+++ /dev/null
----
-project_cfg: onap
-project: onap
-
-# Change this to ReleaseBranchName to modify the header
-default-version: kohn
-#
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018 AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
dependencies:
- name: common
version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
repository: '@local'
- name: cassandra
version: ~12.x-0
# be published independently to a repo (at this point)
repository: '@local'
condition: global.cassandra.localCluster
- - name: certInitializer
- version: ~12.x-0
- repository: '@local'
- name: repositoryGenerator
version: ~12.x-0
repository: '@local'
# Copyright © 2018 Amdocs, AT&T
# Modifications Copyright © 2018 Bell Canada
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
dependencies:
- name: common
- version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Copyright © 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# limitations under the License.
*/}}
server.port=9516
-{{ if ( include "common.needTLS" .) }}
-server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-server.ssl.key-store-password=${KEYSTORE_PASSWORD}
-server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-server.ssl.client-auth=need
-server.ssl.key-store-type=PKCS12
-{{ else }}
security.require-ssl=false
server.ssl.enabled=false
-{{ end }}
spring.main.allow-bean-definition-overriding=true
server.servlet.context-path=/services/babel-service
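Review bot: `security.require-ssl=false` and `server.ssl.enabled=false` are now unconditional, so babel listens in plaintext on 9516 and nothing in this template records where transport encryption is expected to come from once the `common.needTLS` branch is gone. The babel values in this same change keep `type: NodePort` for that port, so the plaintext listener is presumably meant to sit behind a service mesh or an ingress that terminates TLS, but a reader of this file cannot tell. Add a comment above `security.require-ssl=false`, e.g. `# TLS is no longer terminated in the application; transport security is expected from the service mesh / ingress in front of it`.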
# Copyright © 2018 Amdocs, AT&T
# Modifications Copyright © 2018 Bell Canada
# Modifications Copyright © 2020,2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
apiVersion: apps/v1
kind: Deployment
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
spec:
- selector:
- matchLabels:
- app: {{ include "common.name" . }}
+ selector: {{- include "common.selectors" . | nindent 4 }}
replicas: {{ .Values.replicaCount }}
strategy:
type: {{ .Values.updateStrategy.type }}
maxSurge: {{ .Values.updateStrategy.maxSurge }}
{{- end }}
template:
- metadata:
- labels:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- {{- if .Values.global.aafEnabled }}
- command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
- echo "*** actual launch of AAI Babel"
- /bin/bash /opt/app/babel/bin/start.sh
- {{- end }}
- ports:
- - containerPort: {{ .Values.service.internalPort }}
+ ports: {{ include "common.containerPorts" . | nindent 12 }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{ if .Values.liveness.enabled }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
env:
- {{- if not (include "common.needTLS" .) }}
- name: KEY_STORE_PASSWORD
value: NotUsed
- {{- end }}
- name: CONFIG_HOME
value: /opt/app/babel/config
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
# side car containers
{{ include "common.log.sidecar" . | nindent 8 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
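Review bot: The `env` entry `KEY_STORE_PASSWORD` / `value: NotUsed` survives with its `common.needTLS` guard removed, so a placeholder that used to mark the non-TLS path is now set unconditionally, while every keystore reference in babel's `application.properties` was deleted in the same change. If the image no longer reads this variable at startup, the two lines `- name: KEY_STORE_PASSWORD` and `value: NotUsed` are dead configuration and should go with the rest of the certInitializer plumbing; if the start script still requires it, keep it with a comment such as `# placeholder: no keystore is configured, the start script expects the variable to exist`. I cannot see the image's start script from this diff, so that needs confirming before removal.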
# limitations under the License.
*/}}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- {{- if eq .Values.service.type "NodePort" }}
- - port: {{ .Values.service.internalPort }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- {{- else }}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- {{- end }}
-
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
+{{ include "common.service" . }}
# Copyright © 2018 Amdocs, AT&T
# Modifications Copyright © 2018 Bell Canada
# Modifications Copyright © 2020, 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
#################################################################
global: {}
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-babel-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: aai
- fqi: aai@aai.onap.org
- public_fqdn: aai.onap.org
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- app_ns: org.osaaf.aaf
- credsPath: /opt/app/osaaf/local
- fqi_namespace: org.onap.aai
- aaf_add_config: |
- echo "*** changing them into shell safe ones"
- export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** writing passwords into prop file"
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
- echo "KEY_STORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "KEY_MANAGER_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R 1000 {{ .Values.credsPath }}
-
#################################################################
# Application configuration defaults.
#################################################################
service:
type: NodePort
- portName: http
- externalPort: 9516
internalPort: 9516
- nodePort: 79
+ ports:
+ - name: http
+ port: 9516
+ nodePort: 79
ingress:
enabled: false
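Review bot: The new `service.ports` entry keeps `type: NodePort` with `nodePort: 79`, and with the TLS path removed in this change that node port now serves plaintext HTTP outside the cluster unconditionally, whereas before it was only plaintext when `common.needTLS` was false. A comment on the entry, e.g. `# plaintext HTTP; transport security is expected from the service mesh / ingress`, or a `ClusterIP` default where external access is not needed, would make the exposure deliberate rather than incidental. Dropping the `certInitializer` block also removes the demo `aafDeployPass` default, which is a welcome cleanup; any template outside this diff that still reads `.Values.certInitializer.*` would now render empty and should be checked.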
# ================================================================================
# Copyright © 2018 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
dependencies:
- name: common
- version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
# ================================================================================
# Copyright © 2018 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# this could come from siteconfig.pl?
aai.config.nodename=AutomaticallyOverwritten
-
-{{ if ( include "common.needTLS" .) }}
-aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/
-aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/
-aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/
-{{ else }}
aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/
aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/
aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/
-{{ end }}
{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }}
aai.tools.enableBasicAuth=true
aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
-{{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
-aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
-{{ end }}
-
aai.notification.current.version={{ .Values.global.config.schema.version.api.default }}
aai.notificationEvent.default.status=UNPROCESSED
aai.notificationEvent.default.eventType={{ .Values.global.config.notification.eventType }}
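Review bot: `aai.server.url.base`, `aai.server.url` and `aai.global.callback.url` are now unconditionally `http://`, while `aai.tools.enableBasicAuth=true` and `aai.tools.password=...` are still emitted when basic auth or the service mesh is enabled, so the basic-auth password travels over plaintext HTTP unless the mesh sidecar is actually providing mTLS. Nothing in this file records that dependency; a comment above `aai.server.url.base` such as `# plaintext HTTP: transport security and peer authentication are expected from the service mesh (see common.onServiceMesh)` would make the assumption explicit. The password also ends up as cleartext in the rendered properties ConfigMap, which predates this change but is now the only credential path left for these calls.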
# ================================================================================
# Copyright � 2018 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
-spring.profiles.active={{ .Values.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }}
+spring.profiles.active={{ .Values.config.profiles.active }}
spring.jersey.application-path=${schema.uri.base.path}
#The max number of active threads in this pool
server.tomcat.max-threads=200
server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties
server.port=8449
-{{ if ( include "common.needTLS" .) }}
-server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
-server.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
-server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-server.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
-server.ssl.client-auth=want
-server.ssl.key-store-type=JKS
-{{ else }}
security.require-ssl=false
server.ssl.enabled=false
-{{ end }}
# JMS bind address host port
jms.bind.address=tcp://localhost:61649
-dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }}
-dmaap.ribbon.transportType={{ include "common.scheme" . }}
+dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3904
+dmaap.ribbon.transportType=http
# Schema related attributes for the oxm and edges
# Any additional schema related attributes should start with prefix schema
schema.service.nodes.endpoint=nodes?version=
schema.service.edges.endpoint=edgerules?version=
schema.service.versions.endpoint=versions
-schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
+schema.service.client=no-auth
-{{ if ( include "common.needTLS" .) }}
-schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
-schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-schema.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
-schema.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
-{{ end }}
aperture.rdbmsname=aai_relational
-aperture.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
+aperture.service.client=no-auth
aperture.service.base.url=http://localhost:8457/aai/aperture
-{{ if ( include "common.needTLS" .) }}
-aperture.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
-aperture.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-aperture.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
-aperture.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
-{{ end }}
aperture.service.timeout-in-milliseconds=300000
#To Expose the Prometheus scraping endpoint
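Review bot: `schema.service.client=no-auth` and `aperture.service.client=no-auth` are now hard-coded, which silently retires the `global.config.schema.service.client` values key that the old TLS branch read; if that key still exists in values it is dead and should be removed, or the template should keep honouring it, otherwise an operator setting it gets no effect and no error. Combined with `dmaap.ribbon.transportType=http` and the unconditional `server.ssl.enabled=false`, graphadmin now performs no transport security or client authentication of its own toward schema-service, aperture and message-router, so the chart relies entirely on service-mesh policy for peer identity; a one-line comment above `schema.service.client=no-auth` recording that would help the next reviewer. Removing `server.ssl.enabled-protocols=TLSv1.1,TLSv1.2` along with the rest is fine, since that allow-list included a deprecated protocol version anyway.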
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
hostname: aai-graphadmin
terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
{{ if .Values.global.initContainers.enabled }}
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- {{- if .Values.global.aafEnabled }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** Set obfuscated Truststore and Keystore password into configuration file"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- cd /config-input
- for PFILE in `ls -1`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: properties-input
- - mountPath: /config
- name: properties
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
+ initContainers:
- command:
{{ if .Values.global.jobs.migration.enabled }}
- /app/ready.py
value: {{ .Values.service.internalPort2 | quote }}
- name: INTERNAL_PORT_3
value: {{ .Values.service.internalPort3 | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
configMap:
name: {{ include "common.fullname" . }}
- name: properties
- {{- if .Values.global.aafEnabled }}
- emptyDir:
- medium: Memory
- - name: properties-input
- {{- end }}
configMap:
name: {{ include "common.fullname" . }}-properties
restartPolicy: {{ .Values.restartPolicy }}
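Review bot: The deleted `-update-config` init container was the only step that rendered `/config-input` into `/config` with `envsubst`; the `properties` volume now mounts the `-properties` ConfigMap directly, so any shell-style `${VAR}` placeholder remaining in a file of that ConfigMap will reach graphadmin unexpanded. The properties changed in this diff drop their `${KEYSTORE_JKS_PASSWORD}` / `${TRUSTSTORE_PASSWORD}` references, but other files in that ConfigMap are not shown here and should be checked for leftovers before the envsubst step is relied on being gone. The same removal is repeated in the graphadmin job templates that follow; this note applies to those hunks as well.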
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- {{- if .Values.global.aafEnabled }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** Set obfuscated Truststore and Keystore password into configuration file"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- cd /config-input
- for PFILE in `ls -1`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: properties-input
- - mountPath: /config
- name: properties
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
+ initContainers:
{{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }}
- command:
- /bin/bash
value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.securityContext.group_id | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
configMap:
name: {{ include "common.fullname" . }}
- name: properties
- {{- if .Values.global.aafEnabled }}
- emptyDir:
- medium: Memory
- - name: properties-input
- {{- end }}
configMap:
name: {{ include "common.fullname" . }}-properties
- name: migration
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- {{- if .Values.global.aafEnabled }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** Set obfuscated Truststore and Keystore password into configuration file"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- cd /config-input
- for PFILE in `ls -1`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: properties-input
- - mountPath: /config
- name: properties
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
+ initContainers:
- command:
- /app/ready.py
args:
value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.securityContext.group_id | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
configMap:
name: {{ include "common.fullname" . }}
- name: properties
- {{- if .Values.global.aafEnabled }}
- emptyDir:
- medium: Memory
- - name: properties-input
- {{- end }}
configMap:
name: {{ include "common.fullname" . }}-properties
restartPolicy: Never
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- {{- if .Values.global.aafEnabled }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** Set obfuscated Truststore and Keystore password into configuration file"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- cd /config-input
- for PFILE in `ls -1`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: properties-input
- - mountPath: /config
- name: properties
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
+ initContainers:
- command:
- /app/ready.py
args:
value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.securityContext.group_id | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.securityContext.group_id | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-migration
- name: properties
- {{- if .Values.global.aafEnabled }}
- emptyDir:
- medium: Memory
- - name: properties-input
- {{- end }}
configMap:
name: {{ include "common.fullname" . }}-properties
restartPolicy: Never
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- {{- if .Values.global.aafEnabled }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** Set obfuscated Truststore and Keystore password into configuration file"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- cd /config-input
- for PFILE in `ls -1`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: properties-input
- - mountPath: /config
- name: properties
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
+ initContainers:
{{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }}
- command:
- /bin/bash
value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.securityContext.group_id | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
{{if eq .Values.service.type "NodePort" -}}
- port: {{ .Values.service.internalPort }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
+ name: {{ .Values.service.portName }}
- port: {{ .Values.service.internalPort2 }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }}
name: {{ .Values.service.portName2 }}
name: {{ .Values.service.portName3 }}
{{- else -}}
- port: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
+ name: {{ .Values.service.portName }}
- port: {{ .Values.service.internalPort2 }}
name: {{ .Values.service.portName2 }}
- port: {{ .Values.service.internalPort3 }}
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# Specifies if the connection should be one way ssl, two way ssl or no auth
# will be set to no-auth if tls is disabled
service:
- client: one-way-ssl
+ client: no-auth
# Specifies which translator to use if it has schema-service, then it will
# make a rest request to schema service
translator:
realtime:
clients: SDNC,-1|MSO,-1|SO,-1|robot-ete,-1
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-graphadmin-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: aai
- fqi: aai@aai.onap.org
- public_fqdn: aai.onap.org
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- app_ns: org.osaaf.aaf
- credsPath: /opt/app/osaaf/local
- fqi_namespace: org.onap.aai
- user_id: &user_id 1000
- group_id: &group_id 1000
- aaf_add_config: |
- echo "*** changing them into shell safe ones"
- export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export KEYSTORE_JKS_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- keytool -storepasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \
- -storepass "${cadi_keystore_password_jks}" \
- -keystore {{ .Values.fqi_namespace }}.jks
- echo "*** set key password as same password as keystore password"
- keytool -keypasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \
- -keystore {{ .Values.fqi_namespace }}.jks \
- -keypass "${cadi_keystore_password_jks}" \
- -storepass "${KEYSTORE_JKS_PLAIN_PASSWORD}" -alias {{ .Values.fqi }}
- echo "*** writing passwords into prop file"
- echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
- echo "KEYSTORE_JKS_PLAIN_PASSWORD=${KEYSTORE_JKS_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
-
# application image
image: onap/aai-graphadmin:1.11.2
pullPolicy: Always
# Specify the profiles for the graphadmin microservice
profiles:
- # one way ssl profile will be set unless tlsEnabled is set to false or serviceMesh is enabled and
- # serviceMesh.tls is set to tru
- active: dmaap #,one-way-ssl"
+
+ active: dmaap
# Specifies the timeout limit for the REST API requests
timeout:
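Review bot: The added empty line between `profiles:` and `active: dmaap` is a stray blank inside a mapping; it is valid YAML, but it breaks the file's pattern of keeping a key's entries directly under the key. Dropping that blank line so the block reads `profiles:` followed immediately by `  active: dmaap` keeps the stanza consistent with the rest of values.yaml and with the equivalent `profiles:` block in the aai-resources values further down in this commit.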
# Not fully used for now
securityContext:
- user_id: *user_id
- group_id: *group_id
+ user_id: 1000
+ group_id: 1000
#Pods Service Account
serviceAccount:
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
dependencies:
- name: common
- version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# Model Loader Distribution Client Configuration
*/}}
ml.distribution.ACTIVE_SERVER_TLS_AUTH=false
-{{ if ( include "common.needTLS" .) }}
-ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8443
-ml.distribution.ASDC_USE_HTTPS=true
-ml.distribution.KEYSTORE_PASSWORD=
-ml.distribution.KEYSTORE_FILE=
-ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp
-{{ else }}
ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8080
ml.distribution.ASDC_USE_HTTPS=false
ml.distribution.KEYSTORE_PASSWORD=
ml.distribution.KEYSTORE_FILE=
ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp
-{{ end }}
{{- with (first .Values.kafkaUser.acls) }}
ml.distribution.CONSUMER_GROUP={{ .name }}
ml.distribution.CONSUMER_ID={{ .name }}-model-loader
ml.distribution.ARTIFACT_TYPES=MODEL_QUERY_SPEC,TOSCA_CSAR
# Model Loader AAI REST Client Configuration
-{{ if ( include "common.needTLS" .) }}
-ml.aai.BASE_URL=https://aai.{{.Release.Namespace}}:8443
-ml.aai.KEYSTORE_FILE=aai-os-cert.p12
-ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o
-ml.aai.USE_HTTPS= true
-{{ else }}
ml.aai.BASE_URL=http://aai.{{.Release.Namespace}}:80
ml.aai.USE_HTTPS= false
-{{ end }}
ml.aai.MODEL_URL=/aai/v*/service-design-and-creation/models/model/
ml.aai.NAMED_QUERY_URL=/aai/v*/service-design-and-creation/named-queries/named-query/
ml.aai.VNF_IMAGE_URL=/aai/v*/service-design-and-creation/vnf-images
# Model Loader Babel REST Client Configuration\r
ml.babel.BASE_URL={{ include "common.scheme" . }}://aai-babel.{{.Release.Namespace}}:9516
ml.babel.GENERATE_ARTIFACTS_URL=/services/babel-service/v1/app/generateArtifacts
-{{ if ( include "common.needTLS" .) }}
-ml.babel.KEYSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.p12
-ml.babel.KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}
-ml.babel.TRUSTSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-ml.babel.TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}
-ml.babel.USE_HTTPS= true
-{{ else }}
ml.babel.KEYSTORE_FILE=
ml.babel.KEYSTORE_PASSWORD=
ml.babel.TRUSTSTORE_FILE=
ml.babel.TRUSTSTORE_PASSWORD=
ml.babel.USE_HTTPS= false
-{{ end }}
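Review bot: `ml.babel.BASE_URL` still derives its scheme from `{{ include "common.scheme" . }}` while the babel keystore, truststore and `ml.babel.USE_HTTPS= false` entries right below it are now unconditional. If `common.scheme` can still render `https` for some deployments, the client is pointed at an HTTPS URL with no trust material configured, which will fail at runtime rather than at template time. The `ml.distribution` and `ml.aai` entries in this same hunk were hardcoded to plain HTTP, so this line should follow: `ml.babel.BASE_URL=http://aai-babel.{{.Release.Namespace}}:9516`. Whether `common.scheme` can still return https after this change is not visible in the diff, so confirm against the common chart.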
# Copyright © 2018 Amdocs, AT&T
# Modifications Copyright © 2018 Bell Canada
# Modifications Copyright © 2020-2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
- {{- if .Values.global.aafEnabled }}
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}
- export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** Set obfuscated Truststore and Keystore password into configuration file"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- cd /config-input
- for PFILE in `ls -1`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: prop-config-input
- - mountPath: /config
- name: prop-config
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
secretKeyRef:
name: {{ include "common.name" . }}-ku
key: sasl.jaas.config
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/model-loader/config/model-loader.properties
subPath: model-loader.properties
name: prop-config
- - mountPath: /opt/app/model-loader/config/auth/
- name: auth-config
- mountPath: {{ .Values.log.path }}
name: logs
- mountPath: /opt/app/model-loader/logback.xml
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
- name: prop-config
- {{- if .Values.global.aafEnabled }}
- emptyDir:
- medium: Memory
- - name: prop-config-input
- {{- end }}
configMap:
name: {{ include "common.fullname" . }}-prop
- - name: auth-config
- secret:
- secretName: {{ include "common.fullname" . }}
- name: logs
emptyDir: {}
{{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
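Review bot: The `auth-config` volume and its `secretName: {{ include "common.fullname" . }}` reference are removed from the pod spec, but nothing in the diff removes the template that renders that Secret; if it still exists in the chart it will keep being created with whatever credential material it holds while no pod consumes it. The same applies to the `-aaf-keys` Secret dropped from the aai-resources deployment volumes further down in this commit. Worth checking both charts' `templates/secret*.yaml` and deleting any Secret definition that is now unreferenced in the same change, so stale credentials are not left in the cluster.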
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2020-2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
global: # global defaults
nodePortPrefix: 302
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-ml-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: aai
- fqi: aai@aai.onap.org
- public_fqdn: aai.onap.org
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- app_ns: org.osaaf.aaf
- credsPath: /opt/app/osaaf/local
- appMountPath: /opt/app/model-loader/config/auth/aaf
- fqi_namespace: org.onap.aai
- user_id: &user_id 1000
- group_id: &group_id 1000
- aaf_add_config: |
- echo "*** changing them into shell safe ones"
- export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** writing passwords into prop file"
- echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
- echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
-
# application image
image: onap/model-loader:1.12.0
pullPolicy: Always
# Not fully used for now
securityContext:
- user_id: *user_id
- group_id: *group_id
+ user_id: 1000
+ group_id: 1000
#Log configuration
log:
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
dependencies:
- name: common
- version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
+++ /dev/null
-# AAI -> aai@aai.onap.org
-Basic QUFJOkFBSQ==,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# ModelLoader -> aai@aai.onap.org
-Basic TW9kZWxMb2FkZXI6TW9kZWxMb2FkZXI=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# AaiUI -> aai@aai.onap.org,
-Basic QWFpVUk6QWFpVUk=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# MSO -> so@so.onap.org
-Basic TVNPOk1TTw==,Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1NiE=,2050-03-03
-
-# SDNC -> sdnc@sdnc.onap.org
-Basic U0ROQzpTRE5D,Basic c2RuY0BzZG5jLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03
-
-# DCAE -> dcae@dcae.onap.org
-Basic RENBRTpEQ0FF,Basic ZGNhZUBkY2FlLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03
-
-# POLICY -> policy@policy.onap.org
-Basic UE9MSUNZOlBPTElDWQ==,Basic cG9saWN5QHBvbGljeS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# ASDC -> sdc@sdc.onap.org
-Basic QVNEQzpBU0RD,Basic c2RjQHNkYy5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# OOF -> oof@oof.onap.org
-Basic T09GOk9PRg==,Basic b29mQG9vZi5vbmFwLm9yZzpkZW1vMTIzNDQ2IQ==,2050-03-03
-
+++ /dev/null
-
-cadi_loglevel=INFO
-cadi_prop_files=/opt/app/aai-resources/resources/aaf/org.osaaf.location.props:/opt/app/aai-resources/resources/aaf/org.onap.aai.props
-
-# OAuth2
-aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token
-aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect
-
+++ /dev/null
-############################################################
-# Properties Generated by AT&T Certificate Manager
-# @copyright 2016, AT&T
-# Modifications Copyright © 2020 Orange
-############################################################
-cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
-cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile
-cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-cadi_keystore_password=${KEYSTORE_PASSWORD}
-
-cadi_alias=aai@aai.onap.org
-cadi_truststore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks
-cadi_truststore_password=${TRUSTSTORE_ALL_PASSWORD}
-cadi_loglevel=INFO
-cadi_bath_convert=/opt/app/aai-resources/resources/aaf/bath_config.csv
+++ /dev/null
-##
-## org.osaaf.location.props
-##
-## Localized Machine Information
-##
-# Almeda California ?
-cadi_latitude=37.78187
-cadi_longitude=-122.26147
-
-# Locate URL (which AAF Env)
-aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095
-
-
-# AAF URL
-aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1
-
-# AAF Environment Designation
-aaf_env=DEV
-
-# OAuth2 Endpoints
-aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token
-aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect
-
-
+++ /dev/null
-permission.type=org.onap.aai.resources
-permission.instance=*
\ No newline at end of file
# ================================================================================
# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# this could come from siteconfig.pl?
aai.config.nodename=AutomaticallyOverwritten
-{{ if ( include "common.needTLS" .) }}
-aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/
-aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/
-aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/
-{{ else }}
aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/
aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/
aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/
-{{ end }}
{{ if .Values.global.config.basic.auth.enabled }}
aai.tools.enableBasicAuth=true
aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
-{{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
-aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
-{{ end }}
-
aai.notification.current.version={{ .Values.global.config.schema.version.api.default }}
aai.notificationEvent.default.status=UNPROCESSED
aai.notificationEvent.default.eventType={{ .Values.global.config.notification.eventType }}
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration
-spring.profiles.active={{ .Values.global.config.profiles.active }}{{ .Values.global.aafEnabled | ternary ",aaf-auth" "" }}
+spring.profiles.active={{ .Values.global.config.profiles.active }}
spring.jersey.application-path=${schema.uri.base.path}
#The max number of active threads in this pool
server.tomcat.max-threads=200
server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties
server.port=8447
-{{ if ( include "common.needTLS" .) }}
-server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-server.ssl.key-store-password=${KEYSTORE_PASSWORD}
-server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-server.ssl.client-auth=want
-server.ssl.key-store-type=JKS
-{{ else }}
security.require-ssl=false
server.ssl.enabled=false
-{{ end }}
# JMS bind address host port
jms.bind.address=tcp://localhost:61647
-dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }}
-dmaap.ribbon.transportType={{ include "common.scheme" . }}
+dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3904
+dmaap.ribbon.transportType=http
# Schema related attributes for the oxm and edges
# Any additional schema related attributes should start with prefix schema
schema.service.nodes.endpoint=nodes?version=
schema.service.edges.endpoint=edgerules?version=
schema.service.versions.endpoint=versions
-schema.service.client={{ (eq "true" ( include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
-
-{{ if ( include "common.needTLS" .) }}
-schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD}
-schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-{{ end }}
+schema.service.client=no-auth
#to expose the Prometheus scraping endpoint
management.port=8448
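Review bot: `schema.service.client=no-auth` is now a literal, so the `global.config.schema.service.client` values entry that this same commit changes to `no-auth` in the aai-resources values.yaml no longer drives the rendered property and becomes dead configuration. Either keep it templated, `schema.service.client={{ .Values.global.config.schema.service.client }}`, or drop the values key so the two cannot silently diverge. The now unconditional `security.require-ssl=false` / `server.ssl.enabled=false` pair also deserves a one-line comment stating that in-chart TLS was removed deliberately and where transport security is expected to come from instead (the diff does not say; presumably the service mesh), since a later reader will otherwise take it for an oversight.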
{{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-aaf-props
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/aaf/org.osaaf.location.props").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/permissions.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.props").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/cadi.properties").AsConfig . | indent 2 }}
# Modifications Copyright (c) 2018 AT&T
# Modifications Copyright (c) 2020 Nokia
# Modifications Copyright (c) 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
spec:
hostname: aai-resources
terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ initContainers:
- name: {{ include "common.name" . }}-readiness
command:
- /app/ready.py
args:
- -c
- |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
echo "*** actual launch of AAI Resources"
/bin/bash /opt/app/aai-resources/docker-entrypoint.sh
env:
value: {{ .Values.global.config.userId | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.global.config.groupId | quote }}
- - name: POST_JAVA_OPTS
- value: '-Djavax.net.ssl.trustStore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks -Djavax.net.ssl.trustStorePassword={{ .Values.certInitializer.truststorePassword }}'
- - name: TRUSTORE_ALL_PASSWORD
- value: {{ .Values.certInitializer.truststorePassword }}
- name: INTERNAL_PORT_1
value: {{ .Values.service.internalPort | quote }}
- name: INTERNAL_PORT_2
value: {{ .Values.service.internalPort2 | quote }}
- name: INTERNAL_PORT_3
value: {{ .Values.service.internalPort3 | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-resources/resources/etc/auth/realm.properties
name: {{ include "common.fullname" . }}-config
subPath: realm.properties
- - mountPath: /opt/app/aai-resources/resources/aaf/bath_config.csv
- name: {{ include "common.fullname" . }}-aaf-certs
- subPath: bath_config.csv
- - mountPath: /opt/app/aai-resources/resources/aaf/org.onap.aai.props
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: org.onap.aai.props
- - mountPath: /opt/app/aai-resources/resources/aaf/org.osaaf.location.props
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: org.osaaf.location.props
- - mountPath: /opt/app/aai-resources/resources/aaf/permissions.properties
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: permissions.properties
- - mountPath: /opt/app/aai-resources/resources/cadi.properties
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: cadi.properties
- mountPath: /opt/app/aai-resources/resources/application.properties
name: {{ include "common.fullname" . }}-config
subPath: application.properties
httpGet:
path: /aai/util/echo?action=checkDB
port: {{ .Values.service.internalPort }}
- scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }}
+ scheme: HTTP
httpHeaders:
- name: X-FromAppId
value: LivenessCheck
httpGet:
path: /aai/util/echo?action=checkDB
port: {{ .Values.service.internalPort }}
- scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }}
+ scheme: HTTP
httpHeaders:
- name: X-FromAppId
value: ReadinessCheck
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
- name: {{ include "common.fullname" . }}-config
configMap:
name: {{ include "common.fullname" . }}
- - name: {{ include "common.fullname" . }}-aaf-properties
- configMap:
- name: {{ include "common.fullname" . }}-aaf-props
- - name: {{ include "common.fullname" . }}-aaf-certs
- secret:
- secretName: {{ include "common.fullname" . }}-aaf-keys
restartPolicy: {{ .Values.restartPolicy }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
# Copyright (c) 2018 Amdocs, Bell Canada, AT&T
# Copyright (c) 2020 Nokia, Orange
# Modifications Copyright (c) 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
migration:
enabled: false
- aafEnabled: false
-
config:
# Specifies that the cluster connected to a dynamic
# cluster being spinned up by kubernetes deployment
# Active spring profiles for the resources microservice
profiles:
- # aaf-auth profile will be automatically set if aaf enabled is set to true
- active: production,dmaap #,aaf-auth
+ active: production,dmaap
# Notification event specific properties
notification:
schema:
# Specifies if the connection should be one way ssl, two way ssl or no auth
service:
- client: one-way-ssl
+ client: no-auth
# Specifies which translator to use if it has schema-service, then it will make a rest request to schema service
translator:
list: schema-service
url: network
- name: aai-externalSystem
url: external-system
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-resources-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: aai-resources
- fqi: aai-resources@aai-resources.onap.org
- public_fqdn: aai-resources.onap.org
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- app_ns: org.osaaf.aaf
- credsPath: /opt/app/osaaf/local
- fqi_namespace: org.onap.aai-resources
- aaf_add_config: |
- echo "*** changing them into shell safe ones"
- export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** save the generated passwords"
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R 1000 {{ .Values.credsPath }}
# application image
image: onap/aai-resources:1.11.0
# Copyright © 2019 AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
dependencies:
- name: common
- version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
# org.onap.aai
# ================================================================================
# Copyright © 2019 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ============LICENSE_END=========================================================
*/}}
-{{ if ( include "common.needTLS" .) }}
-aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/
-aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/
-aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/
-{{ else }}
aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/
aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/
aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/
-{{ end }}
{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }}
aai.tools.enableBasicAuth=true
aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
-{{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
-aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
-{{ end }}
aai.default.api.version={{ .Values.global.config.schema.version.api.default }}
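Review bot: `aai.tools.enableBasicAuth=true` and `aai.tools.password={{ .Values.global.config.basic.auth.passwd }}` (L1483-L1485) now sit next to endpoints that are plain `http://` only (L1479-L1481), so the basic-auth credential crosses the network unencrypted unless the service mesh supplies mTLS, and nothing in the file records that dependency. The same unconditional plaintext setup is introduced where `server.ssl.enabled=false` becomes the only branch (L1511-L1512 and L1713-L1714). A one-line comment above L1479 would make the assumption auditable: `# plain-HTTP endpoints: transport security is expected from the service mesh (see common.onServiceMesh); keep these ports cluster-internal`. If deployments without a mesh remain supported, the values documentation should say that the credential is then sent in clear.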
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
server.basic.auth.location=${server.local.startpath}/etc/auth/realm.properties
server.port=8452
-{{ if ( include "common.needTLS" .) }}
-server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-server.ssl.key-store-password=${KEYSTORE_PASSWORD}
-server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-server.ssl.client-auth=want
-server.ssl.key-store-type=PKCS12
-{{ else }}
security.require-ssl=false
server.ssl.enabled=false
-{{ end }}
schema.configuration.location=N/A
schema.source.name={{ .Values.global.config.schema.source.name }}
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018 AT&T
# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
spec:
- {{- if .Values.global.aafEnabled }}
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
- echo "*** obfuscate them "
- export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}
- export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}
- export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar")
- export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
- image: {{ include "repositoryGenerator.image.jetty" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-obfuscate
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- securityContext:
- runAsUser: {{ .Values.securityContext.user_id }}
- {{- end }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- {{- if .Values.global.aafEnabled }}
- command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
- echo "*** actual launch of AAI Schema Service"
- /bin/bash /opt/app/aai-schema-service/docker-entrypoint.sh
- {{- end }}
env:
- name: LOCAL_USER_ID
value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.securityContext.group_id | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: aai-common-aai-auth-mount
secret:
secretName: aai-common-aai-auth
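Review bot: With the obfuscate init container gone, no container in this hunk sets a `securityContext`, whereas the removed one did run as `.Values.securityContext.user_id` (old L1547-L1548); the main container (L1551-L1574) only receives the UID through the `LOCAL_USER_ID`/`LOCAL_GROUP_ID` env vars, which relies on the entrypoint honouring them. The rest of the container spec may continue outside the hunk, so this may already be handled; if not, `securityContext:` / `runAsUser: {{ .Values.securityContext.user_id }}` on the container pins the UID regardless of the entrypoint. The `# Not fully used for now` comment on `securityContext` in values.yaml (L1629) suggests this was a known gap worth closing now that the AAF path is removed.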
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
edge:
label: v12
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-schema-service-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: aai-schema-service
- fqi: aai-schema-service@aai-schema-service.onap.org
- public_fqdn: aai-schema-service.onap.org
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- app_ns: org.osaaf.aaf
- credsPath: /opt/app/osaaf/local
- fqi_namespace: org.onap.aai-schema-service
- user_id: &user_id 1000
- group_id: &group_id 1000
- aaf_add_config: |
- echo "*** changing them into shell safe ones"
- export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** writing passwords into prop file"
- echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
- echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
-
# application image
image: onap/aai-schema-service:1.11.0
pullPolicy: Always
# Not fully used for now
securityContext:
- user_id: *user_id
- group_id: *group_id
+ user_id: 1000
+ group_id: 1000
#Log configuration
log:
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
dependencies:
- name: common
- version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
#schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config
oxm.schemaServiceTranslatorList=config
# The end point for onap is https://<hostname>:<port>/onap/schema-service/v1/
-{{ if ( include "common.needTLS" .) }}
-oxm.schemaServiceBaseUrl=https://<schema-service/config>/aai/schema-service/v1/
-oxm.schemaServiceKeystore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-oxm.schemaServiceTruststore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-oxm.schemaServiceKeystorePassword=${KEYSTORE_PASSWORD}
-oxm.schemaServiceTruststorePassword=${TRUSTSTORE_PASSWORD}
-{{ else }}
+
oxm.schemaServiceBaseUrl=http://<schema-service/config>/aai/schema-service/v1/
-{{ end }}
+
# Schema Service need this variable for the time being
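Review bot: The removed `{{ if }}`/`{{ else }}`/`{{ end }}` guards are replaced by empty `+` lines at L1671 and L1674, which leaves a stray blank line on each side of `oxm.schemaServiceBaseUrl` in the rendered properties; the same pattern appears at L1694/L1698 and L1716. Dropping those added lines outright (no replacement) keeps the rendered file tidy and the diff minimal.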
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
*/}}
resources.hostname=aai
-{{ if ( include "common.needTLS" .) }}
-resources.port=8443
-resources.authType=SSL_BASIC
-resources.basicAuthUserName=aai@aai.onap.org
-resources.basicAuthPassword=1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek
-resources.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-resources.trust-store-password=${TRUSTSTORE_PASSWORD}
-resources.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-resources.client-cert-password=${KEYSTORE_PASSWORD}
-{{ else }}
+
resources.port=80
resources.authType=HTTP_NOAUTH
-{{ end }}
+
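Review bot: `resources.authType=HTTP_NOAUTH` with `resources.port=80` (L1695-L1696) is now the only configuration for the sparky-to-aai-resources client, so the call carries neither transport protection nor a client credential, and the file does not say what is expected to enforce authentication on that path. If the intent is that service-mesh policy (mTLS plus authorization) fronts aai-resources, record it next to the setting: `# HTTP_NOAUTH: authentication/authorization of this call is delegated to the service mesh; not safe on a cluster without it`. If a credential is still wanted on the mesh, the `aai.tools.*` pattern in aaiconfig.properties (L1483-L1485), gated on `common.onServiceMesh`, could be mirrored here.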
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# limitations under the License.
server.port=8000
-{{ if ( include "common.needTLS" .) }}
-server.ssl.key-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-server.ssl.key-store-password=${KEYSTORE_PASSWORD}
-server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.trust-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-{{ else }}
security.require-ssl=false
server.ssl.enabled=false
-{{ end }}
+
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# and in the values.yaml change the internalPort to 9517
#
-spring.profiles.active=camel,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy,{{ ( eq "true" ( include "common.needTLS" .)) | ternary "ssl" "http" }}
+spring.profiles.active=camel,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy,http
portal.cadiFileLocation={{.Values.config.cadiFileLocation}}
searchservice.hostname={{.Values.global.searchData.serviceName}}
searchservice.port=9509
-{{ if ( include "common.needTLS" .) }}
-searchservice.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-searchservice.client-cert-password=${KEYSTORE_PASSWORD}
-searchservice.truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-searchservice.truststore-password=${TRUSTSTORE_PASSWORD}
-{{ end }}
schema.ingest.file=${CONFIG_HOME}/schemaIngest.properties
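Review bot: `portal.cadiFileLocation={{.Values.config.cadiFileLocation}}` at L1726 survives this hunk, but the value it reads is deleted from values.yaml at L2153, so the rendered property will be empty (or `<no value>`, depending on Helm's missing-key handling) while the cadi properties file it pointed at is itself removed (L1788-L1837). Either drop L1726 together with the value, or keep the value if the application still requires the key to be present.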
+++ /dev/null
-cipher.enc.key=AGLDdG4D04BKm2IxIWEr8o==!
+++ /dev/null
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-################################################################################
-############################## Portal properties ###############################
-################################################################################
-
-# Java class that implements the ECOMP role and user mgt API
-*/}}
-portal.api.impl.class = org.onap.aai.sparky.security.portal.PortalRestAPICentralServiceImpl
-
-# Instance of ECOMP Portal where the app has been on-boarded
-# use insecure http for dev purposes to avoid self-signed certificate
-ecomp_rest_url = https://portal-app:8443/ONAPPORTAL/auxapi
-
-# Standard global logon page
-ecomp_redirect_url = https://portal.api.simpledemo.onap.org:30225/ONAPPORTAL/login.htm
-
-# Name of cookie to extract on login request
-csp_cookie_name = EPService
-# Alternate values: DEVL, V_DEVL, V_PROD
-csp_gate_keeper_prod_key = PROD
-
-# Toggles use of UEB
-ueb_listeners_enable = false
-# IDs application withing UEB flow
-ueb_app_key=ueb_key_7
-# Use this tag if the app is centralized
-role_access_centralized=remote
-
-# Connection and Read timeout values
-ext_req_connection_timeout=15000
-ext_req_read_timeout=20000
-
-#Add AAF namespace if the app is centralized
-auth_namespace={{ .Values.certInitializer.fqi_namespace }}
+++ /dev/null
-# Configure AAF
-aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095
-aaf_url=<%=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1
-
-#aaf_url=https://DME2RESOLVE/service=com.att.authz.AuthorizationService/version=2.0/envContext=TEST/routeOffer=BAU_SE
-# AAF Environment Designation
-
-#if you are running aaf service from a docker image you have to use aaf service IP and port number
-aaf_id={{ .Values.certInitializer.fqi }}
-#Encrypt the password using AAF Jar
-aaf_password={{ .Values.certInitializer.aafDeployPass }}
-# Sample CADI Properties, from CADI 1.4.2
-#hostname=org.onap.aai.orr
-csp_domain=PROD
-# Add Absolute path to Keyfile
-cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile
-cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-cadi_keystore_password=${KEYSTORE_PASSWORD}
-
-cadi_alias={{ .Values.certInitializer.fqi }}
-
-# This is required to accept Certificate Authentication from Certman certificates.
-# can be TEST, IST or PROD
-aaf_env=DEV
-
-# DEBUG prints off all the properties. Use to get started.
-cadi_loglevel=DEBUG
-
-# Add Absolute path to truststore2018.jks
-cadi_truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-# Note: This is the ONLY password that doesn't have to be encrypted. All Java's TrustStores are this passcode by default, because they are public certs
-cadi_truststore_password=${TRUSTSTORE_PASSWORD}
-
-# how to turn on SSL Logging
-#javax.net.debug=ssl
-
-# Use "maps.bing.com" to get Lat and Long for an Address
-AFT_LATITUDE=32.780140
-AFT_LONGITUDE=-96.800451
-AFT_ENVIRONMENT=AFTUAT
-AFT_DME2_CLIENT_IGNORE_SSL_CONFIG=true
-DME2.DEBUG=true
-AFT_DME2_HTTP_EXCHANGE_TRACE_ON=true
-
-cadi_latitude=32.780140
-cadi_longitude=-96.800451
-
-aaf_root_ns=com.att.aaf
-aaf_api_version=2.0
+++ /dev/null
-77E_fh-8gTjeg8egAo-JgNkXYm1FGEBPMo44vKPgKyGCJj9Dn0xJqIBct2Ko35X4_HSU3wPq3I2q
-YHIvJCjmzXTVu2zvu4rIGTlwycTtLGDkgPyhOYFytv4GgazbpSs9331MPUeVVrdpkDCQmjtHSB4m
-DThhfEe2lkbZ35ljX3sVSf3JDy4ngRot0ktQwnnY4vxFdgVUl7LzVinXWgFLoqMyXmKh_bGw9aUH
-VMgqFsF_YmqLZY5ZARAraeywktvrU5kXYh5SnfXoJy7XIk0TBjHKqO-1mW-TcIgS3_v6GIGkZnpq
-e1FyE8cS21gTPFlc1KDoWUZE2yoEsQKJc4RFWfjid_mE6nckxym1TOsEn3G2_TlkZvliN_QMDB_c
-RuFLDB9HCChm4YYHpSn-RBqtJFz29bMTHQX8VNVfZ_Zhh-4dWOlEfpSzJvAqm_boo-8y8YDGIusx
-mvKyPXEKVCuBOljHaKhYg0d43nAXIFsssKpjmtQizA2L_TP1Mo_lDFIlCsPcRlHKTvzkTstEAhRj
-JnepzA--olBMwBkPxjm1Y5XQBGZH72i_o4Hr7_NqHb9sP486I2Nd1-owjHkhacGrLO1oORnuBUxp
-_SnaXYywe9tTz3BcfFupXSoDv4Sj7g9B53yPIWmjGggigidql3SNJsui6qOtwDHOejzEDFm23Lj7
-fXD6sb52U_ul9ahi4CoLTzpvMsPRYOqyRCk8K8FVBauZbG5D42oaFPn0S0rCSHOCU1TXbRdTF-Cs
-I2R0pEHNgb33yx6vtInaTSYIQ5cxa3XDA_50AQearV5SuYSlp8dK0BkpVCKgvSQdTn-2WiaV_hvO
-KzG7D2adT1kYY6TjYMXIaUiJ33y1XSNDG0s6r4NG5dNE6Jj7thdpnV-AAZoi0uZh1_bsHKLVmHRr
-NCXAc6DZm1D4N9y5lOJwUprUlJisZXLFTQThGMRY5dtiY_eK9Xjj4FQygXXhuhFXHz2-e4YApORv
-lXDcT29IZuuI1j26bxdNdhNr1wZsqqievBN6l6OQMiP21eIrxAUu1BEmiVOrfOzaEjxldDN2gFum
-4-zf9gsQT9UT8KEuOje64wVeHr09JpWuddV9HOAMvqc6mKTWmvUv_QiLgtK_b39QccMrOfOA1usM
-biRJ9wuTYIr584Q9CjHEcm5e2YufcbF-IDZ4IDui8gNXyYJuusTYdspeKzrtiLKfgI56ZWA3it9G
-SOkN18YyUmhk7HFkx9qEifb4UEbUQPb0dyXBRotf-91c5CPkct-36uV4sZBA_AR1tX3-aRKKB_SQ
-B0zaG-eaEdEqKv-ZYHqk23ZxiEsCX3ZdY7VSMWztE3_D5n8UgEl4et5LVfnjvU-arVVO93WUbXk0
-zi2QrOwytOZ0StAvFdF1nVwWllPg4EYcn8qLJIaaBRvLMlpHixtwRhltwJeMmJl3ExImOxNhVbhF
-6LxVXW6JK8JfMIwb_TE4EShDBjemq76BojQOwrO4OAyPG7B5iUtefdY-Zu1EtjXPhrUgljI_A1tg
-5_2WNjNTCT7Bvig3saFsIRi3cvgIcMAF2H7kJYw3UDvCFnx4LIom2u6vSeyatPxEOhRfpP0KvgEU
-koM9DFJW7VWQ11mB_DcU2NoYHdFKFy_cM62kIvoRwZTADGryEtkLSWEDT8MLpVrGXP2RjSZ3HHqC
-vVpVqQHC2VIqNKi2uHtYCiTEfj81Z0rCrnH3hYIRoOSe5W6m17xyb0RloG0G44uK0oNCfDYLwK0L
-TJaBdWSIBYI__ISsKx8o8r-3XLtbwQPPhv4-LpGwJYd7sIcqnpTYAyNGSrbEM4ECzHCH9Hwf9Duy
-cAQGWqXIbTV9i8ryw8OhcCZPTf3noPZyhzzdegiv6KNT-BBbxsgtDehtP-jvpd9eAhjlfUV_hoFJ
-rBUVMFrIOEDnnItVqBDmnavRdhn6N9ObVjVMv_4inhkvtpBCEVxtVQT2kFuBmZvPu_uHHbXi7_g8
-SVs3AjJ2ya3pZraK6gH3IOYoGtTAH3rKl7XdTMjqWnUCbhepuJqeEOF-DhpsEW7Oo0Lqzbjg
\ No newline at end of file
+++ /dev/null
-{{/*\r
-# Copyright © 2018 Amdocs, Bell Canada, AT&T\r
-#\r
-# Licensed under the Apache License, Version 2.0 (the "License");\r
-# you may not use this file except in compliance with the License.\r
-# You may obtain a copy of the License at\r
-#\r
-# http://www.apache.org/licenses/LICENSE-2.0\r
-#\r
-# Unless required by applicable law or agreed to in writing, software\r
-# distributed under the License is distributed on an "AS IS" BASIS,\r
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
-# See the License for the specific language governing permissions and\r
-# limitations under the License.\r
-\r
-#####################################################################################\r
-############################## Portal Auth Properties ##############################\r
-#####################################################################################\r
-\r
-############################## Auth ##############################\r
-*/}}\r
-username={{.Values.config.portalUsername}}\r
-password={{.Values.config.portalPassword}}\r
-\r
-{{/*\r
-############################## ##############################\r
-#\r
-# ONAP Cookie Processing - During initial development, this flag, if true, will\r
-# prevent the portal interface's login processing from searching for a user\r
-# specific cookie, and will instead allow passage if a valid session cookie is\r
-# discovered.\r
-*/}}\r
-onap_enabled={{.Values.config.portalOnapEnabled}}\r
-onap.user_id_cookie_name={{.Values.config.portalCookieName}}\r
-cookie_decryptor_classname={{.Values.config.cookieDecryptorClass}}\r
-app_roles={{.Values.config.portalAppRoles}}\r
heritage: {{ .Release.Service }}
data:
{{ tpl (.Files.Glob "resources/config/application/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-portal
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/portal/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-portal-props
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/portal/BOOT-INF/classes/*").AsConfig . | indent 2 }}
# Copyright (c) 2017 Amdocs, Bell Canada
# Modifications Copyright (c) 2018 AT&T
# Modifications Copyright (c) 2020 Nokia
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
apiVersion: apps/v1
kind: Deployment
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
spec:
+ selector: {{- include "common.selectors" . | nindent 4 }}
replicas: {{ .Values.replicaCount }}
strategy:
type: {{ .Values.updateStrategy.type }}
maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }}
maxSurge: {{ .Values.updateStrategy.maxSurge }}
{{- end }}
- selector:
- matchLabels:
- app: {{ include "common.name" . }}
template:
- metadata:
- annotations:
- sidecar.istio.io/rewriteAppHTTPProbers: "false"
- labels:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- name: {{ include "common.name" . }}
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- {{- if ( include "common.needTLS" .) }}
- - command:
- - sh
- args:
- - -c
- - |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \
- | xargs -0)
- if [ -z "$KEYSTORE_PASSWORD" ]
- then
- echo " /!\ certificates retrieval failed"
- exit 1
- fi
- echo "*** write them in portal part"
- cd /config-input
- for PFILE in `ls -1 .`
- do
- envsubst <${PFILE} >/config/${PFILE}
- done
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- - mountPath: /config-input
- name: portal-config-input
- - mountPath: /config
- name: portal-config
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- {{- end }}
+ initContainers:
- command:
- /app/ready.py
args:
args:
- -c
- |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \
- | xargs -0)
echo "*** actual launch of AAI Sparky BE"
/opt/app/sparky/bin/start.sh
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
- - mountPath: /opt/app/sparky/config/auth/csp-cookie-filter.properties
- name: auth-config
- subPath: csp-cookie-filter.properties
- - mountPath: /opt/app/sparky/config/portal/
- name: portal-config
- - mountPath: /opt/app/sparky/config/portal/BOOT-INF/classes/
- name: portal-config-props
- mountPath: {{ .Values.log.path }}
name: logs
- mountPath: /opt/app/sparky/config/application.properties
- mountPath: /opt/app/sparky/config/logging/logback.xml
name: config
subPath: logback.xml
- ports:
- - containerPort: {{ .Values.service.internalPort }}
- - containerPort: {{ .Values.service.internalPlainPort }}
+ ports: {{ include "common.containerPorts" . | nindent 10 }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{- if eq .Values.liveness.enabled true }}
livenessProbe:
tcpSocket:
- port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+ port: {{ .Values.service.internalPort }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end -}}
readinessProbe:
tcpSocket:
- port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+ port: {{ .Values.service.internalPort }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
resources: {{ include "common.resources" . | nindent 10 }}
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
- name: config
configMap:
name: {{ include "common.fullname" . }}
- - name: portal-config
- {{- if .Values.global.aafEnabled }}
- emptyDir:
- medium: Memory
- - name: portal-config-input
- {{- end }}
- configMap:
- name: {{ include "common.fullname" . }}-portal
- - name: portal-config-props
- configMap:
- name: {{ include "common.fullname" . }}-portal-props
- - name: auth-config
- secret:
- secretName: {{ include "common.fullname" . }}
- name: logs
emptyDir: {}
{{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
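Review bot: The probes at L2042 and L2049 now use `.Values.service.internalPort` while the container ports (L2035) come from `common.containerPorts`, presumably fed by `service.ports[].internal_port`; values.yaml carries both (`internalPort: 9517` at L2172 and `internal_port: 9517` at L2176), so the probe port and the exposed port can silently diverge. Deriving one from the other, e.g. `port: {{ (index .Values.service.ports 0).internal_port }}`, or dropping `internalPort` from values keeps a single source of truth. The two consecutive `args:` lines at L2005-L2006 look like a hunk-boundary artifact of this page rather than a duplicate key in the template, but that is worth confirming against the file.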
# limitations under the License.
*/}}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- ports:
- - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }}
- port: {{ .Values.service.externalPort }}
- targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
- {{- if eq .Values.service.type "NodePort" }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- {{- end }}
- type: {{ .Values.service.type }}
- selector:
- app: {{ include "common.name" . }}
+{{ include "common.service" . }}
# Copyright (c) 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright (c) 2020 Nokia, Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
searchData:
serviceName: aai-search-data
-
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-sparky-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: "aai"
- app_ns: "org.osaaf.aaf"
- fqi_namespace: "org.onap.aai"
- fqi: "aai@aai.onap.org"
- public_fqdn: "aaf.osaaf.org"
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- credsPath: /opt/app/osaaf/local
- aaf_add_config: |
- echo "*** changing passwords into shell safe ones"
- export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** save the generated passwords"
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R 1000 {{ .Values.credsPath }}
-
# application image
image: onap/sparky-be:2.0.3
pullPolicy: Always
portalPassword: OBF:1t2v1vfv1unz1vgz1t3b # aaiui
portalCookieName: UserId
portalAppRoles: ui_view
- cadiFileLocation: /opt/app/sparky/config/portal/cadi.properties
cookieDecryptorClass: org.onap.aai.sparky.security.BaseCookieDecryptor
# ONAP Cookie Processing - During initial development, the following flag, if true, will
portalOnapEnabled: true
#
-# override chart name (sparky-be) to share a common namespace
-# suffix with parent chart (aai)
-nsSuffix: aai
-
-
# default number of instances
replicaCount: 1
service:
type: NodePort
- portName: http
- externalPort: 8000
- internalPort: 8000
- internalPlainPort: 9517
- nodePort: 20
+ internalPort: 9517
+ ports:
+ - name: http
+ port: 8000
+ internal_port: 9517
+ nodePort: 20
ingress:
enabled: false
config:
ssl: "redirect"
+podAnnotations:
+ sidecar.istio.io/rewriteAppHTTPProbers: "false"
+
# Configure resource requests and limits
# ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
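Review bot: The `config.portal*` values at L2150-L2156 (`portalPassword: OBF:… # aaiui`, `portalCookieName`, `portalAppRoles`, `cookieDecryptorClass`, `portalOnapEnabled`) have no remaining consumer in this diff: the portal properties that templated them (L1889-L1903) and the `-portal`/`-portal-props` ConfigMaps (L1907-L1932) are deleted. Unless another template in the chart still reads them, they are dead configuration, and `portalPassword` is a credential in Jetty OBF form, a reversible encoding rather than a hash, with what looks like its clear value in the trailing comment. Removing the block (or at least the `# aaiui` comment) with the rest of the portal integration would finish the cleanup; if the keys are kept because the application reads them directly, a comment naming that reader would spare the next reviewer the same question.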
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2021-2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
dependencies:
- name: common
- version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: certInitializer
version: ~12.x-0
repository: '@local'
- name: repositoryGenerator
+++ /dev/null
-# AAI -> aai@aai.onap.org
-Basic QUFJOkFBSQ==,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# ModelLoader -> aai@aai.onap.org
-Basic TW9kZWxMb2FkZXI6TW9kZWxMb2FkZXI=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# AaiUI -> aai@aai.onap.org,
-Basic QWFpVUk6QWFpVUk=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# MSO -> so@so.onap.org
-Basic TVNPOk1TTw==,Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1NiE=,2050-03-03
-
-# SDNC -> sdnc@sdnc.onap.org
-Basic U0ROQzpTRE5D,Basic c2RuY0BzZG5jLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03
-
-# DCAE -> dcae@dcae.onap.org
-Basic RENBRTpEQ0FF,Basic ZGNhZUBkY2FlLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03
-
-# POLICY -> policy@policy.onap.org
-Basic UE9MSUNZOlBPTElDWQ==,Basic cG9saWN5QHBvbGljeS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# ASDC -> sdc@sdc.onap.org
-Basic QVNEQzpBU0RD,Basic c2RjQHNkYy5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
-
-# OOF -> oof@oof.onap.org
-Basic T09GOk9PRg==,Basic b29mQG9vZi5vbmFwLm9yZzpkZW1vMTIzNDQ2IQ==,2050-03-03
-
+++ /dev/null
-
-cadi_loglevel=INFO
-cadi_prop_files=/opt/app/aai-traversal/resources/aaf/org.osaaf.location.props:/opt/app/aai-traversal/resources/aaf/org.onap.aai.props
-
-# OAuth2
-aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token
-aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect
-
+++ /dev/null
-############################################################
-# Properties Generated by AT&T Certificate Manager
-# @copyright 2016, AT&T
-# Modifications Copyright (c) 2020 Orange
-############################################################
-cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
-cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile
-cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-cadi_keystore_password=${KEYSTORE_PASSWORD}
-
-#cadi_key_password=enc:9xs_lJ9QQRDoMcHqLbGg40-gefGrw-sLMjWL40ejbyqdC7Jt_pQfY6ajBLGcbLuL
-cadi_alias=aai@aai.onap.org
-cadi_truststore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks
-cadi_truststore_password=${TRUSTSTORE_ALL_PASSWORD}
-cadi_loglevel=INFO
-cadi_bath_convert=/opt/app/aai-traversal/resources/aaf/bath_config.csv
+++ /dev/null
-##
-## org.osaaf.location.props
-##
-## Localized Machine Information
-##
-# Almeda California ?
-cadi_latitude=37.78187
-cadi_longitude=-122.26147
-
-# Locate URL (which AAF Env)
-aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095
-
-# AAF URL
-aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1
-
-# AAF Environment Designation
-aaf_env=DEV
-
-# OAuth2 Endpoints
-aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token
-aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect
-
-
+++ /dev/null
-permission.type=org.onap.aai.traversal
-permission.instance=*
\ No newline at end of file
# ================================================================================
# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2023 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# this could come from siteconfig.pl?
aai.config.nodename=AutomaticallyOverwritten
-
-{{ if ( include "common.needTLS" .) }}
-aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/
-aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/
-aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/
-{{else}}
aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/
aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/
aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/
-{{ end }}
{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }}
aai.tools.enableBasicAuth=true
aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
-{{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
-aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
-{{ end }}
-
aai.notification.current.version={{ .Values.global.config.schema.version.api.default }}
aai.notificationEvent.default.status=UNPROCESSED
aai.notificationEvent.default.eventType={{ .Values.global.config.notification.eventType }}
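Review bot: With the TLS branch gone, `aai.server.url.base`, `aai.server.url` and `aai.global.callback.url` are now fixed to plain `http://`, while `aai.tools.password` is still written out whenever `global.config.basic.auth.enabled` is set, so outside a service mesh the basic-auth credential crosses the cluster network unencrypted. The condition on the basic-auth block already names `common.onServiceMesh`, which suggests the sidecar is meant to supply transport security, but nothing in the rendered file says so. A one-line comment above the URL block would keep the next reader from re-adding TLS here, e.g. `# Plain HTTP by design: transport encryption is expected from the service-mesh sidecar, not from this service`.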
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
server.servlet.context-path=/
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration
-spring.profiles.active={{ .Values.global.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }}
+spring.profiles.active={{ .Values.global.config.profiles.active }}
spring.jersey.application-path=${schema.uri.base.path}
#The max number of active threads in this pool
server.tomcat.max-threads=200
server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties
server.port=8446
-{{ if ( include "common.needTLS" .) }}
-server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-server.ssl.key-store-password=${KEYSTORE_PASSWORD}
-server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-server.ssl.client-auth=want
-server.ssl.key-store-type=JKS
-{{ else }}
security.require-ssl=false
server.ssl.enabled=false
-{{ end }}
# JMS bind address host port
jms.bind.address=tcp://localhost:61647
-dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }}
-dmaap.ribbon.transportType={{ include "common.scheme" . }}
+dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3904
+dmaap.ribbon.transportType=http
# Schema related attributes for the oxm and edges
# Any additional schema related attributes should start with prefix schema
schema.service.edges.endpoint=edgerules?version=
schema.service.versions.endpoint=versions
schema.service.custom.queries.endpoint=stored-queries
-schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
-
-{{ if ( include "common.needTLS" .) }}
-schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD}
-schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
-{{ end }}
+schema.service.client=no-auth
#to expose the Prometheus scraping endpoint
management.port=8448
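Review bot: `schema.service.client=no-auth` is now a hardcoded literal, yet the same commit keeps `global.config.schema.service.client: no-auth` in values.yaml together with its comment offering one-way/two-way ssl, so that value is dead and an operator changing it gets no effect. Either render it again, `schema.service.client={{ .Values.global.config.schema.service.client }}`, or remove the key and its comment from values.yaml; the values.yaml hunk that changes `client: one-way-ssl` to `client: no-auth` further down has the same issue. Unrelated but worth a comment in the same block: `security.require-ssl=false` and `server.ssl.enabled=false` now apply unconditionally, so a note such as `# TLS is terminated outside the container; keep disabled here` would document that this is deliberate.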
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
# Copyright © 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
{{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-aaf-props
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/aaf/org.osaaf.location.props").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/permissions.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.props").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/cadi.properties").AsConfig . | indent 2 }}
# Modifications Copyright (c) 2018 AT&T
# Modifications Copyright (c) 2020 Nokia, Orange
# Modifications Copyright (c) 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
spec:
hostname: aai-traversal
terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ initContainers:
- command:
- /app/ready.py
args:
args:
- -c
- |
- echo "*** retrieve Truststore and Keystore password"
- export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
echo "*** actual launch of AAI Resources"
/bin/bash /opt/app/aai-traversal/docker-entrypoint.sh
env:
- - name: TRUSTORE_ALL_PASSWORD
- value: {{ .Values.certInitializer.truststorePassword }}
- name: DISABLE_UPDATE_QUERY
value: {{ .Values.config.disableUpdateQuery | quote }}
- name: LOCAL_USER_ID
value: {{ .Values.service.internalPort2 | quote }}
- name: INTERNAL_PORT_3
value: {{ .Values.service.internalPort3 | quote }}
- volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-traversal/resources/etc/auth/realm.properties
name: {{ include "common.fullname" . }}-config
subPath: realm.properties
- - mountPath: /opt/app/aai-traversal/resources/aaf/bath_config.csv
- name: {{ include "common.fullname" . }}-aaf-certs
- subPath: bath_config.csv
- - mountPath: /opt/app/aai-traversal/resources/aaf/org.onap.aai.props
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: org.onap.aai.props
- - mountPath: /opt/app/aai-traversal/resources/aaf/org.osaaf.location.props
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: org.osaaf.location.props
- - mountPath: /opt/app/aai-traversal/resources/aaf/permissions.properties
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: permissions.properties
- - mountPath: /opt/app/aai-traversal/resources/cadi.properties
- name: {{ include "common.fullname" . }}-aaf-properties
- subPath: cadi.properties
- mountPath: /opt/app/aai-traversal/resources/application.properties
name: {{ include "common.fullname" . }}-config
subPath: application.properties
httpGet:
path: /aai/util/echo?action=checkDB
port: {{ .Values.service.internalPort }}
- scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }}
+ scheme: HTTP
httpHeaders:
- name: X-FromAppId
value: LivenessCheck
httpGet:
path: /aai/util/echo?action=checkDB
port: {{ .Values.service.internalPort }}
- scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }}
+ scheme: HTTP
httpHeaders:
- name: X-FromAppId
value: ReadinessCheck
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ volumes:
- name: localtime
hostPath:
path: /etc/localtime
- name: {{ include "common.fullname" . }}-config
configMap:
name: {{ include "common.fullname" . }}
- - name: {{ include "common.fullname" . }}-aaf-properties
- configMap:
- name: {{ include "common.fullname" . }}-aaf-props
- - name: {{ include "common.fullname" . }}-aaf-certs
- secret:
- secretName: {{ include "common.fullname" . }}-aaf
- - name: aai-common-aai-auth-mount
- secret:
- secretName: aai-common-aai-auth
restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
# Copyright (c) 2017-2018 AT&T
# Modifications Copyright (c) 2018 Amdocs, Bell Canada
# Modifications Copyright (c) 2020 Nokia, Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
args:
- --container-name
- aai
- {{ if eq .Values.global.aafEnabled true }}
- - --container-name
- - aaf-locate
- {{ end }}
env:
- name: NAMESPACE
valueFrom:
- |
set -x
if [ ! -d /opt/aai/logroot/AAI-GQ/misc ]; then mkdir -p /opt/aai/logroot/AAI-GQ/misc; fi
- {{- if (include "common.needTLS" .) }}
- until nc -w10 -z -v aai.{{.Release.Namespace}} 8443; do echo "Retrying to reach aai on port 8443"; done;
- bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh
- {{- else }}
until nc -w10 -z -v aai.{{.Release.Namespace}} 80; do echo "Retrying to reach aai on port 80"; done;
bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh ;
{{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
- {{- end }}
+
env:
- name: LOCAL_USER_ID
value: {{ .Values.global.config.userId | quote }}
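Review bot: The added empty line that replaces `{{- end }}` sits inside the `- |` block scalar, so it becomes part of the script text rather than a YAML separator; it is harmless with clip chomping but it is a stray edit. Drop the added blank line so the scalar ends on the `common.serviceMesh.killSidecar` include, matching the old rendering. The enclosing container spec starts outside this hunk.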
+++ /dev/null
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-# Copyright © 2021 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-aaf
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/aaf/bath_config.csv").AsSecrets . | indent 2 }}
\ No newline at end of file
# Copyright (c) 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright (c) 2020 Nokia
# Modifications Copyright (c) 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# Declare variables to be passed into your templates.
global: # global defaults
nodePortPrefix: 302
- aafEnabled: true
cassandra:
#Service Name of the cassandra cluster to connect to.
# Active spring profiles for the resources microservice
profiles:
- active: production,dmaap #,aaf-auth ,keycloak
+ active: production,dmaap
# Notification event specific properties
notification:
schema:
# Specifies if the connection should be one way ssl, two way ssl or no auth
service:
- client: one-way-ssl
+ client: no-auth
# Specifies which translator to use if it has schema-service, then it will make a rest request to schema service
translator:
list: schema-service
realtime:
clients: SDNC,MSO,SO,robot-ete
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-traversal-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: aai-traversal
- fqi: aai-traversal@aai-traversal.onap.org
- public_fqdn: aai-traversal.onap.org
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- app_ns: org.osaaf.aaf
- credsPath: /opt/app/osaaf/local
- fqi_namespace: org.onap.aai-traversal
- aaf_add_config: |
- echo "*** changing them into shell safe ones"
- export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** save the generated passwords"
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R 1000 {{ .Values.credsPath }}
-
# application image
image: onap/aai-traversal:1.11.2
pullPolicy: Always
# default number of instances
replicaCount: 1
-minReadySeconds: 10
-updateStrategy:
- type: RollingUpdate
- maxUnavailable: 0
- maxSurge: 1
-
nodeSelector: {}
affinity: {}
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
log global
mode http
option httplog
-{{- if ( include "common.needTLS" .) }}
- option ssl-hello-chk
-{{- end }}
option httpchk
http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ=='
default-server init-addr none
default_backend IST_Default_8447
-{{- if ( include "common.needTLS" .) }}
-frontend IST_8443
- mode http
- bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
-# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
- log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
- option httplog
- log global
- option logasap
- option forwardfor
- capture request header Host len 100
- capture response header Host len 100
- option log-separate-errors
- option forwardfor
-
- http-request set-header X-Forwarded-Proto https
- http-request add-header X-Forwarded-Port 8443
-
- http-request set-header X-Forwarded-Proto https if { ssl_fc }
- http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
- http-request set-header X-AAI-SSL %[ssl_fc]
- http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify]
- http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn]
- http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
- http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn]
- http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
- http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
- http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64]
- http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)]
- http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)]
- http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
- http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
- http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
-#######################################
-## Request blocking configuration ###
-#######################################
- {{- if eq $.Values.haproxy.requestBlocking.enabled true }}
- {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }}
- {{ $custom_config }}
- {{- end }}
- {{- end }}
-
-{{- end }}
-
#######################
#ACLS FOR PORT 8446####
#######################
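Review bot: Deleting the `IST_8443` frontend also deletes the only place where `$.Values.haproxy.requestBlocking.customConfigs` was rendered, so the request-blocking feature silently disappears on the HTTP path unless the plain frontend, which is outside this hunk, already carries the same `range`. If the feature is meant to survive, the `{{- if eq $.Values.haproxy.requestBlocking.enabled true }}` … `{{- end }}` block should move into the remaining frontend; if it is meant to go, the `haproxy.requestBlocking` values and their documentation should be removed in the same change. Related: the `X-AAI-SSL-*` headers are no longer set by haproxy, so if the backend still consults them the remaining frontend should clear client-supplied copies (e.g. `http-request del-header X-AAI-SSL-Client-DN`) rather than forward them unverified.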
stick on path
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
-{{- if ( include "common.needTLS" .) }}
- server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
-{{- else }}
server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447
-{{- end }}
#######################
# BACKEND 8446#########
stick on path
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
-{{- if ( include "common.needTLS" .) }}
- server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
-{{- else }}
server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446
-{{- end }}
{{/*
# Copyright (c) 2018 Amdocs, Bell Canada, AT&T
# Modifications Copyright (c) 2020 Nokia, Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
spec:
terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
- initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ initContainers:
- command:
- /app/ready.py
args:
subPath: haproxy.cfg
{{ end }}
name: haproxy-cfg
- {{- include "common.certInitializer.volumeMount" . | nindent 8 }}
ports:
- containerPort: {{ .Values.service.internalPort }}
- - containerPort: {{ .Values.service.internalPlainPort }}
- containerPort: {{ .Values.metricsService.internalPort }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{- if eq .Values.liveness.enabled true }}
livenessProbe:
tcpSocket:
- port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+ port: {{ .Values.service.internalPort }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end -}}
readinessProbe:
httpGet:
path: /aai/util/echo
- port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
- #scheme: HTTPS
- scheme: {{ (eq "true" (include "common.needTLS" .)) | ternary "HTTPS" "HTTP" }}
+ port: {{ .Values.service.internalPort }}
+ scheme: HTTP
httpHeaders:
- name: X-FromAppId
value: OOM_ReadinessCheck
- name: haproxy-cfg
configMap:
name: aai-deployment-configmap
- {{ include "common.certInitializer.volumes" . | nindent 8 }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
heritage: {{ .Release.Service }}
spec:
ports:
- - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }}
- port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort .Values.service.externalPlainPort }}
- targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+ - name: {{ .Values.service.portName }}
+ port: {{ .Values.service.externalPort }}
+ targetPort: {{ .Values.service.internalPort }}
{{- if eq .Values.service.type "NodePort" }}
+ {{ if not (include "common.ingressEnabled" .) }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
+ {{ end }}
{{- end }}
- type: {{ .Values.service.type }}
+ type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}{{ .Values.service.type }}{{ end }}
selector:
app: {{ include "common.name" . }}
- clusterIP: {{ .Values.service.aaiServiceClusterIp }}
sessionAffinity: {{ .Values.service.sessionAffinity }}
---
apiVersion: v1
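Review bot: The new `{{ if not (include "common.ingressEnabled" .) }}` and `{{ end }}` lines do not trim whitespace, unlike the surrounding `{{- if eq .Values.service.type "NodePort" }}` / `{{- end }}`, so the rendered Service gets whitespace-only lines inside `ports`. Use the same style as the neighbours, `{{- if not (include "common.ingressEnabled" .) }}` and `{{- end }}`, to keep the rendered manifest clean.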
spec:
ports:
- name: {{ .Values.service.portName }}
- port: {{ .Values.service.externalPlainPort }}
- targetPort: {{ .Values.service.internalPlainPort }}
+ port: {{ .Values.service.externalPort }}
+ targetPort: {{ .Values.service.internalPort }}
type: ClusterIP
selector:
app: {{ include "common.name" . }}
# Modifications Copyright (c) 2018 AT&T
# Modifications Copyright (c) 2020 Nokia, Orange
# Modifications Copyright (c) 2021 Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
restartPolicy: Always
- aafEnabled: true
- msbEnabled: true
- centralizedLoggingEnabled: true
+ msbEnabled: false
+ centralizedLoggingEnabled: false
cassandra:
#This will instantiate AAI cassandra cluster, default:shared cassandra.
serviceName: aai-resources
sparkyBe:
serviceName: aai-sparky-be
- dataRouter:
- serviceName: aai-data-router
- gizmo:
- serviceName: aai-gizmo
modelloader:
serviceName: aai-modelloader
searchData:
serviceName: aai-traversal
graphadmin:
serviceName: aai-graphadmin
- spike:
- serviceName: aai-spike
initContainers:
enabled: true
# Specifies if the connection should be one way ssl, two way ssl or no auth
# will be set to no-auth if tls is disabled
service:
- client: one-way-ssl
+ client: no-auth
# Specifies which translator to use if it has schema-service, then it will make a rest request to schema service
translator:
list: schema-service
aai-traversal:
logConfigMapNamePrefix: '{{ include "common.release" . }}-aai'
-#################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
- nameOverride: aai-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: "aai"
- app_ns: "org.osaaf.aaf"
- fqi_namespace: "org.onap.aai"
- fqi: "aai@aai.onap.org"
- public_fqdn: "aaf.osaaf.org"
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- credsPath: /opt/app/osaaf/local
- aaf_add_config: |
- echo "*** transform AAF certs into pem files"
- mkdir -p {{ .Values.credsPath }}/certs
- keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \
- -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \
- -alias ca_local_0 \
- -storepass $cadi_truststore_password
- openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
- -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
- -passin pass:$cadi_keystore_password_p12 \
- -passout pass:$cadi_keystore_password_p12
- echo "*** generating needed file"
- cat {{ .Values.credsPath }}/certs/cert.pem \
- {{ .Values.credsPath }}/certs/cacert.pem \
- {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
- > {{ .Values.credsPath }}/certs/fullchain.pem;
- chown 1001 {{ .Values.credsPath }}/certs/*
-
# application image
dockerhubRepository: registry.hub.docker.com
image: onap/aai-haproxy:1.11.0
service:
type: NodePort
portName: http
- externalPort: 8443
- internalPort: 8443
+ externalPort: 80
+ internalPort: 8080
nodePort: 33
- externalPlainPort: 80
- internalPlainPort: 8080
- nodeport: 33
- aaiServiceClusterIp:
sessionAffinity: None
metricsService:
service:
- baseaddr: "aai-api"
name: "aai"
- port: 8443
- plain_port: 80
+ port: 80
config:
ssl: "redirect"
{{- define "common.labels" -}}
{{- $dot := default . .dot -}}
app.kubernetes.io/name: {{ include "common.name" $dot }}
+app: {{ include "common.name" $dot }}
{{ if not .ignoreHelmChart }}
helm.sh/chart: {{ include "common.chart" $dot }}
{{- end }}
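Review bot: Adding `app:` to `common.labels` changes the label set of every object that includes this helper; if any of those objects uses the same helper inside a `selector`/`matchLabels` (not visible here, only the `common.service` inclusion is documented elsewhere on this page), a `helm upgrade` of an existing release will fail because Deployment and StatefulSet selectors are immutable. Please confirm the helper is only used for metadata labels, and add a comment above the new line stating why the duplicate of `app.kubernetes.io/name` is needed, e.g. `{{/* "app" kept alongside app.kubernetes.io/name for selectors that still match on it */}}`.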
{{/*
# Copyright © 2020 Amdocs, Bell Canada, Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
fieldPath: metadata.namespace
{{- end }}
{{- end }}
+
+{{/*
+ Use Authorization Policies or not.
+*/}}
+{{- define "common.useAuthorizationPolicies" -}}
+{{- if (include "common.onServiceMesh" .) }}
+{{- if .Values.global.authorizationPolicies -}}
+{{- if (default false .Values.global.authorizationPolicies.enabled) -}}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+ Create Authorization Policy template.
+ If common.useAuthorizationPolicies returns true:
+ Will create authorization policy, provided with array of authorized principals in .Values.serviceMesh.authorizationPolicy.authorizedPrincipals
+ in the format:
+ authorizedPrincipals:
+ - serviceAccount: <serviceaccount name> (Mandatory)
+ namespace: <namespace name> (Optional, will default to onap)
+ allowedOperationMethods: <list of allowed HTTP operations (Optional, will default to ["GET", "POST", "PUT", "PATCH", "DELETE"])
+
+ If no authorizedPrincipals provided, will default to denying all requests to the app matched under the
+ spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: <app-to-match> ("app.kubernetes.io/name" corresponds to key defined in "common.labels", which is included in "common.service")
+
+ If common.useAuthorizationPolicies returns false:
+ Will not create an authorization policy
+*/}}
+{{- define "common.authorizationPolicy" -}}
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}}
+{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}}
+{{- $relName := include "common.release" . -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}}
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "common.servicename" . }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipals }}
+{{- range $principal := $authorizedPrincipals }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ methods:
+{{- if $principal.allowedOperationMethods }}
+{{- range $method := $principal.allowedOperationMethods }}
+ - {{ $method }}
+{{- end }}
+{{- else }}
+{{- range $method := $defaultOperationMethods }}
+ - {{ $method }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end -}}
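Review bot: `common.authorizationPolicy` defines `$dot := default . .dot` but then passes `.` rather than `$dot` to `common.release`, `common.useAuthorizationPolicies`, `common.fullname`, `common.namespace` and `common.servicename`, so the helper breaks as soon as a caller invokes it with the `(dict "dot" . ...)` convention the first line advertises. Change those five calls to use `$dot`, e.g. `{{- $relName := include "common.release" $dot -}}` and `{{- if (include "common.useAuthorizationPolicies" $dot) }}`, or drop the `$dot` line if the helper is only ever called with the root context. The header comment also says "will default to denying all requests" when no principals are given; a short note that this relies on Istio treating an ALLOW policy with no rules as deny-all would help future readers.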
- name: mariadb-init\r
version: ~12.x-0\r
repository: 'file://../mariadb-init'\r
- condition: not global.mariadbGalera.localCluster
\ No newline at end of file
+ condition: global.mariadbGalera.globalCluster
\ No newline at end of file
mariadbGalera: &mariadbGalera
#This flag allows SO to instantiate its own mariadb-galera cluster
+ #When changing it to "true", also set "globalCluster: false"
+ #as the dependency check will not work otherwise (Chart.yaml)
localCluster: false
+ globalCluster: true
service: mariadb-galera
internalPort: 3306
nameOverride: mariadb-galera
- name: mariadb-init
version: ~12.x-0
repository: '@local'
- condition: not global.mariadbGalera.localCluster
+ condition: global.mariadbGalera.globalCluster
- name: repositoryGenerator
version: ~12.x-0
repository: '@local'
# limitations under the License.
global:
mariadbGalera: &mariadbGalera
- #This flag allows EJBCA to instantiate its own mariadb-galera cluster
+ #This flag allows SO to instantiate its own mariadb-galera cluster
+ #When changing it to "true", also set "globalCluster: false"
+ #as the dependency check will not work otherwise (Chart.yaml)
localCluster: false
+ globalCluster: true
service: mariadb-galera
internalPort: 3306
nameOverride: mariadb-galera
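Review bot: The comment replaced at L3023-3024 now reads `#This flag allows SO to instantiate its own mariadb-galera cluster` in a values file whose previous wording referred to EJBCA, so the text looks copied from the SO chart rather than written for this one. The same copy-paste shows at L3385-3386 (`Modeling` replaced by `SO`) and at L3354-3356, where the block sits under `postgres:` yet talks about a mariadb-galera cluster. A chart-neutral wording avoids the drift, e.g. `#This flag allows this chart to instantiate its own mariadb-galera cluster` (and `... its own postgres cluster` under `postgres:`).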
spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG}
-
{{- if .Values.config.additional }}
{{ toYaml .Values.config.additional | nindent 2 }}
{{- end }}
spec:
config:
retention.ms: {{ .Values.config.dmiCmEventsTopic.retentionMs }}
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+ name: {{ .Values.config.ncmpCmAvcSubscriptionTopic.name }}
+ labels:
+ strimzi.io/cluster: {{ include "common.release" . }}-strimzi
+spec:
+ config:
+ retention.ms: {{ .Values.config.ncmpCmAvcSubscriptionTopic.retentionMs }}
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+ name: {{ .Values.config.ncmpCmEventsTopic.name }}
+ labels:
+ strimzi.io/cluster: {{ include "common.release" . }}-strimzi
+spec:
+ config:
+ retention.ms: {{ .Values.config.ncmpCmEventsTopic.retentionMs }}
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+ name: {{ .Values.config.dmiCmAvcSubscriptionTopic.name }}
+ labels:
+ strimzi.io/cluster: {{ include "common.release" . }}-strimzi
+spec:
+ config:
+ retention.ms: {{ .Values.config.dmiCmAvcSubscriptionTopic.retentionMs }}
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+ name: {{ .Values.config.dmiCmAvcSubscriptionResponseTopic.name }}
+ labels:
+ strimzi.io/cluster: {{ include "common.release" . }}-strimzi
+spec:
+ config:
+ retention.ms: {{ .Values.config.dmiCmAvcSubscriptionResponseTopic.retentionMs }}
{{- end }}
\ No newline at end of file
type: topic
name: {{ .Values.config.dmiCmEventsTopic.name }}
operation: All
+ - resource:
+ type: group
+ name: {{ .Values.config.ncmpCmAvcSubscriptionTopic.consumer.groupId }}
+ operation: All
+ - resource:
+ type: topic
+ name: {{ .Values.config.ncmpCmAvcSubscriptionTopic.name }}
+ operation: All
+ - resource:
+ type: group
+ name: {{ .Values.config.ncmpCmEventsTopic.consumer.groupId }}
+ operation: All
+ - resource:
+ type: topic
+ name: {{ .Values.config.ncmpCmEventsTopic.name }}
+ operation: All
+ - resource:
+ type: group
+ name: {{ .Values.config.dmiCmAvcSubscriptionTopic.consumer.groupId }}
+ operation: All
+ - resource:
+ type: topic
+ name: {{ .Values.config.dmiCmAvcSubscriptionTopic.name }}
+ operation: All
+ - resource:
+ type: group
+ name: {{ .Values.config.dmiCmAvcSubscriptionResponseTopic.consumer.groupId }}
+ operation: All
+ - resource:
+ type: topic
+ name: {{ .Values.config.dmiCmAvcSubscriptionResponseTopic.name }}
+ operation: All
{{- end }}
\ No newline at end of file
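Review bot: Every new ACL entry at L3086-3117 grants `operation: All` on the added groups and topics, which includes Create, Delete and Alter rights a consumer or producer does not need. The SO chart in the same change scopes its KafkaUser to `operations: [Read]` on the group and `[Read, Write]` on the topic (L3617-3623), so the narrower form is available here too: `operation: Read` for a consumed topic and its group, plus a separate `operation: Write` entry where NCMP also produces to the topic. Which of the four topics are consumed only and which are written to is not visible in the hunk, so the split per resource needs confirming against the application; a comment per entry such as `# consumed only: Read is sufficient` would record the decision.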
retentionMs: 7200000
consumer:
groupId: ncmp-group
+ ncmpCmAvcSubscriptionTopic:
+ name: cm-avc-subscription
+ retentionMs: 7200000
+ consumer:
+ groupId: ncmp-group
+ ncmpCmEventsTopic:
+ name: cm-events
+ retentionMs: 7200000
+ consumer:
+ groupId: ncmp-group
+ dmiCmAvcSubscriptionTopic:
+ name: ncmp-dmi-cm-avc-subscription-ncmp-dmi-plugin
+ retentionMs: 7200000
+ consumer:
+ groupId: ncmp-group
+ dmiCmAvcSubscriptionResponseTopic:
+ name: dmi-ncmp-cm-avc-subscription
+ retentionMs: 7200000
+ consumer:
+ groupId: ncmp-group
# Enable all CPS components by default
cps-core:
# Copyright (C) 2021 Nordix Foundation.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ================================= LICENSE_END ==============================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "London"
description: DCAE DataFile Collector Helm charts
name: dcae-datafile-collector
version: 12.0.0
# Copyright (c) 2021 Nordix Foundation.
# Copyright (c) 2022 Nokia. All rights reserved.
# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved.
+# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved.
# =========================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.9.0
+image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.10.0
pullPolicy: Always
# Log directory where logging sidecar should look for log files
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.heartbeat:2.6.0
+image: onap/org.onap.dcaegen2.services.heartbeat:2.6.1
pullPolicy: Always
# Log directory where logging sidecar should look for log files
# Copyright (c) 2021 AT&T Intellectual Property
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ================================= LICENSE_END ==============================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "London"
description: DCAE RESTConf Collector
name: dcae-restconf-collector
version: 12.0.0
# ============================================================================
# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved.
+# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.collectors.restconfcollector:1.3.4
+image: onap/org.onap.dcaegen2.collectors.restconfcollector:1.4.1
pullPolicy: Always
# Log directory where logging sidecar should look for log files
# Copyright (C) 2021 Wipro Limited.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ============= LICENSE_END ==================================================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "London"
description: DCAE Son-handler helm chart
name: dcae-son-handler
version: 12.0.0
# ============================================================================
# Copyright (C) 2021-2022 Wipro Limited.
# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved.
+# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.son-handler:2.1.11
+image: onap/org.onap.dcaegen2.services.son-handler:2.2.1
pullPolicy: Always
# Log directory where logging sidecar should look for log files
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ============LICENSE_END=========================================================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "London"
description: DCAE TCA (Gen 2)
name: dcae-tcagen2
version: 12.0.0
# ================================================================================
# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved.
# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# Application configuration defaults.
#################################################################
# application image
-image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.4
+image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.4.0
pullPolicy: Always
# log directory where logging sidecar should look for log files
# Application configuration defaults.
#################################################################
# application image
-image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.11.1
+image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.12.3
pullPolicy: Always
# log directory where logging sidecar should look for log files
# Copyright (c) 2021 AT&T Intellectual Property
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ================================= LICENSE_END ==============================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "London"
description: DCAE VES-Mapper Microservice
name: dcae-ves-mapper
version: 12.0.0
# ============================================================================
# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved.
+# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.4.0
+image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.5.0
pullPolicy: Always
# Log directory where logging sidecar should look for log files
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
initContainers:
- {{- if not .Values.global.postgres.localCluster }}
- {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }}
+ {{- if .Values.global.postgres.localCluster }}
+ {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local ) | indent 6 | trim }}
+ {{ else }}
+ {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global ) | indent 6 | trim }}
{{- end }}
- name: {{ include "common.name" . }}-env-config
image: {{ include "repositoryGenerator.image.envsubst" . }}
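Review bot: `wait_for_local` at L3317-3318 is a bare list holding `global.postgres.container.name`, while `wait_for_global` at L3314-3316 keeps the `jobs:` mapping form, so the two values handed to `common.readinessCheck.waitFor` have different shapes. If the helper interprets a plain list as app names rather than container names (not visible here; worth confirming against the readinessCheck chart), the local-cluster branch would wait on the wrong resource; writing `wait_for_local:` with an explicit `containers:` key would match the key's name and the mapping form used for the global case. The same pair appears at L3321-3332 and L3341-3350. Separately, `{{ else }}` at L3306 and L3328 does not trim like the surrounding `{{- if`/`{{- end }}` and leaves a whitespace-only line inside `initContainers`, harmless but untidy; `{{- else }}` would match the neighbours.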
unlimited: {}
readinessCheck:
- wait_for:
+ wait_for_global:
jobs:
- '{{ include "common.release" . }}-holmes-postgres-init-config-job'
+ wait_for_local:
+ - '{{ .Values.global.postgres.container.name }}'
#Pods Service Account
serviceAccount:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
initContainers:
- {{- if not .Values.global.postgres.localCluster }}
- {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }}
+ {{- if .Values.global.postgres.localCluster }}
+ {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local ) | indent 6 | trim }}
+ {{ else }}
+ {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global ) | indent 6 | trim }}
{{- end }}
- name: {{ include "common.name" . }}-env-config
image: {{ include "repositoryGenerator.image.envsubst" . }}
path: "/api/holmes-rule-mgmt/v1"
plain_port: 9101
- baseaddr: "holmes-rule-mgmt-ui"
- name: "holmes-rule-mgmt-ui"
+ name: "holmes-rule-mgmt"
path: "/iui/holmes"
plain_port: 9104
config:
unlimited: {}
readinessCheck:
- wait_for:
+ wait_for_global:
jobs:
- '{{ include "common.release" . }}-holmes-postgres-init-config-job'
+ wait_for_local:
+ - '{{ .Values.global.postgres.container.name }}'
#Pods Service Account
serviceAccount:
#Service Names of the postgres db to connect to.
#Override it to dbc-pg if localCluster is enabled.
postgres:
+ #This flag allows SO to instantiate its own mariadb-galera cluster
+ #When changing it to "true", also set "globalCluster: false"
+ #as the dependency check will not work otherwise (Chart.yaml)
localCluster: false
globalCluster: true
service:
- name: mariadb-init
version: ~12.x-0
repository: '@local'
- condition: not global.mariadbGalera.localCluster
+ condition: global.mariadbGalera.globalCluster
- name: readinessCheck
version: ~12.x-0
repository: '@local'
- command:
- /app/ready.py
args:
- - -j
- - "{{ include "common.release" . }}-{{ include "common.name" . }}-config-job"
+{{- if .Values.global.mariadbGalera.localCluster }}
+ - --container-name
+ - {{ index .Values "mariadb-galera" "nameOverride" }}
+{{- else }}
+ - --job-name
+ - {{ include "common.release" . }}-{{ include "common.name" . }}-config-job
+{{- end }}
env:
- name: NAMESPACE
valueFrom:
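Review bot: The new argument values at L3375 and L3378 are emitted as plain scalars, whereas the removed `-j` value at L3372 was double-quoted; a release or override name that starts with a YAML indicator or contains `: ` would break the rendered list. Quoting keeps the previous behaviour: `- "{{ index .Values "mariadb-galera" "nameOverride" }}"` and `- "{{ include "common.release" . }}-{{ include "common.name" . }}-config-job"`. Note also that the local branch reads the subchart's `mariadb-galera.nameOverride` while the values files in this change expose `global.mariadbGalera.nameOverride` (e.g. L3393); whether the two are kept in sync is not visible here.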
mountPath: /dockerdata-nfs
mariadbGalera:
- #This flag allows Modeling to instantiate its own mariadb-galera cluster
+ #This flag allows SO to instantiate its own mariadb-galera cluster
+ #When changing it to "true", also set "globalCluster: false"
+ #as the dependency check will not work otherwise (Chart.yaml)
localCluster: false
+ globalCluster: true
service: mariadb-galera
internalPort: 3306
nameOverride: mariadb-galera
# Application configuration defaults.
#################################################################
# application image
-image: onap/msb/msb_apigateway:1.4.0
+image: onap/msb/msb_apigateway:1.6.0
pullPolicy: Always
istioSidecar: true
# Application configuration defaults.
#################################################################
# application image
-image: onap/msb/msb_apigateway:1.4.0
+image: onap/msb/msb_apigateway:1.6.0
pullPolicy: Always
istioSidecar: true
- name: mariadb-init
version: ~12.x-0
repository: '@local'
- condition: not global.mariadbGalera.localCluster
+ condition: global.mariadbGalera.globalCluster
- name: repositoryGenerator
version: ~12.x-0
repository: '@local'
nodePortPrefix: 302
mariadbGalera: &mariadbGalera
#This flag allows SO to instantiate its own mariadb-galera cluster
+ #When changing it to "true", also set "globalCluster: false"
+ #as the dependency check will not work otherwise (Chart.yaml)
localCluster: false
+ globalCluster: true
service: mariadb-galera
internalPort: 3306
nameOverride: mariadb-galera
# Copyright © 2019 Amdocs, Bell Canada
# Copyright (c) 2020 Nordix Foundation, Modifications
# Modifications Copyright © 2020-2021 Nokia
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# be aware that linkerd is not well tested
engine: "istio" # valid value: istio or linkerd
+ # Global Istio Authorization Policy configuration
+ authorizationPolicies:
+ enabled: false
+
# metrics part
# If enabled, exporters (for prometheus) will be deployed
# if custom resources set to yes, CRD from prometheus operartor will be
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"]
args: ["/opt/app/policy/pdpx/etc/mounted/config.json"]
- ports:
- - containerPort: {{ .Values.service.internalPort }}
+ ports: {{ include "common.containerPorts" . | nindent 12 }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{- if eq .Values.liveness.enabled true }}
# application image
repository: nexus3.onap.org:10001
-image: onap/testsuite:1.11.1
+image: onap/testsuite:1.12.1
pullPolicy: Always
ubuntuInitImage: oomk8s/ubuntu-init:2.0.0
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-backend-all-plugins:1.12.2
-backendInitImage: onap/sdc-backend-init:1.12.2
+image: onap/sdc-backend-all-plugins:1.12.3
+backendInitImage: onap/sdc-backend-init:1.12.3
pullPolicy: Always
# application image
repository: nexus3.onap.org:10001
-image: onap/sdc-cassandra:1.12.2
-cassandraInitImage: onap/sdc-cassandra-init:1.12.2
+image: onap/sdc-cassandra:1.12.3
+cassandraInitImage: onap/sdc-cassandra-init:1.12.3
pullPolicy: Always
config:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-frontend:1.12.2
+image: onap/sdc-frontend:1.12.3
pullPolicy: Always
config:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-onboard-backend:1.12.2
-onboardingInitImage: onap/sdc-onboard-cassandra-init:1.12.2
+image: onap/sdc-onboard-backend:1.12.3
+onboardingInitImage: onap/sdc-onboard-cassandra-init:1.12.3
pullPolicy: Always
# flag to enable debugging - application support required
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-workflow-backend:1.11.1
-configInitImage: onap/sdc-workflow-init:1.11.1
+image: onap/sdc-workflow-backend:1.12.0
+configInitImage: onap/sdc-workflow-init:1.12.0
pullPolicy: Always
initJob:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-workflow-frontend:1.11.1
+image: onap/sdc-workflow-frontend:1.12.0
pullPolicy: Always
# flag to enable debugging - application support required
asdc-connections:
asdc-controller1:
user: mso
- consumerGroup: {{ .Values.config.kafka.sdcTopic.consumerGroup }}
- consumerId: {{ .Values.config.kafka.sdcTopic.clientId }}
+ {{ with (first .Values.kafkaUser.acls) }}
+ consumerId: {{ .name }}-sdc-controller
+ consumerGroup: {{ .name }}
+ {{ end }}
environmentName: AUTO
sdcAddress: sdc-be.{{ include "common.namespace" . }}:8080
password: {{ index .Values "mso" "asdc-connections" "asdc-controller1" "password" }}
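Review bot: `{{ with (first .Values.kafkaUser.acls) }}` at L3510 ties `consumerGroup` and `consumerId` to whichever ACL entry happens to be listed first in values, so reordering the `kafkaUser.acls` list (L3617-3623) would silently turn the consumer group into the topic prefix `SDC-DISTR` and the consumer would no longer be authorized. Selecting the entry by type rather than by position removes the dependency: iterate the list with `{{- range .Values.kafkaUser.acls }}{{- if eq .type "group" }}` and emit the two keys inside. At minimum the values list needs a comment such as `# the first entry must be the consumer group; sdc-controller derives consumerGroup/consumerId from it` (hunk L3597-3627).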
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }}
- name: DB_ADMIN_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }}
- - name: SECURITY_PROTOCOL
- value: {{ .Values.config.kafka.securityProtocol }}
- - name: SASL_MECHANISM
- value: {{ .Values.config.kafka.saslMechanism }}
- name: SASL_JAAS_CONFIG
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-sdc-kafka-secret" "key" "sasl.jaas.config") | indent 10 }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.name" . }}-ku
+ key: sasl.jaas.config
envFrom:
- configMapRef:
name: {{ include "common.fullname" . }}-configmap
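Review bot: The hunk drops the `SECURITY_PROTOCOL` and `SASL_MECHANISM` environment variables (L3520-3523) without a replacement in the visible lines, so the application's Kafka client must now obtain those settings elsewhere; the override file in this change (L3505-3516) shows no such keys, which is worth confirming before merge. The secret read at L3528 is `{{ include "common.name" . }}-ku`, i.e. the name Strimzi is expected to generate for the KafkaUser rendered by `common.kafkauser` at L3556; that coupling lives in two files, so a comment on the `secretKeyRef` would help, e.g. `# secret created by Strimzi for the KafkaUser rendered via common.kafkauser`.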
{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }}
+{{ include "common.kafkauser" . }}
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
- - uid: so-sdc-kafka-secret
- externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}'
- type: genericKV
- envs:
- - name: sasl.jaas.config
- value: '{{ .Values.config.someConfig }}'
- policy: generate
#secretsFilePaths: |
# - 'my file 1'
asdc-connections:
asdc-controller1:
password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F
-config:
- someConfig: blah
- kafka:
- securityProtocol: SASL_PLAINTEXT
- saslMechanism: SCRAM-SHA-512
- authType: simple
- sdcTopic:
- pattern: SDC-DIST
- consumerGroup: so
- clientId: SO-sdc-controller
replicaCount: 1
minReadySeconds: 10
containerPort: &containerPort 8085
logPath: ./logs/sdc/
app: sdc-controller
+
service:
type: ClusterIP
ports:
- name: http
port: *containerPort
+
updateStrategy:
type: RollingUpdate
maxUnavailable: 1
memory: 2Gi
cpu: 1000m
unlimited: {}
+
livenessProbe:
path: /manage/health
port: 8085
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
+
ingress:
enabled: false
+
nodeSelector: {}
tolerations: []
affinity: {}
+# Strimzi KafkaUser config
+kafkaUser:
+ acls:
+ - name: SO
+ type: group
+ operations: [Read]
+ - name: SDC-DISTR
+ type: topic
+ patternType: prefix
+ operations: [Read, Write]
+
#Pods Service Account
serviceAccount:
nameOverride: so-sdc-controller
{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# limitations under the License.
*/}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }}
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
auth: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456
defaultCloudOwner: onap
- soSdcListenerKafkaUser: so-sdc-list-user
-
readinessCheck:
wait_for:
jobs:
name: 'so'
port: 8080
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: consul-read
+ - serviceAccount: consul-server-read
+ - serviceAccount: nbi-read
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
mso:
adapters:
requestDb:
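Review bot: The `authorizedPrincipals` entries added at L3662-3667 carry no comment on how they are interpreted, yet `common.authorizationPolicy` (L2974-2978) prefixes the service account with the release name when `namespace` is absent or `onap`, and uses it verbatim otherwise. An operator copying an entry for a principal in another namespace, or writing a full service account name here, would get a principal string that never matches and a policy that silently denies. A short comment above the list would make the rule visible, e.g. `# serviceAccount is the unprefixed name; the release prefix is added unless namespace is set to something other than onap`.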
db:
<<: *dbSecrets
logConfigMapNamePrefix: '{{ include "common.release" . }}-so'
- config:
- jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.soSdcListenerKafkaUser }}'
so-sdnc-adapter:
enabled: true
--- /dev/null
+{{/*
+# Copyright (c) 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License..
+*/}}
+lowercaseOutputName: true
+rules:
+ - pattern: kafka.cruisecontrol<name=(.+)><>(\w+)
+ name: kafka_cruisecontrol_$1_$2
+ type: GAUGE
\ No newline at end of file
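Review bot: The license footer at L3693 ends in `limitations under the License..`, a doubled full stop that the other new rule files repeat (L3715, L3854) and that L3896 and L3929 introduce into existing headers in place of the correct text; the line should read `# limitations under the License.`. A second, stylistic point: the three new JMX-exporter rule files quote their regexes differently — the cruise-control and kafka files use plain scalars with single backslashes (`(\w+)` at L3697), whereas the zookeeper file double-quotes with escaped backslashes (`(\\d+)` at L3859). Both render the same regex, but one convention across the change would be easier to maintain.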
--- /dev/null
+{{/*
+# Copyright (c) 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License..
+*/}}
+lowercaseOutputName: true
+rules:
+ # Special cases and very specific rules
+ - pattern: kafka.server<type=(.+), name=(.+), clientId=(.+), topic=(.+), partition=(.*)><>Value
+ name: kafka_server_$1_$2
+ type: GAUGE
+ labels:
+ clientId: "$3"
+ topic: "$4"
+ partition: "$5"
+ - pattern: kafka.server<type=(.+), name=(.+), clientId=(.+), brokerHost=(.+), brokerPort=(.+)><>Value
+ name: kafka_server_$1_$2
+ type: GAUGE
+ labels:
+ clientId: "$3"
+ broker: "$4:$5"
+ - pattern: kafka.server<type=(.+), cipher=(.+), protocol=(.+), listener=(.+), networkProcessor=(.+)><>connections
+ name: kafka_server_$1_connections_tls_info
+ type: GAUGE
+ labels:
+ cipher: "$2"
+ protocol: "$3"
+ listener: "$4"
+ networkProcessor: "$5"
+ - pattern: kafka.server<type=(.+), clientSoftwareName=(.+), clientSoftwareVersion=(.+), listener=(.+), networkProcessor=(.+)><>connections
+ name: kafka_server_$1_connections_software
+ type: GAUGE
+ labels:
+ clientSoftwareName: "$2"
+ clientSoftwareVersion: "$3"
+ listener: "$4"
+ networkProcessor: "$5"
+ - pattern: "kafka.server<type=(.+), listener=(.+), networkProcessor=(.+)><>(.+):"
+ name: kafka_server_$1_$4
+ type: GAUGE
+ labels:
+ listener: "$2"
+ networkProcessor: "$3"
+ - pattern: kafka.server<type=(.+), listener=(.+), networkProcessor=(.+)><>(.+)
+ name: kafka_server_$1_$4
+ type: GAUGE
+ labels:
+ listener: "$2"
+ networkProcessor: "$3"
+ # Some percent metrics use MeanRate attribute
+ # Ex) kafka.server<type=(KafkaRequestHandlerPool), name=(RequestHandlerAvgIdlePercent)><>MeanRate
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)Percent\w*><>MeanRate
+ name: kafka_$1_$2_$3_percent
+ type: GAUGE
+ # Generic gauges for percents
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)Percent\w*><>Value
+ name: kafka_$1_$2_$3_percent
+ type: GAUGE
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)Percent\w*, (.+)=(.+)><>Value
+ name: kafka_$1_$2_$3_percent
+ type: GAUGE
+ labels:
+ "$4": "$5"
+ # Generic per-second counters with 0-2 key/value pairs
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)PerSec\w*, (.+)=(.+), (.+)=(.+)><>Count
+ name: kafka_$1_$2_$3_total
+ type: COUNTER
+ labels:
+ "$4": "$5"
+ "$6": "$7"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)PerSec\w*, (.+)=(.+)><>Count
+ name: kafka_$1_$2_$3_total
+ type: COUNTER
+ labels:
+ "$4": "$5"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)PerSec\w*><>Count
+ name: kafka_$1_$2_$3_total
+ type: COUNTER
+ # Generic gauges with 0-2 key/value pairs
+ - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.+), (.+)=(.+)><>Value
+ name: kafka_$1_$2_$3
+ type: GAUGE
+ labels:
+ "$4": "$5"
+ "$6": "$7"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.+)><>Value
+ name: kafka_$1_$2_$3
+ type: GAUGE
+ labels:
+ "$4": "$5"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)><>Value
+ name: kafka_$1_$2_$3
+ type: GAUGE
+ # Emulate Prometheus 'Summary' metrics for the exported 'Histogram's.
+ # Note that these are missing the '_sum' metric!
+ - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.+), (.+)=(.+)><>Count
+ name: kafka_$1_$2_$3_count
+ type: COUNTER
+ labels:
+ "$4": "$5"
+ "$6": "$7"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.*), (.+)=(.+)><>(\d+)thPercentile
+ name: kafka_$1_$2_$3
+ type: GAUGE
+ labels:
+ "$4": "$5"
+ "$6": "$7"
+ quantile: "0.$8"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.+)><>Count
+ name: kafka_$1_$2_$3_count
+ type: COUNTER
+ labels:
+ "$4": "$5"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.*)><>(\d+)thPercentile
+ name: kafka_$1_$2_$3
+ type: GAUGE
+ labels:
+ "$4": "$5"
+ quantile: "0.$6"
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)><>Count
+ name: kafka_$1_$2_$3_count
+ type: COUNTER
+ - pattern: kafka.(\w+)<type=(.+), name=(.+)><>(\d+)thPercentile
+ name: kafka_$1_$2_$3
+ type: GAUGE
+ labels:
+ quantile: "0.$4"
\ No newline at end of file
--- /dev/null
+{{/*
+# Copyright (c) 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License..
+*/}}
+lowercaseOutputName: true
+rules:
+ # replicated Zookeeper
+ - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+)><>(\\w+)"
+ name: "zookeeper_$2"
+ type: GAUGE
+ - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+)><>(\\w+)"
+ name: "zookeeper_$3"
+ type: GAUGE
+ labels:
+ replicaId: "$2"
+ - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+), name2=(\\w+)><>(Packets\\w+)"
+ name: "zookeeper_$4"
+ type: COUNTER
+ labels:
+ replicaId: "$2"
+ memberType: "$3"
+ - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+), name2=(\\w+)><>(\\w+)"
+ name: "zookeeper_$4"
+ type: GAUGE
+ labels:
+ replicaId: "$2"
+ memberType: "$3"
+ - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+), name2=(\\w+), name3=(\\w+)><>(\\w+)"
+ name: "zookeeper_$4_$5"
+ type: GAUGE
+ labels:
+ replicaId: "$2"
+ memberType: "$3"
\ No newline at end of file
{{/*
-# Copyright © 2021 Orange
+# Copyright (c) 2023 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
-# limitations under the License.
+# limitations under the License..
*/}}
-
+{{- if .Values.metrics.enabled }}
apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-aaf-keys
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/aaf/bath_config.csv").AsSecrets . | indent 2 }}
----
-{{ include "common.secretFast" . }}
+kind: ConfigMap
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+data: {{ tpl (.Files.Glob "resources/metrics/*").AsConfig . | nindent 2 }}
+{{ end }}
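Review bot: The metrics ConfigMap at L3915–L3917 renders only when `.Values.metrics.enabled` is true, but its keys `kafka-metrics-config.yml`, `zookeeper-metrics-config.yml` and `cruisecontrol-metrics-config.yml` are referenced from the Kafka resource (hunk ending at L4060) under `.Values.metrics.kafkaExporter.enabled` and `.Values.cruiseControl.enabled` respectively, so enabling either of those with `metrics.enabled: false` produces a `configMapKeyRef` to a ConfigMap that was never rendered and the cluster will presumably fail to reconcile (assuming `common.resourceMetadata` names it `common.fullname`, as the references expect). Gate the ConfigMap on the union of its consumers, e.g. `{{- if or .Values.metrics.enabled .Values.metrics.kafkaExporter.enabled .Values.cruiseControl.enabled }}`, or state in values.yaml that `metrics.enabled` must be set whenever either consumer is enabled. Minor: the closing `{{ end }}` lacks the whitespace trim used by `{{- end }}` in the sibling templates, and the license trailer reads `License..` (doubled period) here and in the headers at L3854, L3929 and L3971.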
{{/*
-# Copyright © 2022 Nordix Foundation
+# Copyright (c) 2023 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
-# limitations under the License.
+# limitations under the License..
*/}}
+{{- if .Values.cruiseControl.kafkaRebalance.enabled }}
apiVersion: kafka.strimzi.io/v1beta2
-kind: KafkaUser
+kind: KafkaRebalance
metadata:
- name: {{ include "common.release" . }}-{{ .Values.global.soSdcListenerKafkaUser }}
+ name: {{ include "common.fullname" . }}-kafka-rebalance
labels:
strimzi.io/cluster: {{ include "common.release" . }}-strimzi
-spec:
- authentication:
- type: {{ .Values.config.kafka.saslMechanism | lower }}
- authorization:
- type: {{ .Values.config.kafka.authType }}
- acls:
- - resource:
- type: group
- name: {{ .Values.config.kafka.sdcTopic.consumerGroup }}
- operation: All
- - resource:
- type: topic
- patternType: prefix
- name: {{ .Values.config.kafka.sdcTopic.pattern }}
- operation: All
+spec: {}
+{{- end }}
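Review bot: The KafkaRebalance at L3931–L3955 is guarded only by `.Values.cruiseControl.kafkaRebalance.enabled`, whereas Cruise Control itself is added to the Kafka resource under `.Values.cruiseControl.enabled` (hunk ending at L4060); with the first true and the second false the resource is created for a cluster that, as far as I understand Strimzi, has no Cruise Control to act on it and sits unreconciled. Tightening the guard to `{{- if and .Values.cruiseControl.enabled .Values.cruiseControl.kafkaRebalance.enabled }}` keeps the two in step. `spec: {}` at L3955 also deserves a one-line comment, e.g. `# empty spec: presumably relies on the default goals configured for Cruise Control on the cluster`, so the next reader does not take it for a placeholder.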
--- /dev/null
+{{/*
+# Copyright (c) 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License..
+*/}}
+{{- if .Values.metrics.podMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ include "common.fullname" . }}-podmonitor
+ ## podMonitor labels for prometheus to pick up the podMonitor
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.PodMonitor
+ ##
+ # labels:
+ # prometheus: kube-prometheus
+ labels: {{- toYaml $.Values.metrics.podMonitor.labels | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ strimzi.io/cluster: {{ include "common.release" . }}-strimzi
+ podMetricsEndpoints:
+ - port: {{ .Values.metrics.podMonitor.port }}
+ {{- if .Values.metrics.podMonitor.relabelings }}
+ ## RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+ ## Value is evalued as a template
+ relabelings: {{- toYaml .Values.metrics.podMonitor.relabelings | nindent 6 }}
+ {{- end }}
+ {{- if .Values.metrics.podMonitor.metricRelabelings }}
+ metricRelabelings: {{- toYaml .Values.metrics.podMonitor.metricRelabelings | nindent 6 }}
+ ## MetricRelabelConfigs to apply to samples before ingestion
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+ ## Value is evalued as a template
+ {{- end }}
+{{- end }}
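Review bot: The comments at L3993 and L4000 claim the value "is evalued as a template", but `relabelings` and `metricRelabelings` are rendered with `toYaml` alone and never passed through `tpl`, so any template syntax in those values is copied verbatim; either drop that sentence or render with `tpl (toYaml .Values.metrics.podMonitor.relabelings) $`. The `metricRelabelings` comment block (L3998–L4000) is also placed after the key it documents, while the `relabelings` comments precede theirs (L3991–L3993); move it above L3997 and fix the typo to "evaluated". The leftover `# labels:` / `# prometheus: kube-prometheus` sample at L3981–L3982 duplicates what the values file documents and could be reduced to the `ref:` line.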
size: {{ .Values.persistence.kafka.size }}
deleteClaim: true
class: {{ include "common.storageClass" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistence.kafka) }}
+ {{- if .Values.metrics.kafkaExporter.enabled }}
+ metricsConfig:
+ type: {{ .Values.metrics.kafkaExporter.metricsConfig.type }}
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "common.fullname" . }}
+ key: kafka-metrics-config.yml
+ {{- end }}
zookeeper:
template:
pod:
size: {{ .Values.persistence.zookeeper.size }}
deleteClaim: true
class: {{ include "common.storageClass" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistence.zookeeper) }}
+ {{- if .Values.metrics.kafkaExporter.enabled }}
+ metricsConfig:
+ type: {{ .Values.metrics.kafkaExporter.metricsConfig.type }}
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "common.fullname" . }}
+ key: zookeeper-metrics-config.yml
+ {{- end }}
entityOperator:
topicOperator: {}
userOperator: {}
-
+ {{- if .Values.cruiseControl.enabled }}
+ cruiseControl:
+ metricsConfig:
+ type: {{ .Values.cruiseControl.metricsConfig.type }}
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "common.fullname" . }}
+ key: cruisecontrol-metrics-config.yml
+ {{- end }}
+ {{- if .Values.metrics.kafkaExporter.enabled }}
+ kafkaExporter:
+ topicRegex: {{ .Values.metrics.kafkaExporter.topicRegex }}
+ groupRegex: {{ .Values.metrics.kafkaExporter.groupRegex }}
+ resources:
+ requests:
+ cpu: {{ .Values.metrics.kafkaExporter.resources.requests.cpu }}
+ memory: {{ .Values.metrics.kafkaExporter.resources.requests.memory }}
+ limits:
+ cpu: {{ .Values.metrics.kafkaExporter.resources.limits.cpu }}
+ memory: {{ .Values.metrics.kafkaExporter.resources.limits.memory }}
+ logging: {{ .Values.metrics.kafkaExporter.logging }}
+ enableSaramaLogging: {{ .Values.metrics.kafkaExporter.enableSaramaLogging }}
+ readinessProbe:
+ initialDelaySeconds: {{ .Values.metrics.kafkaExporter.readinessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.metrics.kafkaExporter.readinessProbe.timeoutSeconds }}
+ livenessProbe:
+ initialDelaySeconds: {{ .Values.metrics.kafkaExporter.livenessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.metrics.kafkaExporter.livenessProbe.timeoutSeconds }}
+ {{- end }}
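Review bot: `topicRegex` and `groupRegex` at L4043–L4044 are emitted as plain scalars, so a value beginning with `*` (alias sigil) or containing `: ` or ` #` breaks the rendered manifest; the default `".*"` only survives because it starts with a dot. Render them quoted: `topicRegex: {{ .Values.metrics.kafkaExporter.topicRegex | quote }}` and `groupRegex: {{ .Values.metrics.kafkaExporter.groupRegex | quote }}`. The `logging:` and `enableSaramaLogging:` lines at L4052–L4053 pass through whatever the chart defaults supply, which later in this diff are `debug` and `true`; shipping that verbosity as the default is worth a comment at minimum. The enclosing Kafka resource starts before this hunk.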
exposedPort: *advertizedPortBroker2
exposedProtocol: TLS
+# Kafka Exporter for metrics
+metrics:
+ enabled: false
+ kafkaExporter:
+ enabled: false
+ metricsConfig:
+ type: jmxPrometheusExporter
+ topicRegex: ".*"
+ groupRegex: ".*"
+ resources:
+ requests:
+ cpu: 2000m
+ memory: 640Mi
+ limits:
+ cpu: 5000m
+ memory: 1280Mi
+ logging: debug
+ enableSaramaLogging: true
+ readinessProbe:
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ livenessProbe:
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ podMonitor:
+ # Prometheus pre requisite. Currently an optional addon in the OOM docs
+ enabled: false
+ # default port for strimzi metrics
+ port: "tcp-prometheus"
+ # podMonitor labels for prometheus to pick up the podMonitor
+ # dummy value
+ labels:
+ release: dummy
+ relabelings: []
+ metricRelabelings: []
+
+cruiseControl:
+## Cruise Control provides a Kafka metrics reporter implementation
+## once installed into the Kafka brokers, filters and records a wide range of metrics provided by the brokers themselves.
+## pre requisite is having 2 or more broker nodes
+ enabled: false
+ metricsConfig:
+ type: jmxPrometheusExporter
+ ## Custom resource for Kafka that can rebalance your cluster
+ # ref. https://strimzi.io/blog/2020/06/15/cruise-control/
+ kafkaRebalance:
+ enabled: false
+
######################
# Component overrides
######################
"path":"/iui/usecaseui",
"protocol": "REST",
"visualRange":"1",
- "port": "{{ .Values.service.port }}",
+ "port": "{{ include "common.getPort" (dict "global" . "name" "http" "getPlain" true) }}",
+ "enable_ssl": false
}
]{{ end }}
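Review bot: `"enable_ssl": false` at L4119 (and L4128 in the next hunk) hard-codes the MSB registration as plaintext while the port is now resolved via `common.getPort` with `getPlain` true; the two agree today, but nothing ties them together, so re-enabling TLS on the service later would leave MSB routing to a plain port without anyone noticing. A short comment such as `{{/* MSB registration is plaintext on purpose: the UI port is served without TLS — confirm termination happens upstream */}}` records the intent, and if TLS ever becomes conditional again both values should be derived from the same condition. The JSON array these entries belong to opens before the hunk.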
"path":"/iui/usecaseui",
"protocol": "UI",
"visualRange":"1",
- "port": "http",
- "port": "{{ include "common.getPort" (dict "global" . "name" "http" "getPlain" true) }}"
+ "port": "{{ include "common.getPort" (dict "global" . "name" "http" "getPlain" true) }}",
+ "enable_ssl": false
}
]{{ end }}
[testenv:spelling]
basepython = python3.8
-whitelist_externals = wget
+allowlist_externals = wget
deps =
-r{toxinidir}/requirements.txt
-chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt
[testenv:checkbashisms]
deps =
-whitelist_externals =
+allowlist_externals =
{toxinidir}/.ci/check-bashisms.sh
commands =
{toxinidir}/.ci/check-bashisms.sh
[testenv:shellcheck]
basepython = python3
deps = shellcheck-py
-whitelist_externals = find
+allowlist_externals = find
commands =
find . -not -path '*/\.*' -name *.sh -exec shellcheck \{\} +
-r{toxinidir}/requirements.txt
-chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt
-chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt
-whitelist_externals = find
+allowlist_externals = find
commands =
find kubernetes/ TOSCA/ docs/ -name *.py -exec pylint --max-line-length=120 --disable=missing-docstring --method-rgx="(([a-z_][a-zA-Z0-9_]{2,})|(_[a-z0-9_]*)|(__[a-zA-Z][a-zA-Z0-9_]+__))$" --variable-rgx="[a-zA-Z_][a-zA-Z0-9_]{1,30}$" --reports=y --score=y --output-format=colorized \{\} +