labels:
app: aai-service
name: aai-service
- annotations:
- pod.beta.kubernetes.io/init-containers: '[
- {
- "args": [
- "--container-name",
- "hbase"
- ],
- "command": [
- "/root/ready.py"
- ],
- "env": [
- {
- "name": "NAMESPACE",
- "valueFrom": {
- "fieldRef": {
- "apiVersion": "v1",
- "fieldPath": "metadata.namespace"
- }
- }
- }
- ],
- "image": "oomk8s/readiness-check:1.0.0",
- "imagePullPolicy": "Always",
- "name": "aai-service-readiness"
- }
- ]'
spec:
containers:
- - env:
- - name: AAI_REPO_PATH
- value: r/aai
- - name: AAI_CHEF_ENV
- value: simpledemo
- - name: AAI_CHEF_LOC
- value: /var/chef/aai-data/environments
- - name: docker_gitbranch
- value: release-1.0.0
- - name: DEBIAN_FRONTEND
- value: noninteractive
- - name: JAVA_HOME
- value: /usr/lib/jvm/java-8-openjdk-amd64
- image: nexus3.onap.org:10001/openecomp/ajsc-aai:1.1-STAGING-latest
- name: aai-service
+ - name: aai-service
+ image: aaionap/haproxy
volumeMounts:
- - mountPath: /etc/ssl/certs/
- name: aai-service-certs
- - mountPath: /opt/aai/logroot/
- name: aai-service-logroot
- - mountPath: /var/chef/aai-config/
- name: aai-config
- - mountPath: /var/chef/aai-data/
- name: aai-data
+ - mountPath: /dev/log
+ name: aai-service-log
+ - mountPath: /usr/local/etc/haproxy/haproxy.cfg
+ name: haproxy-cfg
ports:
- containerPort: 8080
- containerPort: 8443
initialDelaySeconds: 5
periodSeconds: 10
volumes:
- - name: aai-service-certs
+ - name: aai-service-log
hostPath:
- path: /dockerdata/onapdemo/aai/etc/ssl/certs/
- - name: aai-service-logroot
+ path: /dockerdata/onapdemo/aai/haproxy/log/
+ - name: haproxy-cfg
hostPath:
- path: /dockerdata/onapdemo/aai/opt/aai/logroot/
- - name: aai-config
- hostPath:
- path: /dockerdata/onapdemo/aai/aai-config/
- - name: aai-data
- hostPath:
- path: /dockerdata/onapdemo/aai/aai-data/
+ path: /dockerdata/onapdemo/aai/haproxy/haproxy.cfg
restartPolicy: Always
imagePullSecrets:
- name: onap-docker-registry-key
mkdir -p /config-init/$NAMESPACE/sdc/logs/ASDC/ASDC-FE/
mkdir -p /config-init/$NAMESPACE/aai/opt/aai/logroot/
mkdir -p /config-init/$NAMESPACE/aai/model-loader/logs/
+mkdir -p /config-init/$NAMESPACE/aai/haproxy/log/
+mkdir -p /config-init/$NAMESPACE/aai/aai-traversal/logs/ajsc-jetty/gc/
+mkdir -p /config-init/$NAMESPACE/aai/aai-traversal/logs/dmaapAAIEventConsumer/
+mkdir -p /config-init/$NAMESPACE/aai/aai-traversal/logs/perf-audit/
+mkdir -p /config-init/$NAMESPACE/aai/aai-traversal/logs/rest/
+mkdir -p /config-init/$NAMESPACE/aai/aai-resources/logs/ajsc-jetty/gc/
+mkdir -p /config-init/$NAMESPACE/aai/aai-resources/logs/dmaapAAIEventConsumer/
+mkdir -p /config-init/$NAMESPACE/aai/aai-resources/logs/perf-audit/
+mkdir -p /config-init/$NAMESPACE/aai/aai-resources/logs/rest/
chmod -R 777 /config-init/$NAMESPACE/sdc/logs/
chmod -R 777 /config-init/$NAMESPACE/aai/aai-config/
chmod -R 777 /config-init/$NAMESPACE/aai/aai-data/
chmod -R 777 /config-init/$NAMESPACE/aai/opt/aai/logroot/
chmod -R 777 /config-init/$NAMESPACE/aai/model-loader/logs/
+chmod -R 777 /config-init/$NAMESPACE/aai/haproxy/log/
+chmod -R 777 /config-init/$NAMESPACE/aai/aai-traversal/logs/
+chmod -R 777 /config-init/$NAMESPACE/aai/aai-resources/logs/
# replace the default 'onap' namespace qualification of K8s hostnames within the config files
find /config-init/$NAMESPACE/ -type f -exec sed -i -e "s/onap-/$NAMESPACE-/g" {} \;
--- /dev/null
+global
+ log /dev/log local0
+ stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
+ stats timeout 30s
+ user root
+ group root
+ daemon
+ #################################
+ # Default SSL material locations#
+ #################################
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ tune.ssl.default-dh-param 2048
+
+defaults
+ log global
+ mode http
+ option httplog
+# option dontlognull
+# errorfile 400 /etc/haproxy/errors/400.http
+# errorfile 403 /etc/haproxy/errors/403.http
+# errorfile 408 /etc/haproxy/errors/408.http
+# errorfile 500 /etc/haproxy/errors/500.http
+# errorfile 502 /etc/haproxy/errors/502.http
+# errorfile 503 /etc/haproxy/errors/503.http
+# errorfile 504 /etc/haproxy/errors/504.http
+
+ option http-server-close
+ option forwardfor except 127.0.0.1
+ retries 6
+ option redispatch
+ maxconn 50000
+ timeout connect 50000
+ timeout client 480000
+ timeout server 480000
+ timeout http-keep-alive 30000
+
+
+frontend IST_8443
+ mode http
+ bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
+# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+ option httplog
+ log global
+ option logasap
+ option forwardfor
+ capture request header Host len 100
+ capture response header Host len 100
+ option log-separate-errors
+ option forwardfor
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+ http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
+ http-request set-header X-AAI-SSL %[ssl_fc]
+ http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify]
+ http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn]
+ http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
+ http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn]
+ http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
+ http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
+ http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64]
+ http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)]
+ http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)]
+ http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
+ http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
+ http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
+ reqadd X-Forwarded-Proto:\ https
+ reqadd X-Forwarded-Port:\ 8443
+
+#######################
+#ACLS FOR PORT 8446####
+#######################
+
+ acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
+ acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
+ acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
+ acl is_named-query path_beg -i /aai/search/named-query
+ acl is_search-model path_beg -i /aai/search/model
+ use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model
+
+ default_backend IST_Default_8447
+
+
+#######################
+#DEFAULT BACKEND 847###
+#######################
+
+backend IST_Default_8447
+ balance roundrobin
+ http-request set-header X-Forwarded-Port %[src_port]
+ http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+ server aai-resources.onap-aai aai-resources.onap-aai:8447 port 8447 ssl verify none
+
+#######################
+# BACKEND 8446#########
+#######################
+
+backend IST_AAI_8446
+ balance roundrobin
+ http-request set-header X-Forwarded-Port %[src_port]
+ http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+ server aai-traversal.onap-aai aai-traversal.onap-aai:8446 port 8446 ssl verify none
+
+listen IST_AAI_STATS
+ mode http
+ bind *:8080
+ stats uri /stats
+ stats enable
+ stats refresh 30s
+ stats hide-version
+ stats auth admin:admin
+ stats show-legends
+ stats show-desc IST AAI APPLICATION NODES
+ stats admin if TRUE
+