From: Andreas Geissler Date: Tue, 7 Mar 2023 14:21:34 +0000 (+0000) Subject: Merge "[CDS-BP-PROC] Move to use strimzi kafka template" X-Git-Tag: 12.0.0~100 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=4665f6050dea6c1b35756523e829c827ff1e407e;hp=d3c55abb3bbdab8e864a4997f7699cae8a253e37;p=oom.git Merge "[CDS-BP-PROC] Move to use strimzi kafka template" --- diff --git a/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml b/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml index 3ef9519d55..f5f53f9f00 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml @@ -1,6 +1,6 @@ # Copyright (c) 2019 IBM, Bell Canada # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -29,6 +29,6 @@ dependencies: - name: serviceAccount version: ~12.x-0 repository: '@local' - - name: certInitializer + - name: readinessCheck version: ~12.x-0 repository: '@local' diff --git a/kubernetes/cds/components/cds-blueprints-processor/resources/config/ONAP_RootCA.cer b/kubernetes/cds/components/cds-blueprints-processor/resources/config/ONAP_RootCA.cer deleted file mode 100755 index e9a50d7ea0..0000000000 --- a/kubernetes/cds/components/cds-blueprints-processor/resources/config/ONAP_RootCA.cer +++ /dev/null 
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV
-BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx
-NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK
-DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
-ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7
-XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn
-H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM
-pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7
-NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg
-2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY
-wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd
-ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM
-P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6
-aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY
-PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G
-A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ
-UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN
-BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz
-L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9
-7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx
-c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf
-jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2
-RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h
-PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF
-CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+
-Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A
-cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR
-ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX
-dYY=
------END CERTIFICATE-----
diff --git a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties index 2818fd99b4..7351b1f193 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties +++ b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties @@ -1,6 +1,6 @@ {{/* # -# Copyright (c) 2017-2022 AT&T, IBM, Bell Canada, Nordix Foundation. +# Copyright (c) 2017-2023 AT&T, IBM, Bell Canada, Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -101,11 +101,7 @@ blueprintsprocessor.restclient.sdnc.password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoG # AAI Data REST Client settings blueprintsprocessor.restclient.aai-data.type=basic-auth -{{ if ( include "common.needTLS" .) }} -blueprintsprocessor.restclient.aai-data.url=https://{{ .Values.global.aaiData.ServiceName }}:8443 -{{- else -}} blueprintsprocessor.restclient.aai-data.url=http://{{ .Values.global.aaiData.ServiceName }}:{{ .Values.global.aaiData.ExternalPlainPort }} -{{- end }} blueprintsprocessor.restclient.aai-data.username=aai@aai.onap.org blueprintsprocessor.restclient.aai-data.password=demo123456! blueprintsprocessor.restclient.aai-data.additionalHeaders.X-TransactionId=cds-transaction-id 
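Review bot: With the `common.needTLS` branch removed from the AAI Data REST client block, `blueprintsprocessor.restclient.aai-data.url` is always `http://`, while the surrounding context lines keep `type=basic-auth` with a username and password written into the template. Those credentials now travel unencrypted on every AAI call unless something outside this chart (presumably a service-mesh sidecar) encrypts pod-to-pod traffic, and that assumption should be recorded above the URL line, e.g. `# plain HTTP: transport encryption is expected from the mesh, not from this client`. The literal `aai-data.password` in the context lines would also be better supplied from a Secret through an environment variable, the way `${SASL_JAAS_PASS}` is used further down this file.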
@@ -121,70 +117,44 @@ blueprintsprocessor.restclient.cps-data.additionalHeaders.Accept=application/jso blueprintsprocessor.restclient.cps-data.additionalHeaders.Content-Type=application/json # Self Service Request Kafka Message Consumer -blueprintsprocessor.messageconsumer.self-service-api.kafkaEnable={{ .Values.kafkaRequestConsumer.enabled }} -blueprintsprocessor.messageconsumer.self-service-api.type={{ .Values.kafkaRequestConsumer.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageconsumer.self-service-api.kafkaEnable=true +blueprintsprocessor.messageconsumer.self-service-api.type=kafka-scram-plain-text-auth blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers={{ .Values.kafkaRequestConsumer.bootstrapServers }} +{{- with (first .Values.kafkaUser.acls) }} +blueprintsprocessor.messageconsumer.self-service-api.groupId={{ .name }} {{- end }} -blueprintsprocessor.messageconsumer.self-service-api.groupId={{ .Values.kafkaRequestConsumer.groupId }} -blueprintsprocessor.messageconsumer.self-service-api.topic={{ .Values.kafkaRequestConsumer.topic }} -blueprintsprocessor.messageconsumer.self-service-api.clientId={{ .Values.kafkaRequestConsumer.clientId }} -blueprintsprocessor.messageconsumer.self-service-api.pollMillSec={{ .Values.kafkaRequestConsumer.pollMillSec }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageconsumer.self-service-api.scramUsername={{ include "common.release" . 
}}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageconsumer.self-service-api.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageconsumer.self-service-api.topic=cds.blueprint-processor.self-service-api.request +blueprintsprocessor.messageconsumer.self-service-api.clientId=request-receiver-client-id +blueprintsprocessor.messageconsumer.self-service-api.pollMillSec=1000 +blueprintsprocessor.messageconsumer.self-service-api.scramUsername={{ include "common.name" . }}-ku +blueprintsprocessor.messageconsumer.self-service-api.scramPassword=${SASL_JAAS_PASS} # Self Service Response Kafka Message Producer -blueprintsprocessor.messageproducer.self-service-api.type={{ .Values.kafkaRequestProducer.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.type=kafka-scram-plain-text-auth blueprintsprocessor.messageproducer.self-service-api.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageproducer.self-service-api.bootstrapServers={{ .Values.kafkaRequestProducer.bootstrapServers }} -{{- end }} -blueprintsprocessor.messageproducer.self-service-api.clientId={{ .Values.kafkaRequestProducer.clientId }} -blueprintsprocessor.messageproducer.self-service-api.topic={{ .Values.kafkaRequestProducer.topic }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageproducer.self-service-api.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageproducer.self-service-api.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageproducer.self-service-api.clientId=request-producer-client-id +blueprintsprocessor.messageproducer.self-service-api.topic=cds.blueprint-processor.self-service-api.response +blueprintsprocessor.messageproducer.self-service-api.scramUsername={{ include "common.name" . 
}}-ku +blueprintsprocessor.messageproducer.self-service-api.scramPassword=${SASL_JAAS_PASS} # AUDIT KAFKA FEATURE CONFIGURATION # Audit feature dumps CDS request to a topic as well as a truncated response message to another topic. ## Audit request -blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable={{ .Values.kafkaAuditRequest.enabled }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.type={{ .Values.kafkaAuditRequest.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable=true +blueprintsprocessor.messageproducer.self-service-api.audit.request.type=kafka-scram-plain-text-auth blueprintsprocessor.messageproducer.self-service-api.audit.request.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageproducer.self-service-api.audit.request.bootstrapServers={{ .Values.kafkaAuditRequest.bootstrapServers }} -{{- end }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.clientId={{ .Values.kafkaAuditRequest.clientId }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.topic={{ .Values.kafkaAuditRequest.topic }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageproducer.self-service-api.audit.request.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.clientId=audit-request-producer-client-id +blueprintsprocessor.messageproducer.self-service-api.audit.request.topic=cds.blueprint-processor.self-service-api.audit.request +blueprintsprocessor.messageproducer.self-service-api.audit.request.scramUsername={{ include "common.name" . 
}}-ku +blueprintsprocessor.messageproducer.self-service-api.audit.request.scramPassword=${SASL_JAAS_PASS} ## Audit response -blueprintsprocessor.messageproducer.self-service-api.audit.response.type={{ .Values.kafkaAuditResponse.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.type=kafka-scram-plain-text-auth blueprintsprocessor.messageproducer.self-service-api.audit.response.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageproducer.self-service-api.audit.response.bootstrapServers={{ .Values.kafkaAuditRequest.bootstrapServers }} -{{- end }} -blueprintsprocessor.messageproducer.self-service-api.audit.response.clientId={{ .Values.kafkaAuditResponse.clientId }} -blueprintsprocessor.messageproducer.self-service-api.audit.response.topic={{ .Values.kafkaAuditResponse.topic }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageproducer.self-service-api.audit.response.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageproducer.self-service-api.audit.response.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.clientId=audit-response-producer-client-id +blueprintsprocessor.messageproducer.self-service-api.audit.response.topic=cds.blueprint-processor.self-service-api.audit.response +blueprintsprocessor.messageproducer.self-service-api.audit.response.scramUsername={{ include "common.name" . }}-ku +blueprintsprocessor.messageproducer.self-service-api.audit.response.scramPassword=${SASL_JAAS_PASS} # Executor Options blueprintsprocessor.resourceResolution.enabled=true 
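Review bot: The consumer `groupId` is taken from `first .Values.kafkaUser.acls`, so it is right only while the `group` ACL stays the first list entry in values.yaml. If the list is reordered or an override puts a topic ACL first, the consumer would join a group named after a topic prefix for which the KafkaUser has no group ACL, and if the list is empty the `with` block drops the `groupId` line entirely. Selecting the entry whose `type` is `group` (a `range` with `if eq .type "group"` around the line) or reading a dedicated value removes the dependency on ordering. Separately, `kafkaEnable=true` and `audit.kafkaEnable=true` are now unconditional where the removed values defaulted `enabled` to `false`; if that is intended it deserves a line in the commit message.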
diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml deleted file mode 100644 index 555f4d4e60..0000000000 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{ if eq .Values.useStrimziKafka true }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaRequestConsumer.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaRequestProducer.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaAuditRequest.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaAuditResponse.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 -{{ end }} \ No newline at end of file 
diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml deleted file mode 100644 index 65ee1d2a96..0000000000 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml +++ /dev/null @@ -1,49 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{ if eq .Values.useStrimziKafka true }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: scram-sha-512 - authorization: - type: simple - acls: - - resource: - type: group - name: {{ .Values.kafkaRequestConsumer.groupId }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaRequestConsumer.topic }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaRequestProducer.topic }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaAuditRequest.topic }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaAuditResponse.topic }} - operation: All -{{ end }} \ No newline at end of file diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml index 520516d7c9..a6e3a52bf7 100755 
--- a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml @@ -1,7 +1,7 @@ {{/* # Copyright (c) 2019 IBM, Bell Canada # Copyright (c) 2020 Samsung Electronics -# Modification Copyright © 2022 Nordix Foundation +# Modification Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,38 +18,26 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} strategy: type: RollingUpdate rollingUpdate: - # This allow a new pod to be ready before terminating the old one + # This allows a new pod to be ready before terminating the old one # causing no downtime when replicas is set to 1 maxUnavailable: 0 - # maxSurge to 1 is very important for the hazelcast integration # we only want one pod at a time to restart not multiple # and break the hazelcast cluster. We should not use % maxSurge value # ref : https://hazelcast.com/blog/rolling-upgrade-hazelcast-imdg-on-kubernetes/ maxSurge: 1 template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: 
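Review bot: `spec.selector` now comes from `common.selectors`, and the Service selectors in service.yaml move from `app`/`release` to `app.kubernetes.io/name`/`app.kubernetes.io/instance`, which suggests the rendered `matchLabels` change as well. A Deployment's selector is immutable in `apps/v1`, so an in-place `helm upgrade` of an existing release would be rejected until the old Deployment is deleted. The helper's output is not visible in this diff, so this should be confirmed against a rendered template and, if it holds, called out in the release notes. The Deployment spec continues outside this hunk.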
@@ -75,21 +63,6 @@ spec: name: {{ include "common.name" . }}-update-config - command: - - /app/ready.py - args: - - --container-name - - cds-db - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - - name: fix-permission - command: - chown - -R - 1000:1000 @@ -99,6 +72,8 @@ spec: volumeMounts: - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints + name: fix-permission + containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -110,8 +85,6 @@ spec: value: {{ if (gt (int (.Values.replicaCount)) 2) }} {{ .Values.cluster.enabled | quote }} {{ else }} "false" {{ end }} - name: CLUSTER_ID value: {{ .Values.cluster.clusterName }} - - name: AAF_CREDSPATH - value: {{ .Values.certInitializer.credsPath }} - name: CLUSTER_NODE_ID valueFrom: fieldRef: @@ -122,10 +95,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "login") | indent 12 }} - name: CPS_PASS_PLAIN {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "password") | indent 12 }} - {{ if .Values.useStrimziKafka }} - - name: JAAS_PASS - value: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cds-kafka-secret" "key" "password") | indent 12 }} - {{ end }} + - name: SASL_JAAS_PASS + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: password ports: - containerPort: {{ .Values.service.http.internalPort }} - containerPort: {{ .Values.service.grpc.internalPort }} 
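Review bot: `SASL_JAAS_PASS` reads key `password` from a Secret named `{{ include "common.name" . }}-ku`, and the same `-ku` suffix is repeated in the four `scramUsername` lines of application.properties, but nothing in this commit shows that `common.kafkauser` creates the KafkaUser (and so the Strimzi-generated Secret) under exactly that name. If the names drift the container cannot be created because the referenced Secret is missing, so either derive the name from one shared helper or add a comment above the `secretKeyRef`: `# Secret is generated by Strimzi for the KafkaUser rendered in templates/kafkauser.yaml`. The container spec continues outside this hunk.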
@@ -133,7 +107,7 @@ spec: startupProbe: httpGet: path: /api/v1/execution-service/health-check - port: {{ .Values.service.http.internalPort }} + port: {{ .Values.startup.port }} httpHeaders: - name: Authorization value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== @@ -146,7 +120,7 @@ spec: livenessProbe: httpGet: path: /api/v1/execution-service/health-check - port: {{ .Values.service.http.internalPort }} + port: {{ .Values.liveness.port }} httpHeaders: - name: Authorization value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== @@ -157,14 +131,14 @@ spec: readinessProbe: httpGet: path: /api/v1/execution-service/health-check - port: {{ .Values.service.http.internalPort }} + port: {{ .Values.readiness.port }} httpHeaders: - name: Authorization value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} + volumeMounts: - mountPath: /etc/localtime name: localtime readOnly: true @@ -180,11 +154,6 @@ spec: - mountPath: {{ .Values.config.appConfigDir }}/hazelcast.yaml name: {{ include "common.fullname" . }}-config subPath: hazelcast.yaml - - - mountPath: {{ .Values.config.appConfigDir }}/ONAP_RootCA.cer - name: {{ include "common.fullname" . }}-config - subPath: ONAP_RootCA.cer - - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints resources: {{ include "common.resources" . | nindent 12 }} @@ -197,7 +166,7 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} + volumes: - name: localtime hostPath: path: /etc/localtime 
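Review bot: The startup, liveness and readiness probes touched here still send a fixed `Authorization: Basic …` header (context lines), so what appears to be an application credential is stored in the Deployment object and is readable by anyone allowed to read Deployments or Pods in the namespace. `httpGet` probe headers accept only literal values, so this cannot be moved into a Secret; the alternatives are a health endpoint that needs no authentication or an `exec` probe that takes the credential from the container environment. It fits as a follow-up, since the same commit already removes other embedded credentials such as `aafDeployPass` from values.yaml.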
@@ -213,8 +182,6 @@ spec: path: logback.xml - key: hazelcast.yaml path: hazelcast.yaml - - key: ONAP_RootCA.cer - path: ONAP_RootCA.cer - name: {{ include "common.fullname" . }}-blueprints persistentVolumeClaim: claimName: {{ include "common.release" . }}-cds-blueprints diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/kafkatopic.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkatopic.yaml new file mode 100644 index 0000000000..d1d21a6dbc --- /dev/null +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/kafkauser.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml index 153740c553..84ccfc5f5e 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright (c) 2019 IBM, Bell Canada +# Modification Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -30,13 +31,10 @@ spec: ports: - port: {{ .Values.service.http.externalPort }} targetPort: {{ .Values.service.http.internalPort }} - {{- if eq .Values.service.http.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.http.nodePort }} - {{- end}} - name: {{ .Values.service.http.portName | default "http" }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.http.portName | default "http" }} selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} --- apiVersion: v1 kind: Service @@ -56,8 +54,8 @@ spec: targetPort: {{ .Values.service.grpc.internalPort }} name: {{ .Values.service.grpc.portName | default "grpc" }} selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} --- apiVersion: v1 kind: Service @@ -75,10 +73,7 @@ spec: ports: - port: {{ .Values.service.cluster.externalPort }} targetPort: {{ .Values.service.cluster.internalPort }} - {{- if eq .Values.service.cluster.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.cluster.nodePort }} - {{- end}} name: {{ .Values.service.cluster.portName | default "cluster" }} selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/values.yaml b/kubernetes/cds/components/cds-blueprints-processor/values.yaml index cd12c5c8d1..d713d10fad 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/values.yaml 
+++ b/kubernetes/cds/components/cds-blueprints-processor/values.yaml @@ -1,6 +1,6 @@ # Copyright (c) 2019 IBM, Bell Canada # Copyright (c) 2020 Samsung Electronics -# Modification Copyright © 2022 Nordix Foundation +# Modification Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,20 +18,13 @@ # Global configuration defaults. ################################################################# global: - # Change to an unused port prefix range to prevent port conflicts - # with other instances running within the same k8s cluster - nodePortPrefixExt: 304 - # image pull policy pullPolicy: Always - persistence: mountPath: /dockerdata-nfs - # This configuration specifies Service and port for SDNC OAM interface sdncOamService: sdnc-oam sdncOamPort: 8282 - # This concerns CDS/AAI communication through HTTP when TLS is not being needed # Port value should match the one in aai/values.yml : service.externalPlainPort aaiData: @@ -39,9 +32,6 @@ global: ServiceName: aai # domain # http://aai:80 or https://aai:443 - #AAF is enabled by default - #aafEnabled: true - #enable importCustomCerts to add custom CA to blueprint processor pod #importCustomCertsEnabled: true @@ -65,13 +55,6 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.sdncDB.dbRootPassExternalSecret) . }}' password: '{{ .Values.config.sdncDB.dbRootPass }}' passwordPolicy: required - - uid: cds-kafka-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: password - value: '{{ .Values.config.someConfig }}' - policy: generate - uid: cps-creds type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.cps.cpsUserExternalSecret) . }}' 
@@ -79,31 +62,6 @@ secrets: password: '{{ .Values.config.cps.cpsPassword }}' passwordPolicy: required -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: cds-blueprints-processor-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: sdnc-cds - fqi: sdnc-cds@sdnc-cds.onap.org - public_fqdn: sdnc-cds.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.sdnc-cds - #enable below if we need custom CA to be added to blueprint processor pod - #importCustomCertsEnabled: true - #truststoreMountpath: /opt/onap/cds - #truststoreOutputFileName: truststoreONAPall.jks - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop - ################################################################# # Application configuration defaults. ################################################################# @@ -132,7 +90,6 @@ config: # dbCredsExternalSecret: # dbRootPassword: password # dbRootPassExternalSecret - someConfig: blah cps: cpsUsername: '' cpsPassword: '' 
@@ -145,46 +102,52 @@ nodeSelector: {} affinity: {} -# If useStrimziKafka is true, the following also applies: -# strimzi will create an associated kafka user and the topics defined for Request and Audit elements below. -# The connection type must be kafka-scram-plain-text-auth -# The bootstrapServers will target the strimzi kafka cluster by default -useStrimziKafka: false -cdsKafkaUser: cds-kafka-user +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: cds-bp-processor + type: group + operations: [Read] + - name: cds.blueprint-processor + type: topic + patternType: prefix + operations: [Read, Write] +# Strimzi KafkaTopic config +kafkaTopic: + - name: cds.blueprint-processor.self-service-api.request + - name: cds.blueprint-processor.self-service-api.response + - name: cds.blueprint-processor.self-service-api.audit.request + - name: cds.blueprint-processor.self-service-api.audit.response + + +containerHttpPort: &svc_http_port 8080 +containerGrpcPort: &svc_grpc_port 9111 +containerTcpPort: &svc_tcp_port 5701 -kafkaRequestConsumer: - enabled: false - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - groupId: cds-consumer - topic: cds.blueprint-processor.self-service-api.request - clientId: request-receiver-client-id - pollMillSec: 1000 -kafkaRequestProducer: - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - clientId: request-producer-client-id - topic: cds.blueprint-processor.self-service-api.response - enableIdempotence: false -kafkaAuditRequest: - enabled: false - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - clientId: audit-request-producer-client-id - topic: cds.blueprint-processor.self-service-api.audit.request - enableIdempotence: false -kafkaAuditResponse: - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - clientId: audit-response-producer-client-id - topic: cds.blueprint-processor.self-service-api.audit.response - enableIdempotence: false +service: + http: + type: ClusterIP + 
portName: http + internalPort: *svc_http_port + externalPort: *svc_http_port + grpc: + type: ClusterIP + portName: grpc + internalPort: *svc_grpc_port + externalPort: *svc_grpc_port + cluster: + type: ClusterIP + portName: tcp-cluster + internalPort: *svc_tcp_port + externalPort: *svc_tcp_port + port: *svc_http_port # probe configuration parameters startup: initialDelaySeconds: 10 failureThreshold: 30 periodSeconds: 10 + port: *svc_http_port liveness: initialDelaySeconds: 1 @@ -193,28 +156,13 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: false + port: *svc_http_port readiness: initialDelaySeconds: 120 periodSeconds: 10 timeoutSeconds: 20 - -service: - http: - type: ClusterIP - portName: http - internalPort: 8080 - externalPort: 8080 - grpc: - type: ClusterIP - portName: grpc - internalPort: 9111 - externalPort: 9111 - cluster: - type: ClusterIP - portName: tcp-cluster - internalPort: 5701 - externalPort: 5701 + port: *svc_http_port persistence: volumeReclaimPolicy: Retain @@ -227,9 +175,7 @@ persistence: cluster: # Cannot have cluster enabled if the replicaCount is not at least 3 enabled: false - clusterName: cds-cluster - # Defines the number of node to be part of the CP subsystem/raft algorithm. This value should be # between 3 and 7 only. groupSize: 3 @@ -271,6 +217,10 @@ resources: memory: 4Gi unlimited: {} +readinessCheck: + wait_for: + - cds-db + #Pods Service Account serviceAccount: nameOverride: cds-blueprints-processor diff --git a/kubernetes/cds/values.yaml b/kubernetes/cds/values.yaml index 58e6b65c6f..27d5e84b19 100644 --- a/kubernetes/cds/values.yaml +++ b/kubernetes/cds/values.yaml 
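Review bot: The topic ACL in `kafkaUser.acls` uses `patternType: prefix` with `name: cds.blueprint-processor` and `operations: [Read, Write]`, which is narrower than the removed `operation: All` entries but still matches any topic whose name merely starts with that string and grants both directions on all of them. Going by application.properties, the processor only consumes `cds.blueprint-processor.self-service-api.request` and only produces to the response and audit topics, so least privilege would be a longer prefix such as `cds.blueprint-processor.self-service-api.` (with the trailing dot) or separate entries with `Read` on the request topic and `Write` on the other three. Whether `common.kafkauser` accepts several topic entries is not visible in this diff.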
@@ -1,7 +1,7 @@ # Copyright © 2020 Samsung Electronics # Copyright © 2019 Orange, Bell Canada # Copyright © 2017 Amdocs, Bell Canada -# Modification Copyright © 2022 Nordix Foundation +# Modification Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,7 +23,6 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - cdsKafkaUser: cds-kafka-user ################################################################# # Secrets metaconfig @@ -42,7 +41,6 @@ secrets: # application images pullPolicy: Always - subChartsOnly: enabled: true @@ -214,7 +212,6 @@ cds-blueprints-processor: dbPort: 3306 dbName: *mysqlDbName dbCredsExternalSecret: *dbUserSecretName - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.kafkaUser }}' cds-command-executor: enabled: true @@ -228,11 +225,9 @@ cds-sdc-listener: cds-ui: enabled: true - #Resource Limit flavor -By Default using small flavor: small -#segregation for different envionment (Small and Large) - +#segregation for different environment (Small and Large) resources: small: limits: diff --git a/kubernetes/common/mariadb-galera/templates/pdb.yaml b/kubernetes/common/mariadb-galera/templates/pdb.yaml index 4697934879..1d9d4141ab 100644 --- a/kubernetes/common/mariadb-galera/templates/pdb.yaml +++ b/kubernetes/common/mariadb-galera/templates/pdb.yaml @@ -15,7 +15,7 @@ */}} {{- if .Values.podDisruptionBudget.create }} -apiVersion: policy/v1beta1 +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec:
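Review bot: In pdb.yaml the PodDisruptionBudget moves to `policy/v1`, which exists only from Kubernetes 1.21, so the template no longer installs on older clusters; if those are still supported, gate the version with `.Capabilities.APIVersions.Has "policy/v1"`. `policy/v1` also treats an empty `spec.selector` as matching every pod in the namespace, where `policy/v1beta1` matched none, so the selector rendered below this hunk should be checked to be non-empty. The change is unrelated to the Strimzi migration named in the subject and would be easier to track as its own commit.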