X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Faai%2Fcomponents%2Faai-modelloader%2Ftemplates%2Fdeployment.yaml;h=d3136d8dda58ee10f500747744000acdfaef67e0;hb=c87dbc30928b4a9d05062ac842ec6749ee25ab3c;hp=8cfad2015f2d2d816c5d2d0a580fd3d51c458760;hpb=2dce7527bc6a7c88934eb07f16e2b1b568fb29a6;p=oom.git diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml index 8cfad2015f..d3136d8dda 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml @@ -1,5 +1,7 @@ +{{/* # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada +# Modifications Copyright © 2020-2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,6 +14,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +*/}} apiVersion: apps/v1 kind: Deployment @@ -25,6 +28,13 @@ metadata: heritage: {{ .Release.Service }} spec: replicas: {{ .Values.replicaCount }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "RollingUpdate" .Values.updateStrategy.type) }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} + {{- end }} selector: matchLabels: app: {{ include "common.name" . }} @@ -36,74 +46,107 @@ spec: name: {{ include "common.name" . }} spec: {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.aafEnabled }} + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + - command: + - sh + args: + - -c + - | + echo "*** retrieve Truststore and Keystore password" + export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) + echo "*** obfuscate them " + export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD} + export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD} + export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") + export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` + export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` + echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop + echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop + image: {{ include "repositoryGenerator.image.jetty" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-obfuscate + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + securityContext: + runAsUser: {{ .Values.securityContext.user_id }} + - command: + - sh + args: + - -c + - | + echo "*** Set obfuscated Truststore and Keystore password into configuration file" + export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) + cd /config-input + for PFILE in `ls -1` + do + envsubst <${PFILE} >/config/${PFILE} + done + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + - mountPath: /config-input + name: prop-config-input + - mountPath: /config + name: prop-config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config {{- end }} containers: - name: {{ include "common.name" . }} - image: "{{ include "common.repository" . }}/{{ .Values.image }}" + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: - name: CONFIG_HOME value: /opt/app/model-loader/config/ - volumeMounts: + - name: SECURITY_PROTOCOL + value: {{ .Values.config.kafka.securityProtocol }} + - name: SASL_MECHANISM + value: {{ .Values.config.kafka.saslMechanism }} + - name: SASL_JAAS_CONFIG + value: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aai-sdc-kafka-secret" "key" "sasl.jaas.config") | indent 10 }} + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true - mountPath: /opt/app/model-loader/config/model-loader.properties subPath: model-loader.properties - name: {{ include "common.fullname" . }}-prop-config + name: prop-config - mountPath: /opt/app/model-loader/config/auth/ - name: {{ include "common.fullname" . }}-auth-config - - mountPath: /var/log/onap - name: {{ include "common.fullname" . }}-logs + name: auth-config + - mountPath: {{ .Values.log.path }} + name: logs - mountPath: /opt/app/model-loader/logback.xml - name: {{ include "common.fullname" . }}-log-conf + name: log-config subPath: logback.xml - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - resources: -{{ include "common.resources" . }} - + resources: {{ include "common.resources" . | nindent 10 }} # side car containers - - name: filebeat-onap - image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - name: filebeat-conf - - mountPath: /var/log/onap - name: {{ include "common.fullname" . }}-logs - - mountPath: /usr/share/filebeat/data - name: aai-filebeat - resources: -{{ include "common.resources" . }} - volumes: + {{ include "common.log.sidecar" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - name: localtime hostPath: path: /etc/localtime - - name: {{ include "common.fullname" . }}-prop-config + - name: prop-config + {{- if .Values.global.aafEnabled }} + emptyDir: + medium: Memory + - name: prop-config-input + {{- end }} configMap: name: {{ include "common.fullname" . }}-prop - - name: {{ include "common.fullname" . }}-auth-config + - name: auth-config secret: secretName: {{ include "common.fullname" . }} - - name: filebeat-conf - configMap: - name: aai-filebeat - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: aai-filebeat + - name: logs emptyDir: {} - - name: {{ include "common.fullname" . }}-log-conf + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} + - name: log-config configMap: - name: {{ include "common.fullname" . }}-log + name: {{ include "common.fullname" . }}-log restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key"