X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Fdcaegen2-services%2Fcommon%2Fdcaegen2-services-common%2Ftemplates%2F_deployment.tpl;h=6be03de27bbf7affd684a36befb97e03bacbbb93;hb=30ec390479c9b7eeeaa90f036be02162c29ae918;hp=91fefa47b7e306ab9c8bf93ecdf54e5c8ed405e1;hpb=e5f71603b2dccc87517fbe8892da49cd5df691b6;p=oom.git

diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
index 91fefa47b7..6be03de27b 100644
--- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
+++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
@@ -3,6 +3,8 @@
 # ================================================================================
 # Copyright (c) 2021 J. F. Lucas. All rights reserved.
 # Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
+# Copyright (c) 2021 Nordix Foundation.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -78,7 +80,7 @@ to give the microservice access to data in volumes created else.
 This initial implementation supports ConfigMaps only, as this is the only
 external volume mounting required by current microservices.
 
-.Values.externalValues is a list of objects.  Each object has 3 required fields and 1 optional field:
+.Values.externalVolumes is a list of objects.  Each object has 3 required fields and 2 optional fields:
    - name: the name of the resource (in the current implementation, it must be a ConfigMap)
      that is to be set up as a volume.  The value is a case sensitive string.  Because the
      names of resources are sometimes set at deployment time (for instance, to prefix the Helm
@@ -90,6 +92,11 @@ external volume mounting required by current microservices.
      value is a case-sensitive string.
    - readOnly: (Optional) Boolean flag.  Set to true to mount the volume as read-only.
      Defaults to false.
+   - optional: (Optional) Boolean flag.  Set to true to make the configMap optional (i.e., to allow the
+     microservice's pod to start even if the configMap doesn't exist).  If set to false, the configMap must
+     be present in order for the microservice's pod to start. Defaults to true.  (Note that this
+     default is the opposite of the Kubernetes default.  We've done this to be consistent with the behavior
+     of the DCAE Cloudify plugin for Kubernetes [k8splugin], which always set "optional" to true.)
 
 Here is an example fragment from a values.yaml file for a microservice:
 
@@ -100,16 +107,19 @@ externalVolumes:
   - name: '{{ include "common.release" . }}-another-example'
     type: configmap
     mountPath: /opt/app/otherconfig
+    optional: false
 */}}
 {{- define "dcaegen2-services-common._externalVolumes" -}}
   {{- $global := . -}}
   {{- if .Values.externalVolumes }}
     {{- range $vol := .Values.externalVolumes }}
       {{- if eq (lower $vol.type) "configmap" }}
-        {{- $vname := (tpl $vol.name $global) }}
+        {{- $vname := (tpl $vol.name $global) -}}
+        {{- $opt := hasKey $vol "optional" | ternary $vol.optional true }}
 - configMap:
     defaultMode: 420
     name: {{ $vname }}
+    optional: {{ $opt }}
   name: {{ $vname }}
       {{- end }}
     {{- end }}
@@ -197,14 +207,28 @@ The sidecar is included if .Values.policies is set.  The
 Policy-sync sidecar polls PolicyEngine (PDP) periodically based
 on .Values.policies.duration and configuration retrieved is shared with
 DCAE Microservice container by common volume. Policy can be retrieved based on
-list of policyID or filter
+list of policyID or filter. An optional policyRelease parameter can be specified
+to override the default policy helm release (used for retreiving the secret containing
+pdp username and password)
+
+Following is example policy config override
+
+dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1
+policies:
+  duration: 300
+  policyRelease: "onap"
+  policyID: |
+    '["onap.vfirewall.tca","onap.vdns.tca"]'
 */}}
 
 {{- define "dcaegen2-services-common.microserviceDeployment" -}}
 {{- $logDir :=  default "" .Values.logDirectory -}}
 {{- $certDir := default "" .Values.certDirectory . -}}
 {{- $tlsServer := default "" .Values.tlsServer -}}
-{{- $policy := default "" .Values.policies -}}
+{{- $commonRelease :=  print (include "common.release" .) -}}
+{{- $policy := default dict .Values.policies -}}
+{{- $policyRls := default $commonRelease $policy.policyRelease -}}
+{{- $drFeedConfig := default "" .Values.drFeedConfig -}}
 
 apiVersion: apps/v1
 kind: Deployment
@@ -216,6 +240,7 @@ spec:
     metadata: {{- include "common.templateMetadata" . | nindent 6 }}
     spec:
       initContainers:
+      {{- if not $drFeedConfig }}
       - command:
         - sh
         args:
@@ -238,8 +263,9 @@ spec:
         image: {{ include "repositoryGenerator.image.envsubst" . }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-update-config
-
+      {{- end }}
       {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }}
+      {{- include "common.dmaap.provisioning.initContainer" . | nindent 6 }}
       - name: init-consul
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.consulLoaderImage }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
@@ -267,14 +293,19 @@ spec:
         - mountPath: /opt/app/osaaf
           name: tls-info
       {{- end }}
+      {{ include "dcaegen2-services-common._certPostProcessor" .  | nindent 4 }}
       containers:
       - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}
         env:
+        {{- range $cred := .Values.credentials }}
+        - name: {{ $cred.name }}
+          {{- include "common.secret.envFromSecretFast" (dict "global" $ "uid" $cred.uid "key" $cred.key) | indent 10 }}
+        {{- end }}
         {{- if $certDir }}
         - name: DCAE_CA_CERTPATH
-          value: {{ $certDir}}/cacert.pem
+          value: {{ $certDir }}/cacert.pem
         {{- end }}
         - name: CONSUL_HOST
           value: consul-server.onap
@@ -315,6 +346,8 @@ spec:
         volumeMounts:
         - mountPath: /app-config
           name: app-config
+        - mountPath: /app-config-input
+          name: app-config-input
         {{- if $logDir }}
         - mountPath: {{ $logDir}}
           name: component-log
@@ -322,6 +355,9 @@ spec:
         {{- if $certDir }}
         - mountPath: {{ $certDir }}
           name: tls-info
+          {{- if (include "dcaegen2-services-common.shouldUseCmpv2Certificates" .) -}}
+          {{- include "common.certManager.volumeMountsReadOnly" . | nindent 8 -}}
+          {{- end -}}
         {{- end }}
         {{- if $policy }}
         - name: policy-shared
@@ -361,12 +397,12 @@ spec:
         - name: POLICY_SYNC_PDP_USER
           valueFrom:
             secretKeyRef:
-              name: onap-policy-xacml-pdp-api-creds
+              name: {{ $policyRls }}-policy-xacml-pdp-api-creds
               key: login
         - name: POLICY_SYNC_PDP_PASS
           valueFrom:
             secretKeyRef:
-              name: onap-policy-xacml-pdp-api-creds
+              name: {{ $policyRls }}-policy-xacml-pdp-api-creds
               key: password
         - name: POLICY_SYNC_PDP_URL
           value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969
@@ -384,7 +420,7 @@ spec:
         {{- end -}}
         {{- if $policy.duration }}
         - name: POLICY_SYNC_DURATION
-          value: {{ $policy.duration }}
+          value: "{{ $policy.duration }}"
         {{- end }}
         resources: {{ include "common.resources" . | nindent 2 }}
         volumeMounts:
@@ -417,12 +453,75 @@ spec:
       {{- if $certDir }}
       - emptyDir: {}
         name: tls-info
+        {{ if (include "dcaegen2-services-common.shouldUseCmpv2Certificates" .) -}}
+        {{ include "common.certManager.volumesReadOnly" . | nindent 6 }}
+        {{- end }}
       {{- end }}
       {{- if $policy }}
       - name: policy-shared
         emptyDir: {}
       {{- end }}
+      {{- include "common.dmaap.provisioning._volumes" . | nindent 6 -}}
       {{- include "dcaegen2-services-common._externalVolumes" . | nindent 6 }}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
 {{ end -}}
+
+{{/*
+  For internal use
+
+  Template to attach CertPostProcessor which merges CMPv2 truststore with AAF truststore
+  and swaps keystore files.
+*/}}
+{{- define "dcaegen2-services-common._certPostProcessor" -}}
+  {{- $certDir := default "" .Values.certDirectory . -}}
+  {{- if (include "dcaegen2-services-common.shouldUseCmpv2Certificates" .) -}}
+    {{- $cmpv2Certificate := (index .Values.certificates 0) -}}
+    {{- $cmpv2CertificateDir := $cmpv2Certificate.mountPath -}}
+    {{- $certType := "pem" -}}
+    {{- if $cmpv2Certificate.keystore -}}
+      {{- $certType = (index $cmpv2Certificate.keystore.outputType 0) -}}
+    {{- end -}}
+    {{- $truststoresPaths := printf "%s/%s:%s/%s" $certDir "cacert.pem" $cmpv2CertificateDir "cacert.pem" -}}
+    {{- $truststoresPasswordPaths := ":" -}}
+    {{- $keystoreSourcePaths := printf "%s/%s:%s/%s" $cmpv2CertificateDir "cert.pem" $cmpv2CertificateDir "key.pem" -}}
+    {{- $keystoreDestinationPaths := printf "%s/%s:%s/%s" $certDir "cert.pem" $certDir "key.pem" -}}
+    {{- if not (eq $certType "pem") -}}
+      {{- $truststoresPaths = printf "%s/%s:%s/%s.%s" $certDir "trust.jks" $cmpv2CertificateDir "truststore" $certType -}}
+      {{- $truststoresPasswordPaths = printf "%s/%s:%s/%s" $certDir "trust.pass" $cmpv2CertificateDir "truststore.pass" -}}
+      {{- $keystoreSourcePaths = printf "%s/%s.%s:%s/%s" $cmpv2CertificateDir "keystore" $certType $cmpv2CertificateDir "keystore.pass" -}}
+      {{- $keystoreDestinationPaths = printf "%s/%s.%s:%s/%s.pass" $certDir "cert" $certType $certDir $certType -}}
+    {{- end }}
+  - name: cert-post-processor
+    image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.certPostProcessorImage }}
+    imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+    resources:
+      {{- include "common.resources" . | nindent 4 }}
+    volumeMounts:
+    - mountPath: {{ $certDir }}
+      name: tls-info
+      {{- include "common.certManager.volumeMountsReadOnly" . | nindent 4 }}
+    env:
+    - name: TRUSTSTORES_PATHS
+      value: {{ $truststoresPaths | quote}}
+    - name: TRUSTSTORES_PASSWORDS_PATHS
+      value: {{ $truststoresPasswordPaths | quote }}
+    - name: KEYSTORE_SOURCE_PATHS
+      value: {{ $keystoreSourcePaths | quote }}
+    - name: KEYSTORE_DESTINATION_PATHS
+      value: {{ $keystoreDestinationPaths | quote }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+  Template returns string "true" if CMPv2 certificates should be used and nothing (so it can be used in with statements)
+  when they shouldn't. Example use:
+    {{- if (include "dcaegen2-services-common.shouldUseCmpv2Certificates" .) -}}
+
+*/}}
+{{- define "dcaegen2-services-common.shouldUseCmpv2Certificates" -}}
+  {{- $certDir := default "" .Values.certDirectory . -}}
+  {{- if (and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.useCmpv2Certificates) -}}
+  true
+  {{- end -}}
+{{- end -}}