59 files changed, 3451 insertions, 67 deletions
diff --git a/csit/run-k8s-csit.sh b/csit/run-k8s-csit.sh
new file mode 100755
index 00000000..63df5dc2
--- /dev/null
+++ b/csit/run-k8s-csit.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+#
+# ============LICENSE_START====================================================
+# Copyright (C) 2022 Nordix Foundation.
+# =============================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END======================================================
+
+# This script spins up kubernetes cluster in Microk8s for deploying policy helm charts.
+
+function spin_microk8s_cluster () {
+ echo "Verify if Microk8s cluster is running.."
+ microk8s version
+ exitcode="${?}"
+
+ if [ "$exitcode" -ne 0 ]; then
+ echo "Microk8s cluster not available, Spinning up the cluster.."
+ sudo snap install microk8s --classic --channel=1.25/stable
+
+ if [ "${?}" -ne 0 ]; then
+ echo "Failed to install kubernetes cluster. Aborting.."
+ return 1
+ fi
+ echo "Microk8s cluster installed successfully"
+ sudo usermod -a -G microk8s $USER
+ echo "Enabling DNS and helm3"
+ microk8s.enable dns helm3
+ echo "Creating configuration file for Microk8s"
+ microk8s kubectl config view --raw > $HOME/.kube/config
+ chmod 600 $HOME/.kube/config
+ echo "K8s installation completed"
+ else
+ echo "K8s cluster is already running"
+ return 0
+ fi
+
+}
+
+function teardown_cluster () {
+ echo "Removing k8s cluster and k8s configuration file"
+ sudo snap remove microk8s;rm -rf $HOME/.kube/config
+ echo "K8s Cluster removed"
+}
+
+
+if [ $1 == "install" ]; then
+ spin_microk8s_cluster
+ if [ "${?}" -eq 0 ]; then
+ echo "Installing policy helm charts in the default namespace"
+ cd ../helm/;helm dependency build policy;microk8s helm install dev-policy policy;
+ echo "Policy chart installation completed"
+ fi
+
+elif [ $1 == "uninstall" ]; then
+ teardown_cluster
+else
+ echo "Invalid arguments provided. Usage: $0 [option..] {install | uninstall}"
+fi
+
diff --git a/helm/policy/Chart.yaml b/helm/policy/Chart.yaml
new file mode 100755
index 00000000..f1930303
--- /dev/null
+++ b/helm/policy/Chart.yaml
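Review bot: The kubeconfig produced by `microk8s kubectl config view --raw > $HOME/.kube/config` holds the cluster's admin credentials, yet it is created under the caller's default umask before `chmod 600` runs, and the redirect fails outright when `$HOME/.kube` does not exist on a fresh host. Create the directory and restrict the mode before the file exists: `mkdir -p "$HOME/.kube"` followed by `( umask 077; microk8s kubectl config view --raw > "$HOME/.kube/config" )`. The dispatch `if [ $1 == "install" ]` leaves `$1` unquoted, so running the script with no argument is a `[` syntax error instead of the usage message — use `[ "${1:-}" == "install" ]` — and `cd ../helm/;helm dependency build policy;...` continues after a failed `cd`, so chain those with `&&` or add `set -euo pipefail` at the top. Note also that `usermod -a -G microk8s $USER` does not affect the running session, so the following non-sudo `microk8s.enable` and `microk8s kubectl` calls presumably rely on the snap having granted access already; worth confirming on a clean machine.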
@@ -0,0 +1,35 @@
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v2
+description: ONAP Policy
+name: policy
+version: 11.0.0
+
+dependencies:
+ - name: mariadb-galera
+ version: ~11.x-0
+ repository: 'file://components/mariadb-galera'
+ - name: policy-clamp-ac-k8s-ppnt
+ version: ~11.x-0
+ repository: 'file://components/policy-clamp-ac-k8s-ppnt'
+ condition: policy-clamp-ac-k8s-ppnt.enabled
+ - name: policy-clamp-runtime-acm
+ version: ~11.x-0
+ repository: 'file://components/policy-clamp-runtime-acm'
+ condition: policy-clamp-runtime-acm.enabled
+ - name: policy-models-simulator
+ version: ~11.x-0
+ repository: 'file://components/policy-models-simulator'
+ condition: policy-models-simulator.enabled
diff --git a/helm/policy/components/mariadb-galera/.helmignore b/helm/policy/components/mariadb-galera/.helmignore
new file mode 100644
index 00000000..f0c13194
--- /dev/null
+++ b/helm/policy/components/mariadb-galera/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/helm/policy/components/mariadb-galera/Chart.yaml b/helm/policy/components/mariadb-galera/Chart.yaml
new file mode 100644
index 00000000..63b04a03
--- /dev/null
+++ b/helm/policy/components/mariadb-galera/Chart.yaml
@@ -0,0 +1,25 @@
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v2
+description: Chart for MariaDB Galera cluster
+name: mariadb-galera
+version: 11.0.0
+keywords:
+ - mariadb
+ - mysql
+ - database
+ - sql
+ - galera
+ - cluster
diff --git a/helm/policy/components/mariadb-galera/templates/configmap.yaml b/helm/policy/components/mariadb-galera/templates/configmap.yaml
new file mode 100644
index 00000000..e0b33086
--- /dev/null
+++ b/helm/policy/components/mariadb-galera/templates/configmap.yaml
@@ -0,0 +1,30 @@
+{{/*
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ if .Values.mariadbConfiguration }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Chart.Name }}-configuration
+ namespace: default
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: Helm
+data:
+ my.cnf: |
+{{ .Values.mariadbConfiguration | indent 4 }}
+{{- end }}
diff --git a/helm/policy/components/mariadb-galera/templates/metrics-svc.yaml b/helm/policy/components/mariadb-galera/templates/metrics-svc.yaml
new file mode 100644
index 00000000..00917452
--- /dev/null
+++ b/helm/policy/components/mariadb-galera/templates/metrics-svc.yaml
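Review bot: `namespace: default` is hardcoded in `metadata`, so the chart ignores the release namespace (`helm install -n …`) and this ConfigMap lands in `default` regardless; the same literal appears in every other mariadb-galera template in this change and in the `gcomm://…-headless.default.svc…` address and `namespaces: - default` anti-affinity term of the StatefulSet. Use `namespace: {{ .Release.Namespace }}` (or omit the field and let Helm apply the release namespace) so the database, its Secrets and its RoleBinding can be isolated from other workloads by namespace instead of always sharing `default`.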
@@ -0,0 +1,37 @@
+{{/*
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if default false .Values.global.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Chart.Name }}-metrics
+ namespace: default
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: Helm
+spec:
+ type: {{ .Values.metrics.service.type }}
+ ports:
+ - name: tcp-metrics
+ port: {{ .Values.metrics.service.port }}
+ targetPort: tcp-metrics
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+
+{{- end }}
diff --git a/helm/policy/components/mariadb-galera/templates/pdb.yaml b/helm/policy/components/mariadb-galera/templates/pdb.yaml
new file mode 100644
index 00000000..e4f7e5c3
--- /dev/null
+++ b/helm/policy/components/mariadb-galera/templates/pdb.yaml
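Review bot: `spec.selector` on a Service is a flat label map, not a `matchLabels` block, so `selector: matchLabels: app.kubernetes.io/name: …` is an unknown field that the API server either rejects under strict field validation or prunes, leaving a metrics Service with no selector and therefore no endpoints. Replace the tail of the spec with `selector:` followed directly by `app.kubernetes.io/name: {{ .Chart.Name }}`, which is the shape `service.yaml` in this change already uses. Since the exporter this Service fronts is started with the MariaDB root credentials in the StatefulSet, it is also worth keeping `metrics.service.type` at `ClusterIP` unless an external exposure of `/metrics` is deliberately intended.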
@@ -0,0 +1,37 @@
+{{/*
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.podDisruptionBudget.create }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ .Chart.Name }}
+ namespace: default
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: Helm
+spec:
+{{- if .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+{{- end }}
+{{- if .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+{{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+{{- end }}
diff --git a/helm/policy/components/mariadb-galera/templates/prometheusrules.yaml b/helm/policy/components/mariadb-galera/templates/prometheusrules.yaml
new file mode 100644
index 00000000..3e7bad66
--- /dev/null
+++ b/helm/policy/components/mariadb-galera/templates/prometheusrules.yaml
@@ -0,0 +1,35 @@
+{{/*
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if default false (and .Values.global.metrics.enabled .Values.global.metrics.custom_resources) }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: { .Chart.Name }}
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: Helm
+
+ {{- toYaml .Values.metrics.prometheusRules.selector | nindent 4 }}
+spec:
+ groups:
+ - name: {{ .Chart.Name }}
+ rules:
+ {{- toYaml .Values.metrics.prometheusRules.rules | nindent 6 }}
+{{- end }}
+
diff --git a/helm/policy/components/mariadb-galera/templates/pv.yaml b/helm/policy/components/mariadb-galera/templates/pv.yaml
new file mode 100644
index 00000000..3790c78a
--- /dev/null
+++ b/helm/policy/components/mariadb-galera/templates/pv.yaml
@@ -0,0 +1,81 @@
+{{/*
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+ name: {{ .Chart.Name }}--0
+ namespace: default
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: Helm
+
+spec:
+ capacity:
+ storage: {{ .Values.persistence.size }}
+ accessModes:
+ - {{ .Values.persistence.accessMode }}
+ persistentVolumeReclaimPolicy:
+ storageClassName: "mariadb-galera-data"
+ hostPath:
+ path: /dockerdata-nfs/mariadb-galera/data-0
+
+---
+
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+ name: {{ .Chart.Name }}--1
+ namespace: default
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: Helm
+
+spec:
+ capacity:
+ storage: {{ .Values.persistence.size }}
+ accessModes:
+ - {{ .Values.persistence.accessMode }}
+ persistentVolumeReclaimPolicy:
+ storageClassName: "mariadb-galera-data"
+ hostPath:
+ path: /dockerdata-nfs/mariadb-galera/data-1
+
+---
+
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+ name: {{ .Chart.Name }}--2
+ namespace: default
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: Helm
+
+spec:
+ capacity:
+ storage: {{ .Values.persistence.size }}
+ accessModes:
+ - {{ .Values.persistence.accessMode }}
+ persistentVolumeReclaimPolicy:
+ storageClassName: "mariadb-galera-data"
+ hostPath:
+ path: /dockerdata-nfs/mariadb-galera/data-2
+
diff --git a/helm/policy/components/mariadb-galera/templates/role-binding.yaml b/helm/policy/components/mariadb-galera/templates/role-binding.yaml
new file mode 100644
index 00000000..c06b1950
--- /dev/null
+++ b/helm/policy/components/mariadb-galera/templates/role-binding.yaml
@@ -0,0 +1,29 @@
+{{/*
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Chart.Name }}-read
+ namespace: default
+subjects:
+- kind: ServiceAccount
+ name: {{ .Chart.Name }}-read
+roleRef:
+ kind: Role
+ name: read
+ apiGroup: rbac.authorization.k8s.io
+
diff --git a/helm/policy/components/mariadb-galera/templates/secrets.yaml b/helm/policy/components/mariadb-galera/templates/secrets.yaml
new file mode 100644
index 00000000..7a134928
--- /dev/null
+++ b/helm/policy/components/mariadb-galera/templates/secrets.yaml
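Review bot: `name: { .Chart.Name }}` is missing its opening brace, so whenever `global.metrics.custom_resources` is enabled the template emits the literal text instead of the chart name and `helm install` fails on an invalid manifest; it should read `name: {{ .Chart.Name }}`. The next line, `namespace: {{ include "common.namespace" . }}`, calls a `common.namespace` helper that this chart does not declare — the mariadb-galera `Chart.yaml` in this change lists no dependencies and no `_helpers.tpl` is part of the template set — so the same branch would fail with a missing-template error; `{{ .Release.Namespace }}` serves here and would also replace the hardcoded `namespace: default` used by the sibling templates. Both defects are hidden behind the metrics condition, which is presumably why rendering with default values did not catch them.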
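Review bot: `persistentVolumeReclaimPolicy:` is left empty in all three PersistentVolumes, which YAML reads as null, so the API server's default applies rather than a policy the chart chose; state the intent explicitly as `persistentVolumeReclaimPolicy: Retain`, because these `hostPath` volumes hold the database files and a `Delete` policy would remove `/dockerdata-nfs/mariadb-galera/data-N` on PVC deletion. `namespace: default` on a PersistentVolume is ignored (PVs are cluster-scoped), and three statically named PVs (`--0`, `--1`, `--2`) will not follow `replicaCount` past 3. Because `hostPath` lets the pods write straight to the node filesystem, a short comment at the top of the file stating that this is for the single-node microk8s CSIT environment and not for shared clusters would save a future reader from reusing it elsewhere.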
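Review bot: The RoleBinding grants ServiceAccount `{{ .Chart.Name }}-read` a Role named `read`, but no Role of that name is created among the mariadb-galera templates in this change, so unless it exists elsewhere in the repository the binding is dangling and confers nothing — harmless for least privilege, but then the binding is dead configuration that suggests permissions which are not there. If it is kept, add `namespace: {{ .Release.Namespace }}` under the ServiceAccount subject and replace the hardcoded `namespace: default` so the binding follows the release; if the StatefulSet does not need API access (nothing in its containers in this change calls the API), drop the binding and the Role reference altogether.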
@@ -0,0 +1,59 @@
+{{/*
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mariadb-galera-db-backup-credentials
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ heritage: Helm
+type: Opaque
+stringData:
+ login: {{ .Values.galera.mariabackup.user }}
+ password: {{ .Values.galera.mariabackup.password }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mariadb-galera-db-root-password
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ heritage: Helm
+type: Opaque
+stringData:
+ password: {{ .Values.rootUser.password }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mariadb-galera-db-user-credentials
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ heritage: Helm
+type: Opaque
+stringData:
+ login: {{ .Values.db.user }}
+ password: {{ .Values.db.password }}
+
diff --git a/helm/policy/components/mariadb-galera/templates/service-account.yaml b/helm/policy/components/mariadb-galera/templates/service-account.yaml
new file mode 100644
index 00000000..417938a6
--- /dev/null
+++ b/helm/policy/components/mariadb-galera/templates/service-account.yaml
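Review bot: The three Secrets are rendered unconditionally from plaintext chart values — `password: {{ .Values.rootUser.password }}` and the `db` and `mariabackup` equivalents — while `values.yaml` in this change states that the password is ignored when `externalSecret` is set and is randomly generated when unset; neither branch exists in this template, and the shipped default is the literal `dOM39tQX`, so every deployment that does not override it shares a committed root password. Honour the documented contract: skip rendering a Secret when the corresponding `externalSecret` is set, and otherwise fall back to a generated value, e.g. `password: {{ .Values.rootUser.password | default (randAlphaNum 16) | quote }}` (paired with a `lookup` of the existing Secret so upgrades do not rotate it). Independently, every `stringData` value should go through `| quote` — `password: {{ .Values.rootUser.password | quote }}` — because an unquoted password containing `:`, `#`, `*` or a leading `@`/`{` either breaks the YAML or silently changes the stored value.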
@@ -0,0 +1,20 @@
+{{/*
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Chart.Name }}-read
diff --git a/helm/policy/components/mariadb-galera/templates/service.yaml b/helm/policy/components/mariadb-galera/templates/service.yaml
new file mode 100644
index 00000000..0494f7d8
--- /dev/null
+++ b/helm/policy/components/mariadb-galera/templates/service.yaml
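Review bot: The ServiceAccount is created without `automountServiceAccountToken: false`, so every mariadb-galera pod (which references it via `serviceAccountName: mariadb-galera-read` in the StatefulSet) receives a projected API token even though none of the containers in this change talk to the Kubernetes API. Add `automountServiceAccountToken: false` at the top level of this ServiceAccount (or under the pod spec) so a compromised database or exporter container does not hold an API credential. For consistency with the sibling templates it also lacks the `app.kubernetes.io/*` labels, which are what the other objects use for selection.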
@@ -0,0 +1,68 @@
+{{/*
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Chart.Name }}
+ namespace: default
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: Helm
+spec:
+ ports:
+ - port: 3306
+ targetPort: tcp-mysql
+ protocol: TCP
+ name: tcp-mysql
+ ipFamilyPolicy: PreferDualStack
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ sessionAffinity: None
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Chart.Name }}-headless
+ namespace: default
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: Helm
+spec:
+ clusterIP: None
+ ports:
+ - port: 4567
+ targetPort: tcp-galera
+ protocol: TCP
+ name: tcp-galera
+ - port: 4568
+ targetPort: tcp-ist
+ protocol: TCP
+ name: tcp-ist
+ - port: 4444
+ targetPort: tcp-sst
+ protocol: TCP
+ name: tcp-sst
+ ipFamilyPolicy: PreferDualStack
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ sessionAffinity: None
diff --git a/helm/policy/components/mariadb-galera/templates/statefulset.yaml b/helm/policy/components/mariadb-galera/templates/statefulset.yaml
new file mode 100644
index 00000000..3644a9bd
--- /dev/null
+++ b/helm/policy/components/mariadb-galera/templates/statefulset.yaml
@@ -0,0 +1,338 @@
+{{/*
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ .Chart.Name }}
+ namespace: default
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: Helm
+
+spec:
+ podManagementPolicy: {{ .Values.podManagementPolicy }}
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+
+ serviceName: {{ .Chart.Name }}-headless
+ updateStrategy:
+ type: {{ .Values.updateStrategy.type }}
+ {{- if (eq "Recreate" .Values.updateStrategy.type) }}
+ rollingUpdate: null
+ {{- end }}
+ template:
+ metadata:
+ annotations:
+ traffic.sidecar.istio.io/excludeInboundPorts: 4444,4567,4568
+ traffic.sidecar.istio.io/excludeOutboundPorts: 4444,4567,4568
+ traffic.sidecar.istio.io/includeInboundPorts: '*'
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: Helm
+ name: {{ .Chart.Name }}
+
+ spec:
+ securityContext:
+ runAsUser: 10001
+ runAsGroup: 10001
+ fsGroup: 10001
+ initContainers:
+ # we shouldn't need this but for unknown reason, it's fsGroup is not
+ # applied
+ - name: fix-permission
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /data
+ chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /bootstrap/
+ chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /tmp/
+ {{- if .Values.mariadbConfiguration }}
+ cp /config/my.cnf /actual/my.cnf
+ chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /actual
+ {{- end }}
+ image: docker.io/library/busybox:1.34.1
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: previous-boot
+ mountPath: /bootstrap
+ - name: mariadb-tmp-folder
+ mountPath: /tmp
+ - name: {{ .Chart.Name }}
+ mountPath: /data
+ {{- if .Values.mariadbConfiguration }}
+ - name: mariadb-galera-starting-config
+ mountPath: /config/my.cnf
+ subPath: my.cnf
+ - name: mariadb-galera-actual-config
+ mountPath: /actual
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: {{ .Values.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy | quote}}
+ command:
+ - bash
+ - -ec
+ - |
+ {{- if (not (empty (.Values.galera.bootstrap.bootstrapFromNode | quote)))}}
+ {{- $fullname := "mariadb-galera" }}
+ {{- $bootstrapFromNode := int .Values.galera.bootstrap.bootstrapFromNode }}
+ # Bootstrap from the indicated node
+ NODE_ID="${MY_POD_NAME#"{{ $fullname }}-"}"
+ if [[ "$NODE_ID" -eq "{{ $bootstrapFromNode }}" ]]; then
+ export MARIADB_GALERA_CLUSTER_BOOTSTRAP=yes
+ export MARIADB_GALERA_FORCE_SAFETOBOOTSTRAP={{ ternary "yes" "no" .Values.galera.bootstrap.forceSafeToBootstrap }}
+ fi
+ {{- end }}
+ exec /opt/bitnami/scripts/mariadb-galera/entrypoint.sh /opt/bitnami/scripts/mariadb-galera/run.sh
+ env:
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: BITNAMI_DEBUG
+ value: {{ ternary "true" "false" .Values.debug | quote }}
+ - name: MARIADB_INIT_SLEEP_TIME
+ value: {{ .Values.init_sleep_time | quote }}
+ - name: MARIADB_GALERA_CLUSTER_NAME
+ value: {{ .Values.galera.name | quote }}
+ - name: MARIADB_GALERA_CLUSTER_ADDRESS
+ value: "gcomm://{{ .Chart.Name }}-headless.default.svc.{{ .Values.global.clusterDomain }}"
+ # Bitnami init script don't behave well in dual stack env.
+ # set it here as long as https://github.com/bitnami/charts/issues/4077 is not solved.
+ - name: MARIADB_GALERA_NODE_ADDRESS
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: MARIADB_ROOT_USER
+ value: {{ .Values.rootUser.user | quote }}
+ - name: MARIADB_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mariadb-galera-db-root-password
+ key: password
+ - name: MARIADB_USER
+ valueFrom:
+ secretKeyRef:
+ name: mariadb-galera-db-user-credentials
+ key: login
+ - name: MARIADB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mariadb-galera-db-user-credentials
+ key: password
+ - name: MARIADB_DATABASE
+ value: {{ .Values.db.name | quote }}
+ - name: MARIADB_GALERA_MARIABACKUP_USER
+ valueFrom:
+ secretKeyRef:
+ name: mariadb-galera-db-backup-credentials
+ key: login
+ - name: MARIADB_GALERA_MARIABACKUP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mariadb-galera-db-backup-credentials
+ key: password
+ {{- if .Values.extraFlags }}
+ - name: MARIADB_EXTRA_FLAGS
+ value: {{ .Values.extraFlags | quote }}
+ {{- end }}
+ ports:
+ - containerPort: 3306
+ name: tcp-mysql
+ - containerPort: 4567
+ name: tcp-galera
+ - containerPort: 4568
+ name: tcp-ist
+ - containerPort: 4444
+ name: tcp-sst
+ {{- if .Values.livenessProbe.enabled }}
+ livenessProbe:
+ exec:
+ command:
+ - sh
+ - -ec
+ - |
+ exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.readinessProbe.enabled }}
+ readinessProbe:
+ exec:
+ command:
+ - sh
+ - -ec
+ - |
+ exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.startupProbe.enabled }}
+ startupProbe:
+ exec:
+ command:
+ - sh
+ - -ec
+ - |
+ exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD
+ initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.startupProbe.successThreshold }}
+ failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+ {{- end }}
+ resources:
+{{ toYaml .Values.resources.small | indent 12 }}
+ volumeMounts:
+ - name: previous-boot
+ mountPath: /opt/bitnami/mariadb/.bootstrap
+ - name: {{ .Chart.Name }}
+ mountPath: /bitnami/mariadb
+ - name: mariadb-tmp-folder
+ mountPath: /opt/bitnami/mariadb/tmp
+ {{- if .Values.mariadbConfiguration }}
+ - name: mariadb-galera-actual-config
+ mountPath: /opt/bitnami/mariadb/conf
+ {{- end }}
+ {{- if default false .Values.global.metrics.enabled }}
+ - name: {{ .Chart.Name }}-metrics
+ image: {{ .Values.metrics.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.metrics.pullPolicy | quote}}
+ env:
+ - name: MARIADB_METRICS_EXTRA_FLAGS
+ value: {{ default "" (join " " .Values.metrics.extraFlags) | quote }}
+ - name: MARIADB_ROOT_USER
+ value: {{ .Values.rootUser.user | quote }}
+ - name: MARIADB_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mariadb-galera-db-root-password
+ key: password
+ command:
+ - sh
+ - -c
+ - |
+ DATA_SOURCE_NAME="$MARIADB_ROOT_USER:$MARIADB_ROOT_PASSWORD@(localhost:3306)/" /bin/mysqld_exporter $MARIADB_METRICS_EXTRA_FLAGS
+ ports:
+ - name: tcp-metrics
+ containerPort: 9104
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: tcp-metrics
+ initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }}
+ readinessProbe:
+ httpGet:
+ path: /metrics
+ port: tcp-metrics
+ initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }}
+ securityContext:
+ runAsUser: 10001
+ runAsGroup: 10001
+ fsGroup: 10001
+ resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+ {{- end }}
+ imagePullSecrets:
+ - name: default-docker-registry-key
+ {{- if .Values.schedulerName }}
+ schedulerName: {{ .Values.schedulerName | quote }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+ {{- end }}
+ serviceAccountName: mariadb-galera-read
+ affinity:
+ podAffinity: {}
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ namespaces:
+ - default
+ topologyKey: kubernetes.io/hostname
+ weight: 1
+ nodeAffinity: {}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 10 }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 10 }}
+ {{- end }}
+ volumes:
+ - name: previous-boot
+ emptyDir: {}
+ - name: mariadb-tmp-folder
+ emptyDir: {}
+ {{- if .Values.mariadbConfiguration }}
+ - name: mariadb-galera-actual-config
+ emptyDir: {}
+ - name: mariadb-galera-starting-config
+ configMap:
+ name: {{ .Chart.Name }}-configuration
+ {{- end }}
+{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
+ - name: {{ .Chart.Name }}
+ persistentVolumeClaim:
+ claimName: {{ .Values.persistence.existingClaim }}
+{{- else if not .Values.persistence.enabled }}
+ - name: {{ .Chart.Name }}
+ emptyDir: {}
+{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+ volumeClaimTemplates:
+ - metadata:
+ name: {{ .Chart.Name }}
+ namespace: default
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: Helm
+
+ spec:
+ accessModes:
+ - {{ .Values.persistence.accessMode }}
+ storageClassName: mariadb-galera-data
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size }}
+{{- end }}
diff --git a/helm/policy/components/mariadb-galera/values.yaml b/helm/policy/components/mariadb-galera/values.yaml
new file mode 100644
index 00000000..d2a54a41
--- /dev/null
+++ b/helm/policy/components/mariadb-galera/values.yaml
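Review bot: All three probes run `exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD`, which places the root password on the process argv where any process in the container (or a `ps` from a debug shell) can read it; pass it through the environment instead, `MYSQL_PWD="$MARIADB_ROOT_PASSWORD" exec mysqladmin status -u"$MARIADB_ROOT_USER"`, in each of the liveness, readiness and startup probes. The metrics sidecar's `securityContext` lists `fsGroup: 10001`, but `fsGroup` is a pod-level field that is not valid in a container `securityContext`, so it is either rejected or silently dropped — remove it there (it is already set on the pod). `BITNAMI_DEBUG` is driven by `.Values.debug`, which `values.yaml` in this change defaults to `true` and describes as turning on BASH debugging; tracing the entrypoint can echo the `MARIADB_*_PASSWORD` variables into pod logs, so the default should be `false`. Finally the `fix-permission` init container runs as `runAsUser: 0` and `chown -R`s a hostPath-backed volume, and neither it nor the mariadb or exporter containers set `allowPrivilegeEscalation: false` or `capabilities: {drop: [ALL]}`; adding those two lines to the non-root containers (the init container needs `CHOWN`/`FOWNER` retained) would bring the pod close to the restricted Pod Security profile.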
@@ -0,0 +1,607 @@ +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + persistence: + mountPath: /dockerdata-nfs + backup: + mountPath: /dockerdata-nfs/backup + clusterDomain: cluster.local + metrics: {} + dockerHubRepository: &dockerHubRepository docker.io + +passwordStrengthOverride: basic + +image: docker.io/bitnami/mariadb-galera:10.5.8 +## Specify a imagePullPolicy +## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' +## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images +## +pullPolicy: Always + +## Set to true if you would like to see extra information on logs +## It turns BASH debugging in minideb-extras-base +## +debug: true + +## Sometimes, especially when a lot of pods are created at the same time, +## actions performed on the databases are tried to be done before actual start. +init_sleep_time: 5 + +## String to partially override common.names.fullname template (will maintain the release name) +## +nameOverride: mariadb-galera + +## Use an alternate scheduler, e.g. "stork". 
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel +## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy +## +podManagementPolicy: OrderedReady + + +## Pods Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + nameOverride: mariadb-galera + roles: + - read + +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + user_id: 10001 + group_id: 10001 + +## Database credentials for root (admin) user +## +rootUser: + ## MariaDB admin user + user: root + ## MariaDB admin password + ## Password is ignored if externalSecret is specified. + ## If not set, password will be "randomly" generated + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#setting-the-root-password-on-first-run + ## + password: dOM39tQX + # externalSecret: + +## Custom db configuration +## +db: + ## MariaDB username and password + ## Password is ignored if externalSecret is specified. 
+ ## If not set, password will be "randomly" generated + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-user-on-first-run + ## + user: policy-user + password: policy-user + # externalSecret: + ## Database to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-on-first-run + ## + # name: my_database + +## Galera configuration +## +galera: + ## Galera cluster name + ## + name: galera + + ## Bootstraping options + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#bootstraping + bootstrap: + ## Node to bootstrap from, you will need to change this parameter incase you want to bootstrap from other node + ## + bootstrapFromNode: 0 + ## Force safe_to_bootstrap in grastate.date file. + ## This will set safe_to_bootstrap=1 in the node indicated by bootstrapFromNode. + forceSafeToBootstrap: true + + ## Credentials to perform backups + ## + mariabackup: + ## MariaBackup username and password + ## Password is ignored if externalSecret is specified. + ## If not set, password will be "randomly" generated + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#setting-up-a-multi-master-cluster + ## + user: mariabackup + password: pt49gEq7 + # externalSecret: + +## The backup job will mount the mariadb data pvc in order to run mariabackup. +## For this reason the db data pvc needs to have accessMode: ReadWriteMany. 
+backup: + enabled: false + cron: "00 00 * * *" + retentionPeriod: 3 + persistence: + ## If true, use a Persistent Volume Claim, If false, use emptyDir + ## + enabled: true + # Enable persistence using an existing PVC + # existingClaim: + ## selector can be used to match an existing PersistentVolume + ## selector: + ## matchLabels: + ## app: my-app + selector: {} + ## Persistent Volume Storage Class + ## If defined, storageClassName: <storageClass> + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + ## Persistent Volume Claim annotations + ## + annotations: + ## Persistent Volume Access Mode + ## + accessMode: ReadWriteOnce + ## Persistent Volume size + ## + size: 2Gi + +## TLS configuration +## +tls: + ## Enable TLS + ## + enabled: false + ## Name of the secret that contains the certificates + ## + # certificatesSecret: + ## Certificate filename + ## + # certFilename: + ## Certificate Key filename + ## + # certKeyFilename: + ## CA Certificate filename + ## + # certCAFilename: + +## Configure MariaDB with a custom my.cnf file +## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file +## Alternatively, you can put your my.cnf under the files/ directory +## +mariadbConfiguration: |- + [client] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + plugin_dir=/opt/bitnami/mariadb/plugin + + [mysqld] + lower_case_table_names = 1 + default_storage_engine=InnoDB + basedir=/opt/bitnami/mariadb + datadir=/bitnami/mariadb/data + plugin_dir=/opt/bitnami/mariadb/plugin + tmpdir=/opt/bitnami/mariadb/tmp + socket=/opt/bitnami/mariadb/tmp/mysql.sock + pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid + bind_address=0.0.0.0 + + ## Character set + collation_server=utf8_unicode_ci + init_connect='SET NAMES utf8' + 
character_set_server=utf8 + + ## MyISAM + key_buffer_size=32M + myisam_recover_options=FORCE,BACKUP + + ## Safety + skip_host_cache + skip_name_resolve + max_allowed_packet=16M + max_connect_errors=1000000 + sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY + sysdate_is_now=1 + + ## Binary Logging + log_bin=mysql-bin + expire_logs_days=14 + # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql + sync_binlog=0 + # Required for Galera + binlog_format=row + + ## Caches and Limits + tmp_table_size=32M + max_heap_table_size=32M + # Re-enabling as now works with Maria 10.1.2 + query_cache_type=1 + query_cache_limit=4M + query_cache_size=256M + max_connections=500 + thread_cache_size=50 + open_files_limit=65535 + table_definition_cache=4096 + table_open_cache=4096 + + ## InnoDB + innodb=FORCE + innodb_strict_mode=1 + # Mandatory per https://github.com/codership/documentation/issues/25 + innodb_autoinc_lock_mode=2 + # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/ + innodb_doublewrite=1 + innodb_flush_method=O_DIRECT + innodb_log_files_in_group=2 + innodb_log_file_size=128M + innodb_flush_log_at_trx_commit=1 + innodb_file_per_table=1 + # 80% Memory is default reco. 
+ # Need to re-evaluate when DB size grows + innodb_buffer_pool_size=2G + innodb_file_format=Barracuda + + ## Logging + log_error=/opt/bitnami/mariadb/logs/mysqld.log + slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log + log_queries_not_using_indexes=1 + slow_query_log=1 + + ## SSL + ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem + # ssl_ca=/certs/ca.pem + # ssl_cert=/certs/server-cert.pem + # ssl_key=/certs/server-key.pem + + [galera] + wsrep_on=ON + wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so + wsrep_sst_method=mariabackup + wsrep_slave_threads=4 + wsrep_cluster_address=gcomm:// + wsrep_cluster_name=galera + wsrep_sst_auth="root:" + # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit + innodb_flush_log_at_trx_commit=2 + # MYISAM REPLICATION SUPPORT # + wsrep_replicate_myisam=ON + binlog_format=row + default_storage_engine=InnoDB + innodb_autoinc_lock_mode=2 + transaction-isolation=READ-COMMITTED + wsrep_causal_reads=1 + wsrep_sync_wait=7 + + [mariadb] + plugin_load_add=auth_pam + + ## Data-at-Rest Encryption + ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem + # plugin_load_add=file_key_management + # file_key_management_filename=/encryption/keyfile.enc + # file_key_management_filekey=FILE:/encryption/keyfile.key + # file_key_management_encryption_algorithm=AES_CTR + # encrypt_binlog=ON + # encrypt_tmp_files=ON + + ## InnoDB/XtraDB Encryption + # innodb_encrypt_tables=ON + # innodb_encrypt_temporary_tables=ON + # innodb_encrypt_log=ON + # innodb_encryption_threads=4 + # innodb_encryption_rotate_key_age=1 + + ## Aria Encryption + # aria_encrypt_tables=ON + # encrypt_tmp_disk_tables=ON + +## MariaDB additional command line flags +## Can be used to specify command line flags, for example: +## +## extraFlags: "--max-connect-errors=1000 --max_connections=155" + +## Desired number of cluster nodes +## +replicaCount: 3 + +## updateStrategy for 
MariaDB Master StatefulSet +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## +updateStrategy: + type: RollingUpdate + +## Additional pod annotations for MariaDB Galera pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## -> here required to enable mariadb-galera in istio +## +podAnnotations: + # sidecar.istio.io/inject: "false" + traffic.sidecar.istio.io/excludeInboundPorts: "4444,4567,4568" + traffic.sidecar.istio.io/includeInboundPorts: '*' + traffic.sidecar.istio.io/excludeOutboundPorts: "4444,4567,4568" + +## Pod affinity preset +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## Allowed values: soft, hard +## +podAffinityPreset: "" + +## Pod anti-affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## Allowed values: soft, hard +## +podAntiAffinityPreset: soft + +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## Allowed values: soft, hard +## +nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + +## Affinity for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} + +## Node labels for pod assignment. Evaluated as a template. +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## Tolerations for pod assignment. Evaluated as a template. 
+## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + +## Enable persistence using Persistent Volume Claims +## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + ## If true, use a Persistent Volume Claim, If false, use emptyDir + ## + enabled: true + # Enable persistence using an existing PVC + # existingClaim: + mountPath: /dockerdata-nfs + mountSubPath: "mariadb-galera/data" + ## selector can be used to match an existing PersistentVolume + ## selector: + ## matchLabels: + ## app: my-app + selector: {} + ## Persistent Volume Storage Class + ## If defined, storageClassName: <storageClass> + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + ## Persistent Volume Claim annotations + ## + annotations: + ## Persistent Volume Access Mode + ## Use ReadWriteMany if backup is enabled, see backup section. 
+ ## + accessMode: ReadWriteOnce + ## Persistent Volume size + ## + size: 3Gi + +## Additional pod labels +## +# podLabels: +# extraLabel: extraValue + +## Priority Class Name +# +# priorityClassName: 'priorityClass' + +## MariaDB Galera containers' resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +flavor: small +resources: + small: + limits: + cpu: 1 + memory: 4Gi + requests: + cpu: 500m + memory: 2Gi + unlimited: {} + +## MariaDB Galera containers' liveness and readiness probes +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## +livenessProbe: + enabled: true + initialDelaySeconds: 1 + periodSeconds: 10 + timeoutSeconds: 180 + successThreshold: 1 + failureThreshold: 3 +readinessProbe: + enabled: true + initialDelaySeconds: 1 + periodSeconds: 10 + timeoutSeconds: 180 + successThreshold: 1 + failureThreshold: 3 +startupProbe: + ## Initializing the database could take some time + ## + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 180 + successThreshold: 1 + # will wait up for initialDelaySeconds + failureThreshold*periodSeconds before + # stating startup wasn't good (910s per default) + failureThreshold: 90 + +## Pod disruption budget configuration +## +podDisruptionBudget: + ## Specifies whether a Pod disruption budget should be created + ## + create: true + minAvailable: 1 + # maxUnavailable: 1 + +## Prometheus exporter configuration +## +metrics: + ## Bitnami MySQL Prometheus exporter image + ## ref: https://hub.docker.com/r/bitnami/mysqld-exporter/tags/ + ## + image: docker.io/bitnami/mysqld-exporter:0.12.1-debian-10-r264 + pullPolicy: Always + ## MySQL exporter additional command line flags + ## Can be used to specify command line flags + ## E.g.: + ## extraFlags: + ## - --collect.binlog_size + ## + extraFlags: [] + ## MySQL Prometheus exporter containers' resource requests and limits + ## ref: 
http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: + cpu: 0.5 + memory: 256Mi + requests: + cpu: 0.5 + memory: 256Mi + ## MariaDB Galera metrics container's liveness and readiness probes + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + ## MySQL Prometheus exporter service parameters + ## + service: + type: ClusterIP + port: 9104 + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9104" + + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + enabled: false + ## Namespace in which Prometheus is running + ## + # namespace: monitoring + + ## Interval at which metrics should be scraped. 
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + # interval: 10s + + ## Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + # scrapeTimeout: 10s + + ## ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + # selector: + # prometheus: kube-prometheus + + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + relabelings: [] + + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + metricRelabelings: [] + # - sourceLabels: + # - "__name__" + # targetLabel: "__name__" + # action: replace + # regex: '(.*)' + # replacement: 'example_prefix_$1' + + ## Prometheus Operator PrometheusRule configuration + ## + prometheusRules: + enabled: false + + ## Additional labels to add to the PrometheusRule so it is picked up by the operator. + ## If using the [Helm Chart](https://github.com/helm/charts/tree/master/stable/prometheus-operator) this is the name of the Helm release and 'app: prometheus-operator' + selector: + app: prometheus-operator + release: prometheus + + ## Rules as a map. + rules: [] + # - alert: MariaDB-Down + # annotations: + # message: 'MariaDB instance {{ $labels.instance }} is down' + # summary: MariaDB instance is down + # expr: absent(up{job="mariadb-galera"} == 1) + # labels: + # severity: warning + # service: mariadb-galera + # for: 5m diff --git a/helm/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml b/helm/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml new file mode 100644 index 00000000..4f02d934 --- /dev/null 
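Review bot: Working credentials are committed in plain text in this values file — `rootUser.password: dOM39tQX`, `db.password: policy-user` and `galera.mariabackup.password: pt49gEq7` — even though the file's own comments say a password is generated when unset and that `externalSecret` takes precedence. With `debug: true`, which the file describes as turning on bash debugging in the image, command tracing can echo those values into pod logs as well. If these are CSIT-only defaults, leave the three `password:` keys commented out (as `# externalSecret:` already is) so the documented generation path applies, or at least mark each one: `## CSIT test default only - override or use externalSecret outside CI`. The `wsrep_sst_auth="root:"` line inside `mariadbConfiguration` appears to configure SST with the root user and an empty password and should follow whatever mechanism the root password ends up using.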
+++ b/helm/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml
@@ -0,0 +1,22 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+apiVersion: v2
+description: ONAP Policy Clamp Controlloop K8s Participant
+name: policy-clamp-ac-k8s-ppnt
+version: 11.0.0
diff --git a/helm/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml b/helm/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml
new file mode 100644
index 00000000..9a0a8fdc
--- /dev/null
+++ b/helm/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml
@@ -0,0 +1,132 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +spring: + autoconfigure: + exclude: > + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration, + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration, + org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration + security: + user: + name: ${RESTSERVER_USER} + password: ${RESTSERVER_PASSWORD} + kafka: + consumer: + group-id: {{ .Values.config.kafka.consumer.groupId }} +{{- if .Values.config.useStrimziKafka }} + bootstrap-servers: release-{{ .Values.config.kafkaBootstrap }}:9092 + security.protocol: SASL_PLAINTEXT + properties.sasl: + mechanism: SCRAM-SHA-512 + jaas.config: ${JAASLOGIN} +{{ else }} +{{ toYaml .Values.config.eventConsumption | nindent 2 }} +{{- end }} + +security: + enable-csrf: false + +participant: + localChartDirectory: /home/policy/local-charts + infoFileName: CHART_INFO.json + intermediaryParameters: + reportingTimeIntervalMs: 120000 + description: Participant Description + participantId: + name: K8sParticipant0 + version: 1.0.0 + participantType: + name: 
org.onap.policy.clamp.acm.KubernetesParticipant + version: 2.3.4 + clampAutomationCompositionTopics: + topicSources: + - + topic: POLICY-ACRUNTIME-PARTICIPANT + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + fetchTimeout: 15000 + useHttps: false + topicSinks: + - + topic: POLICY-ACRUNTIME-PARTICIPANT + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + useHttps: false + +# If Strimzi Kafka to be used for communication, replace clampAutomationCompositionTopics configuration with below +# clampAutomationCompositionTopics: +# topicSources: +# - +# topic: policy-acruntime-participant +# servers: +# - release-{{ .Values.config.kafkaBootstrap }}:9092 +# topicCommInfrastructure: kafka +# fetchTimeout: 15000 +# useHttps: true +# additionalProps: +# security.protocol: SASL_PLAINTEXT +# sasl.mechanism: SCRAM-SHA-512 +# sasl.jaas.config: ${JAASLOGIN} +# topicSinks: +# - +# topic: policy-acruntime-participant +# servers: +# - release-{{ .Values.config.kafkaBootstrap }}:9092 +# topicCommInfrastructure: kafka +# useHttps: true +# additionalProps: +# security.protocol: SASL_PLAINTEXT +# sasl.mechanism: SCRAM-SHA-512 +# sasl.jaas.config: ${JAASLOGIN} + +management: + endpoints: + web: + exposure: + include: health, metrics, prometheus + +server: + # Configuration of the HTTP/REST server. The parameters are defined and handled by the springboot framework. + # See springboot documentation. + port: 8083 + servlet: + context-path: /onap/policy/clamp/acm/k8sparticipant + ssl: + enabled: false + + +logging: + # Configuration of logging + level: + ROOT: INFO + org.springframework: ERROR + org.springframework.data: ERROR + org.springframework.web.reactive.function.client.ExchangeFunctions: ERROR + org.onap.policy.clamp.controlloop.participant.kubernetes: INFO + + file: + name: /var/log/onap/policy/clamp/application.log + +chart: + api: + enabled: false + +# Permitted list of helm repositories. Values are updated from values.yaml 
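Review bot: The participant's REST endpoint authenticates with basic credentials (`spring.security.user` filled from `${RESTSERVER_USER}`/`${RESTSERVER_PASSWORD}`) but `server.ssl.enabled: false` and both `topicSources`/`topicSinks` entries set `useHttps: false`, so those credentials and the DMaaP traffic travel unencrypted; the commented-out Strimzi variant uses `useHttps: true`, so the plaintext choice looks deliberate for CSIT but is undocumented. A one-line comment at `server.ssl` such as `# TLS disabled for CSIT only; enable it (and set useHttps: true on the topics) for any shared deployment` would make that intent explicit. The logger key `org.onap.policy.clamp.controlloop.participant.kubernetes` does not match the `org.onap.policy.clamp.acm` package used for `participantType`, so the INFO override may no longer apply to the participant's own classes — worth confirming against the image. `security.enable-csrf: false` is likewise set without a note; it is reasonable for a basic-auth API but deserves the same one-line justification.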
diff --git a/helm/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/logback.xml b/helm/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/logback.xml
new file mode 100644
index 00000000..6ceb2e5a
--- /dev/null
+++ b/helm/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/logback.xml
@@ -0,0 +1,103 @@ +<!-- + ============LICENSE_START======================================================= + Copyright (C) 2022 Nordix Foundation. + ================================================================================ + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + SPDX-License-Identifier: Apache-2.0 + ============LICENSE_END========================================================= +--> + +<configuration scan="true" scanPeriod="30 seconds" debug="false"> + + <appender name="ErrorOut" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>/var/log/onap/policy/k8s-participant/error.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> + <fileNamePattern>/var/log/onap/policy/k8s-participant/error.%d{yyyy-MM-dd}.%i.log.zip + </fileNamePattern> + <maxFileSize>50MB</maxFileSize> + <maxHistory>30</maxHistory> + <totalSizeCap>10GB</totalSizeCap> + </rollingPolicy> + <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> + <level>WARN</level> + </filter> + <encoder> + <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern> + </encoder> + </appender> + + <appender name="AsyncErrorOut" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="ErrorOut" /> + </appender> + + <appender name="DebugOut" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>/var/log/onap/policy/k8s-participant/debug.log</file> + <rollingPolicy 
class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> + <fileNamePattern>/var/log/onap/policy/k8s-participant/debug.%d{yyyy-MM-dd}.%i.log.zip + </fileNamePattern> + <maxFileSize>50MB</maxFileSize> + <maxHistory>30</maxHistory> + <totalSizeCap>10GB</totalSizeCap> + </rollingPolicy> + <encoder> + <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern> + </encoder> + </appender> + + <appender name="AsyncDebugOut" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="DebugOut" /> + </appender> + + <appender name="NetworkOut" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>/var/log/onap/policy/k8s-participant/network.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> + <fileNamePattern>/var/log/onap/policy/k8s-participant/network.%d{yyyy-MM-dd}.%i.log.zip + </fileNamePattern> + <maxFileSize>50MB</maxFileSize> + <maxHistory>30</maxHistory> + <totalSizeCap>10GB</totalSizeCap> + </rollingPolicy> + <encoder> + <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n</pattern> + </encoder> + </appender> + + <appender name="AsyncNetworkOut" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="NetworkOut" /> + </appender> + + <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> + <encoder> + <Pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</Pattern> + </encoder> + </appender> + + <appender name="AsyncStdOut" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="STDOUT" /> + </appender> + + <logger name="network" level="INFO" additivity="false"> + <appender-ref ref="AsyncNetworkOut" /> + <appender-ref ref="AsyncStdOut" /> + </logger> + + <logger name="org.eclipse.jetty.server.RequestLog" level="info" additivity="false"> + <appender-ref ref="AsyncNetworkOut" /> + <appender-ref ref="AsyncStdOut" /> + </logger> + + <root level="INFO"> + <appender-ref ref="AsyncDebugOut" /> + 
<appender-ref ref="AsyncErrorOut" />
+ <appender-ref ref="AsyncStdOut" />
+ </root>
+
+</configuration>
diff --git a/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml b/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml
new file mode 100644
index 00000000..6df0b636
--- /dev/null
+++ b/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml
@@ -0,0 +1,36 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Chart.Name }}-configmap
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ heritage: Helm
+data:
+{{ tpl (.Files.Glob "resources/config/*.{xml,yaml}").AsConfig . | indent 2 }}
+{{- if .Values.repoList }}
+{{ tpl (.Files.Glob "resources/config/KubernetesParticipantParameters.yaml").AsConfig . | indent 2 }}
+{{ toYaml .Values.repoList | indent 4 }}
+{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }}
+{{- end }}
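Review bot: Every appender is wrapped in a `ch.qos.logback.classic.AsyncAppender` with default settings, which discards TRACE/DEBUG/INFO events once its queue is 80% full, and the `network` and `org.eclipse.jetty.server.RequestLog` loggers emit only INFO through `AsyncNetworkOut`, so request/audit lines can be silently lost under load. Add `<discardingThreshold>0</discardingThreshold>` inside `AsyncNetworkOut` so that appender blocks rather than drops when the queue fills. The `%msg` conversion is written verbatim in every pattern; if request-derived strings reach these loggers, `%replace(%msg){'[\r\n]', ''}` keeps one event per line so an embedded newline cannot forge a log entry. The identical `%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}` layout repeated in four appenders could be one `<property>`, which is a style point only.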
\ No newline at end of file
diff --git a/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml b/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml
new file mode 100644
index 00000000..58721070
--- /dev/null
+++ b/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml
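Review bot: When `.Values.repoList` is set, the `data:` map is rendered with `KubernetesParticipantParameters.yaml` twice (once from the `*.{xml,yaml}` glob, again from the explicit glob inside the `if`) and `logback.xml` twice (the trailing `*.{json,xml,sh}` glob matches it again); duplicate mapping keys are rejected by strict YAML parsers or resolved last-wins by lenient ones, so the ConfigMap content becomes parser-dependent. The `toYaml .Values.repoList | indent 4` line also relies on the parameter file ending in a comment at block-scalar indentation so the appended text lands inside that scalar, which deserves a comment such as `# repoList is appended into the KubernetesParticipantParameters.yaml block scalar; keep that file's last line at content indentation`. Rendering each file exactly once, as below, keeps the existing append mechanism without the duplicate keys. `namespace: default` is hard-coded where `{{ .Release.Namespace }}` is the usual chart idiom.
```yaml
data:
{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/KubernetesParticipantParameters.yaml").AsConfig . | indent 2 }}
{{- if .Values.repoList }}
{{ toYaml .Values.repoList | indent 4 }}
{{- end }}
```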
@@ -0,0 +1,134 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Chart.Name }} + namespace: default + labels: + app.kubernetes.io/name: {{ .Chart.Name }} + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/instance: RELEASE + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ .Chart.Name }} + app.kubernetes.io/instance: RELEASE + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ .Chart.Name }} + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/instance: RELEASE + app.kubernetes.io/managed-by: Helm + name: {{ .Chart.Name }} + + spec: + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: RESTSERVER_USER + valueFrom: + secretKeyRef: + name: {{ .Chart.Name }}-restserver-secret + key: login + + - name: RESTSERVER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Chart.Name 
}}-restserver-secret + key: password + +{{- if .Values.config.useStrimziKafka }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ .Chart.Name }}-policy-kafka-user + key: sasl.jaas.config + +{{- end }} + volumeMounts: + - mountPath: /config-input + name: ac-k8s-ppnt-config + - mountPath: /config + name: ac-k8s-ppnt-config-processed + image: docker.io/dibi/envsubst:1 + imagePullPolicy: {{ .Values.pullPolicy }} + name: {{ .Chart.Name }}-update-config + containers: + - name: {{ .Chart.Name }} + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.pullPolicy }} + command: ["/opt/app/policy/clamp/bin/kubernetes-participant.sh"] + args: ["/opt/app/policy/clamp/etc/mounted/KubernetesParticipantParameters.yaml"] + ports: + - containerPort: 8083 + name: http-api + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - mountPath: /etc/localtime + name: localtime + readOnly: true + - mountPath: /opt/app/policy/clamp/etc/mounted + name: ac-k8s-ppnt-config-processed + resources: +{{ toYaml .Values.resources.small | indent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ .Chart.Name }}-create + volumes: + - name: localtime + hostPath: + path: /etc/localtime + - name: ac-k8s-ppnt-config + configMap: + name: {{ .Chart.Name }}-configmap + defaultMode: 0755 + - name: 
 ac-k8s-ppnt-config-processed
+ emptyDir:
+ medium: Memory
+ imagePullSecrets:
+ - name: default-docker-registry-key"
diff --git a/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/role-binding.yaml b/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/role-binding.yaml
new file mode 100644
index 00000000..08b0df23
--- /dev/null
+++ b/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/role-binding.yaml
@@ -0,0 +1,37 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Chart.Name }}-binding
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ heritage: Helm
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Chart.Name }}-create
+ namespace: default
+
diff --git a/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/secret.yaml b/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/secret.yaml
new file mode 100644
index 00000000..a25390f2
--- /dev/null
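Review bot: The pull-secret reference at the end of this hunk reads `- name: default-docker-registry-key"` with an unbalanced quote; YAML takes that as the plain scalar `default-docker-registry-key"`, so it will not match the secret the runtime-acm deployment in this same change names `"default-docker-registry-key"` — unless this is an extraction artifact, it should be `- name: "default-docker-registry-key"`. Neither the init container nor the main container sets a `securityContext`, and the config volume is mounted with `defaultMode: 0755` although its files are only read by `envsubst` and the application, so the participant (whose service account is bound to cluster-admin elsewhere in this change) runs with whatever user the image defaults to and with world-executable config; `0444` is enough. The third-party init image `docker.io/dibi/envsubst:1` is a mutable tag that receives the REST and Kafka credentials in its environment; pin it by digest. Suggested hardening:
```yaml
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: image, command, args, ports, probes, volumeMounts, resources …
      volumes:
        # … unchanged: localtime …
        - name: ac-k8s-ppnt-config
          configMap:
            name: {{ .Chart.Name }}-configmap
            defaultMode: 0444
```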
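Review bot: This ClusterRoleBinding grants the participant's service account `{{ .Chart.Name }}-create` the built-in `cluster-admin` ClusterRole — unrestricted access to every resource in every namespace — and the pod that uses it is published through a NodePort service with a default password shipped in values.yaml elsewhere in this change. Anyone who can drive that REST API, or who compromises the container, inherits cluster-admin; the participant only needs to install and remove charts, so a purpose-built ClusterRole (or a namespaced Role plus RoleBinding per target namespace) listing the resource kinds and verbs it actually touches is the right scope — I cannot tell from the hunk which those are, so derive them from the audit log of a CSIT run. At minimum replace `name: cluster-admin` with `name: {{ .Chart.Name }}-role` defined in a `ClusterRole` template, or add a comment above `roleRef` stating why the full grant is acceptable for the test cluster. The subject's `namespace: default` should be `{{ .Release.Namespace }}` so the binding still resolves when the chart is installed elsewhere.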
+++ b/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/secret.yaml
@@ -0,0 +1,48 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Chart.Name }}-restserver-secret
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ heritage: Helm
+type: Opaque
+stringData:
+ login: {{ .Values.restServer.user }}
+ password: {{ .Values.restServer.password }}
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Chart.Name }}-policy-kafka-user
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ heritage: Helm
+type: Opaque
+stringData:
+ sasl.jaas.config: {{ .Values.config.jaas }}
diff --git a/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/service-account.yaml b/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/service-account.yaml
new file mode 100644
index 00000000..1e9bcae3
--- /dev/null
+++ b/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/service-account.yaml
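Review bot: The credential values are interpolated unquoted (`password: {{ .Values.restServer.password }}`, `sasl.jaas.config: {{ .Values.config.jaas }}`), so an override containing `:`, `#`, a leading `@`/`*`, or a JAAS line with `=` and `;` renders invalid or mis-typed YAML; use `password: {{ .Values.restServer.password | quote }}` and do the same for `login` and `sasl.jaas.config`. The Kafka secret is rendered unconditionally while the deployment only consumes it under `{{- if .Values.config.useStrimziKafka }}`; wrap the second document in the same guard so a non-Strimzi install does not carry an unused secret holding a JAAS string. Because these values default from values.yaml, the passwords also end up in the Helm release history, not just in etcd; an `existingSecret` value that lets operators supply a pre-created secret would keep them out of the chart entirely.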
@@ -0,0 +1,25 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Chart.Name }}-create
diff --git a/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml b/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml
new file mode 100644
index 00000000..b350d84f
--- /dev/null
+++ b/helm/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml
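Review bot: The ServiceAccount is declared without a `namespace`, so it is created in the release namespace, while the ClusterRoleBinding in this change names it at `namespace: default`; with `helm install -n <other>` the binding points at an account that does not exist and the participant runs with no RBAC at all, which fails silently rather than loudly. Add `namespace: {{ .Release.Namespace }}` under `metadata` here and use the same expression for the binding subject so the two cannot drift.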
@@ -0,0 +1,40 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Chart.Name }}
+ namespace: default
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: Helm
+
+spec:
+ ports:
+ - port: {{ .Values.service.ports.port }}
+ targetPort: {{ .Values.service.ports.port }}
+ nodePort: {{ .Values.service.ports.nodePort }}
+ protocol: TCP
+ name: {{ .Values.service.ports.name }}
+ type: {{ .Values.service.type }}
+ selector:
+ app.kubernetes.io/name: {{ .Chart.Name }}
\ No newline at end of file
diff --git a/helm/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/helm/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml
new file mode 100644
index 00000000..ba7dd7c8
--- /dev/null
+++ b/helm/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml
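Review bot: The service defaults to `type: NodePort` with `nodePort: 30443`, which publishes the participant's plain-HTTP API (the container port is named `http-api`, and the values file in this change ships a default basic-auth password) on every node's external interface. A CSIT cluster may want that, but the chart default should be `ClusterIP` with NodePort as an opt-in, and `nodePort:` must only be rendered when the type is NodePort because the API server rejects it on a ClusterIP service: `{{- if eq .Values.service.type "NodePort" }}` / `nodePort: {{ .Values.service.ports.nodePort }}` / `{{- end }}`. `service.useNodePortExt` in values.yaml is not referenced by this template, so either wire it into that condition or drop it. The port number 30443 suggests TLS, which nothing in the hunk provides; rename it or put a TLS ingress in front.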
@@ -0,0 +1,121 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +image: onap/policy-clamp-ac-k8s-ppnt:6.3.1 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration +restServer: + user: participantUser + password: zb!XztG34 + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} +# probe configuration parameters +liveness: + initialDelaySeconds: 20 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: http-api + +readiness: + initialDelaySeconds: 20 + periodSeconds: 10 + port: http-api + +service: + type: NodePort + name: policy-clamp-ac-k8s-ppnt + useNodePortExt: true + ports: + name: http-api + port: 8083 + nodePort: 30443 + +ingress: + enabled: false + +flavor: small +resources: + small: + limits: + cpu: 1 + memory: 4Gi + requests: + cpu: 100m + memory: 1Gi + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: policy-clamp-ac-k8s-ppnt + roles: + - create +# Update the config here for permitting repositories and protocols +repoList: + helm: + repos: + - + repoName: kong + address: https://charts.konghq.com + - + repoName: bitnami + address: https://charts.bitnami.com/bitnami + + protocols: + - http + - https + +config: +# Event consumption (kafka) properties + useStrimziKafka: true + kafkaBootstrap: strimzi-kafka-bootstrap + kafka: + consumer: + groupId: policy-group + app: + listener: + acRuntimeTopic: policy-acruntime-participant + jaas: KuldHochQipa7, +# If targeting a custom kafka cluster, ie useStrimziKakfa: false +# uncomment below config and target your kafka bootstrap servers, +# along with any other security config. 
+# +# eventConsumption: +# spring.kafka.bootstrap-servers: <kafka-bootstrap>:9092 +# spring.kafka.security.protocol: PLAINTEXT +# spring.kafka.consumer.group-id: policy-group +# +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. +# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 diff --git a/helm/policy/components/policy-clamp-runtime-acm/Chart.yaml b/helm/policy/components/policy-clamp-runtime-acm/Chart.yaml new file mode 100644 index 00000000..21d196ae --- /dev/null +++ b/helm/policy/components/policy-clamp-runtime-acm/Chart.yaml @@ -0,0 +1,22 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v2 +description: ONAP Policy Clamp Controlloop Runtime +name: policy-clamp-runtime-acm +version: 11.0.0 diff --git a/helm/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml b/helm/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml new file mode 100644 index 00000000..17242c2f --- /dev/null 
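Review bot: values.yaml commits working credentials — `restServer.password: zb!XztG34` and `config.jaas: KuldHochQipa7,` — which the secret template in this change turns into live Kubernetes secrets, so every install that does not override them shares a password that is public in this repository. Leave them empty and fail the render instead, e.g. `password: {{ required "restServer.password must be set" .Values.restServer.password | quote }}` in the template, or generate one with `randAlphaNum 16` guarded by `lookup` so upgrades keep it stable. The `jaas` value also looks like a fragment rather than the `org.apache.kafka.common.security.scram.ScramLoginModule required username="…" password="…";` line that a `sasl.jaas.config` property expects — worth confirming against the participant's Kafka configuration before anyone copies it. `pullPolicy: Always` with the mutable tag `onap/policy-clamp-ac-k8s-ppnt:6.3.1` re-resolves the image on every restart; pin a digest for reproducible CSIT runs.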
+++ b/helm/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml 
@@ -0,0 +1,128 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +spring: + security: + user: + name: ${RUNTIME_USER} + password: ${RUNTIME_PASSWORD} + mvc: + converters: + preferred-json-mapper: gson + datasource: + url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/clampacm + driverClassName: org.mariadb.jdbc.Driver + username: ${SQL_USER} + password: ${SQL_PASSWORD} + hikari: + connectionTimeout: 30000 + idleTimeout: 600000 + maxLifetime: 1800000 + maximumPoolSize: 10 + jpa: + hibernate: + ddl-auto: update + naming: + physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl + implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy + properties: + hibernate: + dialect: org.hibernate.dialect.MariaDB103Dialect + format_sql: true + kafka: + consumer: + group-id: {{ .Values.config.kafka.consumer.groupId }} +{{- if .Values.config.useStrimziKafka }} + bootstrap-servers: {{ .Values.config.kafkaBootstrap }}:9092 + security.protocol: SASL_PLAINTEXT + properties.sasl: + mechanism: SCRAM-SHA-512 + jaas.config: ${JAASLOGIN} +{{ else }} +{{ toYaml 
.Values.config.eventConsumption | nindent 2 }} +{{- end }} + +security: + enable-csrf: false + +server: + port: 6969 + servlet: + context-path: /onap/policy/clamp/acm + error: + path: /error + ssl: + enabled: false + + +runtime: + participantParameters: + heartBeatMs: 120000 + maxMessageAgeMs: 600000 + maxStatusWaitMs: 100000 + updateParameters: + maxRetryCount: 3 + maxWaitMs: 100000 + topicParameterGroup: + topicSources: + - + topic: POLICY-ACRUNTIME-PARTICIPANT + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + useHttps: false + fetchTimeout: 15000 + topicSinks: + - + topic: POLICY-ACRUNTIME-PARTICIPANT + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + useHttps: false + +# If Strimzi Kafka to be used for communication, replace clampAutomationCompositionTopics configuration with below +# topicParameterGroup: +# topicSources: +# - +# topic: policy-acruntime-participant +# servers: +# - {{ .Values.config.kafkaBootstrap }}:9092 +# topicCommInfrastructure: kafka +# useHttps: true +# fetchTimeout: 15000 +# additionalProps: +# security.protocol: SASL_PLAINTEXT +# sasl.mechanism: SCRAM-SHA-512 +# sasl.jaas.config: ${JAASLOGIN} +# topicSinks: +# - +# topic: policy-acruntime-participant +# servers: +# - {{ .Values.config.kafkaBootstrap }}:9092 +# topicCommInfrastructure: kafka +# useHttps: true +# additionalProps: +# security.protocol: SASL_PLAINTEXT +# sasl.mechanism: SCRAM-SHA-512 +# sasl.jaas.config: ${JAASLOGIN} + +management: + endpoints: + web: + exposure: + include: health, metrics, prometheus diff --git a/helm/policy/components/policy-clamp-runtime-acm/resources/config/db.sh b/helm/policy/components/policy-clamp-runtime-acm/resources/config/db.sh new file mode 100755 index 00000000..3b8f30b7 --- /dev/null +++ b/helm/policy/components/policy-clamp-runtime-acm/resources/config/db.sh 
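Review bot: The runtime is configured with `security.enable-csrf: false`, `server.ssl.enabled: false` and Kafka over `SASL_PLAINTEXT`, so the `${RUNTIME_USER}`/`${RUNTIME_PASSWORD}` basic-auth pair and the SCRAM JAAS credentials travel in clear text; that is tolerable for an isolated CSIT cluster, but the file carries no comment saying so and it is the file people copy — add `# CSIT only: TLS and CSRF are disabled; do not reuse this configuration outside the test cluster` at the top. `spring.jpa.hibernate.ddl-auto: update` lets the application account (which db.sh grants `ALL PRIVILEGES`) alter the schema at startup; once the `migration` database referenced in db.sh is driving schema changes, this should become `validate`. `management.endpoints.web.exposure.include: health, metrics, prometheus` serves actuator endpoints from the same plain-HTTP server — confirm that Spring Security covers `/actuator/**`, or restrict the list to `health` until it does.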
@@ -0,0 +1,26 @@
+#!/bin/sh
+{{/*
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+mysql() { /usr/bin/mysql -h ${MYSQL_HOST} -P ${MYSQL_USER} "$@"; };
+
+for db in migration pooling policyadmin policyclamp operationshistory clampacm
+do
+ mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};"
+ mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;"
+done
+
+mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;"
diff --git a/helm/policy/components/policy-clamp-runtime-acm/resources/config/logback.xml b/helm/policy/components/policy-clamp-runtime-acm/resources/config/logback.xml
new file mode 100644
index 00000000..a98cb57f
--- /dev/null
+++ b/helm/policy/components/policy-clamp-runtime-acm/resources/config/logback.xml
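Review bot: The wrapper passes the user name where the port belongs — `mysql() { /usr/bin/mysql -h ${MYSQL_HOST} -P ${MYSQL_USER} "$@"; };` — since `-P` is the TCP port, so every call either fails on a non-numeric port or, if the variable happens to be numeric, connects somewhere unintended. It also hands the root password to the client on the command line via `-p"${MYSQL_ROOT_PASSWORD}"`, where it is visible to `ps` inside the container; pass it through the environment and quote the expansions: `mysql() { MYSQL_PWD="${MYSQL_ROOT_PASSWORD}" /usr/bin/mysql -h "${MYSQL_HOST}" -uroot "$@"; }` (with a `-P "${MYSQL_PORT}"` only if such a variable is actually provided) and drop `-uroot -p"…"` from the three call sites. `GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%'` gives the application user DDL rights from any host; `'%'` is reasonable inside the pod network, but the privilege list should shrink once schema changes come from a migration job. Add `set -eu` after the shebang so a failed CREATE or GRANT stops the loop instead of continuing to FLUSH PRIVILEGES with a half-provisioned set of databases.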
@@ -0,0 +1,103 @@ +<!-- + ============LICENSE_START======================================================= + Copyright (C) 2022 Nordix Foundation. + ================================================================================ + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + SPDX-License-Identifier: Apache-2.0 + ============LICENSE_END========================================================= +--> + +<configuration scan="true" scanPeriod="30 seconds" debug="false"> + + <appender name="ErrorOut" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>/var/log/onap/policy/policy-clamp-runtime-acm/error.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> + <fileNamePattern>/var/log/onap/policy/policy-clamp-runtime-acm/error.%d{yyyy-MM-dd}.%i.log.zip + </fileNamePattern> + <maxFileSize>50MB</maxFileSize> + <maxHistory>30</maxHistory> + <totalSizeCap>10GB</totalSizeCap> + </rollingPolicy> + <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> + <level>WARN</level> + </filter> + <encoder> + <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern> + </encoder> + </appender> + + <appender name="AsyncErrorOut" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="ErrorOut" /> + </appender> + + <appender name="DebugOut" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>/var/log/onap/policy/policy-clamp-runtime-acm/debug.log</file> + <rollingPolicy 
class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> + <fileNamePattern>/var/log/onap/policy/policy-clamp-runtime-acm/debug.%d{yyyy-MM-dd}.%i.log.zip + </fileNamePattern> + <maxFileSize>50MB</maxFileSize> + <maxHistory>30</maxHistory> + <totalSizeCap>10GB</totalSizeCap> + </rollingPolicy> + <encoder> + <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern> + </encoder> + </appender> + + <appender name="AsyncDebugOut" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="DebugOut" /> + </appender> + + <appender name="NetworkOut" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>/var/log/onap/policy/policy-clamp-runtime-acm/network.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> + <fileNamePattern>/var/log/onap/policy/policy-clamp-runtime-acm/network.%d{yyyy-MM-dd}.%i.log.zip + </fileNamePattern> + <maxFileSize>50MB</maxFileSize> + <maxHistory>30</maxHistory> + <totalSizeCap>10GB</totalSizeCap> + </rollingPolicy> + <encoder> + <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n</pattern> + </encoder> + </appender> + + <appender name="AsyncNetworkOut" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="NetworkOut" /> + </appender> + + <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> + <encoder> + <Pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</Pattern> + </encoder> + </appender> + + <appender name="AsyncStdOut" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="STDOUT" /> + </appender> + + <logger name="network" level="INFO" additivity="false"> + <appender-ref ref="AsyncNetworkOut" /> + <appender-ref ref="AsyncStdOut" /> + </logger> + + <logger name="org.eclipse.jetty.server.RequestLog" level="info" additivity="false"> + <appender-ref ref="AsyncNetworkOut" /> + <appender-ref ref="AsyncStdOut" /> + </logger> + + <root level="INFO"> + <appender-ref 
ref="AsyncDebugOut" /> + <appender-ref ref="AsyncErrorOut" /> + <appender-ref ref="AsyncStdOut" /> + </root> + +</configuration> diff --git a/helm/policy/components/policy-clamp-runtime-acm/templates/configmap.yaml b/helm/policy/components/policy-clamp-runtime-acm/templates/configmap.yaml new file mode 100644 index 00000000..309dc45e --- /dev/null +++ b/helm/policy/components/policy-clamp-runtime-acm/templates/configmap.yaml @@ -0,0 +1,37 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Chart.Name }}-configmap + namespace: default + labels: + app: {{ .Chart.Name }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + heritage: Helm +{{- with .Files.Glob "resources/config/*store" }} +binaryData: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} +{{- end }} +{{- end }} +data: +{{ tpl (.Files.Glob "resources/config/*.{json,xml,yaml}").AsConfig . | indent 2 }} 
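Review bot: The `binaryData` loop packs any `resources/config/*store` file into this ConfigMap; a keystore normally carries a private key, and ConfigMaps are readable by anyone with `get configmaps` in the namespace and are not covered by the at-rest encryption that can be applied to Secrets. No such file is present in this change, so nothing leaks today, but the glob is a trap for the next contributor — move it to a `Secret` template (the same `b64enc` loop under `data:`), or add `# NOTE: do not drop keystores here — private key material belongs in a Secret` above the `with` block. `namespace: default` should be `{{ .Release.Namespace }}` as elsewhere in the chart.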
diff --git a/helm/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml b/helm/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml
new file mode 100644
index 00000000..ba192cb5
--- /dev/null
+++ b/helm/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml
@@ -0,0 +1,153 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Chart.Name }} + namespace: default +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ .Chart.Name }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ .Chart.Name }} + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/instance: RELEASE + app.kubernetes.io/managed-by: Helm + name: {{ .Chart.Name }} + spec: + initContainers: + - command: + - /app/ready.py + args: + - --job-name + - policy-galera-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: nexus3.onap.org:10001/onap/oom/readiness:3.0.1 + imagePullPolicy: {{ .Values.pullPolicy }} + name: {{ .Chart.Name }}-readiness + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: SQL_USER + valueFrom: + secretKeyRef: + name: {{ .Chart.Name }}-db-secret + key: login + + - name: SQL_PASSWORD + valueFrom: + 
secretKeyRef: + name: {{ .Chart.Name }}-db-secret + key: password + + - name: RUNTIME_USER + valueFrom: + secretKeyRef: + name: {{ .Chart.Name }}-runtime-secret + key: login + + - name: RUNTIME_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Chart.Name }}-runtime-secret + key: password + +{{- if .Values.config.useStrimziKafka }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ .Chart.Name }}-policy-kafka-user + key: sasl.jaas.config + +{{- end }} + volumeMounts: + - mountPath: /config-input + name: ac-runtime-config + - mountPath: /config + name: ac-runtime-config-processed + image: docker.io/dibi/envsubst:1 + imagePullPolicy: {{ .Values.pullPolicy }} + name: {{ .Chart.Name }}-update-config + containers: + - name: {{ .Chart.Name }} + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.pullPolicy }} + command: ["/opt/app/policy/clamp/bin/acm-runtime.sh"] + args: ["/opt/app/policy/clamp/etc/mounted/acRuntimeParameters.yaml"] + ports: + - containerPort: 6969 + name: http-api + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - mountPath: /etc/localtime + name: localtime + readOnly: true + - mountPath: /opt/app/policy/clamp/etc/mounted + name: ac-runtime-config-processed + resources: +{{ toYaml .Values.resources.small | indent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + 
 serviceAccountName: {{ .Chart.Name }}-read
+ volumes:
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+ - name: ac-runtime-config
+ configMap:
+ name: {{ .Chart.Name }}-configmap
+ defaultMode: 0755
+ - name: ac-runtime-config-processed
+ emptyDir:
+ medium: Memory
+ imagePullSecrets:
+ - name: "default-docker-registry-key"
diff --git a/helm/policy/components/policy-clamp-runtime-acm/templates/role-binding.yaml b/helm/policy/components/policy-clamp-runtime-acm/templates/role-binding.yaml
new file mode 100644
index 00000000..40f59aef
--- /dev/null
+++ b/helm/policy/components/policy-clamp-runtime-acm/templates/role-binding.yaml
@@ -0,0 +1,33 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Chart.Name }}-read
+ namespace: default
+subjects:
+- kind: ServiceAccount
+ name: {{ .Chart.Name }}-read
+roleRef:
+ kind: Role
+ name: read
+ apiGroup: rbac.authorization.k8s.io
+
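Review bot: Neither the pod nor either container sets a `securityContext`, and the rendered configuration is mounted with `defaultMode: 0755` although it is only read by `envsubst` and the application; use `0444`, and drop privilege escalation and capabilities on the containers (add `runAsNonRoot: true` at pod level only if the image already runs as a non-root UID — confirm). The readiness init container runs `/app/ready.py --job-name policy-galera-init` under the `{{ .Chart.Name }}-read` service account, which therefore needs API access to jobs in `NAMESPACE`; the Role meant to grant that does not appear in this diff, so either it exists elsewhere or the init container will be refused — a comment on the `serviceAccountName` line naming that dependency would save the next person a debugging session. Suggested hardening:
```yaml
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: image, command, args, ports, probes, volumeMounts, resources …
      volumes:
        # … unchanged: localtime …
        - name: ac-runtime-config
          configMap:
            name: {{ .Chart.Name }}-configmap
            defaultMode: 0444
```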
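Review bot: The `roleRef` points at a Role named `read` that this change does not create anywhere I can see (the RBAC objects visible here are this binding and the participant's ClusterRoleBinding), so unless it already exists in the namespace the binding is dangling and the readiness init container that runs as `{{ .Chart.Name }}-read` will be denied. Either add a `role.yaml` with the minimal rule — `apiGroups: ["batch"]`, `resources: ["jobs"]`, `verbs: ["get", "list"]` is what a job-readiness check would typically need, but confirm against ready.py — or document the external dependency in a comment next to `name: read`. The hard-coded `namespace: default` should be `{{ .Release.Namespace }}` so the binding follows the release.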
diff --git a/helm/policy/components/policy-clamp-runtime-acm/templates/secret.yaml b/helm/policy/components/policy-clamp-runtime-acm/templates/secret.yaml
new file mode 100644
index 00000000..f761acd0
--- /dev/null
+++ b/helm/policy/components/policy-clamp-runtime-acm/templates/secret.yaml
@@ -0,0 +1,64 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Chart.Name }}-runtime-secret + namespace: default + labels: + app: {{ .Chart.Name }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + heritage: Helm +type: Opaque +stringData: + login: {{ .Values.config.policyAppUserName }} + password: {{ .Values.config.policyAppUserPassword }} + +--- + +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Chart.Name }}-db-secret + namespace: default + labels: + app: {{ .Chart.Name }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + heritage: Helm +type: Opaque +stringData: + login: {{ .Values.db.user }} + password: {{ .Values.db.password }} + +--- + +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Chart.Name }}-policy-kafka-user + namespace: default + labels: + app: {{ .Chart.Name }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + heritage: Helm +type: Opaque +stringData: + sasl.jaas.config: {{ .Values.config.jaas }} 
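Review bot: The credential values are rendered as bare YAML scalars in `stringData` (`password: {{ .Values.config.policyAppUserPassword }}`, the db `login`/`password` lines and `sasl.jaas.config`), so a value containing `: `, ` #` or a leading YAML-significant character produces invalid or silently altered manifests. Pipe each one through `quote`, e.g. `password: {{ .Values.config.policyAppUserPassword | quote }}`. Since the chart's values.yaml ships literal defaults for all of these, they end up in the cluster Secrets verbatim unless overridden.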
diff --git a/helm/policy/components/policy-clamp-runtime-acm/templates/service-account.yaml b/helm/policy/components/policy-clamp-runtime-acm/templates/service-account.yaml new file mode 100644 index 00000000..8bf00b02 --- /dev/null +++ b/helm/policy/components/policy-clamp-runtime-acm/templates/service-account.yaml @@ -0,0 +1,25 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Chart.Name }}-read + diff --git a/helm/policy/components/policy-clamp-runtime-acm/templates/service.yaml b/helm/policy/components/policy-clamp-runtime-acm/templates/service.yaml new file mode 100644 index 00000000..8daa872a --- /dev/null +++ b/helm/policy/components/policy-clamp-runtime-acm/templates/service.yaml 
@@ -0,0 +1,41 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ .Chart.Name }} + namespace: default + labels: + app.kubernetes.io/name: {{ .Chart.Name }} + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/managed-by: Helm + +spec: + ports: + - port: {{ .Values.service.ports.port }} + targetPort: {{ .Values.service.ports.port }} + nodePort: {{ .Values.service.ports.nodePort }} + protocol: TCP + name: {{ .Values.service.ports.name }} + type: {{ .Values.service.type }} + selector: + app.kubernetes.io/name: {{ .Chart.Name }} + diff --git a/helm/policy/components/policy-clamp-runtime-acm/values.yaml b/helm/policy/components/policy-clamp-runtime-acm/values.yaml new file mode 100644 index 00000000..544b1d05 --- /dev/null +++ b/helm/policy/components/policy-clamp-runtime-acm/values.yaml 
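Review bot: `nodePort: {{ .Values.service.ports.nodePort }}` is emitted unconditionally, and the API server rejects a `nodePort` on a ClusterIP Service, so anyone overriding `service.type` gets a render that fails to apply. Guard it with `{{- if eq .Values.service.type "NodePort" }}` / `nodePort: {{ .Values.service.ports.nodePort }}` / `{{- end }}`. `service.useNodePortExt` is added to values.yaml in the same commit but is not consulted here.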
@@ -0,0 +1,115 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: nexus3.onap.org:10001/onap/policy-clamp-runtime-acm:6.3.1 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration +config: + policyAppUserName: runtimeUser + policyAppUserPassword: zb!XztG34 + jaas: JuzgCumoDahj9* + +# Event consumption (kafka) properties + useStrimziKafka: true + kafkaBootstrap: strimzi-kafka-bootstrap + kafka: + consumer: + groupId: policy-group + app: + listener: + acRuntimeTopic: policy.policy-acruntime-participant +# If targeting a custom kafka cluster, ie useStrimziKakfa: false +# uncomment below config and target your kafka bootstrap servers, +# along with any other security config. 
+# +# eventConsumption: +# spring.kafka.bootstrap-servers: <kafka-bootstrap>:9092 +# spring.kafka.security.protocol: PLAINTEXT +# spring.kafka.consumer.group-id: policy-group +# +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. +# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 + +db: + user: policy-user + password: policy-user + service: + name: mariadb-galera + internalPort: 3306 + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 20 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: http-api + +readiness: + initialDelaySeconds: 20 + periodSeconds: 10 + port: http-api + +service: + type: NodePort + name: policy-clamp-runtime-acm + useNodePortExt: true + ports: + name: http-api + port: 6969 + nodePort: 30442 + +ingress: + enabled: false + +flavor: small +resources: + small: + limits: + cpu: 1 + memory: 4Gi + requests: + cpu: 100m + memory: 1Gi + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: policy-clamp-runtime-acm + roles: + - read diff --git a/helm/policy-models-simulator/.helmignore b/helm/policy/components/policy-models-simulator/.helmignore index 50af0317..50af0317 100644 --- a/helm/policy-models-simulator/.helmignore +++ b/helm/policy/components/policy-models-simulator/.helmignore diff --git a/helm/policy-models-simulator/Chart.yaml b/helm/policy/components/policy-models-simulator/Chart.yaml index 95354034..01bf798a 100644 --- a/helm/policy-models-simulator/Chart.yaml +++ b/helm/policy/components/policy-models-simulator/Chart.yaml 
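Review bot: `policyAppUserPassword: zb!XztG34`, `jaas: JuzgCumoDahj9*` and `db.password: policy-user` are literal credentials committed as chart defaults, and secret.yaml turns them into Secret objects as-is, so every unconfigured install shares the same passwords. Prefer empty defaults plus the external-secret path the parent values.yaml already declares (`policyAppUserExternalSecret` / `appUserExternalSecret`), or a `required` guard in the template. The `jaas` value is also written into `sasl.jaas.config`, which Kafka clients normally expect to be a full JAAS login-module string rather than a bare token; I would confirm what the runtime actually reads before relying on it.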
@@ -2,4 +2,4 @@ apiVersion: v1 appVersion: "1.0" description: A Helm chart for Kubernetes name: policy-models-simulator -version: 0.1.0 +version: 11.0.0 diff --git a/helm/policy-models-simulator/resources/cds/CreateSubscriptionResponseEvent.json b/helm/policy/components/policy-models-simulator/resources/cds/CreateSubscriptionResponseEvent.json index adb51adc..adb51adc 100644 --- a/helm/policy-models-simulator/resources/cds/CreateSubscriptionResponseEvent.json +++ b/helm/policy/components/policy-models-simulator/resources/cds/CreateSubscriptionResponseEvent.json diff --git a/helm/policy-models-simulator/resources/cds/DefaultResponseEvent-error.json b/helm/policy/components/policy-models-simulator/resources/cds/DefaultResponseEvent-error.json index a66b1114..a66b1114 100644 --- a/helm/policy-models-simulator/resources/cds/DefaultResponseEvent-error.json +++ b/helm/policy/components/policy-models-simulator/resources/cds/DefaultResponseEvent-error.json diff --git a/helm/policy-models-simulator/resources/cds/DefaultResponseEvent.json b/helm/policy/components/policy-models-simulator/resources/cds/DefaultResponseEvent.json index adb51adc..adb51adc 100644 --- a/helm/policy-models-simulator/resources/cds/DefaultResponseEvent.json +++ b/helm/policy/components/policy-models-simulator/resources/cds/DefaultResponseEvent.json diff --git a/helm/policy-models-simulator/resources/cds/pm_control-create-subscription-error.json b/helm/policy/components/policy-models-simulator/resources/cds/pm_control-create-subscription-error.json index a66b1114..a66b1114 100644 --- a/helm/policy-models-simulator/resources/cds/pm_control-create-subscription-error.json +++ b/helm/policy/components/policy-models-simulator/resources/cds/pm_control-create-subscription-error.json diff --git a/helm/policy-models-simulator/resources/cds/pm_control-create-subscription.json b/helm/policy/components/policy-models-simulator/resources/cds/pm_control-create-subscription.json index adb51adc..adb51adc 100644 
--- a/helm/policy-models-simulator/resources/cds/pm_control-create-subscription.json +++ b/helm/policy/components/policy-models-simulator/resources/cds/pm_control-create-subscription.json diff --git a/helm/policy-models-simulator/resources/config/logback.xml b/helm/policy/components/policy-models-simulator/resources/config/logback.xml index 224c322c..224c322c 100644 --- a/helm/policy-models-simulator/resources/config/logback.xml +++ b/helm/policy/components/policy-models-simulator/resources/config/logback.xml diff --git a/helm/policy-models-simulator/resources/config/simParameters.json b/helm/policy/components/policy-models-simulator/resources/config/simParameters.json index 7408ade8..41fc9057 100644 --- a/helm/policy-models-simulator/resources/config/simParameters.json +++ b/helm/policy/components/policy-models-simulator/resources/config/simParameters.json 
@@ -8,43 +8,41 @@ "name": "DMaaP simulator", "providerClass": "org.onap.policy.models.sim.dmaap.rest.DmaapSimRestControllerV1", "host": "0.0.0.0", - "port": 3905, - "https": true + "port": 3904, + "https": false }, { "name": "A&AI simulator", "providerClass": "org.onap.policy.simulators.AaiSimulatorJaxRs", "host": "0.0.0.0", "port": 6666, - "https": true - }, - { - "name": "Guard simulator", - "providerClass": "org.onap.policy.simulators.GuardSimulatorJaxRs", - "host": "0.0.0.0", - "port": 6667, - "https": true + "https": false, + "userName": "policy@policy.onap.org", + "password": "demo123456!", + "resourceLocation": "/opt/app/policy/simulators/etc/mounted/aairesponse/" }, { "name": "SDNC simulator", "providerClass": "org.onap.policy.simulators.SdncSimulatorJaxRs", "host": "0.0.0.0", "port": 6668, - "https": true + "https": false }, { "name": "SO simulator", "providerClass": "org.onap.policy.simulators.SoSimulatorJaxRs", "host": "0.0.0.0", "port": 6669, - "https": true + "https": false, + "userName": "InfraPortalClient", + "password": "password1$" }, { "name": "VFC simulator", "providerClass": "org.onap.policy.simulators.VfcSimulatorJaxRs", "host": "0.0.0.0", "port": 6670, - "https": true + "https": false } ], "topicSinks": [ @@ -52,22 +50,17 @@ "topic": "APPC-CL", "servers": ["${HOST_NAME}"], "topicCommInfrastructure": "DMAAP", - "useHttps": true, - "allowSelfSignedCerts" : true + "useHttps": false, + "apiKey": "some-key", + "apiSecret": "some-secret" }, { "topic": "APPC-LCM-WRITE", "servers": ["${HOST_NAME}"], "topicCommInfrastructure": "DMAAP", - "useHttps": true, - "allowSelfSignedCerts" : true - }, - { - "topic": "SDNR-CL", - "servers": ["${HOST_NAME}"], - "topicCommInfrastructure": "DMAAP", - "useHttps": true, - "allowSelfSignedCerts" : true + "useHttps": false, + "apiKey": "some-key", + "apiSecret": "some-secret" } ], "topicSources": [ 
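Review bot: Literal credentials (`"password": "demo123456!"`, `"password": "password1$"`, `"apiKey": "some-key"`/`"apiSecret": "some-secret"`) and plaintext endpoints (`"https": false`, `"useHttps": false`) are now committed in simParameters.json, which the chart mounts through a ConfigMap, with nothing marking them as CSIT-only fixtures. Strict JSON has no room for a comment, so I'd record in the simulator chart's values.yaml or NOTES.txt that these are fixed simulator test values and that TLS is deliberately off for the CSIT path. The same applies to the `@@ -52` and `@@ -75` topic hunks; the `@@ -105` hunk also removes the SDNR server, so it is worth confirming no CSIT suite still publishes to `SDNR-CL`.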
@@ -75,22 +68,17 @@ "topic": "APPC-CL", "servers": ["${HOST_NAME}"], "topicCommInfrastructure": "DMAAP", - "useHttps": true, - "allowSelfSignedCerts" : true + "useHttps": false, + "apiKey": "some-key", + "apiSecret": "some-secret" }, { "topic": "APPC-LCM-READ", "servers": ["${HOST_NAME}"], "topicCommInfrastructure": "DMAAP", - "useHttps": true, - "allowSelfSignedCerts" : true - }, - { - "topic": "SDNR-CL-RSP", - "servers": ["${HOST_NAME}"], - "topicCommInfrastructure": "DMAAP", - "useHttps": true, - "allowSelfSignedCerts" : true + "useHttps": false, + "apiKey": "some-key", + "apiSecret": "some-secret" } ], "topicServers": [ @@ -105,12 +93,6 @@ "providerClass": "org.onap.policy.simulators.AppcLcmTopicServer", "sink": "APPC-LCM-WRITE", "source": "APPC-LCM-READ" - }, - { - "name": "SDNR simulator", - "providerClass": "org.onap.policy.simulators.SdnrTopicServer", - "sink": "SDNR-CL", - "source": "SDNR-CL-RSP" } ], "grpcServer": { @@ -121,7 +103,7 @@ "timeout": 30, "username": "ccsdkapps", "password": "ccsdkapps", - "resourceLocation": "/opt/app/policy/simulators/etc/mounted/", + "resourceLocation": "/opt/app/policy/simulators/etc/mounted/cdsresponse/", "successRepeatCount": 0, "requestedResponseDelayMs": 0 } diff --git a/helm/policy-models-simulator/templates/NOTES.txt b/helm/policy/components/policy-models-simulator/templates/NOTES.txt index f6e027f2..f6e027f2 100644 --- a/helm/policy-models-simulator/templates/NOTES.txt +++ b/helm/policy/components/policy-models-simulator/templates/NOTES.txt diff --git a/helm/policy-models-simulator/templates/_helpers.tpl b/helm/policy/components/policy-models-simulator/templates/_helpers.tpl index a741f0de..8469a1a3 100644 --- a/helm/policy-models-simulator/templates/_helpers.tpl +++ b/helm/policy/components/policy-models-simulator/templates/_helpers.tpl 
@@ -19,7 +19,7 @@ If release name contains chart name it will be used as a full name.
 {{- if contains $name .Release.Name -}}
 {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s" $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/helm/policy-models-simulator/templates/configmap.yaml b/helm/policy/components/policy-models-simulator/templates/configmap.yaml
index c0f75199..c0f75199 100644
--- a/helm/policy-models-simulator/templates/configmap.yaml
+++ b/helm/policy/components/policy-models-simulator/templates/configmap.yaml
diff --git a/helm/policy-models-simulator/templates/deployment.yaml b/helm/policy/components/policy-models-simulator/templates/deployment.yaml
index 84ba530d..c4d41a2d 100644
--- a/helm/policy-models-simulator/templates/deployment.yaml
+++ b/helm/policy/components/policy-models-simulator/templates/deployment.yaml
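Review bot: The else branch of the fullname helper now discards `.Release.Name`, so two releases of this chart in one namespace collide on every resource that uses `fullname`, and the helper's own description (starts before the hunk: the release name is used only when it already contains the chart name) no longer matches what it returns. If dropping the prefix is intended for the CSIT layout, update that comment to say so and simplify the line to `{{- $name | trunc 63 | trimSuffix "-" -}}`, since `printf "%s" $name` is a no-op wrapper.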
@@ -32,28 +32,22 @@ spec: command: ["/opt/app/policy/simulators/bin/simulators.sh"] args: ["/opt/app/policy/simulators/etc/mounted/simParameters.json"] ports: - - containerPort: {{ .Values.service.internalPort }} - containerPort: {{ .Values.service.internalPort2 }} - containerPort: {{ .Values.service.internalPort3 }} - containerPort: {{ .Values.service.internalPort4 }} - containerPort: {{ .Values.service.internalPort5 }} - containerPort: {{ .Values.service.internalPort6 }} + - containerPort: {{ .Values.service.internalPort7 }} livenessProbe: - exec: - command: - - /bin/bash - - -c - - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' - initialDelaySeconds: 120 - periodSeconds: 20 + tcpSocket: + port: 3904 + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} readinessProbe: - exec: - command: - - /bin/bash - - -c - - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' - initialDelaySeconds: 120 - periodSeconds: 20 + tcpSocket: + port: 3904 + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - mountPath: /opt/app/policy/simulators/etc/mounted/ name: simconfig diff --git a/helm/policy-models-simulator/templates/service.yaml b/helm/policy/components/policy-models-simulator/templates/service.yaml index 362ac93a..0ef23d1e 100644 --- a/helm/policy-models-simulator/templates/service.yaml +++ b/helm/policy/components/policy-models-simulator/templates/service.yaml 
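Review bot: Both probes hardcode `port: 3904` although the same commit adds `liveness.port` / `readiness.port` (set to `message-router`) and `service.internalPort7: 3904` to values.yaml, so overriding the port leaves the probes pointing at a closed socket. Use `port: {{ .Values.liveness.port }}` and `port: {{ .Values.readiness.port }}` and give the container port a matching `name: message-router`, or reference `.Values.service.internalPort7` directly. `liveness.enabled` is also introduced in values.yaml but never consulted here; the enclosing container spec starts before the hunk.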
@@ -1,15 +1,12 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "policy-models-simulator.fullname" . }} + name: message-router labels: {{ include "policy-models-simulator.labels" . | indent 4 }} spec: type: {{ .Values.service.type }} ports: - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - port: {{ .Values.service.externalPort2 }} targetPort: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName }}2 @@ -25,6 +22,9 @@ spec: - port: {{ .Values.service.externalPort6 }} targetPort: {{ .Values.service.internalPort6 }} name: {{ .Values.service.portName }}6 + - port: {{ .Values.service.externalPort7 }} + targetPort: {{ .Values.service.internalPort7 }} + name: {{ .Values.service.portName }}7 selector: app.kubernetes.io/name: {{ include "policy-models-simulator.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/helm/policy-models-simulator/templates/serviceaccount.yaml b/helm/policy/components/policy-models-simulator/templates/serviceaccount.yaml index 27ee5daa..27ee5daa 100644 --- a/helm/policy-models-simulator/templates/serviceaccount.yaml +++ b/helm/policy/components/policy-models-simulator/templates/serviceaccount.yaml diff --git a/helm/policy-models-simulator/templates/tests/test-connection.yaml b/helm/policy/components/policy-models-simulator/templates/tests/test-connection.yaml index e90661bc..e90661bc 100644 --- a/helm/policy-models-simulator/templates/tests/test-connection.yaml +++ b/helm/policy/components/policy-models-simulator/templates/tests/test-connection.yaml diff --git a/helm/policy-models-simulator/values.yaml b/helm/policy/components/policy-models-simulator/values.yaml index d6264637..9174b61e 100644 --- a/helm/policy-models-simulator/values.yaml +++ b/helm/policy/components/policy-models-simulator/values.yaml 
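Review bot: `name: message-router` is hardcoded in metadata even though values.yaml sets `service.name: message-router` in the same commit; `name: {{ .Values.service.name }}` keeps the override path coherent. Naming the simulator Service `message-router` makes it answer for the DMaaP endpoint that policy components resolve by that name, which is presumably the intent for CSIT but deserves a comment above `metadata:` so nobody installs this chart next to a real message router.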
@@ -31,12 +31,24 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 +# probe configuration parameters +liveness: + initialDelaySeconds: 20 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: message-router + +readiness: + initialDelaySeconds: 20 + periodSeconds: 10 + port: message-router + service: type: ClusterIP - name: policy-models-simulator - portName: policy-models-simulator - externalPort: 3905 - internalPort: 3905 + name: message-router + portName: message-router externalPort2: 6667 internalPort2: 6667 externalPort3: 6668 @@ -47,6 +59,8 @@ service: internalPort5: 6670 externalPort6: 6680 internalPort6: 6680 + externalPort7: 3904 + internalPort7: 3904 ingress: enabled: false diff --git a/helm/policy/resources/config/db.sh b/helm/policy/resources/config/db.sh new file mode 100755 index 00000000..8c68c6ba --- /dev/null +++ b/helm/policy/resources/config/db.sh 
@@ -0,0 +1,30 @@
+#!/bin/bash
+{{/*
+#
+# ============LICENSE_START====================================================
+# Copyright (C) 2022 Nordix Foundation.
+# =============================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END======================================================
+*/}}
+mysql() { /usr/bin/mysql -h ${MYSQL_HOST} -P ${MYSQL_USER} "$@"; };
+
+for db in migration pooling policyadmin policyclamp operationshistory clampacm
+do
+ mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};"
+ mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;"
+done
+
+mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;"
diff --git a/helm/policy/resources/config/db_migrator_policy_init.sh b/helm/policy/resources/config/db_migrator_policy_init.sh
new file mode 100644
index 00000000..cd6181d4
--- /dev/null
+++ b/helm/policy/resources/config/db_migrator_policy_init.sh
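Review bot: The `mysql` wrapper passes `-P ${MYSQL_USER}`, i.e. the user name where the port is expected; job.yaml exports `MYSQL_PORT` for exactly this, so the line should read `mysql() { /usr/bin/mysql -h "${MYSQL_HOST}" -P "${MYSQL_PORT}" "$@"; }`. The root password is also supplied on argv via `-p"${MYSQL_ROOT_PASSWORD}"`, where any process in the pod can read it from `ps`; exporting it as `MYSQL_PWD` (or using `--defaults-extra-file`) keeps it out of the command line. Under `set -e` this script has none, so a failed `CREATE DATABASE` is followed by a GRANT on a database that does not exist and the Job still exits 0 unless the final `FLUSH` fails; `set -e` after the shebang, or `|| exit 1` on each call, makes the init fail loudly.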
@@ -0,0 +1,22 @@
+#!/bin/sh
+{{/*
+# ============LICENSE_START====================================================
+# Copyright (C) 2022 Nordix Foundation.
+# =============================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+/opt/app/policy/bin/prepare_upgrade.sh ${SQL_DB}
+/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o upgrade
+rc=$?
+/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o report
+exit $rc
diff --git a/helm/policy/templates/configmap.yaml b/helm/policy/templates/configmap.yaml
new file mode 100755
index 00000000..c193281a
--- /dev/null
+++ b/helm/policy/templates/configmap.yaml
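Review bot: The exit status of `prepare_upgrade.sh` is discarded, so a failed preparation still runs the `upgrade` step and the Job reports only the migrator's status; `/opt/app/policy/bin/prepare_upgrade.sh "${SQL_DB}" || exit $?` keeps the failure visible, and `"${SQL_DB}"` should be quoted on all three invocations. The sibling db.sh uses `#!/bin/bash` while this file uses `#!/bin/sh`; both are launched through `/bin/sh -cx` in job.yaml, so aligning the shebangs avoids behaviour depending on which shell the image links `/bin/sh` to.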
@@ -0,0 +1,26 @@
+{{/*
+# Copyright (C) 2022 Nordix Foundation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Chart.Name }}-db-configmap
+ namespace: default
+ labels:
+ app: policy
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+data:
+{{ tpl (.Files.Glob "resources/config/*.sh").AsConfig . | indent 2 }}
diff --git a/helm/policy/templates/job.yaml b/helm/policy/templates/job.yaml
new file mode 100755
index 00000000..beca1288
--- /dev/null
+++ b/helm/policy/templates/job.yaml
@@ -0,0 +1,180 @@ +{{/* +# Copyright (C) 2022 Nordix Foundation. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: policy-galera-init + namespace: default + labels: + app: policy-galera-init +spec: + template: + metadata: + labels: + app: policy-galera-init + name: policy-galera-init + spec: + imagePullSecrets: + - name: "default-docker-registry-key" + initContainers: + - name: policy-mariadb-readiness + image: {{ .Values.repository }}/{{ .Values.readiness.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /app/ready.py + - --container-name + - {{ index .Values "mariadb-galera" "service" "name" }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + containers: + - name: policy-galera-config + image: {{ .Values.dockerRepository }}/{{ .Values.mariadb.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - mountPath: /dbcmd-config/db.sh + name: {{ .Chart.Name }}-config + subPath: db.sh + command: + - /bin/sh + - -cx + - | + /dbcmd-config/db.sh + env: + - name: MYSQL_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: mariadb-galera-db-root-password + key: password + optional: false + - name: MYSQL_HOST + value: "{{ index .Values "mariadb-galera" "service" "name" }}" + - name: MYSQL_USER + valueFrom: + secretKeyRef: + name: mariadb-galera-db-user-credentials 
+ key: login + optional: false + - name: MYSQL_PORT + value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}" + resources: + limits: + cpu: 1 + memory: 4Gi + requests: + cpu: 100m + memory: 1Gi + restartPolicy: Never + serviceAccount: {{ .Chart.Name }}-read + serviceAccountName: {{ .Chart.Name }}-read + volumes: + - name: {{ .Chart.Name }}-config + configMap: + name: {{ .Chart.Name }}-db-configmap + defaultMode: 0755 + items: + - key: db.sh + path: db.sh + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: policy-galera-config + namespace: default + labels: + app: policy-galera-config +spec: + template: + metadata: + labels: + app: policy-galera-config + name: policy-galera-config + spec: + imagePullSecrets: + - name: "default-docker-registry-key" + initContainers: + - name: policy-init-readiness + image: {{ .Values.repository }}/{{ .Values.readiness.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /app/ready.py + args: + - --job-name + - policy-galera-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + containers: + - name: policy-galera-db-migrator + image: {{ .Values.repository }}/{{ .Values.dbmigrator.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - mountPath: /dbcmd-config/db_migrator_policy_init.sh + name: {{ .Chart.Name }}-config + subPath: db_migrator_policy_init.sh + command: + - /bin/sh + - -cx + - | + /dbcmd-config/db_migrator_policy_init.sh + env: + - name: SQL_HOST + value: "{{ index .Values "mariadb-galera" "service" "name" }}" + - name: SQL_USER + valueFrom: + secretKeyRef: + name: mariadb-galera-db-user-credentials + key: login + optional: false + - name: SQL_PASSWORD + valueFrom: + secretKeyRef: + name: mariadb-galera-db-user-credentials + key: password + optional: false + - name: SQL_DB + value: {{ .Values.dbmigrator.schema }} + - name: POLICY_HOME + value: 
{{ .Values.dbmigrator.policy_home }} + - name: SCRIPT_DIRECTORY + value: "sql" + resources: + limits: + cpu: 1 + memory: 4Gi + requests: + cpu: 100m + memory: 1Gi + restartPolicy: Never + serviceAccountName: {{ .Chart.Name }}-read + volumes: + - name: {{ .Chart.Name }}-config + configMap: + name: {{ .Chart.Name }}-db-configmap + defaultMode: 0755 + items: + - key: db_migrator_policy_init.sh + path: db_migrator_policy_init.sh + diff --git a/helm/policy/templates/service-account.yaml b/helm/policy/templates/service-account.yaml new file mode 100644 index 00000000..28757f53 --- /dev/null +++ b/helm/policy/templates/service-account.yaml @@ -0,0 +1,21 @@ +{{/* +# Copyright (C) 2022 Nordix Foundation. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Chart.Name }}-read + diff --git a/helm/policy/values.yaml b/helm/policy/values.yaml new file mode 100755 index 00000000..8dcdae89 --- /dev/null +++ b/helm/policy/values.yaml 
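Review bot: The `policy-galera-init` Job sets both `serviceAccount:` and `serviceAccountName:`; `serviceAccount` is the deprecated alias and the second Job uses only `serviceAccountName`, so drop the `serviceAccount: {{ .Chart.Name }}-read` line. Both Jobs read Secrets named `mariadb-galera-db-root-password` and `mariadb-galera-db-user-credentials`, whereas the parent values.yaml hunk declares `policy-db-root-password` and `policy-db-secret`; if these are produced by the mariadb-galera subchart instead, a comment next to the first `secretKeyRef` naming the producer would prevent the mismatch being read as a bug. Neither Job sets `backoffLimit`, so with `restartPolicy: Never` a failing init leaves up to the default six failed pods behind before the dependent readiness check gives up.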
@@ -0,0 +1,177 @@
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+
+global:
+ aafEnabled: true
+ mariadb:
+ # '&mariadbConfig' means we "store" the values for later use in the file
+ # with '*mariadbConfig' pointer.
+ config: &mariadbConfig
+ mysqlDatabase: policyadmin
+ service: &mariadbService
+ name: &mariadb-galera mariadb-galera
+ internalPort: 3306
+ prometheusEnabled: false
+ kafkaBootstrap: strimzi-kafka-bootstrap
+ policyKafkaUser: policy-kafka-user
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: db-root-password
+ name: &dbRootPassSecretName 'policy-db-root-password'
+ type: password
+ externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) (hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret"))}}'
+ password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}'
+ policy: generate
+ - uid: db-secret
+ name: &dbSecretName 'policy-db-secret'
+ type: basicAuth
+ externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .) 
(hasSuffix "policy-db-secret" (index .Values "mariadb-galera" "db" "externalSecret"))}}'
+ login: '{{ index .Values "mariadb-galera" "db" "user" }}'
+ password: '{{ index .Values "mariadb-galera" "db" "password" }}'
+ passwordPolicy: generate
+ - uid: policy-app-user-creds
+ name: &policyAppCredsSecret 'policy-app-user-creds'
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.config.policyAppUserExternalSecret) . }}'
+ login: '{{ .Values.config.policyAppUserName }}'
+ password: '{{ .Values.config.policyAppUserPassword }}'
+ passwordPolicy: generate
+
+db: &dbSecretsHook
+ credsExternalSecret: *dbSecretName
+
+policy-models-simulator:
+ enabled: true
+policy-clamp-ac-k8s-ppnt:
+ enabled: true
+policy-clamp-runtime-acm:
+ enabled: true
+ db: *dbSecretsHook
+ config:
+ appUserExternalSecret: *policyAppCredsSecret
+
+#################################################################
+# DB configuration defaults.
+#################################################################
+
+repository: nexus3.onap.org:10001
+pullPolicy: Always
+
+dockerRepository: docker.io
+
+mariadb:
+ image: mariadb:10.5.8
+
+dbmigrator:
+ image: onap/policy-db-migrator:2.5.1
+ schema: policyadmin
+ policy_home: "/opt/app/policy"
+
+subChartsOnly:
+ enabled: true
+
+# flag to enable debugging - application support required
+debugEnabled: false
+
+# default number of instances
+#replicaCount: 1
+
+nodeSelector: {}
+
+affinity: {}
+
+# probe configuration parameters
+liveness:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ # necessary to disable liveness probe when setting breakpoints
+ # in debugger so K8s doesn't restart unresponsive container
+ enabled: true
+
+readiness:
+ image: onap/oom/readiness:3.0.1
+ initialDelaySeconds: 10
+ periodSeconds: 10
+
+
+config:
+ policyAppUserName: runtimeUser
+ useStrimziKafka: true
+ acRuntimeTopic:
+ name: policy-acruntime-participant
+ partitions: 10
+ retentionMs: 7200000
+ segmentBytes: 1073741824
+ consumer:
+ groupId: policy-group
+ 
policyHeartbeatTopic:
+ name: policy-heartbeat
+ partitions: 10
+ retentionMs: 7200000
+ segmentBytes: 1073741824
+ consumer:
+ groupId: policy-group
+ policyNotificationTopic:
+ name: policy-notification
+ partitions: 10
+ retentionMs: 7200000
+ segmentBytes: 1073741824
+ consumer:
+ groupId: policy-group
+ someConfig: blah
+
+mariadb-galera:
+ # mariadb-galera.config and global.mariadb.config must be equals
+ db:
+ user: policy-user
+ # password:
+ externalSecret: *dbSecretName
+ name: &mysqlDbName policyadmin
+ rootUser:
+ externalSecret: *dbRootPassSecretName
+ nameOverride: *mariadb-galera
+ # mariadb-galera.service and global.mariadb.service must be equals
+ service: *mariadbService
+ #replicaCount: 1
+ persistence:
+ enabled: true
+ mountSubPath: policy/maria/data
+ serviceAccount:
+ nameOverride: *mariadb-galera
+
+# Resource Limit flavor -By Default using small
+# Segregation for Different environment (small, large, or unlimited)
+flavor: small
+resources:
+ small:
+ limits:
+ cpu: 1
+ memory: 4Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
+ unlimited: {}
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: policy
+ roles:
+ - read |
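Review bot: The anchor `&mysqlDbName` on `mariadb-galera.db.name` is declared but never referenced, and `global.mariadb.config.mysqlDatabase` and `dbmigrator.schema` repeat the literal `policyadmin` instead, so the comment that the two blocks "must be equals" is not enforced by the file and the three copies can silently drift; since a YAML anchor has to precede its aliases, move the declaration to the first occurrence, `mysqlDatabase: &mysqlDbName policyadmin` under `global.mariadb.config`, and use `schema: *mysqlDbName` and `name: *mysqlDbName` at the other two sites. That comment also refers to a `mariadb-galera.config` key that does not exist in this file (the block is `mariadb-galera.db`), so it should name the key it actually means. `config.someConfig: blah` reads as a leftover placeholder and should be removed or given a comment explaining what consumes it. `mariadb.image: mariadb:10.5.8` pins a point release that is presumably well behind the 10.5 patch line at the time of this commit; tracking a current patch tag would keep the database from running with already-fixed defects.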