[AAI][RESOURCES] Remove Hardcoded certificates
[oom.git] / kubernetes / aai / components / aai-resources / templates / deployment.yaml
index 765ccdf..7dc79a7 100644 (file)
@@ -72,37 +72,29 @@ spec:
       {{- end }}
     spec:
       hostname: aai-resources
-    {{- if .Values.global.initContainers.enabled }}
-      {{- if .Values.global.installSidecarSecurity }}
-      hostAliases:
-      - ip: {{ .Values.global.aaf.serverIp }}
-        hostnames:
-        - {{ .Values.global.aaf.serverHostname }}
-      {{- end }}
-      initContainers:
-      - command:
-      {{- if .Values.global.jobs.migration.enabled }}
+      initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+      - name: {{ include "common.name" . }}-readiness
+        command:
         - /app/ready.py
         args:
+        {{- if .Values.global.jobs.migration.enabled }}
         - --job-name
         - {{ include "common.release" . }}-aai-graphadmin-migration
-      {{- else if .Values.global.jobs.createSchema.enabled  }}
-        - /app/ready.py
-        args:
+        {{- else }}
+          {{- if .Values.global.jobs.createSchema.enabled  }}
         - --job-name
         - {{ include "common.release" . }}-aai-graphadmin-create-db-schema
-      {{- else }}
-        - /app/ready.py
-        args:
+          {{- else }}
         - --container-name
-        {{- if .Values.global.cassandra.localCluster }}
+            {{- if .Values.global.cassandra.localCluster }}
         - aai-cassandra
-        {{- else }}
+            {{- else }}
         - cassandra
-        {{- end }}
+            {{- end }}
         - --container-name
         - aai-schema-service
-      {{- end }}
+          {{- end }}
+        {{- end }}
         env:
         - name: NAMESPACE
           valueFrom:
@@ -111,27 +103,29 @@ spec:
               fieldPath: metadata.namespace
         image: {{ include "repositoryGenerator.image.readiness" . }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        name: {{ include "common.name" . }}-readiness
-      {{- if .Values.global.installSidecarSecurity }}
-      - name: {{ .Values.global.tproxyConfig.name }}
-        image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.tproxyConfig.image }}
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        securityContext:
-          privileged: true
-      {{- end }}
-    {{- end }}
       containers:
       - name: {{ include "common.name" . }}
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** retrieve Truststore and Keystore password"
+          export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
+          echo "*** actual launch of AAI Resources"
+          /bin/bash /opt/app/aai-resources/docker-entrypoint.sh
         env:
         - name: LOCAL_USER_ID
           value: {{ .Values.global.config.userId | quote }}
         - name: LOCAL_GROUP_ID
           value: {{ .Values.global.config.groupId | quote }}
         - name: POST_JAVA_OPTS
-          value: '-Djavax.net.ssl.trustStore=/opt/app/aai-resources/resources/aaf/truststoreONAPall.jks -Djavax.net.ssl.trustStorePassword=changeit'
-        volumeMounts:
+          value: '-Djavax.net.ssl.trustStore=/opt/app/aai-resources/resources/aaf/truststoreONAPall.jks -Djavax.net.ssl.trustStorePassword={{ .Values.certInitializer.truststoreAllPassword }}'
+        - name: TRUSTORE_ALL_PASSWORD
+          value: {{ .Values.certInitializer.truststoreAllPassword }}
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
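Review bot: The truststore password is placed as a plain `value:` in the pod spec, on the new `TRUSTORE_ALL_PASSWORD` entry and again inside `POST_JAVA_OPTS`, so it is readable by anyone who can get the Deployment object and it appears on the JVM command line; and because `{{ .Values.certInitializer.truststoreAllPassword }}` is unquoted, YAML will retype it if the value happens to look like a number or boolean. At minimum write `value: {{ .Values.certInitializer.truststoreAllPassword | quote }}` as the `LOCAL_USER_ID` entries above already do; better, take it from a Secret via `valueFrom.secretKeyRef` so the rendered manifest carries no credential. The `sh -c` script also sources the credentials from `{{ .Values.certInitializer.credsPath }}/mycreds.prop` at start-up, so the env entry may be redundant — confirm which source the entrypoint actually reads. The explicit mount of `truststoreONAPall.jks` at the path named in `POST_JAVA_OPTS` is removed in a later hunk; confirm the `common.certInitializer.volumeMount` include places the file at `/opt/app/aai-resources/resources/aaf/truststoreONAPall.jks`, or the JVM starts without a reachable trustStore. `TRUSTORE_ALL_PASSWORD` is missing an `S`; if the image expects `TRUSTSTORE_ALL_PASSWORD` the variable is silently ignored — verify against the entrypoint before keeping the name.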
@@ -155,14 +149,6 @@ spec:
         - mountPath: /opt/app/aai-resources/resources/etc/auth/realm.properties
           name: {{ include "common.fullname" . }}-config
           subPath: realm.properties
-        {{- if .Values.global.installSidecarSecurity }}
-        - mountPath: /opt/app/aai-resources/resources/etc/auth/aai_policy.json
-          name: {{ include "common.fullname" . }}-aai-policy
-          subPath: aai_policy.json
-        {{- end }}
-        - mountPath: /opt/app/aai-resources/resources/aaf/org.onap.aai.keyfile
-          name: {{ include "common.fullname" . }}-aaf-certs
-          subPath: org.onap.aai.keyfile
         - mountPath: /opt/app/aai-resources/resources/aaf/bath_config.csv
           name: {{ include "common.fullname" . }}-aaf-certs
           subPath: bath_config.csv
@@ -178,24 +164,12 @@ spec:
         - mountPath: /opt/app/aai-resources/resources/cadi.properties
           name: {{ include "common.fullname" . }}-aaf-properties
           subPath: cadi.properties
-        - mountPath: /opt/app/aai-resources/resources/aaf/org.onap.aai.p12
-          name: {{ include "common.fullname" . }}-aaf-certs
-          subPath: org.onap.aai.p12
-        - mountPath: /opt/app/aai-resources/resources/aaf/truststoreONAPall.jks
-          name: aai-common-aai-auth-mount
-          subPath: truststoreONAPall.jks
         - mountPath: /opt/app/aai-resources/resources/application.properties
           name: {{ include "common.fullname" . }}-config
           subPath: application.properties
         - mountPath: /opt/app/aai-resources/resources/application-keycloak.properties
           name: {{ include "common.fullname" . }}-config
           subPath: application-keycloak.properties
-          {{- $global := . }}
-          {{- range $job := .Values.global.config.auth.files }}
-        - mountPath: /opt/app/aai-resources/resources/etc/auth/{{ . }}
-          name: {{ include "common.fullname" $global }}-auth-truststore-sec
-          subPath: {{ . }}
-          {{- end }}
         ports:
         - containerPort: {{ .Values.service.internalPort }}
         - containerPort: {{ .Values.service.internalPort2 }}
@@ -233,88 +207,7 @@ spec:
         - mountPath: /usr/share/filebeat/data
           name: {{ include "common.fullname" . }}-filebeat
         resources: {{ include "common.resources" . | nindent 12 }}
-    {{- if .Values.global.installSidecarSecurity }}
-      - name: {{ .Values.global.rproxy.name }}
-        image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.rproxy.image }}
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        env:
-        - name: CONFIG_HOME
-          value: "/opt/app/rproxy/config"
-        - name: KEY_STORE_PASSWORD
-          value: {{ .Values.sidecar.keyStorePassword }}
-        - name: spring_profiles_active
-          value: {{ .Values.global.rproxy.activeSpringProfiles }}
-        volumeMounts:
-        - name: {{ include "common.fullname" . }}-rproxy-config
-          mountPath: /opt/app/rproxy/config/forward-proxy.properties
-          subPath: forward-proxy.properties
-        - name: {{ include "common.fullname" . }}-rproxy-config
-          mountPath: /opt/app/rproxy/config/primary-service.properties
-          subPath: primary-service.properties
-        - name: {{ include "common.fullname" . }}-rproxy-config
-          mountPath: /opt/app/rproxy/config/reverse-proxy.properties
-          subPath: reverse-proxy.properties
-        - name: {{ include "common.fullname" . }}-rproxy-config
-          mountPath: /opt/app/rproxy/config/cadi.properties
-          subPath: cadi.properties
-        - name: {{ include "common.fullname" . }}-rproxy-log-config
-          mountPath: /opt/app/rproxy/config/logback-spring.xml
-          subPath: logback-spring.xml
-        - name: {{ include "common.fullname" . }}-rproxy-uri-auth-config
-          mountPath: /opt/app/rproxy/config/auth/uri-authorization.json
-          subPath: uri-authorization.json
-        - name: {{ include "common.fullname" . }}-rproxy-auth-config
-          mountPath: /opt/app/rproxy/config/auth/tomcat_keystore
-          subPath: tomcat_keystore
-        - name: {{ include "common.fullname" . }}-rproxy-auth-config
-          mountPath: /opt/app/rproxy/config/auth/client-cert.p12
-          subPath: client-cert.p12
-        - name: {{ include "common.fullname" . }}-rproxy-auth-config
-          mountPath: /opt/app/rproxy/config/auth/aaf_truststore.jks
-          subPath: aaf_truststore.jks
-        - name: {{ include "common.fullname" . }}-rproxy-security-config
-          mountPath: /opt/app/rproxy/config/security/keyfile
-          subPath: keyfile
-        - name: {{ include "common.fullname" . }}-rproxy-auth-config
-          mountPath: /opt/app/rproxy/config/auth/org.onap.aai.p12
-          subPath: org.onap.aai.p12
-        ports:
-        - containerPort: {{ .Values.global.rproxy.port }}
-      - name: {{ .Values.global.fproxy.name }}
-        image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.fproxy.image }}
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        env:
-        - name: CONFIG_HOME
-          value: "/opt/app/fproxy/config"
-        - name: KEY_STORE_PASSWORD
-          value: {{ .Values.sidecar.keyStorePassword }}
-        - name: TRUST_STORE_PASSWORD
-          value: {{ .Values.sidecar.trustStorePassword }}
-        - name: spring_profiles_active
-          value: {{ .Values.global.fproxy.activeSpringProfiles }}
-        volumeMounts:
-        - name: {{ include "common.fullname" . }}-fproxy-config
-          mountPath: /opt/app/fproxy/config/fproxy.properties
-          subPath: fproxy.properties
-        - name: {{ include "common.fullname" . }}-fproxy-log-config
-          mountPath: /opt/app/fproxy/config/logback-spring.xml
-          subPath: logback-spring.xml
-        - name: {{ include "common.fullname" . }}-fproxy-auth-config
-          mountPath: /opt/app/fproxy/config/auth/fproxy_truststore
-          subPath: fproxy_truststore
-        - name: {{ include "common.fullname" . }}-fproxy-auth-config
-          mountPath: /opt/app/fproxy/config/auth/tomcat_keystore
-          subPath: tomcat_keystore
-        - name: {{ include "common.fullname" . }}-fproxy-auth-config
-          mountPath: /opt/app/fproxy/config/auth/client-cert.p12
-          subPath: client-cert.p12
-        ports:
-        - containerPort: {{ .Values.global.fproxy.port }}
-    {{- end }}
-      volumes:
-      - name: aai-common-aai-auth-mount
-        secret:
-          secretName: aai-common-aai-auth
+      volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
       - name: localtime
         hostPath:
           path: /etc/localtime
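Review bot: The rproxy/fproxy sidecars and the `installSidecarSecurity` branch are deleted here, but the chart pieces they consumed are not in this diff — the `-rproxy-*`/`-fproxy-*` ConfigMap and Secret templates named in the removed `volumeMounts`, and the `sidecar.keyStorePassword`, `sidecar.trustStorePassword`, `global.rproxy`, `global.fproxy` and `global.tproxyConfig` values. If those templates and values still exist in the chart they become dead resources that keep rendering, and a keystore password keeps living in values.yaml with nothing using it; confirm they are removed in a companion change. The hardcoded `aai-common-aai-auth-mount` Secret volume is dropped together with its only visible consumer (the `truststoreONAPall.jks` mount removed in an earlier hunk), so that pair is consistent; the pod spec continues outside the hunk.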
@@ -327,50 +220,13 @@ spec:
         emptyDir: {}
       - name: {{ include "common.fullname" . }}-config
         configMap:
-          name: {{ include "common.fullname" . }}-configmap
+          name: {{ include "common.fullname" . }}
       - name: {{ include "common.fullname" . }}-aaf-properties
         configMap:
           name: {{ include "common.fullname" . }}-aaf-props
       - name: {{ include "common.fullname" . }}-aaf-certs
         secret:
           secretName: {{ include "common.fullname" . }}-aaf-keys
-      - name: {{ include "common.fullname" . }}-auth-truststore-sec
-        secret:
-          secretName: aai-common-truststore
-          items:
-          {{- range $job := .Values.global.config.auth.files }}
-          - key: {{ . }}
-            path: {{ . }}
-          {{- end }}
-    {{- if .Values.global.installSidecarSecurity }}
-      - name: {{ include "common.fullname" . }}-aai-policy
-        configMap:
-          name: {{ include "common.fullname" . }}-aai-policy-configmap
-      - name: {{ include "common.fullname" . }}-rproxy-config
-        configMap:
-          name: {{ include "common.fullname" . }}-rproxy-config
-      - name: {{ include "common.fullname" . }}-rproxy-log-config
-        configMap:
-          name: {{ include "common.fullname" . }}-rproxy-log-config
-      - name: {{ include "common.fullname" . }}-rproxy-uri-auth-config
-        configMap:
-          name: {{ include "common.fullname" . }}-rproxy-uri-auth-config
-      - name: {{ include "common.fullname" . }}-rproxy-auth-config
-        secret:
-          secretName: {{ include "common.fullname" . }}-rproxy-auth-config
-      - name: {{ include "common.fullname" . }}-rproxy-security-config
-        secret:
-          secretName: {{ include "common.fullname" . }}-rproxy-security-config
-      - name: {{ include "common.fullname" . }}-fproxy-config
-        configMap:
-          name: {{ include "common.fullname" . }}-fproxy-config
-      - name: {{ include "common.fullname" . }}-fproxy-log-config
-        configMap:
-          name: {{ include "common.fullname" . }}-fproxy-log-config
-      - name: {{ include "common.fullname" . }}-fproxy-auth-config
-        secret:
-          secretName: {{ include "common.fullname" . }}-fproxy-auth-config
-    {{- end }}
       restartPolicy: {{ .Values.restartPolicy }}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
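Review bot: The ConfigMap reference for the `-config` volume changes from `{{ include "common.fullname" . }}-configmap` to the bare `{{ include "common.fullname" . }}`; this only works if the template that creates the ConfigMap is renamed the same way, which is not visible in this diff — otherwise the volume points at a non-existent object and the pod never leaves ContainerCreating. Check configmap.yaml and any other template that referenced the `-configmap` suffix, and note that on upgrade the old object is only cleaned up if it was tracked by the same release. The `-auth-truststore-sec` volume over `aai-common-truststore` is dropped, matching the removed `range .Values.global.config.auth.files` mount in an earlier hunk, so `global.config.auth.files` itself looks unused now and can probably be removed from values.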