From 23428032527583798d5e42aa96555728cc71a06d Mon Sep 17 00:00:00 2001 From: Andreas Seelinger Date: Thu, 7 Nov 2024 10:20:07 +0100 Subject: [AAI] Fix Kyverno Policy violations - Refactored code for readiness check and use library readinessCheck - Fixed securityContext settings - Limit emptyVolume size and make it configurable - Important: Need to use aai-haproxy docker image version >= 1.15.2 - Refactore meta labels and use common.labels instead Issue-ID: AAI-4044 Change-Id: I346316e64cb67222836951cf12b3772bbf509c6a Signed-off-by: Andreas Seelinger --- kubernetes/aai/components/aai-sparky-be/Chart.yaml | 5 +++- .../aai-sparky-be/templates/configmap.yaml | 9 +------ .../aai-sparky-be/templates/deployment.yaml | 30 +++++----------------- .../aai/components/aai-sparky-be/values.yaml | 20 ++++++++++++--- 4 files changed, 29 insertions(+), 35 deletions(-) (limited to 'kubernetes/aai/components/aai-sparky-be') diff --git a/kubernetes/aai/components/aai-sparky-be/Chart.yaml b/kubernetes/aai/components/aai-sparky-be/Chart.yaml index 9c9185baf3..074e266228 100644 --- a/kubernetes/aai/components/aai-sparky-be/Chart.yaml +++ b/kubernetes/aai/components/aai-sparky-be/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 description: ONAP AAI sparky-be name: aai-sparky-be -version: 15.0.0 +version: 15.0.1 dependencies: - name: common @@ -29,3 +29,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml index 7c958fa410..407850eb7f 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml 
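Review bot: The second Chart.yaml hunk leaves the file without a trailing newline (the `\ No newline at end of file` marker follows the added `repository: '@local'`), which yamllint's `new-line-at-end-of-file` rule flags and which makes the next edit to this file produce a spurious one-line diff. Adding the newline after `repository: '@local'` is the whole fix. The new `readinessCheck` dependency is pinned `~13.x-0` like the other `@local` charts, which is consistent with the rest of the dependency list.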
@@ -17,13 +17,6 @@ --- apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/application/*").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml index 28fe1d5c99..ede5b60676 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml @@ -38,32 +38,14 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --service-name - - aai - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" . | nindent 8 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} command: - sh args: 
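Review bot: The new `common.podSecurityContext` and `common.containerSecurityContext` includes presumably make the pod run as the `securityContext.user_id: 1000` / `group_id: 1000` set in values.yaml, but nothing in the chart records that the sparky-be image has been verified to start and operate unprivileged with those ids; the commit message states that requirement only for the aai-haproxy image. A comment next to the pod-level include, e.g. `# runs as non-root (values: securityContext.user_id/group_id); the image must not require root or write outside the logs/modeldir emptyDirs`, would make the constraint visible to whoever bumps the image. The removed readiness init container carried explicit resources requests and limits; the replacement `common.readinessCheck.waitFor` must render its own, otherwise the init container trips the same resource-limits class of policy this change appears to target — the library template is not visible here, so please confirm in the rendered manifest. The three includes also mix `indent N | trim` with `nindent 8`; using one form (nindent for all three) reads more consistently.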
@@ -158,9 +140,11 @@ spec: configMap: name: {{ include "common.fullname" . }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: modeldir - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.modeldirSizeLimit }} restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml index c4b90d30ca..9cbe9e5fd2 100644 --- a/kubernetes/aai/components/aai-sparky-be/values.yaml +++ b/kubernetes/aai/components/aai-sparky-be/values.yaml @@ -128,23 +128,24 @@ serviceMesh: podAnnotations: sidecar.istio.io/rewriteAppHTTPProbers: "false" + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' # Configure resource requests and limits # ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: small: limits: - cpu: "0.5" + cpu: "500m" memory: "4Gi" requests: - cpu: "0.25" + cpu: "250m" memory: "1Gi" large: limits: cpu: "1" memory: "8Gi" requests: - cpu: "0.5" + cpu: "500m" memory: "2Gi" unlimited: {} @@ -158,3 +159,16 @@ serviceAccount: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 64Mi + modeldirSizeLimit: 64Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for: + services: + - aai -- cgit 1.2.3-korg
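Review bot: `sizeLimit` on an emptyDir is enforced by kubelet eviction, so once the `logs` volume grows past `.Values.volumes.logSizeLimit` the whole pod is evicted rather than the writer getting a full-disk error; with the 64Mi default a verbose log level is enough to take the service down. That consequence belongs where the value is set, e.g. above `volumes:` in values.yaml: `# Exceeding an emptyDir sizeLimit evicts the pod; size logSizeLimit for peak log output between rotations`. Rendering the values unquoted is fine for quantity strings such as `64Mi`, but note that an empty override renders `sizeLimit:` as null, which Kubernetes accepts and which silently removes the cap this commit introduces.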
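Review bot: The new `checksum/config` annotation hashes only `configmap.yaml`, so the logging configuration mounted via `common.log.volumes` in deployment.yaml (named by `logConfigMapNamePrefix`) is not covered and edits to it will not roll the pods; if that is deliberate, a comment saying so would save the next reader the check, otherwise a second annotation hashing that template is needed (assuming it lives in this chart, which I cannot see from here). The value is a Go template inside a values string and only works if `common.templateMetadata` passes pod annotations through `tpl`; worth confirming that the rendered pod carries a hex digest rather than the literal braces. The `cpu` rewrite to millicore strings only normalizes units and is fine.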
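Review bot: `securityContext.user_id` and `group_id` are new, uncommented values that presumably feed the runAsUser/runAsGroup settings added in deployment.yaml, and the only record of the image needing to support an unprivileged UID is the commit message, which names the aai-haproxy image rather than sparky-be. Add a comment above `securityContext:` such as `# UID/GID the container runs as; the sparky-be image must start and write its logs/modeldir as this non-root user`. Likewise `readinessCheck.wait_for.services: - aai` replaces the old `--service-name aai` init argument; a one-line comment naming what is being waited for keeps that intent visible now that the init container is generated by a library template.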