X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Fdcaegen2-services%2Fcommon%2Fdcaegen2-services-common%2Ftemplates%2F_deployment.tpl;h=dd0bf4bd4823540b152712541378ac87feaf843a;hb=05da03322b0a0539e85819bd84cffd2c7a9c3c1e;hp=e9ada4d87cc463722f0ab9b442ff14403bb3a9e5;hpb=4bb3da3dccebf6abdb390d80ac3c4e323ed43250;p=oom.git diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index e9ada4d87c..dd0bf4bd48 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -2,6 +2,9 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. +# Copyright (c) 2021 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,6 +20,141 @@ # ============LICENSE_END========================================================= */}} {{/* +For internal use only! + +dcaegen2-services-common._ms-specific-env-vars: +This template generates a list of microservice-specific environment variables +as specified in .Values.applicationEnv. The +dcaegen2-services-common.microServiceDeployment uses this template +to add the microservice-specific environment variables to the microservice's container. +These environment variables are in addition to a standard set of environment variables +provided to all microservices. + +The template expects a single argument, pointing to the caller's global context. + +Microservice-specific environment variables can be specified in two ways: + 1. As literal string values. + 2. As values that are sourced from a secret, identified by the secret's + uid and the key within the secret that provides the value. + +The following example shows an example of each type. The example assumes +that a secret has been created using the OOM common secret mechanism, with +a secret uid "example-secret" and a key called "password". + +applicationEnv: + APPLICATION_PASSWORD: + secretUid: example-secret + key: password + APPLICATION_EXAMPLE: "An example value" + +The example would set two environment variables on the microservice's container, +one called "APPLICATION_PASSWORD" with the value set from the "password" key in +the secret with uid "example-secret", and one called "APPLICATION_EXAMPLE" set to +the the literal string "An example value". +*/}} +{{- define "dcaegen2-services-common._ms-specific-env-vars" -}} + {{- $global := . }} + {{- if .Values.applicationEnv }} + {{- range $envName, $envValue := .Values.applicationEnv }} + {{- if kindIs "string" $envValue }} +- name: {{ $envName }} + value: {{ $envValue | quote }} + {{- else }} + {{ if or (not $envValue.secretUid) (not $envValue.key) }} + {{ fail (printf "Env %s definition is not a string and does not contain secretUid or key fields" $envName) }} + {{- end }} +- name: {{ $envName }} + {{- include "common.secret.envFromSecretFast" (dict "global" $global "uid" $envValue.secretUid "key" $envValue.key) | indent 2 }} + {{- end -}} + {{- end }} + {{- end }} +{{- end -}} +{{/* +For internal use only! + +dcaegen2-services-common._externalVolumes: +This template generates a list of volumes associated with the pod, +based on information provided in .Values.externalVolumes. This +template works in conjunction with dcaegen2-services-common._externalVolumeMounts +to give the microservice access to data in volumes created else. +This initial implementation supports ConfigMaps only, as this is the only +external volume mounting required by current microservices. + +.Values.externalVolumes is a list of objects. Each object has 3 required fields and 2 optional fields: + - name: the name of the resource (in the current implementation, it must be a ConfigMap) + that is to be set up as a volume. The value is a case sensitive string. Because the + names of resources are sometimes set at deployment time (for instance, to prefix the Helm + release to the name), the string can be a Helm template fragment that will be expanded at + deployment time. + - type: the type of the resource (in the current implementation, only "ConfigMap" is supported). + The value is a case-INsensitive string. + - mountPoint: the path to the mount point for the volume in the container file system. The + value is a case-sensitive string. + - readOnly: (Optional) Boolean flag. Set to true to mount the volume as read-only. + Defaults to false. + - optional: (Optional) Boolean flag. Set to true to make the configMap optional (i.e., to allow the + microservice's pod to start even if the configMap doesn't exist). If set to false, the configMap must + be present in order for the microservice's pod to start. Defaults to true. (Note that this + default is the opposite of the Kubernetes default. We've done this to be consistent with the behavior + of the DCAE Cloudify plugin for Kubernetes [k8splugin], which always set "optional" to true.) + +Here is an example fragment from a values.yaml file for a microservice: + +externalVolumes: + - name: my-example-configmap + type: configmap + mountPath: /opt/app/config + - name: '{{ include "common.release" . }}-another-example' + type: configmap + mountPath: /opt/app/otherconfig + optional: false +*/}} +{{- define "dcaegen2-services-common._externalVolumes" -}} + {{- $global := . -}} + {{- if .Values.externalVolumes }} + {{- range $vol := .Values.externalVolumes }} + {{- if eq (lower $vol.type) "configmap" }} + {{- $vname := (tpl $vol.name $global) -}} + {{- $opt := hasKey $vol "optional" | ternary $vol.optional true }} +- configMap: + defaultMode: 420 + name: {{ $vname }} + optional: {{ $opt }} + name: {{ $vname }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} +{{/* +For internal use only! + +dcaegen2-services-common._externalVolumeMounts: +This template generates a list of volume mounts for the microservice container, +based on information provided in .Values.externalVolumes. This +template works in conjunction with dcaegen2-services-common._externalVolumes +to give the microservice access to data in volumes created else. +This initial implementation supports ConfigMaps only, as this is the only +external volume mounting required by current microservices. + +See the documentation for dcaegen2-services-common._externalVolumes for +details on how external volumes are specified in the values.yaml file for +the microservice. +*/}} +{{- define "dcaegen2-services-common._externalVolumeMounts" -}} + {{- $global := . -}} + {{- if .Values.externalVolumes }} + {{- range $vol := .Values.externalVolumes }} + {{- if eq (lower $vol.type) "configmap" }} + {{- $vname := (tpl $vol.name $global) -}} + {{- $readOnly := $vol.readOnly | default false }} +- mountPath: {{ $vol.mountPath }} + name: {{ $vname }} + readOnly: {{ $readOnly }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} +{{/* dcaegen2-services-common.microserviceDeployment: This template produces a Kubernetes Deployment for a DCAE microservice. @@ -63,12 +201,35 @@ certificate information will include a server cert and key, in various formats. It will also include the AAF CA cert. If the microservice is a TLS client only (indicated by setting .Values.tlsServer to false), the certificate information includes only the AAF CA cert. + +Deployed POD may also include a Policy-sync sidecar container. +The sidecar is included if .Values.policies is set. The +Policy-sync sidecar polls PolicyEngine (PDP) periodically based +on .Values.policies.duration and configuration retrieved is shared with +DCAE Microservice container by common volume. Policy can be retrieved based on +list of policyID or filter. An optional policyRelease parameter can be specified +to override the default policy helm release (used for retreiving the secret containing +pdp username and password) + +Following is example policy config override + +dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 +policies: + duration: 300 + policyRelease: "onap" + policyID: | + '["onap.vfirewall.tca","onap.vdns.tca"]' */}} {{- define "dcaegen2-services-common.microserviceDeployment" -}} {{- $logDir := default "" .Values.logDirectory -}} {{- $certDir := default "" .Values.certDirectory . -}} {{- $tlsServer := default "" .Values.tlsServer -}} +{{- $commonRelease := print (include "common.release" .) -}} +{{- $policy := default dict .Values.policies -}} +{{- $policyRls := default $commonRelease $policy.policyRelease -}} +{{- $drFeedConfig := default "" .Values.drFeedConfig -}} + apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} @@ -79,6 +240,7 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: + {{- if not $drFeedConfig }} - command: - sh args: @@ -101,8 +263,9 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config - + {{- end }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} + {{- include "common.dmaap.provisioning.initContainer" . | nindent 6 }} - name: init-consul image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.consulLoaderImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -130,14 +293,19 @@ spec: - mountPath: /opt/app/osaaf name: tls-info {{- end }} + {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }} containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }} env: + {{- range $cred := .Values.credentials }} + - name: {{ $cred.name }} + {{- include "common.secret.envFromSecretFast" (dict "global" $ "uid" $cred.uid "key" $cred.key) | indent 10 }} + {{- end }} {{- if $certDir }} - name: DCAE_CA_CERTPATH - value: {{ $certDir}}/cacert.pem + value: {{ $certDir }}/cacert.pem {{- end }} - name: CONSUL_HOST value: consul-server.onap @@ -150,12 +318,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP - {{- if .Values.applicationEnv }} - {{- range $envName, $envValue := .Values.applicationEnv }} - - name: {{ $envName }} - value: {{ $envValue | quote }} - {{- end }} - {{- end }} + {{- include "dcaegen2-services-common._ms-specific-env-vars" . | nindent 8 }} {{- if .Values.service }} ports: {{ include "common.containerPorts" . | nindent 10 }} {{- end }} @@ -183,6 +346,8 @@ spec: volumeMounts: - mountPath: /app-config name: app-config + - mountPath: /app-config-input + name: app-config-input {{- if $logDir }} - mountPath: {{ $logDir}} name: component-log @@ -190,7 +355,15 @@ spec: {{- if $certDir }} - mountPath: {{ $certDir }} name: tls-info + {{- if (include "dcaegen2-services-common.shouldUseCmpv2Certificates" .) -}} + {{- include "common.certManager.volumeMountsReadOnly" . | nindent 8 -}} + {{- end -}} + {{- end }} + {{- if $policy }} + - name: policy-shared + mountPath: /etc/policies {{- end }} + {{- include "dcaegen2-services-common._externalVolumeMounts" . | nindent 8 }} {{- if $logDir }} - image: {{ include "repositoryGenerator.image.logging" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -211,7 +384,55 @@ spec: name: filebeat-conf subPath: filebeat.yml {{- end }} + {{- if $policy }} + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dcaePolicySyncImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: policy-sync + env: + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: POLICY_SYNC_PDP_USER + valueFrom: + secretKeyRef: + name: {{ $policyRls }}-policy-xacml-pdp-api-creds + key: login + - name: POLICY_SYNC_PDP_PASS + valueFrom: + secretKeyRef: + name: {{ $policyRls }}-policy-xacml-pdp-api-creds + key: password + - name: POLICY_SYNC_PDP_URL + value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969 + - name: POLICY_SYNC_OUTFILE + value : "/etc/policies/policies.json" + - name: POLICY_SYNC_V1_DECISION_ENDPOINT + value : "policy/pdpx/v1/decision" + {{- if $policy.filter }} + - name: POLICY_SYNC_FILTER + value: {{ $policy.filter }} + {{- end -}} + {{- if $policy.policyID }} + - name: POLICY_SYNC_ID + value: {{ $policy.policyID }} + {{- end -}} + {{- if $policy.duration }} + - name: POLICY_SYNC_DURATION + value: "{{ $policy.duration }}" + {{- end }} + resources: {{ include "common.resources" . | nindent 2 }} + volumeMounts: + - mountPath: /etc/policies + name: policy-shared + {{- if $certDir }} + - mountPath: /opt/ca-certificates/ + name: tls-info + {{- end }} + {{- end }} hostname: {{ include "common.name" . }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - configMap: defaultMode: 420 @@ -233,7 +454,75 @@ spec: {{- if $certDir }} - emptyDir: {} name: tls-info + {{ if (include "dcaegen2-services-common.shouldUseCmpv2Certificates" .) -}} + {{ include "common.certManager.volumesReadOnly" . | nindent 6 }} + {{- end }} {{- end }} + {{- if $policy }} + - name: policy-shared + emptyDir: {} + {{- end }} + {{- include "common.dmaap.provisioning._volumes" . | nindent 6 -}} + {{- include "dcaegen2-services-common._externalVolumes" . | nindent 6 }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" {{ end -}} + +{{/* + For internal use + + Template to attach CertPostProcessor which merges CMPv2 truststore with AAF truststore + and swaps keystore files. +*/}} +{{- define "dcaegen2-services-common._certPostProcessor" -}} + {{- $certDir := default "" .Values.certDirectory . -}} + {{- if (include "dcaegen2-services-common.shouldUseCmpv2Certificates" .) -}} + {{- $cmpv2Certificate := (index .Values.certificates 0) -}} + {{- $cmpv2CertificateDir := $cmpv2Certificate.mountPath -}} + {{- $certType := "pem" -}} + {{- if $cmpv2Certificate.keystore -}} + {{- $certType = (index $cmpv2Certificate.keystore.outputType 0) -}} + {{- end -}} + {{- $truststoresPaths := printf "%s/%s:%s/%s" $certDir "cacert.pem" $cmpv2CertificateDir "cacert.pem" -}} + {{- $truststoresPasswordPaths := ":" -}} + {{- $keystoreSourcePaths := printf "%s/%s:%s/%s" $cmpv2CertificateDir "cert.pem" $cmpv2CertificateDir "key.pem" -}} + {{- $keystoreDestinationPaths := printf "%s/%s:%s/%s" $certDir "cert.pem" $certDir "key.pem" -}} + {{- if not (eq $certType "pem") -}} + {{- $truststoresPaths = printf "%s/%s:%s/%s.%s" $certDir "trust.jks" $cmpv2CertificateDir "truststore" $certType -}} + {{- $truststoresPasswordPaths = printf "%s/%s:%s/%s" $certDir "trust.pass" $cmpv2CertificateDir "truststore.pass" -}} + {{- $keystoreSourcePaths = printf "%s/%s.%s:%s/%s" $cmpv2CertificateDir "keystore" $certType $cmpv2CertificateDir "keystore.pass" -}} + {{- $keystoreDestinationPaths = printf "%s/%s.%s:%s/%s.pass" $certDir "cert" $certType $certDir $certType -}} + {{- end }} + - name: cert-post-processor + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.certPostProcessorImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + {{- include "common.resources" . | nindent 4 }} + volumeMounts: + - mountPath: {{ $certDir }} + name: tls-info + {{- include "common.certManager.volumeMountsReadOnly" . | nindent 4 }} + env: + - name: TRUSTSTORES_PATHS + value: {{ $truststoresPaths | quote}} + - name: TRUSTSTORES_PASSWORDS_PATHS + value: {{ $truststoresPasswordPaths | quote }} + - name: KEYSTORE_SOURCE_PATHS + value: {{ $keystoreSourcePaths | quote }} + - name: KEYSTORE_DESTINATION_PATHS + value: {{ $keystoreDestinationPaths | quote }} + {{- end }} +{{- end -}} + +{{/* + Template returns string "true" if CMPv2 certificates should be used and nothing (so it can be used in with statements) + when they shouldn't. Example use: + {{- if (include "dcaegen2-services-common.shouldUseCmpv2Certificates" .) -}} + +*/}} +{{- define "dcaegen2-services-common.shouldUseCmpv2Certificates" -}} + {{- $certDir := default "" .Values.certDirectory . -}} + {{- if (and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.useCmpv2Certificates) -}} + true + {{- end -}} +{{- end -}}