/etc/profile.d/env.sh && policy stop && sleep 1 && policy start" sleep 20 diff --git a/kubernetes/policy/resources/config/pe/push-policies.sh b/kubernetes/policy/resources/config/pe/push-policies.sh index dcd3afb..21b3171 100644 --- a/kubernetes/policy/resources/config/pe/push-policies.sh +++ b/kubernetes/policy/resources/config/pe/push-policies.sh @@ -22,7 +22,7 @@ echo "Upload BRMS Param Template" sleep 2 -wget -O cl-amsterdam-template.drl https://git.onap.org/policy/drools-applications/plain/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl?h=beijing +wget -O cl-amsterdam-template.drl https://git.onap.org/policy/drools-applications/plain/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl?h=beijing --no-check-certificate sleep 2 diff --git a/kubernetes/robot/values.yaml b/kubernetes/robot/values.yaml index aea67c8..06dc17b 100644 --- a/kubernetes/robot/values.yaml +++ b/kubernetes/robot/values.yaml @@ -39,49 +39,49 @@ config: # Password of the lighthttpd server. Used for HTML auth for webpage access lightHttpdPassword: robot # gerrit branch where the latest heat code is checked in - gerritBranch: 2.0.0-ONAP + gerritBranch: master # gerrit project where the latest heat code is checked in gerritProject: http://gerrit.onap.org/r/demo.git # Demo configuration # Nexus demo artifact version. Maps to GLOBAL_INJECTED_ARTIFACTS_VERSION -demoArtifactsVersion: "1.2.0-SNAPSHOT" +demoArtifactsVersion: "1.3.0" # Openstack medium sized flavour name. Maps GLOBAL_INJECTED_VM_FLAVOR openStackFlavourMedium: "m1.medium" # Openstack keystone URL. Maps to GLOBAL_INJECTED_KEYSTONE -openStackKeyStoneUrl: "http://1.2.3.4:5000" +openStackKeyStoneUrl: "FILL-ME" # UUID of the Openstack network that can assign floating ips. Maps to GLOBAL_INJECTED_PUBLIC_NET_ID -openStackPublicNetId: "e8f51958045716781ffc" +openStackPublicNetId: "FILL-ME" # password for Openstack tenant where VNFs will be spawned. Maps to GLOBAL_INJECTED_OPENSTACK_PASSWORD -openStackPassword: "tenantPassword" +openStackPassword: "FILL-ME" # Openstack region. Maps to GLOBAL_INJECTED_REGION openStackRegion: "RegionOne" # Openstack tenant UUID where VNFs will be spawned. Maps to GLOBAL_INJECTED_OPENSTACK_TENANT_ID -openStackTenantId: "47899782ed714295b1151681fdfd51f5" +openStackTenantId: "FILL-ME" # username for Openstack tenant where VNFs will be spawned. Maps to GLOBAL_INJECTED_OPENSTACK_USERNAME -openStackUserName: "tenantUsername" +openStackUserName: "FILL-ME" # Openstack glance image name for Ubuntu 14. Maps to GLOBAL_INJECTED_UBUNTU_1404_IMAGE -ubuntu14Image: "Ubuntu_14_trusty" +ubuntu14Image: "FILL-ME" # Openstack glance image name for Ubuntu 16. Maps to GLOBAL_INJECTED_UBUNTU_1604_IMAGE -ubuntu16Image: "Ubuntu_16_xenial" +ubuntu16Image: "FILL-ME" # GLOBAL_INJECTED_SCRIPT_VERSION. Maps to GLOBAL_INJECTED_SCRIPT_VERSION -scriptVersion: "1.2.0-SNAPSHOT" +scriptVersion: "1.2.1" # Openstack network to which VNFs will bind their primary (first) interface. Maps to GLOBAL_INJECTED_NETWORK -openStackPrivateNetId: "e8f51956-00dd-4425-af36-045716781ffc" +openStackPrivateNetId: "FILL-ME" # SDNC Preload configuration # Openstack subnet UUID for the network defined by openStackPrivateNetId. Maps to onap_private_subnet_id -openStackPrivateSubnetId: "e8f51956-00dd-4425-af36-045716781ffc" +openStackPrivateSubnetId: "FILL-ME" # CIDR notation for the Openstack private network where VNFs will be spawned. Maps to onap_private_net_cidr -openStackPrivateNetCidr: "10.0.0.0/8" +openStackPrivateNetCidr: "FILL-ME" # The first 2 octets of the private Openstack subnet where VNFs will be spawned. # Needed because sdnc preload templates hardcodes things like this 10.0.${ecompnet}.X openStackOamNetworkCidrPrefix: "10.0" # Override with Pub Key for access to VNF -vnfPubKey: "FILL_IN_WITH_PUB_KEY" -# Override with DCAE VES Collector external IP -dcaeCollectorIp: "FILL_IN_WITH_DCAE_VES_COLLECTOR_IP" +vnfPubKey: "FILL-ME" +# Override with DCAE VES Collector external IP +dcaeCollectorIp: "FILL-ME" # default number of instances replicaCount: 1 @@ -156,4 +156,4 @@ persistence: accessMode: ReadWriteMany size: 2Gi mountPath: /dockerdata-nfs - mountSubPath: robot/logs \ No newline at end of file + mountSubPath: robot/logs diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml index a19c33a..b49e2c4 100644 --- a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml +++ b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml @@ -47,8 +47,17 @@ spec: name: {{ include "common.name" . }}-readiness containers: - name: {{ include "common.name" . }} - command: ["/bin/bash"] - args: ["-c", "cd /opt/onap/sdnc && ./startAnsibleServer.sh"] + command: + - bash + - "-c" + - | + pip install /root/ansible_pkg/*.whl + dpkg -i /root/ansible_pkg/*.deb + cp /etc/ansible/ansible.cfg /etc/ansible/ansible.cfg.orig + cat /etc/ansible/ansible.cfg.orig | sed -e 's/#host_key_checking/host_key_checking/' > /etc/ansible/ansible.cfg + touch /tmp/.ansible-server-installed + cd /opt/onap/sdnc + ./startAnsibleServer.sh image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} ports: @@ -74,6 +83,8 @@ spec: - mountPath: {{ .Values.config.configDir }}/RestServer_config name: config subPath: RestServer_config + - mountPath: /root/ansible_pkg + name: ansible-pkg resources: {{ toYaml .Values.resources | indent 12 }} {{- if .Values.nodeSelector }} @@ -92,5 +103,9 @@ spec: configMap: name: {{ include "common.fullname" . }} defaultMode: 0644 + - name: ansible-pkg + hostPath: + path: /root/ansible_pkg imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" \ No newline at end of file + - name: "{{ include "common.namespace" . }}-docker-registry-key" + diff --git a/kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml b/kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml index 87ed6aa..5da236d 100644 --- a/kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml +++ b/kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml @@ -49,8 +49,13 @@ spec: name: {{ include "common.name" . }}-readiness containers: - name: {{ include "common.name" . }} - command: ["/bin/bash"] - args: ["-c", "cd /opt/onap/sdnc/admportal/shell && ./start_portal.sh"] + command: + - /bin/bash + - -c + - > + UPDATE_HOSTS_FILE >> /etc/hosts; + UPDATE_NPM_REGISTRY; + cd /opt/onap/sdnc/admportal/shell && ./start_portal.sh image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} ports: diff --git a/kubernetes/uui/charts/uui-server/templates/deployment.yaml b/kubernetes/uui/charts/uui-server/templates/deployment.yaml index accdff9..fa83daf 100644 --- a/kubernetes/uui/charts/uui-server/templates/deployment.yaml +++ b/kubernetes/uui/charts/uui-server/templates/deployment.yaml @@ -34,6 +34,12 @@ spec: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /bin/bash + - -c + - > + chown -R mysql:mysql /var/lib/mysql /var/run/mysqld; + /home/uui/bin/run.sh ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger --- oom/kubernetes/common/common/templates/_cacert.tpl 1970-01-01 00:00:00.000000000 +0000 +++ onap-dev/install/onap-offline/resources/oom/kubernetes/common/common/templates/_cacert.tpl 2018-11-02 15:09:31.781688957 +0000 @@ -0,0 +1,62 @@ +#This template adds volume for access to ca certificate. +#Template is ignored when cacert not set. +{{- define "common.cacert-volume" }} +{{- if .Values.global.cacert }} +- name: cacert + configMap: + name: {{ include "common.namespace" . }}-root-ca-cert +{{- end }} +{{- end }} + +#This template mounts the CA certificate in an ubuntu compatible way. +#It is mounted to /usr/local/share/ca-certificates/cacert.crt. +#Template is ignored if cacert not set. +{{- define "common.cacert-mount-ubuntu" }} +{{- if .Values.global.cacert }} +- mountPath: "/usr/local/share/ca-certificates/cacert.crt" + name: cacert + subPath: certificate +{{- end }} +{{- end }} + +#This template creates an empty volume used to store system certificates (includes java keystore). +{{- define "common.system-ca-store-volume" }} +{{- if .Values.global.cacert }} +- name: system-ca-store + emptyDir: +{{- end }} +{{- end }} + +#This template mounts system ca store volume to /etc/ssl/certs (ubuntu specific). +#Template is ignored in case cacert is not given. +{{- define "common.system-ca-store-mount-ubuntu" }} +{{- if .Values.global.cacert }} +- mountPath: "/etc/ssl/certs" + name: system-ca-store +{{- end }} +{{- end }} + +#This template is a template for an init container. +#This init container can be declared to update system's ca store for ubuntu containers. +#It runs as root using the same image as the main one. +#It expects /etc/ssl/certs to be mounted as a volume. +#It has to be shared with the main container. +#This template is ignored if cacert is not given as helm value. +{{- define "common.update-system-ca-store-ubuntu" }} +{{- if .Values.global.cacert }} +- command: + - "/bin/bash" + - "-c" + - | + mkdir -p /etc/ssl/certs/java + update-ca-certificates + name: update-system-ca-store + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + image: {{ include "common.repository" . }}/{{ .Values.image }} + securityContext: + runAsUser: 0 + volumeMounts: +{{ include "common.cacert-mount-ubuntu" . | indent 2 }} +{{ include "common.system-ca-store-mount-ubuntu" . | indent 2 }} +{{- end }} +{{- end }} --- oom/kubernetes/onap/templates/configmap.yaml 1970-01-01 00:00:00.000000000 +0000 +++ onap-dev/install/onap-offline/resources/oom/kubernetes/onap/templates/configmap.yaml 2018-11-02 15:09:31.804689107 +0000 @@ -0,0 +1,15 @@ +{{ if .Values.global.cacert -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.namespace" . }}-root-ca-cert + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + certificate: | +{{ .Values.global.cacert | indent 4 }} +{{- end }} --- oom/kubernetes/policy/charts/brmsgw/templates/deployment.yaml 2018-11-06 07:38:46.341849402 +0000 +++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/brmsgw/templates/deployment.yaml 2018-11-02 15:09:31.808689133 +0000 @@ -45,6 +45,7 @@ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness +{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }} containers: - command: - /bin/bash @@ -68,6 +69,8 @@ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: +{{ include "common.cacert-mount-ubuntu" . | indent 8 }} +{{ include "common.system-ca-store-mount-ubuntu" . | indent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -94,6 +97,8 @@ {{ toYaml .Values.affinity | indent 10 }} {{- end }} volumes: +{{ include "common.cacert-volume" . | indent 8 }} +{{ include "common.system-ca-store-volume" . | indent 8 }} - name: localtime hostPath: path: /etc/localtime --- oom/kubernetes/policy/charts/drools/templates/statefulset.yaml 2018-11-06 07:38:46.343849404 +0000 +++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/drools/templates/statefulset.yaml 2018-11-02 15:09:31.810689146 +0000 @@ -51,6 +51,8 @@ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness +{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }} +{{ include "policy.update-policy-keystore" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -78,6 +80,9 @@ - name: REPLICAS value: "{{ .Values.replicaCount }}" volumeMounts: +{{ include "common.cacert-mount-ubuntu" . | indent 10 }} +{{ include "common.system-ca-store-mount-ubuntu" . | indent 10 }} +{{ include "policy.keystore-mount" . | indent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -136,6 +141,9 @@ {{ toYaml .Values.affinity | indent 10 }} {{- end }} volumes: +{{ include "common.cacert-volume" . | indent 8 }} +{{ include "common.system-ca-store-volume" . | indent 8 }} +{{ include "policy.keystore-storage-volume" . | indent 8 }} - name: localtime hostPath: path: /etc/localtime --- oom/kubernetes/policy/charts/pdp/templates/statefulset.yaml 2018-11-06 07:38:46.345849405 +0000 +++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/pdp/templates/statefulset.yaml 2018-11-02 15:09:31.812689159 +0000 @@ -49,6 +49,7 @@ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness +{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }} containers: - command: - /bin/bash @@ -72,6 +73,8 @@ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: +{{ include "common.cacert-mount-ubuntu" . | indent 8 }} +{{ include "common.system-ca-store-mount-ubuntu" . | indent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -121,6 +124,8 @@ {{ toYaml .Values.affinity | indent 10 }} {{- end }} volumes: +{{ include "common.cacert-volume" . | indent 6 }} +{{ include "common.system-ca-store-volume" . | indent 6 }} - name: localtime hostPath: path: /etc/localtime --- oom/kubernetes/policy/charts/policy-common/templates/_keystore.tpl 1970-01-01 00:00:00.000000000 +0000 +++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/policy-common/templates/_keystore.tpl 2018-11-02 15:09:31.812689159 +0000 @@ -0,0 +1,43 @@ +#This template creates a volume for storing policy-keystore with imported ca. +#It is ignored if cacert was not given. +{{- define "policy.keystore-storage-volume" }} +{{- if .Values.global.cacert }} +- name: keystore-storage + emptyDir: +{{- end }} +{{- end }} + +#This template mounts policy-keystore in appropriate place for policy components to take it. +#It is ignored if cacert is not given. +{{- define "policy.keystore-mount" }} +{{- if .Values.global.cacert }} +- mountPath: "/tmp/policy-install/config/policy-keystore" + name: keystore-storage + subPath: policy-keystore +{{- end }} +{{- end }} + +#This will extract a policy keystore and then import +#the root cacert of offline nexus into it. +#This template expects a volume named keystore-storage where policy-keystore will be put. +#It also expects volume named cacert where the file "certificate" will contain the cert to import. +#Template is ignored if ca certificate not given. +{{- define "policy.update-policy-keystore" }} +{{- if .Values.global.cacert }} +- command: + - "/bin/bash" + - "-c" + - | + set -e + tar -xzf base-*.tar.gz etc/ssl/policy-keystore + cp etc/ssl/policy-keystore keystore-storage/ + keytool -import -keystore keystore-storage/policy-keystore -storepass "Pol1cy_0nap" -noprompt -file /usr/local/share/ca-certificates/cacert.crt + name: update-policy-keystore + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + image: {{ include "common.repository" . }}/{{ .Values.image }} + volumeMounts: + - mountPath: "/tmp/policy-install/keystore-storage" + name: keystore-storage +{{ include "common.cacert-mount-ubuntu" . | indent 2 }} +{{- end }} +{{- end }} --- oom/kubernetes/policy/templates/deployment.yaml 2018-11-06 07:38:46.346849406 +0000 +++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/templates/deployment.yaml 2018-11-02 15:09:31.813689166 +0000 @@ -45,6 +45,7 @@ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness +{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }} containers: - command: - /bin/bash @@ -72,6 +73,8 @@ - name: PRELOAD_POLICIES value: "{{ .Values.config.preloadPolicies }}" volumeMounts: +{{ include "common.cacert-mount-ubuntu" . | indent 10 }} +{{ include "common.system-ca-store-mount-ubuntu" . | indent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -136,6 +139,8 @@ {{ toYaml .Values.affinity | indent 10 }} {{- end }} volumes: +{{ include "common.cacert-volume" . | indent 8 }} +{{ include "common.system-ca-store-volume" . | indent 8 }} - name: localtime hostPath: path: /etc/localtime