[AAI] Fix Kyverno Policy violations

- Refactored code for readiness check and use library readinessCheck
- Fixed securityContext settings
- Limit emptyVolume size and make it configurable
- Important: Need to use aai-haproxy docker image version >= 1.15.2
- Refactore meta labels and use common.labels instead

Issue-ID: AAI-4044
Change-Id: I346316e64cb67222836951cf12b3772bbf509c6a
Signed-off-by: Andreas Seelinger <andreas.seelinger@accenture.com>

diff --git a/kubernetes/aai/Chart.yaml b/kubernetes/aai/Chart.yaml
index 351f01a..7707833 100644 (file)
--- a/kubernetes/aai/Chart.yaml
+++ b/kubernetes/aai/Chart.yaml
@@ -18,7 +18,7 @@
 apiVersion: v2
 description: ONAP Active and Available Inventory
 name: aai
-version: 15.0.0
+version: 15.0.1
 
 dependencies:
   - name: common
@@ -34,6 +34,9 @@ dependencies:
   - name: repositoryGenerator
     version: ~13.x-0
     repository: '@local'
+  - name: readinessCheck
+    version: ~13.x-0
+    repository: '@local'
   - name: aai-babel
     version: ~15.x-0
     repository: 'file://components/aai-babel'

diff --git a/kubernetes/aai/components/aai-babel/Chart.yaml b/kubernetes/aai/components/aai-babel/Chart.yaml
index d578306..2d0a78b 100644 (file)
--- a/kubernetes/aai/components/aai-babel/Chart.yaml
+++ b/kubernetes/aai/components/aai-babel/Chart.yaml
@@ -18,7 +18,7 @@
 apiVersion: v2
 description: Babel microservice
 name: aai-babel
-version: 15.0.0
+version: 15.0.1
 
 dependencies:
   - name: common

diff --git a/kubernetes/aai/components/aai-babel/templates/configmap.yaml b/kubernetes/aai/components/aai-babel/templates/configmap.yaml
index baee38c..39d494a 100644 (file)
--- a/kubernetes/aai/components/aai-babel/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-babel/templates/configmap.yaml
@@ -21,10 +21,6 @@ kind: ConfigMap
 metadata:
   name: {{ include "common.fullname" . }}-configmap
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 data:
 {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}

diff --git a/kubernetes/aai/components/aai-babel/templates/deployment.yaml b/kubernetes/aai/components/aai-babel/templates/deployment.yaml
index f3fc04c..782ed12 100644 (file)
--- a/kubernetes/aai/components/aai-babel/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml
@@ -38,10 +38,12 @@ spec:
   template:
     metadata: {{- include "common.templateMetadata" . | nindent 6 }}
     spec:
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
       containers:
         - name: {{ include "common.name" . }}
           image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          {{ include "common.containerSecurityContext" . | indent 10 | trim }}
           ports:
             {{- if .Values.debug.enabled }}
             - containerPort: {{ .Values.debug.port }}
@@ -99,6 +101,10 @@ spec:
           - mountPath: /opt/app/babel/config/logback.xml
             name: config
             subPath: logback.xml
+          - mountPath: /opt/app/babel/logs
+            name: babel-logs
+          - mountPath: /tmp
+            name: tmp
           resources: {{ include "common.resources" . | nindent 12 }}
       {{- if .Values.nodeSelector }}
       nodeSelector:
@@ -120,7 +126,14 @@ spec:
           secret:
             secretName: {{ include "common.fullname" . }}-babel-secrets
         - name: logs
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: {{ .Values.volumes.artifactDataSizeLimit }}
+        - name: tmp
+          emptyDir:
+            sizeLimit: {{ .Values.volumes.tmpSizeLimit }}
+        - name: babel-logs
+          emptyDir:
+            sizeLimit: {{ .Values.volumes.babelLogsSizeLimit }}
         {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }}
 
       {{- include "common.imagePullSecrets" . | nindent 6 }}

diff --git a/kubernetes/aai/components/aai-babel/templates/secrets.yaml b/kubernetes/aai/components/aai-babel/templates/secrets.yaml
index 9d7d2c5..3f2b97c 100644 (file)
--- a/kubernetes/aai/components/aai-babel/templates/secrets.yaml
+++ b/kubernetes/aai/components/aai-babel/templates/secrets.yaml
@@ -21,11 +21,7 @@ kind: Secret
 metadata:
   name: {{ include "common.fullname" . }}-babel-secrets
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }}

diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml
index c07b124..2a57bb2 100644 (file)
--- a/kubernetes/aai/components/aai-babel/values.yaml
+++ b/kubernetes/aai/components/aai-babel/values.yaml
@@ -144,3 +144,15 @@ log:
   level:
     root: INFO
 logConfigMapNamePrefix: '{{ include "common.fullname" . }}'
+
+volumes:
+  artifactDataSizeLimit: 50Mi
+  babelLogsSizeLimit: 100Mi
+  tmpSizeLimit: 100Mi
+
+securityContext:
+  user_id: 1000
+  group_id: 101
+
+podAnnotations:
+  checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'

diff --git a/kubernetes/aai/components/aai-graphadmin/Chart.yaml b/kubernetes/aai/components/aai-graphadmin/Chart.yaml
index 1264d73..1331541 100644 (file)
--- a/kubernetes/aai/components/aai-graphadmin/Chart.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/Chart.yaml
@@ -22,7 +22,7 @@
 apiVersion: v2
 description: ONAP AAI GraphAdmin
 name: aai-graphadmin
-version: 15.0.0
+version: 15.0.1
 
 dependencies:
   - name: common

diff --git a/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml b/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml
index 4e9bf7f..04692fe 100644 (file)
--- a/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml
@@ -17,7 +17,7 @@ apiVersion: kafka.strimzi.io/v1beta2
 kind: KafkaUser
 metadata:
   name: {{ include "common.release" . }}-{{ .Values.global.aaiGraphKafkaUser }}
-  labels:
+  labels: {{- include "common.labels" . | nindent 4 }}
     strimzi.io/cluster: {{ include "common.release" . }}-strimzi
 spec:
   authentication:

diff --git a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml
index ddf752b..1a32d7b 100644 (file)
--- a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml
@@ -25,11 +25,7 @@ kind: ConfigMap
 metadata:
   name: {{ include "common.fullname" . }}
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
   {{- if .Values.global.jobs.migration.enabled }}
   annotations:
     "helm.sh/hook": pre-upgrade,pre-install
@@ -47,11 +43,7 @@ kind: ConfigMap
 metadata:
   name: {{ include "common.fullname" . }}-properties
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
   {{- if .Values.global.jobs.migration.enabled }}
   annotations:
     "helm.sh/hook": pre-upgrade,pre-install
@@ -68,11 +60,7 @@ kind: ConfigMap
 metadata:
   name: {{ include "common.fullname" . }}-migration
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-upgrade,pre-install
     "helm.sh/hook-weight": "0"

diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
index 6ac078b..991727d 100644 (file)
--- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
@@ -23,20 +23,7 @@
 */}}
 apiVersion: apps/v1
 kind: Deployment
-metadata:
-  name: {{ include "common.fullname" . }}
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    {{- if .Chart.AppVersion }}
-    version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-    {{- else }}
-    version: "{{ .Chart.Version | replace "+" "_" }}"
-    {{- end }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
 spec:
   {{- if .Values.config.debug.enabled }}
   replicas: 1
@@ -54,19 +41,7 @@ spec:
     matchLabels:
       app: {{ include "common.name" . }}
   template:
-    metadata:
-      labels:
-        app: {{ include "common.name" . }}
-        release: {{ include "common.release" . }}
-        app.kubernetes.io/name: {{ include "common.name" . }}
-        {{- if .Chart.AppVersion }}
-        version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-        {{- else }}
-        version: "{{ .Chart.Version | replace "+" "_" }}"
-        {{- end }}
-      name: {{ include "common.name" . }}
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+    metadata: {{- include "common.templateMetadata" . | nindent 6 }}
     spec:
       hostname: aai-graphadmin
       terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
@@ -207,11 +182,14 @@ spec:
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes:
       - name: tmp-volume
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.tmpSizeLimit }}
       - name: logs
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.logSizeLimit }}
       - name: script-logs
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.scriptlogSizeLimit }}
       {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
       - name: config
         configMap:

diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
index 3f0c4e1..1cc431c 100644 (file)
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
@@ -41,11 +41,7 @@ kind: Job
 metadata:
   name: {{ include "common.fullname" . }}-db-backup
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}-job
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-upgrade,pre-install
     "helm.sh/hook-weight": "2"
@@ -54,38 +50,19 @@ spec:
   backoffLimit: 20
   template:
     metadata:
-      labels:
-        app: {{ include "common.name" . }}-job
-        release: {{ include "common.release" . }}
+      labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }}
       name: {{ include "common.name" . }}
     spec:
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
       initContainers:
       {{- if eq .Values.global.jobs.migration.remoteCassandra.enabled false }}
-      - command:
-        - /bin/bash
-        - -c
-        - /app/ready.py --service-name {{ .Values.global.cassandra.serviceName }}
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        image: {{ include "repositoryGenerator.image.readiness" . }}
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        name: {{ include "common.name" . }}-db-backup-readiness
-        resources:
-          limits:
-            cpu: "100m"
-            memory: "500Mi"
-          requests:
-            cpu: "3m"
-            memory: "20Mi"
+      {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForCassandraService ) | indent 6 | trim}}
       {{- end }}
       containers:
       - name: {{ include "common.name" . }}-db-backup-job
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
         command:
         - sh
         args:

diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
index 5d7e9b6..19e62ae 100644 (file)
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
@@ -40,18 +40,12 @@ kind: Job
 metadata:
   name: {{ include "common.fullname" . }}-create-db-schema
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}-job
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }}
 spec:
   backoffLimit: 20
   template:
     metadata:
-      labels:
-        app: {{ include "common.name" . }}-job
-        release: {{ include "common.release" . }}
+      labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }}
       name: {{ include "common.name" . }}
     spec:
       initContainers:

diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
index 4ec2306..f6f2f8b 100644 (file)
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
@@ -41,11 +41,7 @@ kind: Job
 metadata:
   name: {{ include "common.fullname" . }}-migration
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}-job
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }}
   annotations:
     "helm.sh/hook": post-upgrade,post-rollback,post-install
     "helm.sh/hook-weight": "1"
@@ -54,35 +50,12 @@ spec:
   backoffLimit: 20
   template:
     metadata:
-      labels:
-        app: {{ include "common.name" . }}-job
-        release: {{ include "common.release" . }}
+      labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }}
       name: {{ include "common.name" . }}
     spec:
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
       initContainers:
-      - command:
-        - /app/ready.py
-        args:
-        - --service-name
-        - {{ .Values.global.cassandra.serviceName }}
-        - --service-name
-        - aai-schema-service
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        image: {{ include "repositoryGenerator.image.readiness" . }}
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        name: {{ include "common.name" . }}-readiness
-        resources:
-          limits:
-            cpu: "100m"
-            memory: "500Mi"
-          requests:
-            cpu: "3m"
-            memory: "20Mi"
+      {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForWithSchemaService) | indent 6 | trim }}
       - command:
         - sh
         args:
@@ -125,6 +98,7 @@ spec:
            echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
            sh docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ;
            {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
         volumeMounts:
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
           name: config
@@ -172,11 +146,7 @@ kind: Job
 metadata:
   name: {{ include "common.fullname" . }}-db-backup-job
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}-db-backup-job
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "db-backup-job") | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-upgrade,pre-install
     "helm.sh/hook-weight": "2"
@@ -185,9 +155,7 @@ spec:
   backoffLimit: 20
   template:
     metadata:
-      labels:
-        app: {{ include "common.name" . }}-db-backup-job
-        release: {{ include "common.release" . }}
+      labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "db-backup-job") | nindent 8 }}
       name: {{ include "common.name" . }}
     spec:
       initContainers:

diff --git a/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml b/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml
index 563b920..cd72d7f 100644 (file)
--- a/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml
@@ -16,16 +16,13 @@
 
 {{- if .Values.global.jobs.migration.enabled -}}
 {{- if eq "True" (include "common.needPV" .) -}}
+{{- if not .Values.persistence.storageClass -}}
 kind: PersistentVolume
 apiVersion: v1
 metadata:
   name: {{ include "common.fullname" . }}
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
-    release: "{{ include "common.release" . }}"
-    heritage: "{{ .Release.Service }}"
+  labels: {{- include "common.labels" . | nindent 4 }}
     name: {{ include "common.fullname" . }}
   annotations:
     "helm.sh/hook": pre-upgrade,pre-install
@@ -42,3 +39,4 @@ spec:
     path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath1 }}
 {{- end -}}
 {{- end -}}
+{{- end -}}

diff --git a/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml b/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml
index bf89006..19c1016 100644 (file)
--- a/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml
@@ -20,11 +20,7 @@ apiVersion: v1
 metadata:
   name: {{ include "common.fullname" . }}-migration
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ include "common.release" . }}"
-    heritage: "{{ .Release.Service }}"
+  labels: {{- include "common.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-upgrade,pre-install
     "helm.sh/hook-weight": "-1"

diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml
index 16924e9..b7c09cf 100644 (file)
--- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml
@@ -25,12 +25,7 @@ kind: Service
 metadata:
   name: {{ include "common.servicename" . }}
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:
@@ -58,6 +53,4 @@ spec:
     name: {{ .Values.service.actuatorPortName }}
     targetPort: {{ .Values.service.appPort }}
   {{- end}}
-  selector:
-    app: {{ include "common.name" . }}
-    release: {{ include "common.release" . }}
+  selector: {{- include "common.matchLabels" . | nindent 4 }}

diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml
index fab3423..a272775 100644 (file)
--- a/kubernetes/aai/components/aai-graphadmin/values.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/values.yaml
@@ -103,7 +103,7 @@ global: # global defaults
       clients: SDNC,-1|MSO,-1|SO,-1|robot-ete,-1
 
 # application image
-image: onap/aai-graphadmin:1.15.1
+image: onap/aai-graphadmin:1.15.2
 pullPolicy: Always
 restartPolicy: Always
 flavor: small
@@ -229,6 +229,23 @@ readinessCheck:
     services:
       - '{{ .Values.global.cassandra.serviceName }}'
       - aai-schema-service
+  waitForCassandra:
+    containers:
+      - aai-schema-service
+    apps:
+      - cassandra
+  waitForLocalCassandra:
+    containers:
+      - aai-schema-service
+    apps:
+      - aai-cassandra
+  waitForCassandraService:
+    services:
+      - '{{ .Values.global.cassandra.serviceName }}'
+  waitForWithSchemaService:
+    services:
+      - '{{ .Values.global.cassandra.serviceName }}'
+      - aai-schema-service
 
 service:
   type: ClusterIP
@@ -291,8 +308,8 @@ resources:
       cpu: "1"
       memory: "4Gi"
     requests:
-      cpu: "0.5"
-      memory: "1.6Gi"
+      cpu: "500m"
+      memory: "1600Mi"
   large:
     limits:
       cpu: "2"
@@ -319,9 +336,9 @@ metrics:
 
     selector:
       app: '{{ include "common.name" . }}'
-      chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
-      release: '{{ include "common.release" . }}'
-      heritage: '{{ .Release.Service }}'
+      helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+      app.kubernetes.io/instance: '{{ include "common.release" . }}'
+      app.kubernetes.io/managed-by: '{{ .Release.Service }}'
 
     relabelings: []
 
@@ -369,3 +386,11 @@ kafkaUser:
     - name: AAI-EVENT
       type: topic
       operations: [Read, Write]
+
+volumes:
+  logSizeLimit: 64Mi
+  scriptlogSizeLimit: 300Mi
+  tmpSizeLimit: 500Mi
+
+podAnnotations:
+  checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'

diff --git a/kubernetes/aai/components/aai-modelloader/Chart.yaml b/kubernetes/aai/components/aai-modelloader/Chart.yaml
index 23ce50a..2f56133 100644 (file)
--- a/kubernetes/aai/components/aai-modelloader/Chart.yaml
+++ b/kubernetes/aai/components/aai-modelloader/Chart.yaml
@@ -17,7 +17,7 @@
 apiVersion: v2
 description: ONAP AAI modelloader
 name: aai-modelloader
-version: 15.0.0
+version: 15.0.1
 
 dependencies:
   - name: common

diff --git a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml
index d3fd509..c298462 100644 (file)
--- a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml
@@ -19,11 +19,7 @@ kind: ConfigMap
 metadata:
   name: {{ include "common.fullname" . }}-prop
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 data:
 {{ tpl (.Files.Glob "resources/config/model-loader.properties").AsConfig . | indent 2 }}
 {{ tpl (.Files.Glob "resources/application.properties").AsConfig . | indent 2 }}
@@ -33,10 +29,6 @@ kind: ConfigMap
 metadata:
   name: {{ include "common.fullname" . }}-log
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 data:
 {{ tpl (.Files.Glob "resources/config/log/logback.xml").AsConfig . | indent 2 }}

diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
index 486ffba..f3753d0 100644 (file)
--- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
@@ -19,20 +19,7 @@
 
 apiVersion: apps/v1
 kind: Deployment
-metadata:
-  name: {{ include "common.fullname" . }}
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    {{- if .Chart.AppVersion }}
-    version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-    {{- else }}
-    version: "{{ .Chart.Version | replace "+" "_" }}"
-    {{- end }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
 spec:
   {{- if .Values.debug.enabled }}
   replicas: 1
@@ -51,17 +38,7 @@ spec:
     matchLabels:
       app: {{ include "common.name" . }}
   template:
-    metadata:
-      labels:
-        app: {{ include "common.name" . }}
-        release: {{ include "common.release" . }}
-        app.kubernetes.io/name: {{ include "common.name" . }}
-        {{- if .Chart.AppVersion }}
-        version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-        {{- else }}
-        version: "{{ .Chart.Version | replace "+" "_" }}"
-        {{- end }}
-      name: {{ include "common.name" . }}
+    metadata: {{- include "common.templateMetadata" . | nindent 6 }}
     spec:
       {{- if .Values.nodeSelector }}
       nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
@@ -69,10 +46,12 @@ spec:
       {{- if .Values.affinity }}
       affinity: {{ toYaml .Values.affinity | nindent 8 }}
       {{- end }}
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
       containers:
       - name: {{ include "common.name" . }}
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
         env:
         - name: CONFIG_HOME
           value: /opt/app/model-loader/config/
@@ -90,8 +69,8 @@ spec:
           value: {{ .Values.debug.args | quote }}
         {{- end }}
         ports:
-        - containerPort: 9500
-          name: http
+        - containerPort: {{ .Values.service.appPort }}
+          name: {{ .Values.service.appPortName }}
         {{- if .Values.debug.enabled }}
         - containerPort: {{ .Values.debug.port }}
           name: {{ .Values.debug.portName }}
@@ -109,6 +88,8 @@ spec:
           name: prop-config
         - mountPath: {{ .Values.log.path }}
           name: logs
+        - mountPath: /tmp
+          name: tmp
         - mountPath: /opt/app/model-loader/logback.xml
           name: log-config
           subPath: logback.xml
@@ -121,7 +102,11 @@ spec:
         configMap:
           name: {{ include "common.fullname" . }}-prop
       - name: logs
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.logSizeLimit }}
+      - name: tmp
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.tmpSizeLimit }}
       {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
       - name: log-config
         configMap:

diff --git a/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml b/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml
index 1eb564e..961a850 100644 (file)
--- a/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml
+++ b/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml
@@ -19,8 +19,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
   name: {{ include "common.fullname" . }}
-  labels:
-    {{- include "common.labels" . | nindent 4 }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 spec:
   selector:
     matchLabels:

diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml
index d76b1d3..6c8cdb7 100644 (file)
--- a/kubernetes/aai/components/aai-modelloader/values.yaml
+++ b/kubernetes/aai/components/aai-modelloader/values.yaml
@@ -74,17 +74,22 @@ nodeSelector: {}
 
 affinity: {}
 
+service:
+  # REST API port for the graphadmin microservice
+  appPortName: http
+  appPort: 9500
+
 # probe configuration parameters
 liveness:
-  initialDelaySeconds: 10
-  periodSeconds: 10
-  # necessary to disable liveness probe when setting breakpoints
-  # in debugger so K8s doesn't restart unresponsive container
   enabled: true
+  path: /healthz
+  periodSeconds: 10
+  initialDelaySeconds: 10
 
 readiness:
-  initialDelaySeconds: 10
+  path: /healthz
   periodSeconds: 10
+  initialDelaySeconds: 10
 
 resources:
   small:
@@ -92,7 +97,7 @@ resources:
       cpu: "1"
       memory: "4Gi"
     requests:
-      cpu: "0.5"
+      cpu: "500m"
       memory: "1Gi"
   large:
     limits:
@@ -135,3 +140,7 @@ log:
   level:
     root: INFO
 logConfigMapNamePrefix: '{{ include "common.fullname" . }}'
+
+volumes:
+  logSizeLimit: 64Mi
+  tmpSizeLimit: 100Mi

diff --git a/kubernetes/aai/components/aai-resources/Chart.yaml b/kubernetes/aai/components/aai-resources/Chart.yaml
index 7d7075e..c83a286 100644 (file)
--- a/kubernetes/aai/components/aai-resources/Chart.yaml
+++ b/kubernetes/aai/components/aai-resources/Chart.yaml
@@ -18,7 +18,7 @@
 apiVersion: v2
 description: ONAP AAI resources
 name: aai-resources
-version: 15.0.0
+version: 15.0.1
 
 dependencies:
   - name: common
@@ -30,3 +30,6 @@ dependencies:
   - name: serviceAccount
     version: ~13.x-0
     repository: '@local'
+  - name: readinessCheck
+    version: ~13.x-0
+    repository: '@local'
\ No newline at end of file

diff --git a/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml b/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml
index 6b703e7..f6063a0 100644 (file)
--- a/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml
+++ b/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml
@@ -17,7 +17,7 @@ apiVersion: kafka.strimzi.io/v1beta2
 kind: KafkaUser
 metadata:
   name: {{ include "common.release" . }}-{{ .Values.global.aaiKafkaUser }}
-  labels:
+  labels: {{- include "common.labels" . | nindent 4 }}
     strimzi.io/cluster: {{ include "common.release" . }}-strimzi
 spec:
   authentication:

diff --git a/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml b/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml
index ed1f8e3..29b191b 100644 (file)
--- a/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml
@@ -4,11 +4,7 @@ kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "common.fullname" . }}
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1

diff --git a/kubernetes/aai/components/aai-resources/templates/configmap.yaml b/kubernetes/aai/components/aai-resources/templates/configmap.yaml
index c3c2262..8e13c8c 100644 (file)
--- a/kubernetes/aai/components/aai-resources/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/configmap.yaml
@@ -20,11 +20,7 @@ kind: ConfigMap
 metadata:
   name: {{ include "common.fullname" . }}
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 data:
 {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }}
 {{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }}

diff --git a/kubernetes/aai/components/aai-resources/templates/deployment.yaml b/kubernetes/aai/components/aai-resources/templates/deployment.yaml
index 4c6c12b..cb434ed 100644 (file)
--- a/kubernetes/aai/components/aai-resources/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/deployment.yaml
@@ -20,20 +20,7 @@
 
 apiVersion: apps/v1
 kind: Deployment
-metadata:
-  name: {{ include "common.fullname" . }}
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    {{- if .Chart.AppVersion }}
-    version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-    {{- else }}
-    version: "{{ .Chart.Version | replace "+" "_" }}"
-    {{- end }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
 spec:
   {{- if or .Values.config.debug.enabled .Values.config.profiling.enabled }}
   replicas: 1
@@ -53,19 +40,7 @@ spec:
     matchLabels:
       app: {{ include "common.name" . }}
   template:
-    metadata:
-      labels:
-        app: {{ include "common.name" . }}
-        release: {{ include "common.release" . }}
-        app.kubernetes.io/name: {{ include "common.name" . }}
-        {{- if .Chart.AppVersion }}
-        version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-        {{- else }}
-        version: "{{ .Chart.Version | replace "+" "_" }}"
-        {{- end }}
-      name: {{ include "common.name" . }}
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+    metadata: {{- include "common.templateMetadata" . | nindent 6 }}
       {{- if .Values.global.msbEnabled }}
         {{ $values := .Values }}
         msb.onap.org/service-info: '[
@@ -99,44 +74,20 @@ spec:
     spec:
       hostname: aai-resources
       terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
       initContainers:
-      - name: {{ include "common.name" . }}-readiness
-        command:
-        - /app/ready.py
-        args:
-        {{- if .Values.global.jobs.migration.enabled }}
-        - --job-name
-        - {{ include "common.release" . }}-aai-graphadmin-migration
-        {{- else }}
-          {{- if .Values.global.jobs.createSchema.enabled  }}
-        - --job-name
-        - {{ include "common.release" . }}-aai-graphadmin-create-db-schema
-          {{- else }}
-        - --service-name
-        - {{ .Values.global.cassandra.serviceName }}
-        - --service-name
-        - aai-schema-service
-          {{- end }}
-        {{- end }}
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        image: {{ include "repositoryGenerator.image.readiness" . }}
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        resources:
-          limits:
-            cpu: "100m"
-            memory: "500Mi"
-          requests:
-            cpu: "3m"
-            memory: "20Mi"
+      {{- if .Values.global.jobs.migration.enabled }}
+      {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_migration) | nindent 8 }}
+      {{- else if .Values.global.jobs.createSchema.enabled  }}
+      {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_createSchema) | nindent 8 }}
+      {{- else }}
+      {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_cassandra) | nindent 8 }}
+      {{- end }}
       containers:
       - name: {{ include "common.name" . }}
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
         env:
         {{- if .Values.config.env }}
         {{- range $key,$value := .Values.config.env }}
@@ -189,6 +140,8 @@ spec:
         - mountPath: /opt/app/aai-resources/resources/application-keycloak.properties
           name: {{ include "common.fullname" . }}-config
           subPath: application-keycloak.properties
+        - mountPath: /tmp
+          name: tmp
         ports:
         - containerPort: {{ .Values.service.resourcesPort }}
           name: {{ .Values.service.resourcesPortName }}
@@ -252,7 +205,11 @@ spec:
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes:
       - name: logs
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.logSizeLimit }}
+      - name: tmp
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.tmpSizeLimit }}
       {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
       - name: {{ include "common.fullname" . }}-config
         configMap:

diff --git a/kubernetes/aai/components/aai-resources/templates/service.yaml b/kubernetes/aai/components/aai-resources/templates/service.yaml
index 308dc05..605679e 100644 (file)
--- a/kubernetes/aai/components/aai-resources/templates/service.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/service.yaml
@@ -19,12 +19,7 @@ kind: Service
 metadata:
   name: {{ include "common.servicename" . }}
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:
@@ -54,8 +49,6 @@ spec:
     name: {{ .Values.service.metricsPortName }}
     targetPort: {{ .Values.service.metricsPortName }}
   {{- end }}
-  selector:
-    app: {{ include "common.name" . }}
-    release: {{ include "common.release" . }}
+  selector: {{- include "common.matchLabels" . | nindent 4 }}
   clusterIP: None
   sessionAffinity: {{ .Values.service.sessionAffinity }}

diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml
index 8902762..7cba7a4 100644 (file)
--- a/kubernetes/aai/components/aai-resources/values.yaml
+++ b/kubernetes/aai/components/aai-resources/values.yaml
@@ -134,7 +134,7 @@ aai_enpoints:
     url: external-system
 
 # application image
-image: onap/aai-resources:1.15.1
+image: onap/aai-resources:1.15.2
 pullPolicy: Always
 restartPolicy: Always
 flavor: small
@@ -354,9 +354,9 @@ metrics:
     ##
     selector:
       app: '{{ include "common.name" . }}'
-      chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
-      release: '{{ include "common.release" . }}'
-      heritage: '{{ .Release.Service }}'
+      helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+      app.kubernetes.io/instance: '{{ include "common.release" . }}'
+      app.kubernetes.io/managed-by: '{{ .Release.Service }}'
 
     ## RelabelConfigs to apply to samples before scraping
     ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
@@ -421,3 +421,26 @@ kafkaUser:
     - name: AAI-EVENT
       type: topic
       operations: [Read, Write]
+
+volumes:
+  logSizeLimit: 50Mi
+  tmpSizeLimit: 100Mi
+
+securityContext:
+  user_id: 1000
+  group_id: 1000
+
+readinessCheck:
+  wait_for_migration:
+    jobs:
+      - '{{ include "common.release" . }}-aai-graphadmin-migration'
+  wait_for_createSchema:
+    jobs:
+      - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema'
+  wait_for_cassandra:
+    services:
+      - '{{ .Values.global.cassandra.serviceName }}'
+      - aai-schema-service
+
+podAnnotations:
+  checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'

diff --git a/kubernetes/aai/components/aai-schema-service/Chart.yaml b/kubernetes/aai/components/aai-schema-service/Chart.yaml
index 512090d..b10eaa2 100644 (file)
--- a/kubernetes/aai/components/aai-schema-service/Chart.yaml
+++ b/kubernetes/aai/components/aai-schema-service/Chart.yaml
@@ -18,7 +18,7 @@
 apiVersion: v2
 description: ONAP AAI Schema Service
 name: aai-schema-service
-version: 15.0.0
+version: 15.0.1
 
 dependencies:
   - name: common

diff --git a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml
index 9573871..0490f43 100644 (file)
--- a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml
@@ -19,11 +19,7 @@ kind: ConfigMap
 metadata:
   name: {{ include "common.fullname" . }}-log
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 data:
 {{ tpl (.Files.Glob "config/logback.xml").AsConfig . | indent 2 }}
 ---
@@ -32,11 +28,7 @@ kind: ConfigMap
 metadata:
   name: {{ include "common.fullname" . }}-localhost-access-log
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 data:
 {{ tpl (.Files.Glob "config/localhost-access-logback.xml").AsConfig . | indent 2 }}
 ---
@@ -45,11 +37,7 @@ kind: ConfigMap
 metadata:
   name: {{ include "common.fullname" . }}-aaiconfig
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 data:
 {{ tpl (.Files.Glob "config/aaiconfig.properties").AsConfig . | indent 2 }}
 ---
@@ -58,11 +46,7 @@ kind: ConfigMap
 metadata:
   name: {{ include "common.fullname" . }}-springapp
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 data:
 {{ tpl (.Files.Glob "config/application.properties").AsConfig . | indent 2 }}
 ---
@@ -71,10 +55,6 @@ kind: ConfigMap
 metadata:
   name: {{ include "common.fullname" . }}-realm
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 data:
 {{ tpl (.Files.Glob "config/realm.properties").AsConfig . | indent 2 }}

diff --git a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
index 7254670..9fadcd7 100644 (file)
--- a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
@@ -19,20 +19,7 @@
 
 apiVersion: apps/v1
 kind: Deployment
-metadata:
-  name: {{ include "common.fullname" . }}
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    {{- if .Chart.AppVersion }}
-    version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-    {{- else }}
-    version: "{{ .Chart.Version | replace "+" "_" }}"
-    {{- end }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "" "labels" .Values.labels "annotations" .Values.annotations ) | nindent 2 }}
 spec:
   {{- if .Values.debug.enabled }}
   replicas: 1
@@ -51,24 +38,30 @@ spec:
     matchLabels:
       app: {{ include "common.name" . }}
   template:
-    metadata:
-      labels:
-        app: {{ include "common.name" . }}
-        release: {{ include "common.release" . }}
-        app.kubernetes.io/name: {{ include "common.name" . }}
-        {{- if .Chart.AppVersion }}
-        version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-        {{- else }}
-        version: "{{ .Chart.Version | replace "+" "_" }}"
-        {{- end }}
-      name: {{ include "common.name" . }}
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+    metadata: {{- include "common.templateMetadata" . | nindent 6 }}
     spec:
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
+      initContainers:
+      - command: ["cp", "-R", "/opt/app/aai-schema-service/.", "/opt/app/aai-schema-service_rw/"]
+        image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: copy-base-folder
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 3m
+            memory: 20Mi
+        volumeMounts:
+        - mountPath: /opt/app/aai-schema-service_rw
+          name: aai-schema-service
       containers:
       - name: {{ include "common.name" . }}
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
         env:
         {{- if .Values.profiling.enabled }}
         - name: PRE_JVM_ARGS
@@ -79,6 +72,8 @@ spec:
           value: {{ .Values.debug.args | quote }}
         {{- end }}
         volumeMounts:
+        - mountPath: /opt/app/aai-schema-service
+          name: aai-schema-service
         - mountPath: /opt/app/aai-schema-service/resources/etc/appprops/aaiconfig.properties
           name: aaiconfig-conf
           subPath: aaiconfig.properties
@@ -138,8 +133,12 @@ spec:
       - name: aai-common-aai-auth-mount
         secret:
           secretName: aai-common-aai-auth
+      - name: aai-schema-service
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.aaiSizeLimit }}
       - name: logs
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.logSizeLimit }}
       {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
       - name: log-conf
         configMap:

diff --git a/kubernetes/aai/components/aai-schema-service/templates/service.yaml b/kubernetes/aai/components/aai-schema-service/templates/service.yaml
index 412b62c..de0270f 100644 (file)
--- a/kubernetes/aai/components/aai-schema-service/templates/service.yaml
+++ b/kubernetes/aai/components/aai-schema-service/templates/service.yaml
@@ -19,12 +19,7 @@ kind: Service
 metadata:
   name: {{ include "common.servicename" . }}
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:
@@ -45,6 +40,4 @@ spec:
     name: {{ .Values.service.debugPortName }}
     targetPort: {{ .Values.service.debugPortName }}
   {{- end }}
-  selector:
-    app: {{ include "common.name" . }}
-    release: {{ include "common.release" . }}
+  selector: {{- include "common.matchLabels" . | nindent 4 }}

diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml
index 0ffeb55..3763db9 100644 (file)
--- a/kubernetes/aai/components/aai-schema-service/values.yaml
+++ b/kubernetes/aai/components/aai-schema-service/values.yaml
@@ -178,3 +178,10 @@ log:
   level:
     root: INFO
 logConfigMapNamePrefix: '{{ include "common.fullname" . }}'
+
+volumes:
+  logSizeLimit: 50Mi
+  aaiSizeLimit: 150Mi
+
+podAnnotations:
+  checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'

diff --git a/kubernetes/aai/components/aai-sparky-be/Chart.yaml b/kubernetes/aai/components/aai-sparky-be/Chart.yaml
index 9c9185b..074e266 100644 (file)
--- a/kubernetes/aai/components/aai-sparky-be/Chart.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/Chart.yaml
@@ -17,7 +17,7 @@
 apiVersion: v2
 description: ONAP AAI sparky-be
 name: aai-sparky-be
-version: 15.0.0
+version: 15.0.1
 
 dependencies:
   - name: common
@@ -29,3 +29,6 @@ dependencies:
   - name: serviceAccount
     version: ~13.x-0
     repository: '@local'
+  - name: readinessCheck
+    version: ~13.x-0
+    repository: '@local'
\ No newline at end of file

diff --git a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml
index 7c958fa..407850e 100644 (file)
--- a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml
@@ -17,13 +17,6 @@
 ---
 apiVersion: v1
 kind: ConfigMap
-metadata:
-  name: {{ include "common.fullname" . }}
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
 data:
 {{ tpl (.Files.Glob "resources/config/application/*").AsConfig . | indent 2 }}

diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml
index 28fe1d5..ede5b60 100644 (file)
--- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml
@@ -38,32 +38,14 @@ spec:
   template:
     metadata: {{- include "common.templateMetadata" . | nindent 6 }}
     spec:
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
       initContainers:
-      - command:
-        - /app/ready.py
-        args:
-        - --service-name
-        - aai
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        image: {{ include "repositoryGenerator.image.readiness" . }}
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        name: {{ include "common.name" . }}-readiness
-        resources:
-          limits:
-            cpu: "100m"
-            memory: "500Mi"
-          requests:
-            cpu: "3m"
-            memory: "20Mi"
+      {{ include "common.readinessCheck.waitFor" . | nindent 8 }}
       containers:
       - name: {{ include "common.name" . }}
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
         command:
         - sh
         args:
@@ -158,9 +140,11 @@ spec:
         configMap:
           name: {{ include "common.fullname" . }}
       - name: logs
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.logSizeLimit }}
         {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
       - name: modeldir
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.modeldirSizeLimit }}
       restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }}
       {{- include "common.imagePullSecrets" . | nindent 6 }}

diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml
index c4b90d3..9cbe9e5 100644 (file)
--- a/kubernetes/aai/components/aai-sparky-be/values.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/values.yaml
@@ -128,23 +128,24 @@ serviceMesh:
 
 podAnnotations:
   sidecar.istio.io/rewriteAppHTTPProbers: "false"
+  checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'
 
 # Configure resource requests and limits
 # ref: http://kubernetes.io/docs/user-guide/compute-resources/
 resources:
   small:
     limits:
-      cpu: "0.5"
+      cpu: "500m"
       memory: "4Gi"
     requests:
-      cpu: "0.25"
+      cpu: "250m"
       memory: "1Gi"
   large:
     limits:
       cpu: "1"
       memory: "8Gi"
     requests:
-      cpu: "0.5"
+      cpu: "500m"
       memory: "2Gi"
   unlimited: {}
 
@@ -158,3 +159,16 @@ serviceAccount:
 log:
   path: /var/log/onap
 logConfigMapNamePrefix: '{{ include "common.fullname" . }}'
+
+volumes:
+  logSizeLimit: 64Mi
+  modeldirSizeLimit: 64Mi
+
+securityContext:
+  user_id: 1000
+  group_id: 1000
+
+readinessCheck:
+  wait_for:
+    services:
+      - aai

diff --git a/kubernetes/aai/components/aai-traversal/Chart.yaml b/kubernetes/aai/components/aai-traversal/Chart.yaml
index e9545b7..f4e458f 100644 (file)
--- a/kubernetes/aai/components/aai-traversal/Chart.yaml
+++ b/kubernetes/aai/components/aai-traversal/Chart.yaml
@@ -17,7 +17,7 @@
 apiVersion: v2
 description: ONAP AAI traversal
 name: aai-traversal
-version: 15.0.0
+version: 15.0.1
 
 dependencies:
   - name: common
@@ -29,3 +29,6 @@ dependencies:
   - name: serviceAccount
     version: ~13.x-0
     repository: '@local'
+  - name: readinessCheck
+    version: ~13.x-0
+    repository: '@local'

diff --git a/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml b/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml
index 7c6a252..966e566 100644 (file)
--- a/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml
+++ b/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml
@@ -17,7 +17,7 @@ apiVersion: kafka.strimzi.io/v1beta2
 kind: KafkaUser
 metadata:
   name: {{ include "common.release" . }}-{{ .Values.global.aaiTravKafkaUser }}
-  labels:
+  labels: {{- include "common.labels" . | nindent 4 }}
     strimzi.io/cluster: {{ include "common.release" . }}-strimzi
 spec:
   authentication:

diff --git a/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml b/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml
index 76d2611..a14a9b5 100644 (file)
--- a/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml
+++ b/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml
@@ -1,14 +1,7 @@
 {{- if .Values.autoscaling.enabled }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
-metadata:
-  name: {{ include "common.fullname" . }}
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1

diff --git a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml
index 905c21f..e9415df 100644 (file)
--- a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml
@@ -18,14 +18,7 @@
 
 apiVersion: v1
 kind: ConfigMap
-metadata:
-  name: {{ include "common.fullname" . }}
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
 data:
 {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }}
 {{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }}

diff --git a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml
index 6d97b0e..d12fc6b 100644 (file)
--- a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml
@@ -20,20 +20,7 @@
 
 apiVersion: apps/v1
 kind: Deployment
-metadata:
-  name: {{ include "common.fullname" . }}
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    {{- if .Chart.AppVersion }}
-    version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-    {{- else }}
-    version: "{{ .Chart.Version | replace "+" "_" }}"
-    {{- end }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
 spec:
   {{- if or .Values.config.debug.enabled .Values.config.profiling.enabled }}
   replicas: 1
@@ -53,19 +40,7 @@ spec:
     matchLabels:
       app: {{ include "common.name" . }}
   template:
-    metadata:
-      labels:
-        app: {{ include "common.name" . }}
-        release: {{ include "common.release" . }}
-        app.kubernetes.io/name: {{ include "common.name" . }}
-        {{- if .Chart.AppVersion }}
-        version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-        {{- else }}
-        version: "{{ .Chart.Version | replace "+" "_" }}"
-        {{- end }}
-      name: {{ include "common.name" . }}
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+    metadata: {{- include "common.templateMetadata" . | nindent 6 }}
       {{- if .Values.global.msbEnabled }}
         {{ $values := .Values }}
         msb.onap.org/service-info: '[
@@ -119,43 +94,19 @@ spec:
       hostname: aai-traversal
       terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
       initContainers:
-      - command:
-        - /app/ready.py
-        args:
       {{- if .Values.global.jobs.migration.enabled }}
-        - --job-name
-        - {{ include "common.release" . }}-aai-graphadmin-migration
-      {{- else  }}
-        {{- if .Values.global.jobs.createSchema.enabled  }}
-        - --job-name
-        - {{ include "common.release" . }}-aai-graphadmin-create-db-schema
-        {{- else }}
-        - --service-name
-        - {{ .Values.global.cassandra.serviceName }}
-        - --service-name
-        - aai-schema-service
-        {{- end }}
+      {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_migration) | nindent 8 }}
+      {{- else if .Values.global.jobs.createSchema.enabled  }}
+      {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_createSchema) | nindent 8 }}
+      {{- else }}
+      {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_cassandra) | nindent 8 }}
       {{- end }}
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        image: {{ include "repositoryGenerator.image.readiness" . }}
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        name: {{ include "common.name" . }}-readiness
-        resources:
-          limits:
-            cpu: "100m"
-            memory: "500Mi"
-          requests:
-            cpu: "3m"
-            memory: "20Mi"
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
       containers:
       - name: {{ include "common.name" . }}
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
         env:
         {{- if .Values.config.env }}
         {{- range $key,$value := .Values.config.env }}
@@ -219,6 +170,8 @@ spec:
         - mountPath: /opt/app/aai-traversal/resources/application-keycloak.properties
           name: {{ include "common.fullname" . }}-config
           subPath: application-keycloak.properties
+        - mountPath: /tmp
+          name: tmp
         ports:
         - containerPort: {{ .Values.service.traversalPort }}
           name: {{ .Values.service.traversalPortName }}
@@ -277,9 +230,14 @@ spec:
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes:
       - name: logs
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.logSizeLimit }}
+      - name: tmp
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.tmpSizeLimit }}
       - name: {{ include "common.fullname" . }}-logs-misc
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.logmiscSizeLimit }}
       {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
       - name: {{ include "common.fullname" . }}-config
         configMap:

diff --git a/kubernetes/aai/components/aai-traversal/templates/job.yaml b/kubernetes/aai/components/aai-traversal/templates/job.yaml
index db90f82..3ea973f 100644 (file)
--- a/kubernetes/aai/components/aai-traversal/templates/job.yaml
+++ b/kubernetes/aai/components/aai-traversal/templates/job.yaml
@@ -24,11 +24,7 @@ kind: Job
 metadata:
   name: {{ include "common.fullname" . }}-update-query-data
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 {{ if .Values.global.jobs.migration.enabled }}
   annotations:
     "helm.sh/hook": post-upgrade,post-rollback,post-install
@@ -38,33 +34,12 @@ metadata:
 spec:
   template:
     metadata:
-      labels:
-        app: {{ include "common.name" . }}-job
-        release: {{ include "common.release" . }}
+      labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }}
       name: {{ include "common.name" . }}
     spec:
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
       initContainers:
-      - name: {{ include "common.name" . }}-readiness
-        image: {{ include "repositoryGenerator.image.readiness" . }}
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        command:
-        - /app/ready.py
-        args:
-        - --service-name
-        - aai
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        resources:
-          limits:
-            cpu: "100m"
-            memory: "500Mi"
-          requests:
-            cpu: "3m"
-            memory: "20Mi"
+      {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_service) | nindent 6 }}
       - name: {{ include "common.name" . }}-wait-for-aai-haproxy
         image: {{ include "repositoryGenerator.image.readiness" . }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
@@ -85,6 +60,16 @@ spec:
           requests:
             cpu: "3m"
             memory: "20Mi"
+        securityContext:
+          runAsUser: 100
+          runAsGroup: 65533
+          readOnlyRootFilesystem: true
+          privileged: false
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+              - CAP_NET_RAW
       containers:
       - name: {{ include "common.name" . }}-job
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
@@ -101,6 +86,7 @@ spec:
            sh -x /opt/app/aai-traversal/bin/install/updateQueryData.sh ;
 
            {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
         resources: {{ include "common.resources" . | nindent 10 }}
         volumeMounts:
         - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-realtime.properties
@@ -127,9 +113,11 @@ spec:
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes:
       - name: {{ include "common.fullname" . }}-logs
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.logSizeLimit }}
       - name: {{ include "common.fullname" . }}-logs-misc
-        emptyDir: {}
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.logmiscSizeLimit }}
       {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
       - name: {{ include "common.fullname" . }}-config
         configMap:

diff --git a/kubernetes/aai/components/aai-traversal/templates/service.yaml b/kubernetes/aai/components/aai-traversal/templates/service.yaml
index 49ed563..60e8efc 100644 (file)
--- a/kubernetes/aai/components/aai-traversal/templates/service.yaml
+++ b/kubernetes/aai/components/aai-traversal/templates/service.yaml
@@ -19,12 +19,7 @@ kind: Service
 metadata:
   name: {{ include "common.servicename" . }}
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:
@@ -54,8 +49,6 @@ spec:
     name: {{ .Values.service.metricsPortName }}
     targetPort: {{ .Values.service.metricsPortName }}
   {{- end }}
-  selector:
-    app: {{ include "common.name" . }}
-    release: {{ include "common.release" . }}
+  selector: {{- include "common.matchLabels" . | nindent 4 }}
   clusterIP: None
   sessionAffinity: {{ .Values.service.sessionAffinity }}

diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml
index e19ea65..fd82068 100644 (file)
--- a/kubernetes/aai/components/aai-traversal/values.yaml
+++ b/kubernetes/aai/components/aai-traversal/values.yaml
@@ -111,7 +111,7 @@ global: # global defaults
     someConfig: random
 
 # application image
-image: onap/aai-traversal:1.15.1
+image: onap/aai-traversal:1.15.2
 pullPolicy: Always
 restartPolicy: Always
 flavor: small
@@ -353,6 +353,9 @@ endpoints:
   info:
     enabled: true
 
+podAnnotations:
+  checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'
+
 metrics:
   serviceMonitor:
     enabled: true
@@ -383,9 +386,9 @@ metrics:
     ##
     selector:
       app: '{{ include "common.name" . }}'
-      chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
-      release: '{{ include "common.release" . }}'
-      heritage: '{{ .Release.Service }}'
+      helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+      app.kubernetes.io/instance: '{{ include "common.release" . }}'
+      app.kubernetes.io/managed-by: '{{ .Release.Service }}'
 
     ## RelabelConfigs to apply to samples before scraping
     ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
@@ -418,6 +421,30 @@ log:
     root: INFO
     base: INFO # base package (org.onap.aai)
 logConfigMapNamePrefix: '{{ include "common.fullname" . }}'
+
+volumes:
+  logSizeLimit: 50Mi
+  logmiscSizeLimit: 50Mi
+  tmpSizeLimit: 100Mi
+
+securityContext:
+  user_id: 1000
+  group_id: 1000
+
+readinessCheck:
+  wait_for_migration:
+    jobs:
+      - '{{ include "common.release" . }}-aai-graphadmin-migration'
+  wait_for_createSchema:
+    jobs:
+      - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema'
+  wait_for_cassandra:
+    services:
+      - '{{ .Values.global.cassandra.serviceName }}'
+      - aai-schema-service
+  wait_for_service:
+    services:
+      - aai
 #################################################################
 # Secrets metaconfig
 #################################################################

diff --git a/kubernetes/aai/resources/config/haproxy/resolvers.conf b/kubernetes/aai/resources/config/haproxy/resolvers.conf
new file mode 100644 (file)
index 0000000..c456e35
--- /dev/null
+++ b/kubernetes/aai/resources/config/haproxy/resolvers.conf
@@ -0,0 +1,3 @@
+resolvers kubernetes
+  nameserver dns1 {{.Values.config.NAME_SERVER}}:53
+  hold valid      1s

diff --git a/kubernetes/aai/templates/authorizationpolicy.yaml b/kubernetes/aai/templates/authorizationpolicy.yaml
index fa59f52..f48e06e 100644 (file)
--- a/kubernetes/aai/templates/authorizationpolicy.yaml
+++ b/kubernetes/aai/templates/authorizationpolicy.yaml
@@ -27,6 +27,7 @@ kind: AuthorizationPolicy
 metadata:
   name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}}
   namespace: {{ include "common.namespace" . }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 spec:
   selector:
     matchLabels:

diff --git a/kubernetes/aai/templates/configmap.yaml b/kubernetes/aai/templates/configmap.yaml
index dac36d7..c66af50 100644 (file)
--- a/kubernetes/aai/templates/configmap.yaml
+++ b/kubernetes/aai/templates/configmap.yaml
@@ -22,12 +22,9 @@ kind: ConfigMap
 metadata:
   name: aai-deployment-configmap
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 data:
+{{ tpl (.Files.Glob "resources/config/haproxy/resolvers.conf").AsConfig . | indent 2 }}
 {{ if .Values.global.installSidecarSecurity }}
 {{ tpl (.Files.Glob "resources/config/haproxy/haproxy-pluggable-security.cfg").AsConfig . | indent 2 }}
 {{ else }}
@@ -40,6 +37,7 @@ kind: Secret
 metadata:
   name: aai-fproxy-auth-certs
   namespace: {{ include "common.namespace" . }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/config/fproxy/auth/*").AsSecrets . | indent 2 }}
@@ -49,6 +47,7 @@ kind: Secret
 metadata:
   name: aai-rproxy-auth-certs
   namespace: {{ include "common.namespace" . }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/config/rproxy/auth/*").AsSecrets . | indent 2 }}
@@ -58,6 +57,7 @@ kind: Secret
 metadata:
   name: aai-rproxy-security-config
   namespace: {{ include "common.namespace" . }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/config/rproxy/security/*").AsSecrets . | indent 2 }}

diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml
index 58bbc8a..a743592 100644 (file)
--- a/kubernetes/aai/templates/deployment.yaml
+++ b/kubernetes/aai/templates/deployment.yaml
@@ -18,20 +18,7 @@
 
 apiVersion: apps/v1
 kind: Deployment
-metadata:
-  name: {{ include "common.fullname" . }}
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    {{- if .Chart.AppVersion }}
-    version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-    {{- else }}
-    version: "{{ .Chart.Version | replace "+" "_" }}"
-    {{- end }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
 spec:
   selector:
     matchLabels:
@@ -46,59 +33,48 @@ spec:
       maxSurge: {{ .Values.updateStrategy.maxSurge }}
     {{- end }}
   template:
-    metadata:
-      labels:
-        app: {{ include "common.name" . }}
-        release: {{ include "common.release" . }}
-        app.kubernetes.io/name: {{ include "common.name" . }}
-        {{- if .Chart.AppVersion }}
-        version: "{{ .Chart.AppVersion | replace "+" "_" }}"
-        {{- else }}
-        version: "{{ .Chart.Version | replace "+" "_" }}"
-        {{- end }}
-      name: {{ include "common.release" . }}
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+    metadata: {{- include "common.templateMetadata" . | nindent 6 }}
     spec:
       terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
       initContainers:
-      - command:
-        - /app/ready.py
-        args:
-        - --service-name
-        - aai-resources
-        - --service-name
-        - aai-traversal
-        - --service-name
-        - aai-graphadmin
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        image: {{ include "repositoryGenerator.image.readiness" . }}
+      {{ include "common.readinessCheck.waitFor" . | indent 6 | trim}}
+      - command: ["/bin/sh","-c"]
+        args: ['cp -R /usr/local/etc/haproxy /usr/local/etc/haproxy_rw/']
+        image: '{{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}'
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        name: {{ include "common.name" . }}-readiness
+        name: copy-haproxy-config
         resources:
-          requests:
-            memory: {{ .Values.haproxy.initContainers.resources.memory }}
-            cpu: {{ .Values.haproxy.initContainers.resources.cpu }}
           limits:
-            memory: {{ .Values.haproxy.initContainers.resources.memory }}
-            cpu: {{ .Values.haproxy.initContainers.resources.cpu }}
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 2m
+            memory: 100Mi
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /usr/local/etc/haproxy_rw
+          name: haproxy-etc
       containers:
       - name: {{ include "common.name" . }}
-        image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}"
+        image: '{{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}'
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         volumeMounts:
+        - mountPath: /usr/local/etc/haproxy
+          name: haproxy-etc
+        - mountPath: /usr/local/etc/haproxy/resolvers.conf
+          name: haproxy-config
+          subPath: resolvers.conf
+          readOnly: true
         - mountPath: /usr/local/etc/haproxy/haproxy.cfg
         {{ if .Values.global.installSidecarSecurity }}
           subPath: haproxy-pluggable-security.cfg
         {{ else }}
           subPath: haproxy.cfg
         {{ end }}
-          name: haproxy-cfg
+          name: haproxy-config
         ports:
         - containerPort: {{ .Values.service.internalPort }}
           name: {{ .Values.service.portName }}
@@ -113,7 +89,11 @@ spec:
           initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
           periodSeconds: {{ .Values.liveness.periodSeconds }}
         {{ end -}}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+        resources: {{ include "common.resources" . | nindent 10 }}
         readinessProbe:
+          initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readiness.periodSeconds }}
           httpGet:
             path: /aai/util/echo
             port: {{ .Values.service.internalPort }}
@@ -129,9 +109,6 @@ spec:
               value: OOM_ReadinessCheck_TID
             - name: Accept
               value: application/json
-          initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
-          periodSeconds: {{ .Values.readiness.periodSeconds }}
-        resources: {{ include "common.resources" . | nindent 10 }}
       {{- if .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
@@ -142,7 +119,10 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes:
-        - name: haproxy-cfg
-          configMap:
-            name: aai-deployment-configmap
+      - name: haproxy-config
+        configMap:
+          name: aai-deployment-configmap
+      - name: haproxy-etc
+        emptyDir:
+          sizeLimit: {{ .Values.volumes.haProxySizeLimit }}
       {{- include "common.imagePullSecrets" . | nindent 6 }}

diff --git a/kubernetes/aai/templates/secret.yaml b/kubernetes/aai/templates/secret.yaml
index d868b95..1a592a0 100644 (file)
--- a/kubernetes/aai/templates/secret.yaml
+++ b/kubernetes/aai/templates/secret.yaml
@@ -19,11 +19,7 @@ kind: Secret
 metadata:
   name: aai-common-aai-auth
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }}
@@ -33,6 +29,7 @@ kind: Secret
 metadata:
   name: aai-common-truststore
   namespace: {{ include "common.namespace" . }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/config/aai/*").AsSecrets . | indent 2 }}

diff --git a/kubernetes/aai/templates/service.yaml b/kubernetes/aai/templates/service.yaml
index b5a8cc1..1509311 100644 (file)
--- a/kubernetes/aai/templates/service.yaml
+++ b/kubernetes/aai/templates/service.yaml
@@ -19,12 +19,7 @@ kind: Service
 metadata:
   name: {{ include "common.servicename" . }}
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 spec:
   ports:
   - name: {{ .Values.service.portName }}
@@ -36,8 +31,7 @@ spec:
     {{    end }}
     {{- end }}
   type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}{{ .Values.service.type }}{{ end }}
-  selector:
-    app: {{ include "common.name" . }}
+  selector: {{- include "common.matchLabels" . | nindent 4 }}
   sessionAffinity: {{ .Values.service.sessionAffinity }}
 ---
 apiVersion: v1
@@ -45,38 +39,26 @@ kind: Service
 metadata:
   name: {{ include "common.servicename" . }}-internal
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 spec:
   ports:
     - name: {{ .Values.service.portName }}
       port: {{ .Values.service.externalPort }}
       targetPort: {{ .Values.service.internalPort }}
   type: ClusterIP
-  selector:
-    app: {{ include "common.name" . }}
+  selector: {{- include "common.matchLabels" . | nindent 4 }}
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "common.servicename" . }}-metrics
   namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}-metrics
-    app.kubernetes.io/name: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
+  labels: {{- include "common.labels" . | nindent 4 }}
 spec:
   ports:
     - port: {{ .Values.metricsService.externalPort }}
       targetPort: {{ .Values.metricsService.internalPort }}
       name: {{ .Values.metricsService.portName }}
   type: {{ .Values.metricsService.type }}
-  selector:
-    app: {{ include "common.name" . }}
+  selector: {{- include "common.matchLabels" . | nindent 4 }}
   clusterIP: None

diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml
index e129220..a000d2f 100644 (file)
--- a/kubernetes/aai/values.yaml
+++ b/kubernetes/aai/values.yaml
@@ -309,7 +309,7 @@ aai-traversal:
 
 # application image
 dockerhubRepository: registry.hub.docker.com
-image: onap/aai-haproxy:1.11.0
+image: onap/aai-haproxy:1.15.2
 pullPolicy: Always
 
 flavor: small
@@ -321,6 +321,9 @@ debugEnabled: false
 config:
   logstashServiceName: log-ls
   logstashPort: 5044
+  # IP address of name server is needed in nginx configuration. The secure endpoint for logging with Keycloak need the ip address in the config file.
+  # You can find this ip address in the /etc/resolv.conf This file is generated by k8s. The name server ip address is in all k8s cluster the same.
+  NAME_SERVER: coredns.kube-system
 
 # default number of instances
 replicaCount: 1
@@ -408,9 +411,9 @@ metrics:
 
     selector:
       app: '{{ include "common.name" . }}-metrics'
-      chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
-      release: '{{ include "common.release" . }}'
-      heritage: '{{ .Release.Service }}'
+      helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+      app.kubernetes.io/instance: '{{ include "common.release" . }}'
+      app.kubernetes.io/managed-by: '{{ .Release.Service }}'
 
     relabelings: []
 
@@ -459,15 +462,15 @@ resources:
       cpu: "2"
       memory: "4Gi"
     requests:
-      cpu: "1"
-      memory: "1.2Gi"
+      cpu: "500m"
+      memory: "1200Mi"
   large:
     limits:
       cpu: "4"
       memory: "8Gi"
     requests:
-      cpu: "2"
-      memory: "2.4Gi"
+      cpu: "1"
+      memory: "2400Mi"
   unlimited: {}
 
 #Pods Service Account
@@ -475,3 +478,20 @@ serviceAccount:
   nameOverride: aai
   roles:
     - read
+
+securityContext:
+  user_id: 99
+  group_id: 99
+
+readinessCheck:
+  wait_for:
+    services:
+      - aai-resources
+      - aai-traversal
+      - aai-graphadmin
+
+volumes:
+  haProxySizeLimit: 20Mi
+
+podAnnotations:
+  checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'