From: Sylvain Desbureaux Date: Mon, 4 May 2020 06:55:59 +0000 (+0000) Subject: Merge "Making mounted volume non-root" X-Git-Tag: 6.0.0~95 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=006318ac37142eb823db4a2074ce6c8ad1629166;hp=b38185a167552adefcdd2a32e517e912e01dd683;p=oom.git Merge "Making mounted volume non-root" --- diff --git a/kubernetes/aai b/kubernetes/aai index 5ae975da2b..2d6141ab8b 160000 --- a/kubernetes/aai +++ b/kubernetes/aai @@ -1 +1 @@ -Subproject commit 5ae975da2bc5c09318465405a343146a56b42a3a +Subproject commit 2d6141ab8bd7bfe58f5da0483e578032226e7ebb diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml index cde892002b..12991a831f 100644 --- a/kubernetes/appc/values.yaml +++ b/kubernetes/appc/values.yaml @@ -76,14 +76,14 @@ config: # It seems that the DB name is hardcoded. dbName: appcctl userName: appcctl - password: appcctl + # password: appcctl # userCredsExternalSecret: some secret sdncdb: # Warning: changing this config option may not work. # It seems that the DB name is hardcoded. dbName: sdnctl userName: sdnctl - password: gamma + # password: gamma # userCredsExternalSecret: some secret odlUid: 100 odlGid: 101 diff --git a/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties b/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties index eee61e7e90..94f3466d9d 100755 --- a/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties +++ b/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties @@ -81,6 +81,7 @@ blueprintprocessor.resourceResolution.enabled=true blueprintprocessor.netconfExecutor.enabled=true blueprintprocessor.restConfExecutor.enabled=true blueprintprocessor.remoteScriptCommand.enabled=true +blueprintsprocessor.remote-script-command.response.log.enabled=false # Command executor blueprintsprocessor.grpcclient.remote-python.type=token-auth @@ -117,6 +118,9 @@ blueprintsprocessor.messageconsumer.self-service-api.pollMillSec=1000 # Self Service Response Kafka Message Producer blueprintsprocessor.messageproducer.self-service-api.bootstrapServers=message-router-kafka:9092 +# Kafka Audit Service Configurations +blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable=false + # Executor Options blueprintsprocessor.resourceResolution.enabled=true blueprintsprocessor.netconfExecutor.enabled=true diff --git a/kubernetes/cds/charts/cds-ui/templates/deployment.yaml b/kubernetes/cds/charts/cds-ui/templates/deployment.yaml index 79cffd16da..d7aad4d0c3 100644 --- a/kubernetes/cds/charts/cds-ui/templates/deployment.yaml +++ b/kubernetes/cds/charts/cds-ui/templates/deployment.yaml @@ -85,31 +85,9 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - # side car containers - # - name: filebeat-onap - # image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" - # imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - # volumeMounts: - # - mountPath: /usr/share/filebeat/filebeat.yml - # name: filebeat-conf - # subPath: filebeat.yml - # - mountPath: /home/esr/works/logs - # name: esr-server-logs - # - mountPath: /usr/share/filebeat/data - # name: esr-server-filebeat volumes: - name: localtime hostPath: path: /etc/localtime - # - name: filebeat-conf - # configMap: - # name: {{ include "common.fullname" . }}-esr-filebeat - # - name: esr-server-logs - # emptyDir: {} - # - name: esr-server-filebeat - # emptyDir: {} - # - name: esrserver-log - # configMap: - # name: {{ include "common.fullname" . }}-esr-esrserver-log imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/clamp/charts/clamp-backend/templates/configmap.yaml b/kubernetes/clamp/charts/clamp-backend/templates/configmap.yaml index 0011c6a6d4..f66312c741 100644 --- a/kubernetes/clamp/charts/clamp-backend/templates/configmap.yaml +++ b/kubernetes/clamp/charts/clamp-backend/templates/configmap.yaml @@ -26,16 +26,5 @@ metadata: data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} spring_application_json: {{ tpl .Values.config.springApplicationJson . | quote }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.release" . }}-clamp-filebeat-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/log/filebeat/*").AsConfig . | indent 2 }} + +{{ include "common.log.configMap" . }} diff --git a/kubernetes/clamp/charts/clamp-backend/templates/deployment.yaml b/kubernetes/clamp/charts/clamp-backend/templates/deployment.yaml index bdae07a261..fa00ffed1a 100644 --- a/kubernetes/clamp/charts/clamp-backend/templates/deployment.yaml +++ b/kubernetes/clamp/charts/clamp-backend/templates/deployment.yaml @@ -48,17 +48,8 @@ spec: name: {{ include "common.name" . }}-readiness containers: # side car containers - - name: {{ include "common.name" . }}-filebeat-onap - image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: {{ include "common.fullname" . }}-filebeat-conf - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - - name: {{ include "common.fullname" . }}-data-filebeat - mountPath: /usr/share/filebeat/data - - name: {{ include "common.fullname" . }}-logs - mountPath: /var/log/onap + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }} + # main container - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -81,8 +72,8 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - name: {{ include "common.fullname" . }}-logs - mountPath: /var/log/onap + - name: logs + mountPath: {{ .Values.log.path }} - mountPath: /opt/clamp/sdc-controllers-config.json name: {{ include "common.fullname" . }}-config subPath: sdc-controllers-config.json @@ -109,12 +100,8 @@ spec: items: - key: sdc-controllers-config.json path: sdc-controllers-config.json - - name: {{ include "common.fullname" . }}-filebeat-conf - configMap: - name: {{ include "common.release" . }}-clamp-filebeat-configmap - - name: {{ include "common.fullname" . }}-data-filebeat - emptyDir: {} - - name: {{ include "common.fullname" . }}-logs + - name: logs emptyDir: {} + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/clamp/charts/clamp-backend/values.yaml b/kubernetes/clamp/charts/clamp-backend/values.yaml index 48252176f9..ca444aa175 100644 --- a/kubernetes/clamp/charts/clamp-backend/values.yaml +++ b/kubernetes/clamp/charts/clamp-backend/values.yaml @@ -33,6 +33,10 @@ pullPolicy: Always # flag to enable debugging - application support required debugEnabled: false +# log configuration +log: + path: /var/log/onap + ################################################################# # Application configuration defaults. ################################################################# diff --git a/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml b/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml index e4deab0e15..1eb20fce89 100644 --- a/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml +++ b/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml @@ -87,7 +87,7 @@ discovery.zen.minimum_master_nodes: 1 discovery.seed_hosts: [] # # Breaking change in 7.0 # # https://www.elastic.co/guide/en/elasticsearch/reference/7.0/breaking-changes-7.0.html#breaking_70_discovery_changes -cluster.initial_master_nodes: +cluster.initial_master_nodes: - cldash-es-node1 # - docker-test-node-1 # ---------------------------------- Various ----------------------------------- @@ -125,4 +125,4 @@ opendistro_security.check_snapshot_restore_write_privileges: true opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] cluster.routing.allocation.disk.threshold_enabled: false node.max_local_storage_nodes: 3 -######## End OpenDistro for Elasticsearch Security Demo Configuration ######## \ No newline at end of file +######## End OpenDistro for Elasticsearch Security Demo Configuration ######## diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf b/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf index 4b05910c02..c005fcca3e 100644 --- a/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf +++ b/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf @@ -59,7 +59,7 @@ filter { if [http_request_failure] or [@metadata][code] != 200 { mutate { - add_tag => [ "error" ] + add_tag => [ "error" ] } } @@ -195,7 +195,7 @@ filter { clones => [ "event-cl-aggs" ] add_tag => [ "event-cl-aggs" ] } - + if "event-cl-aggs" in [@metadata][request][tags]{ # # we only need a few fields for aggregations; remove all fields from clone except : @@ -204,7 +204,7 @@ filter { prune { whitelist_names => ["^@.*$","^topic$","^type$","^tags$","^flagFinalFailure$","^flagAbated$","^locationState$","^locationCity$","^vmName$","^vnfName$","^vnfType$","^requestID$","^closedLoopAlarmStart$","^closedLoopControlName$","^closedLoopAlarmEnd$","^target$","^target_type$","^triggerSourceName$","^policyScope$","^policyName$","^policyVersion$"] } - + } } } diff --git a/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/bootstrap-database.sh b/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/bootstrap-database.sh index 224a813db9..2e2ad2e1af 100755 --- a/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/bootstrap-database.sh +++ b/kubernetes/clamp/charts/mariadb/resources/config/mariadb/docker-entrypoint-initdb.d/bootstrap-database.sh @@ -20,9 +20,9 @@ # limitations under the License. # ============LICENSE_END============================================ # =================================================================== -# +# ### mysql -uroot -p$MYSQL_ROOT_PASSWORD -f < /docker-entrypoint-initdb.d/bulkload/create-db.sql -## New model creation +## New model creation mysql -uroot -p$MYSQL_ROOT_PASSWORD -f cldsdb4 < /docker-entrypoint-initdb.d/bulkload/create-tables.sql diff --git a/kubernetes/clamp/resources/config/log/filebeat/filebeat.yml b/kubernetes/clamp/resources/config/log/filebeat/filebeat.yml new file mode 100644 index 0000000000..dab2e44f5e --- /dev/null +++ b/kubernetes/clamp/resources/config/log/filebeat/filebeat.yml @@ -0,0 +1,53 @@ +# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +filebeat.prospectors: +#it is mandatory, in our case it's log +- input_type: log + #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. + paths: + - /var/log/onap/*/*/*/*.log + - /var/log/onap/*/*/*.log + - /var/log/onap/*/*.log + #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive + ignore_older: 48h + # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit + clean_inactive: 96h + +# Name of the registry file. If a relative path is used, it is considered relative to the +# data path. Else full qualified file name. +#filebeat.registry_file: ${path.data}/registry + + +output.logstash: + #List of logstash server ip addresses with port number. + #But, in our case, this will be the loadbalancer IP address. + #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. + hosts: ["{{.Values.config.log.logstashServiceName}}:{{.Values.config.log.logstashPort}}"] + #If enable will do load balancing among availabe Logstash, automatically. + loadbalance: true + + #The list of root certificates for server verifications. + #If certificate_authorities is empty or not set, the trusted + #certificate authorities of the host system are used. + #ssl.certificate_authorities: $ssl.certificate_authorities + + #The path to the certificate for SSL client authentication. If the certificate is not specified, + #client authentication is not available. + #ssl.certificate: $ssl.certificate + + #The client certificate key used for client authentication. + #ssl.key: $ssl.key + + #The passphrase used to decrypt an encrypted key stored in the configured key file + #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/clamp/templates/configmap.yaml b/kubernetes/clamp/templates/configmap.yaml index 4278a6e6d3..3fce850140 100644 --- a/kubernetes/clamp/templates/configmap.yaml +++ b/kubernetes/clamp/templates/configmap.yaml @@ -25,3 +25,5 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} + +{{ include "common.log.configMap" . }} diff --git a/kubernetes/clamp/templates/deployment.yaml b/kubernetes/clamp/templates/deployment.yaml index e4ac4723da..e8a7cc25cd 100644 --- a/kubernetes/clamp/templates/deployment.yaml +++ b/kubernetes/clamp/templates/deployment.yaml @@ -48,17 +48,8 @@ spec: name: {{ include "common.name" . }}-readiness containers: # side car containers - - name: {{ include "common.name" . }}-filebeat-onap - image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: {{ include "common.fullname" . }}-filebeat-conf - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - - name: {{ include "common.fullname" . }}-data-filebeat - mountPath: /usr/share/filebeat/data - - name: {{ include "common.fullname" . }}-logs - mountPath: /var/log/nginx/ + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }} + # main container - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -79,8 +70,8 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - name: {{ include "common.fullname" . }}-logs - mountPath: /var/log/nginx/ + - name: logs + mountPath: {{ .Values.log.path }} - mountPath: /etc/nginx/conf.d/default.conf name: {{ include "common.fullname" . }}-config subPath: default.conf @@ -101,13 +92,8 @@ spec: items: - key: default.conf path: default.conf - - name: {{ include "common.fullname" . }}-filebeat-conf - configMap: - name: {{ include "common.release" . }}-clamp-filebeat-configmap - - name: {{ include "common.fullname" . }}-data-filebeat - emptyDir: {} - - name: {{ include "common.fullname" . }}-logs + - name: logs emptyDir: {} + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - diff --git a/kubernetes/clamp/values.yaml b/kubernetes/clamp/values.yaml index 47eca67f91..0679982740 100644 --- a/kubernetes/clamp/values.yaml +++ b/kubernetes/clamp/values.yaml @@ -22,6 +22,7 @@ global: # global defaults readinessImage: readiness-check:2.0.0 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + centralizedLoggingEnabled: false subChartsOnly: enabled: true @@ -36,6 +37,10 @@ pullPolicy: Always # flag to enable debugging - application support required debugEnabled: false +# log configuration +log: + path: /var/log/nginx/ + ################################################################# # Application configuration defaults. ################################################################# diff --git a/kubernetes/common/dgbuilder/values.yaml b/kubernetes/common/dgbuilder/values.yaml index 105facf2b9..28c40e6da7 100644 --- a/kubernetes/common/dgbuilder/values.yaml +++ b/kubernetes/common/dgbuilder/values.yaml @@ -52,12 +52,12 @@ secrets: - uid: 'db-root-password' type: password externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' - password: '{{ .Values.config.dbRootPassword }}' + password: '{{ .Values.config.db.rootPassword }}' - uid: 'db-user-creds' type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.dbSdnctlPassword }}' + password: '{{ .Values.config.db.userPassword }}' - uid: 'http-user-creds' type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.httpCredsExternalSecret) . }}' @@ -118,8 +118,6 @@ config: restconfPassword: admin # restconfCredsExternalSecret: some secret - dbRootPassword: openECOMP1.0 - dbSdnctlPassword: gamma dbPodName: mysql-db dbServiceName: sdnc-dbhost # MD5 hash of dguser password ( default: test123 ) diff --git a/kubernetes/common/mariadb-galera/resources/config/configure-mysql.sh b/kubernetes/common/mariadb-galera/resources/config/configure-mysql.sh new file mode 100755 index 0000000000..42c5c89726 --- /dev/null +++ b/kubernetes/common/mariadb-galera/resources/config/configure-mysql.sh @@ -0,0 +1,89 @@ +#!/bin/bash +# +# Adfinis SyGroup AG +# openshift-mariadb-galera: mysql setup script +# + +set -eox pipefail + +echo 'Running mysql_install_db ...' +mysql_install_db --datadir=/var/lib/mysql +echo 'Finished mysql_install_db' + +mysqld --skip-networking --socket=/var/lib/mysql/mysql-init.sock --wsrep_on=OFF & +pid="$!" + +mysql=( mysql --protocol=socket -uroot -hlocalhost --socket=/var/lib/mysql/mysql-init.sock ) + +for i in {30..0}; do + if echo 'SELECT 1' | "${mysql[@]}" &> /dev/null; then + break + fi + echo 'MySQL init process in progress...' + sleep 1 +done +if [ "$i" = 0 ]; then + echo >&2 'MySQL init process failed.' + exit 1 +fi + +if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then + # sed is for https://bugs.mysql.com/bug.php?id=20545 + mysql_tzinfo_to_sql /usr/share/zoneinfo | sed 's/Local time zone must be set--see zic manual page/FCTY/' | "${mysql[@]}" mysql +fi + +function prepare_password { + echo -n $1 | sed -e "s/'/''/g" +} + +mysql_root_password=`prepare_password $MYSQL_ROOT_PASSWORD` +# add MariaDB root user +"${mysql[@]}" <<-EOSQL +-- What's done in this file shouldn't be replicated +-- or products like mysql-fabric won't work +SET @@SESSION.SQL_LOG_BIN=0; + +DELETE FROM mysql.user ; +CREATE USER 'root'@'%' IDENTIFIED BY '${mysql_root_password}' ; +GRANT ALL ON *.* TO 'root'@'%' WITH GRANT OPTION ; +DROP DATABASE IF EXISTS test ; +FLUSH PRIVILEGES ; +EOSQL + +# add root password for subsequent calls to mysql +if [ ! -z "$MYSQL_ROOT_PASSWORD" ]; then + mysql+=( -p"${MYSQL_ROOT_PASSWORD}" ) +fi + +# add users require for Galera +# TODO: make them somehow configurable +"${mysql[@]}" <<-EOSQL +CREATE USER 'xtrabackup_sst'@'localhost' IDENTIFIED BY 'xtrabackup_sst' ; +GRANT RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'xtrabackup_sst'@'localhost' ; +CREATE USER 'readinessProbe'@'localhost' IDENTIFIED BY 'readinessProbe'; +EOSQL + +if [ "$MYSQL_DATABASE" ]; then + echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" | "${mysql[@]}" + mysql+=( "$MYSQL_DATABASE" ) +fi + +if [ "$MYSQL_USER" -a "$MYSQL_PASSWORD" ]; then + mysql_password=`prepare_password $MYSQL_PASSWORD` + echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$mysql_password' ;" | "${mysql[@]}" + + if [ "$MYSQL_DATABASE" ]; then + echo "GRANT ALL ON \`$MYSQL_DATABASE\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}" + fi + + echo 'FLUSH PRIVILEGES ;' | "${mysql[@]}" +fi + +if ! kill -s TERM "$pid" || ! wait "$pid"; then + echo >&2 'MySQL init process failed.' + exit 1 +fi + +echo +echo 'MySQL init process done. Ready for start up.' +echo diff --git a/kubernetes/common/mariadb-galera/templates/configmap.yaml b/kubernetes/common/mariadb-galera/templates/configmap.yaml index e7bb701930..a7064d7ce4 100644 --- a/kubernetes/common/mariadb-galera/templates/configmap.yaml +++ b/kubernetes/common/mariadb-galera/templates/configmap.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,4 +29,17 @@ metadata: data: my_extra.cnf: | {{ .Values.externalConfig | indent 4 }} -{{- end -}} +{{- end }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index 7157e3390b..855d50e5ea 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -47,6 +47,10 @@ spec: configMap: name: {{ include "common.fullname" . }}-external-config {{- end}} + - name: init-script + configMap: + name: {{ include "common.fullname" . }} + defaultMode: 0755 - name: localtime hostPath: path: /etc/localtime @@ -104,6 +108,9 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true + - mountPath: /usr/share/container-scripts/mysql/configure-mysql.sh + subPath: configure-mysql.sh + name: init-script {{- if .Values.persistence.enabled }} - mountPath: /var/lib/mysql name: {{ include "common.fullname" . }}-data diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml index 4ba11ec8c7..0163fbd5d4 100644 --- a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml @@ -82,6 +82,7 @@ spec: - sh - -exec - | + rm -rf '/var/lib/kafka/data/lost+found'; chown -R 1000:0 /var/lib/kafka/data; image: "{{ .Values.busyBoxRepository }}/{{ .Values.busyBoxImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} diff --git a/kubernetes/onap/resources/overrides/sm-onap.yaml b/kubernetes/onap/resources/overrides/sm-onap.yaml new file mode 100644 index 0000000000..796643171b --- /dev/null +++ b/kubernetes/onap/resources/overrides/sm-onap.yaml @@ -0,0 +1,139 @@ +# Copyright 2020 Samsung Electronics Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +# This override file is used to deploy a core configuration. It is based on +# minimal-onap.yaml and Orange accomplishments [1][2][3]. +# It includes the following components: +# AAI, DMAAP, SDC, SDNC, SO (+ Cassandra) +# +# Minimal resources are also reviewed for the various containers +# AAI: no override => to be fixed +# DMAAP: no override # SO: no override +# SDC: new values +# SDNC: no override +# +# Replicas are set to: +# AAI Cassandra: 1 +# Cassandra: 3 (to allow reaching quorum) +# +# In addition, some parameters are set to limit the memory footprint. +# +# It overrides the default ONAP parent chart behaviour to deploy +# all of ONAP. +# +# helm deploy core local/onap --namespace onap -f core-onap.yaml +# +# [1] https://gitlab.com/Orange-OpenSource/lfn/onap/onap_oom_automatic_installation +# [2] https://wiki.lfnetworking.org/display/LN/Call%20for%20ONAP%20DDF%20Topics%20-%20Prague%202020#CallforONAPDDFTopics-Prague2020-OOM-IntroductionofServicemesh +# [3] https://wiki.lfnetworking.org/download/attachments/25364127/OOM%20Service%20Mesh%20Prague.pptx + +####################### +# Core ONAP deployment +####################### +global: + aafEnabled: false +aai: + enabled: true + global: + cassandra: + replicas: 1 + aai-cassandra: + replicaCount: 1 +aaf: + enabled: false +appc: + enabled: false +cassandra: + enabled: true + replicaCount: 3 +clamp: + enabled: false +cli: + enabled: false +consul: + enabled: false +contrib: + enabled: false +dcaegen2: + enabled: false +dmaap: + enabled: true +esr: + enabled: false +log: + enabled: false +mariadb-galera: + enabled: true +msb: + enabled: false +multicloud: + enabled: false +nbi: + enabled: false +oof: + enabled: false +policy: + enabled: false +pomba: + enabled: false +portal: + enabled: false +robot: + enabled: false +sdc: + enabled: true + sdc-be: + config: + javaOptions: "-Xdebug -agentlib:jdwp=transport=dt_socket,address=4000,server=y,suspend=n -Xmx512m -Xms256m" + sdc-fe: + resources: + small: + limits: + cpu: 1 + memory: 2Gi + requests: + cpu: 10m + memory: 500Mi + sdc-cs: + config: + maxHeapSize: "512M" + heapNewSize: "256M" +sdnc: + enabled: true +sniro-emulator: + enabled: false +so: + enabled: true + config: + # openstack configuration + openStackUserName: "$OPENSTACK_USER_NAME" + openStackRegion: "$OPENSTACK_REGION" + openStackKeyStoneUrl: "$OPENSTACK_KEYSTONE_URL" + openStackServiceTenantName: "$OPENSTACK_TENANT_NAME" + openStackEncryptedPasswordHere: "$OPENSTACK_ENCRYPTED_PASSWORD" +uui: + enabled: false +vid: + enabled: false +vfc: + enabled: false +vnfsdk: + enabled: false +cds: + enabled: true +dmaap: + enabled: true + dmaap-bc: + enabled: false diff --git a/kubernetes/policy/charts/pdp/templates/statefulset.yaml b/kubernetes/policy/charts/pdp/templates/statefulset.yaml index 8e0c40370d..b70b04b023 100644 --- a/kubernetes/policy/charts/pdp/templates/statefulset.yaml +++ b/kubernetes/policy/charts/pdp/templates/statefulset.yaml @@ -40,7 +40,7 @@ spec: - sh args: - -c - - "cd /config-input && for PFILE in `ls -1 *.conf`; do envsubst <${PFILE} >/config/${PFILE}; done" + - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; chmod 0755 /config/${PFILE}; done" env: - name: JDBC_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} @@ -55,10 +55,14 @@ spec: - name: PDP_PAP_PDP_HTTP_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pap-http-creds" "key" "password") | indent 10 }} volumeMounts: - - mountPath: /config-input + - mountPath: /config-input/pe + name: pe-input + - mountPath: /config-input/pe-pdp + name: pe-pdp-input + - mountPath: /config/pe name: pe - - mountPath: /config - name: pe-processed + - mountPath: /config/pe-pdp + name: pe-pdp image: "{{ .Values.global.envsubstImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config @@ -89,14 +93,6 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - name: JDBC_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - - name: PDP_HTTP_USER_ID - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pdp-http-creds" "key" "login") | indent 10 }} - - name: PDP_HTTP_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pdp-http-creds" "key" "password") | indent 10 }} - - name: PDP_PAP_PDP_HTTP_USER_ID - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pap-http-creds" "key" "login") | indent 10 }} - - name: PDP_PAP_PDP_HTTP_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pap-http-creds" "key" "password") | indent 10 }} resources: {{ include "common.resources" . | indent 12 }} ports: @@ -118,10 +114,10 @@ spec: name: localtime readOnly: true - mountPath: /tmp/policy-install/config/base.conf - name: pe-processed + name: pe subPath: base.conf - mountPath: /tmp/policy-install/config/pdp-tweaks.sh - name: pe-pdp + name: pe-pdp-input subPath: pdp-tweaks.sh - mountPath: /tmp/policy-install/config/pdplp.conf name: pe-pdp @@ -166,7 +162,7 @@ spec: - name: policy-logback configMap: name: {{ include "common.fullname" . }}-log-configmap - - name: pe + - name: pe-input configMap: name: {{ include "common.release" . }}-pe-configmap defaultMode: 0755 @@ -174,11 +170,14 @@ spec: configMap: name: {{ include "common.release" . }}-pe-scripts-configmap defaultMode: 0777 - - name: pe-pdp + - name: pe-pdp-input configMap: name: {{ include "common.fullname" . }}-pe-configmap defaultMode: 0755 - - name: pe-processed + - name: pe + emptyDir: + medium: Memory + - name: pe-pdp emptyDir: medium: Memory imagePullSecrets: diff --git a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json index a52cc0f6d4..3b72d8ed90 100644 --- a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json +++ b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json @@ -21,16 +21,16 @@ "restServerParameters": { "host": "0.0.0.0", "port": 6969, - "userName": "healthcheck", - "password": "zb!XztG34", + "userName": "${RESTSERVER_USER}", + "password": "${RESTSERVER_PASSWORD}", "https": true, "aaf": false }, "policyApiParameters": { "host": "policy-api", "port": 6969, - "userName": "healthcheck", - "password": "zb!XztG34", + "userName": "${API_USER}", + "password": "${API_PASSWORD}", "https": true, "aaf": false }, diff --git a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml index 5b02c177b5..9ac5d68a89 100644 --- a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml +++ b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml @@ -31,6 +31,28 @@ spec: image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} + - name: API_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "login") | indent 10 }} + - name: API_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: pdpxconfig + - mountPath: /config + name: pdpxconfig-processed + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -63,7 +85,9 @@ spec: name: localtime readOnly: true - mountPath: /opt/app/policy/pdpx/etc/mounted - name: pdpxconfig + name: pdpxconfig-processed + emptyDir: + medium: Memory resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -82,5 +106,8 @@ spec: configMap: name: {{ include "common.fullname" . }}-configmap defaultMode: 0755 + - name: pdpxconfig-processed + emptyDir: + medium: Memory imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/charts/policy-xacml-pdp/values.yaml b/kubernetes/policy/charts/policy-xacml-pdp/values.yaml index a2c0aa0e63..63f50fd7fa 100644 --- a/kubernetes/policy/charts/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/charts/policy-xacml-pdp/values.yaml @@ -21,6 +21,7 @@ ################################################################# global: persistence: {} + envsubstImage: dibi/envsubst ################################################################# # Secrets metaconfig @@ -32,6 +33,18 @@ secrets: login: '{{ .Values.db.user }}' password: '{{ .Values.db.password }}' passwordPolicy: required + - uid: restserver-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + passwordPolicy: required + - uid: api-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.apiServer.credsExternalSecret) . }}' + login: '{{ .Values.apiServer.user }}' + password: '{{ .Values.apiServer.password }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -49,6 +62,12 @@ debugEnabled: false db: user: policy_user password: policy_user +restServer: + user: healthcheck + password: zb!XztG34 +apiServer: + user: healthcheck + password: zb!XztG34 # default number of instances replicaCount: 1 diff --git a/kubernetes/portal/charts/portal-mariadb/resources/config/mariadb/oom_updates.sql b/kubernetes/portal/charts/portal-mariadb/resources/config/mariadb/oom_updates.sql index 7baf85f6c1..13b319c76a 100644 --- a/kubernetes/portal/charts/portal-mariadb/resources/config/mariadb/oom_updates.sql +++ b/kubernetes/portal/charts/portal-mariadb/resources/config/mariadb/oom_updates.sql @@ -23,7 +23,7 @@ while the OOM K8s version has these service split up. */ -- app_url is the FE, app_rest_endpoint is the BE --portal-sdk => TODO: doesn't open a node port yet -update fn_app set app_url = 'http://{{.Values.config.portalSdkHostName}}:{{.Values.config.portalSdkPort}}/ONAPPORTALSDK/welcome.htm', app_rest_endpoint = 'http://portal-sdk:8080/ONAPPORTALSDK/api/v3' where app_name = 'xDemo App'; +update fn_app set app_url = 'https://{{.Values.config.portalSdkHostName}}:{{.Values.config.portalSdkPort}}/ONAPPORTALSDK/welcome.htm', app_rest_endpoint = 'https://portal-sdk:8080/ONAPPORTALSDK/api/v3' where app_name = 'xDemo App'; --dmaap-bc => the dmaap-bc doesn't open a node port.. update fn_app set app_url = 'http://{{.Values.config.dmaapBcHostName}}:{{.Values.config.dmaapBcPort}}/ECOMPDBCAPP/dbc#/dmaap', app_rest_endpoint = 'http://dmaap-bc:8989/ECOMPDBCAPP/api/v2' where app_name = 'DMaaP Bus Ctrl'; --sdc-be => 8443:30204 diff --git a/kubernetes/robot b/kubernetes/robot index 431689c787..c81062626b 160000 --- a/kubernetes/robot +++ b/kubernetes/robot @@ -1 +1 @@ -Subproject commit 431689c7879a92be54477f13f8e39908db5f07f2 +Subproject commit c81062626b69160145baac5e6a5d670cb67211fa diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml index 3db3685b86..108c781f54 100644 --- a/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml +++ b/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml @@ -70,6 +70,19 @@ spec: mountPath: /config-input/ - name: sdc-environments-output mountPath: /config-output/ + - name: volume-permissions + image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /bin/sh + - -c + - | + chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} //onboard/cert + securityContext: + runAsUser: 0 + volumeMounts: + - name: {{ include "common.fullname" . }}-cert-storage + mountPath: "/onboard/cert" containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml index 946cb3491f..4cfebbf72f 100644 --- a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml +++ b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml @@ -103,6 +103,9 @@ cert: volumeReclaimPolicy: Retain mountSubPath: /sdc/onbaording/cert +securityContext: + fsGroup: 35953 + runAsUser: 352070 ingress: enabled: false diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml index 5701a91f27..2694b5de80 100644 --- a/kubernetes/sdc/values.yaml +++ b/kubernetes/sdc/values.yaml @@ -28,6 +28,8 @@ global: wf_external_user_password: S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== ubuntuInitRepository: oomk8s ubuntuInitImage: ubuntu-init:1.0.0 + busyboxRepository: registry.hub.docker.com + busyboxImage: library/busybox:latest cassandra: #This flag allows SDC to instantiate its own cluster, serviceName #should be sdc-cs if this flag is enabled diff --git a/kubernetes/so/charts/so-nssmf-adapter/Chart.yaml b/kubernetes/so/charts/so-nssmf-adapter/Chart.yaml new file mode 100755 index 0000000000..b3311d1c8c --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart for Kubernetes +name: so-nssmf-adapter +version: 6.0.0 \ No newline at end of file diff --git a/kubernetes/so/charts/so-nssmf-adapter/resources/config/overrides/override.yaml b/kubernetes/so/charts/so-nssmf-adapter/resources/config/overrides/override.yaml new file mode 100755 index 0000000000..10741b75e7 --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/resources/config/overrides/override.yaml @@ -0,0 +1,66 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +aai: + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} + endpoint: https://aai.{{ include "common.namespace" . }}:8443 +logging: + path: logs +spring: + datasource: + jdbc-url: jdbc:mariadb://${DB_HOST}:${DB_PORT}/requestdb + username: ${DB_USERNAME} + password: ${DB_PASSWORD} + driver-class-name: org.mariadb.jdbc.Driver + jpa: + show-sql: false + hibernate: + dialect: org.hibernate.dialect.MySQL5Dialect + ddl-auto: validate + naming-strategy: org.hibernate.cfg.ImprovedNamingStrategy + enable-lazy-load-no-trans: true + security: + usercredentials: + - username: ${BPEL_USERNAME} + password: ${BPEL_PASSWORD} + role: BPEL-Client + - username: ${ACTUATOR_USERNAME} + password: ${ACTUATOR_PASSWORD} + role: ACTUATOR +server: + port: {{ index .Values.containerPort }} + tomcat: + max-threads: 50 + +mso: + site-name: localSite + logPath: ./logs/nssmf + msb-ip: msb-iag.{{ include "common.namespace" . }} + msb-port: 80 + adapters: + requestDb: + endpoint: https://so-request-db-adapter.{{ include "common.namespace" . }}:8083 + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} +#Actuator +management: + endpoints: + web: + base-path: /manage + exposure: + include: "*" + metrics: + se-global-registry: false + export: + prometheus: + enabled: true # Whether exporting of metrics to Prometheus is enabled. + step: 1m # Step size (i.e. reporting frequency) to use. diff --git a/kubernetes/so/charts/so-nssmf-adapter/templates/configmap.yaml b/kubernetes/so/charts/so-nssmf-adapter/templates/configmap.yaml new file mode 100755 index 0000000000..85d00fddf3 --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/templates/configmap.yaml @@ -0,0 +1,26 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "env") | nindent 2 }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +data: +{{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }} diff --git a/kubernetes/so/charts/so-nssmf-adapter/templates/deployment.yaml b/kubernetes/so/charts/so-nssmf-adapter/templates/deployment.yaml new file mode 100755 index 0000000000..8d1eaf8ea4 --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/templates/deployment.yaml @@ -0,0 +1,131 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ index .Values.replicaCount }} + minReadySeconds: {{ index .Values.minReadySeconds }} + strategy: + type: {{ index .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ index .Values.updateStrategy.maxSurge }} + template: + metadata: + labels: {{- include "common.labels" . | nindent 8 }} + spec: + initContainers: {{ include "so.certificate.container_importer" . | nindent 8 }} + - name: {{ include "common.name" . }}-readiness + command: + - /root/job_complete.py + args: + - --job-name + - {{ include "common.release" . }}-so-mariadb-config-job + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + containers: + - name: {{ include "common.name" . }} + command: + - sh + args: + - -c + - export BPEL_PASSWORD=`htpasswd -bnBC 10 "" $BPEL_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'`; export ACTUATOR_PASSWORD=`htpasswd -bnBC 10 "" $ACTUATOR_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'`; ./start-app.sh + image: {{ include "common.repository" . }}/{{ .Values.image }} + resources: {{ include "common.resources" . | nindent 12 }} + ports: {{- include "common.containerPorts" . | nindent 12 }} + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + name: {{ include "common.release" . }}-so-db-secrets + key: mariadb.readwrite.host + - name: DB_PORT + valueFrom: + secretKeyRef: + name: {{ include "common.release" . }}-so-db-secrets + key: mariadb.readwrite.port + - name: DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 14 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 14 }} + - name: DB_ADMIN_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 14 }} + - name: DB_ADMIN_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 14 }} + - name: TRUSTSTORE + value: {{ .Values.global.client.certs.truststore }} + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: trustStorePassword + - name: BPEL_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-bpel-creds" "key" "login") | indent 14 }} + - name: BPEL_PASSWORD_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-bpel-creds" "key" "password") | indent 14 }} + - name: ACTUATOR_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "login") | indent 14 }} + - name: ACTUATOR_PASSWORD_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "password") | indent 14 }} + {{- if eq .Values.global.security.aaf.enabled true }} + - name: KEYSTORE + value: {{ .Values.global.client.certs.keystore }} + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: keyStorePassword + {{- end }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-env + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 12 }} + - name: logs + mountPath: /app/logs + - name: config + mountPath: /app/config + readOnly: true + - name: {{ include "common.fullname" . }}-truststore + mountPath: /app/client + readOnly: true + livenessProbe: + httpGet: + path: {{ index .Values.livenessProbe.path}} + port: {{ index .Values.containerPort }} + scheme: {{ index .Values.livenessProbe.scheme}} + initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} + periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} + timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}} + successThreshold: {{ index .Values.livenessProbe.successThreshold}} + failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} + volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + - name: logs + emptyDir: {} + - name: config + configMap: + name: {{ include "common.fullname" . }} + - name: {{ include "common.fullname" . }}-truststore + secret: + secretName: {{ include "common.release" . }}-so-truststore-secret + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/so/charts/so-nssmf-adapter/templates/secret.yaml b/kubernetes/so/charts/so-nssmf-adapter/templates/secret.yaml new file mode 100644 index 0000000000..a39363ffdd --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/so/charts/so-nssmf-adapter/templates/service.yaml b/kubernetes/so/charts/so-nssmf-adapter/templates/service.yaml new file mode 100755 index 0000000000..cf08482ad2 --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/templates/service.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.service" . }} diff --git a/kubernetes/so/charts/so-nssmf-adapter/values.yaml b/kubernetes/so/charts/so-nssmf-adapter/values.yaml new file mode 100755 index 0000000000..44536a8a33 --- /dev/null +++ b/kubernetes/so/charts/so-nssmf-adapter/values.yaml @@ -0,0 +1,136 @@ +# Copyright © 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + repository: nexus3.onap.org:10001 + readinessRepository: oomk8s + readinessImage: readiness-check:2.0.2 + persistence: + mountPath: /dockerdata-nfs + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-user-creds + name: '{{ include "common.release" . }}-so-bpmn-infra-db-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' + login: '{{ .Values.db.userName }}' + password: '{{ .Values.db.userPassword }}' + passwordPolicy: required + - uid: db-admin-creds + name: '{{ include "common.release" . }}-so-bpmn-infra-db-admin-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' + login: '{{ .Values.db.adminName }}' + password: '{{ .Values.db.adminPassword }}' + passwordPolicy: required + - uid: "so-onap-certs" + externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' + type: generic + filePaths: '{{ .Values.secretsFilePaths }}' + - uid: server-bpel-creds + name: '{{ include "common.release" . }}-so-server-bpel-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.server.bpelCredsExternalSecret) . }}' + login: '{{ .Values.server.bpel.username }}' + password: '{{ .Values.server.bpel.password }}' + passwordPolicy: required + - uid: server-actuator-creds + name: '{{ include "common.release" . }}-so-server-actuator-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.server.actuatorCredsExternalSecret) . }}' + login: '{{ .Values.server.actuator.username }}' + password: '{{ .Values.server.actuator.password }}' + passwordPolicy: required + + +#secretsFilePaths: | +# - 'my file 1' +# - '{{ include "templateThatGeneratesFileName" . }}' + +################################################################# +# Application configuration defaults. +################################################################# +repository: nexus3.onap.org:10001 +image: onap/so/nssmf-adapter:1.6.0 +pullPolicy: Always + +db: + userName: so_user + userPassword: so_User123 + # userCredsExternalSecret: some secret + adminName: so_admin + adminPassword: so_Admin123 + # adminCredsExternalSecret: some secret +server: + actuator: + username: mso_admin + password: password1$ + bpel: + username: bpel + password: password1$ + +replicaCount: 1 +minReadySeconds: 10 +containerPort: 8088 +logPath: ./logs/nssmf/ +app: nssmf-adapter +service: + type: ClusterIP + ports: + - name: api + port: 8088 +updateStrategy: + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + memory: 4Gi + cpu: 2000m + requests: + memory: 1Gi + cpu: 500m + large: + limits: + memory: 8Gi + cpu: 4000m + requests: + memory: 2Gi + cpu: 1000m + unlimited: {} +livenessProbe: + path: /manage/health + port: 8088 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 +ingress: + enabled: false +nodeSelector: {} +tolerations: [] +affinity: {} diff --git a/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks b/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks index 96931ce168..9ebe9a8041 100644 Binary files a/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks and b/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks differ diff --git a/kubernetes/so/resources/config/log/logback.nssmf.xml b/kubernetes/so/resources/config/log/logback.nssmf.xml new file mode 100755 index 0000000000..b3117ee7a0 --- /dev/null +++ b/kubernetes/so/resources/config/log/logback.nssmf.xml @@ -0,0 +1,132 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ${logDirectory}/${auditLogName}${jboss.server.name}.log + + ${logDirectory}/${auditLogName}${jboss.server.name}.log.%d + + + + ${auditPattern} + + + + 256 + + + + + ${logDirectory}/${metricsLogName}${jboss.server.name}.log + + ${logDirectory}/${metricsLogName}${jboss.server.name}.log.%d + + + + + ${metricPattern} + + + + + 256 + + + + + ${logDirectory}/${errorLogName}${jboss.server.name}.log + + ${logDirectory}/${errorLogName}${jboss.server.name}.log.%d + + + + INFO + + + ${errorPattern} + + + + + 256 + + + + + ${debugLogDirectory}/${debugLogName}${jboss.server.name}.log + + ${debugLogDirectory}/${debugLogName}${jboss.server.name}.log.%d + + + + ${debugPattern} + + + + + 256 + + true + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index e9c5637eef..6cbfc74b52 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -407,6 +407,28 @@ so-vfc-adapter: requestDb: auth: Basic YnBlbDpwYXNzd29yZDEk +so-nssmf-adapter: + certSecret: *so-certs + db: + <<: *dbSecrets + aaf: + auth: + username: so@so.onap.org + password: 8DB1C939BFC6A35C3832D0E52E452D0E05AE2537AF142CECD125FF827C05A972FDD0F4700547DA + aai: + auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + mso: + key: 07a7159d3bf51a0e53be7a8f89699be7 + config: + cadi: + aafId: so@so.onap.org + aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 + apiEnforcement: org.onap.so.nssmfAdapterPerm + noAuthn: /manage/health + adapters: + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk + so-vnfm-adapter: certSecret: *so-certs aaf: