X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Faai%2Fcomponents%2Faai-resources%2Fvalues.yaml;h=b1d32028c24331b2995a18fd97a28155cf957b38;hb=refs%2Fheads%2Fmaster;hp=2dfbfeebe57a4bbfd50127a0efe1b71dee17d09c;hpb=702d68ae02195cbe56ab5f5cd61bddc816880076;p=oom.git diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml index 2dfbfeebe5..f97ca9829b 100644 --- a/kubernetes/aai/components/aai-resources/values.yaml +++ b/kubernetes/aai/components/aai-resources/values.yaml @@ -1,6 +1,7 @@ # Copyright (c) 2018 Amdocs, Bell Canada, AT&T # Copyright (c) 2020 Nokia, Orange # Modifications Copyright (c) 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,10 +20,18 @@ # Declare variables to be passed into your templates. global: # global defaults nodePortPrefix: 302 + kafkaBootstrap: strimzi-kafka-bootstrap + aaiKafkaUser: aai-kafka-user cassandra: #Service Name of the cassandra cluster to connect to. #Override it to aai-cassandra if localCluster is enabled. serviceName: cassandra + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # Specifies a list of jobs to be run jobs: @@ -33,8 +42,37 @@ global: # global defaults migration: enabled: false - aafEnabled: false - + # Specifies if basic authorization is enabled + auth: + enabled: true + # users that can authenticate via basic auth + users: + - username: aai@aai.onap.org + password: demo123456! + - username: so@so.onap.org + password: demo123456! + - username: sdnc@sdnc.onap.org + password: demo123456! + - username: dcae@dcae.onap.org + password: demo123456! + - username: policy@policy.onap.org + password: demo123456! + - username: sdc@sdc.onap.org + password: demo123456! + - username: AAI + password: AAI + - username: DCAE + password: DCAE + - username: MSO + password: MSO + - username: POLICY + password: POLICY + - username: ASDC + password: ASDC + - username: ModelLoader + password: ModelLoader + - username: AaiUI + password: AaiUI config: # Specifies that the cluster connected to a dynamic # cluster being spinned up by kubernetes deployment @@ -42,17 +80,9 @@ global: # global defaults cassandra: dynamic: true - # Specifies if the basic authorization is enabled - basic: - auth: - enabled: true - username: AAI - passwd: AAI - # Active spring profiles for the resources microservice profiles: - # aaf-auth profile will be automatically set if aaf enabled is set to true - active: production,dmaap #,aaf-auth + active: production,kafka # Notification event specific properties notification: @@ -63,7 +93,7 @@ global: # global defaults schema: # Specifies if the connection should be one way ssl, two way ssl or no auth service: - client: one-way-ssl + client: no-auth # Specifies which translator to use if it has schema-service, then it will make a rest request to schema service translator: list: schema-service @@ -77,11 +107,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v27 + default: v30 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28,v29,v30 # Specifies from which version related link should appear related: link: v11 @@ -98,7 +128,6 @@ global: # global defaults # Specifies which clients should always default to realtime graph connection realtime: clients: SDNC,MSO,SO,robot-ete - api_list: - 11 - 12 @@ -109,6 +138,16 @@ api_list: - 17 - 18 - 19 + - 20 + - 21 + - 22 + - 23 + - 24 + - 25 + - 26 + - 27 + - 28 + - 29 aai_enpoints: - name: aai-cloudInfrastructure @@ -123,47 +162,18 @@ aai_enpoints: url: network - name: aai-externalSystem url: external-system -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-resources-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai-resources - fqi: aai-resources@aai-resources.onap.org - public_fqdn: aai-resources.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai-resources - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} # application image -image: onap/aai-resources:1.11.0 +image: onap/aai-resources:1.16.0 pullPolicy: Always restartPolicy: Always flavor: small -flavorOverride: small # default number of instances replicaCount: 1 + +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + # the minimum number of seconds that a newly created Pod should be ready minReadySeconds: 30 updateStrategy: @@ -175,19 +185,22 @@ updateStrategy: # Configuration for the resources deployment config: - # configure keycloak according to your environment. - # don't forget to add keycloak in active profiles above (global.config.profiles) - keycloak: - host: keycloak.your.domain - port: 8180 - # Specifies a set of users, credentials, roles, and groups - realm: aai-resources - # Used by any client application for enabling fine-grained authorization for their protected resources - resource: aai-resources-app - # If set to true, additional criteria will be added that match the data-owner property with the given role - # to the user in keycloak - multiTenancy: + janusgraph: + caching: + # enable when running read-heavy workloads + # modifications to graph done by this service/janusgraph instance will immediately invalidate the cache + # modifications to graph done by other services (traversal) will only be visible + # after time specified in db-cache-time enabled: true + # Documentation: https://docs.janusgraph.org/operations/cache/#database-level-caching + dbCacheTime: 180000 # in milliseconds + dbCacheSize: 0.5 # percentage (expressed as a decimal between 0 and 1) of the total heap space available to the JVM running + dbCacheCleanWait: 20 # in milliseconds + # temporarily enable this to update the graph storage version + # see: https://docs.janusgraph.org/changelog/#upgrade-instructions_9 + allowUpgrade: true + + # Specifies crud related operation timeouts and overrides crud: @@ -209,33 +222,79 @@ config: # Specifies if the bulk can be override and if it can the value override: false + # environment variables added to the launch of the image in deployment + env: + MAX_METASPACE_SIZE: "512m" + + # adds jvm args for remote debugging the application + debug: + enabled: false + args: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + + # adds jvm args for remote profiling the application + # port-forward, i.e: + # $ PODNAME=traversal + # $ kubectl -n ${NAMESPACE:=onap} port-forward pod/$(kubectl -n ${NAMESPACE:=onap} + # get pods | awk '{print $1}' | grep -m1 -e "$PODNAME") 9999:9999 + profiling: + enabled: false + args: + - "-Dcom.sun.management.jmxremote" + - "-Dcom.sun.management.jmxremote.ssl=false" + - "-Dcom.sun.management.jmxremote.authenticate=false" + - "-Dcom.sun.management.jmxremote.local.only=false" + - "-Dcom.sun.management.jmxremote.port=9999" + - "-Dcom.sun.management.jmxremote.rmi.port=9999" + - "-Djava.rmi.server.hostname=127.0.0.1" + nodeSelector: {} affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 - periodSeconds: 60 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false + enabled: true + path: /actuator/health + periodSeconds: 10 + timeoutSeconds: 3 readiness: - initialDelaySeconds: 60 + path: /actuator/health/readiness periodSeconds: 10 + timeoutSeconds: 3 + +startup: + path: /actuator/health/liveness + failureThreshold: 60 + periodSeconds: 5 + timeoutSeconds: 3 + +actuator: + echo: + enabled: true service: type: ClusterIP - portName: http - internalPort: 8447 - portName2: tcp-5005 - internalPort2: 5005 - terminationGracePeriodSeconds: 120 + resourcesPortName: http + resourcesPort: 8447 + debugPortName: tcp-5005 + debugPort: 5005 + metricsPortName: metrics + metricsPort: 8448 + profilingPortName: jmx-9999 + profilingPort: 9999 + terminationGracePeriodSeconds: 30 + sessionAffinity: None ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: aai-read + - serviceAccount: consul-read + # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -246,30 +305,92 @@ ingress: # ref: http://kubernetes.io/docs/user-guide/compute-resources/ # Minimum memory for development is 2 CPU cores and 4GB memory # Minimum memory for production is 4 CPU cores and 8GB memory -#resources: -# limits: -# cpu: 2 -# memory: 4Gi -# requests: -# cpu: 2 -# memory: 4Gi resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 3Gi + cpu: "1" + memory: "3Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "8" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "4" + memory: "6Gi" unlimited: {} +tracing: + ignorePatterns: + - /aai/util.* + +endpoints: + enabled: true + health: + enabled: true + info: + enabled: true + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + +metrics: + serviceMonitor: + enabled: true + targetPort: 8448 + path: /actuator/prometheus + basicAuth: + enabled: false + externalSecretName: mysecretname + externalSecretUserKey: login + externalSecretPasswordKey: password + + ## Namespace in which Prometheus is running + ## + # namespace: monitoring + + ## Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + #interval: 30s + + ## Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + # scrapeTimeout: 10s + + ## ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + selector: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + relabelings: [] + + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + metricRelabelings: [] + # - sourceLabels: + # - "__name__" + # targetLabel: "__name__" + # action: replace + # regex: '(.*)' + # replacement: 'example_prefix_$1' + #Pods Service Account serviceAccount: nameOverride: aai-resources @@ -279,16 +400,50 @@ serviceAccount: #Log configuration log: path: /var/log/onap + level: + root: INFO + base: INFO # base package (org.onap.aai) + audit: WARN + dbMetric: WARN logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# To make logback capping values configurable -logback: - logToFileEnabled: true - maxHistory: 7 - totalSizeCap: 1GB - queueSize: 1000 - -accessLogback: - logToFileEnabled: true - maxHistory: 7 - totalSizeCap: 1GB +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: aai-kafka-user + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: AAI-EVENT + type: topic + operations: [Read, Write] + +volumes: + logSizeLimit: 50Mi + tmpSizeLimit: 100Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for_migration: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-migration' + wait_for_createSchema: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema' + wait_for_cassandra: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'