# enable all component's Ingress interfaces
enable_all: false
# default Ingress base URL
- # can be overwritten in component by setting ingress.baseurlOverride
+ # All http requests via ingress will be redirected
virtualhost:
+ # Default Ingress base URL
+ # can be overwritten in component by setting ingress.baseurlOverride
baseurl: "simpledemo.onap.org"
+ # prefix for baseaddr
+ # can be overwritten in component by setting ingress.preaddrOverride
+ preaddr: ""
+ # postfix for baseaddr
+ # can be overwritten in component by setting ingress.postaddrOverride
+ postaddr: ""
# All http requests via ingress will be redirected on Ingress controller
# only valid for Istio Gateway (ServiceMesh enabled)
config:
- enable_all: true → enables Ingress configuration in each component
- virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all Interfaces set by the components,
resulting in e.g. "aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.baseurlOverride
+- virtualhost.preaddr: "pre-" → sets globally a prefix for the Application name for all Interfaces set by the components,
+ resulting in e.g. "pre-aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.preaddrOverride
+- virtualhost.postaddr: "-post" → sets globally a postfix for the Application name for all Interfaces set by the components,
+ resulting in e.g. "aai-api-post.simpledemo.onap.org", can be overwritten in the component via: ingress.postaddrOverride
- config.ssl: redirect → sets in the Ingress globally the redirection of all Interfaces from http (port 80) to https (port 443)
- config.tls.secret: "..." → (optional) overrides the default selfsigned SSL certificate with a certificate stored in the specified secret
- namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate
<recommended-istio-version> with the version defined in
the :ref:`versions_table` table::
- > helm upgrade -i istio-ingressgateway istio/gateway -n istio-ingress
+ > helm upgrade -i istio-ingress istio/gateway -n istio-ingress
--version <recommended-istio-version> --wait
Kiali Installation
{{- define "ingress.config.host" -}}
{{- $dot := default . .dot -}}
{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
+{{- $preaddr := default "" $dot.Values.global.ingress.virtualhost.preaddr -}}
+{{- $preaddr := include "common.ingress._overrideIfDefined" (dict "currVal" $preaddr "parent" (default (dict) $dot.Values.ingress) "var" "preaddrOverride") -}}
+{{- $postaddr := default "" $dot.Values.global.ingress.virtualhost.postaddr -}}
+{{- $postaddr := include "common.ingress._overrideIfDefined" (dict "currVal" $postaddr "parent" (default (dict) $dot.Values.ingress) "var" "postaddrOverride") -}}
{{- $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}}
{{- $burl := include "common.ingress._overrideIfDefined" (dict "currVal" $burl "parent" (default (dict) $dot.Values.ingress) "var" "baseurlOverride") -}}
-{{ printf "%s.%s" $baseaddr $burl }}
+{{ printf "%s%s%s.%s" $preaddr $baseaddr $postaddr $burl }}
{{- end -}}
{{/*
- Helper function to add the tls route
+ Istio Helper function to add the tls route
*/}}
-{{- define "ingress.config.tls" -}}
+{{- define "istio.config.tls_simple" -}}
{{- $dot := default . .dot -}}
-{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
+ tls:
{{- if $dot.Values.global.ingress.config }}
-{{- if $dot.Values.global.ingress.config.ssl }}
-{{- if eq $dot.Values.global.ingress.config.ssl "redirect" }}
+{{- if $dot.Values.global.ingress.config.tls }}
+ credentialName: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }}
+{{- else }}
+ credentialName: "ingress-tls-secret"
+{{- end }}
+{{- else }}
+ credentialName: "ingress-tls-secret"
+{{- end }}
+ mode: SIMPLE
+{{- end -}}
+
+{{/*
+ Istio Helper function to add the tls route
+*/}}
+{{- define "istio.config.tls" -}}
+{{- $dot := default . .dot -}}
+{{- $service := (required "'service' param, set to the specific service, is required." .service) -}}
+{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
+{{- if $service.exposedPort }}
+{{- if $service.exposedProtocol }}
+{{- if eq $service.exposedProtocol "TLS" }}
+ {{ include "istio.config.tls_simple" (dict "dot" $dot ) }}
+{{- end }}
+{{- end }}
+{{- else }}
+{{- if $dot.Values.global.ingress.config }}
+{{- if $dot.Values.global.ingress.config.ssl }}
+{{- if eq $dot.Values.global.ingress.config.ssl "redirect" }}
tls:
httpsRedirect: true
- port:
number: 443
name: https
protocol: HTTPS
- tls:
-{{- if $dot.Values.global.ingress.config }}
-{{- if $dot.Values.global.ingress.config.tls }}
- credentialName: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }}
-{{- else }}
- credentialName: "ingress-tls-secret"
-{{- end }}
-{{- else }}
- credentialName: "ingress-tls-secret"
-{{- end }}
- mode: SIMPLE
+ {{ include "istio.config.tls_simple" (dict "dot" $dot ) }}
hosts:
- {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
+{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
+{{/*
+ Istio Helper function to add the external port of the service
+*/}}
+{{- define "istio.config.port" -}}
+{{- $dot := default . .dot -}}
+{{- if .exposedPort }}
+ number: {{ .exposedPort }}
+{{- if .exposedProtocol }}
+ name: {{ .baseaddr }}
+ protocol: {{ .exposedProtocol }}
+{{- else }}
+ name: http
+ protocol: HTTP
+{{- end -}}
+{{- else }}
+ number: 80
+ name: http
+ protocol: HTTP
+{{- end -}}
+{{- end -}}
+
{{/*
Helper function to add the route to the service
*/}}
{{- end -}}
{{/*
- Helper function to add the route to the service
+ Istio Helper function to add the route to the service
*/}}
{{- define "istio.config.route" -}}
{{- $dot := default . .dot -}}
name: {{ $baseaddr }}-gateway
spec:
selector:
- istio: ingressgateway # use Istio default gateway implementation
+ istio: ingress # use Istio default gateway implementation
servers:
- port:
- number: 80
- name: http
- protocol: HTTP
+ {{- include "istio.config.port" . }}
hosts:
- {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
- {{ include "ingress.config.tls" (dict "dot" $dot "baseaddr" $baseaddr) }}
+ {{- include "istio.config.tls" (dict "dot" $dot "service" . "baseaddr" $baseaddr) }}
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
polBasicAuthPassword: zb!XztG34
polUrl:
https: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision
- http: http://policy-xacml-pdp:8080/policy/pdpx/v1/decision
+ http: http://policy-xacml-pdp:6969/policy/pdpx/v1/decision
polEnv: TEST
polReqId: xx
disableHostVerification: true
aaiAuth: QUFJOkFBSQ==
aaiUri:
https: https://aai:8443/aai/v14/
- http: http://aai:8080/aai/v14/
+ http: http://aai:80/aai/v14/
# default number of instances
replicaCount: 1
# enable all component's Ingress interfaces
enable_all: true
# All http requests via ingress will be redirected
+ virtualhost:
+ # Default Ingress base URL
+ # can be overwritten in component by setting ingress.baseurlOverride
+ baseurl: "simpledemo.onap.org"
+ # prefix for baseaddr
+ # can be overwritten in component by setting ingress.preaddrOverride
+ preaddr: ""
+ # postfix for baseaddr
+ # can be overwritten in component by setting ingress.postaddrOverride
+ postaddr: ""
config:
ssl: "redirect"
# you can set an own Secret containing a certificate
enabled: false
# enable all component's Ingress interfaces
enable_all: false
- # default Ingress base URL
- # can be overwritten in component vy setting ingress.baseurlOverride
+
+ # default Ingress base URL and preAddr- and postAddr settings
+ # Ingress URLs result:
+ # <preaddr><component.ingress.service.baseaddr><postaddr>.<baseurl>
virtualhost:
+ # Default Ingress base URL
+ # can be overwritten in component by setting ingress.baseurlOverride
baseurl: "simpledemo.onap.org"
- # All http requests via ingress will be redirected on Ingress controller
+ # prefix for baseaddr
+ # can be overwritten in component by setting ingress.preaddrOverride
+ preaddr: ""
+ # postfix for baseaddr
+ # can be overwritten in component by setting ingress.postaddrOverride
+ postaddr: ""
+
+ # All http (port 80) requests via ingress will be redirected
+ # to port 443 on Ingress controller
# only valid for Istio Gateway (ServiceMesh enabled)
config:
ssl: "redirect"
resources:
- nst
+ nsst_selection:
+ policy_fetch: by_scope
+ policy_scope:
+ -
+ scope:
+ - OSDF_GUILIN
+ services:
+ - nsst
+ resources:
+ - nsst
+
subnet_selection:
policy_fetch: by_scope
policy_scope:
# limitations under the License.
*/}}
-mysql() { /usr/bin/mysql -h ${MYSQL_HOST} -P ${MYSQL_USER} "$@"; };
+mysqlcmd() { mysql -h ${MYSQL_HOST} -P ${MYSQL_USER} "$@"; };
for db in migration pooling policyadmin policyclamp operationshistory clampacm
do
- mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};"
- mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;"
+ mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};"
+ mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;"
done
mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;"
fieldPath: metadata.namespace
containers:
- name: {{ include "common.name" . }}-galera-config
- image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadb.image }}
+ image: {{ include "repositoryGenerator.image.mariadb" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
volumeMounts:
- mountPath: /dbcmd-config/db.sh
{{ include "common.resources" . }}
{{- if (include "common.onServiceMesh" .) }}
- name: policy-service-mesh-wait-for-job-container
- image: nexus3.onap.org:10001/onap/oom/readiness:4.1.0
+ image: {{ include "repositoryGenerator.image.quitQuit" . }}
imagePullPolicy: Always
command:
- /bin/sh
initContainers: {{ if .Values.global.postgres.localCluster }}{{ include "common.readinessCheck.waitFor" . | nindent 6 }}{{ end }}
containers:
- name: {{ include "common.name" . }}-pg-config
- image: {{ .Values.repository }}/{{ .Values.postgresImage }}
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.postgresImage }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
volumeMounts:
- mountPath: /docker-entrypoint-initdb.d/db-pg.sh
{{ include "common.resources" . }}
{{- if (include "common.onServiceMesh" .) }}
- name: policy-service-mesh-wait-for-job-container
- image: nexus3.onap.org:10001/onap/oom/readiness:4.1.0
+ image: {{ include "repositoryGenerator.image.quitQuit" . }}
imagePullPolicy: Always
command:
- /bin/sh
{{ include "common.resources" . }}
{{- if (include "common.onServiceMesh" .) }}
- name: policy-service-mesh-wait-for-job-container
- image: nexus3.onap.org:10001/onap/oom/readiness:4.1.0
+ image: {{ include "repositoryGenerator.image.quitQuit" . }}
imagePullPolicy: Always
command:
- /bin/sh
{{ include "common.resources" . }}
{{- if (include "common.onServiceMesh" .) }}
- name: policy-service-mesh-wait-for-job-container
- image: nexus3.onap.org:10001/onap/oom/readiness:4.1.0
+ image: {{ include "repositoryGenerator.image.quitQuit" . }}
imagePullPolicy: Always
command:
- /bin/sh
# DB configuration defaults.
#################################################################
-repository: nexus3.onap.org:10001
-pullPolicy: Always
-
-mariadb:
- image: mariadb:10.5.8
-
dbmigrator:
image: onap/policy-db-migrator:2.5.1
schema: policyadmin