# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2021 Orange
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
apiVersion: v2
description: Common templates for inclusion in other charts
name: common
-version: 13.2.1
+version: 13.2.3
{{/*
-# Copyright © 2022 Deutsche Telekom AG
+# Copyright © 2022-2024 Deutsche Telekom AG
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
endpoint:
address: 0.0.0.0
{{- end }}
+ podSecurityContext:
+ fsGroup: 1001
+ runAsGroup: 1001
+ runAsUser: 1001
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ initContainerSecurityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
{{- end }}
{{ if .Values.k8ssandraOperator.stargate.enabled -}}
stargate:
name: {{ $datacenter.name }}
size: {{ $datacenter.size }}
{{- end }}
+ initContainers:
+ - name: server-config-init-base
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ - name: server-config-init
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ containers:
+ - name: cassandra
+ securityContext:
+ allowPrivilegeEscalation: false
+ #readOnlyRootFilesystem: true
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ - name: server-system-logger
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
podSecurityContext:
fsGroup: 999
runAsGroup: 999
{{- end -}}
{{- end -}}
+{{/*
+ Calculate if we require a sidecar killer.
+*/}}
+{{- define "common.requireSidecarKiller" -}}
+{{- if (include "common.onServiceMesh" .) }}
+{{- if eq .Values.global.serviceMesh.engine "istio" }}
+{{- if not (default false .Values.global.serviceMesh.nativeSidecars) -}}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
{{/*
Kills the sidecar proxy associated with a pod.
*/}}
{{- define "common.serviceMesh.killSidecar" -}}
-{{- if (include "common.onServiceMesh" .) }}
+{{- if (include "common.requireSidecarKiller" .) }}
RCODE="$?";
echo "*** script finished with exit code $RCODE" ;
echo "*** killing service mesh sidecar" ;
{{- define "common.waitForJobContainer" -}}
{{- $dot := default . .dot -}}
{{- $wait_for_job_container := default $dot.Values.wait_for_job_container .wait_for_job_container -}}
-{{- if (include "common.onServiceMesh" .) }}
+{{- if (include "common.requireSidecarKiller" .) }}
- name: {{ include "common.name" $dot }}{{ ternary "" (printf "-%s" $wait_for_job_container.name) (empty $wait_for_job_container.name) }}-service-mesh-wait-for-job-container
image: {{ include "repositoryGenerator.image.quitQuit" $dot }}
imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
# Copyright © 2018 Amdocs, Bell Canada
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
apiVersion: v2
description: Chart for MariaDB Galera init job
name: mariadb-init
-version: 13.0.1
+version: 13.0.2
dependencies:
- name: common
--- /dev/null
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
+components/
--- /dev/null
+# Copyright © 2024 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v2
+description: Chart for MongoDB init job
+name: mongodb-init
+version: 13.0.2
+
+dependencies:
+ - name: common
+ version: ~13.x-0
+ repository: '@local'
+ - name: repositoryGenerator
+ version: ~13.x-0
+ repository: '@local'
+ - name: readinessCheck
+ version: ~13.x-0
+ repository: '@local'
+ - name: serviceAccount
+ version: ~13.x-0
+ repository: '@local'
--- /dev/null
+# mongodb-init
+
+## Introduction
+
+Initialization scripts for mongo database.
+
+- not part of ONAP OOM yet
+
+## Requirements
+
+mongodb-init needs the following ONAP projects to work:
+
+- common/common
+- common/repositoryGenerator
+- common/serviceAccount
+- common/readinessCheck
--- /dev/null
+// Database Setup
+use ${MONGO_DATABASE}
+
+// UserCreation Setup
+db.createUser(
+ {
+ user: "${MONGODB_USER}",
+ pwd: "${MONGODB_PASSWORD}",
+ roles: [ { role: "readWrite", db: "${MONGO_DATABASE}" } ]
+ }
+)
--- /dev/null
+{{/*
+# Copyright © 2024 Deutsche Telekom
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
--- /dev/null
+{{/*
+# Copyright © 2024 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "common.fullname" . }}-config-job
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+spec:
+ backoffLimit: 20
+ template:
+ metadata:
+ labels:
+ app: {{ include "common.name" . }}
+ release: {{ include "common.release" . }}
+ name: {{ include "common.name" . }}
+ spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
+ initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }}
+ - name: {{ include "common.name" . }}-update-config
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ function prepare_password {
+ echo -n $1 | sed -e "s/'/''/g"
+ }
+ export MONGODB_PASSWORD=`prepare_password $MONGODB_PASSWORD_INPUT`;
+ export MONGODB_ROOT_PASSWORD=`prepare_password $MONGODB_ROOT_PASSWORD_INPUT`;
+ export MONGODB_USER=`prepare_password $MONGODB_USER_INPUT`;
+ export MONGODB_ROOT_USER=`prepare_password $MONGODB_ROOT_USER_INPUT`;
+ {{- if include "common.onServiceMesh" . }}
+ echo "waiting 15s for istio side cars to be up"; sleep 15s;
+ {{- end }}
+ cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done;
+ env:
+ - name: MONGODB_HOST
+ value: "{{ .Values.global.mongodb.service.name }}"
+ - name: MONGODB_USER_INPUT
+ #value: "{{ .Values.config.mgUserName }}"
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" .Values.config.mgDatabase "key" "login") | indent 10 }}
+ - name: MONGODB_PASSWORD_INPUT
+ #value: "{{ .Values.config.mgUserPassword }}"
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" .Values.config.mgDatabase "key" "password") | indent 10 }}
+ - name: MONGO_DATABASE
+ value: "{{ .Values.config.mgDatabase }}"
+ - name: MONGODB_ROOT_USER_INPUT
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" .Values.config.mgRootUserKey) | indent 10 }}
+ - name: MONGODB_ROOT_PASSWORD_INPUT
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" .Values.config.mgRootPasswordKey) | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input/setup.sql
+ name: config
+ subPath: setup.sql
+ - mountPath: /config
+ name: mgconf
+ containers:
+ - name: {{ include "common.name" . }}-setup-db
+ image: {{ include "repositoryGenerator.image.mongodbImage" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ function prepare_password {
+ echo -n $1 | sed -e "s/'/''/g"
+ }
+ export MONGODB_ROOT_USER=`prepare_password $MONGODB_ROOT_USER_INPUT`;
+ export MONGODB_ROOT_PASSWORD=`prepare_password $MONGODB_ROOT_PASSWORD_INPUT`;
+ mongosh "mongodb://${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$MONGODB_HOST" < /config/setup.sql
+ env:
+ - name: MONGODB_HOST
+ value: "{{ .Values.global.mongodb.service.name }}"
+ - name: MONGODB_ROOT_USER_INPUT
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" "MONGODB_DATABASE_ADMIN_USER") | indent 10 }}
+ - name: MONGODB_ROOT_PASSWORD_INPUT
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" "MONGODB_DATABASE_ADMIN_PASSWORD") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input/setup.sql
+ name: config
+ subPath: setup.sql
+ - mountPath: /config
+ name: mgconf
+ resources: {{ include "common.resources" . | nindent 10 }}
+ {{ include "common.waitForJobContainer" . | indent 6 | trim }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 10 }}
+ {{- end -}}
+ {{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | indent 10 }}
+ {{- end }}
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
+ volumes:
+ - name: config
+ configMap:
+ name: {{ include "common.fullname" . }}
+ - name: mgconf
+ emptyDir:
+ medium: Memory
+ sizeLimit: 64Mi
+ restartPolicy: Never
+ imagePullSecrets:
+ - name: "{{ include "common.namespace" . }}-docker-registry-key"
--- /dev/null
+{{/*
+# ## Copyright © 2024 Deutsche Telekom
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# # http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+*/}}
+{{ include "common.secretFast" . }}
--- /dev/null
+# Copyright © 2024 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+global:
+ mongodb:
+ service:
+ name: mgset
+ container:
+ name: mongodb
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: '{{ include "common.mongodb.secret.rootPassUID" . }}'
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.config.mgExternalSecret) . }}'
+ password: '{{ .Values.config.mgRootPasswordKey }}'
+ - uid: '{{ .Values.config.mgDatabase }}'
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.config.mgUserExternalSecret) . }}'
+ login: '{{ .Values.config.mgUserName }}'
+ password: '{{ .Values.config.mgUserPassword }}'
+
+#################################################################
+# Application configuration defaults.
+#################################################################
+
+pullPolicy: Always
+
+# application configuration
+config:
+ mgUserName: testuser
+ mgUserPassword: testuser123
+ mgDatabase: testdb
+ mgDataPath: data
+ #mgRootPasswordExternalSecret: '{{ include "common.namespace" . }}-mongodb-db-root-password'
+ mgExternalSecret: '{{ include "common.name" . }}-mongo-secrets'
+ mgRootUserKey: MONGODB_DATABASE_ADMIN_USER
+ mgRootPasswordKey: MONGODB_DATABASE_ADMIN_PASSWORD
+ mgUserExternalSecret: '{{ include "common.release" . }}-{{ include "common.name" . }}-mg-secret'
+
+nodeSelector: {}
+
+affinity: {}
+
+flavor: small
+
+#resources: {}
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+#
+# Example:
+# Configure resource requests and limits
+# ref: http://kubernetes.io/docs/user-guide/compute-resources/
+# Minimum memory for development is 2 CPU cores and 4GB memory
+# Minimum memory for production is 4 CPU cores and 8GB memory
+resources:
+ small:
+ limits:
+ cpu: "100m"
+ memory: "0.3Gi"
+ requests:
+ cpu: "10m"
+ memory: "0.09Gi"
+ large:
+ limits:
+ cpu: "2"
+ memory: "4Gi"
+ requests:
+ cpu: "1"
+ memory: "2Gi"
+ unlimited: {}
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: mongodb-init
+ roles:
+ - read
+
+securityContext:
+ user_id: 100
+ group_id: 65533
+
+readinessCheck:
+ wait_for:
+ services:
+ - '{{ .Values.global.mongodb.service.name }}'
+
+wait_for_job_container:
+ containers:
+ - '{{ include "common.name" . }}-setup-db'
apiVersion: v2
description: Chart for Postgres init job
name: postgres-init
-version: 13.0.1
+version: 13.0.2
dependencies:
# Copyright © 2017 Amdocs, Bell Canada
# Copyright © 2021 AT&T
# Modifications Copyright (C) 2021 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
{{- include "repositoryGenerator.image._helper" (merge (dict "image" "nginxImage") .) }}
{{- end -}}
+{{- define "repositoryGenerator.image.mongodbImage" -}}
+ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "mongodbImage") .) }}
+{{- end -}}
+
{{- define "repositoryGenerator.image.postgres" -}}
{{- include "repositoryGenerator.image._helper" (merge (dict "image" "postgresImage") .) }}
{{- end -}}
kubectlImage: bitnami/kubectl:1.22.4
loggingImage: beats/filebeat:5.5.0
mariadbImage: bitnami/mariadb:10.5.8
+ mongodbImage: percona/percona-server-mongodb:7.0.5-3
nginxImage: bitnami/nginx:1.21.4
postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1
readinessImage: onap/oom/readiness:6.0.3
kubectlImage: dockerHubRepository
loggingImage: elasticRepository
mariadbImage: dockerHubRepository
+ mongodbImage: dockerHubRepository
nginxImage: dockerHubRepository
postgresImage: dockerHubRepository
readinessImage: repository
# mariadb client image
mariadbImage: bitnami/mariadb:10.5.8
+ # mongodb server image
+
+ mongodbImage: percona/percona-server-mongodb:7.0.5-3
+
# nginx server image
nginxImage: bitnami/nginx:1.21.4
tls: true
# be aware that linkerd is not well tested
engine: "istio" # valid value: istio or linkerd
+ # if nativeSidecars are enabled in Istio, this value can be set to "true"
+ # and will disable the deployment of sidecar killer containers in jobs
+ nativeSidecars: false
# Global Istio Authorization Policy configuration
authorizationPolicies:
Code Review / oom.git / commitdiff