From: Andreas Geissler Date: Tue, 21 Mar 2023 12:39:44 +0000 (+0000) Subject: Merge "[SO] Set override property for CNFM in BPMN Infra" X-Git-Tag: 12.0.0~86 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=ae76d2e31d845728ad34ea599a2254b77fd87132;hp=bc4d85d2c5352aa827846a39afd9ed34c356fae0;p=oom.git Merge "[SO] Set override property for CNFM in BPMN Infra" --- diff --git a/kubernetes/a1policymanagement/Chart.yaml b/kubernetes/a1policymanagement/Chart.yaml index 1fa512a50d..c6798d15b4 100644 --- a/kubernetes/a1policymanagement/Chart.yaml +++ b/kubernetes/a1policymanagement/Chart.yaml @@ -26,9 +26,6 @@ dependencies: - name: common version: ~12.x-0 repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: repositoryGenerator version: ~12.x-0 repository: '@local' diff --git a/kubernetes/a1policymanagement/resources/config/application.yaml b/kubernetes/a1policymanagement/resources/config/application.yaml index 29b0b9ad16..789f3eb673 100644 --- a/kubernetes/a1policymanagement/resources/config/application.yaml +++ b/kubernetes/a1policymanagement/resources/config/application.yaml @@ -49,26 +49,23 @@ logging: server: # Configuration of the HTTP/REST server. The parameters are defined and handeled by the springboot framework. # See springboot documentation. - port: 8433 + #port: 8081 http-port: 8081 ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + enabled: false key-store-type: PKCS12 - key-store-password: ${KEYSTORE_PASSWORD} - key-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 - key-password: ${KEYSTORE_PASSWORD} - key-alias: {{ .Values.certInitializer.fqi }} + key-store-password: "" + key-store: "" + key-password: "" + key-alias: "" app: # Location of the component configuration file. The file will only be used if the Consul database is not used; # configuration from the Consul will override the file. filepath: /opt/app/policy-agent/data/application_configuration.json webclient: - # Configuration of the trust store used for the HTTP client (outgoing requests) - # The file location and the password for the truststore is only relevant if trust-store-used == true - # Note that the same keystore as for the server is used. trust-store-used: false - trust-store-password: ${TRUSTSORE_PASSWORD} - trust-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks + trust-store-password: "" + trust-store: "" # Configuration of usage of HTTP Proxy for the southbound accesses. # The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s http.proxy-host: diff --git a/kubernetes/a1policymanagement/resources/config/application_configuration.json b/kubernetes/a1policymanagement/resources/config/application_configuration.json index 5ee3f7d75d..837ce0c5b8 100644 --- a/kubernetes/a1policymanagement/resources/config/application_configuration.json +++ b/kubernetes/a1policymanagement/resources/config/application_configuration.json @@ -3,7 +3,7 @@ "controller": [ { "name": "controller1", - "baseUrl": "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.sdncLink .Values.sdncLinkHttp }}", + "baseUrl": "{{ .Values.sdncLink }}", "userName": "${A1CONTROLLER_USER}", "password": "${A1CONTROLLER_PASSWORD}" } diff --git a/kubernetes/a1policymanagement/templates/ingress.yaml b/kubernetes/a1policymanagement/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/a1policymanagement/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/a1policymanagement/templates/statefulset.yaml b/kubernetes/a1policymanagement/templates/statefulset.yaml index 89d131e26c..b1d04074f7 100644 --- a/kubernetes/a1policymanagement/templates/statefulset.yaml +++ b/kubernetes/a1policymanagement/templates/statefulset.yaml @@ -30,7 +30,7 @@ spec: spec: imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-bootstrap-config image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -39,10 +39,6 @@ spec: args: - -c - | - {{- if (include "common.needTLS" .) }} - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop\ - | xargs -0) - {{- end }} cd /config-input for PFILE in `ls -1` do @@ -55,7 +51,7 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }} - name: A1CONTROLLER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - mountPath: /config-input name: {{ include "common.fullname" . }}-policy-conf-input - mountPath: /config @@ -97,10 +93,10 @@ spec: httpGet: path: /status port: {{ .Values.liveness.port }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} + scheme: HTTP initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - name: config mountPath: /opt/app/policy-agent/data/application_configuration.json subPath: application_configuration.json @@ -111,7 +107,7 @@ spec: mountPath: "/var/policy-management-service/database" resources: {{ include "common.resources" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} + volumes: - name: {{ include "common.fullname" . }}-policy-conf-input configMap: name: {{ include "common.fullname" . }}-policy-conf diff --git a/kubernetes/a1policymanagement/values.yaml b/kubernetes/a1policymanagement/values.yaml index bf49313787..93f57d3587 100644 --- a/kubernetes/a1policymanagement/values.yaml +++ b/kubernetes/a1policymanagement/values.yaml @@ -30,39 +30,6 @@ secrets: password: '{{ .Values.a1controller.password }}' passwordPolicy: required -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: a1p-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: a1p - fqi: a1p@a1p.onap.org - public_fqdn: a1p.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.a1p - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 . - image: onap/ccsdk-oran-a1policymanagementservice:1.3.2 userID: 1000 #Should match with image-defined user ID groupID: 999 #Should match with image-defined group ID @@ -72,21 +39,25 @@ replicaCount: 1 service: type: NodePort name: a1policymanagement - both_tls_and_plain: true ports: - name: api - port: 8433 - plain_port: 8081 + port: 8081 port_protocol: http nodePort: '94' +ingress: + enabled: false + service: + - baseaddr: 'a1policymanagement-api' + name: 'a1policymanagement' + port: 8081 + # SDNC Credentials are used here a1controller: user: admin password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U -sdncLink: https://sdnc.onap:8443 -sdncLinkHttp: http://sdnc.onap:8282 +sdncLink: http://sdnc.onap:8282 # The information about A1-Mediator/RICs can be added here. # The A1 policy management service supports both STD & OSC versions. # Alternatively, the A1 simulator from ORAN-SC can also be used. It provides STD & OSC versions for A1 termination. diff --git a/kubernetes/nbi/Chart.yaml b/kubernetes/nbi/Chart.yaml index ee1e330072..5f277876a3 100644 --- a/kubernetes/nbi/Chart.yaml +++ b/kubernetes/nbi/Chart.yaml @@ -26,9 +26,6 @@ dependencies: # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: mongo version: ~12.x-0 repository: '@local' diff --git a/kubernetes/nbi/templates/deployment.yaml b/kubernetes/nbi/templates/deployment.yaml index 9bab15f30c..fcb9b6e1bd 100644 --- a/kubernetes/nbi/templates/deployment.yaml +++ b/kubernetes/nbi/templates/deployment.yaml @@ -25,9 +25,6 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: -{{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} -{{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -35,36 +32,20 @@ spec: ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export JAVA_OPTS="-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ - -Dserver.ssl.key-store={{ .Values.certInitializer.credsPath }}/org.onap.nbi.p12 \ - -Dserver.ssl.key-store-type=PKCS12 \ - -Djavax.net.ssl.trustStore={{ .Values.certInitializer.credsPath }}/org.onap.nbi.trust.jks \ - -Dserver.ssl.key-store-password=$cadi_keystore_password_p12 \ - -Djavax.net.ssl.trustStoreType=jks\ - -Djava.security.egd=file:/dev/./urandom -Dserver.port=8443" - exec java -XX:+UseContainerSupport $JAVA_OPTS -jar /opt/onap/app.jar - {{- end }} {{ if .Values.liveness.enabled }} livenessProbe: httpGet: - port: {{ if (include "common.needTLS" .) }}{{ .Values.service.internalPort }}{{ else }}{{ .Values.service.internalPlainPort }}{{ end }} + port: {{ .Values.service.internalPort }} path: {{ .Values.liveness.path }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} + scheme: HTTP initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end }} readinessProbe: httpGet: - port: {{ if (include "common.needTLS" .) }}{{ .Values.service.internalPort }}{{ else }}{{ .Values.service.internalPlainPort }}{{ end }} + port: {{ .Values.service.internalPort }} path: {{ .Values.readiness.path }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} + scheme: HTTP initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: @@ -91,15 +72,15 @@ spec: - name: ONAP_K8SCLOUDOWNER value: {{ .Values.config.k8sCloudOwner }} - name: NBI_URL - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://nbi.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}{{ .Values.service.internalPort }}{{ else }}{{ .Values.service.internalPlainPort }}{{ end }}/nbi/api/v4" + value: "http://nbi.{{ include "common.namespace" . }}:{{ .Values.service.internalPort }}/nbi/api/v4" - name: SDC_HOST - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://sdc-be.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}8443{{ else }}8080{{ end }}" + value: "http://sdc-be.{{ include "common.namespace" . }}:8080" - name: SDC_HEADER_ECOMPINSTANCEID value: {{ .Values.config.ecompInstanceId }} - name: SDC_HEADER_AUTHORIZATION value: {{ .Values.sdc_authorization }} - name: AAI_HOST - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://aai.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}8443{{ else }}80{{ end }}" + value: "http://aai.{{ include "common.namespace" . }}:80" - name: AAI_HEADER_AUTHORIZATION value: {{ .Values.aai_authorization }} - name: SO_HOST @@ -118,7 +99,7 @@ spec: value: "msb-discovery.{{ include "common.namespace" . }}" - name: MSB_DISCOVERY_PORT value: "10081" - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 12 }} + volumeMounts: - mountPath: /etc/localtime name: localtime readOnly: true @@ -132,7 +113,7 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} + volumes: - name: localtime hostPath: path: /etc/localtime diff --git a/kubernetes/nbi/tests/deployment_test.yaml b/kubernetes/nbi/tests/deployment_test.yaml index 7c8a1b0dbb..fe9d0d2977 100644 --- a/kubernetes/nbi/tests/deployment_test.yaml +++ b/kubernetes/nbi/tests/deployment_test.yaml @@ -98,7 +98,7 @@ tests: path: spec.template.spec.containers[0].env content: name: SDC_HOST - value: https://sdc-be.NAMESPACE:8443 + value: http://sdc-be.NAMESPACE:8080 - contains: path: spec.template.spec.containers[0].env content: @@ -113,7 +113,7 @@ tests: path: spec.template.spec.containers[0].env content: name: AAI_HOST - value: https://aai.NAMESPACE:8443 + value: http://aai.NAMESPACE:80 - contains: path: spec.template.spec.containers[0].env content: diff --git a/kubernetes/nbi/values.yaml b/kubernetes/nbi/values.yaml index dc323675ad..e2b7341b7c 100644 --- a/kubernetes/nbi/values.yaml +++ b/kubernetes/nbi/values.yaml @@ -24,31 +24,7 @@ global: service: mariadb-galera internalPort: 3306 nameOverride: mariadb-galera - aafEnabled: true - msbEnabled: true - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: nbi-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: nbi - fqi: nbi@nbi.onap.org - public_fqdn: nbi.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: > - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop - -aafConfig: - permission_user: 1000 - permission_group: 999 + msbEnabled: false ################################################################# # Secrets metaconfig @@ -150,12 +126,10 @@ service: type: NodePort portName: api name: nbi - internalPort: 8443 - internalPlainPort: 8080 + internalPort: 8080 ports: - name: http - port: 8443 - plain_port: 8080 + port: 8080 nodePort: '74' ingress: @@ -163,8 +137,7 @@ ingress: service: - baseaddr: "nbi-api" name: "nbi" - port: 8443 - plain_port: 8080 + port: 8080 config: ssl: "redirect" # Resource Limit flavor -By Default using small