From 746ff37c26277159584e2ad9b01b55a8f70fbd71 Mon Sep 17 00:00:00 2001 From: PatrikBuhr Date: Fri, 30 Apr 2021 15:12:51 +0200 Subject: [PMS] Persistent storage of policies and type definitions Improvements: - Using common metadata for the PV and the PVC. - Changed the deployment to a stateful set. Even Deployments with one replica using ReadWriteOnce volume are not recommended. This is because the default Deployment strategy creates a second Pod before bringing down the first Pod on a recreate. The Deployment may fail in deadlock as the second Pod can't start because the ReadWriteOnce volume is already in use, and the first Pod won't be removed because the second Pod has not yet started. Instead, use a StatefulSet with ReadWriteOnce volumes. Change-Id: If3477be43eee5348a9142cceb832bbb2bf9d6017 Issue-ID: CCSDK-3256 Signed-off-by: PatrikBuhr --- .../a1policymanagement/templates/deployment.yaml | 128 --------------------- kubernetes/a1policymanagement/templates/pv.yaml | 26 +---- kubernetes/a1policymanagement/templates/pvc.yaml | 41 ------- .../a1policymanagement/templates/statefulset.yaml | 126 ++++++++++++++++++++ kubernetes/a1policymanagement/values.yaml | 3 +- 5 files changed, 130 insertions(+), 194 deletions(-) delete mode 100644 kubernetes/a1policymanagement/templates/deployment.yaml delete mode 100644 kubernetes/a1policymanagement/templates/pvc.yaml create mode 100644 kubernetes/a1policymanagement/templates/statefulset.yaml diff --git a/kubernetes/a1policymanagement/templates/deployment.yaml b/kubernetes/a1policymanagement/templates/deployment.yaml deleted file mode 100644 index 0d8399c8b3..0000000000 --- a/kubernetes/a1policymanagement/templates/deployment.yaml +++ /dev/null 
@@ -1,128 +0,0 @@ -{{/* -################################################################################ -# Copyright (c) 2020 Nordix Foundation. # -# Copyright © 2020 Samsung Electronics, Modifications # -# # -# Licensed under the Apache License, Version 2.0 (the "License"); # -# you may not use this file except in compliance with the License. # -# You may obtain a copy of the License at # -# # -# http://www.apache.org/licenses/LICENSE-2.0 # -# # -# Unless required by applicable law or agreed to in writing, software # -# distributed under the License is distributed on an "AS IS" BASIS, # -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # -# See the License for the specific language governing permissions and # -# limitations under the License. # -################################################################################ -*/}} - -kind: Deployment -apiVersion: apps/v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -spec: - replicas: {{ index .Values.replicaCount }} - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: - labels: {{- include "common.labels" . | nindent 8 }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - name: {{ include "common.name" . }}-bootstrap-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop\ - | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - chmod o+w /config/${PFILE} - done - cat /config/application.yaml - env: - - name: A1CONTROLLER_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }} - - name: A1CONTROLLER_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: {{ include "common.fullname" . }}-policy-conf-input - - mountPath: /config - name: config - containers: - - name: {{ include "common.name" . }}-update-config - image: "{{ .Values.global.envsubstImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - securityContext: - runAsGroup: {{ .Values.groupID }} - runAsUser: {{ .Values.userID }} - runAsNonRoot: true - command: - - sh - args: - - /tmp/scripts/daemon.sh - env: - - name: A1CONTROLLER_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }} - - name: A1CONTROLLER_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /tmp/scripts - name: {{ include "common.fullname" . }}-envsubst-scripts - - mountPath: /config-input - name: {{ include "common.fullname" . }}-policy-conf-input - - mountPath: /config - name: config - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 10 }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - livenessProbe: - httpGet: - path: /status - port: {{ .Values.liveness.port }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - name: config - mountPath: /opt/app/policy-agent/data/application_configuration.json - subPath: application_configuration.json - - name: config - mountPath: /opt/app/policy-agent/config/application.yaml - subPath: application.yaml - - name: vardata - mountPath: "/var/policy-management-service/database" - resources: {{ include "common.resources" . | nindent 10 }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: {{ include "common.fullname" . }}-policy-conf-input - configMap: - name: {{ include "common.fullname" . }}-policy-conf - - name: {{ include "common.fullname" . }}-envsubst-scripts - configMap: - name: {{ include "common.fullname" . }}-envsubst-scripts - defaultMode: 0555 - - name: config - emptyDir: - medium: Memory - - name: vardata - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} diff --git a/kubernetes/a1policymanagement/templates/pv.yaml b/kubernetes/a1policymanagement/templates/pv.yaml index 904d863b03..0a3cbdeff5 100644 --- a/kubernetes/a1policymanagement/templates/pv.yaml +++ b/kubernetes/a1policymanagement/templates/pv.yaml 
@@ -16,27 +16,5 @@ ################################################################################ */}} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if not .Values.persistence.storageClass -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-data - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/app -{{- end -}} -{{- end -}} + +{{ include "common.replicaPV" . }} diff --git a/kubernetes/a1policymanagement/templates/pvc.yaml b/kubernetes/a1policymanagement/templates/pvc.yaml deleted file mode 100644 index 4183edfdbb..0000000000 --- a/kubernetes/a1policymanagement/templates/pvc.yaml +++ /dev/null 
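Review bot: The one-line replacement drops the three guards that were explicit on the removed side (`persistence.enabled`, `not persistence.existingClaim`, `not persistence.storageClass`), and nothing in the hunk shows whether `common.replicaPV` re-applies them; if it does not, a PersistentVolume is rendered even when persistence is disabled or an existing claim / storage class is configured. Please confirm against the helper and record the expectation in the template, e.g. `{{/* PV rendering, including the persistence.enabled / existingClaim / storageClass guards, is delegated to common.replicaPV */}}`. The removed template also hard-coded `hostPath`, i.e. node-local storage; if the helper keeps that, the StatefulSet's database only survives rescheduling onto the same node, which is worth stating next to `persistence` in values.yaml.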
@@ -1,41 +0,0 @@ -{{/* -################################################################################ -# Copyright (c) 2021 Nordix Foundation. # -# # -# Licensed under the Apache License, Version 2.0 (the "License"); # -# you may not use this file except in compliance with the License. # -# You may obtain a copy of the License at # -# # -# http://www.apache.org/licenses/LICENSE-2.0 # -# # -# Unless required by applicable law or agreed to in writing, software # -# distributed under the License is distributed on an "AS IS" BASIS, # -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # -# See the License for the specific language governing permissions and # -# limitations under the License. # -################################################################################ -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - {{- if .Values.persistence.annotations }} - annotations: -{{ .Values.persistence.annotations | indent 4 }} - {{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.size }} - storageClassName: {{ include "common.fullname" . }}-data -{{- end -}} diff --git a/kubernetes/a1policymanagement/templates/statefulset.yaml b/kubernetes/a1policymanagement/templates/statefulset.yaml new file mode 100644 index 0000000000..54ee1515bc --- /dev/null +++ b/kubernetes/a1policymanagement/templates/statefulset.yaml 
@@ -0,0 +1,126 @@ +{{/* +################################################################################ +# Copyright (c) 2020 Nordix Foundation. # +# Copyright © 2020 Samsung Electronics, Modifications # +# # +# Licensed under the Apache License, Version 2.0 (the "License"); # +# you may not use this file except in compliance with the License. # +# You may obtain a copy of the License at # +# # +# http://www.apache.org/licenses/LICENSE-2.0 # +# # +# Unless required by applicable law or agreed to in writing, software # +# distributed under the License is distributed on an "AS IS" BASIS, # +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # +# See the License for the specific language governing permissions and # +# limitations under the License. # +################################################################################ +*/}} + +kind: StatefulSet +apiVersion: apps/v1 +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + serviceName: {{ include "common.servicename" . }} + replicas: {{ index .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: + labels: {{- include "common.labels" . | nindent 8 }} + spec: + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + - name: {{ include "common.name" . }}-bootstrap-config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - sh + args: + - -c + - | + export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop\ + | xargs -0) + cd /config-input + for PFILE in `ls -1` + do + envsubst <${PFILE} >/config/${PFILE} + chmod o+w /config/${PFILE} + done + cat /config/application.yaml + env: + - name: A1CONTROLLER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "controller-secret" "key" "login") | indent 10 }} + - name: A1CONTROLLER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }} + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + - mountPath: /config-input + name: {{ include "common.fullname" . }}-policy-conf-input + - mountPath: /config + name: config + containers: + - name: {{ include "common.name" . }}-update-config + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + securityContext: + runAsGroup: {{ .Values.groupID }} + runAsUser: {{ .Values.userID }} + runAsNonRoot: true + command: + - sh + args: + - /tmp/scripts/daemon.sh + env: + - name: A1CONTROLLER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }} + - name: A1CONTROLLER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /tmp/scripts + name: {{ include "common.fullname" . }}-envsubst-scripts + - mountPath: /config-input + name: {{ include "common.fullname" . }}-policy-conf-input + - mountPath: /config + name: config + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + livenessProbe: + httpGet: + path: /status + port: {{ .Values.liveness.port }} + scheme: {{ if (include "common.needTLS" .) 
}}HTTPS{{ else }}HTTP{{ end }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + - name: config + mountPath: /opt/app/policy-agent/data/application_configuration.json + subPath: application_configuration.json + - name: config + mountPath: /opt/app/policy-agent/config/application.yaml + subPath: application.yaml + - name: {{ include "common.fullname" . }} + mountPath: "/var/policy-management-service/database" + resources: {{ include "common.resources" . | nindent 10 }} + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} + - name: {{ include "common.fullname" . }}-policy-conf-input + configMap: + name: {{ include "common.fullname" . }}-policy-conf + - name: {{ include "common.fullname" . }}-envsubst-scripts + configMap: + name: {{ include "common.fullname" . }}-envsubst-scripts + defaultMode: 0555 + - name: config + emptyDir: + medium: Memory +{{- if not .Values.persistence.enabled }} + - name: {{ include "common.fullname" . }} + emptyDir: {} +{{- else }} + volumeClaimTemplates: + - {{include "common.PVCTemplate" . | indent 6 | trim }} +{{- end }} diff --git a/kubernetes/a1policymanagement/values.yaml b/kubernetes/a1policymanagement/values.yaml index 08590d891c..4768349736 100644 --- a/kubernetes/a1policymanagement/values.yaml +++ b/kubernetes/a1policymanagement/values.yaml @@ -20,7 +20,8 @@ global: nodePortPrefix: 302 - + persistence: {} + secrets: - uid: controller-secret type: basicAuth -- cgit 1.2.3-korg
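Review bot: The bootstrap-config init container still ends with `cat /config/application.yaml`, which prints the rendered configuration to the container log after `envsubst` has run with A1CONTROLLER_USER and A1CONTROLLER_PASSWORD in its environment; if application.yaml references those variables, the controller password ends up in `kubectl logs` and any log aggregation, so the line should be dropped or reduced to `ls -l /config`. The script is carried over unchanged from the deleted deployment.yaml, so this is not introduced by the commit, but the new file is where to fix it. In the same loop `chmod o+w /config/${PFILE}` makes every rendered file world-writable, presumably so the update-config sidecar (running as `.Values.userID`/`.Values.groupID`) can rewrite them; a pod-level `fsGroup` or a `chown` to that uid/gid would likely give the sidecar write access without opening the files to every other user in the pod. Note also that with `volumeClaimTemplates` each replica receives its own claim, so a `replicaCount` above 1 yields independent databases per pod rather than shared state; a comment above `replicas:` such as `# each replica gets its own PVC from volumeClaimTemplates; >1 means per-pod, unsynchronised databases` would spare the next maintainer that surprise.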
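Review bot: The added `persistence: {}` carries no comment explaining why an empty mapping is needed, and with the indentation lost in this rendering it is not clear whether it sits under `global:` or at the top level. If it is the top-level key, `.Values.persistence.enabled` in statefulset.yaml is nil by default and the chart renders the `emptyDir: {}` branch, i.e. no persistence despite the commit title; if it is `global.persistence`, a one-line comment naming the helper that expects the key (and that it is meant to be overridden by the parent chart) would make the intent clear.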