From f427199dd4e058b0fb023aa62a97f1b9e1d20ab5 Mon Sep 17 00:00:00 2001 From: Krzysztof Opasiak Date: Tue, 5 May 2020 01:42:23 +0200 Subject: [VNFSDK] Use common secret template for postgres credentials Even through we use common secret template both passwords are still hardcoded in common postgres chart but this will be removed as a final step just like we did for mariadb-galera. Issue-ID: OOM-2250 Change-Id: I4ca210c99c27fbfbf74a467d72a81b2e38d8d800 Signed-off-by: Krzysztof Opasiak (cherry picked from commit 79677d38adfb3de5a35c00cdb710f6325a8719a9) --- .../vnfsdk/resources/config/configuration.xml | 35 ++++++++++++++++++++++ kubernetes/vnfsdk/templates/configmap.yaml | 2 +- kubernetes/vnfsdk/templates/deployment.yaml | 33 ++++++++++++++++++-- kubernetes/vnfsdk/templates/job.yaml | 6 ++-- kubernetes/vnfsdk/templates/secrets.yaml | 16 ++++++++++ kubernetes/vnfsdk/values.yaml | 21 +++++++++++-- 6 files changed, 104 insertions(+), 9 deletions(-) create mode 100644 kubernetes/vnfsdk/resources/config/configuration.xml create mode 100644 kubernetes/vnfsdk/templates/secrets.yaml diff --git a/kubernetes/vnfsdk/resources/config/configuration.xml b/kubernetes/vnfsdk/resources/config/configuration.xml new file mode 100644 index 0000000000..6bd4e1c8eb --- /dev/null +++ b/kubernetes/vnfsdk/resources/config/configuration.xml @@ -0,0 +1,35 @@ + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/vnfsdk/templates/configmap.yaml b/kubernetes/vnfsdk/templates/configmap.yaml index 44d5f41f15..0c39e6e685 100644 --- a/kubernetes/vnfsdk/templates/configmap.yaml +++ b/kubernetes/vnfsdk/templates/configmap.yaml @@ -23,4 +23,4 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/marketplace_tables_postgres.sql").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} 
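Review bot: Widening the glob to `resources/config/*` under `data:` in configmap.yaml means every file placed in that directory is rendered through `tpl` and published in a ConfigMap, and nothing in the template records that constraint. A comment above the line would help, for example `# every file in resources/config is published as a ConfigMap: credentials must stay ${VAR} placeholders, never literal values`. The body of the new configuration.xml is not readable in this view, so whether it holds only placeholders could not be checked here.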
diff --git a/kubernetes/vnfsdk/templates/deployment.yaml b/kubernetes/vnfsdk/templates/deployment.yaml index bd187db286..3f4d6c43eb 100644 --- a/kubernetes/vnfsdk/templates/deployment.yaml +++ b/kubernetes/vnfsdk/templates/deployment.yaml @@ -34,6 +34,25 @@ spec: name: {{ include "common.name" . }} spec: initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: PG_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: PG_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: init-data-input + - mountPath: /config + name: init-data + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + - command: - /root/ready.py args: @@ -54,9 +73,10 @@ spec: name: {{ include "common.name" . }} resources: {{ include "common.resources" . | indent 12 }} - env: - - name: POSTGRES_SERVICE_HOST - value: "$(VNFSDK_DBSET_SERVICE_HOST)" + volumes: + - mountPath: /service/webapps/ROOT/WEB-INF/classes/mybatis/configuration/configuration.xml + name: init-data + subPath: configuration.xml readinessProbe: tcpSocket: port: {{ .Values.service.internalPort }} @@ -64,3 +84,10 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" + volumes: + - name: init-data-input + configMap: + name: {{ include "common.fullname" . }} + - name: init-data + emptyDir: + medium: Memory diff --git a/kubernetes/vnfsdk/templates/job.yaml b/kubernetes/vnfsdk/templates/job.yaml index 2ec7b95772..1d0dd29f59 100644 --- a/kubernetes/vnfsdk/templates/job.yaml 
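Review bot: The `envsubst` call in the new `update-config` init container is given no variable list, so it replaces every `$NAME` or `${NAME}` reference in every file of the ConfigMap, not only the two credentials, and substitutes an empty string when the variable is unset. Because the ConfigMap glob now also carries marketplace_tables_postgres.sql, any dollar-prefixed token in that file would be rewritten as well. Restricting the substitution keeps the effect to what is intended: `envsubst '${PG_USER} ${PG_PASSWORD}' <${PFILE} >/config/${PFILE}`. The password is written into an XML file unescaped, so a value containing `&` or `<` would presumably yield a malformed configuration.xml; the allowed character set is worth stating next to the secret definition.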
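Review bot: The block added just before `readinessProbe` is keyed `volumes:`, but its entry carries `mountPath` and `subPath`, which are fields of a container `volumeMounts` item; the pod-level `volumes` are declared separately in the last hunk of this file. As written, the rendered configuration.xml would not be mounted into the main container (or the manifest would fail validation), and the same hunk removes `POSTGRES_SERVICE_HOST`, so the application would be left without its database settings. The key should read `volumeMounts:`. Indentation is not recoverable in this view, so confirm the block sits at container level.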
+++ b/kubernetes/vnfsdk/templates/job.yaml @@ -51,13 +51,15 @@ spec: image: "{{ .Values.postgresRepository }}/{{ .Values.postgresImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: + - name: PGUSER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} - name: PGPASSWORD - value: "{{ .Values.postgres.config.pgUserPassword }}" + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} command: - /bin/sh - -c - | - psql -U {{ .Values.postgres.config.pgUserName }} -h $(VNFSDK_DBPRI_SERVICE_HOST) -f /aaa/init/marketplace_tables_postgres.sql + psql -h $(VNFSDK_DBPRI_SERVICE_HOST) -f /aaa/init/marketplace_tables_postgres.sql volumeMounts: - name: init-data mountPath: /aaa/init/marketplace_tables_postgres.sql diff --git a/kubernetes/vnfsdk/templates/secrets.yaml b/kubernetes/vnfsdk/templates/secrets.yaml new file mode 100644 index 0000000000..b143034d8f --- /dev/null +++ b/kubernetes/vnfsdk/templates/secrets.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2020 Samsung Electronics +# # +# # Licensed under the Apache License, Version 2.0 (the "License"); +# # you may not use this file except in compliance with the License. +# # You may obtain a copy of the License at +# # +# # http://www.apache.org/licenses/LICENSE-2.0 +# # +# # Unless required by applicable law or agreed to in writing, software +# # distributed under the License is distributed on an "AS IS" BASIS, +# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# # See the License for the specific language governing permissions and +# # limitations under the License. +*/}} +{{ include "common.secretFast" . }} diff --git a/kubernetes/vnfsdk/values.yaml b/kubernetes/vnfsdk/values.yaml index 28dea47cfc..82bef2d4eb 100644 --- a/kubernetes/vnfsdk/values.yaml +++ b/kubernetes/vnfsdk/values.yaml 
@@ -22,6 +22,22 @@ global: readinessImage: readiness-check:2.0.0 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + envsubstImage: dibi/envsubst + +secrets: + - uid: pg-root-pass + name: &pgRootPassSecretName '{{ include "common.release" . }}-vnfsdk-pg-root-pass' + type: password + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "vnfsdk-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' + password: '{{ .Values.postgres.config.pgRootpassword }}' + policy: generate + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-vnfsdk-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "vnfsdk-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate ################################################################# # Application configuration defaults. @@ -50,9 +66,8 @@ postgres: config: pgUserName: postgres pgDatabase: postgres - pgPrimaryPassword: postgres - pgUserPassword: postgres - pgRootPassword: postgres + pgUserExternalSecret: *pgUserCredsSecretName + pgRootPasswordExternalSecret: *pgRootPassSecretName # flag to enable debugging - application support required debugEnabled: false -- cgit 1.2.3-korg From d451bedd8fac229c70feb767622675b09f4d968e Mon Sep 17 00:00:00 2001 From: Eric Multanen Date: Wed, 6 May 2020 14:40:12 -0700 Subject: Set multicloud-k8s image to 0.6.0 Update image for Frankfurt release. Change-Id: Idc26b081694b8d7270fea81a30d595d41b6b9240 Issue-ID: OOM-2397 Signed-off-by: Eric Multanen (cherry picked from commit 0d36387da995a3e5100b4a99c3e05765ee3ed4cd) --- kubernetes/multicloud/charts/multicloud-k8s/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
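Review bot: The `pg-root-pass` secret reads `.Values.postgres.config.pgRootpassword`, while the key this commit removes in the second hunk is spelled `pgRootPassword`; Helm value lookups are case-sensitive, so an operator override under the established name would be silently ignored and, with `policy: generate`, a generated password used instead. The line should be `password: '{{ .Values.postgres.config.pgRootPassword }}'`. Separately, `envsubstImage: dibi/envsubst` carries no tag or digest, so the init container that handles the database credentials runs whatever the registry currently resolves for that name. Pinning it, as the neighbouring `readiness-check:2.0.0` and `beats/filebeat:5.5.0` entries do, would make the deployment reproducible and auditable.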
diff --git a/kubernetes/multicloud/charts/multicloud-k8s/values.yaml b/kubernetes/multicloud/charts/multicloud-k8s/values.yaml index 3c7b1d3a65..f0bfedb43a 100644 --- a/kubernetes/multicloud/charts/multicloud-k8s/values.yaml +++ b/kubernetes/multicloud/charts/multicloud-k8s/values.yaml @@ -27,7 +27,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/multicloud/k8s:0.5.0 +image: onap/multicloud/k8s:0.6.0 pullPolicy: Always # flag to enable debugging - application support required -- cgit 1.2.3-korg From 70c11046a12ca42fe1b3f3369a449f19ba33e791 Mon Sep 17 00:00:00 2001 From: jhh Date: Fri, 8 May 2020 12:28:27 -0500 Subject: [POLICY] put base64 password in xacml.properties In addition, remove heap mem sizing for drools too as it is properly sized according to container allocated resources. Issue-ID: POLICY-2547 Signed-off-by: jhh Change-Id: I4e1e5eaef1cad924ac4c86e5248230aef1fad7d8 Signed-off-by: jhh (cherry picked from commit ed6839f2fe2566741dcd49c8e59fdae519ce84b0) --- kubernetes/policy/charts/drools/values.yaml | 2 +- .../charts/policy-xacml-pdp/resources/config/xacml.properties | 2 +- .../policy/charts/policy-xacml-pdp/templates/deployment.yaml | 11 +++++------ 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/kubernetes/policy/charts/drools/values.yaml b/kubernetes/policy/charts/drools/values.yaml index 0126c6e06b..3552b2e2f6 100644 --- a/kubernetes/policy/charts/drools/values.yaml +++ b/kubernetes/policy/charts/drools/values.yaml @@ -82,7 +82,7 @@ ingress: # Default installation values to be overridden server: - jvmOpts: -server -Xms1024m -Xmx2048m + jvmOpts: -server -XshowSettings:vm aaf: enabled: "false" diff --git a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/xacml.properties b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/xacml.properties index f2c2cd7765..c7e4ad197e 100644 
--- a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/xacml.properties +++ b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/xacml.properties @@ -50,4 +50,4 @@ xacml.pip.engines=count-recent-operations,get-operation-outcome javax.persistence.jdbc.driver=org.mariadb.jdbc.Driver javax.persistence.jdbc.url=jdbc:mariadb://{{ .Values.global.mariadb.service.name }}:{{ .Values.global.mariadb.service.internalPort }}/operationshistory javax.persistence.jdbc.user=${SQL_USER} -javax.persistence.jdbc.password=${SQL_PASSWORD} +javax.persistence.jdbc.password=${SQL_PASSWORD_BASE64} diff --git a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml index 9ac5d68a89..bd126b810b 100644 --- a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml +++ b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml @@ -35,7 +35,7 @@ spec: - sh args: - -c - - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + - "export SQL_PASSWORD_BASE64=`echo -n ${SQL_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - name: RESTSERVER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} @@ -45,6 +45,10 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "login") | indent 10 }} - name: API_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "password") | indent 10 }} + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} volumeMounts: - mountPath: /config-input name: pdpxconfig 
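Review bot: `javax.persistence.jdbc.password` now receives a base64 string with no comment explaining why, and a later reader may take it for obfuscation or for a mistake. Base64 is an encoding and gives no confidentiality, so the rendered file is as sensitive as before. If the application does expect an encoded value here, a comment above the property would record that, for example `# base64-encoded as expected by the PDP; this is an encoding, not encryption`.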
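Review bot: The new `export SQL_PASSWORD_BASE64=...` prefix expands `${SQL_PASSWORD}` unquoted and feeds it through `echo -n`, so a password containing whitespace, glob characters or backslashes can be altered before it is encoded, and `echo -n` is not portable across `sh` implementations. `base64` may also wrap long output over several lines, which would break the single-line property in xacml.properties. A safer form is `printf '%s' "${SQL_PASSWORD}" | base64 | tr -d '\n'`; because the script sits in a double-quoted YAML scalar, either escape the inner quotes and the backslash or move the argument to a `|` block scalar. The init container's definition continues outside the hunk.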
@@ -59,11 +63,6 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"] args: ["/opt/app/policy/pdpx/etc/mounted/config.json"] - env: - - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger -- cgit 1.2.3-korg From 802d528a9ffa56dde7db0a8d6dd613f491188289 Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Mon, 11 May 2020 15:41:59 +0200 Subject: [GENERIC] follow Frankfurt AAI/Robot branches Issue-ID: OOM-2406 Signed-off-by: Sylvain Desbureaux Change-Id: I83f3a48450d1c76de9b2dcf9400f8450a5d2d689 --- .gitmodules | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.gitmodules b/.gitmodules index 08d7aea901..ddad6f6c9a 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,11 +1,11 @@ [submodule "kubernetes/aai"] - path = kubernetes/aai - url = ../aai/oom - branch = master - ignore = dirty + path = kubernetes/aai + url = ../aai/oom + branch = frankfurt + ignore = dirty [submodule "kubernetes/robot"] - path = kubernetes/robot - url = ../testsuite/oom - branch = . - ignore = dirty - \ No newline at end of file + path = kubernetes/robot + url = ../testsuite/oom + branch = frankfurt + ignore = dirty + -- cgit 1.2.3-korg