From 7479042d780f5c9281c67d141ac61ca0c0c76529 Mon Sep 17 00:00:00 2001 From: Andreas Geissler Date: Mon, 27 Feb 2023 10:31:01 +0100 Subject: [VNFSDK] Make VNFSDK ServiceMesh ready Disable TLS interface, add job sidecar cleanup and cleanup charts Fix the deployment.yaml Issue-ID: OOM-3095 Signed-off-by: Andreas Geissler Change-Id: I88a9b01ecf5e4cbb247346b6b2da1c521199a2fb --- kubernetes/vnfsdk/Chart.yaml | 6 ++-- kubernetes/vnfsdk/resources/nginx/nginx.conf | 12 ++----- kubernetes/vnfsdk/templates/deployment.yaml | 47 +++++++--------------------- kubernetes/vnfsdk/templates/ingress.yaml | 16 ++++++++++ kubernetes/vnfsdk/templates/job.yaml | 2 ++ kubernetes/vnfsdk/templates/service.yaml | 26 ++------------- kubernetes/vnfsdk/values.yaml | 46 ++++++++------------------- 7 files changed, 49 insertions(+), 106 deletions(-) diff --git a/kubernetes/vnfsdk/Chart.yaml b/kubernetes/vnfsdk/Chart.yaml index 1c67281798..52eec854d8 100644 --- a/kubernetes/vnfsdk/Chart.yaml +++ b/kubernetes/vnfsdk/Chart.yaml @@ -23,12 +23,12 @@ dependencies: - name: common version: ~12.x-0 repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: postgres version: ~12.x-0 repository: '@local' - name: repositoryGenerator version: ~12.x-0 repository: '@local' + - name: readinessCheck + version: ~12.x-0 + repository: '@local' diff --git a/kubernetes/vnfsdk/resources/nginx/nginx.conf b/kubernetes/vnfsdk/resources/nginx/nginx.conf index d26cc5d813..9d7aa78b36 100644 --- a/kubernetes/vnfsdk/resources/nginx/nginx.conf +++ b/kubernetes/vnfsdk/resources/nginx/nginx.conf 
@@ -38,16 +38,8 @@ http { error_log /var/log/nginx/error.log; server { - listen *:8703 ssl; - server_name - ssl on; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.pem; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_session_cache builtin:1000 shared:SSL:80m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; - ssl_prefer_server_ciphers on; - ssl_session_timeout 10m; + listen {{ .Values.service.internalPort }}; + server_name {{ .Values.service.name }}; keepalive_timeout 70; location / { diff --git a/kubernetes/vnfsdk/templates/deployment.yaml b/kubernetes/vnfsdk/templates/deployment.yaml index 89eba2f360..9ba8f27521 100644 --- a/kubernetes/vnfsdk/templates/deployment.yaml +++ b/kubernetes/vnfsdk/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
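Review bot: The replacement `listen {{ .Values.service.internalPort }};` makes this server block plain HTTP, and nothing in the file says that transport encryption is now expected from the mesh sidecar, so an install without the mesh would serve the marketplace unencrypted. A comment above the directive would make that dependency explicit, e.g. `# plain HTTP by design: TLS is provided by the service-mesh sidecar or the ingress`. The listen port is read from `service.internalPort`, while the container and Service ports are presumably rendered from `service.ports[].port` in values.yaml, so the two 8703 values have to be kept in step by hand. The server block continues past the end of the hunk.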
@@ -16,26 +17,14 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - command: - sh args: 
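Review bot: Replacing the hand-written `matchLabels` with `selector: {{- include "common.selectors" . | nindent 4 }}` changes the Deployment's label selector if the helper renders anything other than the old `app: <name>` label, and `spec.selector` is immutable on an apps/v1 Deployment. An in-place `helm upgrade` of an existing release would then be rejected until the old Deployment is deleted, which is worth a line in the commit message or release notes. The added `replicas: {{ .Values.replicaCount }}` also assumes `replicaCount` is defined in values.yaml, which this patch does not show. The Deployment spec continues outside the hunk.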
@@ -54,28 +43,14 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config - - - command: - - /app/ready.py - args: - - --container-name - - "{{ .Values.postgres.nameOverride }}" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }} - resources: -{{ include "common.resources" . | indent 12 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + ports: {{ include "common.containerPorts" . | nindent 8 }} + resources: {{ include "common.resources" . | nindent 10 }} + volumeMounts: - mountPath: /service/webapps/ROOT/WEB-INF/classes/mybatis/configuration/configuration.xml name: init-data subPath: configuration.xml @@ -89,7 +64,7 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + volumes: - name: init-data-input configMap: name: {{ include "common.fullname" . }} diff --git a/kubernetes/vnfsdk/templates/ingress.yaml b/kubernetes/vnfsdk/templates/ingress.yaml index 8f87c68f1e..1f6ec7ab0e 100644 --- a/kubernetes/vnfsdk/templates/ingress.yaml +++ b/kubernetes/vnfsdk/templates/ingress.yaml 
@@ -1 +1,17 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/vnfsdk/templates/job.yaml b/kubernetes/vnfsdk/templates/job.yaml index 7c320fc86f..5e9ad8a6fc 100644 --- a/kubernetes/vnfsdk/templates/job.yaml +++ b/kubernetes/vnfsdk/templates/job.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -66,6 +67,7 @@ spec: - name: init-data mountPath: /aaa/init/marketplace_tables_postgres.sql subPath: marketplace_tables_postgres.sql + {{ include "common.waitForJobContainer" . | indent 6 | trim }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" volumes: diff --git a/kubernetes/vnfsdk/templates/service.yaml b/kubernetes/vnfsdk/templates/service.yaml index 25786bd7ad..6127b2b373 100644 --- a/kubernetes/vnfsdk/templates/service.yaml +++ b/kubernetes/vnfsdk/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modification © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
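Review bot: In job.yaml the added `{{ include "common.waitForJobContainer" . | indent 6 | trim }}` only works if the name listed under `wait_for_job_container.containers` in values.yaml (`'{{ include "common.name" . }}-job'`) is exactly the `name:` of the job's main container, which is defined above this hunk and is not visible here. A mismatch would presumably leave the helper waiting on a container that does not exist, so the pod and its mesh sidecar would not terminate. A short comment next to the include, such as `# must match wait_for_job_container.containers in values.yaml`, would tie the two together. The helper presumably reads pod status from the Kubernetes API, so it is also worth confirming that the Job's service account is limited to read access on pods.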
@@ -14,27 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - name: {{ .Values.service.portName | default "http" }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/vnfsdk/values.yaml b/kubernetes/vnfsdk/values.yaml index a19f15d991..654657273c 100644 --- a/kubernetes/vnfsdk/values.yaml +++ b/kubernetes/vnfsdk/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
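Review bot: The new `{{ include "common.service" . }}` line is the last line of service.yaml and the patch records `\ No newline at end of file` for it. Ending the file with a newline keeps later diffs to this template clean and matches ingress.yaml, which this commit leaves newline-terminated.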
@@ -33,37 +34,6 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: refrepo-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: refrepo - fqi: refrepo@refrepo.onap.org - fqi_namespace: org.onap.refrepo - public_fqdn: refrepo.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - echo "keystore password: $$cadi_keystore_password_p12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ - {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership of certificates to targeted user" - chown -R 999 {{ .Values.credsPath }}/certs - - ################################################################# # Application configuration defaults. ################################################################# @@ -133,9 +103,11 @@ readiness: service: type: NodePort name: refrepo - portName: https - nodePort: 97 internalPort: 8703 + ports: + - name: http + port: 8703 + nodePort: '97' ingress: enabled: false @@ -145,3 +117,11 @@ ingress: port: 8703 config: ssl: "redirect" + +readinessCheck: + wait_for: + - '{{ .Values.postgres.nameOverride }}' + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-job' -- cgit 1.2.3-korg
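Review bot: `service.type: NodePort` is kept in the `@@ -133,9 +103,11 @@` hunk while the port is renamed from `https` to `http`, so by default the now-unencrypted 8703 listener is still published on a node port (prefix plus `'97'`). Traffic arriving that way comes from outside the mesh, so it either reaches the pod in clear text or is refused when the mesh enforces strict mTLS. Unless `common.service` already downgrades the type when the mesh or ingress is enabled (not visible in this patch), `type: ClusterIP` with external access through the ingress would be the safer default.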
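Review bot: The context lines of the last values.yaml hunk keep `ingress.config.ssl: "redirect"` although the backend no longer speaks TLS. If the common ingress helper maps `redirect` to TLS passthrough (not visible in this patch), enabling the ingress would forward encrypted traffic to a plain-HTTP port; confirm the mode and, if so, switch to the value the common chart uses for an HTTP backend. The new `readinessCheck.wait_for` and `wait_for_job_container.containers` entries are template strings, so they also rely on the helpers evaluating them with `tpl`.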