Update Gizmo and Champ security config
[oom.git] / kubernetes / aai / charts / aai-gizmo / templates / deployment.yaml
1 # Copyright © 2018 Amdocs, AT&T
2 # Modifications Copyright © 2018 Bell Canada
3 #
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
7 #
8 #       http://www.apache.org/licenses/LICENSE-2.0
9 #
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
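# Deployment for the Gizmo CRUD service. The pod runs the application
# container and a filebeat log shipper; when
# .Values.global.installSidecarSecurity is set it also gets a tproxy init
# container plus rproxy and fproxy sidecar containers.
#
# NOTE(review): extensions/v1beta1 Deployments were removed in Kubernetes 1.16.
# Moving to apps/v1 also requires an explicit spec.selector, so the apiVersion
# is left unchanged here and should be migrated as a separate change.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: {{ include "common.fullname" . }}
  namespace: {{ include "common.namespace" . }}
  labels:
    app: {{ include "common.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  replicas: {{ .Values.replicaCount }}
  template:
    metadata:
      labels:
        app: {{ include "common.name" . }}
        release: {{ .Release.Name }}
    spec:
    {{ if .Values.global.installSidecarSecurity }}
      initContainers:
        # NOTE(review): this init container runs fully privileged. Presumably
        # it sets up traffic redirection for the proxy sidecars; if that is all
        # it does, a narrower grant such as capabilities.add: [NET_ADMIN] would
        # limit what a compromised or substituted image can do on the node.
        # Confirm against the tproxy image before tightening.
        - name: {{ .Values.global.tproxyConfig.name }}
          image: "{{ include "common.repository" . }}/{{ .Values.global.tproxyConfig.image }}"
          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
          securityContext:
            privileged: true
    {{ end }}
      # NOTE(review): no securityContext is set on any container below, so the
      # user, capabilities and root filesystem writability all come from each
      # image's defaults.
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ include "common.repository" . }}/{{ .Values.image }}"
          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
          ports:
          - containerPort: {{ .Values.service.internalPort }}
          # disable liveness probe when breakpoints set in debugger
          # so K8s doesn't restart unresponsive container
          {{ if .Values.liveness.enabled }}
          livenessProbe:
            tcpSocket:
              port: {{ .Values.service.internalPort }}
            initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
            periodSeconds: {{ .Values.liveness.periodSeconds }}
          {{ end }}
          readinessProbe:
            tcpSocket:
              port: {{ .Values.service.internalPort }}
            initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
            periodSeconds: {{ .Values.readiness.periodSeconds }}
          env:
            - name: CONFIG_HOME
              value: /opt/app/crud-service/config/
            # Both passwords are read from the <fullname>-pass Secret, so they
            # never appear in the rendered Deployment spec.
            - name: KEY_STORE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "common.fullname" . }}-pass
                  key: KEY_STORE_PASSWORD
            - name: KEY_MANAGER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "common.fullname" . }}-pass
                  key: KEY_MANAGER_PASSWORD
            - name: SERVICE_BEANS
              value: /opt/app/crud-service/dynamic/conf
          volumeMounts:
          - mountPath: /etc/localtime
            name: localtime
            readOnly: true
          - mountPath: /opt/app/crud-service/config/crud-api.properties
            subPath: crud-api.properties
            name: {{ include "common.fullname" . }}-config
          - mountPath: /opt/app/crud-service/config/schema-ingest.properties
            subPath: schema-ingest.properties
            name: {{ include "common.fullname" . }}-config
          - mountPath: /opt/app/crud-service/config/edgeprops-ingest.properties
            subPath: edgeprops-ingest.properties
            name: {{ include "common.fullname" . }}-config
          - mountPath: /opt/app/crud-service/config/model/
            name: {{ include "common.fullname" . }}-model-config
          - mountPath: /opt/app/crud-service/config/auth
            name: {{ include "common.fullname" . }}-auth-secret
          - mountPath: /opt/app/crud-service/dynamic/conf/crud-beans.xml
            name: {{ include "common.fullname" . }}-config
            subPath: crud-beans.xml
          - mountPath: /var/log/onap
            name: {{ include "common.fullname" . }}-logs
          - mountPath: /opt/app/crud-api/bundleconfig/etc/logback.xml
            name: {{ include "common.fullname" . }}-logback-config
            subPath: logback.xml
          resources:
{{ include "common.resources" . | indent 12 }}

        # Log shipper: reads the logs the application writes to the shared
        # <fullname>-logs emptyDir volume.
        - name: filebeat-onap
          image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}"
          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
          volumeMounts:
          - mountPath: /usr/share/filebeat/filebeat.yml
            name: filebeat-conf
            subPath: filebeat.yml
          - mountPath: /var/log/onap
            name: {{ include "common.fullname" . }}-logs
          - mountPath: /usr/share/filebeat/data
            name: {{ include "common.fullname" . }}-data-filebeat

    {{ if .Values.global.installSidecarSecurity }}
        - name: {{ .Values.global.rproxy.name }}
          image: "{{ include "common.repository" . }}/{{ .Values.global.rproxy.image }}"
          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
          env:
          - name: CONFIG_HOME
            value: "/opt/app/rproxy/config"
          # NOTE(review): unlike the application container, which reads its
          # passwords through secretKeyRef, this password is rendered into the
          # Deployment spec as plain text. Anyone who can read the Deployment
          # or the stored Helm release can read it. Prefer moving it into a
          # Secret and referencing it with valueFrom.secretKeyRef.
          # The value is quoted so a numeric-looking or special-character
          # password still renders as a YAML string.
          - name: KEY_STORE_PASSWORD
            value: {{ .Values.config.keyStorePassword | quote }}
          - name: spring_profiles_active
            value: {{ .Values.global.rproxy.activeSpringProfiles | quote }}
          volumeMounts:
          - name: {{ include "common.fullname" . }}-rproxy-config
            mountPath: /opt/app/rproxy/config/forward-proxy.properties
            subPath: forward-proxy.properties
          - name: {{ include "common.fullname" . }}-rproxy-config
            mountPath: /opt/app/rproxy/config/primary-service.properties
            subPath: primary-service.properties
          - name: {{ include "common.fullname" . }}-rproxy-config
            mountPath: /opt/app/rproxy/config/reverse-proxy.properties
            subPath: reverse-proxy.properties
          - name: {{ include "common.fullname" . }}-rproxy-config
            mountPath: /opt/app/rproxy/config/cadi.properties
            subPath: cadi.properties
          - name: {{ include "common.fullname" . }}-rproxy-log-config
            mountPath: /opt/app/rproxy/config/logback-spring.xml
            subPath: logback-spring.xml
          - name: {{ include "common.fullname" . }}-rproxy-auth-certs
            mountPath: /opt/app/rproxy/config/auth/tomcat_keystore
            subPath: tomcat_keystore
          - name: {{ include "common.fullname" . }}-rproxy-auth-certs
            mountPath: /opt/app/rproxy/config/auth/client-cert.p12
            subPath: client-cert.p12
          - name: {{ include "common.fullname" . }}-rproxy-auth-certs
            mountPath: /opt/app/rproxy/config/auth/org.onap.aai.p12
            subPath: org.onap.aai.p12
          - name: {{ include "common.fullname" . }}-rproxy-auth-config
            mountPath: /opt/app/rproxy/config/auth/uri-authorization.json
            subPath: uri-authorization.json
          - name: {{ include "common.fullname" . }}-rproxy-security-config
            mountPath: /opt/app/rproxy/config/security/keyfile
            subPath: keyfile

          ports:
          - containerPort: {{ .Values.global.rproxy.port }}

        - name: {{ .Values.global.fproxy.name }}
          image: "{{ include "common.repository" . }}/{{ .Values.global.fproxy.image }}"
          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
          env:
          - name: CONFIG_HOME
            value: "/opt/app/fproxy/config"
          # NOTE(review): both store passwords are rendered into the Deployment
          # spec as plain text rather than read through secretKeyRef, so they
          # are visible to anyone who can read the Deployment or the stored
          # Helm release. Prefer a Secret. Values are quoted so they always
          # render as YAML strings.
          - name: KEY_STORE_PASSWORD
            value: {{ .Values.config.keyStorePassword | quote }}
          - name: TRUST_STORE_PASSWORD
            value: {{ .Values.config.trustStorePassword | quote }}
          - name: spring_profiles_active
            value: {{ .Values.global.fproxy.activeSpringProfiles | quote }}
          volumeMounts:
          - name: {{ include "common.fullname" . }}-fproxy-config
            mountPath: /opt/app/fproxy/config/fproxy.properties
            subPath: fproxy.properties
          - name: {{ include "common.fullname" . }}-fproxy-log-config
            mountPath: /opt/app/fproxy/config/logback-spring.xml
            subPath: logback-spring.xml
          - name: {{ include "common.fullname" . }}-fproxy-auth-certs
            mountPath: /opt/app/fproxy/config/auth/tomcat_keystore
            subPath: tomcat_keystore
          - name: {{ include "common.fullname" . }}-fproxy-auth-certs
            mountPath: /opt/app/fproxy/config/auth/fproxy_truststore
            subPath: fproxy_truststore
          - name: {{ include "common.fullname" . }}-fproxy-auth-certs
            mountPath: /opt/app/fproxy/config/auth/client-cert.p12
            subPath: client-cert.p12
          ports:
          - containerPort: {{ .Values.global.fproxy.port }}
    {{ end }}
      # nodeSelector and affinity are pod-level fields. They are rendered here,
      # after the last container and at pod-spec indentation; placed between
      # two entries of the containers list they produce an invalid manifest as
      # soon as either value is set.
      {{- if .Values.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
      {{- end }}
      {{- if .Values.affinity }}
      affinity:
{{ toYaml .Values.affinity | indent 8 }}
      {{- end }}

      volumes:
        # Node's /etc/localtime; the only container that mounts it does so
        # with readOnly: true.
        - name: localtime
          hostPath:
            path: /etc/localtime
        - name: {{ include "common.fullname" . }}-data-filebeat
          emptyDir: {}
        - name: filebeat-conf
          configMap:
            name: {{ include "common.fullname" . }}-filebeat-configmap
        - name: {{ include "common.fullname" . }}-logs
          emptyDir: {}
        - name: {{ include "common.fullname" . }}-auth-secret
          secret:
            secretName: {{ include "common.fullname" . }}-auth
        - name: {{ include "common.fullname" . }}-config
          configMap:
            name: {{ include "common.fullname" . }}-configmap
            items:
            - key: crud-api.properties
              path: crud-api.properties
            - key: schema-ingest.properties
              path: schema-ingest.properties
            - key: edgeprops-ingest.properties
              path: edgeprops-ingest.properties
            - key: crud-beans.xml
              path: crud-beans.xml
        - name: {{ include "common.fullname" . }}-logback-config
          configMap:
            name: {{ include "common.fullname" . }}-log-configmap
            items:
            - key: logback.xml
              path: logback.xml
        - name: {{ include "common.fullname" . }}-model-config
          configMap:
            name: {{ include "common.fullname" . }}-model-configmap
    {{ if .Values.global.installSidecarSecurity }}
        - name: {{ include "common.fullname" . }}-rproxy-config
          configMap:
            name: {{ include "common.fullname" . }}-rproxy-config
        - name: {{ include "common.fullname" . }}-rproxy-log-config
          configMap:
            name: {{ include "common.fullname" . }}-rproxy-log-config
        - name: {{ include "common.fullname" . }}-rproxy-auth-config
          secret:
            secretName: {{ include "common.fullname" . }}-rproxy-auth-config
        # NOTE(review): the three aai-* secret names below are hard-coded, not
        # derived from common.fullname like the others, so every release in
        # the namespace resolves to the same key and certificate material.
        # Confirm that sharing is intended.
        - name: {{ include "common.fullname" . }}-rproxy-auth-certs
          secret:
            secretName: aai-rproxy-auth-certs
        - name: {{ include "common.fullname" . }}-rproxy-security-config
          secret:
            secretName: aai-rproxy-security-config
        - name: {{ include "common.fullname" . }}-fproxy-config
          configMap:
            name: {{ include "common.fullname" . }}-fproxy-config
        - name: {{ include "common.fullname" . }}-fproxy-log-config
          configMap:
            name: {{ include "common.fullname" . }}-fproxy-log-config
        - name: {{ include "common.fullname" . }}-fproxy-auth-certs
          secret:
            secretName: aai-fproxy-auth-certs
    {{ end }}

      imagePullSecrets:
      - name: "{{ include "common.namespace" . }}-docker-registry-key"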