# Modifications Copyright (c) 2018 AT&T
# Modifications Copyright (c) 2020 Nokia, Orange
# Modifications Copyright (c) 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
dockerhubRepository: docker.io
busyboxImage: busybox
- readinessImage: onap/oom/readiness:3.0.1
+ readinessImage: onap/oom/readiness:5.0.1
loggingRepository: docker.elastic.co
loggingImage: beats/filebeat:5.5.0
restartPolicy: Always
- aafEnabled: true
- msbEnabled: true
- centralizedLoggingEnabled: true
+ msbEnabled: false
+ centralizedLoggingEnabled: false
cassandra:
#This will instantiate AAI cassandra cluster, default:shared cassandra.
localCluster: false
+ # in case of a local cassandra cluster
+ # flag to enable the DB creation via k8ssandra-operator
+ useOperator: true
+ # if useOperator set to "true", set "enableServiceAccount to "false"
+ # as the SA is created by the Operator
+ enableServiceAccount: false
+
#Service Name of the cassandra cluster to connect to.
#Override it to aai-cassandra if localCluster is enabled.
- serviceName: cassandra
+ #in case of using k8ssandra-operator in the common cassandra installation
+ #the service name is:
+ serviceName: cassandra-dc1-service
+ #in case of local k8ssandra-operator instance it is
+ #serviceName: aai-cassandra-dc1-service
+ #in case the older cassandra installation is used:
+ #serviceName: cassandra
#This should be same as shared cassandra instance or if localCluster is enabled
#then it should be same as aai-cassandra replicaCount
replicas: 3
- #Cassanara login details
+ #Cassandra login details
username: cassandra
password: cassandra
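Review bot: The default `serviceName` now points at the k8ssandra-operator service (`cassandra-dc1-service`), but the `username: cassandra` / `password: cassandra` lines just below are left unchanged, so the chart still ships the well-known Cassandra default superuser credentials in plain values. With an operator-managed cluster the superuser credentials are normally held in a Kubernetes Secret, so these literals may not match what the operator provisions; that cannot be confirmed from this hunk. I would source both values from a secret reference, and at minimum add `# placeholder only; override via secret, never deploy with default credentials` above them. The new comment on `enableServiceAccount` also has an unbalanced quote (`"enableServiceAccount`).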
serviceName: aai-resources
sparkyBe:
serviceName: aai-sparky-be
- dataRouter:
- serviceName: aai-data-router
- gizmo:
- serviceName: aai-gizmo
modelloader:
serviceName: aai-modelloader
searchData:
serviceName: aai-traversal
graphadmin:
serviceName: aai-graphadmin
- spike:
- serviceName: aai-spike
initContainers:
enabled: true
# Specifies if the connection should be one way ssl, two way ssl or no auth
# will be set to no-auth if tls is disabled
service:
- client: one-way-ssl
+ client: no-auth
# Specifies which translator to use if it has schema-service, then it will make a rest request to schema service
translator:
list: schema-service
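Review bot: `client: no-auth` becomes the default here while the same commit removes the `certInitializer` block and, in the `service` hunk further down, moves the ports from 8443 to 80/8080 on a `type: NodePort` service. A default install therefore serves AAI over plain HTTP with no application-level client authentication on a node-exposed port. That is only acceptable if mesh mTLS and the `serviceMesh.authorizationPolicy` added later in this file are actually enforced, and the switch that enables them is not visible in this file. I would record the dependency next to the key, e.g. `# no-auth relies on service mesh mTLS and the AuthorizationPolicy for access control`, and consider `type: ClusterIP` as the default for the plain-HTTP service.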
aai-traversal:
logConfigMapNamePrefix: '{{ include "common.release" . }}-aai'
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: "aai"
- app_ns: "org.osaaf.aaf"
- fqi_namespace: "org.onap.aai"
- fqi: "aai@aai.onap.org"
- public_fqdn: "aaf.osaaf.org"
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- credsPath: /opt/app/osaaf/local
- aaf_add_config: |
- echo "*** transform AAF certs into pem files"
- mkdir -p {{ .Values.credsPath }}/certs
- keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \
- -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \
- -alias ca_local_0 \
- -storepass $cadi_truststore_password
- openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
- -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
- -passin pass:$cadi_keystore_password_p12 \
- -passout pass:$cadi_keystore_password_p12
- echo "*** generating needed file"
- cat {{ .Values.credsPath }}/certs/cert.pem \
- {{ .Values.credsPath }}/certs/cacert.pem \
- {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
- > {{ .Values.credsPath }}/certs/fullchain.pem;
- chown 1001 {{ .Values.credsPath }}/certs/*
-
# application image
dockerhubRepository: registry.hub.docker.com
-image: aaionap/haproxy:1.4.2
+image: onap/aai-haproxy:1.11.0
pullPolicy: Always
flavor: small
# default number of instances
replicaCount: 1
+updateStrategy:
+ type: RollingUpdate
+ maxUnavailable: 0
+ maxSurge: 1
+
nodeSelector: {}
affinity: {}
# HAProxy configuration to block HTTP requests to AAI based on configurable URL patterns
haproxy:
+ initContainers:
+ resources:
+ memory: 100Mi
+ cpu: 50m
requestBlocking:
enabled: false
customConfigs: []
+ replicas:
+ aaiResources: 1
+ aaiTraversal: 1
# probe configuration parameters
liveness:
persistence:
mountSubPath: aai/cassandra
enabled: true
+ k8ssandraOperator:
+ config:
+ clusterName: aai-cassandra
readiness:
initialDelaySeconds: 10
service:
type: NodePort
portName: http
- externalPort: 8443
- internalPort: 8443
+ externalPort: 80
+ internalPort: 8080
nodePort: 33
- externalPlainPort: 80
- internalPlainPort: 8080
- nodeport: 33
+ sessionAffinity: None
+
+metricsService:
+ type: ClusterIP
+ portName: http-pro
+ externalPort: 8448
+ internalPort: 8448
+
+metrics:
+ serviceMonitor:
+ enabled: false
+ targetPort: 8448
+ path: /metrics
+ basicAuth:
+ enabled: false
+
+ selector:
+ app: '{{ include "common.name" . }}-metrics'
+ chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+ release: '{{ include "common.release" . }}'
+ heritage: '{{ .Release.Service }}'
+
+ relabelings: []
+
+ metricRelabelings: []
ingress:
enabled: false
service:
- - baseaddr: "aai.api"
+ - baseaddr: "aai-api"
name: "aai"
- port: 8443
+ port: 80
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipalsMetrics: []
+ authorizedPrincipals:
+ - serviceAccount: aai-graphadmin-read
+ - serviceAccount: aai-modelloader-read
+ - serviceAccount: aai-resources-read
+ - serviceAccount: aai-schema-service-read
+ - serviceAccount: aai-traversal-read
+ - serviceAccount: cds-blueprints-processor-read
+ - serviceAccount: consul-read
+ - serviceAccount: dcae-prh-read
+ - serviceAccount: dcae-slice-analysis-ms-read
+ - serviceAccount: dcae-tcagen2
+ - serviceAccount: nbi-read
+ - serviceAccount: sdnc-read
+ - serviceAccount: so-read
+ - serviceAccount: so-bpmn-infra-read
+ - serviceAccount: so-cnf-adapter-read
+ - serviceAccount: so-nssmf-adapter-read
+ - serviceAccount: so-etsi-nfvo-ns-lcm-read
+ - serviceAccount: so-etsi-sol003-adapter-read
+ - serviceAccount: so-openstack-adapter-read
+ - serviceAccount: so-sdc-controller-read
+ - serviceAccount: so-ve-vnfm-adapter
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
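Review bot: Two entries in `authorizedPrincipals`, `dcae-tcagen2` and `so-ve-vnfm-adapter`, lack the `-read` suffix that every other workload account in the list carries. If those service accounts are created with the suffix, the two principals will never match and the callers will be denied; if the difference is deliberate, a comment should say so. Only `istio-ingress` specifies a `namespace`, so the others presumably resolve to the release namespace in the shared template, which is worth stating in a comment. `authorizedPrincipalsMetrics: []` also needs a line documenting whether an empty list means deny-all or allow-all for the metrics port, since the template decides that and it is not visible here.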
resources:
small:
limits:
memory: 4Gi
requests:
cpu: 1
- memory: 1Gi
+ memory: 1.2Gi
large:
limits:
cpu: 4
memory: 8Gi
requests:
cpu: 2
- memory: 2Gi
+ memory: 2.4Gi
unlimited: {}
#Pods Service Account