aaf-sms@aaf-sms.onap.org|aaf-sms|local|/opt/app/osaaf/local||mailto:|org.onap.aaf-sms|root|30|{'aaf-sms-db.onap', 'aaf-sms.api.simpledemo.onap.org', 'aaf-sms.onap', 'aaf-sms.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file'}
aai@aai.onap.org|aai1|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12'}
aai@aai.onap.org|aai2|aaf|/Users/jf2512||mailto:|org.onap.aai|jf2512|60|{'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.onap aai-sparky-be.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org aai1.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
-aai@aai.onap.org|aai|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|60|{'aai-search-data.onap', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|mmanager@osaaf.org|{'pkcs12'}
-aai@aai.onap.org|aai.onap|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12'}
+aai@aai.onap.org|aai|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|60|{'aai-search-data.onap', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
+aai@aai.onap.org|aai.onap|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12'}
aai@aai.onap.org|mithrilcsp.sbc.com|local|/tmp/onap||mailto:|org.onap.aai|jg1555|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'}
appc@appc.onap.org|appc|local|/opt/app/osaaf/local||mailto:|org.onap.appc|root|60|{'appc.api.simpledemo.onap.org', 'appc.onap', 'appc.simpledemo.onap.org'}|mmanager@osaaf.org|{'pkcs12'}
clamp@clamp.onap.org|clamp|local|/opt/app/osaaf/local||mailto:|org.onap.clamp|root|30|{'clamp', 'clamp-onap', 'clamp.api.simpledemo.onap.org', 'clamp.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
value: {{ .Values.global.config.userId | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.global.config.groupId | quote }}
+ - name: POST_JAVA_OPTS
+ value: '-Djavax.net.ssl.trustStore=/opt/app/aai-resources/resources/aaf/truststoreONAPall.jks -Djavax.net.ssl.trustStorePassword=changeit'
volumeMounts:
- mountPath: /etc/localtime
name: localtime
# be published independently to a repo (at this point)
repository: '@local'
condition: global.cassandra.localCluster
+ - name: certInitializer
+ version: ~7.x-0
+ repository: '@local'
- name: repositoryGenerator
version: ~7.x-0
repository: '@local'
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIFKzCCBBOgAwIBAgIILW/fiLbps3kwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE
-BhMCVVMxDTALBgNVBAoMBE9OQVAxDjAMBgNVBAsMBU9TQUFGMRkwFwYDVQQDDBBp
-bnRlcm1lZGlhdGVDQV85MB4XDTIwMDMxNzIwMjg1NloXDTIxMDMxNzIwMjg1Nlow
-WTEMMAoGA1UEAwwDYWFpMR0wGwYDVQQLDBRhYWlAYWFpLm9uYXAub3JnOkRFVjEO
-MAwGA1UECwwFT1NBQUYxDTALBgNVBAoMBE9OQVAxCzAJBgNVBAYTAlVTMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAov4ddmOzRCWAU/sx2Q9kcYZZ0r/x
-agqwDBcmlS2OP0MAou/f/xY2gzE2ugXXGGEXG6PCUx4YEHGeRxyezEQ/+c+kSjFe
-0FTUa8Z1Ojad3VDsJfjfZ1994NpV99KTrrw1Twq9Ei7dpkypUA8kZxEjg7eM11TU
-F4jS6x5NEyVsxih5uJjIF7ErGwimSEKsympcsXezYgG9Z/VPBpZWmYlYl5MWjzT6
-F0FgGfSbajWauMifEPajmvn8ZXn6Lyx0RCI25+BCcOhS6UvYXFX+jE/uOoEbKgwz
-11tIdryEFrXiLVfD01uhacx02YCrzj1u53RWiD6bCPyatKo1hQsf+aDkEQIDAQAB
-o4ICBzCCAgMwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBeAwIAYDVR0lAQH/BBYw
-FAYIKwYBBQUHAwEGCCsGAQUFBwMCMFQGA1UdIwRNMEuAFIH3mVsQuciM3vNSXupO
-aaBDPqzdoTCkLjAsMQ4wDAYDVQQLDAVPU0FBRjENMAsGA1UECgwET05BUDELMAkG
-A1UEBhMCVVOCAQcwHQYDVR0OBBYEFP94WTftXhHcz93nBT6jIdMe6h+6MIIBTQYD
-VR0RBIIBRDCCAUCBH21hcmsuZC5tYW5hZ2VyQHBlb3BsZS5vc2FhZi5jb22CA2Fh
-aYIUYWFpLXNlYXJjaC1kYXRhLm9uYXCCEmFhaS1zcGFya3ktYmUub25hcIIbYWFp
-LmFwaS5zaW1wbGVkZW1vLm9uYXAub3JngiVhYWkuZWxhc3RpY3NlYXJjaC5zaW1w
-bGVkZW1vLm9uYXAub3JngiVhYWkuZ3JlbWxpbnNlcnZlci5zaW1wbGVkZW1vLm9u
-YXAub3Jngh1hYWkuaGJhc2Uuc2ltcGxlZGVtby5vbmFwLm9yZ4IIYWFpLm9uYXCC
-JWFhaS5zZWFyY2hzZXJ2aWNlLnNpbXBsZWRlbW8ub25hcC5vcmeCF2FhaS5zaW1w
-bGVkZW1vLm9uYXAub3JnghphYWkudWkuc2ltcGxlZGVtby5vbmFwLm9yZzANBgkq
-hkiG9w0BAQsFAAOCAQEAVigPPsYd8yscW+U6zpffBc5S6Mg2DQD/gikB0uF//lIq
-oa5qTI3yB0wPoRKmxpeEZiJYDkBs3App2sPM2fPb9GGmGncCLkprqTflM2Y4yxX4
-k/a7w8vEwMoCrBgxEdmniAj9TirsISyLqBIXoGT7WtaXBLZarYhJ4P7TplhyWuwe
-sV6jxkZLIRLj31ihf32adFIhPZQKxaHbbFnyEylLTdPuZGy3nvdmjajZuomOFF8h
-HhDIouSJAtgkuWVsMiX6iR1qG9//6ymnZMvUyDGr8bkZURhMqesAejwP4aKxqDZg
-B0uVjapQTJH4ES0M+2PoY9gP8uh0dc3TusOs1QYJiA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEdTCCAl2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB
-RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwODE3MTg1MTM3WhcN
-MjMwODE3MTg1MTM3WjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG
-A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzkwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv0HHUkba3uNtNI3jPKimUcd6RNwmhSCJL
-neMWpnjqp5/A+HCKyNsEaT4y177hNLmCm/aMm1u2JIfikc+8wEqLCSBBPz+P0h+d
-o+sZ7U+4oeQizdYYpEdzHJ2SieHHa8vtu80rU3nO2NEIkuYC20HcKSEtl8fFKsk3
-nqlhY+tGfYJPTXcDOQAO40BTcgat3C3uIJHkWJJ4RivunE4LEuRv9QyKgAw7rkJV
-v+f7guqpZlXy6dzAkuU7XULWcgo55MkZlssoiErMvEZJad5aWKvRY3g7qUjaQ6wO
-15wOAUoRBW96eeZZbytgn8kybcBy++Ue49gPtgm1MF/KlAsp0MD5AgMBAAGjgYYw
-gYMwHQYDVR0OBBYEFIH3mVsQuciM3vNSXupOaaBDPqzdMB8GA1UdIwQYMBaAFFNV
-M/JL69BRscF4msEoMXvv6u1JMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/
-BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
-AQsFAAOCAgEADxNymiCNr2e37iLReoaxKmZvwox0cTiNAaj7iafRzmwIoY3VXO8Q
-ix5IYcp4FaQ7fV1jyp/AmaSnyHf6Osl0sx8PxsQkO7ALttxKUrjfbvNSVUA2C/vl
-u5m7UVJLIUtFDZBWanzUSmkTsYLHpiANFQKd2c/cU1qXcyzgJVFEFVyyHNkF7Is+
-+pjG9M1hwQHOoTnEuU013P7X1mHek+RXEfhJWwe7UsZnBKZaZKbQZu7hEtqKWYp/
-QsHgnjoLYXsh0WD5rz/mBxdTdDLGpFqWDzDqb8rsYnqBzoowvsasV8X8OSkov0Ht
-8Yka0ckFH9yf8j1Cwmbl6ttuonOhky3N/gwLEozuhy7TPcZGVyzevF70kXy7g1CX
-kpFGJyEHXoprlNi8FR4I+NFzbDe6a2cFow1JN19AJ9Z5Rk5m7M0mQPaQ4RcikjB3
-aoLsASCJTm1OpOFHfxEKiBW4Lsp3Uc5/Rb9ZNbfLrwqWZRM7buW1e3ekLqntgbky
-uKKISHqVJuw/vXHl1jNibEo9+JuQ88VNuAcm7WpGUogeCa2iAlPTckPZei+MwZ8w
-tpvxTyYlZEC8DWzY1VC29+W2N5cvh01e2E3Ql08W1zL63dqrgdEZ3VWjzooYi4ep
-BmMXTvouW+Flyvcw/0oTcfN0biDIt0mCkZ5CQVjfGL9DTOYteR5hw+k=
------END CERTIFICATE-----
-Bag Attributes
- friendlyName: aai@aai.onap.org
- localKeyID: 54 69 6D 65 20 31 35 38 34 34 37 36 39 33 36 35 31 35
-Key Attributes: <No Attributes>
------BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCi/h12Y7NEJYBT
-+zHZD2RxhlnSv/FqCrAMFyaVLY4/QwCi79//FjaDMTa6BdcYYRcbo8JTHhgQcZ5H
-HJ7MRD/5z6RKMV7QVNRrxnU6Np3dUOwl+N9nX33g2lX30pOuvDVPCr0SLt2mTKlQ
-DyRnESODt4zXVNQXiNLrHk0TJWzGKHm4mMgXsSsbCKZIQqzKalyxd7NiAb1n9U8G
-llaZiViXkxaPNPoXQWAZ9JtqNZq4yJ8Q9qOa+fxlefovLHREIjbn4EJw6FLpS9hc
-Vf6MT+46gRsqDDPXW0h2vIQWteItV8PTW6FpzHTZgKvOPW7ndFaIPpsI/Jq0qjWF
-Cx/5oOQRAgMBAAECggEAVYWGSf9IKYKP0gDkh+LmrhZzfPxPnHddJgrjqLSNha4P
-YG8CliK+mZmyAGteECGpcUw8g0YwFDi5dtCSldVdyCLmLjO3bxKDnsUz70aHEIAM
-WGQ8PE5Diz6kivMHoFCKnB2jVS4YCNECqco4LIg2nT8q/DU7T9nv6YQtptUlPNdY
-OmJRXfUfcBSUINqVi/VbEjHtbZqc6dgvaRNEF0CYtqHm7P51BXGa3pH+6drL+U+a
-o3T4yHrEsDKUaQzJZoiJneexwN91x42gcyHzg30UZVgCP+9Zt2GQWXqpENNZjGlI
-bwzouvBj266ViBNbuu3tar58MASOCnCKGA0Jrs3P3QKBgQD0ENenvzaqNzV0A47x
-+RI76DM2eorY2dxh+4txAt1pXlkbMZuWXjs1ysBPYaGHZRitiCFcaSwdP2T0oCET
-ojYEU97bJkKlcuw2scAqznSi7U0uSaStwaWzEviGTsQ51MKghRESMfpt3BxZqyi0
-BV+fPeRk3l3xaw1AuZQ/JTn0qwKBgQCq9msPcbRzKvsmfsAVvjKAodzl6EaM+PcF
-YLnJLurjCtdyjj1lRaCBg9bRbaRbt9YPg4VA5oMYm2SuwbJQQHjqaeN+SpnV8GGc
-nPsZgoSlfZrnLovyGgC3muiA3uSPREZWUlp+IE8qlQ8VztSWkNyxNej4nhxk2UTH
-DOE2ZmNyMwKBgFD+yeKkZUrFuZp/l8+bfb6dx2kb77oZSrbFmLfvYHUYV2/b3atg
-KDwoxftSBh39odvs4k1dpcMrB6DbBz8RxOVYxAtsPg/T/KoGASTzkOeE4ukqjVkQ
-e6Ha+NjxiNM8VT6aCllEdrxAoLPtRju/0MTy8Dm9ReXZRfOl4pm2C+6zAoGAY2D6
-uu+NxaSmeaoUXo9BLCTrE3oCCNBwR2ACnz/2qiQTOTQV3FitBJxusy7Y67fhZwM8
-4o0ch6FM1Yki7iOMJjeHVlJnOkWReEiIbjvAf7KT6O7VytXytMgHf2IR2nYFrQgS
-Ml71pfsf2b1xNlTe9OQxmNPQDY9+u3ZxM/4wsKECgYBPvlYMaZNIOLFf7VXzUYGG
-rkXMpbLgLvIHvhF+4nsvspPVSqPeWjh2KMee3tMamy93H4R66G/KfoQw02JuZH+N
-HbGnnpyLa2jGjY0NkXEo08o2wsqv2QFtT/SFRoDLkah8rwZUwpxIg0akgrwwTslO
-rzAazDQvlb0itUxgU4qgqw==
------END PRIVATE KEY-----
frontend IST_8443
mode http
- bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
+ bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
option httplog
frontend IST_8443
mode http
- bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
+ bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
option httplog
{{ else }}
{{ tpl (.Files.Glob "resources/config/haproxy/haproxy.cfg").AsConfig . | indent 2 }}
{{ end }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: aai-haproxy-secret
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/haproxy/aai.pem").AsSecrets . | indent 2 }}
-# This is a shared key for both resources and traversal
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: aai-auth-truststore-secret
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/aai/*").AsSecrets . | indent 2 }}
-
{{ if .Values.global.installSidecarSecurity }}
---
apiVersion: v1
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
spec:
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- command:
- /app/ready.py
args:
subPath: haproxy.cfg
{{ end }}
name: haproxy-cfg
- - mountPath: /etc/ssl/private/aai.pem
- name: aai-pem
- subPath: aai.pem
+ {{- include "common.certInitializer.volumeMount" . | nindent 8 }}
ports:
- containerPort: {{ .Values.service.internalPort }}
# disable liveness probe when breakpoints set in debugger
- name: haproxy-cfg
configMap:
name: aai-deployment-configmap
- - name: aai-pem
- secret:
- secretName: aai-haproxy-secret
+ {{ include "common.certInitializer.volumes" . | nindent 8 }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
# since when this is enabled, it prints a lot of information to console
enabled: false
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+ nameOverride: aai-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: "aai"
+ app_ns: "org.osaaf.aaf"
+ fqi_namespace: "org.onap.aai"
+ fqi: "aai@aai.onap.org"
+ public_fqdn: "aaf.osaaf.org"
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ credsPath: /opt/app/osaaf/local
+ aaf_add_config: |
+ echo "*** retrieving passwords from AAF"
+ /opt/app/aaf_config/bin/agent.sh local showpass \
+ {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ export $(grep '^c' {{ .Values.credsPath }}/mycreds.prop | xargs -0)
+ echo "*** transform AAF certs into pem files"
+ mkdir -p {{ .Values.credsPath }}/certs
+ keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \
+ -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \
+ -alias ca_local_0 \
+ -storepass $cadi_truststore_password
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** generating needed file"
+ cat {{ .Values.credsPath }}/certs/cert.pem \
+ {{ .Values.credsPath }}/certs/cacert.pem \
+ {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
+ > {{ .Values.credsPath }}/certs/fullchain.pem;
+ chown 1001 {{ .Values.credsPath }}/certs/*
+
# application image
dockerhubRepository: registry.hub.docker.com
image: aaionap/haproxy:1.4.2
cpu: 2
memory: 2Gi
unlimited: {}
-
--- /dev/null
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: Template used to add cmpv2 certificates to components
+name: cmpv2Certificate
+version: 7.0.0
--- /dev/null
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: common
+ version: ~7.x-0
+ repository: 'file://../common'
+ - name: repositoryGenerator
+ version: ~7.x-0
+ repository: 'file://../repositoryGenerator'
--- /dev/null
+{{/*
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{/*
+In order to use certServiceClient it is needed do define certificates array in target component values.yaml. Each
+certificate will be requested from separate init container
+
+Minimum example of array in target component values.yaml:
+certificates:
+ - mountPath: /var/custom-certs
+ commonName: common-name
+
+Full example (other fields are ignored):
+certificates:
+ - mountPath: /var/custom-certs
+ caName: RA
+ outputType: JKS
+ commonName: common-name
+ dnsNames:
+ - dns-name-1
+ - dns-name-2
+ ipAddresses:
+ - 192.168.0.1
+ - 192.168.0.2
+ emailAddresses:
+ - email-1@onap.org
+ - email-2@onap.org
+ uris:
+ - http://uri-1.onap.org
+ - http://uri-2.onap.org
+ subject:
+ organization: Linux-Foundation
+ country: US
+ locality: San Francisco
+ province: California
+ organizationalUnit: ONAP
+
+There also need to be some includes used in a target component deployment (indent values may need to be adjusted):
+ 1. In initContainers section:
+ {{ include "common.certServiceClient.initContainer" . | indent 6 }}
+ 2. In volumeMounts section of container using certificates:
+ {{ include "common.certServiceClient.volumeMounts" . | indent 10 }}
+ 3. In volumes section:
+ {{ include "common.certServiceClient.volumes" . | indent 8 }}
+
+*/}}
+
+{{- define "common.certServiceClient.initContainer" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
+{{- range $index, $certificate := $dot.Values.certificates -}}
+{{/*# General certifiacate attributes #*/}}
+{{- $commonName := $certificate.commonName -}}
+{{/*# SAN's #*/}}
+{{- $dnsNames := default (list) $certificate.dnsNames -}}
+{{- $ipAddresses := default (list) $certificate.ipAddresses -}}
+{{- $uris := default (list) $certificate.uris -}}
+{{- $emailAddresses := default (list) $certificate.emailAddresses -}}
+{{- $sansList := concat $dnsNames $ipAddresses $uris $emailAddresses -}}
+{{- $sans := join "," $sansList }}
+{{/*# Subject #*/}}
+{{- $organization := $subchartGlobal.certificate.default.subject.organization -}}
+{{- $country := $subchartGlobal.certificate.default.subject.country -}}
+{{- $locality := $subchartGlobal.certificate.default.subject.locality -}}
+{{- $province := $subchartGlobal.certificate.default.subject.province -}}
+{{- $orgUnit := $subchartGlobal.certificate.default.subject.organizationalUnit -}}
+{{- if $certificate.subject -}}
+{{- $organization := $certificate.subject.organization -}}
+{{- $country := $certificate.subject.country -}}
+{{- $locality := $certificate.subject.locality -}}
+{{- $province := $certificate.subject.province -}}
+{{- $orgUnit := $certificate.subject.organizationalUnit -}}
+{{- end -}}
+{{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}}
+{{- $outputType := default $subchartGlobal.platform.certServiceClient.envVariables.outputType $certificate.outputType -}}
+{{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}}
+{{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}}
+{{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}}
+{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}}
+{{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}}
+{{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}}
+{{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}}
+{{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}}
+- name: certs-init-{{ $index }}
+ image: {{ include "repositoryGenerator.image.certserviceclient" $dot }}
+ imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
+ env:
+ - name: REQUEST_URL
+ value: {{ $requestUrl | quote }}
+ - name: REQUEST_TIMEOUT
+ value: {{ $requestTimeout | quote }}
+ - name: OUTPUT_PATH
+ value: {{ $certPath | quote }}
+ - name: OUTPUT_TYPE
+ value: {{ $outputType | quote }}
+ - name: CA_NAME
+ value: {{ $caName | quote }}
+ - name: COMMON_NAME
+ value: {{ $commonName | quote }}
+ - name: SANS
+ value: {{ $sans | quote }}
+ - name: ORGANIZATION
+ value: {{ $organization | quote }}
+ - name: ORGANIZATION_UNIT
+ value: {{ $orgUnit | quote }}
+ - name: LOCATION
+ value: {{ $locality | quote }}
+ - name: STATE
+ value: {{ $province | quote }}
+ - name: COUNTRY
+ value: {{ $country | quote }}
+ - name: KEYSTORE_PATH
+ value: {{ $keystorePath | quote }}
+ - name: KEYSTORE_PASSWORD
+ value: {{ $keystorePassword | quote }}
+ - name: TRUSTSTORE_PATH
+ value: {{ $truststorePath | quote }}
+ - name: TRUSTSTORE_PASSWORD
+ value: {{ $truststorePassword | quote }}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: {{ $certPath }}
+ name: cmpv2-certs-volume-{{ $index }}
+ - mountPath: {{ $certificatesSecretMountPath }}
+ name: certservice-tls-volume
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "common.certServiceClient.volumes" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
+{{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}}
+- name: certservice-tls-volume
+ secret:
+ secretName: {{ $certificatesSecretName }}
+{{ range $index, $certificate := $dot.Values.certificates -}}
+- name: cmpv2-certs-volume-{{ $index }}
+ emptyDir:
+ medium: Memory
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "common.certServiceClient.volumeMounts" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
+{{- range $index, $certificate := $dot.Values.certificates -}}
+{{- $mountPath := $certificate.mountPath -}}
+- mountPath: {{ $mountPath }}
+ name: cmpv2-certs-volume-{{ $index }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
--- /dev/null
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration default values that can be inherited by
+# all subcharts.
+#################################################################
+global:
+ # Enabling CMPv2
+ cmpv2Enabled: true
+ CMPv2CertManagerIntegration: false
+
+ certificate:
+ default:
+ subject:
+ organization: "Linux-Foundation"
+ country: "US"
+ locality: "San-Francisco"
+ province: "California"
+ organizationalUnit: "ONAP"
+
+ platform:
+ certServiceClient:
+ secret:
+ name: oom-cert-service-client-tls-secret
+ mountPath: /etc/onap/oom/certservice/certs/
+ envVariables:
+ certPath: "/var/custom-certs"
+ # Client configuration related
+ caName: "RA"
+ requestURL: "https://oom-cert-service:8443/v1/certificate/"
+ requestTimeout: "30000"
+ keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
+ outputType: "P12"
+ keystorePassword: "secret"
+ truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
+ truststorePassword: "secret"
-# Copyright © 2020 Nokia
+# Copyright © 2020-2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
global:
platform:
certServiceClient:
- image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2
+ image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
secretName: oom-cert-service-client-tls-secret
envVariables:
# Certificate related
keystorePassword: "secret"
truststorePassword: "secret"
certPostProcessor:
- image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.2
+ image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
# we should wait for other pods to be up before trying to join
# otherwise we got "no such host" errors when trying to resolve other members
for i in $(seq 0 $((${INITIAL_CLUSTER_SIZE} - 1))); do
+ if [ "${SET_NAME}-${i}" == "${HOSTNAME}" ]; then
+ echo "Skipping self-checking"
+ continue
+ fi
while true; do
echo "Waiting for ${SET_NAME}-${i}.${SERVICE_NAME} to come up"
ping -W 1 -c 1 ${SET_NAME}-${i}.${SERVICE_NAME} > /dev/null && break
value: {{ .Values.galera.name | quote }}
- name: MARIADB_GALERA_CLUSTER_ADDRESS
value: "gcomm://{{ template "common.name" . }}-headless.{{ include "common.namespace" . }}.svc.{{ .Values.global.clusterDomain }}"
+ # Bitnami init script don't behave well in dual stack env.
+ # set it here as long as https://github.com/bitnami/charts/issues/4077 is not solved.
+ - name: MARIADB_GALERA_NODE_ADDRESS
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
- name: MARIADB_ROOT_USER
value: {{ .Values.rootUser.user | quote }}
- name: MARIADB_ROOT_PASSWORD
{{- include "repositoryGenerator.image._helper" (merge (dict "image" "curlImage") .) }}
{{- end -}}
+{{- define "repositoryGenerator.image.certserviceclient" -}}
+ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }}
+{{- end -}}
+
{{- define "repositoryGenerator.image.envsubst" -}}
{{- include "repositoryGenerator.image._helper" (merge (dict "image" "envsubstImage") .) }}
{{- end -}}
# Copyright © 2020 Orange
+# Copyright © 2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# common global images
busyboxImage: busybox:1.32
curlImage: curlimages/curl:7.69.1
+ certServiceClientImage: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
envsubstImage: dibi/envsubst:1
# there's only latest image for htpasswd
htpasswdImage: xmartlabs/htpasswd:latest
imageRepoMapping:
busyboxImage: dockerHubRepository
curlImage: dockerHubRepository
+ certServiceClientImage: repository
envsubstImage: dockerHubRepository
htpasswdImage: dockerHubRepository
jreImage: repository
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2018 Amdocs, Bell Canada
# Modifications (c) 2020 Nokia. All rights reserved.
+# Copyright (c) 2021 J. F. Lucas. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
- name: mongo
version: ~7.x-0
repository: '@local'
- - name: cmpv2Config
- version: ~7.x-0
- repository: '@local'
- name: repositoryGenerator
version: ~7.x-0
repository: '@local'
+++ /dev/null
-{{/*
-#============LICENSE_START========================================================
-#=================================================================================
-# Copyright (c) 2017-2018 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2018 Amdocs, Bell Canada
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ if .Values.componentImages.datafile_collector }}
-tag_version: {{ include "repositoryGenerator.repository" . }}/{{ .Values.componentImages.datafile_collector }}
-{{ end }}
-replicas: 1
-log_directory: "/var/log/ONAP"
-topic_name: "unauthenticated.VES_NOTIFICATION_OUTPUT"
-envs: {}
-use_tls: true
-PM_MEAS_FILES_feed0_location: "loc00"
-feed0_name: "bulk_pm_feed"
-consumer_id: "C12"
-consumer_group: "OpenDcae-c12"
-cert_directory: "/opt/app/datafile/etc/cert/"
-external_port: ":0"
-datafile-collector_memory_limit: "512Mi"
-datafile-collector_memory_request: "512Mi"
-datafile-collector_cpu_limit: "250m"
-datafile-collector_cpu_request: "250m"
-external_cert_use_external_tls: false
-external_cert_ca_name: "RA"
-external_cert_common_name: "dcae-datafile-collector"
-external_cert_sans: "dcae-datafile-collector,datafile-collector,datafile"
-external_cert_cert_type: "P12"
+++ /dev/null
-{{/*
-#============LICENSE_START========================================================
-#=================================================================================
-# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2018 Amdocs, Bell Canada
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ if .Values.componentImages.snmptrap }}
-tag_version: {{ include "repositoryGenerator.repository" . }}/{{ .Values.componentImages.snmptrap }}
-{{ end }}
-external_port: {{ .Values.config.address.snmptrap.port }}
# ================================================================================
# Copyright (c) 2017-2018 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2018 Amdocs, Bell Canada
+# Copyright (c) 2021 J. F. Lucas. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# limitations under the License.
# ============LICENSE_END=========================================================
*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-dcae-config
- namespace: {{ include "common.namespace" . }}
-data:
-{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
----
apiVersion: v1
kind: ConfigMap
metadata:
# ================================================================================
# Copyright (c) 2017-2020 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2018 Amdocs, Bell Canada
+# Copyright (c) 2021 J. F. Lucas. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
volumeMounts:
- mountPath: /inputs
name: {{ include "common.fullname" . }}-dcae-inputs
- - mountPath: /dcae-configs
- name: {{ include "common.fullname" . }}-dcae-config
- mountPath: /etc/localtime
name: localtime
readOnly: true
- name: {{ include "common.fullname" . }}-dcae-inputs
emptyDir:
medium: Memory
- - name: {{ include "common.fullname" . }}-dcae-config
- configMap:
- name: {{ include "common.fullname" . }}-dcae-config
- name: localtime
hostPath:
path: /etc/localtime
#=================================================================================
# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2018 Amdocs, Bell Canada
+# Copyright (c) 2021 J. F. Lucas. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
disableNfsProvisioner: true
# application image
-image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:2.2.4
+image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:3.0.0
default_k8s_location: central
# DCAE component images to be deployed via Cloudify Manager
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018 AT&T
+# Copyright (c) 2021 J. F. Lucas. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
version: ~7.x-0
repository: '@local'
- name: repositoryGenerator
+ version: ~7.x-0
+ repository: '@local'
+ - name: cmpv2Config
version: ~7.x-0
repository: '@local'
\ No newline at end of file
# limitations under the License.
# ============LICENSE_END=========================================================
*/}}
-
{
"namespace": "{{ if .Values.dcae_ns }}{{ .Values.dcae_ns}}{{ else }}{{include "common.namespace" . }}{{ end}}",
"consul_dns_name": "{{ .Values.config.address.consul.host }}.{{ include "common.namespace" . }}",
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2018 Amdocs, Bell Canada
+# Copyright (c) 2021 J. F. Lucas. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# limitations under the License.
# ============LICENSE_END=========================================================
*/}}
-
apiVersion: v1
kind: ConfigMap
metadata:
---
apiVersion: v1
kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-plugins
+ namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/config/plugins/*").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
metadata:
name: {{ include "common.release" . }}-dcae-filebeat-configmap
namespace: {{include "common.namespace" . }}
# ================================================================================
# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2018 Amdocs, Bell Canada
-# Copyright (c) 2020 J. F. Lucas. All rights reserved.
+# Copyright (c) 2020-2021 J. F. Lucas. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
- ip: "127.0.0.1"
hostnames:
- "dcae-cloudify-manager"
+ # Cloudify requires a fixed hostname across restarts
+ hostname: dcae-cloudify-manager
initContainers:
- name: {{ include "common.name" . }}-readiness
image: {{ include "repositoryGenerator.image.readiness" . }}
args:
- --container-name
- aaf-cm
+ - --container-name
+ - consul-server
- "-t"
- "15"
env:
- {{ include "common.namespace" . }}
- --configmap
- {{ .Values.multisiteConfigMapName }}
+ - name: init-consul
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.consulLoaderImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ args:
+ - --key
+ - k8s-plugin|/plugin-configs/k8s-plugin.json
+ - --key
+ - dmaap-plugin|/plugin-configs/dmaap-plugin.json
+ resources: {}
+ volumeMounts:
+ - mountPath: /plugin-configs
+ name: plugin-configs
- name: init-tls
env:
- name: POD_IP
- name: {{ include "common.fullname" .}}-kubeconfig
configMap:
name: {{ .Values.multisiteConfigMapName }}
+ - name: plugin-configs
+ configMap:
+ name: {{ include "common.fullname" . }}-plugins
- name: dcae-token
secret:
secretName: dcae-token
# ================================================================================
# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2018 Amdocs, Bell Canada
-# Copyright (c) 2020 J. F. Lucas. All rights reserved.
+# Copyright (c) 2020-2021 J. F. Lucas. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
nodePortPrefix: 302
persistence: {}
tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
+ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0
repositoryCred:
user: docker
password: docker
# Application configuration defaults.
#################################################################
# application image
-image: onap/org.onap.dcaegen2.deployments.cm-container:3.4.2
+image: onap/org.onap.dcaegen2.deployments.cm-container:4.1.0
pullPolicy: Always
# name of shared ConfigMap with kubeconfig for multiple clusters
# image for cleanup job container
cleanupImage: onap/org.onap.dcaegen2.deployments.dcae-k8s-cleanup-container:1.0.0
+# default location for k8s deployments via Cloudify
+default_k8s_location: central
+
# probe configuration parameters
liveness:
initialDelaySeconds: 10
mountInitPath: dcaemod
# application image
-image: onap/org.onap.dcaegen2.platform.mod.onboardingapi:2.12.3
+image: onap/org.onap.dcaegen2.platform.mod.onboardingapi:2.12.4
# Resource Limit flavor -By Default using small
flavor: small
# Should have a proper readiness endpoint or script
# application image
-image: onap/org.onap.dcaegen2.platform.mod.runtime-web:1.2.0
+image: onap/org.onap.dcaegen2.platform.mod.runtime-web:1.2.1
# Resource Limit flavor -By Default using small
flavor: small
{{- end -}}
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 10 }}
- {{- end -}}
+ {{- end }}
# Filebeat sidecar container
- name: {{ include "common.name" . }}-filebeat-onap
image: {{ include "repositoryGenerator.image.logging" . }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 10 }}
- {{- end -}}
+ {{- end }}
# Filebeat sidecar container
- name: {{ include "common.name" . }}-filebeat-onap
image: {{ include "repositoryGenerator.image.logging" . }}
type: {{ $root.Values.service.type }}
externalTrafficPolicy: Local
selector:
- statefulset.kubernetes.io/pod-name: {{ include "common.release" $root }}-{{ $root.Values.service.name }}-{{ $i }}
+ statefulset.kubernetes.io/pod-name: {{ include "common.release" $root }}-{{ $root.Values.service.name }}-{{ $i }}
ports:
- port: {{ $root.Values.service.externalPort }}
targetPort: {{ $root.Values.service.externalPort }}
service:
type: NodePort
name: message-router-kafka
- portName: message-router-kafka
+ portName: tcp-message-router-kafka
internalPort: 9092
internalSSLPort: 9093
externalPort: 9091
value: "{{ .Values.zkConfig.clientPort }}"
- name: KAFKA_OPTS
value: "{{ .Values.zkConfig.kafkaOpts }}"
+ - name: ZOOKEEPER_QUORUM_LISTEN_ON_ALL_IPS
+ value: "true"
- name: ZOOKEEPER_SERVER_ID
valueFrom:
fieldRef:
type: ClusterIP
name: message-router-zookeeper
portName: message-router-zookeeper
- clientPortName: client
+ clientPortName: tcp-client
clientPort: 2181
- serverPortName: server
+ serverPortName: tcp-server
serverPort: 2888
- leaderElectionPortName: leader-election
+ leaderElectionPortName: tcp-leader
leaderElectionPort: 3888
ingress:
# Copyright © 2019 Amdocs, Bell Canada
# Copyright (c) 2020 Nordix Foundation, Modifications
-# Modifications Copyright © 2020 Nokia
+# Modifications Copyright © 2020-2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
CMPv2CertManagerIntegration: false
platform:
certServiceClient:
- image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2
+ image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
secret:
name: oom-cert-service-client-tls-secret
mountPath: /etc/onap/oom/certservice/certs/
envVariables:
+ certPath: "/var/custom-certs"
# Certificate related
cmpv2Organization: "Linux-Foundation"
cmpv2OrganizationalUnit: "ONAP"
-# Copyright © 2020, Nokia
+# Copyright © 2020-2021, Nokia
# Modifications Copyright © 2020, Nordix Foundation, Orange
# Modifications Copyright © 2020 Nokia
#
# Deployment configuration
repository: "nexus3.onap.org:10001"
-image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.2
+image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3
pullPolicy: Always
replicaCount: 1
# validator settings
#default_error_message = Default error message
-login_url_no_ret_val = http://{{.Values.global.portalHostName}}:{{.Values.global.portalPort}}/ONAPPORTAL/login.htm
+login_url_no_ret_val = https://{{.Values.global.portalHostName}}:{{.Values.global.portalFEPort}}/ONAPPORTAL/login.htm
user_attribute_name = user
# Copyright © 2017 Amdocs, Bell Canada,
# Copyright © 2020 highstreet technologies GmbH
+# Copyright © 2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
- name: certInitializer
version: ~7.x-0
repository: '@local'
+ - name: cmpv2Certificate
+ version: ~7.x-0
+ repository: '@local'
- name: logConfiguration
version: ~7.x-0
repository: '@local'
faultConsumerClass=org.onap.ccsdk.features.sdnr.wt.mountpointregistrar.impl.DMaaPFaultVESMsgConsumer
TransportType=HTTPNOAUTH
host=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort | default "3904"}}
+{{- if .Values.config.sdnr.dmaapProxy.enabled }}
+{{- if .Values.config.sdnr.dmaapProxy.usepwd }}
+jersey.config.client.proxy.username=${DMAAP_HTTP_PROXY_USERNAME}
+jersey.config.client.proxy.password=${DMAAP_HTTP_PROXY_PASSWORD}
+{{- end }}
+jersey.config.client.proxy.uri={{ .Values.config.sdnr.dmaapProxy.url }}
+{{- end }}
topic=unauthenticated.SEC_FAULT_OUTPUT
contenttype=application/json
group=myG
pnfRegConsumerClass=org.onap.ccsdk.features.sdnr.wt.mountpointregistrar.impl.DMaaPPNFRegVESMsgConsumer
TransportType=HTTPNOAUTH
host=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort | default "3904"}}
+{{- if .Values.config.sdnr.dmaapProxy.enabled }}
+{{- if .Values.config.sdnr.dmaapProxy.usepwd }}
+jersey.config.client.proxy.username=${DMAAP_HTTP_PROXY_USERNAME}
+jersey.config.client.proxy.password=${DMAAP_HTTP_PROXY_PASSWORD}
+{{- end }}
+jersey.config.client.proxy.uri={{ .Values.config.sdnr.dmaapProxy.url }}
+{{- end }}
topic=unauthenticated.VES_PNFREG_OUTPUT
contenttype=application/json
group=myG
{{/*
# Copyright © 2020 Samsung Electronics
# Copyright © 2017 Amdocs, Bell Canada
+# Copyright © 2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "login") | indent 10 }}
- name: ODL_ADMIN_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }}
+ {{ if and .Values.config.sdnr.dmaapProxy.enabled .Values.config.sdnr.dmaapProxy.usepwd }}
+ - name: DMAAP_HTTP_PROXY_USERNAME
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-proxy-creds" "key" "login") | indent 10 }}
+ - name: DMAAP_HTTP_PROXY_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-proxy-creds" "key" "password") | indent 10 }}
+ {{- end }}
+
volumeMounts:
- mountPath: /config-input
name: {{ include "common.name" . }}-readiness
{{ end -}}
{{ include "common.certInitializer.initContainer" . | indent 6 }}
-
- {{ if .Values.global.cmpv2Enabled }}
- - name: certs-init
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.platform.certServiceClient.image }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- env:
- - name: REQUEST_URL
- value: {{ .Values.global.platform.certServiceClient.envVariables.requestURL }}
- - name: REQUEST_TIMEOUT
- value: "30000"
- - name: OUTPUT_PATH
- value: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
- - name: CA_NAME
- value: {{ .Values.global.platform.certServiceClient.envVariables.caName }}
- - name: COMMON_NAME
- value: {{ .Values.global.platform.certServiceClient.envVariables.common_name }}
- - name: ORGANIZATION
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Organization }}
- - name: ORGANIZATION_UNIT
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2OrganizationalUnit }}
- - name: LOCATION
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Location }}
- - name: STATE
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2State }}
- - name: COUNTRY
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Country }}
- - name: KEYSTORE_PATH
- value: {{ .Values.global.platform.certServiceClient.envVariables.keystorePath }}
- - name: KEYSTORE_PASSWORD
- value: {{ .Values.global.platform.certServiceClient.envVariables.keystorePassword }}
- - name: TRUSTSTORE_PATH
- value: {{ .Values.global.platform.certServiceClient.envVariables.truststorePath }}
- - name: TRUSTSTORE_PASSWORD
- value: {{ .Values.global.platform.certServiceClient.envVariables.truststorePassword }}
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
- name: certs
- - mountPath: {{ .Values.global.platform.certServiceClient.secret.mountPath }}
- name: certservice-tls-volume
- {{ end }}
-
- - name: {{ include "common.name" . }}-init-files
+{{ include "common.certServiceClient.initContainer" . | indent 6 }}
+ - name: {{ include "common.name" . }}-chown
image: {{ include "repositoryGenerator.image.busybox" . }}
command:
- sh
- |
mkdir {{ .Values.persistence.mdsalPath }}/daexim
mkdir {{ .Values.persistence.mdsalPath }}/journal
- mkdir {{ .Values.persistence.mdsalPath }}/snapshots
+ mkdir {{ .Values.persistence.mdsalPath }}/snapshots
chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.persistence.mdsalPath }}
{{- if .Values.global.aafEnabled }}
chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.certInitializer.credsPath }}
volumeMounts:
{{ include "common.certInitializer.volumeMount" . | indent 10 }}
+{{ include "common.certServiceClient.volumeMounts" . | indent 10 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: {{ .Values.config.odl.etcDir }}/mountpoint-state-provider.properties
name: properties
subPath: mountpoint-state-provider.properties
- {{ if .Values.global.cmpv2Enabled }}
- - mountPath: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
- name: certs
- {{- end }}
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
- name: properties
emptyDir:
medium: Memory
- {{ if .Values.global.cmpv2Enabled }}
- - name: certs
- emptyDir:
- medium: Memory
- - name: certservice-tls-volume
- secret:
- secretName: {{ .Values.global.platform.certServiceClient.secret.name }}
- {{- end }}
{{ if not .Values.persistence.enabled }}
- name: {{ include "common.fullname" . }}-data
emptyDir: {}
{{ else }}
{{ include "common.certInitializer.volumes" . | nindent 8 }}
+{{ include "common.certServiceClient.volumes" . | nindent 8 }}
volumeClaimTemplates:
- metadata:
name: {{ include "common.fullname" . }}-data
# Copyright © 2020 Samsung Electronics, highstreet technologies GmbH
# Copyright © 2017 Amdocs, Bell Canada
+# Copyright © 2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
service: mariadb-galera
internalPort: 3306
nameOverride: mariadb-galera
- service: mariadb-galera
- # Enabling CMPv2
- cmpv2Enabled: true
+ # Enabling CMPv2 with CertManager
CMPv2CertManagerIntegration: false
- platform:
- certServiceClient:
- image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2
- secret:
- name: oom-cert-service-client-tls-secret
- mountPath: /etc/onap/oom/certservice/certs/
- envVariables:
- # Certificate related
- cert_path: /var/custom-certs
- cmpv2Organization: "Linux-Foundation"
- cmpv2OrganizationalUnit: "ONAP"
- cmpv2Location: "San-Francisco"
- cmpv2Country: "US"
- # Client configuration related
- caName: "RA"
- common_name: "sdnc.simpledemo.onap.org"
- requestURL: "https://oom-cert-service:8443/v1/certificate/"
- requestTimeout: "30000"
- keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
- outputType: "P12"
- keystorePassword: "secret"
- truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
- truststorePassword: "secret"
#################################################################
# Secrets metaconfig
password: '{{ .Values.config.odlPassword }}'
# For now this is left hardcoded but should be revisited in a future
passwordPolicy: required
+ - uid: dmaap-proxy-creds
+ name: &dmaapProxyCredsSecretName '{{ include "common.release" . }}-sdnc-dmaap-proxy-creds'
+ type: basicAuth
+ externalSecret: '{{ .Values.config.dmaapProxyCredsExternalSecret }}'
+ login: '{{ .Values.config.sdnr.dmaapProxy.user }}'
+ password: '{{ .Values.config.sdnr.dmaapProxy.password }}'
+ # For now this is left hardcoded but should be revisited in a future
+ passwordPolicy: required
- uid: netbox-apikey
type: password
externalSecret: '{{ .Values.config.netboxApikeyExternalSecret }}'
# Certificates
#################################################################
certificates:
- - commonName: sdnc.simpledemo.onap.org
+ - mountPath: /var/custom-certs
+ commonName: sdnc.simpledemo.onap.org
dnsNames:
- sdnc.simpledemo.onap.org
p12Keystore:
sdnrdbTrustAllCerts: true
mountpointRegistrarEnabled: false
mountpointStateProviderEnabled: false
+ # enable and set dmaap-proxy for mountpointRegistrar
+ dmaapProxy:
+ enabled: false
+ usepwd: true
+ user: addUserHere
+ password: addPasswordHere
+ url: addProxyUrlHere
+
+
Code Review / oom.git / commitdiff