{{/*
#============LICENSE_START========================================================
# ================================================================================
-# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved.
# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2021 Nokia. All rights reserved.
# Copyright (c) 2021 Nordix Foundation.
The template expects a single argument, pointing to the caller's global context.
Microservice-specific environment variables can be specified in two ways:
- 1. As literal string values.
+ 1. As literal string values. (The values can also be Helm template fragments.)
2. As values that are sourced from a secret, identified by the secret's
uid and the key within the secret that provides the value.
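Review bot: The parenthetical added to item 1 understates the new behaviour: every string value in .Values.applicationEnv is now passed through `tpl` with the caller's global context, so a value containing a literal `{{` is interpreted as a template rather than emitted as written. The comment should say so, for example `(Values are rendered with tpl against the global context; escape a literal "{{" and supply values only from a trusted values file.)`. The rest of this doc comment lies outside the visible lines, so it may already cover part of this.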
{{- range $envName, $envValue := .Values.applicationEnv }}
{{- if kindIs "string" $envValue }}
- name: {{ $envName }}
- value: {{ $envValue | quote }}
+ value: {{ tpl $envValue $global | quote }}
{{- else }}
- {{ if or (not $envValue.secretUid) (not $envValue.key) }}
- {{ fail (printf "Env %s definition is not a string and does not contain secretUid or key fields" $envName) }}
- {{- end }}
+ {{- if and (hasKey $envValue "externalSecret") ($envValue.externalSecret) }}
+- name: {{ $envName }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ tpl $envValue.externalSecretUid $global | quote }}
+ key: {{ tpl $envValue.key $global | quote }}
+ {{- else }}
+ {{ if or (not $envValue.secretUid) (not $envValue.key) }}
+ {{ fail (printf "Env %s definition is not a string and does not contain secretUid or key fields" $envName) }}
+ {{- end }}
- name: {{ $envName }}
{{- include "common.secret.envFromSecretFast" (dict "global" $global "uid" $envValue.secretUid "key" $envValue.key) | indent 2 }}
+ {{- end }}
{{- end -}}
{{- end }}
{{- end }}
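Review bot: The new externalSecret branch emits a secretKeyRef without the presence check that the other branch keeps, so an entry that sets `externalSecret` but omits `externalSecretUid` or `key` reaches `tpl` with an empty value and presumably fails with a type error from tpl rather than the descriptive `fail` message. Add a guard at the top of that branch: `{{- if or (not $envValue.externalSecretUid) (not $envValue.key) }}`, `{{ fail (printf "Env %s sets externalSecret but does not contain externalSecretUid or key fields" $envName) }}`, `{{- end }}`. The visible part of the doc comment above still lists two ways to specify a variable and does not mention this third form. The enclosing define starts outside the hunk.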
depends on the content of .Values.
The Deployment always includes a single Pod, with a container that uses
-the DCAE microservice image.
+the DCAE microservice image. The image name and tag are specified by
+.Values.image. By default, the image comes from the ONAP repository
+(registry) set up by the common repositoryGenerator template. A different
+repository for the microservice image can be set using
+.Values.imageRepositoryOverride. Note that this repository must not
+require authentication, because there is no way to specify credentials for
+the override repository. imageRepositoryOverride is intended primarily
+for testing purposes.
The Deployment Pod may also include a logging sidecar container.
-The sidecar is included if .Values.logDirectory is set. The
+The sidecar is included if .Values.log.path is set. The
logging sidecar and the DCAE microservice container share a
volume where the microservice logs are written.
-The Deployment includes an initContainer that pushes the
-microservice's initial configuration (from .Values.applicationConfig)
-into Consul. All DCAE microservices retrieve their initial
-configurations by making an API call to a DCAE platform component called
-the config-binding-service. The config-binding-service currently
-retrieves configuration information from Consul.
-
-The Deployment also includes an initContainer that checks for the
-readiness of other components that the microservice relies on.
-This container is generated by the "common.readinessCheck.waitfor"
-template.
-
-If the microservice acts as a TLS client or server, the Deployment will
-include an initContainer that retrieves certificate information from
-the AAF certificate manager. The information is mounted at the
-mount point specified in .Values.certDirectory. If the microservice is
-a TLS server (indicated by setting .Values.tlsServer to true), the
-certificate information will include a server cert and key, in various
-formats. It will also include the AAF CA cert. If the microservice is
-a TLS client only (indicated by setting .Values.tlsServer to false), the
-certificate information includes only the AAF CA cert.
-
Deployed POD may also include a Policy-sync sidecar container.
The sidecar is included if .Values.policies is set. The
Policy-sync sidecar polls PolicyEngine (PDP) periodically based
policyRelease: "onap"
policyID: |
'["onap.vfirewall.tca","onap.vdns.tca"]'
+
+The Deployment includes an initContainer that checks for the
+readiness of other components that the microservice relies on.
+This container is generated by the "common.readinessCheck.waitfor"
+template. See the documentation for this template
+(oom/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl).
+
+If the microservice uses a DMaaP Data Router (DR) feed, the Deployment
+includes an initContainer that makes provisioning requests to the DMaaP
+bus controller (dmaap-bc) to create the feed and to set up a publisher
+and/or subscriber to the feed. The Deployment also includes a second
+initContainer that merges the information returned by the provisioning
+process into the microservice's configuration. See the documentation for
+the common DMaaP provisioning template
+(oom/kubernetes/common/common/templates/_dmaapProvisioning.tpl).
+
+If the microservice acts as a TLS client or server, the Deployment will
+include an initContainer that retrieves certificate information from
+the AAF certificate manager. The information is mounted at the
+mount point specified in .Values.certDirectory. If the microservice is
+a TLS server (indicated by setting .Values.tlsServer to true), the
+certificate information will include a server cert and key, in various
+formats. It will also include the AAF CA cert. If the microservice is
+a TLS client only (indicated by setting .Values.tlsServer to false), the
+certificate information includes only the AAF CA cert.
+
+If the microservice uses certificates from an external CMPv2 provider,
+the Deployment will include an initContainer that performs certificate
+post-processing.
*/}}
{{- define "dcaegen2-services-common.microserviceDeployment" -}}
-{{- $logDir := default "" .Values.logDirectory -}}
-{{- $certDir := default "" .Values.certDirectory . -}}
+{{- $log := default dict .Values.log -}}
+{{- $logDir := default "" $log.path -}}
+{{- $certDir := (eq "true" (include "common.needTLS" .)) | ternary (default "" .Values.certDirectory . ) "" -}}
{{- $tlsServer := default "" .Values.tlsServer -}}
{{- $commonRelease := print (include "common.release" .) -}}
{{- $policy := default dict .Values.policies -}}
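Review bot: In the new `$certDir` assignment, the trailing `.` in `default "" .Values.certDirectory . ` is a stray third argument carried over from the removed line. Sprig's `default` only examines the first value after the default, so the `.` has no effect and reads as if a context were being passed; `(default "" .Values.certDirectory)` says the same thing. The line also deserves a comment stating that certDirectory is ignored unless common.needTLS returns "true". As far as the visible lines show, that removes the AAF init containers and the certificate mount regardless of .Values.tlsServer. The define's body continues outside the hunk.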
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
initContainers:
- {{- if not $drFeedConfig }}
- - command:
- - sh
- args:
- - -c
- - |
- {{- range $var := .Values.customEnvVars }}
- export {{ $var.name }}="{{ $var.value }}";
- {{- end }}
- cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done
- env:
- {{- range $cred := .Values.credentials }}
- - name: {{ $cred.name }}
- {{- include "common.secret.envFromSecretFast" (dict "global" $ "uid" $cred.uid "key" $cred.key) | indent 10 }}
- {{- end }}
- volumeMounts:
- - mountPath: /config-input
- name: app-config-input
- - mountPath: /config
- name: app-config
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
+ {{- if .Values.readinessCheck }}
{{ include "common.readinessCheck.waitFor" . | indent 6 | trim }}
+ {{- end }}
{{- include "common.dmaap.provisioning.initContainer" . | nindent 6 }}
- - name: init-consul
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.consulLoaderImage }}
+ {{- if $certDir }}
+ - name: {{ include "common.name" . }}-aaf-init-readiness
+ image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - /app/ready.py
args:
- - --key-yaml
- - "{{ include "common.name" . }}|/app-config/application_config.yaml"
+ - --container-name
+ - aaf-cm
env:
- - name: CONSUL_HOST
- value: {{ .Values.consulHost | default "consul-server-ui" }}.{{ include "common.namespace" . }}
- resources: {{ include "common.resources" . | nindent 2 }}
- volumeMounts:
- - mountPath: /app-config
- name: app-config
- {{- if $certDir }}
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ resources:
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ requests:
+ cpu: 3m
+ memory: 20Mi
- name: init-tls
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.tlsImage }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- resources: {{ include "common.resources" . | nindent 2 }}
+ resources: {{ include "common.resources" . | nindent 10 }}
volumeMounts:
- mountPath: /opt/app/osaaf
name: tls-info
{{- end }}
{{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }}
containers:
- - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+ - image: {{ default ( include "repositoryGenerator.repository" . ) .Values.imageRepositoryOverride }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}
env:
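Review bot: `.Values.imageRepositoryOverride` replaces the registry for the main container, and the doc comment says that registry is pulled without credentials, yet nothing at this line restricts the override to test deployments or ties the image to a known digest. With a tag in `.Values.image`, whatever the override registry serves under that tag is what runs. Consider a comment above the line such as `{{- /* imageRepositoryOverride is for testing; when it is set, give .Values.image as name@sha256:<digest> */}}`, and state the same in the doc comment. The containers list continues outside the hunk.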
{{- end }}
{{- end }}
{{- end }}
- resources: {{ include "common.resources" . | nindent 2 }}
+ resources: {{ include "common.resources" . | nindent 10 }}
volumeMounts:
- mountPath: /app-config
- name: app-config
+ name: {{ ternary "app-config-input" "app-config" (not $drFeedConfig) }}
- mountPath: /app-config-input
name: app-config-input
{{- if $logDir }}
- mountPath: {{ $logDir}}
- name: component-log
+ name: logs
{{- end }}
{{- if $certDir }}
- mountPath: {{ $certDir }}
{{- end }}
{{- include "dcaegen2-services-common._externalVolumeMounts" . | nindent 8 }}
{{- if $logDir }}
- - image: {{ include "repositoryGenerator.image.logging" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: filebeat
- env:
- - name: POD_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.podIP
- resources: {{ include "common.resources" . | nindent 2 }}
- volumeMounts:
- - mountPath: /var/log/onap/{{ include "common.name" . }}
- name: component-log
- - mountPath: /usr/share/filebeat/data
- name: filebeat-data
- - mountPath: /usr/share/filebeat/filebeat.yml
- name: filebeat-conf
- subPath: filebeat.yml
+ {{ include "common.log.sidecar" . | nindent 6 }}
{{- end }}
{{- if $policy }}
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dcaePolicySyncImage }}
- name: POLICY_SYNC_PDP_USER
valueFrom:
secretKeyRef:
- name: {{ $policyRls }}-policy-xacml-pdp-api-creds
+ name: {{ $policyRls }}-policy-xacml-pdp-restserver-creds
key: login
- name: POLICY_SYNC_PDP_PASS
valueFrom:
secretKeyRef:
- name: {{ $policyRls }}-policy-xacml-pdp-api-creds
+ name: {{ $policyRls }}-policy-xacml-pdp-restserver-creds
key: password
- name: POLICY_SYNC_PDP_URL
value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969
- name: POLICY_SYNC_DURATION
value: "{{ $policy.duration }}"
{{- end }}
- resources: {{ include "common.resources" . | nindent 2 }}
+ resources: {{ include "common.resources" . | nindent 10 }}
volumeMounts:
- mountPath: /etc/policies
name: policy-shared
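Review bot: POLICY_SYNC_PDP_URL tests `include "common.needTLS" .` for plain truthiness, while the `$certDir` assignment in this commit compares the same include with the string "true". If the helper can return any other non-empty string (for example "false"), this line would always produce `https`; `{{ if eq "true" (include "common.needTLS" .) }}s{{ end }}` would keep the two in step. When the helper selects no TLS, the login and password read from the `-policy-xacml-pdp-restserver-creds` secret are presumably sent to policy-xacml-pdp over plain HTTP, so a comment naming what protects that hop would help. The sidecar definition starts outside the hunk.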
name: app-config
{{- if $logDir }}
- emptyDir: {}
- name: component-log
- - emptyDir: {}
- name: filebeat-data
- - configMap:
- defaultMode: 420
- name: {{ include "common.fullname" . }}-filebeat-configmap
- name: filebeat-conf
+ name: logs
+ {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }}
{{- end }}
{{- if $certDir }}
- emptyDir: {}