X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Fdcaegen2-services%2Fcommon%2Fdcaegen2-services-common%2Ftemplates%2F_deployment.tpl;h=db587268935d56b36b6b9edb2af37f1e4ef15e65;hb=9b00b56b7787992a15df2a11006828ca5a8f7046;hp=80b4cbc77b06dc7cd189be510cd815a8a58ca211;hpb=74d9c9b6286d381dade24abbbcad8a41a4fdf4b4;p=oom.git diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index 80b4cbc77b..db58726893 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -2,6 +2,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -113,12 +114,21 @@ certificate information will include a server cert and key, in various formats. It will also include the AAF CA cert. If the microservice is a TLS client only (indicated by setting .Values.tlsServer to false), the certificate information includes only the AAF CA cert. + +Deployed POD may also include a Policy-sync sidecar container. +The sidecar is included if .Values.policies is set. The +Policy-sync sidecar polls PolicyEngine (PDP) periodically based +on .Values.policies.duration and configuration retrieved is shared with +DCAE Microservice container by common volume. Policy can be retrieved based on +list of policyID or filter */}} {{- define "dcaegen2-services-common.microserviceDeployment" -}} {{- $logDir := default "" .Values.logDirectory -}} {{- $certDir := default "" .Values.certDirectory . -}} {{- $tlsServer := default "" .Values.tlsServer -}} +{{- $policy := default "" .Values.policies -}} + apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} @@ -180,6 +190,7 @@ spec: - mountPath: /opt/app/osaaf name: tls-info {{- end }} + {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }} containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -187,7 +198,7 @@ spec: env: {{- if $certDir }} - name: DCAE_CA_CERTPATH - value: {{ $certDir}}/cacert.pem + value: {{ $certDir }}/cacert.pem {{- end }} - name: CONSUL_HOST value: consul-server.onap @@ -235,6 +246,13 @@ spec: {{- if $certDir }} - mountPath: {{ $certDir }} name: tls-info + {{- if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{- include "common.certManager.volumeMountsReadOnly" . | nindent 8 -}} + {{- end -}} + {{- end }} + {{- if $policy }} + - name: policy-shared + mountPath: /etc/policies {{- end }} {{- if $logDir }} - image: {{ include "repositoryGenerator.image.logging" . }} @@ -256,6 +274,53 @@ spec: name: filebeat-conf subPath: filebeat.yml {{- end }} + {{- if $policy }} + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dcaePolicySyncImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: policy-sync + env: + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: POLICY_SYNC_PDP_USER + valueFrom: + secretKeyRef: + name: onap-policy-xacml-pdp-api-creds + key: login + - name: POLICY_SYNC_PDP_PASS + valueFrom: + secretKeyRef: + name: onap-policy-xacml-pdp-api-creds + key: password + - name: POLICY_SYNC_PDP_URL + value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969 + - name: POLICY_SYNC_OUTFILE + value : "/etc/policies/policies.json" + - name: POLICY_SYNC_V1_DECISION_ENDPOINT + value : "policy/pdpx/v1/decision" + {{- if $policy.filter }} + - name: POLICY_SYNC_FILTER + value: {{ $policy.filter }} + {{- end -}} + {{- if $policy.policyID }} + - name: POLICY_SYNC_ID + value: {{ $policy.policyID }} + {{- end -}} + {{- if $policy.duration }} + - name: POLICY_SYNC_DURATION + value: {{ $policy.duration }} + {{- end }} + resources: {{ include "common.resources" . | nindent 2 }} + volumeMounts: + - mountPath: /etc/policies + name: policy-shared + {{- if $certDir }} + - mountPath: /opt/ca-certificates/ + name: tls-info + {{- end }} + {{- end }} hostname: {{ include "common.name" . }} volumes: - configMap: @@ -278,7 +343,60 @@ spec: {{- if $certDir }} - emptyDir: {} name: tls-info + {{ if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{ include "common.certManager.volumesReadOnly" . | nindent 6 }} + {{- end }} + {{- end }} + {{- if $policy }} + - name: policy-shared + emptyDir: {} {{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" {{ end -}} + +{{/* + For internal use + + Template to attach CertPostProcessor which merges CMPv2 truststore with AAF truststore + and swaps keystore files. +*/}} +{{- define "dcaegen2-services-common._certPostProcessor" -}} + {{- $certDir := default "" .Values.certDirectory . -}} + {{- if and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{- $cmpv2Certificate := (index .Values.certificates 0) -}} + {{- $cmpv2CertificateDir := $cmpv2Certificate.mountPath -}} + {{- $certType := "pem" -}} + {{- if $cmpv2Certificate.keystore -}} + {{- $certType = (index $cmpv2Certificate.keystore.outputType 0) -}} + {{- end -}} + {{- $truststoresPaths := printf "%s/%s:%s/%s" $certDir "cacert.pem" $cmpv2CertificateDir "ca.crt" -}} + {{- $truststoresPasswordPaths := "" -}} + {{- $keystoreSourcePaths := printf "%s/%s:%s/%s" $cmpv2CertificateDir "tls.crt" $cmpv2CertificateDir "tls.key" -}} + {{- $keystoreDestinationPaths := printf "%s/%s:%s/%s" $certDir "cert.pem" $certDir "key.pem" -}} + {{- if not (eq $certType "pem") -}} + {{- $truststoresPaths = printf "%s/%s:%s/%s.%s" $certDir "trust.jks" $cmpv2CertificateDir "truststore" $certType -}} + {{- $truststoresPasswordPaths = printf "%s/%s:%s/%s" $certDir "trust.pass" $cmpv2CertificateDir "truststore.pass" -}} + {{- $keystoreSourcePaths = printf "%s/%s.%s:%s/%s" $cmpv2CertificateDir "keystore" $certType $cmpv2CertificateDir "keystore.pass" -}} + {{- $keystoreDestinationPaths = printf "%s/%s.%s:%s/%s.pass" $certDir "cert" $certType $certDir $certType -}} + {{- end }} + - name: cert-post-processor + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.certPostProcessorImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + {{- include "common.resources" . | nindent 4 }} + volumeMounts: + - mountPath: {{ $certDir }} + name: tls-info + {{- include "common.certManager.volumeMountsReadOnly" . | nindent 4 }} + env: + - name: TRUSTSTORES_PATHS + value: {{ $truststoresPaths | quote}} + - name: TRUSTSTORES_PASSWORDS_PATHS + value: {{ $truststoresPasswordPaths | quote }} + - name: KEYSTORE_SOURCE_PATHS + value: {{ $keystoreSourcePaths | quote }} + - name: KEYSTORE_DESTINATION_PATHS + value: {{ $keystoreDestinationPaths | quote }} + {{- end }} +{{- end -}}