From: Sylvain Desbureaux Date: Tue, 18 Feb 2020 08:20:05 +0000 (+0000) Subject: Merge "Removed use of vfc-redis from etsicatalog component" X-Git-Tag: 6.0.0~382 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=a1f85b8cf2438c8096de910687a4621b94df3165;hp=43438220b7023918cacf2bcdbcbd41ae5c680226;p=oom.git Merge "Removed use of vfc-redis from etsicatalog component" --- diff --git a/INFO.yaml b/INFO.yaml index 33cae2aaf1..06cad4718e 100644 --- a/INFO.yaml +++ b/INFO.yaml @@ -78,10 +78,15 @@ committers: company: 'Orange' id: 'sdesbure' timezone: 'Paris/France' + - name: 'Krzysztof Opasiak' + email: 'k.opasiak@samsung.com' + company: 'Samsung' + id: 'kopasiak' + timezone: 'Poland/Warsaw' tsc: approval: 'https://lists.onap.org/pipermail/onap-tsc' changes: - type: 'Addition' name: 'Brian Freeman' name: 'Yang Xu' - link: 'TBD' \ No newline at end of file + link: 'TBD' diff --git a/docs/oom_developer_guide.rst b/docs/oom_developer_guide.rst index a2ccc1ba60..c3fb603d04 100644 --- a/docs/oom_developer_guide.rst +++ b/docs/oom_developer_guide.rst 
@@ -79,159 +79,123 @@ have been created following the guidelines provided. The top level of the ONAP charts is shown below: -.. graphviz:: +.. code-block:: bash + + common + ├── cassandra + │   ├── Chart.yaml + │   ├── requirements.yaml + │   ├── resources + │   │   ├── config + │   │   │   └── docker-entrypoint.sh + │   │   ├── exec.py + │   │   └── restore.sh + │   ├── templates + │   │   ├── backup + │   │   │   ├── configmap.yaml + │   │   │   ├── cronjob.yaml + │   │   │   ├── pv.yaml + │   │   │   └── pvc.yaml + │   │   ├── configmap.yaml + │   │   ├── pv.yaml + │   │   ├── service.yaml + │   │   └── statefulset.yaml + │   └── values.yaml + ├── common + │   ├── Chart.yaml + │   ├── templates + │   │   ├── _createPassword.tpl + │   │   ├── _ingress.tpl + │   │   ├── _labels.tpl + │   │   ├── _mariadb.tpl + │   │   ├── _name.tpl + │   │   ├── _namespace.tpl + │   │   ├── _repository.tpl + │   │   ├── _resources.tpl + │   │   ├── _secret.yaml + │   │   ├── _service.tpl + │   │   ├── _storage.tpl + │   │   └── _tplValue.tpl + │   └── values.yaml + ├── ... + └── postgres-legacy +    ├── Chart.yaml +   ├── requirements.yaml + ├── charts + └── configs - digraph onap_top_chart { - rankdir="LR"; - { - node [shape=folder] - oValues [label="values.yaml"] - oChart [label="Chart.yaml"] - dev [label="dev.yaml"] - prod [label="prod.yaml"] - crb [label="clusterrolebindings.yaml"] - secrets [label="secrets.yaml"] - } - { - node [style=dashed] - vCom [label="component"] - } +The common section of charts consists of a set of templates that assist with +parameter substitution (`_name.tpl`, `_namespace.tpl` and others) and a set of charts +for components used throughout ONAP. When the common components are used by other charts they +are instantiated each time or we can deploy a shared instances for several components. 
- onap -> oValues - onap -> oChart - onap -> templates - onap -> resources - oValues -> vCom - resources -> environments - environments -> dev - environments -> prod - templates -> crb - templates -> secrets - } +All of the ONAP components have charts that follow the pattern shown below: -Within the `values.yaml` file at the `onap` level, one will find a set of -boolean values that control which of the ONAP components get deployed as shown -below: +.. code-block:: bash + + name-of-my-component + ├── Chart.yaml + ├── requirements.yaml + ├── component + │   └── subcomponent-folder + ├── charts + │   └── subchart-folder + ├── resources + │   ├── folder1 + │   │   ├── file1 + │   │   └── file2 + │   └── folder1 + │   ├── file3 + │   └── folder3 + │      └── file4 + ├── templates + │   ├── NOTES.txt + │   ├── configmap.yaml + │   ├── deployment.yaml + │   ├── ingress.yaml + │   ├── job.yaml + │   ├── secrets.yaml + │   └── service.yaml + └── values.yaml + +Note that the component charts / components may include a hierarchy of sub +components and in themselves can be quite complex. + +You can use either `charts` or `components` folder for your subcomponents. +`charts` folder means that the subcomponent will always been deployed. + +`components` folders means we can choose if we want to deploy the sub component. + +This choice is done in root `values.yaml`: .. code-block:: yaml - aaf: # Application Authorization Framework - enabled: false - <...> - so: # Service Orchestrator - enabled: true - -By setting these flags a custom deployment can be created and used during -deployment by using the `-f` Helm option as follows:: - - > helm install local/onap -name development -f dev.yaml - -Note that there are one or more example deployment files in the -`onap/resources/environments/` directory. It is best practice to create a -unique deployment file for each environment used to ensure consistent -behaviour. 
- -To aid in the long term supportability of ONAP, a set of common charts have -been created (and will be expanded in subsequent releases of ONAP) that can be -used by any of the ONAP components by including the common component in its -`requirements.yaml` file. The common components are arranged as follows: - -.. graphviz:: - - digraph onap_common_chart { - rankdir="LR"; - { - node [shape=folder] - mValues [label="values.yaml"] - ccValues [label="values.yaml"] - comValues [label="values.yaml"] - comChart [label="Chart.yaml"] - ccChart [label="Chart.yaml"] - mChart [label="Chart.yaml"] - - mReq [label="requirements.yaml"] - mService [label="service.yaml"] - mMap [label="configmap.yaml"] - ccName [label="_name.tpl"] - ccNS [label="_namespace.tpl"] - } - { - cCom [label="common"] - mTemp [label="templates"] - ccTemp [label="templates"] - } - { - more [label="...",style=dashed] - } - - common -> comValues - common -> comChart - common -> cCom - common -> mysql - common -> more - - cCom -> ccChart - cCom -> ccValues - cCom -> ccTemp - ccTemp -> ccName - ccTemp -> ccNS - - mysql -> mValues - mysql -> mChart - mysql -> mReq - mysql -> mTemp - mTemp -> mService - mTemp -> mMap - } + --- + global: + key: value -The common section of charts consists of a set of templates that assist with -parameter substitution (`_name.tpl` and `_namespace.tpl`) and a set of charts -for components used throughout ONAP. Initially `mysql` is in the common area -but this will expand to include other databases like `mariadb-galera`, -`postgres`, and `cassandra`. Other candidates for common components include -`redis` and`kafka`. When the common components are used by other charts they -are instantiated each time. In subsequent ONAP releases some of the common -components could be a setup as services that are used by multiple ONAP -components thus minimizing the deployment and operational costs. - -All of the ONAP components have charts that follow the pattern shown below: - -.. 
graphviz:: - - digraph onap_component_chart { - rankdir="LR"; - { - node [shape=folder] - cValues [label="values.yaml"] - cChart [label="Chart.yaml"] - cService [label="service.yaml"] - cMap [label="configmap.yaml"] - cFiles [label="config file(s)"] - } - { - cCharts [label="charts"] - cTemp [label="templates"] - cRes [label="resources"] + component1: + enabled: true + component2: + enabled: true - } - { - sCom [label="component",style=dashed] - } +Then in `requirements.yaml`, you'll use these values: - component -> cValues - component -> cChart - component -> cCharts - component -> cTemp - component -> cRes - cTemp -> cService - cTemp -> cMap - cRes -> config - config -> cFiles - cCharts -> sCom - } +.. code-block:: yaml -Note that the component charts may include a hierarchy of components and in -themselves can be quite complex. + --- + dependencies: + - name: common + version: ~x.y-0 + repository: '@local' + - name: component1 + version: ~x.y-0 + repository: 'file://components/component1' + condition: component1.enabled + - name: component2 + version: ~x.y-0 + repository: 'file://components/component2' + condition: component2.enabled Configuration of the components varies somewhat from component to component but generally follows the pattern of one or more `configmap.yaml` files which can 
@@ -260,126 +224,134 @@ configuration as well as ONAP components configuration. One of the artifacts that OOM/Kubernetes uses to deploy ONAP components is the deployment specification, yet another yaml file. Within these deployment specs -are a number of parameters as shown in the following mariadb example: +are a number of parameters as shown in the following example: .. code-block:: yaml - apiVersion: extensions/v1beta1 - kind: Deployment + apiVersion: apps/v1 + kind: StatefulSet metadata: - name: mariadb + labels: + app.kubernetes.io/name: zookeeper + helm.sh/chart: zookeeper + app.kubernetes.io/component: server + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/instance: onap-oof + name: onap-oof-zookeeper + namespace: onap spec: - <...> + <...> + replicas: 3 + selector: + matchLabels: + app.kubernetes.io/name: zookeeper + app.kubernetes.io/component: server + app.kubernetes.io/instance: onap-oof + serviceName: onap-oof-zookeeper-headless template: - <...> + metadata: + labels: + app.kubernetes.io/name: zookeeper + helm.sh/chart: zookeeper + app.kubernetes.io/component: server + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/instance: onap-oof spec: - hostname: mariadb + <...> + affinity: containers: - - args: - image: nexus3.onap.org:10001/mariadb:10.1.11 - name: "mariadb" - env: - - name: MYSQL_ROOT_PASSWORD - value: password - - name: MARIADB_MAJOR - value: "10.1" + - name: zookeeper + <...> + image: gcr.io/google_samples/k8szk:v3 + imagePullPolicy: Always <...> - imagePullSecrets: - - name: onap-docker-registry-key - -Note that within the deployment specification, one of the container arguments -is the key/value pair image: nexus3.onap.org:10001/mariadb:10.1.11 which -specifies the version of the mariadb software to deploy. 
Although the -deployment specifications greatly simplify deployment, maintenance of the -deployment specifications themselves become problematic as software versions + ports: + - containerPort: 2181 + name: client + protocol: TCP + - containerPort: 3888 + name: election + protocol: TCP + - containerPort: 2888 + name: server + protocol: TCP + <...> + +Note that within the statefulset specification, one of the container arguments +is the key/value pair image: gcr.io/google_samples/k8szk:v3 which +specifies the version of the zookeeper software to deploy. Although the +statefulset specifications greatly simplify statefulset, maintenance of the +statefulset specifications themselves become problematic as software versions change over time or as different versions are required for different -deployments. For example, if the R&D team needs to deploy a newer version of +statefulsets. For example, if the R&D team needs to deploy a newer version of mariadb than what is currently used in the production environment, they would -need to clone the deployment specification and change this value. Fortunately, +need to clone the statefulset specification and change this value. Fortunately, this problem has been solved with the templating capabilities of Helm. -The following example shows how the deployment specifications are modified to +The following example shows how the statefulset specifications are modified to incorporate Helm templates such that key/value pairs can be defined outside of -the deployment specifications and passed during instantiation of the component. +the statefulset specifications and passed during instantiation of the component. .. code-block:: yaml - apiVersion: extensions/v1beta1 - kind: Deployment + apiVersion: apps/v1 + kind: StatefulSet metadata: - name: mariadb - namespace: "{{ .Values.nsPrefix }}-mso" + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . 
| nindent 4 }} spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: {{- include "common.matchLabels" . | nindent 6 }} + # serviceName is only needed for StatefulSet + # put the postfix part only if you have add a postfix on the service name + serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} <...> template: - <...> + metadata: + labels: {{- include "common.labels" . | nindent 8 }} + annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + name: {{ include "common.name" . }} spec: - hostname: mariadb - containers: - - args: - image: {{ .Values.image.mariadb }} - imagePullPolicy: {{ .Values.pullPolicy }} - name: "mariadb" - env: - - name: MYSQL_ROOT_PASSWORD - value: password - - name: MARIADB_MAJOR - value: "10.1" <...> - imagePullSecrets: - - name: "{{ .Values.nsPrefix }}-docker-registry-key"apiVersion: extensions/v1beta1 - kind: Deployment - metadata: - name: mariadb - namespace: "{{ .Values.nsPrefix }}-mso" - spec: - <...> - template: - <...> - spec: - hostname: mariadb containers: - - args: - image: {{ .Values.image.mariadb }} - imagePullPolicy: {{ .Values.pullPolicy }} - name: "mariadb" - env: - - name: MYSQL_ROOT_PASSWORD - value: password - - name: MARIADB_MAJOR - value: "10.1" - <...> - imagePullSecrets: - - name: "{{ .Values.nsPrefix }}-docker-registry-key" - -This version of the deployment specification has gone through the process of -templating values that are likely to change between deployments. Note that the -image is now specified as: image: {{ .Values.image.mariadb }} instead of a -string used previously. During the deployment phase, Helm (actually the Helm + - name: {{ include "common.name" . 
}} + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + {{- range $index, $port := .Values.service.ports }} + - containerPort: {{ $port.port }} + name: {{ $port.name }} + {{- end }} + {{- range $index, $port := .Values.service.headlessPorts }} + - containerPort: {{ $port.port }} + name: {{ $port.name }} + {{- end }} + <...> + +This version of the statefulset specification has gone through the process of +templating values that are likely to change between statefulsets. Note that the +image is now specified as: image: {{ .Values.image }} instead of a +string used previously. During the statefulset phase, Helm (actually the Helm sub-component Tiller) substitutes the {{ .. }} entries with a variable defined in a values.yaml file. The content of this file is as follows: .. code-block:: yaml - nsPrefix: onap - pullPolicy: IfNotPresent - image: - readiness: oomk8s/readiness-check:2.0.0 - mso: nexus3.onap.org:10001/openecomp/mso:1.0-STAGING-latest - mariadb: nexus3.onap.org:10001/mariadb:10.1.11 + <...> + image: gcr.io/google_samples/k8szk:v3 + replicaCount: 3 + <...> + -Within the values.yaml file there is an image section with the key/value pair -mariadb: nexus3.onap.org:10001/mariadb:10.1.11 which is the same value used in +Within the values.yaml file there is an image key with the value +`gcr.io/google_samples/k8szk:v3` which is the same value used in the non-templated version. Once all of the substitutions are complete, the -resulting deployment specification ready to be used by Kubernetes. - -Also note that in this example, the namespace key/value pair is specified in -the values.yaml file. This key/value pair will be global across the entire -ONAP deployment and is therefore a prime example of where configuration -hierarchy can be very useful. +resulting statefulset specification ready to be used by Kubernetes. -When creating a deployment template consider the use of default values if -appropriate. 
Helm templating has built in support for DEFAULT values, here is +When creating a template consider the use of default values if appropriate. +Helm templating has built in support for DEFAULT values, here is an example: .. code-block:: yaml 
@@ -394,6 +366,227 @@ Helm template language is a superset of the Go template language). These functions include simple string operations like upper and more complex flow control operations like if/else. +OOM is mainly helm templating. In order to have consistent deployment of the +different components of ONAP, some rules must be followed. + +Templates are provided in order to create Kubernetes resources (Secrets, +Ingress, Services, ...) or part of Kubernetes resources (names, labels, +resources requests and limits, ...). + +Service template +---------------- + +In order to create a Service for a component, you have to create a file (with +`service` in the name. +For normal service, just put the following line: + +.. code-block:: yaml + + {{ include "common.service" . }} + +For headless service, the line to put is the following: + +.. code-block:: yaml + + {{ include "common.headlessService" . }} + +The configuration of the service is done in component `values.yaml`: + +.. code-block:: yaml + + service: + name: NAME-OF-THE-SERVICE + postfix: MY-POSTFIX + type: NodePort + annotations: + someAnnotationsKey: value + ports: + - name: tcp-MyPort + port: 5432 + nodePort: 88 + - name: http-api + port: 8080 + nodePort: 89 + - name: https-api + port: 9443 + nodePort: 90 + +`annotations` and `postfix` keys are optional. +if `service.type` is `NodePort`, then you have to give `nodePort` value for your +service ports (which is the end of the computed nodePort, see example). + +It would render the following Service Resource (for a component named +`name-of-my-component`, with version `x.y.z`, helm deployment name +`my-deployment` and `global.nodePortPrefix` `302`): + +.. 
code-block:: yaml + + apiVersion: v1 + kind: Service + metadata: + annotations: + someAnnotationsKey: value + name: NAME-OF-THE-SERVICE-MY-POSTFIX + labels: + app.kubernetes.io/name: name-of-my-component + helm.sh/chart: name-of-my-component-x.y.z + app.kubernetes.io/instance: my-deployment-name-of-my-component + app.kubernetes.io/managed-by: Tiller + spec: + ports: + - port: 5432 + targetPort: tcp-MyPort + nodePort: 30288 + - port: 8080 + targetPort: http-api + nodePort: 30289 + - port: 9443 + targetPort: https-api + nodePort: 30290 + selector: + app.kubernetes.io/name: name-of-my-component + app.kubernetes.io/instance: my-deployment-name-of-my-component + type: NodePort + +In the deployment or statefulSet file, you needs to set the good labels in order +for the service to match the pods. + +here's an example to be sure it matchs (for a statefulSet): + +.. code-block:: yaml + + apiVersion: apps/v1 + kind: StatefulSet + metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + spec: + selector: + matchLabels: {{- include "common.matchLabels" . | nindent 6 }} + # serviceName is only needed for StatefulSet + # put the postfix part only if you have add a postfix on the service name + serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} + <...> + template: + metadata: + labels: {{- include "common.labels" . | nindent 8 }} + annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + name: {{ include "common.name" . }} + spec: + <...> + containers: + - name: {{ include "common.name" . 
}} + ports: + {{- range $index, $port := .Values.service.ports }} + - containerPort: {{ $port.port }} + name: {{ $port.name }} + {{- end }} + {{- range $index, $port := .Values.service.headlessPorts }} + - containerPort: {{ $port.port }} + name: {{ $port.name }} + {{- end }} + <...> + +The configuration of the service is done in component `values.yaml`: + +.. code-block:: yaml + + service: + name: NAME-OF-THE-SERVICE + headless: + postfix: NONE + annotations: + anotherAnnotationsKey : value + publishNotReadyAddresses: true + headlessPorts: + - name: tcp-MyPort + port: 5432 + - name: http-api + port: 8080 + - name: https-api + port: 9443 + +`headless.annotations`, `headless.postfix` and +`headless.publishNotReadyAddresses` keys are optional. + +If `headless.postfix` is not set, then we'll add `-headless` at the end of the +service name. + +If it set to `NONE`, there will be not postfix. + +And if set to something, it will add `-something` at the end of the service +name. + +It would render the following Service Resource (for a component named +`name-of-my-component`, with version `x.y.z`, helm deployment name +`my-deployment` and `global.nodePortPrefix` `302`): + +.. 
code-block:: yaml + + apiVersion: v1 + kind: Service + metadata: + annotations: + anotherAnnotationsKey: value + name: NAME-OF-THE-SERVICE + labels: + app.kubernetes.io/name: name-of-my-component + helm.sh/chart: name-of-my-component-x.y.z + app.kubernetes.io/instance: my-deployment-name-of-my-component + app.kubernetes.io/managed-by: Tiller + spec: + clusterIP: None + ports: + - port: 5432 + targetPort: tcp-MyPort + nodePort: 30288 + - port: 8080 + targetPort: http-api + nodePort: 30289 + - port: 9443 + targetPort: https-api + nodePort: 30290 + publishNotReadyAddresses: true + selector: + app.kubernetes.io/name: name-of-my-component + app.kubernetes.io/instance: my-deployment-name-of-my-component + type: ClusterIP + +Previous example of StatefulSet would also match (except for the `postfix` part +obviously). + +Creating Deployment or StatefulSet +---------------------------------- + +Deployment and StatefulSet should use the `apps/v1` (which has appeared in +v1.9). +As seen on the service part, the following parts are mandatory: + +.. code-block:: yaml + + apiVersion: apps/v1 + kind: StatefulSet + metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + spec: + selector: + matchLabels: {{- include "common.matchLabels" . | nindent 6 }} + # serviceName is only needed for StatefulSet + # put the postfix part only if you have add a postfix on the service name + serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} + <...> + template: + metadata: + labels: {{- include "common.labels" . | nindent 8 }} + annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + name: {{ include "common.name" . }} + spec: + <...> + containers: + - name: {{ include "common.name" . }} ONAP Application Configuration ------------------------------ 
@@ -423,18 +616,16 @@ SO deployment specification excerpt: .. code-block:: yaml - apiVersion: extensions/v1beta1 + apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "common.name" . }} + name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} + selector: + matchLabels: {{- include "common.matchLabels" . | nindent 6 }} template: metadata: labels: diff --git a/kubernetes/aaf/charts/aaf-cm/values.yaml b/kubernetes/aaf/charts/aaf-cm/values.yaml index 2bd05d81ed..4078fb3c22 100644 --- a/kubernetes/aaf/charts/aaf-cm/values.yaml +++ b/kubernetes/aaf/charts/aaf-cm/values.yaml @@ -63,7 +63,7 @@ ingress: resources: small: limits: - cpu: 20m + cpu: 400m memory: 300Mi requests: cpu: 1m diff --git a/kubernetes/aaf/charts/aaf-locate/values.yaml b/kubernetes/aaf/charts/aaf-locate/values.yaml index ce59d2dec9..74638d17a8 100644 --- a/kubernetes/aaf/charts/aaf-locate/values.yaml +++ b/kubernetes/aaf/charts/aaf-locate/values.yaml @@ -63,7 +63,7 @@ ingress: resources: small: limits: - cpu: 40m + cpu: 100m memory: 320Mi requests: cpu: 1m diff --git a/kubernetes/aaf/charts/aaf-sms/values.yaml b/kubernetes/aaf/charts/aaf-sms/values.yaml index 2de7466209..41bde75677 100644 --- a/kubernetes/aaf/charts/aaf-sms/values.yaml +++ b/kubernetes/aaf/charts/aaf-sms/values.yaml @@ -89,9 +89,9 @@ resources: small: limits: cpu: 100m - memory: 15Mi + memory: 30Mi requests: - cpu: 10m + cpu: 25m memory: 10Mi large: limits: diff --git a/kubernetes/aai b/kubernetes/aai index 1c9c9bba65..764cd85147 160000 --- a/kubernetes/aai +++ b/kubernetes/aai @@ -1 +1 @@ -Subproject commit 1c9c9bba658057f6147276fba4f84e7db9117e70 +Subproject commit 764cd8514707c1630dbfa6792b8d15953d5b9a59 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh index 14689d5b11..6aad5912f4 100755 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh +++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh @@ -54,7 +54,7 @@ ODL_HOME=${ODL_HOME:-/opt/opendaylight/current} SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk} APPC_HOME=${APPC_HOME:-/opt/onap/appc} SLEEP_TIME=${SLEEP_TIME:-120} -MYSQL_PASSWD=${MYSQL_ROOT_PASSWORDD} +MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD} ENABLE_ODL_CLUSTER=${ENABLE_ODL_CLUSTER:-false} ENABLE_AAF=${ENABLE_AAF:-true} DBINIT_DIR=${DBINIT_DIR:-/opt/opendaylight/current/daexim} diff --git a/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties b/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties index b102b7c365..31ddc59983 100755 --- a/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties +++ b/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties @@ -82,7 +82,9 @@ blueprintsprocessor.grpcclient.remote-python.type=token-auth blueprintsprocessor.grpcclient.remote-python.host=cds-command-executor blueprintsprocessor.grpcclient.remote-python.port=50051 blueprintsprocessor.grpcclient.remote-python.token=Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== - +blueprintsprocessor.grpcclient.py-executor.host=py-executor-default:50052 +blueprintsprocessor.grpcclient.py-executor.trustCertCollection=/opt/app/onap/config/certs/py-executor/py-executor-chain.pem +blueprintsprocessor.grpcclient.py-executor.type=tls-auth # Config Data REST client settings blueprintsprocessor.restclient.sdnc.type=basic-auth blueprintsprocessor.restclient.sdnc.url=http://sdnc:8282 
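Review bot: `MYSQL_PASSWD` still becomes an empty string when `MYSQL_ROOT_PASSWORD` is not injected, which is how the misspelled name went unnoticed; unlike the assignments around it, it has neither a default nor a check. Judging by its name this is a database root credential, so failing fast is safer than continuing with an empty password: `MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD:?MYSQL_ROOT_PASSWORD is not set}`. The rest of the script is outside the hunk, so check there how `MYSQL_PASSWD` is consumed and whether it is passed on a command line.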
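Review bot: The new `py-executor` client points `trustCertCollection` at `/opt/app/onap/config/certs/py-executor/py-executor-chain.pem`, but nothing in this hunk shows the chart mounting that file into the pod. If it is missing, the `tls-auth` client presumably cannot be set up, so the matching volume or secret should land in the same change. The endpoint is written as `host=py-executor-default:50052`, whereas the `remote-python` client just above uses separate `host` and `port` keys; a comment such as `# py-executor: host carries host:port, server verified against the chain below` would show the difference is deliberate. The context line `remote-python.token=Basic …` keeps a static credential in the chart and is worth moving to a Secret when this block is next touched.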
@@ -110,6 +112,12 @@ blueprintsprocessor.messageconsumer.self-service-api.pollMillSec=1000 # Self Service Response Kafka Message Producer blueprintsprocessor.messageproducer.self-service-api.bootstrapServers=message-router-kafka:9092 +# Executor Options +blueprintsprocessor.resourceResolution.enabled=true +blueprintsprocessor.netconfExecutor.enabled=true +blueprintsprocessor.restConfExecutor.enabled=true +blueprintsprocessor.cliExecutor.enabled=true +blueprintsprocessor.remoteScriptCommand.enabled=true # Used in Health Check blueprintsprocessor.messageproducer.self-service-api.type=kafka-basic-auth diff --git a/kubernetes/common/cassandra/templates/backup/cronjob.yaml b/kubernetes/common/cassandra/templates/backup/cronjob.yaml index 2edc8071f9..e4f2aabfa0 100644 --- a/kubernetes/common/cassandra/templates/backup/cronjob.yaml +++ b/kubernetes/common/cassandra/templates/backup/cronjob.yaml @@ -19,11 +19,7 @@ kind: CronJob metadata: name: {{ include "common.fullname" . }}-backup namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: schedule: {{ .Values.backup.cron | quote }} concurrencyPolicy: Forbid @@ -31,6 +27,10 @@ spec: jobTemplate: spec: template: + metadata: + labels: {{- include "common.labels" . | nindent 12 }} + annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" .) | nindent 12 }} + name: {{ include "common.name" . }} spec: restartPolicy: Never initContainers: diff --git a/kubernetes/common/cassandra/templates/pv.yaml b/kubernetes/common/cassandra/templates/pv.yaml index fd0a758e63..76a224ab5f 100644 --- a/kubernetes/common/cassandra/templates/pv.yaml +++ b/kubernetes/common/cassandra/templates/pv.yaml 
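Review bot: All five executor switches are hard-coded to `true`, including `cliExecutor` and `remoteScriptCommand`, so every deployment of this chart gets executors that, judging by their names, run commands and scripts, whether or not its blueprints use them. Because this file is a chart resource, the flags would be better driven from the chart's values so operators can switch off what they do not need; whether the file is rendered through the template engine is not visible here. At minimum, extend the comment to state the intent, e.g. `# Executor Options: disable any executor this environment does not use`. A blank line before `# Executor Options` would also keep the block apart from the Kafka producer setting above it.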
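Review bot: In the second cronjob.yaml hunk the backup pod template now carries the full `common.labels` set, which contains the same `app.kubernetes.io/name` and `app.kubernetes.io/instance` pair that `common.matchLabels` selects on (see `_labels.tpl` in this commit). If the cassandra headless Service selects on `common.matchLabels`, as the rendered example in the developer guide suggests, running backup pods would be listed as Service endpoints next to the database pods, and with `publishNotReadyAddresses: true` even before they are ready. Give the backup pods a distinguishing label, for example `app.kubernetes.io/name: {{ include "common.name" . }}-backup`, instead of reusing `common.labels` unchanged. Separately, `annotations:` is rendered unconditionally here and passes `"context" .`, while `common.templateMetadata` guards it with `if .Values.podAnnotations` and passes `$`; using the helper's form keeps the two in step.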
@@ -12,35 +12,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $global := . }} -{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) -}} -{{- range $i := until (int $global.Values.replicaCount)}} ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: {{ include "common.release" $global }}-{{ $global.Values.service.name }}-{{ $i }} - namespace: {{ $global.Release.Namespace }} - labels: - type: {{ $global.Values.persistence.storageType }} - app: {{ $global.Values.service.name }} - chart: {{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }} - release: {{ include "common.release" $global }} - heritage: {{ $global.Release.Service }} -spec: - capacity: - storage: {{ $global.Values.persistence.size }} - accessModes: - {{- if $global.Values.backup.enabled }} - - ReadWriteMany - {{- else }} - - ReadWriteOnce - {{- end }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data" - hostPath: - path: {{ $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{ $i }} -{{- end -}} -{{- end -}} -{{- end -}} +{{ include "common.replicaPV" . }} diff --git a/kubernetes/common/cassandra/templates/service.yaml b/kubernetes/common/cassandra/templates/service.yaml index 6cbddbea40..0b91076f82 100644 --- a/kubernetes/common/cassandra/templates/service.yaml +++ b/kubernetes/common/cassandra/templates/service.yaml 
@@ -12,38 +12,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -spec: - type: {{ .Values.service.type }} - publishNotReadyAddresses: true - ports: - {{if eq .Values.service.type "NodePort" -}} - {{- $global := . }} - {{- range $index, $ports := .Values.service.ports }} - - port: {{ $ports.port }} - targetPort: {{ $ports.port }} - nodePort: {{ $global.Values.global.nodePortPrefix | default $global.Values.nodePortPrefix }}{{ $ports.nodePort }} - name: {{ $ports.name }} - {{- end }} -{{- else -}} - {{- range $index, $ports := .Values.service.ports }} - - port: {{ $ports.port }} - targetPort: {{ $ports.port }} - name: {{ $ports.name }} - {{- end }} -{{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - clusterIP: None +{{ include "common.headlessService" . }} diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml index b737a8f960..16aa27f68a 100644 --- a/kubernetes/common/cassandra/templates/statefulset.yaml +++ b/kubernetes/common/cassandra/templates/statefulset.yaml 
@@ -12,42 +12,25 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: apps/v1beta1 +apiVersion: apps/v1 kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.selectors" . | nindent 4 }} serviceName: {{ include "common.servicename" . }} replicas: {{ .Values.replicaCount }} podManagementPolicy: {{ .Values.podManagementPolicy }} updateStrategy: type: {{ .Values.updateStrategy.type }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: hostNetwork: {{ .Values.hostNetwork }} containers: - name: {{ include "common.name" . }} image: {{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - {{- range $index, $ports := .Values.service.ports }} - - containerPort: {{ $ports.port }} - {{- end }} + ports: {{ include "common.containerPorts" . | nindent 8 }} volumeMounts: - name: {{ include "common.fullname" . }}-data mountPath: /var/lib/cassandra diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml index c3af7e59b2..dfa0a3e250 100644 --- a/kubernetes/common/cassandra/values.yaml +++ b/kubernetes/common/cassandra/values.yaml 
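Review bot: `spec.selector` moves from the old `app`/`release` pair to the `app.kubernetes.io/name`/`app.kubernetes.io/instance` pair produced by `common.selectors`, and a StatefulSet's selector cannot be changed in place. An upgrade of an existing release will therefore be rejected until the old StatefulSet is deleted and recreated, and the commit should say so in its upgrade notes. As a style point, `ports: {{ include "common.containerPorts" . | nindent 8 }}` is the only include in this hunk without the `{{-` trim and leaves trailing whitespace after `ports:`; `ports: {{- include "common.containerPorts" . | nindent 8 }}` matches the other lines. The template body continues past the end of the hunk.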
@@ -75,22 +75,27 @@ readiness: failureThreshold: 3 service: - type: ClusterIP name: cassandra - ports: - - name: intra + headless: + suffix: "" + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + publishNotReadyAddresses: true + headlessPorts: + - name: tcp-intra port: 7000 - name: tls port: 7001 - - name: jmx + - name: tcp-jmx port: 7199 - - name: cql + - name: tcp-cql port: 9042 - - name: thrift + - name: tcp-thrift port: 9160 - - name: agent + - name: tcp-agent port: 61621 +podAnnotations: {} podManagementPolicy: OrderedReady updateStrategy: type: RollingUpdate @@ -116,7 +121,7 @@ persistence: ## ## storageClass: "-" ## Not set as it depends of the backup enabledment or not. - #accessMode: ReadWriteOnce + accessMode: ReadWriteOnce size: 2Gi mountPath: /dockerdata-nfs mountSubPath: cassandra diff --git a/kubernetes/common/common/templates/_labels.tpl b/kubernetes/common/common/templates/_labels.tpl new file mode 100644 index 0000000000..95d51e17b7 --- /dev/null +++ b/kubernetes/common/common/templates/_labels.tpl 
@@ -0,0 +1,62 @@
+{{/*
+# Copyright © 2019 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+
+
+{{/*
+Common labels
+*/}}
+{{- define "common.labels" -}}
+app.kubernetes.io/name: {{ include "common.name" . }}
+helm.sh/chart: {{ include "common.chart" . }}
+app.kubernetes.io/instance: {{ include "common.release" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
+*/}}
+{{- define "common.matchLabels" -}}
+app.kubernetes.io/name: {{ include "common.name" . }}
+app.kubernetes.io/instance: {{ include "common.release" . }}
+{{- end -}}
+
+{{/*
+ Generate "top" metadata for Deployment / StatefulSet / ...
+*/}}
+{{- define "common.resourceMetadata" -}}
+name: {{ include "common.fullname" . }}
+namespace: {{ include "common.namespace" . }}
+labels: {{- include "common.labels" . | nindent 2 }}
+{{- end -}}
+
+{{/*
+ Generate selectors for Deployment / StatefulSet / ...
+*/}}
+{{- define "common.selectors" -}}
+matchLabels: {{- include "common.matchLabels" . | nindent 2 }}
+{{- end -}}
+
+{{/*
+ Generate "template" metadata for Deployment / StatefulSet / ...
+*/}}
+{{- define "common.templateMetadata" -}}
+{{- if .Values.podAnnotations }}
+annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 2 }}
+{{- end }}
+labels: {{- include "common.labels" . | nindent 2 }}
+name: {{ include "common.name" . }}
+{{- end -}}
diff --git a/kubernetes/common/common/templates/_name.tpl b/kubernetes/common/common/templates/_name.tpl
index 7719cdbb9f..943078ff2f 100644
--- a/kubernetes/common/common/templates/_name.tpl
+++ b/kubernetes/common/common/templates/_name.tpl
@@ -49,3 +49,7 @@
 {{- define "common.release" -}}
 {{- first (regexSplit "-" .Release.Name -1) }}
 {{- end -}}
+
+{{- define "common.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl
new file mode 100644
index 0000000000..9329572a92
--- /dev/null
+++ b/kubernetes/common/common/templates/_pod.tpl
@@ -0,0 +1,38 @@
+{{/*
+# Copyright © 2019 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{/*
+ Generate the container port list.
+ Will use first ".Values.service.ports" list.
+ Will append ports from ".Values.service.headlessPorts" only if port number is
+ not already in port list.
+*/}}
+{{- define "common.containerPorts" -}}
+{{- $ports := default (list) .Values.service.ports }}
+{{- $portsNumber := list }}
+{{- range $index, $port := $ports }}
+{{- $portsNumber = append $portsNumber $port.port }}
+{{- end }}
+{{- range $index, $port := .Values.service.headlessPorts }}
+{{- if not (has $port.port $portsNumber) }}
+{{- $ports = append $ports $port }}
+{{- end }}
+{{- end }}
+{{- range $index, $port := $ports }}
+- containerPort: {{ $port.port }}
+ name: {{ $port.name }}
+{{- end }}
+{{- end -}}
diff --git a/kubernetes/common/common/templates/_postgres.tpl b/kubernetes/common/common/templates/_postgres.tpl
new file mode 100644
index 0000000000..45d903e574
--- /dev/null
+++ b/kubernetes/common/common/templates/_postgres.tpl
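Review bot: The de-duplication in `common.containerPorts` compares port numbers only (`has $port.port $portsNumber`), so when one number appears in both `.Values.service.ports` and `.Values.service.headlessPorts` under different names, the headless entry is dropped and only the first name reaches the container spec. `common.servicePorts`, added to _service.tpl in this same commit, renders `targetPort: {{ $port.name }}`, so the headless Service would then target a port name that no container declares. I would state the constraint in the header comment, for example `Ports that share a number must use the same name in both lists, because Services target container ports by name.`, or stop rendering with `fail` when the names differ.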
@@ -0,0 +1,65 @@ +{{/* +# Copyright © 2019 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{/* + UID of postgres root password +*/}} +{{- define "common.postgres.secret.rootPassUID" -}} + {{- printf "db-root-password" }} +{{- end -}} + +{{/* + Name of postgres secret +*/}} +{{- define "common.postgres.secret._secretName" -}} + {{- $global := .dot }} + {{- $chartName := tpl .chartName $global -}} + {{- include "common.secret.genName" (dict "global" $global "uid" (include .uidTemplate $global) "chartName" $chartName) }} +{{- end -}} + +{{/* + Name of postgres root password secret +*/}} +{{- define "common.postgres.secret.rootPassSecretName" -}} + {{- include "common.postgres.secret._secretName" (set . "uidTemplate" "common.postgres.secret.rootPassUID") }} +{{- end -}} + +{{/* + UID of postgres user credentials +*/}} +{{- define "common.postgres.secret.userCredentialsUID" -}} + {{- printf "db-user-credentials" }} +{{- end -}} + +{{/* + Name of postgres user credentials secret +*/}} +{{- define "common.postgres.secret.userCredentialsSecretName" -}} + {{- include "common.postgres.secret._secretName" (set . 
"uidTemplate" "common.postgres.secret.userCredentialsUID") }} +{{- end -}} + +{{/* + UID of postgres primary password +*/}} +{{- define "common.postgres.secret.primaryPasswordUID" -}} + {{- printf "primary-password" }} +{{- end -}} + +{{/* + Name of postgres user credentials secret +*/}} +{{- define "common.postgres.secret.primaryPasswordSecretName" -}} + {{- include "common.postgres.secret._secretName" (set . "uidTemplate" "common.postgres.secret.primaryPasswordUID") }} +{{- end -}} diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index 77b77d059a..075f7965b9 100644 --- a/kubernetes/common/common/templates/_service.tpl +++ b/kubernetes/common/common/templates/_service.tpl @@ -20,7 +20,7 @@ The default will be the chart name (or .Values.nameOverride if set). And the use of .Values.service.name overrides all. - - .Values.service.name : override default service (ie. chart) name + - .Values.service.name: override default service (ie. chart) name */}} {{/* Expand the service name for a chart. 
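Review bot: The comment above `common.postgres.secret.primaryPasswordSecretName` still reads "Name of postgres user credentials secret", copied from the previous helper; it should read `Name of postgres primary password secret`. The three `...SecretName` helpers also call `set . "uidTemplate" ...`, which writes into the dictionary the caller passed in rather than a copy, and none of the comments name the expected arguments. I would document on `common.postgres.secret._secretName` that the caller passes a dict with `dot` (the chart context) and `chartName` (a string rendered through `tpl`), and that `uidTemplate` is added to that dict as a side effect.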
@@ -28,4 +28,107 @@ {{- define "common.servicename" -}} {{- $name := default .Chart.Name .Values.nameOverride -}} {{- default $name .Values.service.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} \ No newline at end of file +{{- end -}} + +{{/* Define the metadata of Service + The function takes from one to three arguments (inside a dictionary): + - .dot : environment (.) + - .suffix : a string which will be added at the end of the name (with a '-'). + - .annotations: the annotations to add + Usage example: + {{ include "common.serviceMetadata" ( dict "suffix" "myService" "dot" .) }} + {{ include "common.serviceMetadata" ( dict "annotations" .Values.service.annotation "dot" .) }} +*/}} +{{- define "common.serviceMetadata" -}} + {{- $dot := default . .dot -}} + {{- $suffix := default "" .suffix -}} + {{- $annotations := default "" .annotations -}} +{{- if $annotations -}} +annotations: {{- include "common.tplValue" (dict "value" $annotations "context" $dot) | nindent 2 }} +{{- end }} +name: {{ include "common.servicename" $dot }}{{ if $suffix }}{{ print "-" $suffix }}{{ end }} +namespace: {{ include "common.namespace" $dot }} +labels: {{- include "common.labels" $dot | nindent 2 -}} +{{- end -}} + +{{/* Define the ports of Service + The function takes three arguments (inside a dictionary): + - .dot : environment (.) + - .ports : an array of ports + - .portType: the type of the service +*/}} +{{- define "common.servicePorts" -}} +{{- $portType := .portType -}} +{{- $dot := .dot -}} +{{- range $index, $port := .ports }} +- port: {{ $port.port }} + targetPort: {{ $port.name }} + {{- if (eq $portType "NodePort") }} + nodePort: {{ $dot.Values.global.nodePortPrefix | default $dot.Values.nodePortPrefix }}{{ $port.nodePort }} + {{- end }} + name: {{ $port.name }} +{{- end -}} +{{- end -}} + +{{/* Create generic service template + The function takes several arguments (inside a dictionary): + - .dot : environment (.) 
+ - .ports : an array of ports + - .portType: the type of the service + - .suffix : a string which will be added at the end of the name (with a '-') + - .annotations: the annotations to add + - .publishNotReadyAddresses: if we publish not ready address + - .headless: if the service is headless +*/}} +{{- define "common.genericService" -}} +{{- $dot := default . .dot -}} +{{- $suffix := default "" .suffix -}} +{{- $annotations := default "" .annotations -}} +{{- $publishNotReadyAddresses := default false .publishNotReadyAddresses -}} +{{- $portType := .portType -}} +{{- $ports := .ports -}} +{{- $headless := default false .headless -}} +apiVersion: v1 +kind: Service +metadata: {{ include "common.serviceMetadata" (dict "suffix" $suffix "annotations" $annotations "dot" $dot ) | nindent 2 }} +spec: + {{- if $headless }} + clusterIP: None + {{- end }} + ports: {{- include "common.servicePorts" (dict "portType" $portType "ports" $ports "dot" $dot) | nindent 4 }} + {{- if $publishNotReadyAddresses }} + publishNotReadyAddresses: true + {{- end }} + type: {{ $portType }} + selector: {{- include "common.matchLabels" $dot | nindent 4 }} +{{- end -}} + +{{/* Create service template */}} +{{- define "common.service" -}} +{{- $suffix := default "" .Values.service.suffix -}} +{{- $annotations := default "" .Values.service.annotations -}} +{{- $publishNotReadyAddresses := default false .Values.service.publishNotReadyAddresses -}} +{{- $portType := .Values.service.type -}} +{{- $ports := .Values.service.ports -}} +{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "dot" . "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "portType" $portType) }} +{{- end -}} + +{{/* Create headless service template */}} +{{- define "common.headlessService" -}} +{{- $suffix := include "common._makeHeadlessSuffix" . 
-}} +{{- $annotations := default "" .Values.service.headless.annotations -}} +{{- $publishNotReadyAddresses := default false .Values.service.headless.publishNotReadyAddresses -}} +{{- $ports := .Values.service.headlessPorts -}} +{{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "dot" . "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "portType" "ClusterIP" "headless" true ) }} +{{- end -}} + +{{/* + Generate the right suffix for headless service +*/}} +{{- define "common._makeHeadlessSuffix" -}} +{{- if hasKey .Values.service.headless "suffix" }} +{{- .Values.service.headless.suffix }} +{{- else }} +{{- print "headless" }} +{{- end }} +{{- end -}} diff --git a/kubernetes/common/common/templates/_storageClass.tpl b/kubernetes/common/common/templates/_storage.tpl similarity index 63% rename from kubernetes/common/common/templates/_storageClass.tpl rename to kubernetes/common/common/templates/_storage.tpl index 8fd1f9772b..ae9335909d 100644 --- a/kubernetes/common/common/templates/_storageClass.tpl +++ b/kubernetes/common/common/templates/_storage.tpl 
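Review bot: `common.headlessService` and `common._makeHeadlessSuffix` read `.Values.service.headless.annotations`, `.Values.service.headless.publishNotReadyAddresses` and `hasKey .Values.service.headless "suffix"` without first checking that `service.headless` exists. A chart that includes `common.headlessService` but defines no `service.headless` block will most likely fail to render instead of falling back to the `headless` suffix that the `else` branch intends. Binding the map once with `{{- $headless := default (dict) .Values.service.headless -}}` in both templates, then reading `$headless.annotations`, `$headless.publishNotReadyAddresses` and `hasKey $headless "suffix"`, keeps the fallback reachable. Separately, the usage example in the `common.serviceMetadata` comment passes `.Values.service.annotation` while `common.service` reads `.Values.service.annotations`; the example should use the plural key.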
@@ -49,9 +49,36 @@ Calculate if we need a PV. If a storageClass is provided, then we don't need. */}} {{- define "common.needPV" -}} -{{- if or (or .Values.persistence.storageClassOverride .Values.persistence.storageClass) .Values.global.persistence.storageClass -}} - False -{{- else -}} +{{- if not (or (or .Values.persistence.storageClassOverride .Values.persistence.storageClass) .Values.global.persistence.storageClass) -}} True {{- end -}} {{- end -}} + +{{/* + Generate N PV for a statefulset +*/}} +{{- define "common.replicaPV" -}} +{{- $global := . }} +{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) }} +{{- if (include "common.needPV" .) -}} +{{- range $i := until (int $global.Values.replicaCount)}} +--- +kind: PersistentVolume +apiVersion: v1 +metadata: + name: {{ include "common.fullname" $global }}-data-{{$i}} + namespace: {{ include "common.namespace" $global }} + labels: {{- include "common.labels" $global | nindent 4 }} +spec: + capacity: + storage: {{ $global.Values.persistence.size}} + accessModes: + - {{ $global.Values.persistence.accessMode }} + persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} + storageClassName: "{{ include "common.fullname" $global }}-data" + hostPath: + path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{$i}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/postgres/charts/pgpool/templates/secrets.yaml b/kubernetes/common/common/templates/_tplValue.tpl similarity index 54% rename from kubernetes/common/postgres/charts/pgpool/templates/secrets.yaml rename to kubernetes/common/common/templates/_tplValue.tpl index 3b89371ad4..b74ecbda19 100644 --- a/kubernetes/common/postgres/charts/pgpool/templates/secrets.yaml +++ b/kubernetes/common/common/templates/_tplValue.tpl 
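Review bot: The PersistentVolume rendered by `common.replicaPV` is a cluster-scoped object, so the `namespace:` line under `metadata` has no effect, and neither the PV name (`<fullname>-data-<i>`) nor the `hostPath` (`<mountPath>/<release>/<mountSubPath>-<i>`) contains the namespace. Two installations that resolve to the same fullname and release prefix in different namespaces would therefore collide on the PV name or end up on the same host directory, which matters for data isolation between tenants. Consider dropping the `namespace:` line and including the namespace in the path, for example `path: {{ ... mountPath }}/{{ include "common.namespace" $global }}/{{ include "common.release" $global }}/...`, after checking how existing data directories would be migrated. `accessMode` and `volumeReclaimPolicy` are also read without a default, so a chart that omits them renders an empty list item and an empty policy; `| default "ReadWriteOnce"` or `required` would make that explicit.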
@@ -1,4 +1,5 @@ -# Copyright © 2018 Amdocs, Bell Canada +{{/* +# Copyright © 2019 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -11,18 +12,17 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +*/}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -type: Opaque -data: - db-user-password: {{ default "" .Values.credentials.pgpassword | b64enc | quote }} - +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplValue" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml index cac6f79f16..f6ce95a65f 100644 --- a/kubernetes/common/mariadb-init/values.yaml +++ b/kubernetes/common/mariadb-init/values.yaml @@ -37,7 +37,7 @@ secrets: password: '{{ tpl (default "" .global.mariadbGalera.userRootPassword) . }}' - uid: '{{ .Values.config.mysqlDatabase }}' type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.mysqlExternalSecret) . }}' + externalSecret: '{{ tpl (default "" .Values.config.userCredentialsExternalSecret) . }}' login: '{{ .Values.config.userName }}' password: '{{ .Values.config.userPassword }}' passwordPolicy: required 
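Review bot: The header comment of `common.tplValue` does not say that the value is evaluated as a template against the whole `.context`, nor that non-string values are serialised with `toYaml` and then evaluated too. This commit routes `.Values.podAnnotations` and the service annotations through it, so any `{{ ... }}` inside an annotation value is executed at render time with access to everything in scope, and a literal brace pair in a value will break or alter rendering. I would add to the comment: `Strings and structured values are both passed through tpl with the full context; values must come from a trusted source and literal "{{" must be escaped.`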
@@ -56,7 +56,7 @@ config: userPassword: Ci@shsOd3pky1Vji userName: u5WZ1GMSIS1wHZF # set this value if you would like to use external secret instead of providing a password - # mysqlExternalsecret: some-secret-name + # userCredentialsExternalsecret: some-secret-name mysqlDatabase: ynsaUCru6mUNwGal mysqlAdditionalDatabases: {} # add addtional dabases diff --git a/kubernetes/common/postgres/charts/pgpool/configs/pgpool.conf b/kubernetes/common/postgres/charts/pgpool/configs/pgpool.conf deleted file mode 100644 index f335174f40..0000000000 --- a/kubernetes/common/postgres/charts/pgpool/configs/pgpool.conf +++ /dev/null 
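Review bot: The commented example key is spelled `userCredentialsExternalsecret` (lower-case `s`), while the template changed in the `secrets:` hunk of this file reads `.Values.config.userCredentialsExternalSecret`. Values keys are case-sensitive, so an operator who uncomments the line as written sets a key nothing reads, and the chart silently keeps using the `userPassword` default committed just above it. The line should read `# userCredentialsExternalSecret: some-secret-name`. The rename has the same silent effect on existing overrides that still set `mysqlExternalSecret`, so it may be worth honouring the old key for one release or stating the rename in the comment.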
@@ -1,677 +0,0 @@ -# ---------------------------- -# pgPool-II configuration file a custom version -# ---------------------------- -# -# This file consists of lines of the form: -# -# name = value -# -# Whitespace may be used. Comments are introduced with "#" anywhere on a line. -# The complete list of parameter names and allowed values can be found in the -# pgPool-II documentation. -# -# This file is read on server startup and when the server receives a SIGHUP -# signal. If you edit the file on a running system, you have to SIGHUP the -# server for the changes to take effect, or use "pgpool reload". Some -# parameters, which are marked below, require a server shutdown and restart to -# take effect. -# - - -#------------------------------------------------------------------------------ -# CONNECTIONS -#------------------------------------------------------------------------------ - -# - pgpool Connection Settings - - -listen_addresses = '*' - # Host name or IP address to listen on: - # '*' for all, '' for no TCP/IP connections - # (change requires restart) -#port = 9999 -port = 5432 - # Port number - # (change requires restart) -socket_dir = '/tmp' - # Unix domain socket path - # The Debian package defaults to - # /var/run/postgresql - # (change requires restart) - - -# - pgpool Communication Manager Connection Settings - - -pcp_port = 9898 - # Port number for pcp - # (change requires restart) -pcp_socket_dir = '/tmp' - # Unix domain socket path for pcp - # The Debian package defaults to - # /var/run/postgresql - # (change requires restart) - -# - Backend Connection Settings - - -backend_hostname0 = '{{.Values.container.name.primary}}' -backend_port0 = 5432 -backend_weight0= 1 -backend_flag0= 'DISALLOW_TO_FAILOVER' - -backend_hostname1 = '{{.Values.container.name.replica}}' -backend_port1 = 5432 -backend_weight1= 1 -backend_flag1= 'DISALLOW_TO_FAILOVER' - -#backend_hostname0 = 'master' - # Host name or IP address to connect to for backend 0 -#backend_port0 = 5432 
- # Port number for backend 0 -#backend_weight0 = 1 - # Weight for backend 0 (only in load balancing mode) -#backend_data_directory0 = '/data' - # Data directory for backend 0 -#backend_flag0 = 'ALLOW_TO_FAILOVER' - # Controls various backend behavior - # ALLOW_TO_FAILOVER or DISALLOW_TO_FAILOVER -#backend_hostname1 = 'standby' -#backend_port1 = 5432 -#backend_weight1 = 1 -#backend_data_directory1 = '/data1' -#backend_flag1 = 'ALLOW_TO_FAILOVER' - -# - Authentication - - -enable_pool_hba = on - # Use pool_hba.conf for client authentication -pool_passwd = 'pool_passwd' - # File name of pool_passwd for md5 authentication. - # "" disables pool_passwd. - # (change requires restart) -authentication_timeout = 60 - # Delay in seconds to complete client authentication - # 0 means no timeout. - -# - SSL Connections - - -ssl = off - # Enable SSL support - # (change requires restart) -#ssl_key = './server.key' - # Path to the SSL private key file - # (change requires restart) -#ssl_cert = './server.cert' - # Path to the SSL public certificate file - # (change requires restart) -#ssl_ca_cert = '' - # Path to a single PEM format file - # containing CA root certificate(s) - # (change requires restart) -#ssl_ca_cert_dir = '' - # Directory containing CA root certificate(s) - # (change requires restart) - - -#------------------------------------------------------------------------------ -# POOLS -#------------------------------------------------------------------------------ - -# - Pool size - - -num_init_children = 5 - # Number of pools - # (change requires restart) -max_pool = 1 - # Number of connections per pool - # (change requires restart) - -# - Life time - - -child_life_time = 300 - # Pool exits after being idle for this many seconds -child_max_connections = 0 - # Pool exits after receiving that many connections - # 0 means no exit -connection_life_time = 0 - # Connection to backend closes after being idle for this many seconds - # 0 means no close -client_idle_limit = 0 - # 
Client is disconnected after being idle for that many seconds - # (even inside an explicit transactions!) - # 0 means no disconnection - - -#------------------------------------------------------------------------------ -# LOGS -#------------------------------------------------------------------------------ - -# - Where to log - - -log_destination = 'stderr' - # Where to log - # Valid values are combinations of stderr, - # and syslog. Default to stderr. - -# - What to log - - -print_timestamp = on - # Print timestamp on each line - # (change requires restart) - -log_connections = on - # Log connections -log_hostname = on - # Hostname will be shown in ps status - # and in logs if connections are logged -log_statement = on - # Log all statements -log_per_node_statement = off - # Log all statements - # with node and backend informations -log_standby_delay = 'if_over_threshold' - # Log standby delay - # Valid values are combinations of always, - # if_over_threshold, none - -# - Syslog specific - - -syslog_facility = 'LOCAL0' - # Syslog local facility. 
Default to LOCAL0 -syslog_ident = 'pgpool' - # Syslog program identification string - # Default to 'pgpool' - -# - Debug - - -debug_level = 1 - # Debug message verbosity level - # 0 means no message, 1 or more mean verbose - - -#------------------------------------------------------------------------------ -# FILE LOCATIONS -#------------------------------------------------------------------------------ - -pid_file_name = '/tmp/pgpool.pid' - # PID file name - # (change requires restart) -logdir = '/tmp' - # Directory of pgPool status file - # (change requires restart) - - -#------------------------------------------------------------------------------ -# CONNECTION POOLING -#------------------------------------------------------------------------------ - -connection_cache = off - # Activate connection pools - # (change requires restart) - - # Semicolon separated list of queries - # to be issued at the end of a session - # The default is for 8.3 and later -reset_query_list = 'ABORT; DISCARD ALL' - # The following one is for 8.2 and before -#reset_query_list = 'ABORT; RESET ALL; SET SESSION AUTHORIZATION DEFAULT' - - -#------------------------------------------------------------------------------ -# REPLICATION MODE -#------------------------------------------------------------------------------ - -replication_mode = off - # Activate replication mode - # (change requires restart) -replicate_select = off - # Replicate SELECT statements - # when in replication or parallel mode - # replicate_select is higher priority than - # load_balance_mode. 
- -insert_lock = off - # Automatically locks a dummy row or a table - # with INSERT statements to keep SERIAL data - # consistency - # Without SERIAL, no lock will be issued -lobj_lock_table = '' - # When rewriting lo_creat command in - # replication mode, specify table name to - # lock - -# - Degenerate handling - - -replication_stop_on_mismatch = off - # On disagreement with the packet kind - # sent from backend, degenerate the node - # which is most likely "minority" - # If off, just force to exit this session - -failover_if_affected_tuples_mismatch = off - # On disagreement with the number of affected - # tuples in UPDATE/DELETE queries, then - # degenerate the node which is most likely - # "minority". - # If off, just abort the transaction to - # keep the consistency - - -#------------------------------------------------------------------------------ -# LOAD BALANCING MODE -#------------------------------------------------------------------------------ - -load_balance_mode = on - # Activate load balancing mode - # (change requires restart) -ignore_leading_white_space = on - # Ignore leading white spaces of each query -white_function_list = '' - # Comma separated list of function names - # that don't write to database - # Regexp are accepted -black_function_list = 'currval,lastval,nextval,setval' - # Comma separated list of function names - # that write to database - # Regexp are accepted - - -#------------------------------------------------------------------------------ -# MASTER/SLAVE MODE -#------------------------------------------------------------------------------ - -master_slave_mode = on - # Activate master/slave mode - # (change requires restart) -master_slave_sub_mode = 'stream' - # Master/slave sub mode - # Valid values are combinations slony or - # stream. Default is slony. 
- # (change requires restart) - -# - Streaming - - -sr_check_period = 10 - # Streaming replication check period - # Disabled (0) by default -sr_check_user = '{{.Values.credentials.pgusername}}' - # Streaming replication check user - # This is neccessary even if you disable streaming - # replication delay check by sr_check_period = 0 -sr_check_password = '{{.Values.credentials.pgpassword}}' - # Password for streaming replication check user -delay_threshold = 10000000 - # Threshold before not dispatching query to standby node - # Unit is in bytes - # Disabled (0) by default - -# - Special commands - - -follow_master_command = '' - # Executes this command after master failover - # Special values: - # %d = node id - # %h = host name - # %p = port number - # %D = database cluster path - # %m = new master node id - # %H = hostname of the new master node - # %M = old master node id - # %P = old primary node id - # %r = new master port number - # %R = new master database cluster path - # %% = '%' character - - -#------------------------------------------------------------------------------ -# PARALLEL MODE -#------------------------------------------------------------------------------ - -parallel_mode = off - # Activates parallel query mode - # (change requires restart) -pgpool2_hostname = '' - # Set pgpool2 hostname - # (change requires restart) - -# - System DB info - - -#system_db_hostname = 'localhost' - # (change requires restart) -#system_db_port = 5432 - # (change requires restart) -#system_db_dbname = 'pgpool' - # (change requires restart) -#system_db_schema = 'pgpool_catalog' - # (change requires restart) -#system_db_user = 'pgpool' - # (change requires restart) -#system_db_password = '' - # (change requires restart) - - -#------------------------------------------------------------------------------ -# HEALTH CHECK -#------------------------------------------------------------------------------ - -health_check_period = 20 - # Health check period - # Disabled (0) 
by default -health_check_timeout = 10 - # Health check timeout - # 0 means no timeout -health_check_user = '{{.Values.credentials.pgusername}}' - # Health check user -health_check_password = '{{.Values.credentials.pgpassword}}' - # Password for health check user -health_check_max_retries = 3 -connect_timeout = 10000 # Timeout value in milliseconds before giving up to connect to backend. - - # Maximum number of times to retry a failed health check before giving up. -health_check_retry_delay = 1 - # Amount of time to wait (in seconds) between retries. - - -#------------------------------------------------------------------------------ -# FAILOVER AND FAILBACK -#------------------------------------------------------------------------------ - -failover_command = '' - # Executes this command at failover - # Special values: - # %d = node id - # %h = host name - # %p = port number - # %D = database cluster path - # %m = new master node id - # %H = hostname of the new master node - # %M = old master node id - # %P = old primary node id - # %r = new master port number - # %R = new master database cluster path - # %% = '%' character -failback_command = '' - # Executes this command at failback. - # Special values: - # %d = node id - # %h = host name - # %p = port number - # %D = database cluster path - # %m = new master node id - # %H = hostname of the new master node - # %M = old master node id - # %P = old primary node id - # %r = new master port number - # %R = new master database cluster path - # %% = '%' character - -fail_over_on_backend_error = off - # Initiates failover when reading/writing to the - # backend communication socket fails - # If set to off, pgpool will report an - # error and disconnect the session. - -search_primary_node_timeout = 10 - # Timeout in seconds to search for the - # primary node when a failover occurs. - # 0 means no timeout, keep searching - # for a primary node forever. 
- -#------------------------------------------------------------------------------ -# ONLINE RECOVERY -#------------------------------------------------------------------------------ - -recovery_user = '{{.Values.credentials.pgusername}}' - # Online recovery user -recovery_password = '{{.Values.credentials.pgpassword}}' - # Online recovery password -recovery_1st_stage_command = '' - # Executes a command in first stage -recovery_2nd_stage_command = '' - # Executes a command in second stage -recovery_timeout = 90 - # Timeout in seconds to wait for the - # recovering node's postmaster to start up - # 0 means no wait -client_idle_limit_in_recovery = 0 - # Client is disconnected after being idle - # for that many seconds in the second stage - # of online recovery - # 0 means no disconnection - # -1 means immediate disconnection - - -#------------------------------------------------------------------------------ -# WATCHDOG -#------------------------------------------------------------------------------ - -# - Enabling - - -use_watchdog = off - # Activates watchdog - # (change requires restart) - -# -Connection to up stream servers - - -trusted_servers = '' - # trusted server list which are used - # to confirm network connection - # (hostA,hostB,hostC,...) - # (change requires restart) -ping_path = '/bin' - # ping command path - # (change requires restart) - -# - Watchdog communication Settings - - -wd_hostname = '' - # Host name or IP address of this watchdog - # (change requires restart) -wd_port = 9000 - # port number for watchdog service - # (change requires restart) -wd_authkey = '' - # Authentication key for watchdog communication - # (change requires restart) - -# - Virtual IP control Setting - - -delegate_IP = '' - # delegate IP address - # If this is empty, virtual IP never bring up. 
- # (change requires restart) -ifconfig_path = '/sbin' - # ifconfig command path - # (change requires restart) -if_up_cmd = 'ifconfig eth0:0 inet $_IP_$ netmask 255.255.255.0' - # startup delegate IP command - # (change requires restart) -if_down_cmd = 'ifconfig eth0:0 down' - # shutdown delegate IP command - # (change requires restart) - -arping_path = '/usr/sbin' # arping command path - # (change requires restart) - -arping_cmd = 'arping -U $_IP_$ -w 1' - # arping command - # (change requires restart) - -# - Behaivor on escalation Setting - - -clear_memqcache_on_escalation = on - # Clear all the query cache on shared memory - # when standby pgpool escalate to active pgpool - # (= virtual IP holder). - # This should be off if client connects to pgpool - # not using virtual IP. - # (change requires restart) -wd_escalation_command = '' - # Executes this command at escalation on new active pgpool. - # (change requires restart) - -# - Lifecheck Setting - - -# -- common -- - -wd_lifecheck_method = 'heartbeat' - # Method of watchdog lifecheck ('heartbeat' or 'query') - # (change requires restart) -wd_interval = 10 - # lifecheck interval (sec) > 0 - # (change requires restart) - -# -- heartbeat mode -- - -wd_heartbeat_port = 9694 - # Port number for receiving heartbeat signal - # (change requires restart) -wd_heartbeat_keepalive = 2 - # Interval time of sending heartbeat signal (sec) - # (change requires restart) -wd_heartbeat_deadtime = 30 - # Deadtime interval for heartbeat signal (sec) - # (change requires restart) -heartbeat_destination0 = 'host0_ip1' - # Host name or IP address of destination 0 - # for sending heartbeat signal. - # (change requires restart) -heartbeat_destination_port0 = 9694 - # Port number of destination 0 for sending - # heartbeat signal. Usually this is the - # same as wd_heartbeat_port. 
- # (change requires restart) -heartbeat_device0 = '' - # Name of NIC device (such like 'eth0') - # used for sending/receiving heartbeat - # signal to/from destination 0. - # This works only when this is not empty - # and pgpool has root privilege. - # (change requires restart) - -#heartbeat_destination1 = 'host0_ip2' -#heartbeat_destination_port1 = 9694 -#heartbeat_device1 = '' - -# -- query mode -- - -wd_life_point = 3 - # lifecheck retry times - # (change requires restart) -wd_lifecheck_query = 'SELECT 1' - # lifecheck query to pgpool from watchdog - # (change requires restart) -wd_lifecheck_dbname = 'template1' - # Database name connected for lifecheck - # (change requires restart) -wd_lifecheck_user = 'nobody' - # watchdog user monitoring pgpools in lifecheck - # (change requires restart) -wd_lifecheck_password = '' - # Password for watchdog user in lifecheck - # (change requires restart) - -# - Other pgpool Connection Settings - - -#other_pgpool_hostname0 = 'host0' - # Host name or IP address to connect to for other pgpool 0 - # (change requires restart) -#other_pgpool_port0 = 5432 - # Port number for othet pgpool 0 - # (change requires restart) -#other_wd_port0 = 9000 - # Port number for othet watchdog 0 - # (change requires restart) -#other_pgpool_hostname1 = 'host1' -#other_pgpool_port1 = 5432 -#other_wd_port1 = 9000 - - -#------------------------------------------------------------------------------ -# OTHERS -#------------------------------------------------------------------------------ -relcache_expire = 0 - # Life time of relation cache in seconds. - # 0 means no cache expiration(the default). - # The relation cache is used for cache the - # query result against PostgreSQL system - # catalog to obtain various information - # including table structures or if it's a - # temporary table or not. The cache is - # maintained in a pgpool child local memory - # and being kept as long as it survives. 
- # If someone modify the table by using - # ALTER TABLE or some such, the relcache is - # not consistent anymore. - # For this purpose, cache_expiration - # controls the life time of the cache. -relcache_size = 256 - # Number of relation cache - # entry. If you see frequently: - # "pool_search_relcache: cache replacement happend" - # in the pgpool log, you might want to increate this number. - -check_temp_table = on - # If on, enable temporary table check in SELECT statements. - # This initiates queries against system catalog of primary/master - # thus increases load of master. - # If you are absolutely sure that your system never uses temporary tables - # and you want to save access to primary/master, you could turn this off. - # Default is on. - - -#------------------------------------------------------------------------------ -# ON MEMORY QUERY MEMORY CACHE -#------------------------------------------------------------------------------ -memory_cache_enabled = off - # If on, use the memory cache functionality, off by default -memqcache_method = 'shmem' - # Cache storage method. either 'shmem'(shared memory) or - # 'memcached'. 'shmem' by default - # (change requires restart) -memqcache_memcached_host = 'localhost' - # Memcached host name or IP address. Mandatory if - # memqcache_method = 'memcached'. - # Defaults to localhost. - # (change requires restart) -memqcache_memcached_port = 11211 - # Memcached port number. Mondatory if memqcache_method = 'memcached'. - # Defaults to 11211. - # (change requires restart) -memqcache_total_size = 67108864 - # Total memory size in bytes for storing memory cache. - # Mandatory if memqcache_method = 'shmem'. - # Defaults to 64MB. - # (change requires restart) -memqcache_max_num_cache = 1000000 - # Total number of cache entries. Mandatory - # if memqcache_method = 'shmem'. - # Each cache entry consumes 48 bytes on shared memory. - # Defaults to 1,000,000(45.8MB). 
- # (change requires restart) -memqcache_expire = 0 - # Memory cache entry life time specified in seconds. - # 0 means infinite life time. 0 by default. - # (change requires restart) -memqcache_auto_cache_invalidation = on - # If on, invalidation of query cache is triggered by corresponding - # DDL/DML/DCL(and memqcache_expire). If off, it is only triggered - # by memqcache_expire. on by default. - # (change requires restart) -memqcache_maxcache = 409600 - # Maximum SELECT result size in bytes. - # Must be smaller than memqcache_cache_block_size. Defaults to 400KB. - # (change requires restart) -memqcache_cache_block_size = 1048576 - # Cache block size in bytes. Mandatory if memqcache_method = 'shmem'. - # Defaults to 1MB. - # (change requires restart) -memqcache_oiddir = '/var/log/pgpool/oiddir' - # Temporary work directory to record table oids - # (change requires restart) -white_memqcache_table_list = '' - # Comma separated list of table names to memcache - # that don't write to database - # Regexp are accepted -black_memqcache_table_list = '' - # Comma separated list of table names not to memcache - # that don't write to database - # Regexp are accepted diff --git a/kubernetes/common/postgres/charts/pgpool/configs/pool_hba.conf b/kubernetes/common/postgres/charts/pgpool/configs/pool_hba.conf deleted file mode 100644 index 580185c6f0..0000000000 --- a/kubernetes/common/postgres/charts/pgpool/configs/pool_hba.conf +++ /dev/null 
@@ -1,68 +0,0 @@ -# pgpool Client Authentication Configuration File a custom version -# =============================================== -# -# The format rule in this file follows the rules in the PostgreSQL -# Administrator's Guide. Refer to chapter "Client Authentication" for a -# complete description. A short synopsis follows. -# -# This file controls: which hosts are allowed to connect, how clients -# are authenticated, which user names they can use, which databases they -# can access. Records take one of these forms: -# -# local DATABASE USER METHOD [OPTION] -# host DATABASE USER CIDR-ADDRESS METHOD [OPTION] -# -# (The uppercase items must be replaced by actual values.) -# -# The first field is the connection type: "local" is a Unix-domain -# socket, "host" is either a plain or SSL-encrypted TCP/IP socket. -# -# DATABASE can be "all", "sameuser", a database name, or a comma-separated -# list thereof. Note that "samegroup" like in PostgreSQL's pg_hba.conf -# file is not supported, since pgpool does not know which group a user -# belongs to. Also note that the database specified here may not exist in -# the backend PostgreSQL. pgpool will authenticate based on the database's -# name, not based on whether it exists or not. -# -# USER can be "all", a user name, or a comma-separated list thereof. In -# both the DATABASE and USER fields you can also write a file name prefixed -# with "@" to include names from a separate file. Note that a group name -# prefixed with "+" like in PostgreSQL's pg_hba.conf file is not supported -# because of the same reason as "samegroup" token. Also note that a user -# name specified here may not exist in the backend PostgreSQL. pgpool will -# authenticate based on the user's name, not based on whether he/she exists. -# -# CIDR-ADDRESS specifies the set of hosts the record matches. -# It is made up of an IP address and a CIDR mask that is an integer -# (between 0 and 32 (IPv4) that specifies the number of significant bits in -# the mask. 
Alternatively, you can write an IP address and netmask in -# separate columns to specify the set of hosts. -# -# METHOD can be "trust", "reject", "md5" or "pam". Note that "pam" sends passwords -# in clear text. -# -# OPTION is the name of the PAM service. Default service name is "pgpool" -# -# Database and user names containing spaces, commas, quotes and other special -# characters must be quoted. Quoting one of the keywords "all" or "sameuser" -# makes the name lose its special character, and just match a database or -# username with that name. -# -# This file is read on pgpool startup. If you edit the file on a running -# system, you have to restart the pgpool for the changes to take effect. - -# Put your actual configuration here -# ---------------------------------- -# -# If you want to allow non-local connections, you need to add more -# "host" records. In that case you will also need to make pgpool listen -# on a non-local interface via the listen_addresses configuration parameter. -# - -# TYPE DATABASE USER CIDR-ADDRESS METHOD - -# "local" is for Unix domain socket connections only -#local all all trust -# IPv4 local connections: -host all all 0.0.0.0/0 md5 - diff --git a/kubernetes/common/postgres/charts/pgpool/templates/deployment.yaml b/kubernetes/common/postgres/charts/pgpool/templates/deployment.yaml deleted file mode 100644 index c24916ad22..0000000000 --- a/kubernetes/common/postgres/charts/pgpool/templates/deployment.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, AT&T, Bell Canada -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. -*/}} -kind: Deployment -apiVersion: extensions/v1beta1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: 2 - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-job - image: "{{.Values.repository}}/{{.Values.image}}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: pgpool-pgconf - mountPath: /pgconf/pgpoolconfigdir - readOnly: false - - name: pgpool-pgconf-static - mountPath: /configdir/ - readOnly: false - command: - - /bin/sh - args: - - -c - - | - cp /configdir/pgpool.conf /pgconf/pgpoolconfigdir/ - cp /configdir/pool_hba.conf /pgconf/pgpoolconfigdir/ - pg_md5 -f /pgconf/pgpoolconfigdir/pgpool.conf --md5auth --username=${PG_USER} ${PG_PASSWORD} - env: - - name: PG_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . 
}} - key: db-user-password - - name: PG_USER - value: {{ index .Values.credentials.pgusername }} - containers: - - image: "{{.Values.repository}}/{{.Values.image}}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }} - env: - - name: PG_PRIMARY_SERVICE_NAME - value: {{.Values.container.name.primary}} - - name: PG_REPLICA_SERVICE_NAME - value: {{.Values.container.name.replica}} - - name: PG_USERNAME - value: {{.Values.credentials.pgusername}} - - name: PG_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: db-user-password - ports: - - containerPort: 5432 - name: pgpool - protocol: TCP - readinessProbe: - tcpSocket: - port: 5432 - initialDelaySeconds: 20 - periodSeconds: 10 - livenessProbe: - tcpSocket: - port: 5432 - initialDelaySeconds: 15 - periodSeconds: 20 - volumeMounts: - - name: pgpool-pgconf - mountPath: /pgconf/pgpoolconfigdir - readOnly: false - volumes: - - name: pgpool-pgconf - emptyDir: {} - - name: pgpool-pgconf-static - configMap: - name: {{ include "common.fullname" . }}-pgpool-configmap diff --git a/kubernetes/common/postgres/charts/pgpool/templates/service.yaml b/kubernetes/common/postgres/charts/pgpool/templates/service.yaml deleted file mode 100644 index 696b22a80d..0000000000 --- a/kubernetes/common/postgres/charts/pgpool/templates/service.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/common/postgres/charts/pgpool/values.yaml b/kubernetes/common/postgres/charts/pgpool/values.yaml deleted file mode 100644 index 8ceff8f964..0000000000 --- a/kubernetes/common/postgres/charts/pgpool/values.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -# Copyright © 2018 Amdocs, AT&T, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - readinessRepository: oomk8s - readinessImage: readiness-check:2.0.0 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -repository: crunchydata -image: crunchy-pgpool:centos7-10.4-2.0.0 -pullPolicy: Always - -container: - port: 5432 - name: - primary: pgset-primary - replica: pgset-replica -credentials: - pgusername: testuser - pgpassword: password -service: - name: pgpool - portName: tcp-postgres - type: ClusterIP - externalPort: 5432 - internalPort: 5432 diff --git a/kubernetes/common/postgres/templates/_deployment.tpl b/kubernetes/common/postgres/templates/_deployment.tpl new file mode 100644 index 0000000000..3777c1b2e4 --- /dev/null +++ b/kubernetes/common/postgres/templates/_deployment.tpl 
@@ -0,0 +1,135 @@ +{{/* +# Copyright © 2018 Amdocs, AT&T, Bell Canada +# Copyright © 2020 Samsung Electronics +# # +# # Licensed under the Apache License, Version 2.0 (the "License"); +# # you may not use this file except in compliance with the License. +# # You may obtain a copy of the License at +# # +# # http://www.apache.org/licenses/LICENSE-2.0 +# # +# # Unless required by applicable law or agreed to in writing, software +# # distributed under the License is distributed on an "AS IS" BASIS, +# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# # See the License for the specific language governing permissions and +# # limitations under the License. +*/}} + +{{- define "common.postgres.deployment" -}} + {{- $dot := .dot }} + {{- $pgMode := .pgMode }} +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: {{ include "common.fullname" $dot }}-{{ $pgMode }} + namespace: {{ include "common.namespace" $dot }} + labels: + app: {{ include "common.name" $dot }}-{{ $pgMode }} + chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }} + release: {{ include "common.release" $dot }} + heritage: {{ $dot.Release.Service }} + name: "{{ index $dot.Values "container" "name" $pgMode }}" +spec: + serviceName: {{ $dot.Values.service.name }} + replicas: 1 + template: + metadata: + labels: + app: {{ include "common.name" $dot }}-{{ $pgMode }} + release: {{ include "common.release" $dot }} + name: "{{ index $dot.Values "container" "name" $pgMode }}" + spec: + initContainers: + - name: init-sysctl + command: + - /bin/sh + - -c + - | + chown 26:26 /podroot/; + chmod 700 /podroot/; + image: {{ $dot.Values.global.busyboxRepository | default $dot.Values.busyboxRepository }}/{{ $dot.Values.busyboxImage }} + imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} + volumeMounts: + - name: {{ include "common.fullname" $dot }}-data + mountPath: /podroot/ + containers: + - name: {{ include "common.name" $dot }} + 
image: "{{ $dot.Values.postgresRepository }}/{{ $dot.Values.image }}" + imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} + ports: + - containerPort: {{ $dot.Values.service.internalPort }} + name: {{ $dot.Values.service.portName }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq $dot.Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ $dot.Values.service.internalPort }} + initialDelaySeconds: {{ $dot.Values.liveness.initialDelaySeconds }} + periodSeconds: {{ $dot.Values.liveness.periodSeconds }} + timeoutSeconds: {{ $dot.Values.liveness.timeoutSeconds }} + {{- end }} + readinessProbe: + tcpSocket: + port: {{ $dot.Values.service.internalPort }} + initialDelaySeconds: {{ $dot.Values.readiness.initialDelaySeconds }} + periodSeconds: {{ $dot.Values.readiness.periodSeconds }} + env: + - name: PGHOST + value: /tmp + - name: PG_PRIMARY_USER + value: primaryuser + - name: PG_MODE + value: {{ $pgMode }} + - name: PG_PRIMARY_HOST + value: "{{ $dot.Values.container.name.primary }}" + - name: PG_REPLICA_HOST + value: "{{ $dot.Values.container.name.replica }}" + - name: PG_PRIMARY_PORT + value: "{{ $dot.Values.service.internalPort }}" + - name: PG_PRIMARY_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.primaryPasswordUID" .) "key" "password") | indent 10 }} + - name: PG_USER + {{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.userCredentialsUID" .) "key" "login") | indent 10 }} + - name: PG_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.userCredentialsUID" .) 
"key" "password") | indent 10 }} + - name: PG_DATABASE + value: "{{ $dot.Values.config.pgDatabase }}" + - name: PG_ROOT_PASSWORD + {{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 10 }} + volumeMounts: + - name: pool-hba-conf + mountPath: /pgconf/pool_hba.conf + subPath: pool_hba.conf + - mountPath: /pgdata + name: {{ include "common.fullname" $dot }}-data + - mountPath: /backup + name: {{ include "common.fullname" $dot }}-backup + readOnly: true + resources: +{{ include "common.resources" $dot | indent 12 }} + {{- if $dot.Values.nodeSelector }} + nodeSelector: +{{ toYaml $dot.Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if $dot.Values.affinity }} + affinity: +{{ toYaml $dot.Values.affinity | indent 10 }} + {{- end }} + volumes: + - name: localtime + hostPath: + path: /etc/localtime + - name: {{ include "common.fullname" $dot }}-backup + emptyDir: {} + - name: {{ include "common.fullname" $dot }}-data +{{- if $dot.Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ include "common.fullname" $dot }}-{{ $pgMode }} +{{- else }} + emptyDir: {} +{{ end }} + - name: pool-hba-conf + configMap: + name: {{ include "common.fullname" $dot }} +{{- end -}} \ No newline at end of file diff --git a/kubernetes/common/postgres/templates/deployment-primary.yaml b/kubernetes/common/postgres/templates/deployment-primary.yaml index b234dc2092..c8a000142e 100644 --- a/kubernetes/common/postgres/templates/deployment-primary.yaml +++ b/kubernetes/common/postgres/templates/deployment-primary.yaml 
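Review bot: The `localtime` entry under `volumes:` is a `hostPath` volume (`/etc/localtime`) that no `volumeMounts:` list in this template references, so the pod requests host filesystem access it never uses. Clusters whose pod security policy forbids `hostPath` would reject the Deployment because of it. I would drop the three lines `- name: localtime`, `hostPath:` and `path: /etc/localtime`. Separately, the `init-sysctl` container runs `chown 26:26 /podroot/`, which presumably needs root, and neither container sets a `securityContext`. A pod-level `securityContext` with `fsGroup: 26` may make the init container unnecessary, though that depends on the storage backend.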
@@ -13,126 +13,4 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} -apiVersion: apps/v1beta1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }}-primary - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-primary - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - name: "{{ .Values.container.name.primary }}" -spec: - serviceName: {{ .Values.service.name }} - replicas: 1 - template: - metadata: - labels: - app: {{ include "common.name" . }}-primary - release: {{ include "common.release" . }} - name: "{{ .Values.container.name.primary }}" - spec: - initContainers: - - name: init-sysctl - command: - - /bin/sh - - -c - - | - chown 26:26 /podroot/; - chmod 700 /podroot/; - image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.busyboxImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: {{ include "common.fullname" . }}-data - mountPath: /podroot/ - containers: - - name: {{ include "common.name" . 
}} - image: "{{ .Values.postgresRepository }}/{{ .Values.image }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - {{- end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: PGHOST - value: /tmp - - name: PG_PRIMARY_USER - value: primaryuser - - name: PG_MODE - value: primary - - name: PG_PRIMARY_HOST - value: "{{ .Values.container.name.primary }}" - - name: PG_REPLICA_HOST - value: "{{ .Values.container.name.replica }}" - - name: PG_PRIMARY_PORT - value: "{{ .Values.service.internalPort }}" - - name: PG_PRIMARY_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: pg-primary-password - - name: PG_USER - value: "{{ .Values.config.pgUserName }}" - - name: PG_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: pg-user-password - - name: PG_DATABASE - value: "{{ .Values.config.pgDatabase }}" - - name: PG_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: pg-root-password - volumeMounts: - - name: pool-hba-conf - mountPath: /pgconf/pool_hba.conf - subPath: pool_hba.conf - - mountPath: /pgdata - name: {{ include "common.fullname" . }}-data - - mountPath: /backup - name: {{ include "common.fullname" . 
}}-backup - readOnly: true - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-backup - emptyDir: {} - - name: {{ include "common.fullname" . }}-data -{{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }}-primary -{{- else }} - emptyDir: {} -{{ end }} - - name: pool-hba-conf - configMap: - name: {{ include "common.fullname" . }} +{{ include "common.postgres.deployment" (dict "dot" . "pgMode" "primary") }} diff --git a/kubernetes/common/postgres/templates/deployment-replica.yaml b/kubernetes/common/postgres/templates/deployment-replica.yaml index 72a8736e17..dc19c2d985 100644 --- a/kubernetes/common/postgres/templates/deployment-replica.yaml +++ b/kubernetes/common/postgres/templates/deployment-replica.yaml 
@@ -13,126 +13,4 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} -apiVersion: apps/v1beta1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }}-replica - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-replica - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - name: "{{ .Values.container.name.replica }}" -spec: - serviceName: {{ .Values.service.name }} - replicas: 1 - template: - metadata: - labels: - app: {{ include "common.name" . }}-replica - release: {{ include "common.release" . }} - name: "{{ .Values.container.name.replica }}" - spec: - initContainers: - - name: init-sysctl - command: - - /bin/sh - - -c - - | - chown 26:26 /podroot/; - chmod 700 /podroot/; - image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.busyboxImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: {{ include "common.fullname" . }}-data - mountPath: /podroot/ - containers: - - name: {{ include "common.name" . 
}} - image: "{{ .Values.postgresRepository }}/{{ .Values.image }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - {{end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: PGHOST - value: /tmp - - name: PG_PRIMARY_USER - value: primaryuser - - name: PG_MODE - value: replica - - name: PG_PRIMARY_HOST - value: "{{.Values.container.name.primary}}" - - name: PG_REPLICA_HOST - value: "{{.Values.container.name.replica}}" - - name: PG_PRIMARY_PORT - value: "{{.Values.service.internalPort}}" - - name: PG_PRIMARY_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: pg-primary-password - - name: PG_USER - value: "{{.Values.config.pgUserName}}" - - name: PG_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: pg-user-password - - name: PG_DATABASE - value: "{{.Values.config.pgDatabase}}" - - name: PG_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: pg-root-password - volumeMounts: - - name: pool-hba-conf - mountPath: /pgconf/pool_hba.conf - subPath: pool_hba.conf - - mountPath: /pgdata - name: {{ include "common.fullname" . }}-data - - mountPath: /backup - name: {{ include "common.fullname" . }}-backup - readOnly: true - resources: -{{ include "common.resources" . 
| indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-backup - emptyDir: {} - - name: {{ include "common.fullname" . }}-data -{{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }}-replica -{{- else }} - emptyDir: {} -{{ end }} - - name: pool-hba-conf - configMap: - name: {{ include "common.fullname" . }} +{{ include "common.postgres.deployment" (dict "dot" . "pgMode" "replica") }} diff --git a/kubernetes/common/postgres/templates/pvc-primary.yaml b/kubernetes/common/postgres/templates/pvc-primary.yaml index fa25f19077..a47d3ed56e 100644 --- a/kubernetes/common/postgres/templates/pvc-primary.yaml +++ b/kubernetes/common/postgres/templates/pvc-primary.yaml @@ -41,5 +41,4 @@ spec: {{- else }} storageClassName: {{ include "common.storageClass" . }} {{- end }} - storageClassName: "{{ include "common.fullname" . }}-primary" {{- end -}} diff --git a/kubernetes/common/postgres/templates/secrets.yaml b/kubernetes/common/postgres/templates/secrets.yaml index db1bc5bb15..4c68015528 100644 --- a/kubernetes/common/postgres/templates/secrets.yaml +++ b/kubernetes/common/postgres/templates/secrets.yaml 
@@ -13,19 +13,4 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - pg-primary-password: {{ .Values.config.pgPrimaryPassword | b64enc | quote }} - pg-user-password: {{ .Values.config.pgUserPassword | b64enc | quote }} - pg-root-password: {{ .Values.config.pgRootPassword | b64enc | quote }} - +{{ include "common.secret" . }} diff --git a/kubernetes/common/postgres/values.yaml b/kubernetes/common/postgres/values.yaml index 3104ee79d2..c2131e9ad0 100644 --- a/kubernetes/common/postgres/values.yaml +++ b/kubernetes/common/postgres/values.yaml 
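Review bot: With the explicit `Secret` replaced by `{{ include "common.secret" . }}`, the keys `pg-primary-password`, `pg-user-password` and `pg-root-password` are no longer defined in this file, and the new `_deployment.tpl` reads keys named `password` and `login` instead. Any chart or job outside this change that still points a `secretKeyRef` at the old key names would presumably fail to start, so those consumers should be checked before merging. A one-line template comment such as `{{/* Secret objects are rendered from the "secrets:" list in values.yaml */}}` would tell readers where the definitions went.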
@@ -21,6 +21,24 @@ global: readinessRepository: oomk8s readinessImage: readiness-check:2.0.0 +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: '{{ include "common.postgres.secret.rootPassUID" . }}' + type: password + externalSecret: '{{ tpl (default "" .Values.config.pgRootPasswordExternalSecret) . }}' + password: '{{ .Values.config.pgRootPassword }}' + - uid: '{{ include "common.postgres.secret.userCredentialsUID" . }}' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.pgUserExternalSecret) . }}' + login: '{{ .Values.config.pgUserName }}' + password: '{{ .Values.config.pgUserPassword }}' + - uid: '{{ include "common.postgres.secret.primaryPasswordUID" . }}' + type: password + externalSecret: '{{ tpl (default "" .Values.config.pgPrimaryPasswordExternalSecret) . }}' + password: '{{ .Values.config.pgPrimaryPassword }}' + ################################################################# # Application configuration defaults. ################################################################# @@ -46,22 +64,6 @@ container: primary: pgset-primary replica: pgset-replica -pgpool: - container: - port: 5432 - name: - primary: pgset-primary - replica: pgset-replica - credentials: - pgusername: testuser - pgpassword: password - service: - name: pgpool - - -# default number of instances -replicaCount: 2 - nodeSelector: {} affinity: {} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/README.md b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/README.md new file mode 100644 index 0000000000..dced68d7c6 --- /dev/null +++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/README.md 
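Review bot: The new `secrets:` entries read `config.pgRootPasswordExternalSecret`, `config.pgUserExternalSecret` and `config.pgPrimaryPasswordExternalSecret`, but neither hunk adds or documents those keys under `config:`. That section is outside the hunks, so they may already exist there. Without a visible entry, operators get no hint that a pre-created Secret can be supplied instead of keeping `pgRootPassword`, `pgUserPassword` and `pgPrimaryPassword` in the values file. I would add commented entries next to the password keys, e.g. `# pgRootPasswordExternalSecret: <name of an existing Secret>`, and state which of the two takes precedence when both are set.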
@@ -0,0 +1,23 @@
+# Motivations
+Ingress controller implementation in the ONAP cluster is based on the virtual host routing.
+Testing ONAP cluster requires a lot of entries on the target machines in the /etc/hosts.
+Adding many entries into the configuration files on testing machines is quite problematic and error prone.
+The better wait is to create central DNS server with entries for all virtual host pointed to simpledemo.onap.org and add custom DNS server as a target DNS server for testing machines and/or as external DNS for kubernetes cluster.
+
+# How to deploy test DNS server:
+Run script ./deploy\_dns.sh
+
+# How to add DNS address on testing machines:
+See post deploy info
+
+# Test DNS inside cluster (optional)
+1. You can add the following entry after DNS deploy on running cluster at the end of cluster.yaml file (rke)
+~~~yaml
+dns:
+ provider: coredns
+ upstreamnameservers:
+ - :31555
+~~~
+2. You can edit coredns configuration with command:
+ kubectl -n kube-system edit configmap coredns
+
diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/.helmignore b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/.helmignore
new file mode 100644
index 0000000000..dacad44a66
--- /dev/null
+++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/.helmignore
@@ -0,0 +1,37 @@ +# +# Copyright 2020 Samsung Electronics Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/Chart.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/Chart.yaml new file mode 100644 index 0000000000..a618fd792c --- /dev/null +++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/Chart.yaml 
@@ -0,0 +1,20 @@ +# +# Copyright 2020 Samsung Electronics Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +apiVersion: v1 +appVersion: "1.0" +description: bind9 DNS server for kubernetes cluster +name: bind9dns +version: 0.1.0 diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/NOTES.txt b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/NOTES.txt new file mode 100644 index 0000000000..7211966b89 --- /dev/null +++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/NOTES.txt 
@@ -0,0 +1,21 @@ +1. Get the installed DNS host and port by running this commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range $.Values.ingress.paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}{{ . }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bind9dns.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo DNS host: $NODE_IP dns port: $NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ include "bind9dns.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bind9dns.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bind9dns.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl port-forward $POD_NAME 8080:80 +{{- end }} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/_helpers.tpl b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/_helpers.tpl new file mode 100644 index 0000000000..3efbbbf831 --- /dev/null +++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/_helpers.tpl 
@@ -0,0 +1,49 @@ +{{/* + + Copyright 2020 Samsung Electronics Co., Ltd. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + +*/}} +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "bind9dns.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "bind9dns.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "bind9dns.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/deployment.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/deployment.yaml new file mode 100644 index 0000000000..1a76ba0a96 --- /dev/null 
+++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/deployment.yaml 
@@ -0,0 +1,76 @@ +{{/* + Copyright 2020 Samsung Electronics Co., Ltd. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "bind9dns.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "bind9dns.name" . }} + helm.sh/chart: {{ include "bind9dns.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "bind9dns.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "bind9dns.name" . 
}} + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: DNS_FORWARDER + value: {{ .Values.dnsconf.forwarder }} + - name: WILDCARD_DNS + value: {{ .Values.dnsconf.wildcard }} + - name: ALLOW_RECURSION + value: any + - name: ALLOW_QUERY + value: any + ports: + - name: dnsport + containerPort: {{ .Values.service.port }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.port }} + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + tcpSocket: + port: {{ .Values.service.port }} + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/service.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/service.yaml new file mode 100644 index 0000000000..715f2ff78e --- /dev/null +++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/service.yaml 
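Review bot: `ALLOW_RECURSION` and `ALLOW_QUERY` are hard-coded to `any` in the container env, and the chart's default service type is NodePort, so, assuming the image maps these variables onto BIND's allow-recursion and allow-query ACLs, every host that can reach a node address gets an open recursive resolver. Open resolvers are a well-known reflection source and also let outsiders query whatever the forwarder has cached. Both settings should come from values with a restrictive default, e.g. `value: {{ .Values.dnsconf.allowRecursion | quote }}` with `allowRecursion` set to the tester and cluster CIDRs in values.yaml, and the same for `ALLOW_QUERY`. The pod spec also sets no `securityContext`; whether the image can run as non-root while binding port 53 is not visible here and would need checking.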
@@ -0,0 +1,39 @@
+{{/*
+ Copyright 2020 Samsung Electronics Co., Ltd.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "bind9dns.fullname" . }}
+ labels:
+ app.kubernetes.io/name: {{ include "bind9dns.name" . }}
+ helm.sh/chart: {{ include "bind9dns.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ nodePort: {{ .Values.service.nodePort }}
+ protocol: TCP
+ name: dnstcp
+ - port: {{ .Values.service.port }}
+ nodePort: {{ .Values.service.nodePort }}
+ protocol: UDP
+ name: dnsudp
+ selector:
+ app.kubernetes.io/name: {{ include "bind9dns.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/tests/test-connection.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/tests/test-connection.yaml
new file mode 100644
index 0000000000..4fe5d05b02
--- /dev/null
+++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/tests/test-connection.yaml
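Review bot: `nodePort: {{ .Values.service.nodePort }}` is emitted on both port entries of service.yaml whatever `service.type` is, so switching the type to `ClusterIP` (a case the chart's NOTES.txt explicitly handles) renders a manifest the API server rejects. Guard the field on each entry, e.g. `{{- if ne .Values.service.type "ClusterIP" }}` / `nodePort: {{ .Values.service.nodePort }}` / `{{- end }}`. Once that works, a ClusterIP default would keep the resolver off the node addresses unless someone deliberately exposes it.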
@@ -0,0 +1,34 @@
+{{/*
+ Copyright 2020 Samsung Electronics Co., Ltd.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "bind9dns.fullname" . }}-test-connection"
+ labels:
+ app.kubernetes.io/name: {{ include "bind9dns.name" . }}
+ helm.sh/chart: {{ include "bind9dns.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ annotations:
+ "helm.sh/hook": test-success
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "bind9dns.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/values.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/values.yaml
new file mode 100644
index 0000000000..c9e19f41d0
--- /dev/null
+++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/values.yaml
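Review bot: The test pod in test-connection.yaml pulls `image: busybox` with no tag or digest and then runs `wget` against the DNS port, so the hook executes whatever `busybox:latest` is at pull time and, because wget speaks HTTP, cannot show that the resolver actually answers queries. Pin the image (`image: busybox:<pinned-tag>` or a digest, ideally mirrored in the project registry) and make the check a DNS lookup, e.g. `command: ['nslookup']` with `args: ['simpledemo.onap.org', '{{ include "bind9dns.fullname" . }}']`.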
@@ -0,0 +1,46 @@
+#
+# Copyright 2020 Samsung Electronics Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+replicaCount: 1
+
+image:
+ repository: luccksam/docker-bind
+ tag: 0.1.0
+ pullPolicy: IfNotPresent
+
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+ type: NodePort
+ port: 53
+ nodePort: 31555
+
+ingress:
+ enabled: false
+ annotations: {}
+ paths: []
+ hosts:
+ - dnsserver.local
+ tls: []
+
+resources: {}
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+dnsconf:
+ forwarder: "8.8.8.8,8.8.4.4"
+ wildcard: "simpledemo.onap.org=0.0.0.0"
diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh
new file mode 100755
index 0000000000..a78bc077d8
--- /dev/null
+++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh
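Review bot: `repository: luccksam/docker-bind` with `tag: 0.1.0` takes the DNS server from what looks like an individual's Docker Hub namespace and identifies it only by a mutable tag, while the other charts in this commit pull from `nexus3.onap.org:10001`. Whoever controls that namespace can change what runs behind every tester's resolver. I would mirror the image into the project registry and pin it by digest (`tag: 0.1.0@sha256:<digest-of-reviewed-image>`), or at minimum add a comment saying where its Dockerfile is maintained. The default `wildcard: "simpledemo.onap.org=0.0.0.0"` also deserves a comment that deploy_dns.sh overrides it with the cluster's external IP.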
@@ -0,0 +1,62 @@ +#!/bin/bash -e +# +# Copyright 2020 Samsung Electronics Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +DNS_PORT=31555 +CLUSTER_CONTROL=$( kubectl get no -l node-role.kubernetes.io/controlplane=true -o jsonpath='{.items..metadata.name}') +CLUSTER_IP=$(kubectl get no $CLUSTER_CONTROL -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') +SPATH="$( dirname "$( which "$0" )" )" + + + +usage() { +cat << ==usage +$0 [cluster_domain] [helm_chart_args ...] + [cluster_domain] Default value simpledemo.onap.org + [helm_chart_args...] Optional arguments passed to helm install command +==usage +} + + +target_machine_notice_info() { +cat << ==infodeploy +Extra DNS server already deployed: +1. You can add the DNS server to the target machine using following commands: + sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT + sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT + sudo sysctl -w net.ipv4.conf.all.route_localnet=1 + sudo sysctl -w net.ipv4.ip_forward=1 +2. Update /etc/resolv.conf file with nameserver 192.168.211.211 entry on your target machine +==infodeploy +} + +deploy() { + pushd "$SPATH/bind9dns" > /dev/null + if [ $# -eq 0 ]; then + local cl_domain="simpledemo.onap.org" + else + local cl_domain=$1 + shift + fi + helm install . 
--set dnsconf.wildcard="$cl_domain=$CLUSTER_IP" $@ + popd > /dev/null + target_machine_notice_info +} + +if [[ $# -eq 1 ]] && [[ $1 == "-h" || $1 == "--help" ]]; then + usage +else + deploy $@ +fi diff --git a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_cluster_config.yaml b/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_cluster_config.yaml index 937828a759..af0f59b768 100644 --- a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_cluster_config.yaml +++ b/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_cluster_config.yaml @@ -10,6 +10,8 @@ metadata: kind: ConfigMap apiVersion: v1 +data: + enable-underscores-in-headers: "on" metadata: name: nginx-configuration namespace: ingress-nginx diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/config/k8s-plugin.json b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/config/k8s-plugin.json index d459d5bb95..e5057427e8 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/config/k8s-plugin.json +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/config/k8s-plugin.json @@ -28,11 +28,11 @@ "config_path": "/usr/share/filebeat/filebeat.yml", "config_subpath": "filebeat.yml", "image" : "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}", - "config_map" : "dcae-filebeat-configmap" + "config_map" : "{{ include "common.release" . }}-dcae-filebeat-configmap" }, "tls": { - "cert_path": "/opt/tls/shared", + "cert_path": "/opt/app/osaaf", "image": "{{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}", "component_ca_cert_path": "/opt/dcae/cacert/cacert.pem", "ca_cert_configmap": "{{ include "common.fullname" . }}-dcae-cacert" diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-dashboard-inputs.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-dashboard-inputs.yaml deleted file mode 100644 index 2718e1882f..0000000000 
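Review bot: `CLUSTER_IP` is used in deploy_dns.sh without checking that the lookup returned anything: on a cluster with more than one control-plane node `CLUSTER_CONTROL` holds several names, it is passed unquoted, and the single-object jsonpath on the next line probably yields an empty string, so `deploy` would install the chart with `dnsconf.wildcard="$cl_domain="` and print iptables rules with an empty destination. Add `[ -n "$CLUSTER_IP" ] || { echo "cannot determine cluster external IP" >&2; exit 1; }` before `helm install`, and pass arguments as `"$@"` in both `helm install` and the final `deploy` call so values containing spaces are not re-split. The printed instructions also tell users to set `net.ipv4.conf.all.route_localnet=1` and `net.ipv4.ip_forward=1`; a line stating that these relax host network isolation and should be reverted after testing would help.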
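Review bot: `enable-underscores-in-headers: "on"` is switched on for the whole ingress controller in nginx_ingress_cluster_config.yaml with no comment saying which component needs it. NGINX drops such headers by default because backends that normalise `-` and `_` to the same variable can receive two spellings of one header, for example a client-supplied `X_Forwarded_For` next to the proxy's `X-Forwarded-For`. Please add a comment naming the consumer, e.g. `# required by <component>: sends headers containing underscores`, and confirm that no backend behind this ingress trusts identity or forwarding headers by their normalised name.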
--- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-dashboard-inputs.yaml +++ /dev/null @@ -1,32 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2017-2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -{{ if .Values.componentImages.dashboard }} -dashboard_docker_image: {{ include "common.repository" . }}/{{ .Values.componentImages.dashboard }} -{{ end }} -external_port: {{ .Values.config.address.dashboard.port }} -external_tls_port: {{ .Values.config.address.dashboard.portSecure }} -database_cluster_name: {{ .Values.postgres.service.name2 }}.{{ include "common.namespace" . }} -database_cluster_fqdn: {{ .Values.postgres.service.name2 }}.{{ include "common.namespace" . }}.{{ .Values.postgres.suffix }} -database_name: "dashboard_pg" -cloudify_ip: {{ .Values.config.address.cm.host }} -cloudify_user: "admin" -cloudify_password: "admin" -consul_url: {{ .Values.config.address.consul_ui }} -postgres_port: "5432" -replicas: 1 
diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml index d41fef9180..7a28812278 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml @@ -68,11 +68,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: aaf_locator_fqdn + value: dcae image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: {} volumeMounts: - - mountPath: /opt/tls/shared + - mountPath: /opt/app/osaaf name: tls-info containers: - name: {{ include "common.name" . }} diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml index 60a8d912f7..20caa5c122 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml @@ -27,7 +27,7 @@ global: loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 tlsRepository: nexus3.onap.org:10001 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.3 + tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 config: logstashServiceName: log-ls @@ -95,7 +95,7 @@ postgres: # application image repository: nexus3.onap.org:10001 -image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:1.6.4 +image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:1.9.0 default_k8s_location: central # DCAE component images to be deployed via Cloudify Manager 
@@ -103,7 +103,7 @@ default_k8s_location: central componentImages: holmes_rules: onap/holmes/rule-management:1.2.7 holmes_engine: onap/holmes/engine-management:1.2.6 - tca: onap/org.onap.dcaegen2.deployments.tca-cdap-container:1.1.2 + tca: onap/org.onap.dcaegen2.deployments.tca-cdap-container:1.2.2 ves: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.5.2 snmptrap: onap/org.onap.dcaegen2.collectors.snmptrap:1.4.0 prh: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.5.0 diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/configmap.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/configmap.yaml index b8dadaae89..f1add2dac1 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/configmap.yaml +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/configmap.yaml @@ -27,7 +27,7 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: dcae-filebeat-configmap + name: {{ include "common.release" . }}-dcae-filebeat-configmap namespace: {{include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/log/*").AsConfig . | indent 2 }} @@ -42,7 +42,7 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: dcae-filebeat-configmap + name: {{ include "common.release" . }}-dcae-filebeat-configmap namespace: {{ .Values.dcae_ns }} data: {{ tpl (.Files.Glob "resources/config/log/*").AsConfig . | indent 2 }} diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/deployment.yaml index d843290be1..9bee0510cd 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/deployment.yaml +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/deployment.yaml 
@@ -57,11 +57,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: aaf_locator_fqdn + value: dcae image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: {} volumeMounts: - - mountPath: /opt/tls/shared + - mountPath: /opt/app/osaaf name: tls-info containers: - name: {{ include "common.name" . }} diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml index 60fd7e55b3..673b01776e 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml @@ -26,6 +26,8 @@ global: readinessImage: readiness-check:2.0.0 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + tlsRepository: nexus3.onap.org:10001 + tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 repositoryCred: user: docker password: docker diff --git a/kubernetes/dcaegen2/components/dcae-config-binding-service/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-config-binding-service/templates/deployment.yaml index 131137ecb3..fe681ca566 100644 --- a/kubernetes/dcaegen2/components/dcae-config-binding-service/templates/deployment.yaml +++ b/kubernetes/dcaegen2/components/dcae-config-binding-service/templates/deployment.yaml @@ -50,6 +50,8 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + - name: aaf_locator_fqdn + value: dcae {{- if .Values.service.secure.enabled }} - name: init-tls env: @@ -62,7 +64,7 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: {} volumeMounts: - - mountPath: /opt/tls/shared + - mountPath: /opt/app/osaaf name: tls-info {{ end }} containers: 
diff --git a/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml b/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml index 8cff544d93..98faef0792 100644 --- a/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml @@ -26,7 +26,7 @@ global: loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 tlsRepository: nexus3.onap.org:10001 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.3 + tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 repositoryCred: user: docker password: docker diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml index ca9551bc6a..116a77fd8b 100644 --- a/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml +++ b/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml @@ -65,11 +65,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: aaf_locator_fqdn + value: dcae image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: {} volumeMounts: - - mountPath: /opt/tls/shared + - mountPath: /opt/app/osaaf name: tls-info containers: - name: {{ include "common.name" . }} diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml index 615afc42c2..03cb99ad14 100644 --- a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml 
@@ -25,7 +25,7 @@ global: loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 tlsRepository: nexus3.onap.org:10001 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.3 + tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 config: logstashServiceName: log-ls @@ -89,17 +89,6 @@ postgres: persistence: mountSubPath: dcae-dashboard/data mountInitPath: dcae-dashboard - pgpool: - nameOverride: dcae-dashboard-pgpool - service: - name: dcae-dashboard-pgpool - credentials: - pgusername: dcae_dashboard - pgpassword: onapdemodb - container: - name: - primary: dcae-dashboard-pgpool-primary - replica: dcae-dashboard-pgpool-replica # Resource Limit flavor -By Default using small flavor: small @@ -123,4 +112,3 @@ resources: # Kubernetes namespace for components deployed via Cloudify manager # If empty, use the common namespace # dcae_ns: "dcae" - diff --git a/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/deployment.yaml index 54beb0933b..9563f94fd9 100644 --- a/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/deployment.yaml +++ b/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/deployment.yaml @@ -61,11 +61,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: aaf_locator_fqdn + value: dcae image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: {} volumeMounts: - - mountPath: /opt/tls/shared + - mountPath: /opt/app/osaaf name: tls-info - name: init-consul image: {{ .Values.global.consulLoaderRepository }}/{{ .Values.global.consulLoaderImage }} diff --git a/kubernetes/dcaegen2/components/dcae-deployment-handler/values.yaml b/kubernetes/dcaegen2/components/dcae-deployment-handler/values.yaml index 30893b6d7c..c78625227a 100644 
--- a/kubernetes/dcaegen2/components/dcae-deployment-handler/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-deployment-handler/values.yaml @@ -25,7 +25,7 @@ global: loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 tlsRepository: nexus3.onap.org:10001 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.3 + tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderRepository: nexus3.onap.org:10001 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 repositoryCred: diff --git a/kubernetes/dcaegen2/components/dcae-policy-handler/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-policy-handler/templates/deployment.yaml index 21601eeba9..dd5fd05d88 100644 --- a/kubernetes/dcaegen2/components/dcae-policy-handler/templates/deployment.yaml +++ b/kubernetes/dcaegen2/components/dcae-policy-handler/templates/deployment.yaml @@ -61,11 +61,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: aaf_locator_fqdn + value: dcae image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: {} volumeMounts: - - mountPath: /opt/tls/shared + - mountPath: /opt/app/osaaf name: tls-info - name: init-consul image: {{ .Values.global.consulLoaderRepository }}/{{ .Values.global.consulLoaderImage }} diff --git a/kubernetes/dcaegen2/components/dcae-policy-handler/values.yaml b/kubernetes/dcaegen2/components/dcae-policy-handler/values.yaml index 3b15c55118..8517073729 100644 --- a/kubernetes/dcaegen2/components/dcae-policy-handler/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-policy-handler/values.yaml 
@@ -25,7 +25,7 @@ global: loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 tlsRepository: nexus3.onap.org:10001 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.3 + tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderRepository: nexus3.onap.org:10001 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 repositoryCred: diff --git a/kubernetes/dcaegen2/components/dcae-servicechange-handler/values.yaml b/kubernetes/dcaegen2/components/dcae-servicechange-handler/values.yaml index 0b88a65c69..63ce3db3fc 100644 --- a/kubernetes/dcaegen2/components/dcae-servicechange-handler/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-servicechange-handler/values.yaml @@ -25,7 +25,7 @@ global: loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 tlsRepository: nexus3.onap.org:10001 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.3 + tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 repositoryCred: user: docker password: docker diff --git a/kubernetes/dcaegen2/values.yaml b/kubernetes/dcaegen2/values.yaml index 254ec398f6..dfc4dbf949 100644 --- a/kubernetes/dcaegen2/values.yaml +++ b/kubernetes/dcaegen2/values.yaml @@ -19,7 +19,8 @@ global: nodePortPrefix: 302 tlsRepository: nexus3.onap.org:10001 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.3 +# Have to use locally-define tlsImage until inventory API can use 2.x.y +# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderRepository: nexus3.onap.org:10001 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 redis: diff --git a/kubernetes/dmaap/components/dmaap-bc/values.yaml b/kubernetes/dmaap/components/dmaap-bc/values.yaml index f0e9e179fa..513963067f 100644 --- a/kubernetes/dmaap/components/dmaap-bc/values.yaml +++ b/kubernetes/dmaap/components/dmaap-bc/values.yaml 
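Review bot: With `global.tlsImage` commented out in kubernetes/dcaegen2/values.yaml, every dcaegen2 subchart has to define its own `global.tlsImage`, otherwise `{{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}` renders an image reference with an empty name. The subcharts touched in this commit all set it, but the inventory API chart the new comment refers to is not part of the visible diff, so it is worth confirming that it carries a local value. The comment itself would read better as `# tlsImage is defined per subchart until inventory API can use 2.x.y`.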
@@ -119,17 +119,6 @@ postgres: persistence: mountSubPath: dbc/data mountInitPath: dbc - pgpool: - nameOverride: dbc-pgpool - service: - name: dbc-pgpool - credentials: - pgusername: dmaap_admin - pgpassword: onapdemodb - container: - name: - primary: dbc-pgpool-primary - replica: dbc-pgpool-replica ingress: enabled: false diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml index f6dcae2cac..5ef7c2f242 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml @@ -46,6 +46,22 @@ spec: apiVersion: v1 fieldPath: metadata.namespace {{- if .Values.global.aafEnabled }} + - name: {{ include "common.name" . }}-aaf-readiness + image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /root/ready.py + args: + - --container-name + - aaf-locate + - --container-name + - aaf-cm + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace - name: {{ include "common.name" . }}-dr-node-aaf-config image: "{{ include "common.repository" . }}/{{ .Values.global.aafAgentImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -174,12 +190,12 @@ spec: - name: {{ include "common.fullname" . }}-logs emptyDir: {} {{- if not .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-event-logs-pvc + - name: {{ include "common.fullname" . }}-event-logs emptyDir: {} - name: {{ include "common.fullname" . }}-data emptyDir: {} {{- if .Values.global.aafEnabled }} - - name: {{ include "common.fullname" . }}-aaf-props-pvc + - name: {{ include "common.fullname" . }}-aaf-props emptyDir: {} {{- end }} {{- end }} 
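Review bot: The `-pvc` suffix is dropped from the `event-logs` and `aaf-props` volume names only inside the `{{- if not .Values.persistence.enabled }}` branch of the second dmaap-dr-node statefulset hunk. The container `volumeMounts` and the persistent branch that must use the same names lie outside the hunk. If either still refers to the old `-pvc` names, the pod spec references an undefined volume and is rejected. A comment above the branch such as `# emptyDir names must match the volumeMounts of the containers above` would keep the two in step.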
diff --git a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml index 1b992af27e..00e0d2d339 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml @@ -22,7 +22,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/datarouter-node:2.1.3 +image: onap/dmaap/datarouter-node:2.1.4 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties index c7714d33a4..34662ae9e3 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties +++ b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties @@ -50,7 +50,6 @@ org.onap.dmaap.datarouter.provserver.https.include.protocols = TLSv1.1|TLSv1.2 # AAF config org.onap.dmaap.datarouter.provserver.cadi.enabled = false -org.onap.dmaap.datarouter.provserver.passwordencryption = PasswordEncryptionKey#@$%^&1234# org.onap.dmaap.datarouter.provserver.aaf.feed.type = org.onap.dmaap-dr.feed org.onap.dmaap.datarouter.provserver.aaf.sub.type = org.onap.dmaap-dr.sub org.onap.dmaap.datarouter.provserver.aaf.instance = legacy diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml index 4eb0888712..6435b0a641 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml @@ -54,6 +54,8 @@ spec: args: - --container-name - aaf-locate + - --container-name + - aaf-cm env: - name: NAMESPACE valueFrom: 
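Review bot: The dmaap-dr-prov readiness init container now also waits for `aaf-cm`, and the hunk does not show whether it sits under an `{{- if .Values.global.aafEnabled }}` guard as the equivalent container added to the dmaap-dr-node statefulset does. The provserver.properties context in this commit has `cadi.enabled = false`, so running without AAF looks like a supported case, and an unguarded wait there would hold the pod in Init indefinitely. The container definition starts above the hunk, so this has to be checked against the full template.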
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml index 80b15c7063..8e3364f879 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml @@ -23,7 +23,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/datarouter-prov:2.1.3 +image: onap/dmaap/datarouter-prov:2.1.4 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml index 30e4c77576..aa97e32a9a 100644 --- a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml @@ -75,6 +75,7 @@ spec: - -exec - | chown -R 1000:1000 /opt/kafka/data; + rm -rf '/opt/kafka/data/lost+found'; cp /opt/kafka/tmpconfig/server.properties /opt/kafka/config/; chown 1000:1000 /opt/kafka/config/server.properties; cd /opt/kafka/config; diff --git a/kubernetes/dmaap/components/message-router/values.yaml b/kubernetes/dmaap/components/message-router/values.yaml index 06c966997f..935c090751 100644 --- a/kubernetes/dmaap/components/message-router/values.yaml +++ b/kubernetes/dmaap/components/message-router/values.yaml @@ -28,7 +28,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/dmaap/dmaap-mr:1.1.16 +image: onap/dmaap/dmaap-mr:1.1.17 pullPolicy: Always kafka: 
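Review bot: The added `rm -rf '/opt/kafka/data/lost+found';` in the message-router-kafka init script carries no explanation, and a recursive delete on the data volume deserves one. I would add a shell comment before it, e.g. `# a freshly formatted volume contains lost+found, which Kafka would treat as a log directory`, if that is the reason. Placing it before the `chown -R` rather than after would also avoid touching a directory that is about to be removed.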
diff --git a/kubernetes/multicloud/charts/multicloud-fcaps/templates/deployment.yaml b/kubernetes/multicloud/charts/multicloud-fcaps/templates/deployment.yaml index e2837ef7f0..30d521ac2a 100644 --- a/kubernetes/multicloud/charts/multicloud-fcaps/templates/deployment.yaml +++ b/kubernetes/multicloud/charts/multicloud-fcaps/templates/deployment.yaml @@ -40,6 +40,8 @@ spec: spec: containers: - env: + - name: MSB_PROTO + value: {{ .Values.config.msbprotocol }} - name: MSB_ADDR value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - name: MSB_PORT @@ -54,6 +56,8 @@ spec: value: "{{ .Values.config.aai.username }}" - name: AAI_PASSWORD value: "{{ .Values.config.aai.password }}" + - name: SSL_ENABLED + value: "{{ .Values.config.ssl_enabled }}" name: {{ include "common.name" . }} volumeMounts: - mountPath: /var/log/onap @@ -74,7 +78,7 @@ spec: httpGet: path: /api/multicloud-fcaps/v1/healthcheck port: {{ .Values.service.internalPort }} - scheme: HTTP + scheme: HTTPS initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} diff --git a/kubernetes/multicloud/charts/multicloud-fcaps/templates/service.yaml b/kubernetes/multicloud/charts/multicloud-fcaps/templates/service.yaml index 75cd4c0dda..fabe32e0ff 100644 --- a/kubernetes/multicloud/charts/multicloud-fcaps/templates/service.yaml +++ b/kubernetes/multicloud/charts/multicloud-fcaps/templates/service.yaml @@ -32,6 +32,7 @@ metadata: "url": "/api/multicloud-fcaps/v0", "protocol": "REST", "port": "{{ .Values.service.externalPort }}", + "enable_ssl": {{ .Values.config.ssl_enabled }}, "visualRange": "1" }, { @@ -40,6 +41,7 @@ metadata: "url": "/api/multicloud-fcaps/v1", "protocol": "REST", "port": "{{ .Values.service.externalPort }}", + "enable_ssl": {{ .Values.config.ssl_enabled }}, "visualRange": "1" } ]' 
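Review bot: `MSB_PROTO` is rendered unquoted in the first hunk (`value: {{ .Values.config.msbprotocol }}`), while the neighbouring `MSB_ADDR` and the new `SSL_ENABLED` entries are quoted. An unset or non-string `msbprotocol` then reaches the env entry as whatever YAML makes of it, whereas `value: "{{ .Values.config.msbprotocol }}"` keeps it a string in every case. The same line is added in the multicloud-starlingx and multicloud-windriver deployment.yaml hunks.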
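Review bot: The liveness probe scheme is hard-coded to `HTTPS` in the third hunk while TLS itself is switched by the new `config.ssl_enabled` value, so an operator who sets `ssl_enabled: false` gets a probe that can never succeed against a plain-HTTP listener. Deriving the scheme from the same value keeps the two together: `scheme: {{ if .Values.config.ssl_enabled }}HTTPS{{ else }}HTTP{{ end }}`. The multicloud-starlingx and multicloud-windriver deployment.yaml hunks make the same change. Whether the image actually switches listeners on `SSL_ENABLED` is not visible here.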
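Review bot: `"enable_ssl": {{ .Values.config.ssl_enabled }}` is emitted unquoted inside the JSON annotation in service.yaml, so the annotation is valid JSON only while the value renders as `true` or `false`. An override that leaves `ssl_enabled` unset produces a malformed entry, which `"enable_ssl": {{ .Values.config.ssl_enabled | default false }},` would prevent. The same line appears in both entries here and in the starlingx and windriver service.yaml hunks, and it replaces the quoted form in kubernetes/multicloud/templates/service.yaml.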
diff --git a/kubernetes/multicloud/charts/multicloud-fcaps/values.yaml b/kubernetes/multicloud/charts/multicloud-fcaps/values.yaml index 075a196cf8..4b34784ccd 100644 --- a/kubernetes/multicloud/charts/multicloud-fcaps/values.yaml +++ b/kubernetes/multicloud/charts/multicloud-fcaps/values.yaml @@ -23,7 +23,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/multicloud/openstack-fcaps:1.4.1 +image: onap/multicloud/openstack-fcaps:1.5.3 pullPolicy: Always #Istio sidecar injection policy @@ -31,8 +31,10 @@ istioSidecar: false # application configuration config: + ssl_enabled: true + msbprotocol: https msbgateway: msb-iag - msbPort: 80 + msbPort: 443 aai: port: 8443 schemaVersion: v13 diff --git a/kubernetes/multicloud/charts/multicloud-starlingx/resources/config/log/log.yml b/kubernetes/multicloud/charts/multicloud-starlingx/resources/config/log/log.yml index 8ec5449266..9112e352e4 100644 --- a/kubernetes/multicloud/charts/multicloud-starlingx/resources/config/log/log.yml +++ b/kubernetes/multicloud/charts/multicloud-starlingx/resources/config/log/log.yml @@ -15,6 +15,10 @@ version: 1 disable_existing_loggers: False loggers: + starlingx_base: + handlers: [starlingx_handler] + level: "DEBUG" + propagate: False starlingx: handlers: [starlingx_handler] level: "DEBUG" diff --git a/kubernetes/multicloud/charts/multicloud-starlingx/templates/deployment.yaml b/kubernetes/multicloud/charts/multicloud-starlingx/templates/deployment.yaml index 1ee8172ae2..f132cc73b2 100644 --- a/kubernetes/multicloud/charts/multicloud-starlingx/templates/deployment.yaml +++ b/kubernetes/multicloud/charts/multicloud-starlingx/templates/deployment.yaml @@ -40,6 +40,8 @@ spec: spec: containers: - env: + - name: MSB_PROTO + value: {{ .Values.config.msbprotocol }} - name: MSB_ADDR value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - name: MSB_PORT 
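Review bot: The new `starlingx_base` logger in log.yml ships at `level: "DEBUG"`, and this chart's deployment passes `AAI_PASSWORD` to the container, so debug output is where credentials or tokens would tend to surface. Whether the package logs any is not visible here, but `level: "INFO"` as the shipped default, with DEBUG left to an override, is the safer setting. The existing `starlingx` logger in the context lines has the same level.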
@@ -54,6 +56,8 @@ spec: value: "{{ .Values.config.aai.username }}" - name: AAI_PASSWORD value: "{{ .Values.config.aai.password }}" + - name: SSL_ENABLED + value: "{{ .Values.config.ssl_enabled }}" name: {{ include "common.name" . }} volumeMounts: - mountPath: /var/log/onap @@ -76,7 +80,7 @@ spec: httpGet: path: /api/multicloud-starlingx/v0/swagger.json port: {{ .Values.service.internalPort }} - scheme: HTTP + scheme: HTTPS initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} diff --git a/kubernetes/multicloud/charts/multicloud-starlingx/templates/service.yaml b/kubernetes/multicloud/charts/multicloud-starlingx/templates/service.yaml index 7e01150e31..cf67f106ee 100644 --- a/kubernetes/multicloud/charts/multicloud-starlingx/templates/service.yaml +++ b/kubernetes/multicloud/charts/multicloud-starlingx/templates/service.yaml @@ -32,6 +32,7 @@ metadata: "url": "/api/multicloud-starlingx/v0", "protocol": "REST", "port": "{{ .Values.service.externalPort }}", + "enable_ssl": {{ .Values.config.ssl_enabled }}, "visualRange": "1" }, { @@ -40,6 +41,7 @@ metadata: "url": "/api/multicloud-starlingx/v1", "protocol": "REST", "port": "{{ .Values.service.externalPort }}", + "enable_ssl": {{ .Values.config.ssl_enabled }}, "visualRange": "1" } ]' diff --git a/kubernetes/multicloud/charts/multicloud-starlingx/values.yaml b/kubernetes/multicloud/charts/multicloud-starlingx/values.yaml index 26ecf93367..2dffd1c959 100644 --- a/kubernetes/multicloud/charts/multicloud-starlingx/values.yaml +++ b/kubernetes/multicloud/charts/multicloud-starlingx/values.yaml @@ -23,7 +23,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/multicloud/openstack-starlingx:1.4.1 +image: onap/multicloud/openstack-starlingx:1.5.3 pullPolicy: Always #Istio sidecar injection policy 
@@ -31,8 +31,10 @@ istioSidecar: false # application configuration config: + ssl_enabled: true + msbprotocol: https msbgateway: msb-iag - msbPort: 80 + msbPort: 443 aai: port: 8443 schemaVersion: v13 diff --git a/kubernetes/multicloud/charts/multicloud-windriver/templates/deployment.yaml b/kubernetes/multicloud/charts/multicloud-windriver/templates/deployment.yaml index d0af26c0a0..dc8744cb9e 100644 --- a/kubernetes/multicloud/charts/multicloud-windriver/templates/deployment.yaml +++ b/kubernetes/multicloud/charts/multicloud-windriver/templates/deployment.yaml @@ -49,6 +49,8 @@ spec: name: artifact-data containers: - env: + - name: MSB_PROTO + value: {{ .Values.config.msbprotocol }} - name: MSB_ADDR value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - name: MSB_PORT @@ -63,6 +65,8 @@ spec: value: "{{ .Values.config.aai.username }}" - name: AAI_PASSWORD value: "{{ .Values.config.aai.password }}" + - name: SSL_ENABLED + value: "{{ .Values.config.ssl_enabled }}" name: {{ include "common.name" . }} volumeMounts: - mountPath: /var/log/onap @@ -85,7 +89,7 @@ spec: httpGet: path: /api/multicloud-titaniumcloud/v1/swagger.json port: {{ .Values.service.internalPort }} - scheme: HTTP + scheme: HTTPS initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} diff --git a/kubernetes/multicloud/charts/multicloud-windriver/templates/service.yaml b/kubernetes/multicloud/charts/multicloud-windriver/templates/service.yaml index 43fc99cd90..5a555b3222 100644 --- a/kubernetes/multicloud/charts/multicloud-windriver/templates/service.yaml +++ b/kubernetes/multicloud/charts/multicloud-windriver/templates/service.yaml @@ -33,6 +33,7 @@ metadata: "url": "/api/multicloud-titanium_cloud/v0", "protocol": "REST", "port": "{{ .Values.service.externalPort }}", + "enable_ssl": {{ .Values.config.ssl_enabled }}, "visualRange": "1" }, { 
@@ -41,6 +42,7 @@ metadata: "url": "/api/multicloud-titaniumcloud/v0", "protocol": "REST", "port": "{{ .Values.service.externalPort }}", + "enable_ssl": {{ .Values.config.ssl_enabled }}, "visualRange": "1" }, { @@ -49,6 +51,7 @@ metadata: "url": "/api/multicloud-titaniumcloud/v1", "protocol": "REST", "port": "{{ .Values.service.externalPort }}", + "enable_ssl": {{ .Values.config.ssl_enabled }}, "visualRange": "1" } ]' diff --git a/kubernetes/multicloud/charts/multicloud-windriver/values.yaml b/kubernetes/multicloud/charts/multicloud-windriver/values.yaml index abc77260ad..1104fa0696 100644 --- a/kubernetes/multicloud/charts/multicloud-windriver/values.yaml +++ b/kubernetes/multicloud/charts/multicloud-windriver/values.yaml @@ -26,7 +26,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/multicloud/openstack-windriver:1.4.1 +image: onap/multicloud/openstack-windriver:1.5.3 pullPolicy: Always #Istio sidecar injection policy @@ -34,8 +34,10 @@ istioSidecar: true # application configuration config: + ssl_enabled: true + msbprotocol: https msbgateway: msb-iag - msbPort: 80 + msbPort: 443 aai: port: 8443 schemaVersion: v13 diff --git a/kubernetes/multicloud/templates/deployment.yaml b/kubernetes/multicloud/templates/deployment.yaml index ed74032e85..3d75b78187 100644 --- a/kubernetes/multicloud/templates/deployment.yaml +++ b/kubernetes/multicloud/templates/deployment.yaml @@ -40,7 +40,7 @@ spec: containers: - env: - name: MSB_PROTO - value: {{ .Values.config.msbprotocol }}.{{ include "common.namespace" . }} + value: {{ .Values.config.msbprotocol }} - name: MSB_ADDR value: {{ .Values.config.msbgateway }}.{{ include "common.namespace" . }} - name: MSB_PORT diff --git a/kubernetes/multicloud/templates/service.yaml b/kubernetes/multicloud/templates/service.yaml index 12bbb298b8..3f950db038 100644 --- a/kubernetes/multicloud/templates/service.yaml 
+++ b/kubernetes/multicloud/templates/service.yaml @@ -33,7 +33,7 @@ metadata: "url": "/api/multicloud/v0", "protocol": "REST", "port": "{{ .Values.service.externalPort }}", - "enable_ssl": "{{ .Values.config.ssl_enabled }}", + "enable_ssl": {{ .Values.config.ssl_enabled }}, "visualRange": "1" }, { @@ -42,7 +42,7 @@ metadata: "url": "/api/multicloud/v1", "protocol": "REST", "port": "{{ .Values.service.externalPort }}", - "enable_ssl": "{{ .Values.config.ssl_enabled }}", + "enable_ssl": {{ .Values.config.ssl_enabled }}, "visualRange": "1" } ]' diff --git a/kubernetes/nbi/templates/deployment.yaml b/kubernetes/nbi/templates/deployment.yaml index ceaf12b844..1fad1fc5aa 100644 --- a/kubernetes/nbi/templates/deployment.yaml +++ b/kubernetes/nbi/templates/deployment.yaml @@ -56,12 +56,9 @@ spec: - name: SPRING_DATASOURCE_URL value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ index .Values "mariadb-galera" "config" "mysqlDatabase" }} - name: SPRING_DATASOURCE_USERNAME - value: {{ index .Values "mariadb-galera" "config" "userName" }} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "nbi-db-secret" "key" "login") | indent 14 }} - name: SPRING_DATASOURCE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.mariadbSecret" . }} - key: {{ include "common.mariadbSecretParam" . }} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "nbi-db-secret" "key" "password") | indent 14 }} - name: SPRING_DATA_MONGODB_HOST value: {{ .Values.mongo.service.name }}.{{ include "common.namespace" . }} - name: SPRING_DATA_MONGODB_PORT diff --git a/kubernetes/common/postgres/charts/pgpool/requirements.yaml b/kubernetes/nbi/templates/secret.yaml similarity index 81% rename from kubernetes/common/postgres/charts/pgpool/requirements.yaml rename to kubernetes/nbi/templates/secret.yaml index 5b097f3ab7..dee311c336 100644 --- a/kubernetes/common/postgres/charts/pgpool/requirements.yaml 
+++ b/kubernetes/nbi/templates/secret.yaml @@ -1,4 +1,4 @@ -# Copyright © 2018 Amdocs, AT&T, Bell Canada +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,7 +12,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -dependencies: - - name: common - version: ~5.x-0 - repository: '@local' +{{ include "common.secret" . }} diff --git a/kubernetes/nbi/values.yaml b/kubernetes/nbi/values.yaml index 30f7d2d18e..29939722d6 100644 --- a/kubernetes/nbi/values.yaml +++ b/kubernetes/nbi/values.yaml @@ -29,6 +29,17 @@ global: internalPort: 3306 nameOverride: mariadb-galera +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: nbi-db-secret + name: '{{ include "common.release" . }}-nbi-db-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' + subChartsOnly: enabled: true @@ -49,15 +60,17 @@ config: ecompInstanceId: OOM openStackRegion: RegionOne openStackVNFTenantId: 31047205ce114b60833b23e400d6a535 + db: + userName: rene + # userPassword: password + # userCredentialsExternalSecret: some-secret mariadb-galera: # '&mariadbConfig' means we "store" the values for later use in the file # with '*mariadbConfig' pointer. config: &mariadbConfig - userName: rene - userPassword: lkjgklqsdareyhjujlnnbvfvdttuiukgpiokqbfsjdhfigquosegombvjfqhb - mariadbRootPassword: dhqjdshjdsguryebvcnbvcvdsqghyjqgktgjjfhjfghbfs - mysqlDatabase: nbi + userCredentialsExternalSecret: '{{ include "common.release" . }}-nbi-db-secret' + mysqlDatabase: nbi nameOverride: nbi-galera service: name: nbi-galera 
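Review bot: After the nbi values.yaml change the defaults contain `config.db.userName` but no password: `userPassword` and `userCredentialsExternalSecret` are both commented out in the second hunk, and what `common.secret` does in that case is not shown here. A comment stating the behaviour would help, e.g. `# set exactly one of userPassword or userCredentialsExternalSecret`, adjusted to what the template really does. `mariadbRootPassword` is removed from the `mariadb-galera` config in the third hunk with no replacement in view, so the source of the root password should be confirmed too. The two literals deleted here were published chart defaults, and any deployment still using them should rotate.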
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index 5344a423f3..2395495df3 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -173,4 +173,4 @@ vid: vnfsdk: enabled: false modeling: - enabled: false \ No newline at end of file + enabled: false diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml index 0e6b4c8791..d7a0ea5ca3 100644 --- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml +++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml @@ -60,8 +60,8 @@ spec: - name: DB_PASSWORD valueFrom: secretKeyRef: - name: {{ include "common.release" . }}-cmso-db - key: db-root-password + name: {{ include "common.release" . }}-cmso-db-db-root-password + key: password terminationMessagePolicy: File volumeMounts: - name: {{ include "common.fullname" . }}-config @@ -84,8 +84,8 @@ spec: - name: DB_PASSWORD valueFrom: secretKeyRef: - name: {{ include "common.release" . }}-cmso-db - key: db-root-password + name: {{ include "common.release" . }}-cmso-db-db-root-password + key: password - name: JAVA_TRUSTSTORE value: /share/etc/certs/{{ .Values.global.truststoreFile }} - name: SSL_KEYSTORE diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml index e7b5eed924..385d61684f 100644 --- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml +++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml 
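Review bot: In the second oof-cmso-optimizer hunk, the container that also receives `JAVA_TRUSTSTORE` and `SSL_KEYSTORE` takes `DB_PASSWORD` from `-cmso-db-db-root-password`, whereas the corresponding container in oof-cmso-service reads `-cmso-db-db-user-credentials`. If this is the optimizer's long-running application container, it connects with the database root password. Pointing it at `name: {{ include "common.release" . }}-cmso-db-db-user-credentials` would match the service chart, provided that user has grants on the optimizer schema. The container definition begins outside the hunk, so its role is inferred from the env names.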
@@ -60,8 +60,8 @@ spec: - name: DB_PASSWORD valueFrom: secretKeyRef: - name: {{ include "common.release" . }}-cmso-db - key: db-root-password + name: {{ include "common.release" . }}-cmso-db-db-root-password + key: password terminationMessagePolicy: File volumeMounts: - name: {{ include "common.fullname" . }}-config @@ -90,7 +90,7 @@ spec: - name: {{ include "common.fullname" . }}-config mountPath: /share/etc/config ports: - - containerPort: 5000 + - containerPort: 5000 resources: {{ include "common.resources" . }} - name: {{ include "common.name" . }} @@ -108,8 +108,8 @@ spec: - name: DB_PASSWORD valueFrom: secretKeyRef: - name: {{ include "common.release" . }}-cmso-db - key: user-password + name: {{ include "common.release" . }}-cmso-db-db-user-credentials + key: password - name: JAVA_TRUSTSTORE value: /share/etc/certs/{{ .Values.global.truststoreFile }} - name: SSL_KEYSTORE diff --git a/kubernetes/robot b/kubernetes/robot index 091f164a83..591bfdea4f 160000 --- a/kubernetes/robot +++ b/kubernetes/robot @@ -1 +1 @@ -Subproject commit 091f164a832479cb40ad6f5d7e4960269e75f87f +Subproject commit 591bfdea4f1d833abee3c7e60f084da546d9082a diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml index a7006bc56c..6abf911a89 100644 --- a/kubernetes/sdc/values.yaml +++ b/kubernetes/sdc/values.yaml @@ -29,7 +29,7 @@ global: ubuntuInitRepository: oomk8s ubuntuInitImage: ubuntu-init:1.0.0 cassandra: - #This flag allows SDC to instantiate its own cluster, serviceName + #This flag allows SDC to instantiate its own cluster, serviceName #should be sdc-cs if this flag is enabled localCluster: false #The cassandra service name to connect to (default: shared cassandra service) diff --git a/kubernetes/so/charts/so-bpmn-infra/resources/config/overrides/override.yaml b/kubernetes/so/charts/so-bpmn-infra/resources/config/overrides/override.yaml index 5930b5d5be..a714ba9328 100755 --- a/kubernetes/so/charts/so-bpmn-infra/resources/config/overrides/override.yaml 
+++ b/kubernetes/so/charts/so-bpmn-infra/resources/config/overrides/override.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. aai: - auth: 221187EFA3AD4E33600DE0488F287099934CE65C3D0697BCECC00BB58E784E07CD74A24581DC31DBC086FF63DF116378776E9BE3D1325885 + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.aai.auth )}} dme2: timeout: '30000' endpoint: https://aai.{{ include "common.namespace" . }}:8443 @@ -21,7 +21,7 @@ aai: cds: endpoint: cds-blueprints-processor-grpc port: 9111 - auth: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== + auth: {{ .Values.cds.auth }} timeout: 600 camunda: bpm: @@ -51,10 +51,12 @@ mso: rainyDay: retryDurationMultiplier: 2 maxRetries: 5 - msoKey: 07a7159d3bf51a0e53be7a8f89699be7 + msoKey: {{ .Values.mso.key }} correlation: timeout: 60 logPath: logs + config: + cadi: {{ include "cadi.keys" . | nindent 8}} async: core-pool-size: 50 max-pool-size: 50 @@ -64,10 +66,10 @@ mso: endpoint: http://so-openstack-adapter.{{ include "common.namespace" . }}:8087/CompleteMsoProcess requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: Basic YnBlbDpwYXNzd29yZDEk + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.adapters.requestDb.auth )}} db: - auth: A3745B5DBE165EFCF101D85A6FC81C211AB8BF604F8861B6C413D5DC90F8F30E0139DE44B8A342F4EF70AF - password: wLg4sjrAFUS8rfVfdvTXeQ== + auth: {{ .Values.mso.adapters.db.auth }} + password: {{ .Values.mso.adapters.db.password }} endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083/services/RequestsDbAdapter spring: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 
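Review bot: The credential values are substituted without quoting, e.g. `msoKey: {{ .Values.mso.key }}` in the `@@ -51,10` hunk and `auth: {{ .Values.cds.auth }}` above it, so the resulting YAML type depends on the secret's characters. An all-digit key becomes a number, and a value containing `: ` or ` #` breaks or truncates the line. `msoKey: {{ .Values.mso.key | quote }}` avoids that. The same applies to the other substitutions in this file's later hunks and in the so-catalog-db-adapter and so-openstack-adapter override.yaml files.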
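Review bot: The `requestDb` `auth` line in the `@@ -64,10` hunk previously held a `Basic …` header, yet its AAF branch now reads `.Values.global.aaf.auth.encrypted`, while the catalog `db.auth` line in the `@@ -112,7` hunk, which held the same header, reads `.Values.global.aaf.auth.header`. One of the two is probably wrong; if requestDb expects a header, it should use `"value1" .Values.global.aaf.auth.header`. That later hunk also takes its non-AAF fallback from `.Values.mso.adapters.requestDb.auth` rather than a catalog-specific value, which works only while both share one credential.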
@@ -79,7 +81,7 @@ mso: db: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083/services/RequestsDbAdapter po: - auth: A3745B5DBE165EFCF101D85A6FC81C211AB8BF604F8861B6C413D5DC90F8F30E0139DE44B8A342F4EF70AF + auth: {{ .Values.mso.adapters.po.auth }} sdnc: endpoint: http://so-sdnc-adapter.{{ include "common.namespace" . }}:8086/adapters/SDNCAdapter rest: @@ -112,7 +114,7 @@ mso: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: Basic YnBlbDpwYXNzd29yZDEk + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} default: adapter: namespace: http://org.onap.mso @@ -129,7 +131,7 @@ mso: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083/ rollback: 'true' sdnc: - password: 1D78CFC35382B6938A989066A7A7EAEF4FE933D2919BABA99EB4763737F39876C333EE5F + password: {{ .Values.mso.sdnc.password }} service: agnostic: sniro: @@ -137,12 +139,12 @@ mso: host: http://sniro-emulator:80 site-name: CamundaEngine sniro: - auth: test:testpwd + auth: {{ .Values.mso.sniro.auth }} callback: http://so-openstack-adapter.{{ include "common.namespace" . }}:8087/adapters/rest/SDNCNotify - endpoint: http://replaceme:28090/optimizationInstance/V1/create + endpoint: {{ .Values.mso.sniro.endpoint }} timeout: PT30M oof: - auth: test:testpwd + auth: {{ .Values.mso.oof.auth }} callbackEndpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage endpoint: https://oof-osdf.{{ include "common.namespace" . }}:8698/api/oof/v1/placement timeout: PT30M @@ -361,7 +363,7 @@ so: vnfm: adapter: url: https://so-vnfm-adapter.{{ include "common.namespace" . }}:9092/so/vnfm-adapter/v1/ - auth: Basic dm5mbTpwYXNzd29yZDEk + auth: {{ .Values.so.vnfm.adapter.auth }} org: onap: so: 
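Review bot: The credentials substituted in these hunks (`mso.sdnc.password`, `mso.sniro.auth`, `mso.oof.auth`, `so.vnfm.adapter.auth`) are still written in clear into the rendered override.yaml, so moving them to `.Values` parameterises them without protecting them. If that file is delivered through a ConfigMap, which these hunks do not show, anyone allowed to read ConfigMaps in the namespace can read them. The nbi chart in this same commit moves its database login to a Secret via `common.secret.envFromSecret`, and the same pattern would fit here. values.yaml is outside this view, so whether the defaults are still the strings removed here cannot be checked.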
diff --git a/kubernetes/so/charts/so-bpmn-infra/templates/configmap.yaml b/kubernetes/so/charts/so-bpmn-infra/templates/configmap.yaml index d873beb62c..b57205223e 100755 --- a/kubernetes/so/charts/so-bpmn-infra/templates/configmap.yaml +++ b/kubernetes/so/charts/so-bpmn-infra/templates/configmap.yaml @@ -15,6 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} + ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-bpmn-infra/templates/deployment.yaml b/kubernetes/so/charts/so-bpmn-infra/templates/deployment.yaml index 931a89516b..91e9be6376 100755 --- a/kubernetes/so/charts/so-bpmn-infra/templates/deployment.yaml +++ b/kubernetes/so/charts/so-bpmn-infra/templates/deployment.yaml @@ -85,6 +85,22 @@ spec: secretKeyRef: name: {{ include "common.release" . }}-so-db-secrets key: mariadb.admin.password + {{- if eq .Values.global.security.aaf.enabled true }} + - name: TRUSTSTORE + value: /app/org.onap.so.trust.jks + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: trustStorePassword + - name: KEYSTORE + value: /app/org.onap.so.jks + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: keyStorePassword + {{- end }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap 
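Review bot: The new keystore and truststore password entries in deployment.yaml look up the secret as `{{ .Release.Name}}-so-client-certs-secret`, while the context line just above uses `{{ include "common.release" . }}-so-db-secrets`. If `common.release` resolves to anything other than `.Release.Name`, the two prefixes diverge and the pod fails to start on a missing secret. `name: {{ include "common.release" . }}-so-client-certs-secret` keeps them aligned, assuming the secret is created under that name. The guard `{{- if eq .Values.global.security.aaf.enabled true }}` also fails at render time when an override omits `global.security`. The identical hunks in the so-catalog-db-adapter and so-openstack-adapter deployment.yaml files share both points.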
@@ -95,16 +111,7 @@ spec: - name: config mountPath: /app/config readOnly: true - livenessProbe: - httpGet: - path: {{- index .Values.livenessProbe.path|indent 2}} - port: {{ index .Values.containerPort }} - scheme: {{- index .Values.livenessProbe.scheme| indent 2}} - initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} - periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} - timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}} - successThreshold: {{ index .Values.livenessProbe.successThreshold}} - failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} +{{ include "helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/charts/so-catalog-db-adapter/resources/config/overrides/override.yaml b/kubernetes/so/charts/so-catalog-db-adapter/resources/config/overrides/override.yaml index 2ea2cffe27..952642c48a 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/charts/so-catalog-db-adapter/resources/config/overrides/override.yaml @@ -19,12 +19,14 @@ ssl-enable: false mso: logPath: logs site-name: onapheat + config: + cadi: {{ include "cadi.keys" . | nindent 8}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: Basic YnBlbDpwYXNzd29yZDEk + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.db.auth )}} spring: datasource: hikari: diff --git a/kubernetes/so/charts/so-catalog-db-adapter/templates/configmap.yaml b/kubernetes/so/charts/so-catalog-db-adapter/templates/configmap.yaml index d873beb62c..b57205223e 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/templates/configmap.yaml +++ b/kubernetes/so/charts/so-catalog-db-adapter/templates/configmap.yaml 
@@ -15,6 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} + ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-catalog-db-adapter/templates/deployment.yaml b/kubernetes/so/charts/so-catalog-db-adapter/templates/deployment.yaml index 931a89516b..91e9be6376 100755 --- a/kubernetes/so/charts/so-catalog-db-adapter/templates/deployment.yaml +++ b/kubernetes/so/charts/so-catalog-db-adapter/templates/deployment.yaml @@ -85,6 +85,22 @@ spec: secretKeyRef: name: {{ include "common.release" . }}-so-db-secrets key: mariadb.admin.password + {{- if eq .Values.global.security.aaf.enabled true }} + - name: TRUSTSTORE + value: /app/org.onap.so.trust.jks + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: trustStorePassword + - name: KEYSTORE + value: /app/org.onap.so.jks + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: keyStorePassword + {{- end }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap 
@@ -95,16 +111,7 @@ spec: - name: config mountPath: /app/config readOnly: true - livenessProbe: - httpGet: - path: {{- index .Values.livenessProbe.path|indent 2}} - port: {{ index .Values.containerPort }} - scheme: {{- index .Values.livenessProbe.scheme| indent 2}} - initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} - periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} - timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}} - successThreshold: {{ index .Values.livenessProbe.successThreshold}} - failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} +{{ include "helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/charts/so-openstack-adapter/resources/config/overrides/override.yaml b/kubernetes/so/charts/so-openstack-adapter/resources/config/overrides/override.yaml index 4bf20a683b..4710fea218 100755 --- a/kubernetes/so/charts/so-openstack-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/charts/so-openstack-adapter/resources/config/overrides/override.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. aai: - auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.aai.auth )}} endpoint: https://aai.{{ include "common.namespace" . }}:8443 server: port: {{ index .Values.containerPort }} 
@@ -58,7 +58,7 @@ org: default_keystone_url_version: /v2.0 default_keystone_reg_ex: "/[vV][0-9]" vnf: - bpelauth: D1A67FA93B6A6419132D0F83CC771AF774FD3C60853C50C22C8C6FC5088CC79E9E81EDE9EA39F22B2F66A0068E + bpelauth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.bpelauth )}} checkRequiredParameters: true addGetFilesOnVolumeReq: false sockettimeout: 30 @@ -69,7 +69,7 @@ org: valet_enabled: false fail_requests_on_valet_failure: false network: - bpelauth: D1A67FA93B6A6419132D0F83CC771AF774FD3C60853C50C22C8C6FC5088CC79E9E81EDE9EA39F22B2F66A0068E + bpelauth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.bpelauth )}} sockettimeout: 5 connecttimeout: 5 retrycount: 5 @@ -96,22 +96,21 @@ ecomp: pollTimeout: 7500 pollInterval: 15 mso: - auth: BEA8637716A7EB617DF472BA6552D22F68C1CB17B0D094D77DDA562F4ADAAC4457CAB848E1A4 + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.encrypted "value2" .Values.mso.auth )}} logPath: ./logs/openstack msb-ip: msb-iag.{{ include "common.namespace" . }} msb-port: 80 workflow: endpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/sobpmnengine - msoKey: 07a7159d3bf51a0e53be7a8f89699be7 + msoKey: {{ .Values.mso.msoKey }} config: - cadi: - aafId: poBpmn + cadi: {{ include "cadi.keys" . | nindent 8}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: Basic YnBlbDpwYXNzd29yZDEk + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.db.auth )}} site-name: localDevEnv async: core-pool-size: 50 
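Review bot: In the `@@ -96,22 +96,21 @@` hunk, `msoKey` and the `auth` values are still rendered side by side into the same override.yaml, so whoever can read the rendered file gets the encrypted strings and, presumably, the key that decrypts them. Moving the literals into values changes where they are typed, not who can read them. The literals removed here also remain in the repository history and should be treated as exposed; if values.yaml (not visible here) carries them over as defaults, they need rotating before any non-lab deployment. The commit already injects `TRUSTSTORE_PASSWORD` through `secretKeyRef`, and the same route would suit `msoKey` and the `auth` entries. The `mso:` block continues outside the hunk.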
diff --git a/kubernetes/so/charts/so-openstack-adapter/templates/configmap.yaml b/kubernetes/so/charts/so-openstack-adapter/templates/configmap.yaml index d873beb62c..b57205223e 100755 --- a/kubernetes/so/charts/so-openstack-adapter/templates/configmap.yaml +++ b/kubernetes/so/charts/so-openstack-adapter/templates/configmap.yaml @@ -15,6 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} + ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-openstack-adapter/templates/deployment.yaml b/kubernetes/so/charts/so-openstack-adapter/templates/deployment.yaml index 931a89516b..91e9be6376 100755 --- a/kubernetes/so/charts/so-openstack-adapter/templates/deployment.yaml +++ b/kubernetes/so/charts/so-openstack-adapter/templates/deployment.yaml @@ -85,6 +85,22 @@ spec: secretKeyRef: name: {{ include "common.release" . }}-so-db-secrets key: mariadb.admin.password + {{- if eq .Values.global.security.aaf.enabled true }} + - name: TRUSTSTORE + value: /app/org.onap.so.trust.jks + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: trustStorePassword + - name: KEYSTORE + value: /app/org.onap.so.jks + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: keyStorePassword + {{- end }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap 
@@ -95,16 +111,7 @@ spec: - name: config mountPath: /app/config readOnly: true - livenessProbe: - httpGet: - path: {{- index .Values.livenessProbe.path|indent 2}} - port: {{ index .Values.containerPort }} - scheme: {{- index .Values.livenessProbe.scheme| indent 2}} - initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} - periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} - timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}} - successThreshold: {{ index .Values.livenessProbe.successThreshold}} - failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} +{{ include "helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/charts/so-request-db-adapter/resources/config/overrides/override.yaml b/kubernetes/so/charts/so-request-db-adapter/resources/config/overrides/override.yaml index 6d746ede18..8dde3b7f99 100755 --- a/kubernetes/so/charts/so-request-db-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/charts/so-request-db-adapter/resources/config/overrides/override.yaml @@ -20,9 +20,11 @@ ssl-enable: false mso: logPath: logs site-name: localSite + config: + cadi: {{- include "cadi.keys" . | nindent 8}} adapters: requestDb: - auth: Basic YnBlbDpwYXNzd29yZDEk + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 spring: datasource: diff --git a/kubernetes/so/charts/so-request-db-adapter/templates/configmap.yaml b/kubernetes/so/charts/so-request-db-adapter/templates/configmap.yaml index d873beb62c..b57205223e 100755 --- a/kubernetes/so/charts/so-request-db-adapter/templates/configmap.yaml +++ b/kubernetes/so/charts/so-request-db-adapter/templates/configmap.yaml 
@@ -15,6 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} + ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-request-db-adapter/templates/deployment.yaml b/kubernetes/so/charts/so-request-db-adapter/templates/deployment.yaml index 931a89516b..91e9be6376 100755 --- a/kubernetes/so/charts/so-request-db-adapter/templates/deployment.yaml +++ b/kubernetes/so/charts/so-request-db-adapter/templates/deployment.yaml @@ -85,6 +85,22 @@ spec: secretKeyRef: name: {{ include "common.release" . }}-so-db-secrets key: mariadb.admin.password + {{- if eq .Values.global.security.aaf.enabled true }} + - name: TRUSTSTORE + value: /app/org.onap.so.trust.jks + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: trustStorePassword + - name: KEYSTORE + value: /app/org.onap.so.jks + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: keyStorePassword + {{- end }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap 
@@ -95,16 +111,7 @@ spec: - name: config mountPath: /app/config readOnly: true - livenessProbe: - httpGet: - path: {{- index .Values.livenessProbe.path|indent 2}} - port: {{ index .Values.containerPort }} - scheme: {{- index .Values.livenessProbe.scheme| indent 2}} - initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} - periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} - timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}} - successThreshold: {{ index .Values.livenessProbe.successThreshold}} - failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} +{{ include "helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/charts/so-sdc-controller/resources/config/overrides/override.yaml b/kubernetes/so/charts/so-sdc-controller/resources/config/overrides/override.yaml index 44544f49e7..8d02cc1f5c 100755 --- a/kubernetes/so/charts/so-sdc-controller/resources/config/overrides/override.yaml +++ b/kubernetes/so/charts/so-sdc-controller/resources/config/overrides/override.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. aai: - auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + auth: {{.Values.aai.auth}} server: port: {{ index .Values.containerPort }} spring: 
@@ -44,20 +44,22 @@ request: pool-name: reqdb-pool registerMbeans: false mso: - msoKey: 07a7159d3bf51a0e53be7a8f89699be7 + msoKey: {{ index .Values.mso.msoKey }} logPath: ./logs/sdc + config: + cadi: {{ include "cadi.keys" . | nindent 8}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: Basic YnBlbDpwYXNzd29yZDEk + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.requestDb.auth )}} site-name: onapheat camundaURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/ adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: Basic YnBlbDpwYXNzd29yZDEk + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.requestDb.auth )}} aai: endpoint: https://aai.{{ include "common.namespace" . }}:8443 asdc-connections: @@ -67,7 +69,7 @@ mso: consumerId: SO-COpenSource-Env11 environmentName: AUTO asdcAddress: sdc-be.{{ include "common.namespace" . }}:8443 - password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F + password: {{ index .Values "mso" "asdc-connections" "asdc-controller1" "password" }} pollingInterval: 60 pollingTimeout: 60 relevantArtifactTypes: HEAT,HEAT_ENV,HEAT_VOL @@ -82,7 +84,7 @@ mso: config: activity: endpoint: http://sdc-wfd-be:8080 - key: 566B754875657232314F5548556D3665 + key: {{ .Values.mso.asdc.config.key }} components: count: 3, componentNames: SO,AAI,SDNC diff --git a/kubernetes/so/charts/so-sdc-controller/templates/configmap.yaml b/kubernetes/so/charts/so-sdc-controller/templates/configmap.yaml index d873beb62c..b57205223e 100755 --- a/kubernetes/so/charts/so-sdc-controller/templates/configmap.yaml 
+++ b/kubernetes/so/charts/so-sdc-controller/templates/configmap.yaml @@ -15,6 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} + ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-sdc-controller/templates/deployment.yaml b/kubernetes/so/charts/so-sdc-controller/templates/deployment.yaml index 931a89516b..91e9be6376 100755 --- a/kubernetes/so/charts/so-sdc-controller/templates/deployment.yaml +++ b/kubernetes/so/charts/so-sdc-controller/templates/deployment.yaml @@ -85,6 +85,22 @@ spec: secretKeyRef: name: {{ include "common.release" . }}-so-db-secrets key: mariadb.admin.password + {{- if eq .Values.global.security.aaf.enabled true }} + - name: TRUSTSTORE + value: /app/org.onap.so.trust.jks + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: trustStorePassword + - name: KEYSTORE + value: /app/org.onap.so.jks + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: keyStorePassword + {{- end }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap 
@@ -95,16 +111,7 @@ spec: - name: config mountPath: /app/config readOnly: true - livenessProbe: - httpGet: - path: {{- index .Values.livenessProbe.path|indent 2}} - port: {{ index .Values.containerPort }} - scheme: {{- index .Values.livenessProbe.scheme| indent 2}} - initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} - periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} - timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}} - successThreshold: {{ index .Values.livenessProbe.successThreshold}} - failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} +{{ include "helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/charts/so-sdnc-adapter/resources/config/overrides/override.yaml b/kubernetes/so/charts/so-sdnc-adapter/resources/config/overrides/override.yaml index 5062a1f8f0..a20d2178ba 100755 --- a/kubernetes/so/charts/so-sdnc-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/charts/so-sdnc-adapter/resources/config/overrides/override.yaml @@ -19,12 +19,14 @@ mso: max-pool-size: 50 queue-capacity: 500 logPath: ./logs/sdnc + config: + cadi: {{ include "cadi.keys" . | nindent 14}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: Basic YnBlbDpwYXNzd29yZDEk + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} site-name: onapheat org: onap: 
@@ -100,7 +102,7 @@ org: changedelete: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf delete: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf rollback: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf - bpelauth: 4C18603C5AE7E3A42A6CED95CDF9C0BA9B2109B3725747662E5D34E5FDF63DA9ADEBB08185098F14699195FDE9475100 + bpelauth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.sdnc.bpelauth )}} bpelurl: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/SDNCAdapterCallbackService generic-resource: network-topology-operation: @@ -139,7 +141,7 @@ org: myurl: http://so-sdnc-adapter.{{ include "common.namespace" . }}:8086/adapters/rest/SDNCNotify rest: bpelurl: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage - sdncauth: ED07A7EE5F099FA53369C3DF2240AD68A00154676EEDBC6F8C16BAA83B1912941B8941ABD48683D2C1072DA7040659692DE936A59BBF42A038CF71DE67B4A375190071EC76EA657801B033C135 + sdncauth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.sdnc.sdncauth )}} sdncconnecttime: 5000 sdncurl10: 'http://sdnc.{{ include "common.namespace" . }}:8282/restconf/operations/GENERIC-RESOURCE-API:' sdncurl11: 'http://sdnc.{{ include "common.namespace" . }}:8282/restconf/operations/VNFTOPOLOGYAIC-API:' @@ -159,7 +161,7 @@ org: '': query: GET|60000|sdncurl12| network: - encryptionKey: 07a7159d3bf51a0e53be7a8f89699be7 + encryptionKey: {{ index .Values.org.onap.so.adapters.sdnc.network.encryptionKey }} spring: security: usercredentials: diff --git a/kubernetes/so/charts/so-sdnc-adapter/templates/configmap.yaml b/kubernetes/so/charts/so-sdnc-adapter/templates/configmap.yaml index d873beb62c..b57205223e 100755 --- a/kubernetes/so/charts/so-sdnc-adapter/templates/configmap.yaml 
+++ b/kubernetes/so/charts/so-sdnc-adapter/templates/configmap.yaml @@ -15,6 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} + ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-sdnc-adapter/templates/deployment.yaml b/kubernetes/so/charts/so-sdnc-adapter/templates/deployment.yaml index ab489160fc..5c7f3ab0ca 100755 --- a/kubernetes/so/charts/so-sdnc-adapter/templates/deployment.yaml +++ b/kubernetes/so/charts/so-sdnc-adapter/templates/deployment.yaml @@ -70,6 +70,22 @@ spec: secretKeyRef: name: {{ include "common.release" . }}-so-db-secrets key: mariadb.admin.password + {{- if eq .Values.global.security.aaf.enabled true }} + - name: TRUSTSTORE + value: /app/org.onap.so.trust.jks + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: trustStorePassword + - name: KEYSTORE + value: /app/org.onap.so.jks + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: keyStorePassword + {{- end }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap 
@@ -80,16 +96,7 @@ spec: - name: config mountPath: /app/config readOnly: true - livenessProbe: - httpGet: - path: {{- index .Values.livenessProbe.path|indent 2}} - port: {{ index .Values.containerPort }} - scheme: {{- index .Values.livenessProbe.scheme| indent 2}} - initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} - periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} - timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}} - successThreshold: {{ index .Values.livenessProbe.successThreshold}} - failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} +{{ include "helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/common/postgres/charts/pgpool/Chart.yaml b/kubernetes/so/charts/so-secrets/Chart.yaml similarity index 86% rename from kubernetes/common/postgres/charts/pgpool/Chart.yaml rename to kubernetes/so/charts/so-secrets/Chart.yaml index e2818139fa..be61d24840 100644 --- a/kubernetes/common/postgres/charts/pgpool/Chart.yaml +++ b/kubernetes/so/charts/so-secrets/Chart.yaml @@ -1,4 +1,4 @@ -# Copyright © 2018 Amdocs, AT&T, Bell Canada +# Copyright © 2018 AT&T USA # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -11,8 +11,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - apiVersion: v1 -description: ONAP Postgres Server -name: pgpool +description: A Helm chart for so secrets +name: so-secrets version: 5.0.0 
diff --git a/kubernetes/common/postgres/charts/pgpool/templates/configmap.yaml b/kubernetes/so/charts/so-secrets/templates/secrets.yaml old mode 100755 new mode 100644 similarity index 73% rename from kubernetes/common/postgres/charts/pgpool/templates/configmap.yaml rename to kubernetes/so/charts/so-secrets/templates/secrets.yaml index 099c8dd12e..9a749638f0 --- a/kubernetes/common/postgres/charts/pgpool/templates/configmap.yaml +++ b/kubernetes/so/charts/so-secrets/templates/secrets.yaml @@ -1,4 +1,4 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2018 AT&T USA # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -11,16 +11,17 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - apiVersion: v1 -kind: ConfigMap +kind: Secret metadata: - name: {{ include "common.fullname" . }}-pgpool-configmap + name: {{ .Release.Name }}-so-client-certs-secret namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} + release: {{ .Release.Name }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }} + trustStorePassword: {{ .Values.global.client.certs.trustStorePassword }} + keyStorePassword: {{ .Values.global.client.certs.keyStorePassword}} +type: Opaque diff --git a/kubernetes/so/charts/so-vfc-adapter/resources/config/overrides/override.yaml b/kubernetes/so/charts/so-vfc-adapter/resources/config/overrides/override.yaml index dee73abd41..ea61f502f2 100755 --- a/kubernetes/so/charts/so-vfc-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/charts/so-vfc-adapter/resources/config/overrides/override.yaml 
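Review bot: Values under a Secret's `data:` must be base64-encoded, but `trustStorePassword` and `keyStorePassword` are written there exactly as they come from `.Values.global.client.certs`. values.yaml is not visible here, so this only works if the values are stored pre-encoded. Either encode in the template, `trustStorePassword: {{ .Values.global.client.certs.trustStorePassword | b64enc | quote }}`, or switch the block to `stringData:` and pipe each value through `quote`. A short comment above `data:` stating which form values.yaml is expected to hold would stop an operator from overriding it with a plain password that is then rejected or decoded to different bytes.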
@@ -37,12 +37,14 @@ server: mso: site-name: localSite logPath: ./logs/vfc + config: + cadi: {{ include "cadi.keys" . | nindent 8}} msb-ip: msb-iag.{{ include "common.namespace" . }} msb-port: 80 adapters: requestDb: endpoint: https://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: Basic YnBlbDpwYXNzd29yZDEk + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} #Actuator management: security: diff --git a/kubernetes/so/charts/so-vfc-adapter/templates/configmap.yaml b/kubernetes/so/charts/so-vfc-adapter/templates/configmap.yaml index d873beb62c..b57205223e 100755 --- a/kubernetes/so/charts/so-vfc-adapter/templates/configmap.yaml +++ b/kubernetes/so/charts/so-vfc-adapter/templates/configmap.yaml @@ -15,6 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} + ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-vfc-adapter/templates/deployment.yaml b/kubernetes/so/charts/so-vfc-adapter/templates/deployment.yaml index 931a89516b..44040c2c43 100755 --- a/kubernetes/so/charts/so-vfc-adapter/templates/deployment.yaml +++ b/kubernetes/so/charts/so-vfc-adapter/templates/deployment.yaml 
@@ -85,6 +85,22 @@ spec: secretKeyRef: name: {{ include "common.release" . }}-so-db-secrets key: mariadb.admin.password + {{- if eq .Values.global.security.aaf.enabled true }} + - name: TRUSTSTORE + value: /app/org.onap.so.trust.jks + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: trustStorePassword + - name: KEYSTORE + value: /app/org.onap.so.jks + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: keyStorePassword + {{- end }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/charts/so-vnfm-adapter/resources/config/overrides/override.yaml b/kubernetes/so/charts/so-vnfm-adapter/resources/config/overrides/override.yaml index 5213700df0..ebfbc44685 100755 --- a/kubernetes/so/charts/so-vnfm-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/charts/so-vnfm-adapter/resources/config/overrides/override.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. aai: - auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} version: v15 endpoint: https://aai.{{ include "common.namespace" . }}:8443 spring: 
@@ -37,15 +37,17 @@ http: trust-store: classpath:org.onap.so.trust.jks trust-store-password: ',sx#.C*W)]wVgJC6ccFHI#:H' mso: - key: 07a7159d3bf51a0e53be7a8f89699be7 + key: {{ .Values.mso.key }} site-name: localSite logPath: ./logs/vnfm-adapter + config: + cadi: {{ include "cadi.keys" . | nindent 8}} msb-ip: msb-iag.{{ include "common.namespace" . }} msb-port: 80 sdc: - username: mso - password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F - key: 566B754875657232314F5548556D3665 + username: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.username "value2" .Values.sdc.username )}} + password: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.password "value2" .Values.sdc.password )}} + key: {{ .Values.sdc.key }} endpoint: https://sdc-be.{{ include "common.namespace" . }}:8443 vnfmadapter: endpoint: https://so-vnfm-adapter.{{ include "common.namespace" . }}:9092 diff --git a/kubernetes/so/charts/so-vnfm-adapter/templates/configmap.yaml b/kubernetes/so/charts/so-vnfm-adapter/templates/configmap.yaml index c79e58a711..b57205223e 100755 --- a/kubernetes/so/charts/so-vnfm-adapter/templates/configmap.yaml +++ b/kubernetes/so/charts/so-vnfm-adapter/templates/configmap.yaml @@ -1,4 +1,4 @@ -# Copyright © 2019 Nordix Foundation +# Copyright © 2018 AT&T USA # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,6 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} + ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap 
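Review bot: The context of the `@@ -37,15 +37,17 @@` hunk still carries a literal `trust-store-password` for `org.onap.so.trust.jks`, although this commit adds `so-client-certs-secret` with a `trustStorePassword` key for that kind of value. The `dmaap` `password:` left in kubernetes/so/resources/config/overrides/override.yaml (hunk `@@ -57,17 +59,16 @@`) is the same case. Both are worth moving out of the template in the same change, preferably read from the Secret the way the deployments read `TRUSTSTORE_PASSWORD`, and rotated, since the literals stay in history. The `http:` block starts outside the hunk.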
diff --git a/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml b/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml index a253a21ecc..c297ac3ce8 100755 --- a/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml +++ b/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml @@ -39,6 +39,23 @@ spec: image: {{ include "common.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | indent 12 }} + {{- if eq .Values.global.security.aaf.enabled true }} + env: + - name: TRUSTSTORE + value: /app/org.onap.so.trust.jks + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: trustStorePassword + - name: KEYSTORE + value: /app/org.onap.so.jks + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: keyStorePassword + {{- end }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/resources/config/overrides/override.yaml b/kubernetes/so/resources/config/overrides/override.yaml index 1aeb50dd23..c57ed023ef 100755 --- a/kubernetes/so/resources/config/overrides/override.yaml +++ b/kubernetes/so/resources/config/overrides/override.yaml 
@@ -4,21 +4,22 @@ server: max-threads: 50 ssl-enable: false mso: - msoKey: 07a7159d3bf51a0e53be7a8f89699be7 - logPath: logs - site-name: onapheat + msoKey: {{ .Values.global.app.msoKey }} + logPath: ./logs/apih + site-name: {{ index .Values.global.app.siteName }} adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: Basic YnBlbDpwYXNzd29yZDEk + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: Basic YnBlbDpwYXNzd29yZDEk + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} config: path: /src/main/resources/ + cadi: {{ include "cadi.keys" . | nindent 10}} infra: default: alacarte: @@ -30,14 +31,14 @@ mso: default: testApi: GR_API camundaURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/ - camundaAuth: AE2E9BE6EF9249085AF98689C4EE087736A5500629A72F35068FFB88813A023581DD6E765071F1C04075B36EA4213A + camundaAuth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.camundaAuth )}} async: core-pool-size: 50 max-pool-size: 50 queue-capacity: 500 sdc: client: - auth: 878785F4F31BC9CFA5AB52A172008212D8845ED2DE08AD5E56AF114720A4E49768B8F95CDA2EB971765D28EDCDAA24 + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.sdc.client.auth )}} activate: instanceid: test userid: cs0008 
@@ -48,7 +49,8 @@ mso: count: 3 aai: endpoint: https://aai.{{ include "common.namespace" . }}:8443 - auth: 6E081E10B1CA43A843E303733A74D9B23B601A6E22A21C7EF2C7F15A42F81A1A4E85E65268C2661F71321052C7F3E55B96A8E1E951F8BF6F + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.aai.auth )}} + extApi: endpoint: http://nbi.onap:8080/nbi/api/v3 so: @@ -57,17 +59,16 @@ mso: username: testuser password: VjR5NDcxSzA= host: http://dmaap-bc.{{ include "common.namespace" . }}:8080 - auth: 51EA5414022D7BE536E7516C4D1A6361416921849B72C0D6FC1C7F262FD9F2BBC2AD124190A332D9845A188AD80955567A4F975C84C221EEA8243BFD92FFE6896CDD1EA16ADD34E1E3D47D4A + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.so.operationalEnv.dmaap.auth )}} publisher: topic: com.att.ecomp.mso.operationalEnvironmentEvent health: - auth: Basic bXNvX2FkbWlufHBhc3N3b3JkMSQ= + auth: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.health.auth )}} endpoints: - subsystem: apih uri: http://so-bpmn-infra:8081 - subsystem: catalogdb uri: http://so-catalog-db-adapter:8082 - spring: datasource: hikari: @@ -120,4 +121,4 @@ org: cloud-owner: CloudOwner adapters: network: - encryptionKey: 07a7159d3bf51a0e53be7a8f89699be7 + encryptionKey: {{ .Values.global.app.msoKey }} diff --git a/kubernetes/so/templates/_cadiValues.tpl b/kubernetes/so/templates/_cadiValues.tpl new file mode 100644 index 0000000000..426facc4b1 --- /dev/null +++ b/kubernetes/so/templates/_cadiValues.tpl 
@@ -0,0 +1,19 @@ +{{- define "cadi.keys" -}} +cadiLoglevel: DEBUG +cadiKeyFile: /org.onap.so.keyfile +cadiTrustStore: /app/org.onap.so.trust.jks +cadiTruststorePassword: {{ .Values.global.app.cadi.cadiTruststorePassword }} +cadiLatitude: {{ .Values.global.app.cadi.cadiLatitude }} +cadiLongitude: {{ .Values.global.app.cadi.cadiLongitude }} +aafEnv: {{ .Values.global.app.cadi.aafEnv }} +aafApiVersion: 2.0 +aafRootNs: {{ .Values.global.app.cadi.aafRootNs }} +aafId: {{ .Values.mso.config.cadi.aafId }} +aafPassword: {{ .Values.mso.config.cadi.aafPassword }} +aafLocateUrl: {{ .Values.global.app.cadi.aafLocateUrl }} +aafUrl: {{ .Values.global.app.cadi.aafUrl }} +apiEnforcement: {{ .Values.mso.config.cadi.apiEnforcement }} +{{- if (.Values.global.app.cadi.noAuthn) }} +noAuthn: {{ .Values.mso.config.cadi.noAuthn }} +{{- end }} +{{- end }} diff --git a/kubernetes/so/templates/_livenessProbe.tpl b/kubernetes/so/templates/_livenessProbe.tpl new file mode 100644 index 0000000000..4181beb1f8 --- /dev/null +++ b/kubernetes/so/templates/_livenessProbe.tpl @@ -0,0 +1,17 @@ +{{- define "helpers.livenessProbe" -}} +livenessProbe: + httpGet: + path: {{- index .Values.livenessProbe.path|indent 2}} + port: {{ index .Values.containerPort }} + scheme: {{- index .Values.livenessProbe.scheme| indent 2}} + {{- if eq .Values.global.security.aaf.enabled true }} + httpHeaders: + - name: Authorization + value: {{ index .Values.global.aaf.auth.header }} + {{- end }} + initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} + periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} + timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}} + successThreshold: {{ index .Values.livenessProbe.successThreshold}} + failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} +{{- end -}} diff --git a/kubernetes/so/templates/_profileProperty.tpl b/kubernetes/so/templates/_profileProperty.tpl new file mode 100644 index 0000000000..113bc343d0 --- /dev/null 
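Review bot: The `noAuthn` guard tests `.Values.global.app.cadi.noAuthn`, but the value it prints is `.Values.mso.config.cadi.noAuthn`, and the `global.app.cadi` block added to values.yaml in this commit defines no `noAuthn` key, so with the shipped defaults the line appears never to be rendered. Test the key that is emitted: `{{- if .Values.mso.config.cadi.noAuthn }}`. `cadiLoglevel: DEBUG` and `cadiKeyFile: /org.onap.so.keyfile` are also hard-coded here although values.yaml carries `cadiLoglevel` and a different `cadiKeyFile` (`/app/org.onap.so.keyfile`); reading both from values removes the mismatch and lets an install lower the log level of the authentication library.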
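Review bot: When AAF is enabled the probe's `Authorization` header takes `.Values.global.aaf.auth.header` as a literal `value`, so the Basic credential is stored in clear in the Deployment and Pod spec and is readable by anyone allowed to `get` those objects; `httpHeaders` entries have no `valueFrom`, so it cannot be sourced from a Secret. values.yaml in this commit lists `/manage/health` under `noAuthn`; if the probe path is that endpoint (the path value is not visible here), the header can be dropped. If it has to stay, use a dedicated health-only account and record that above the block, e.g. `{{/* probe credential is visible in the pod spec; use a health-only account */}}`.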
+++ b/kubernetes/so/templates/_profileProperty.tpl @@ -0,0 +1,3 @@ +{{- define "helpers.profileProperty" -}} + {{ if eq .condition true }}{{.value1}}{{else}}{{.value2}} {{ end }} +{{- end -}} diff --git a/kubernetes/so/templates/configmap.yaml b/kubernetes/so/templates/configmap.yaml index d873beb62c..b57205223e 100755 --- a/kubernetes/so/templates/configmap.yaml +++ b/kubernetes/so/templates/configmap.yaml @@ -15,6 +15,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} + ACTIVE_PROFILE: {{ include "helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/templates/deployment.yaml b/kubernetes/so/templates/deployment.yaml index 931a89516b..91e9be6376 100755 --- a/kubernetes/so/templates/deployment.yaml +++ b/kubernetes/so/templates/deployment.yaml @@ -85,6 +85,22 @@ spec: secretKeyRef: name: {{ include "common.release" . }}-so-db-secrets key: mariadb.admin.password + {{- if eq .Values.global.security.aaf.enabled true }} + - name: TRUSTSTORE + value: /app/org.onap.so.trust.jks + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: trustStorePassword + - name: KEYSTORE + value: /app/org.onap.so.jks + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name}}-so-client-certs-secret + key: keyStorePassword + {{- end }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap 
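Review bot: In `helpers.profileProperty` the else branch leaves a space between `{{.value2}}` and `{{ end }}`, so the fallback value is rendered with trailing whitespace; that is harmless in a plain YAML scalar but becomes part of the credential as soon as a caller quotes the result or uses it in an env `value`. Trim both branches: `{{- if eq .condition true -}}{{ .value1 }}{{- else -}}{{ .value2 }}{{- end -}}`. `eq .condition true` also requires a real boolean, so a header comment such as `{{/* dict keys: condition (bool), value1 (used when true), value2 (fallback) */}}` would save callers from passing a string.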
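Review bot: In the deployment.yaml hunk the new `secretKeyRef` names are built from `{{ .Release.Name}}-so-client-certs-secret`, while the entry directly above them uses `{{ include "common.release" . }}-so-db-secrets`; if the two expressions ever resolve differently the pod references a Secret that does not exist and cannot start once AAF is enabled. Use the same helper for both: `name: {{ include "common.release" . }}-so-client-certs-secret`. The Secret that carries `trustStorePassword` and `keyStorePassword` is not part of the visible hunks, so its name should be checked against this one. The container spec continues outside the hunk.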
@@ -95,16 +111,7 @@ spec: - name: config mountPath: /app/config readOnly: true - livenessProbe: - httpGet: - path: {{- index .Values.livenessProbe.path|indent 2}} - port: {{ index .Values.containerPort }} - scheme: {{- index .Values.livenessProbe.scheme| indent 2}} - initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} - periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} - timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}} - successThreshold: {{ index .Values.livenessProbe.successThreshold}} - failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} +{{ include "helpers.livenessProbe" .| indent 8 }} ports: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index 9af34af88e..5a06253863 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml 
@@ -39,14 +39,40 @@ global: dbUser: root dbPassword: secretpassword msbEnabled: true - + security: + aaf: + enabled: false + aaf: + auth: + header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= + encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 + app: + siteName: onapheat + auth: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 + defaultCloudOwner: onap + cadi: + cadiLoglevel: DEBUG + cadiKeyFile: /app/org.onap.so.keyfile + cadiTrustStore: /app/org.onap.so.trust.jks + cadiTruststorePassword: enc:MFpuxKeYK6Eo6QXjDUjtOBbp0FthY7SB4mKSIJm_RWC + cadiLatitude: 38.4329 + cadiLongitude: -90.43248 + aafEnv: IST + aafApiVersion: 2.1 + aafRootNs: org.onap.so + aafLocateUrl: https://aaf-locate.onap:8095 + aafUrl: https://aaf-locate.onap:8095/locate/org.osaaf.aaf.service:2.1 + msoKey: 07a7159d3bf51a0e53be7a8f89699be7 + client: + certs: + trustStorePassword: b25hcDRzbw== + keyStorePassword: c280b25hcA== ################################################################# # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 image: onap/so/api-handler-infra:1.5.3 pullPolicy: Always - replicaCount: 1 minReadySeconds: 10 containerPort: 8080 
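Review bot: The default `global.aaf.auth.header` is a Basic credential whose base64 payload ends in `go=`, which means the encoded text finishes with a line feed after the password; that usually comes from encoding with `echo` instead of `printf`, and a server that compares the password exactly will reject it. Re-encode the value without the newline. This block also adds working default secrets (`msoKey`, `encrypted`, `trustStorePassword`, `keyStorePassword`) to values.yaml, and base64 is an encoding rather than protection, so a comment such as `# demo defaults only - override every value in this block for a real deployment` belongs above `aaf:`.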
@@ -115,3 +141,175 @@ ingress: port: 8080 config: ssl: "none" + +mso: + adapters: + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk + config: + cadi: + aafId: so@so.onap.org + aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 + apiEnforcement: org.onap.so.apihPerm + noAuthn: /manage/health + camundaAuth: AE2E9BE6EF9249085AF98689C4EE087736A5500629A72F35068FFB88813A023581DD6E765071F1C04075B36EA4213A + sdc: + client: + auth: 878785F4F31BC9CFA5AB52A172008212D8845ED2DE08AD5E56AF114720A4E49768B8F95CDA2EB971765D28EDCDAA24 + aai: + auth: 6E081E10B1CA43A843E303733A74D9B23B601A6E22A21C7EF2C7F15A42F81A1A4E85E65268C2661F71321052C7F3E55B96A8E1E951F8BF6F + so: + operationalEnv: + dmaap: + auth: 51EA5414022D7BE536E7516C4D1A6361416921849B72C0D6FC1C7F262FD9F2BBC2AD124190A332D9845A188AD80955567A4F975C84C221EEA8243BFD92FFE6896CDD1EA16ADD34E1E3D47D4A + health: + auth: basic bXNvX2FkbWlufHBhc3N3b3JkMSQ= +so-bpmn-infra: + cds: + auth: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== + aai: + auth: 221187EFA3AD4E33600DE0488F287099934CE65C3D0697BCECC00BB58E784E07CD74A24581DC31DBC086FF63DF116378776E9BE3D1325885 + mso: + key: 07a7159d3bf51a0e53be7a8f89699be7 + adapters: + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk + db: + auth: A3745B5DBE165EFCF101D85A6FC81C211AB8BF604F8861B6C413D5DC90F8F30E0139DE44B8A342F4EF70AF + password: wLg4sjrAFUS8rfVfdvTXeQ== + po: + auth: A3745B5DBE165EFCF101D85A6FC81C211AB8BF604F8861B6C413D5DC90F8F30E0139DE44B8A342F4EF70AF + config: + cadi: + aafId: so@so.onap.org + aaafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 + apiEnforcement: org.onap.so.bpmnPerm + noAuthn: /manage/health + sdnc: + password: 1D78CFC35382B6938A989066A7A7EAEF4FE933D2919BABA99EB4763737F39876C333EE5F + sniro: + auth: test:testpwd + endpoint: http://replaceme:28090/optimizationInstance/V1/create + oof: + auth: test:testpwd + so: + vnfm: + adapter: + auth: Basic dm5mbTpwYXNzd29yZDEk +so-catalog-db-adapter: + mso: + config: + cadi: + aafId: so@so.onap.org + aafPassword: 
enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 + apiEnforcement: org.onap.so.catalogDbAdapterPerm + noAuthn: /manage/health + adapters: + db: + auth: Basic YnBlbDpwYXNzd29yZDEk +so-openstack-adapter: + aaf: + auth: + encrypted: 7F182B0C05D58A23A1C4966B9CDC9E0B8BC5CD53BC8C7B4083D869F8D53E9BDC3EFD55C94B1D3F + aai: + auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + org: + onap: + so: + adapters: + bpelauth: D1A67FA93B6A6419132D0F83CC771AF774FD3C60853C50C22C8C6FC5088CC79E9E81EDE9EA39F22B2F66A0068E + valet: + basic_auth: bXNvOkphY2tkYXdzIGxvdmUgbXkgYmlnIHNwaGlueCBvZiBxdWFydHouCg== + mso: + msoKey: 07a7159d3bf51a0e53be7a8f89699be7 + auth: BEA8637716A7EB617DF472BA6552D22F68C1CB17B0D094D77DDA562F4ADAAC4457CAB848E1A4 + config: + cadi: + aafId: so@so.onap.org + aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 + apiEnforcement: org.onap.so.openStackAdapterPerm + noAuthn: /manage/health + db: + auth: Basic YnBlbDpwYXNzd29yZDEk +so-request-db-adapter: + mso: + config: + cadi: + aafId: so@so.onap.org + aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 + apiEnforcement: org.onap.so.requestDbAdapterPerm + noAuthn: /manage/health + adapters: + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk +so-sdc-controller: + aai: + auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + mso: + msoKey: 07a7159d3bf51a0e53be7a8f89699be7 + config: + cadi: + aafId: so@so.onap.org + aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 + apiEnforcement: org.onap.so.sdcControllerPerm + noAuthn: /manage/health + asdc: + config: + key: 566B754875657232314F5548556D3665 + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk + asdc-connections: + asdc-controller1: + password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F +so-sdnc-adapter: + org: + onap: + 
so: + adapters: + sdnc: + bpelauth: 4C18603C5AE7E3A42A6CED95CDF9C0BA9B2109B3725747662E5D34E5FDF63DA9ADEBB08185098F14699195FDE9475100 + sdncauth: ED07A7EE5F099FA53369C3DF2240AD68A00154676EEDBC6F8C16BAA83B1912941B8941ABD48683D2C1072DA7040659692DE936A59BBF42A038CF71DE67B4A375190071EC76EA657801B033C135 + network: + encryptionKey: 07a7159d3bf51a0e53be7a8f89699be7 + mso: + config: + cadi: + aafId: so@so.onap.org + aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 + apiEnforcement: org.onap.so.sdncAdapterPerm + noAuthn: /manage/health + adapters: + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk + rest: + aafEncrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 +so-vfc-adapter: + mso: + config: + cadi: + aafId: so@so.onap.org + aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 + apiEnforcement: org.onap.so.vfcAdapterPerm + noAuthn: /manage/health + adapters: + requestDb: + auth: Basic YnBlbDpwYXNzd29yZDEk +so-vnfm-adapter: + aaf: + auth: + username: so@so.onap.org + password: 8DB1C939BFC6A35C3832D0E52E452D0E05AE2537AF142CECD125FF827C05A972FDD0F4700547DA + aai: + auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + sdc: + username: mso + password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F + key: 566B754875657232314F5548556D3665 + mso: + key: 07a7159d3bf51a0e53be7a8f89699be7 + config: + cadi: + aafId: so@so.onap.org + aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 + apiEnforcement: org.onap.so.vnfmAdapterPerm + noAuthn: /manage/health diff --git a/kubernetes/vfc/charts/vfc-catalog/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-catalog/templates/deployment.yaml index d8ac61bae7..8e5d097e40 100644 --- a/kubernetes/vfc/charts/vfc-catalog/templates/deployment.yaml 
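Review bot: Under `so-bpmn-infra.mso.config.cadi` the key is spelled `aaafPassword`, while every other component in this hunk uses `aafPassword` and the `cadi.keys` template added by this commit reads `.Values.mso.config.cadi.aafPassword`; if the sub-chart reads the same key (its templates are not visible here) the AAF password renders empty for that component. Rename the key to `aafPassword`. Two smaller inconsistencies in the same hunk: `mso.health.auth` starts with lowercase `basic` where the literal it replaces used `Basic`, and `valet.basic_auth` ends in `Cg==`, an encoded trailing newline.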
+++ b/kubernetes/vfc/charts/vfc-catalog/templates/deployment.yaml @@ -68,6 +68,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - name: MYSQL_ADDR diff --git a/kubernetes/vfc/charts/vfc-catalog/templates/service.yaml b/kubernetes/vfc/charts/vfc-catalog/templates/service.yaml index 7f7e668e58..a9c382a3f7 100644 --- a/kubernetes/vfc/charts/vfc-catalog/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-catalog/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/api/catalog/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-ems-driver/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-ems-driver/templates/deployment.yaml index 4feba42c6c..446bcb96d5 100644 --- a/kubernetes/vfc/charts/vfc-ems-driver/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-ems-driver/templates/deployment.yaml @@ -69,6 +69,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - name: VES_ADDR diff --git a/kubernetes/vfc/charts/vfc-ems-driver/templates/service.yaml b/kubernetes/vfc/charts/vfc-ems-driver/templates/service.yaml index 4da613f4e5..394c69d6a3 100644 --- a/kubernetes/vfc/charts/vfc-ems-driver/templates/service.yaml 
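Review bot: In the service.yaml hunk `"enable_ssl": {{ .Values.global.config.ssl_enabled }}` is written unquoted into the JSON annotation string, so when `global.config.ssl_enabled` is not set (for example when the sub-chart is rendered without the parent chart's globals) the annotation is no longer valid JSON and the service's TLS setting is not registered as intended. Give it an explicit default: `"enable_ssl": {{ .Values.global.config.ssl_enabled | default false }},`. The same line is added in the service.yaml hunks of the other vfc sub-charts in this commit (ems-driver through zte-vnfm-driver), so the fix applies to each of them.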
+++ b/kubernetes/vfc/charts/vfc-ems-driver/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/api/emsdriver/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-generic-vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-generic-vnfm-driver/templates/deployment.yaml index bb608295f5..5e84c86ad1 100644 --- a/kubernetes/vfc/charts/vfc-generic-vnfm-driver/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-generic-vnfm-driver/templates/deployment.yaml @@ -53,6 +53,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" volumeMounts: diff --git a/kubernetes/vfc/charts/vfc-generic-vnfm-driver/templates/service.yaml b/kubernetes/vfc/charts/vfc-generic-vnfm-driver/templates/service.yaml index cf48f76d35..e5a244e9d8 100644 --- a/kubernetes/vfc/charts/vfc-generic-vnfm-driver/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-generic-vnfm-driver/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/api/gvnfmdriver/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-huawei-vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-huawei-vnfm-driver/templates/deployment.yaml index 544d423ae7..163214a692 100644 --- a/kubernetes/vfc/charts/vfc-huawei-vnfm-driver/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-huawei-vnfm-driver/templates/deployment.yaml 
@@ -70,6 +70,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" volumeMounts: diff --git a/kubernetes/vfc/charts/vfc-huawei-vnfm-driver/templates/service.yaml b/kubernetes/vfc/charts/vfc-huawei-vnfm-driver/templates/service.yaml index 5141429bf0..b8a6b07b32 100644 --- a/kubernetes/vfc/charts/vfc-huawei-vnfm-driver/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-huawei-vnfm-driver/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/api/huaweivnfmdriver/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-juju-vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-juju-vnfm-driver/templates/deployment.yaml index 12534bc94a..008d480194 100644 --- a/kubernetes/vfc/charts/vfc-juju-vnfm-driver/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-juju-vnfm-driver/templates/deployment.yaml @@ -69,6 +69,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName}}:{{ .Values.global.config.msbPort }}" volumeMounts: diff --git a/kubernetes/vfc/charts/vfc-juju-vnfm-driver/templates/service.yaml b/kubernetes/vfc/charts/vfc-juju-vnfm-driver/templates/service.yaml index 8b42bf7c18..ea94a3f518 100644 --- a/kubernetes/vfc/charts/vfc-juju-vnfm-driver/templates/service.yaml 
+++ b/kubernetes/vfc/charts/vfc-juju-vnfm-driver/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/api/jujuvnfmdriver/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-multivim-proxy/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-multivim-proxy/templates/deployment.yaml index 3f9cd5fad2..be76d55c96 100644 --- a/kubernetes/vfc/charts/vfc-multivim-proxy/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-multivim-proxy/templates/deployment.yaml @@ -69,6 +69,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" resources: diff --git a/kubernetes/vfc/charts/vfc-multivim-proxy/templates/service.yaml b/kubernetes/vfc/charts/vfc-multivim-proxy/templates/service.yaml index 3dc7a4db86..7b4f74e4e6 100644 --- a/kubernetes/vfc/charts/vfc-multivim-proxy/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-multivim-proxy/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/api/multivimproxy/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-nokia-v2vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-nokia-v2vnfm-driver/templates/deployment.yaml index 3bac8c6523..3f747ce3a6 100644 --- a/kubernetes/vfc/charts/vfc-nokia-v2vnfm-driver/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-nokia-v2vnfm-driver/templates/deployment.yaml 
@@ -71,6 +71,10 @@ spec: env: - name: EXTERNAL_PORT value: "8089" + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" resources: diff --git a/kubernetes/vfc/charts/vfc-nokia-v2vnfm-driver/templates/service.yaml b/kubernetes/vfc/charts/vfc-nokia-v2vnfm-driver/templates/service.yaml index e2ae287d61..98b00c1eaa 100644 --- a/kubernetes/vfc/charts/vfc-nokia-v2vnfm-driver/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-nokia-v2vnfm-driver/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/api/NokiaSVNFM/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-nslcm/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-nslcm/templates/deployment.yaml index 8110315a0e..fc6c736fbd 100644 --- a/kubernetes/vfc/charts/vfc-nslcm/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-nslcm/templates/deployment.yaml @@ -68,6 +68,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - name: MYSQL_ADDR diff --git a/kubernetes/vfc/charts/vfc-nslcm/templates/service.yaml b/kubernetes/vfc/charts/vfc-nslcm/templates/service.yaml index 4500742c87..5484b2cfa2 100644 --- a/kubernetes/vfc/charts/vfc-nslcm/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-nslcm/templates/service.yaml 
@@ -30,6 +30,7 @@ metadata: "url": "/api/nslcm/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-resmgr/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-resmgr/templates/deployment.yaml index 6c6ba6401b..ce381d7140 100644 --- a/kubernetes/vfc/charts/vfc-resmgr/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-resmgr/templates/deployment.yaml @@ -69,6 +69,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" volumeMounts: diff --git a/kubernetes/vfc/charts/vfc-resmgr/templates/service.yaml b/kubernetes/vfc/charts/vfc-resmgr/templates/service.yaml index 2f072377eb..2923f73c5e 100644 --- a/kubernetes/vfc/charts/vfc-resmgr/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-resmgr/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/api/resmgr/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-vnflcm/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-vnflcm/templates/deployment.yaml index 208b0c345a..e99f4d1120 100644 --- a/kubernetes/vfc/charts/vfc-vnflcm/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-vnflcm/templates/deployment.yaml 
@@ -68,6 +68,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - name: MYSQL_ADDR diff --git a/kubernetes/vfc/charts/vfc-vnflcm/templates/service.yaml b/kubernetes/vfc/charts/vfc-vnflcm/templates/service.yaml index 21fd31a66e..049e7e1ccc 100644 --- a/kubernetes/vfc/charts/vfc-vnflcm/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-vnflcm/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/api/vnflcm/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-vnfmgr/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-vnfmgr/templates/deployment.yaml index c3e6238c34..66db39ec36 100644 --- a/kubernetes/vfc/charts/vfc-vnfmgr/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-vnfmgr/templates/deployment.yaml @@ -68,6 +68,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - name: MYSQL_ADDR diff --git a/kubernetes/vfc/charts/vfc-vnfmgr/templates/service.yaml b/kubernetes/vfc/charts/vfc-vnfmgr/templates/service.yaml index 9c7f64a3fb..d87ad801ba 100644 --- a/kubernetes/vfc/charts/vfc-vnfmgr/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-vnfmgr/templates/service.yaml 
@@ -30,6 +30,7 @@ metadata: "url": "/api/vnfmgr/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-vnfres/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-vnfres/templates/deployment.yaml index a913138193..f5fc28466a 100644 --- a/kubernetes/vfc/charts/vfc-vnfres/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-vnfres/templates/deployment.yaml @@ -68,6 +68,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - name: MYSQL_ADDR diff --git a/kubernetes/vfc/charts/vfc-vnfres/templates/service.yaml b/kubernetes/vfc/charts/vfc-vnfres/templates/service.yaml index 2b470ba772..902b4ed481 100644 --- a/kubernetes/vfc/charts/vfc-vnfres/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-vnfres/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/api/vnfres/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-workflow-engine/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-workflow-engine/templates/deployment.yaml index 91cc63b3e7..410d4b6b5b 100644 --- a/kubernetes/vfc/charts/vfc-workflow-engine/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-workflow-engine/templates/deployment.yaml 
@@ -69,6 +69,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: SERVICE_IP valueFrom: fieldRef: diff --git a/kubernetes/vfc/charts/vfc-workflow-engine/templates/service.yaml b/kubernetes/vfc/charts/vfc-workflow-engine/templates/service.yaml index a94a475b88..fc41fe0da6 100644 --- a/kubernetes/vfc/charts/vfc-workflow-engine/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-workflow-engine/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/activiti-rest", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-workflow/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-workflow/templates/deployment.yaml index aa8b8619ed..534979b835 100644 --- a/kubernetes/vfc/charts/vfc-workflow/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-workflow/templates/deployment.yaml @@ -69,6 +69,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: SERVICE_IP valueFrom: fieldRef: diff --git a/kubernetes/vfc/charts/vfc-workflow/templates/service.yaml b/kubernetes/vfc/charts/vfc-workflow/templates/service.yaml index cedab28818..5a780c8f94 100644 --- a/kubernetes/vfc/charts/vfc-workflow/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-workflow/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/api/workflow/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' 
diff --git a/kubernetes/vfc/charts/vfc-zte-sdnc-driver/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-zte-sdnc-driver/templates/deployment.yaml index 3f9cd5fad2..be76d55c96 100644 --- a/kubernetes/vfc/charts/vfc-zte-sdnc-driver/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-zte-sdnc-driver/templates/deployment.yaml @@ -69,6 +69,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" resources: diff --git a/kubernetes/vfc/charts/vfc-zte-sdnc-driver/templates/service.yaml b/kubernetes/vfc/charts/vfc-zte-sdnc-driver/templates/service.yaml index 394b1ce3df..9a0aa1ccbe 100644 --- a/kubernetes/vfc/charts/vfc-zte-sdnc-driver/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-zte-sdnc-driver/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/api/ztesdncdriver/v1", "protocol": "REST", "port": "{{.Values.service.externalPort}}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/charts/vfc-zte-vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/charts/vfc-zte-vnfm-driver/templates/deployment.yaml index c6dd85458a..5f5e710632 100644 --- a/kubernetes/vfc/charts/vfc-zte-vnfm-driver/templates/deployment.yaml +++ b/kubernetes/vfc/charts/vfc-zte-vnfm-driver/templates/deployment.yaml 
@@ -69,6 +69,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}" + - name: SSL_ENABLED + value: "{{ .Values.global.config.ssl_enabled }}" - name: MSB_ADDR value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" volumeMounts: diff --git a/kubernetes/vfc/charts/vfc-zte-vnfm-driver/templates/service.yaml b/kubernetes/vfc/charts/vfc-zte-vnfm-driver/templates/service.yaml index 9c27abe0af..5b22914f38 100644 --- a/kubernetes/vfc/charts/vfc-zte-vnfm-driver/templates/service.yaml +++ b/kubernetes/vfc/charts/vfc-zte-vnfm-driver/templates/service.yaml @@ -30,6 +30,7 @@ metadata: "url": "/api/ztevnfmdriver/v1", "protocol": "REST", "port": "{{ .Values.service.externalPort }}", + "enable_ssl": {{ .Values.global.config.ssl_enabled }}, "visualRange":"1" } ]' diff --git a/kubernetes/vfc/values.yaml b/kubernetes/vfc/values.yaml index 303010389a..eb6638b18b 100644 --- a/kubernetes/vfc/values.yaml +++ b/kubernetes/vfc/values.yaml @@ -14,15 +14,17 @@ global: config: + ssl_enabled: false + msbprotocol: https msbServiceName: msb-iag - msbPort: 80 + msbPort: 443 dbServiceName: vfc-db dbPort: 3306 dbUser: root mariadbRootPassword: secretpassword redisServiceName: vfc-redis redisPort: 6379 - reg_to_msb_when_start: True + reg_to_msb_when_start: False persistence: mountPath: /dockerdata-nfs diff --git a/kubernetes/vid/templates/deployment.yaml b/kubernetes/vid/templates/deployment.yaml index 0a5c0c5ba4..d449da1140 100644 --- a/kubernetes/vid/templates/deployment.yaml +++ b/kubernetes/vid/templates/deployment.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
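Review bot: In the vfc/values.yaml hunk the new defaults put `ssl_enabled: false` next to `msbprotocol: https` and `msbPort: 443` with no comment on how they relate, so it is unclear whether the vfc REST APIs are meant to stay in clear text while only the leg to MSB uses TLS. Document each key, e.g. `# ssl_enabled: serve the vfc REST APIs over TLS (registered with MSB as enable_ssl)` and `# msbprotocol / msbPort: scheme and port used to reach MSB`. `reg_to_msb_when_start` also changes from `True` to `False` here without a stated reason; a one-line comment would help operators who relied on self-registration.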
@@ -105,14 +106,9 @@ spec: - name: VID_MYSQL_DBNAME value: {{ index .Values "mariadb-galera" "config" "mysqlDatabase" }} - name: VID_MYSQL_USER - value: {{ index .Values "mariadb-galera" "config" "userName" }} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "vid-db-user-secret" "key" "login") | indent 14 }} - name: VID_MYSQL_PASS - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-db - key: db-user-password - #valueFrom: - # secretKeyRef: {name: {{ include "common.fullname" . }}, key: vid-password} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "vid-db-user-secret" "key" "password") | indent 14 }} - name: VID_MYSQL_MAXCONNECTIONS value: "{{ .Values.config.vidmysqlmaxconnections }}" volumeMounts: diff --git a/kubernetes/vid/templates/job.yaml b/kubernetes/vid/templates/job.yaml index 625fb0c6a1..75e40a1201 100644 --- a/kubernetes/vid/templates/job.yaml +++ b/kubernetes/vid/templates/job.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -60,14 +61,11 @@ spec: - /dbcmd-config/db_cmd.sh env: - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-db - key: db-user-password + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "vid-db-user-secret" "key" "password") | indent 10 }} - name: MYSQL_HOST value: {{ index .Values "mariadb-galera" "service" "name" }} - name: MYSQL_USER - value: {{ index .Values "mariadb-galera" "config" "userName" }} + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "vid-db-user-secret" "key" "login") | indent 10 }} - name: MYSQL_PORT value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}" restartPolicy: Never 
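Review bot: The literal `"vid-db-user-secret"` passed to `common.secret.envFromSecret` for `VID_MYSQL_USER` and `VID_MYSQL_PASS` has no comment tying it to its definition, and the same uid is repeated in templates/job.yaml for `MYSQL_USER` and `MYSQL_PASSWORD`. It has to match the `uid` of the entry under `secrets:` in the chart's values.yaml, and a mismatch would presumably show up only when the chart is rendered or the pod starts. A comment above the first use would help: `# uid refers to the matching entry under secrets: in values.yaml`. The `env:` list continues outside the hunk in both files.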
diff --git a/kubernetes/vid/templates/secrets.yaml b/kubernetes/vid/templates/secrets.yaml index 2a66c4fbec..44a9b3e9e0 100644 --- a/kubernetes/vid/templates/secrets.yaml +++ b/kubernetes/vid/templates/secrets.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,19 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - vid-password: {{ .Values.config.vidmysqlpassword | b64enc | quote }} +{{ include "common.secret" . }} --- apiVersion: v1 kind: Secret @@ -39,18 +28,3 @@ metadata: type: Opaque data: {{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-db - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -type: Opaque -data: - db-user-password: {{ index .Values "mariadb-galera" "config" "userPassword" | b64enc | quote }} - db-root-password: {{ index .Values "mariadb-galera" "config" "mariadbRootPassword" | b64enc | quote }} diff --git a/kubernetes/vid/values.yaml b/kubernetes/vid/values.yaml index 805e337f57..e8d0595284 100644 --- a/kubernetes/vid/values.yaml +++ b/kubernetes/vid/values.yaml 
@@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2020 Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,6 +23,17 @@ global: loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: vid-db-user-secret + name: '{{ include "common.release" . }}-vid-db-user-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' + subChartsOnly: enabled: true @@ -35,7 +47,10 @@ mariadb_image: library/mariadb:10 # application configuration config: - vidmysqlpassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + db: + userName: vidadmin +# userCredentialsExternalSecret: some secret +# userPassword: password vidkeystorepassword: '\^7w\!f+aR\{EJcTRsDuA7x\,+c\!' asdcclientrestauth: "Basic dmlkOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU=" asdcclientrestport: "8443" @@ -54,9 +69,7 @@ config: mariadb-galera: config: - userName: vidadmin - userPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - mariadbRootPassword: kjgsdhjqhawxvnbpoiawsfgjsqhsgjhjhdqihhjqdvcbxkjchizpw + userCredentialsExternalSecret: '{{ include "common.release" . }}-vid-db-user-secret' mysqlDatabase: vid_openecomp_epsdk nameOverride: vid-galera service: diff --git a/kubernetes/vnfsdk/values.yaml b/kubernetes/vnfsdk/values.yaml index 55f81acc24..ab6bae3d5f 100644 --- a/kubernetes/vnfsdk/values.yaml +++ b/kubernetes/vnfsdk/values.yaml 
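Review bot: The hard-coded `vidmysqlpassword` is removed from `config:` in kubernetes/vid/values.yaml, but the unchanged `asdcclientrestauth` line just below still carries a Basic credential that appears to decode to `vid:` followed by the same string. `vidkeystorepassword` also remains a literal. The value therefore stays in the chart defaults as well as in history and should be treated as exposed: rotate it, and move both settings behind a `secrets:` entry like the one this commit adds for the database user. The `config:` block continues outside the hunk.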
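Review bot: `userCredentialsExternalSecret` under `mariadb-galera.config` repeats the name string of the `vid-db-user-secret` entry instead of deriving it, so the two can drift apart. It also looks as if setting `config.db.userCredentialsExternalSecret` would leave the subchart pointing at `<release>-vid-db-user-secret`, which `common.secret` presumably does not create in that case. That depends on helper behaviour not shown here and should be confirmed. At minimum, add `# keep in sync with the name of the vid-db-user-secret entry under secrets:` above the line. `mariadbRootPassword` is dropped with no replacement visible in this chart, so a comment on where the root credential now comes from would help.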
@@ -53,17 +53,6 @@ postgres: pgPrimaryPassword: postgres pgUserPassword: postgres pgRootPassword: postgres - pgpool: - nameOverride: vnfsdk-pgpool - service: - name: vnfsdk-pgpool - credentials: - pgusername: postgres - pgpassword: postgres - container: - name: - primary: pgpool-primary - replica: pgpool-replica # flag to enable debugging - application support required debugEnabled: false