--- /dev/null
+{{ if .Values.global.aafEnabled }}
+{{/*
+# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies, Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.aafConfig.addconfig -}}
+apiVersion: v1
+kind: ConfigMap
+{{- $suffix := "aaf-add-config" }}
+metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
+data:
+ aaf-add-config.sh: |-
+ /opt/app/aaf_config/bin/agent.sh;/opt/app/aaf_config/bin/agent.sh local showpass \
+ {{.Values.aafConfig.fqi}} {{ .Values.aafConfig.fqdn }} > {{ .Values.aafConfig.credsPath }}/mycreds.prop
+{{- end -}}
+{{- end -}}
release: {{ include "common.release" . }}
name: {{ include "common.fullname" . }}
spec:
+{{- if .Values.global.aafEnabled }}
+ initContainers: {{ include "common.aaf-config" . | nindent 6 }}
+{{- end }}
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
- containerPort: {{ .Values.service.internalPort }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
+ {{- if .Values.global.aafEnabled }}
+ command:
+ - bash
+ args:
+ - -c
+ - |
+ export $(grep '^c' {{ .Values.aafConfig.credsPath }}/mycreds.prop | xargs -0)
+ export JAVA_OPTS="-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \
+ -Dserver.ssl.key-store={{ .Values.aafConfig.credsPath }}/org.onap.nbi.p12 \
+ -Dserver.ssl.key-store-type=PKCS12 \
+ -Djavax.net.ssl.trustStore={{ .Values.aafConfig.credsPath }}/org.onap.nbi.trust.jks \
+ -Dserver.ssl.key-store-password=$cadi_keystore_password_p12 \
+ -Djavax.net.ssl.trustStoreType=jks\
+ -Djava.security.egd=file:/dev/./urandom -Dserver.port=8443"
+ {{- if eq "DEBUG" .Values.config.loglevel }}
+ export JAVA_DEBUG="-Djavax.net.debug=all"
+ {{- end }}
+ exec java -XX:+UseContainerSupport $JAVA_DEBUG $JAVA_OPTS -jar /opt/onap/app.jar
+ {{- end }}
{{ if .Values.liveness.enabled }}
livenessProbe:
- tcpSocket:
- port: {{ .Values.service.internalPort }}
+ httpGet:
+ port: {{ .Values.liveness.port }}
+ path: {{ .Values.liveness.path }}
+ scheme: HTTPS
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end }}
readinessProbe:
- tcpSocket:
- port: {{ .Values.service.internalPort }}
+ httpGet:
+ port: {{ .Values.readiness.port }}
+ path: {{ .Values.readiness.path }}
+ scheme: HTTPS
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
env:
- name: ONAP_CLOUDOWNER
value: {{ .Values.config.cloudOwner }}
- name: NBI_URL
- value: "http://nbi.{{ include "common.namespace" . }}:8080/nbi/api/v4"
+ value: "https://nbi.{{ include "common.namespace" . }}:8443/nbi/api/v4"
- name: SDC_HOST
value: "https://sdc-be.{{ include "common.namespace" . }}:8443"
- name: SDC_HEADER_ECOMPINSTANCEID
value: {{ .Values.so_authorization }}
{{- end }}
- name: DMAAP_HOST
- value: "https://message-router.{{ include "common.namespace" . }}:3905"
+ value: "http://message-router.{{ include "common.namespace" . }}:3904"
- name: LOGGING_LEVEL_ORG_ONAP_NBI
value: {{ .Values.config.loglevel }}
- name: MSB_ENABLED
value: "msb-discovery.{{ include "common.namespace" . }}"
- name: MSB_DISCOVERY_PORT
value: "10081"
- volumeMounts:
+ volumeMounts: {{ include "common.aaf-config-volume-mountpath" . | nindent 12 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
# name: esr-server-logs
# - mountPath: /usr/share/filebeat/data
# name: esr-server-filebeat
- volumes:
+ volumes: {{ include "common.aaf-config-volumes" . | nindent 8 }}
- name: localtime
hostPath:
path: /etc/localtime
service: mariadb-galera
internalPort: 3306
nameOverride: mariadb-galera
+ aafAgentImage: onap/aaf/aaf_agent:2.1.15
+ aafEnabled: true
+ busyBoxImage: busybox:1.30
+ busyBoxRepository: docker.io
+
+#################################################################
+# AAF part
+#################################################################
+aafConfig:
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: nbi
+ fqi: nbi@nbi.onap.org
+ public_fqdn: nbi.onap.org
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ credsPath: /opt/app/osaaf/local
+ app_ns: org.osaaf.aaf
+ permission_user: 1000
+ permission_group: 999
+ addconfig: true
+ secret_uid: &aaf_secret_uid nbi-aaf-deploy-creds
+
#################################################################
# Secrets metaconfig
externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}'
login: '{{ .Values.config.db.userName }}'
password: '{{ .Values.config.db.userPassword }}'
+ - uid: *aaf_secret_uid
+ type: basicAuth
+ externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDisabled" .Values.global.aafEnabled }}'
+ login: '{{ .Values.aafConfig.aafDeployFqi }}'
+ password: '{{ .Values.aafConfig.aafDeployPass }}'
+ passwordPolicy: required
subChartsOnly:
enabled: true
# application image
repository: nexus3.onap.org:10001
-image: onap/externalapi/nbi:6.0.0
+image: onap/externalapi/nbi:6.0.1
pullPolicy: IfNotPresent
sdc_authorization: Basic YWFpOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU=
aai_authorization: Basic QUFJOkFBSQ==
# probe configuration parameters
liveness:
- httpGet:
- path: /nbi/api/v4/status
- port: 8080
+ path: /nbi/api/v4/status
+ port: 8443
initialDelaySeconds: 180
periodSeconds: 30
# necessary to disable liveness probe when setting breakpoints
enabled: true
readiness:
- httpGet:
- path: /nbi/api/v4/status
- port: 8080
+ path: /nbi/api/v4/status
+ port: 8443
initialDelaySeconds: 185
periodSeconds: 30
portName: api
name: nbi
nodePort: 74
- internalPort: 8080
+ internalPort: 8443
ingress:
enabled: false
"implementation": "org.onap.policy.models.provider.impl.DatabasePolicyModelsProviderImpl",
"databaseDriver": "org.mariadb.jdbc.Driver",
"databaseUrl": "jdbc:mariadb://{{ .Values.global.mariadb.service.name }}:{{ .Values.global.mariadb.service.internalPort }}/{{ .Values.global.mariadb.config.mysqlDatabase }}",
- "databaseUser": "{{ .Values.global.mariadb.config.userName }}",
- "databasePassword": "{{ .Values.global.mariadb.config.userPassword | b64enc }}",
+ "databaseUser": "${SQL_USER}",
+ "databasePassword": "${SQL_PASSWORD_BASE64}",
"persistenceUnit": "PolicyMariaDb"
},
"topicParameterGroup": {
image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-readiness
+
+ - command:
+ - sh
+ args:
+ - -c
+ - "export SQL_PASSWORD_BASE64=`echo -n ${SQL_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: SQL_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
+ - name: SQL_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: papconfig
+ - mountPath: /config
+ name: papconfig-processed
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
name: localtime
readOnly: true
- mountPath: /opt/app/policy/pap/etc/mounted
- name: papconfig
+ name: papconfig-processed
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
configMap:
name: {{ include "common.fullname" . }}-configmap
defaultMode: 0755
+ - name: papconfig-processed
+ emptyDir:
+ medium: Memory
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
--- /dev/null
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secretFast" . }}
#################################################################
global:
persistence: {}
+ envsubstImage: dibi/envsubst
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: db-secret
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . }}'
+ login: '{{ .Values.db.user }}'
+ password: '{{ .Values.db.password }}'
+ passwordPolicy: required
#################################################################
# Application configuration defaults.
# application configuration
+db:
+ user: policy_user
+ password: policy_user
+
# default number of instances
replicaCount: 1
"implementation": "org.onap.policy.models.provider.impl.DatabasePolicyModelsProviderImpl",
"databaseDriver": "org.mariadb.jdbc.Driver",
"databaseUrl": "jdbc:mariadb://{{ .Values.global.mariadb.service.name }}:{{ .Values.global.mariadb.service.internalPort }}/policyadmin",
- "databaseUser": "{{ .Values.global.mariadb.config.userName }}",
- "databasePassword": "{{ .Values.global.mariadb.config.userPassword | b64enc }}",
+ "databaseUser": "${SQL_USER}",
+ "databasePassword": "${SQL_PASSWORD_BASE64}",
"persistenceUnit": "PolicyMariaDb"
},
"preloadPolicyTypes": [
image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-readiness
+
+ - command:
+ - sh
+ args:
+ - -c
+ - "export SQL_PASSWORD_BASE64=`echo -n ${SQL_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: SQL_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }}
+ - name: SQL_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: apiconfig
+ - mountPath: /config
+ name: apiconfig-processed
+ image: "{{ .Values.global.envsubstImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
name: localtime
readOnly: true
- mountPath: /opt/app/policy/api/etc/mounted
- name: apiconfig
+ name: apiconfig-processed
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
configMap:
name: {{ include "common.fullname" . }}-configmap
defaultMode: 0755
+ - name: apiconfig-processed
+ emptyDir:
+ medium: Memory
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
--- /dev/null
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secretFast" . }}
global:
nodePortPrefix: 304
persistence: {}
+ envsubstImage: dibi/envsubst
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: db-secret
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . }}'
+ login: '{{ .Values.db.user }}'
+ password: '{{ .Values.db.password }}'
+ passwordPolicy: required
#################################################################
# Application configuration defaults.
debugEnabled: false
# application configuration
+db:
+ user: policy_user
+ password: policy_user
# default number of instances
replicaCount: 1
+aai:
+ endpoint: https://aai.{{ include "common.namespace" . }}:8443
+ auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.aai.auth )}}
server:
port: {{ index .Values.containerPort }}
tomcat: