From 742a7b29bfb6ffb18ef65b0a45ad08de59e52a6e Mon Sep 17 00:00:00 2001 From: ChrisC Date: Fri, 4 Sep 2020 11:29:57 +0200 Subject: [SDC] use of certInitializer template Auto SSL certificates generation through certInitializer template for SDC Refactor to components Issue-ID: SDC-3172 Change-Id: I2c895a8d8e7c25e11a2a1e997735d2e7b2d258aa Signed-off-by: ChrisC --- kubernetes/sdc/components/sdc-wfd-be/.helmignore | 21 +++ kubernetes/sdc/components/sdc-wfd-be/Chart.yaml | 18 +++ .../sdc/components/sdc-wfd-be/requirements.yaml | 23 ++++ .../sdc/components/sdc-wfd-be/templates/NOTES.txt | 33 +++++ .../components/sdc-wfd-be/templates/_helper.tpl | 1 + .../sdc-wfd-be/templates/deployment.yaml | 128 ++++++++++++++++++ .../components/sdc-wfd-be/templates/ingress.yaml | 1 + .../sdc/components/sdc-wfd-be/templates/job.yaml | 70 ++++++++++ .../components/sdc-wfd-be/templates/service.yaml | 41 ++++++ kubernetes/sdc/components/sdc-wfd-be/values.yaml | 143 +++++++++++++++++++++ 10 files changed, 479 insertions(+) create mode 100644 kubernetes/sdc/components/sdc-wfd-be/.helmignore create mode 100644 kubernetes/sdc/components/sdc-wfd-be/Chart.yaml create mode 100644 kubernetes/sdc/components/sdc-wfd-be/requirements.yaml create mode 100644 kubernetes/sdc/components/sdc-wfd-be/templates/NOTES.txt create mode 100644 kubernetes/sdc/components/sdc-wfd-be/templates/_helper.tpl create mode 100644 kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml create mode 100644 kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml create mode 100644 kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml create mode 100644 kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml create mode 100644 kubernetes/sdc/components/sdc-wfd-be/values.yaml (limited to 'kubernetes/sdc/components/sdc-wfd-be') diff --git a/kubernetes/sdc/components/sdc-wfd-be/.helmignore b/kubernetes/sdc/components/sdc-wfd-be/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml b/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml new file mode 100644 index 0000000000..7201db2fee --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2018 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: ONAP Service Design and Creation Workflow Designer backend +name: sdc-wfd-be +version: 6.0.0 \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-wfd-be/requirements.yaml b/kubernetes/sdc/components/sdc-wfd-be/requirements.yaml new file mode 100644 index 0000000000..b1d52ae32a --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/requirements.yaml @@ -0,0 +1,23 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2018 Ericsson. All rights reserved. +# Modifications Copyright © 2020 AT&T. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +dependencies: + - name: certInitializer + version: ~6.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/NOTES.txt b/kubernetes/sdc/components/sdc-wfd-be/templates/NOTES.txt new file mode 100644 index 0000000000..a3c79b12a4 --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/NOTES.txt @@ -0,0 +1,33 @@ +# Copyright © 2018 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range .Values.ingress.hosts }} + http://{{ . }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.externalPort }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} +{{- end }} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/_helper.tpl b/kubernetes/sdc/components/sdc-wfd-be/templates/_helper.tpl new file mode 100644 index 0000000000..298a2cd673 --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/_helper.tpl @@ -0,0 +1 @@ +{{- define "wfd-be.internalPort" }}{{ if .Values.config.serverSSLEnabled }}{{ .Values.service.internalPort2 }}{{ else }}{{ .Values.service.internalPort }}{{ end }}{{- end }} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml new file mode 100644 index 0000000000..b188cdae98 --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml @@ -0,0 +1,128 @@ +# Copyright © 2017 Amdocs, AT&T, Bell Canada +# Modifications Copyright © 2018 ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + spec: + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + {{- if .Values.initJob.enabled }} + - name: {{ include "common.name" . }}-job-completion + image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" + command: + - /app/ready.py + args: + - --job-name + - {{ include "common.fullname" . }}-workflow-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + {{ end }} + containers: + - name: {{ include "common.name" . }} + image: "{{ include "common.repository" . }}/{{ .Values.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - "-c" + - | + export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export SERVER_SSL_KEY_PASSWORD=$cadi_keystore_password_p12 + export KEYMANAGER_PASS=$cadi_keystore_password_p12 + export SERVER_SSL_TRUST_PASSWORD=$cadi_truststore_password + export SERVER_SSL_KEYSTORE_PATH={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} + export SERVER_SSL_TRUSTSTORE_PATH={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} + ./startup.sh + {{- end }} + ports: + - containerPort: {{ template "wfd-be.internalPort" . }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ template "wfd-be.internalPort" . }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end }} + readinessProbe: + tcpSocket: + port: {{ template "wfd-be.internalPort" . }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: JAVA_OPTIONS + value: {{ .Values.config.javaOptions }} + - name: CS_HOSTS + value: "{{ .Values.global.cassandra.serviceName }}" + - name: CS_PORT + value: "{{ .Values.config.cassandraClientPort }}" + - name: CS_AUTHENTICATE + value: "{{ .Values.config.cassandraAuthenticationEnabled }}" + - name: CS_USER + valueFrom: + secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_user} + - name: CS_PASSWORD + valueFrom: + secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password} + - name: CS_SSL_ENABLED + value: "{{ .Values.config.cassandraSSLEnabled }}" + - name: CS_TRUST_STORE_PATH + value: "{{ .Values.config.cassandraTrustStorePath }}" + - name: CS_TRUST_STORE_PASSWORD + valueFrom: + secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: cs_truststore_password} + - name: SDC_PROTOCOL + value: "{{ .Values.config.sdcProtocol }}" + - name: SDC_ENDPOINT + value: "{{ .Values.config.sdcEndpoint }}" + - name: SDC_USER + value: "{{ .Values.config.sdcExternalUser }}" + - name: SDC_PASSWORD + valueFrom: + secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: wf_external_user_password} + - name: SERVER_SSL_ENABLED + value: "{{ .Values.config.serverSSLEnabled }}" + - name: SERVER_SSL_KEYSTORE_TYPE + value: "{{ .Values.config.serverSSLKeyStoreType }}" + - name: SERVER_SSL_TRUSTSTORE_TYPE + value: "{{ .Values.config.serverSSLTrustStoreType }}" + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml new file mode 100644 index 0000000000..8f87c68f1e --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml @@ -0,0 +1 @@ +{{ include "common.ingress" . }} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml new file mode 100644 index 0000000000..9235cb441c --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml @@ -0,0 +1,70 @@ +# Copyright © 2017 Amdocs, AT&T, Bell Canada +# Modifications Copyright © 2018 ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ if .Values.initJob.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.fullname" . }}-workflow-init + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }}-job + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + backoffLimit: 20 + template: + metadata: + labels: + app: {{ include "common.name" . }}-job + release: {{ include "common.release" . }} + spec: + restartPolicy: Never + initContainers: + - name: {{ include "common.name" . }}-init-readiness + image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /app/ready.py + args: + - --job-name + - {{ include "common.release" . }}-sdc-cs-config-cassandra + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + containers: + - name: {{ include "common.name" . }}-job + image: "{{ include "common.repository" . }}/{{ .Values.configInitImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: CS_HOST + value: "{{ .Values.global.cassandra.serviceName }}" + - name: CS_PORT + value: "{{ .Values.config.cassandraClientPort }}" + - name: CS_AUTHENTICATE + value: "{{ .Values.config.cassandraAuthenticationEnabled }}" + - name: CS_USER + valueFrom: + secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_user} + - name: CS_PASSWORD + valueFrom: + secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" +{{ end }} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml new file mode 100644 index 0000000000..d9ea066ab3 --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml @@ -0,0 +1,41 @@ +# Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T, ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "common.servicename" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.service.type }} + ports: + {{if eq .Values.service.type "NodePort" -}} + - port: {{ template "wfd-be.internalPort" . }} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} + name: {{ .Values.service.portName }} + {{- else -}} + - port: {{ if .Values.config.serverSslEnabled }}{{ .Values.service.externalPort2 }}{{ else }}{{ .Values.service.externalPort }}{{ end }} + targetPort: {{ template "wfd-be.internalPort" . }} + name: {{ .Values.service.portName }} + {{- end}} + selector: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} diff --git a/kubernetes/sdc/components/sdc-wfd-be/values.yaml b/kubernetes/sdc/components/sdc-wfd-be/values.yaml new file mode 100644 index 0000000000..da5ae38ad5 --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/values.yaml @@ -0,0 +1,143 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T, ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + readinessImage: onap/oom/readiness:3.0.1 + loggingRepository: docker.elastic.co + loggingImage: beats/filebeat:5.5.0 + aafEnabled: true + cassandra: + #This flag allows SDC to instantiate its own cluster, serviceName + #should be sdc-cs if this flag is enabled + localCluster: false + #The cassandra service name to connect to (default: shared cassandra service) + serviceName: cassandra + #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled + #to match with its own cluster replica + replicaCount: 3 + clusterName: cassandra + dataCenter: Pod + +################################################################# +# AAF Part +################################################################# +certInitializer: + nameOverride: sdc-wfd-be-cert-init + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + fqdn: sdc + fqi: sdc@sdc.onap.org + public_fqdn: sdc.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + addconfig: true + keystoreFile: "org.onap.sdc.p12" + truststoreFile: "org.onap.sdc.trust.jks" + permission_user: 352070 + permission_group: 35953 + aaf_add_config: > + /opt/app/aaf_config/bin/agent.sh local showpass + {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + +################################################################# +# Application configuration defaults. +################################################################# +# application image +repository: nexus3.onap.org:10001 +image: onap/workflow-backend:1.6.4 +configInitImage: onap/workflow-init:1.6.4 +pullPolicy: Always + +initJob: + enabled: true + +config: + javaOptions: "-Xmx1536m -Xms1536m" + cassandraAuthenticationEnabled: true + cassandraClientPort: 9042 + sdcProtocol: HTTPS + sdcEndpoint: sdc-be:8443 + sdcExternalUser: workflow + serverSSLEnabled: true + serverSSLKeyStoreType: jks + serverSSLTrustStoreType: jks + cassandraSSLEnabled: false + cassandraTrustStorePath: /home/sdc/etc/truststore + +# environment file +env: + name: AUTO + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 60 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 60 + periodSeconds: 10 + +service: + type: NodePort + portName: sdc-wfd-be + internalPort: 8080 + externalPort: 8080 + internalPort2: 8443 + externalPort2: 8443 + nodePort: "57" # only one node port. set to http or https port depending on isHttpsEnabled property + +ingress: + enabled: false + service: + - baseaddr: "sdcwfdbe" + name: "sdc-wfd-be" + port: 8443 + config: + ssl: "redirect" + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # + # Example: + # Configure resource requests and limits + # ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # Minimum memory for development is 2 CPU cores and 4GB memory + # Minimum memory for production is 4 CPU cores and 8GB memory +#resources: +# limits: +# cpu: 2 +# memory: 4Gi +# requests: +# cpu: 2 +# memory: 4Gi -- cgit 1.2.3-korg