From 2b764d035310d91744b4c22ace83593b9a561116 Mon Sep 17 00:00:00 2001
From: othman touijer <othman.touijer@soprasteria.com>
Date: Wed, 5 Jan 2022 14:40:37 +0100
Subject: [SDC] Service Mesh Compliance for SDC

Adding basic requirements for Service Mesh Compliance within SDC.

Change-Id: Ib9104ef2e8b6daf0b9b529288cee158b297ce9e4
Issue-ID: OOM-2253
Signed-off-by: rope252 <gareth.roper@est.tech>
Signed-off-by: othman touijer <othman.touijer@soprasteria.com>
---
 .../components/sdc-wfd-be/templates/_helper.tpl    |  1 -
 .../sdc-wfd-be/templates/deployment.yaml           | 19 ++++++++-----
 .../components/sdc-wfd-be/templates/ingress.yaml   |  2 +-
 .../sdc/components/sdc-wfd-be/templates/job.yaml   | 32 ++++++++++++++--------
 .../components/sdc-wfd-be/templates/service.yaml   | 10 +++----
 5 files changed, 38 insertions(+), 26 deletions(-)
 delete mode 100644 kubernetes/sdc/components/sdc-wfd-be/templates/_helper.tpl

(limited to 'kubernetes/sdc/components/sdc-wfd-be/templates')

diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/_helper.tpl b/kubernetes/sdc/components/sdc-wfd-be/templates/_helper.tpl
deleted file mode 100644
index 298a2cd673..0000000000
--- a/kubernetes/sdc/components/sdc-wfd-be/templates/_helper.tpl
+++ /dev/null
@@ -1 +0,0 @@
-{{- define "wfd-be.internalPort" }}{{ if .Values.config.serverSSLEnabled }}{{ .Values.service.internalPort2 }}{{ else }}{{ .Values.service.internalPort }}{{ end }}{{- end }}
diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml
index 1cfcad4f56..a187e19a75 100644
--- a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml
+++ b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml
@@ -79,13 +79,13 @@ spec:
             ./startup.sh
           {{- end }}
           ports:
-          - containerPort: {{ template "wfd-be.internalPort" . }}
+          - containerPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }}
           # disable liveness probe when breakpoints set in debugger
           # so K8s doesn't restart unresponsive container
           {{ if .Values.liveness.enabled }}
           livenessProbe:
             tcpSocket:
-              port: {{ template "wfd-be.internalPort" . }}
+              port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }}
             initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
             periodSeconds: {{ .Values.liveness.periodSeconds }}
             successThreshold: {{ .Values.liveness.successThreshold }}
@@ -93,14 +93,14 @@ spec:
           {{ end }}
           readinessProbe:
             tcpSocket:
-              port: {{ template "wfd-be.internalPort" . }}
+              port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }}
             initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
             periodSeconds: {{ .Values.readiness.periodSeconds }}
             successThreshold: {{ .Values.readiness.successThreshold }}
             failureThreshold: {{ .Values.readiness.failureThreshold }}
           startupProbe:
             tcpSocket:
-              port: {{ template "wfd-be.internalPort" . }}
+              port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }}
             initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }}
             periodSeconds: {{ .Values.startup.periodSeconds }}
             successThreshold: {{ .Values.startup.successThreshold }}
@@ -128,20 +128,25 @@ spec:
             valueFrom:
               secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: cs_truststore_password}
           - name: SDC_PROTOCOL
-            value: "{{ .Values.config.sdcProtocol }}"
+            value: "{{ (eq "true" (include "common.needTLS" .)) | ternary "HTTPS" "HTTP" }}"
           - name: SDC_ENDPOINT
-            value: "{{ .Values.config.sdcEndpoint }}"
+            value: "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdcEndpoint.https .Values.config.sdcEndpoint.http }}"
           - name: SDC_USER
             value: "{{ .Values.config.sdcExternalUser }}"
           - name: SDC_PASSWORD
             valueFrom:
               secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: wf_external_user_password}
+          {{- if (include "common.needTLS" .) }}
           - name: SERVER_SSL_ENABLED
-            value: "{{ .Values.config.serverSSLEnabled }}"
+            value: "true"
           - name: SERVER_SSL_KEYSTORE_TYPE
             value: "{{ .Values.config.serverSSLKeyStoreType }}"
           - name: SERVER_SSL_TRUSTSTORE_TYPE
             value: "{{ .Values.config.serverSSLTrustStoreType }}"
+          {{- else }}
+          - name: SERVER_SSL_ENABLED
+            value: "false"
+          {{- end }}
           volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
           resources: {{ include "common.resources" . | nindent 12 }}
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml
index 8f87c68f1e..171442dfdc 100644
--- a/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml
+++ b/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml
@@ -1 +1 @@
-{{ include "common.ingress" . }}
+{{include "common.ingress" .}}
diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml
index da3df9062f..2e5826d229 100644
--- a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml
+++ b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml
@@ -60,23 +60,31 @@ spec:
               cpu: 3m
               memory: 20Mi
       containers:
-        - name: {{ include "common.name" . }}-job
-          image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.configInitImage }}
-          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-          env:
+      - name: {{ include "common.name" . }}-job
+        image:
+          {{ include "repositoryGenerator.repository" . }}/{{ .Values.configInitImage }}
+        imagePullPolicy:
+          {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        {{- if include "common.onServiceMesh" . }}
+        args:
+        - echo "waiting 10s for istio side cars to be up"; sleep 10s; /start.sh
+        command:
+        - /bin/sh
+        - -c
+        {{- end }}
+        env:
           - name: CS_HOST
             value: "{{ .Values.global.sdc_cassandra.serviceName }}"
           - name: CS_PORT
-            value: "{{ .Values.config.cassandraClientPort }}"
+            value: {{ .Values.config.cassandraClientPort | quote }}
           - name: CS_AUTHENTICATE
-            value: "{{ .Values.config.cassandraAuthenticationEnabled }}"
+            value: {{ .Values.config.cassandraAuthenticationEnabled | quote }}
           - name: CS_USER
-            valueFrom:
-              secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_user}
+            valueFrom: {secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_user}}
           - name: CS_PASSWORD
-            valueFrom:
-              secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password}
-          resources: {{ include "common.resources" . | nindent 12 }}
+            valueFrom: {secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password}}
+        resources: {{ include "common.resources" . | nindent 12 }}
+      {{ include "common.waitForJobContainer" . | indent 6 | trim }}
       imagePullSecrets:
-      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+        - name: "{{ include "common.namespace" . }}-docker-registry-key"
 {{ end }}
diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml
index 2af5e2ba26..2f4129b03f 100644
--- a/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml
+++ b/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml
@@ -30,13 +30,13 @@ spec:
   type: {{ .Values.service.type }}
   ports:
     {{if eq .Values.service.type "NodePort" -}}
-    - port: {{ template "wfd-be.internalPort" . }}
+    - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }}
       nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
-      name: {{ .Values.service.portName }}
+      name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
     {{- else -}}
-    - port: {{ if .Values.config.serverSslEnabled }}{{ .Values.service.externalPort2 }}{{ else }}{{ .Values.service.externalPort }}{{ end }}
-      targetPort: {{ template "wfd-be.internalPort" . }}
-      name: {{ .Values.service.portName }}
+    - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort2 .Values.service.externalPort }}
+      targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }}
+      name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
     {{- end}}
   selector:
     app: {{ include "common.name" . }}
-- 
cgit 1.2.3-korg