From d425867ae1c52a9b31a06f1dea8810c1c7a0af65 Mon Sep 17 00:00:00 2001 From: jhh Date: Sun, 9 Aug 2020 12:08:08 -0500 Subject: [POLICY] certInit support + refactoring Several changes are including in this patch: - certInitializer support (POLICY-2615, REQ-361) - renamed policy objects to start with "policy-" prefix (POLICY-1000) - add resources section to components that did not have or had it incorrectly set up rendering null (POLICY-2502) - Removal of legacy policy-engine components (POLICY-2743) - Miscellaneous refactoring of charts (POLICY-2745) - update pdp legacy reference to policy-xacml-pdp from pdp (legacy) Issue-ID: POLICY-2615 Signed-off-by: jhh Change-Id: I8b6984a663bbb14d331a366ec02b6dd38755cde7 Signed-off-by: jhh --- .../policy-drools-pdp/templates/configmap.yaml | 33 +++++ .../policy-drools-pdp/templates/secrets.yaml | 32 +++++ .../policy-drools-pdp/templates/service.yaml | 46 +++++++ .../policy-drools-pdp/templates/statefulset.yaml | 149 +++++++++++++++++++++ 4 files changed, 260 insertions(+) create mode 100755 kubernetes/policy/components/policy-drools-pdp/templates/configmap.yaml create mode 100755 kubernetes/policy/components/policy-drools-pdp/templates/secrets.yaml create mode 100755 kubernetes/policy/components/policy-drools-pdp/templates/service.yaml create mode 100755 kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml (limited to 'kubernetes/policy/components/policy-drools-pdp/templates') diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/configmap.yaml new file mode 100755 index 0000000000..90d75cc409 --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/templates/configmap.yaml @@ -0,0 +1,33 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018-2020 AT&T Intellectual Property +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +{{- with .Files.Glob "resources/configmaps/*{.zip,store}" }} +binaryData: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} +{{- end }} +{{- end }} +data: +{{ tpl (.Files.Glob "resources/configmaps/*.{conf,sh,properties,xml,keyfile}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/secrets.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/secrets.yaml new file mode 100755 index 0000000000..7fb84b5ddc --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/templates/secrets.yaml @@ -0,0 +1,32 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018-2019 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secret" . }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-secret + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +type: Opaque +data: +{{- range $path, $bytes := .Files.Glob "resources/secrets/*" }} + {{ base $path }}: {{ tpl ($.Files.Get $path) $ | b64enc | quote }} +{{- end }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml new file mode 100755 index 0000000000..9f4ad9bed4 --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml @@ -0,0 +1,46 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018-2019 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "common.servicename" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.service.type }} + ports: + {{if eq .Values.service.type "NodePort" -}} + - port: {{ .Values.service.externalPort }} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} + name: {{ .Values.service.portName }}-{{ .Values.service.externalPort }} + - port: {{ .Values.service.externalPort2 }} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} + name: {{ .Values.service.portName }}-{{ .Values.service.externalPort2 }} + {{- else -}} + - port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.service.internalPort }} + name: {{ .Values.service.portName }}-{{ .Values.service.externalPort }} + - port: {{ .Values.service.externalPort2 }} + targetPort: {{ .Values.service.internalPort2 }} + name: {{ .Values.service.portName }}-{{ .Values.service.externalPort2 }} + {{- end}} + selector: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml new file mode 100755 index 0000000000..dc917ce248 --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml @@ -0,0 +1,149 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018-2020 AT&T Intellectual Property +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + serviceName: {{ include "common.servicename" . }} + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ include "common.name" . }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + spec: + initContainers: + - command: + - /root/job_complete.py + args: + - --job-name + - {{ include "common.release" . }}-policy-galera-config + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-db-readiness +{{- if not .Values.nexus.offline }} + - command: + - /root/ready.py + args: + - --container-name + - {{ .Values.nexus.name }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness +{{- end }} +{{ include "common.certInitializer.initContainer" . | indent 6 }} + containers: + - name: {{ include "common.name" . }} + image: "{{ include "common.repository" . }}/{{ .Values.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["bash","-c"] + args: ["if [ -f {{ .Values.certInitializer.credsPath }}/.ci ]; then \ + source {{ .Values.certInitializer.credsPath }}/.ci; fi;\ + /opt/app/policy/bin/pdpd-cl-entrypoint.sh boot"] + ports: + - containerPort: {{ .Values.service.externalPort }} + - containerPort: {{ .Values.service.externalPort2 }} + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.externalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{- end }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.externalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: REPLICAS + value: "{{ .Values.replicaCount }}" + - name: SQL_USER + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + volumeMounts: +{{ include "common.certInitializer.volumeMount" . | indent 10 }} + - mountPath: /etc/localtime + name: localtime + readOnly: true + {{- range $path, $bytes := .Files.Glob "resources/secrets/*" }} + - mountPath: /tmp/policy-install/config/{{ base $path }} + name: drools-secret + subPath: {{ base $path }} + {{- end }} + {{- range $path, $bytes := .Files.Glob "resources/configmaps/*" }} + - mountPath: /tmp/policy-install/config/{{ base $path }} + name: drools-config + subPath: {{ base $path }} + {{- end }} + resources: +{{ include "common.resources" . }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + volumes: +{{ include "common.certInitializer.volumes" . | indent 8 }} + - name: localtime + hostPath: + path: /etc/localtime + - name: drools-config + configMap: + name: {{ include "common.fullname" . }}-configmap + items: + {{- range $path, $bytes := .Files.Glob "resources/configmaps/*" }} + - key: {{ base $path }} + path: {{ base $path }} + mode: 0755 + {{- end }} + - name: drools-secret + secret: + secretName: {{ include "common.fullname" . }}-secret + items: + {{- range $path, $bytes := .Files.Glob "resources/secrets/*" }} + - key: {{ base $path }} + path: {{ base $path }} + mode: 0644 + {{- end }} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" -- cgit 1.2.3-korg