X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Faai%2Fcomponents%2Faai-graphadmin%2Ftemplates%2Fdeployment.yaml;h=3e1479e335df2f98d1b36c0c0d4bb1a149124be4;hb=46fb5809d4aa57c10c57ee6b828b72b9a80ccd9b;hp=8ed7ce83bcd4def30cf46a91ea7a8a25e3956791;hpb=27fd7d8750ceeb798052eb8af36264c79b6536fb;p=oom.git diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml index 8ed7ce83bc..3e1479e335 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml @@ -5,7 +5,7 @@ # ================================================================================ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. -# Copyright (c) 2020 Orange Intellectual Property. All rights reserved. +# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -32,6 +32,12 @@ metadata: heritage: {{ .Release.Service }} spec: replicas: {{ .Values.replicaCount }} + minReadySeconds: {{ .Values.minReadySeconds }} + strategy: + type: {{ .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} selector: matchLabels: app: {{ include "common.name" . }} @@ -45,8 +51,52 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} spec: hostname: aai-graphadmin + terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} {{ if .Values.global.initContainers.enabled }} - initContainers: + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + {{- if .Values.global.aafEnabled }} + - command: + - sh + args: + - -c + - | + echo "*** retrieve Truststore and Keystore password" + export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) + echo "*** obfuscate them " + export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") + export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` + export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` + export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` + echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop + echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop + echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop + image: {{ include "repositoryGenerator.image.jetty" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-obfuscate + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + securityContext: + runAsUser: {{ .Values.securityContext.user_id }} + - command: + - sh + args: + - -c + - | + echo "*** Set obfuscated Truststore and Keystore password into configuration file" + export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) + cd /config-input + for PFILE in `ls -1` + do + envsubst <${PFILE} >/config/${PFILE} + done + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + - mountPath: /config-input + name: properties-input + - mountPath: /config + name: properties + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + {{- end }} - command: {{ if .Values.global.jobs.migration.enabled }} - /app/ready.py @@ -86,45 +136,58 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: - name: LOCAL_USER_ID - value: {{ .Values.global.config.userId | quote }} + value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID - value: {{ .Values.global.config.groupId | quote }} - volumeMounts: + value: {{ .Values.securityContext.group_id | quote }} + - name: INTERNAL_PORT_1 + value: {{ .Values.service.internalPort | quote }} + - name: INTERNAL_PORT_2 + value: {{ .Values.service.internalPort2 | quote }} + - name: INTERNAL_PORT_3 + value: {{ .Values.service.internalPort3 | quote }} + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties - name: {{ include "common.fullname" . }}-config + name: config subPath: janusgraph-realtime.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties - name: {{ include "common.fullname" . }}-config + name: config subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties - name: {{ include "common.fullname" . }}-config + name: properties subPath: aaiconfig.properties - mountPath: /opt/aai/logroot/AAI-RES - name: {{ include "common.fullname" . }}-logs + name: logs - mountPath: /opt/app/aai-graphadmin/resources/logback.xml - name: {{ include "common.fullname" . }}-config + name: config subPath: logback.xml - mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml - name: {{ include "common.fullname" . }}-config + name: config subPath: localhost-access-logback.xml - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/realm.properties - name: {{ include "common.fullname" . }}-config + name: config subPath: realm.properties - mountPath: /opt/app/aai-graphadmin/resources/application.properties - name: {{ include "common.fullname" . }}-config + name: properties subPath: application.properties - {{ $global := . }} - {{ range $job := .Values.global.config.auth.files }} - - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }} - name: {{ include "common.fullname" $global }}-auth-truststore-sec - subPath: {{ . }} - {{ end }} ports: - containerPort: {{ .Values.service.internalPort }} - containerPort: {{ .Values.service.internalPort2 }} + - containerPort: {{ .Values.service.internalPort3 }} + lifecycle: + # wait for active requests (long-running tasks) to be finished + # Before the SIGTERM is invoked, Kubernetes exposes a preStop hook in the Pod. + preStop: + exec: + command: + - sh + - -c + - | + while (netstat -an | grep ESTABLISHED | grep -e $INTERNAL_PORT_1 -e $INTERNAL_PORT_2) + do sleep 10 + done # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -151,40 +214,26 @@ spec: {{- end }} # side car containers - - name: filebeat-onap - image: {{ include "repositoryGenerator.image.logging" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - name: filebeat-conf - - mountPath: /var/log/onap - name: {{ include "common.fullname" . }}-logs - - mountPath: /usr/share/filebeat/data - name: {{ include "common.fullname" . }}-filebeat - - volumes: + {{ include "common.log.sidecar" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - name: localtime hostPath: path: /etc/localtime - - name: filebeat-conf - configMap: - name: aai-filebeat - - name: {{ include "common.fullname" . }}-logs + - name: logs emptyDir: {} - - name: {{ include "common.fullname" . }}-filebeat - emptyDir: {} - - name: {{ include "common.fullname" . }}-config + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} + - name: config + configMap: + name: {{ include "common.fullname" . }} + - name: properties + {{- if .Values.global.aafEnabled }} + emptyDir: + medium: Memory + - name: properties-input + {{- end }} configMap: - name: {{ include "common.fullname" . }}-configmap - - name: {{ include "common.fullname" . }}-auth-truststore-sec - secret: - secretName: aai-common-truststore - items: - {{ range $job := .Values.global.config.auth.files }} - - key: {{ . }} - path: {{ . }} - {{ end }} + name: {{ include "common.fullname" . }}-properties restartPolicy: {{ .Values.restartPolicy }} imagePullSecrets: - name: {{ include "common.namespace" . }}-docker-registry-key