[OOM] Fixing k8s ServiceAccounts

[oom.git] / kubernetes / sdnc / values.yaml

# Copyright © 2020 Samsung Electronics, highstreet technologies GmbH
# Copyright © 2017 Amdocs, Bell Canada
# Copyright © 2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#################################################################
# Global configuration defaults.
#################################################################
global:
  nodePortPrefix: 302
  nodePortPrefixExt: 304
  persistence:
    mountPath: /dockerdata-nfs
  centralizedLoggingEnabled: true
  mariadbGalera:
    #This flag allows SO to instantiate its own mariadb-galera cluster
    #If shared instance is used, this chart assumes that DB already exists
    localCluster: false
    service: mariadb-galera
    internalPort: 3306
    nameOverride: mariadb-galera


#################################################################
# Secrets metaconfig
#################################################################
secrets:
  - uid: db-root-password
    name: &rootDbSecret '{{ include "common.release" . }}-sdnc-db-root-password'
    type: password
    # If we're using shared mariadb, we need to use the secret name (second
    # part).
    # If not, we do the same trick than for user db secret hat allows you
    # override this secret using external one with the same field that is used
    # to pass this to subchart.
    externalSecret: '{{ .Values.global.mariadbGalera.localCluster |
      ternary ((hasSuffix "sdnc-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) |
                  ternary
                    ""
                    (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .))
              (include "common.mariadb.secret.rootPassSecretName"
                (dict "dot" .
                      "chartName" .Values.global.mariadbGalera.nameOverride)) }}'
    password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}'
  - uid: db-secret
    name: &dbSecretName '{{ include "common.release" . }}-sdnc-db-secret'
    type: basicAuth
    # This is a nasty trick that allows you override this secret using external one
    # with the same field that is used to pass this to subchart
    externalSecret: '{{ (hasSuffix "sdnc-db-secret" (index .Values "mariadb-galera" "db" "externalSecret")) |
      ternary
        ""
        (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .) }}'
    login: '{{ index .Values "mariadb-galera" "db" "user" }}'
    password: '{{ index .Values "mariadb-galera" "db" "password" }}'
  - uid: odl-creds
    name: &odlCredsSecretName '{{ include "common.release" . }}-sdnc-odl-creds'
    type: basicAuth
    externalSecret: '{{ .Values.config.odlCredsExternalSecret }}'
    login: '{{ .Values.config.odlUser }}'
    password: '{{ .Values.config.odlPassword }}'
    # For now this is left hardcoded but should be revisited in a future
    passwordPolicy: required
  - uid: netbox-apikey
    type: password
    externalSecret: '{{ .Values.config.netboxApikeyExternalSecret }}'
    password: '{{ .Values.config.netboxApikey }}'
    passwordPolicy: required
  - uid: aai-truststore-password
    type: password
    externalSecret: '{{ .Values.config.aaiTruststoreExternalSecret }}'
    password: '{{ .Values.config.aaiTruststorePassword }}'
    passwordPolicy: required
  - uid: ansible-truststore-password
    type: password
    externalSecret: '{{ .Values.config.ansibleTruststoreExternalSecret }}'
    password: '{{ .Values.config.ansibleTruststorePassword }}'
    passwordPolicy: required
  - uid: truststore-password
    type: password
    externalSecret: '{{ .Values.config.truststoreExternalSecret }}'
    password: '{{ .Values.config.truststorePassword }}'
    passwordPolicy: required
  - uid: keystore-password
    type: password
    externalSecret: '{{ .Values.config.keystoreExternalSecret }}'
    password: '{{ .Values.config.keystorePassword }}'
    passwordPolicy: required
  - uid: dmaap-authkey
    type: password
    externalSecret: '{{ .Values.config.dmaapAuthKeyExternalSecret }}'
    password: '{{ .Values.config.dmaapAuthKey }}'
    passwordPolicy: required
  - uid: aai-user-creds
    type: basicAuth
    externalSecret: '{{ .Values.config.aaiCredsExternalSecret}}'
    login: '{{ .Values.config.aaiUser }}'
    password: '{{ .Values.config.aaiPassword }}'
    passwordPolicy: required
  - uid: so-user-creds
    type: basicAuth
    externalSecret: '{{ .Values.config.soCredsExternalSecret}}'
    login: '{{ .Values.config.soUser }}'
    password: '{{ .Values.config.soPassword }}'
    passwordPolicy: required
  - uid: neng-user-creds
    type: basicAuth
    externalSecret: '{{ .Values.config.nengCredsExternalSecret}}'
    login: '{{ .Values.config.nengUser }}'
    password: '{{ .Values.config.nengPassword }}'
    passwordPolicy: required
  - uid: cds-user-creds
    type: basicAuth
    externalSecret: '{{ .Values.config.cdsCredsExternalSecret}}'
    login: '{{ .Values.config.cdsUser }}'
    password: '{{ .Values.config.cdsPassword }}'
    passwordPolicy: required
  - uid: honeycomb-user-creds
    type: basicAuth
    externalSecret: '{{ .Values.config.honeycombCredsExternalSecret}}'
    login: '{{ .Values.config.honeycombUser }}'
    password: '{{ .Values.config.honeycombPassword }}'
    passwordPolicy: required
  - uid: dmaap-user-creds
    type: basicAuth
    externalSecret: '{{ .Values.config.dmaapCredsExternalSecret}}'
    login: '{{ .Values.config.dmaapUser }}'
    password: '{{ .Values.config.dmaapPassword }}'
    passwordPolicy: required
  - uid: modeling-user-creds
    type: basicAuth
    externalSecret: '{{ .Values.config.modelingCredsExternalSecret}}'
    login: '{{ .Values.config.modelingUser }}'
    password: '{{ .Values.config.modelingPassword }}'
    passwordPolicy: required
  - uid: restconf-creds
    type: basicAuth
    externalSecret: '{{ .Values.config.restconfCredsExternalSecret}}'
    login: '{{ .Values.config.restconfUser }}'
    password: '{{ .Values.config.restconfPassword }}'
    passwordPolicy: required
  - uid: ansible-creds
    name: &ansibleSecretName '{{ include "common.release" . }}-sdnc-ansible-creds'
    type: basicAuth
    externalSecret: '{{ .Values.config.ansibleCredsExternalSecret}}'
    login: '{{ .Values.config.ansibleUser }}'
    password: '{{ .Values.config.ansiblePassword }}'
    passwordPolicy: required
  - uid: scaleout-creds
    type: basicAuth
    externalSecret: '{{ .Values.config.scaleoutCredsExternalSecret}}'
    login: '{{ .Values.config.scaleoutUser }}'
    password: '{{ .Values.config.scaleoutPassword }}'
    passwordPolicy: required
  - uid: oauth-token-secret
    type: password
    externalSecret: '{{ ternary (tpl (default "" .Values.config.sdnr.oauth.tokenExternalSecret) .) "oauth-disabled" .Values.config.sdnr.oauth.enabled }}'
    password: '{{ .Values.config.sdnr.oauth.tokenSecret }}'
    passwordPolicy: required
  - uid: keycloak-secret
    type: password
    externalSecret: '{{ ternary (tpl (default "" .Values.config.sdnr.oauth.providersSecrets.keycloakExternalSecret) .) "oauth-disabled" .Values.config.sdnr.oauth.enabled }}'
    password: '{{ .Values.config.sdnr.oauth.providersSecrets.keycloak }}'
    passwordPolicy: required
  - uid: ves-collector-secret
    type: basicAuth
    login: '{{ .Values.config.sdnr.vesCollector.username }}'
    password: '{{ .Values.config.sdnr.vesCollector.password }}'
#################################################################
# Certificates
#################################################################
certificates:
  - mountPath:  /var/custom-certs
    commonName: sdnc.simpledemo.onap.org
    dnsNames:
        - sdnc.simpledemo.onap.org
    keystore:
      outputType:
        - jks
      passwordSecretRef:
        create: true
        name: sdnc-cmpv2-keystore-password
        key: password
    issuer:
      group: certmanager.onap.org
      kind: CMPv2Issuer
      name: cmpv2-issuer-onap
#################################################################
# Application configuration defaults.
#################################################################
# application images

pullPolicy: Always
image: onap/sdnc-image:2.5.5

# flag to enable debugging - application support required
debugEnabled: false

# application configuration
config:
  odlUid: 100
  odlGid: 101
  odlUser: admin
  odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
  # odlCredsExternalSecret: some secret
  netboxApikey: onceuponatimeiplayedwithnetbox20180814
  # netboxApikeyExternalSecret: some secret
  aaiTruststorePassword: changeit
  # aaiTruststoreExternalSecret: some secret
  ansibleTruststorePassword: changeit
  # ansibleTruststoreExternalSecret: some secret
  truststorePassword: adminadmin
  # truststoreExternalSecret: some secret
  keystorePassword: adminadmin
  # keystoreExternalSecret: some secret
  aaiUser: sdnc@sdnc.onap.org
  aaiPassword: demo123456!
  # aaiCredsExternalSecret: some secret
  soUser: sdncaBpmn
  soPassword: password1$
  # soCredsExternalSecret: some secret
  nengUser: ccsdkapps
  nengPassword: ccsdkapps
  # nengCredsExternalSecret: some secret
  cdsUser: ccsdkapps
  cdsPassword: ccsdkapps
  # cdsCredsExternalSecret: some secret
  honeycombUser: admin
  honeycombPassword: admin
  # honeycombCredsExternalSecret: some secret
  dmaapUser: admin
  dmaapPassword: admin
  dmaapAuthKey: "fs20cKwalJ6ry4kX:7Hqm6BDZK47IKxGRkOPFk33qMYs="
  # dmaapCredsExternalSecret: some secret
  # dmaapAuthKeyExternalSecret: some secret
  modelingUser: ccsdkapps
  modelingPassword: ccsdkapps
  # modelingCredsExternalSecret: some secret
  restconfUser: admin
  restconfPassword: admin
  # restconfCredsExternalSecret: some secret
  scaleoutUser: admin
  scaleoutPassword: admin
  # scaleoutExternalSecret: some secret
  ansibleUser: sdnc
  ansiblePassword: sdnc
  # ansibleCredsExternalSecret: some secret

  dbSdnctlDatabase: &sdncDbName sdnctl
  enableClustering: true
  sdncHome: /opt/onap/sdnc
  binDir: /opt/onap/sdnc/bin
  etcDir: /opt/onap/sdnc/data
  geoEnabled: false
# if geoEnabled is set to true here, mysql.geoEnabled must be set to true
# if geoEnabled is set to true the following 3 values must be set to their proper values
  myODLCluster: 127.0.0.1
  peerODLCluster: 127.0.0.1
  isPrimaryCluster: true
  configDir: /opt/onap/sdnc/data/properties
  ccsdkConfigDir: /opt/onap/ccsdk/data/properties
  dmaapTopic: SUCCESS
  dmaapPort: 3904
  logstashServiceName: log-ls
  logstashPort: 5044
  ansibleServiceName: sdnc-ansible-server
  ansiblePort: 8000
  javaHome: /opt/java/openjdk

  odl:
    etcDir: /opt/opendaylight/etc
    binDir: /opt/opendaylight/bin
    gcLogDir: /opt/opendaylight/data/log
    salConfigDir: /opt/opendaylight/system/org/opendaylight/controller/sal-clustering-config
    salConfigVersion: 1.10.4
    akka:
      seedNodeTimeout: 15s
      circuitBreaker:
        maxFailures: 10
        callTimeout: 90s
        resetTimeout: 30s
      recoveryEventTimeout: 90s
    datastore:
      persistentActorRestartMinBackoffInSeconds: 10
      persistentActorRestartMaxBackoffInSeconds: 40
      persistentActorRestartResetBackoffInSeconds: 20
      shardTransactionCommitTimeoutInSeconds: 120
      shardIsolatedLeaderCheckIntervalInMillis: 30000
      operationTimeoutInSeconds: 120
    javaOptions:
      maxGCPauseMillis: 100
      parallelGCThreads : 3
      numberGCLogFiles: 10
      minMemory: 512m
      maxMemory: 2048m
      gcLogOptions: ""
      # Next line enables gc logging
      # gcLogOptions: "-Xlog:gc=trace:file={{.Values.config.odl.gcLogDir}}/gc-%t.log}:time,level,tags:filecount={{.Values.config.odl.javaOptions.numberGCLogFiles}}"
        # enables sdnr functionality
  sdnr:
    enabled: true
    # mode: web - SDNC contains device manager only plus dedicated webserver service for ODLUX (default),
    # mode: dm - SDNC contains sdnr device manager + ODLUX components
    mode: dm
    # sdnronly: true starts sdnc container with odl and sdnrwt features only
    sdnronly: false
    sdnrdbTrustAllCerts: true
    kafka:
      enabled: false
      consumerGroupPrefix: &consumerGroupPrefix sdnr
      # Strimzi KafkaUser config see configuration below
      kafkaUser: &kafkaUser
        acls:
        - name: unauthenticated.SEC_
          type: topic
          patternType: prefix
          operations: [Read]
        - name: unauthenticated.VES_PNFREG_OUTPUT
          type: topic
          patternType: literal
          operations: [Read]
        - name: *consumerGroupPrefix
          type: group
          patternType: prefix
          operations: [Read]
      ## set if bootstrap server is not OOM standard
      # bootstrapServers: []
      ## set connection parameters if not default
      # securityProtocol: PLAINTEXT
      # saslMechanism: SCRAM-SHA-512
      ## saslJassConfig: provided by secret


    mountpointStateProviderEnabled: false
    netconfCallHome:
      enabled: true


    oauth:
      enabled: false
      tokenIssuer: ONAP SDNC
      tokenSecret: secret
      supportOdlusers: true
      redirectUri: null
      publicUrl: none
      odluxRbac:
        enabled: true
      # example definition for a oauth provider
      providersSecrets:
        keycloak: d8d7ed52-0691-4353-9ac6-5383e72e9c46
      providers:
      - id: keycloak
        type: KEYCLOAK
        host: http://keycloak:8080
        clientId: odlux.app
        secret: ${KEYCLOAK_SECRET}
        scope: openid
        title: ONAP Keycloak Provider
        roleMapping:
          mykeycloak: admin
    vesCollector:
      enabled: false
      tls:
        enabled: true
      trustAllCertificates: false
      username: sample1
      password: sample1
      address: dcae-ves-collector.onap
      port: 8080
      version: v7
      reportingEntityName: ONAP SDN-R
      eventLogMsgDetail: SHORT

# Strimzi KafkaUser/Topic config on top level
kafkaUser: *kafkaUser


# dependency / sub-chart configuration
network-name-gen:
  enabled: true
  serviceAccount:
    nameOverride: sdnc-name-gen
mariadb-galera: &mariadbGalera
  nameOverride: &sdnc-db sdnc-db
  config: &mariadbGaleraConfig
    rootPasswordExternalSecret: *rootDbSecret
    userName: &dbUser sdnctl
    userCredentialsExternalSecret: *dbSecretName
  rootUser:
    externalSecret: *rootDbSecret
  db:
    user: *dbUser
    externalSecret: *dbSecretName
  service:
    name: sdnc-dbhost
  sdnctlPrefix: sdnc
  persistence:
    mountSubPath: sdnc/mariadb-galera
    enabled: true
  replicaCount: 1
  serviceAccount:
    nameOverride: *sdnc-db

cds:
  enabled: false

dmaap-listener:
  enabled: true
  nameOverride: sdnc-dmaap-listener
  mariadb-galera:
    <<: *mariadbGalera
    config:
      <<: *mariadbGaleraConfig
      mysqlDatabase: *sdncDbName
  config:
    sdncChartName: sdnc
    dmaapPort: 3904
    sdncPort: 8282
    configDir: /opt/onap/sdnc/data/properties
    odlCredsExternalSecret: *odlCredsSecretName

ueb-listener:
  enabled: true
  mariadb-galera:
    <<: *mariadbGalera
    config:
      <<: *mariadbGaleraConfig
      mysqlDatabase: *sdncDbName
  nameOverride: sdnc-ueb-listener
  config:
    sdncPort: 8282
    sdncChartName: sdnc
    configDir: /opt/onap/sdnc/data/properties
    odlCredsExternalSecret: *odlCredsSecretName

sdnc-ansible-server:
  enabled: true
  config:
    restCredsExternalSecret: *ansibleSecretName
  mariadb-galera:
    <<: *mariadbGalera
    config:
      <<: *mariadbGaleraConfig
      mysqlDatabase: ansible
  service:
    name: sdnc-ansible-server
    internalPort: 8000

dgbuilder:
  enabled: true
  nameOverride: sdnc-dgbuilder
  config:
    db:
      dbName: *sdncDbName
      rootPasswordExternalSecret: '{{ .Values.global.mariadbGalera.localCluster |
        ternary
          (printf "%s-sdnc-db-root-password" (include "common.release" .))
          (include "common.mariadb.secret.rootPassSecretName"
            (dict "dot" . "chartName" "mariadb-galera")) }}'
      userCredentialsExternalSecret: *dbSecretName
    dbPodName: mariadb-galera
    dbServiceName: mariadb-galera
    # This should be revisited and changed to plain text
    dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5
  serviceAccount:
    nameOverride: sdnc-dgbuilder
  mariadb-galera:
  service:
    name: sdnc-dgbuilder
    ports:
    - name: http
      port: 3100
      nodePort: "03"

  ingress:
    enabled: false
    service:
      - baseaddr: "sdnc-dgbuilder-ui"
        name: "sdnc-dgbuilder"
        port: 3100
    config:
      ssl: "redirect"



# local elasticsearch cluster
localElasticCluster: true
elasticsearch:
  nameOverride: &elasticSearchName sdnrdb
  name: sdnrdb-cluster
  service:
    name: *elasticSearchName
  master:
    replicaCount: 3
    # dedicatednode: "yes"
    # working as master node only, in this case increase replicaCount for elasticsearch-data
    # dedicatednode: "no"
    # handles master and data node functionality
    dedicatednode: "no"
    nameOverride: *elasticSearchName
    cluster_name: sdnrdb-cluster

# enable
sdnc-web:
  enabled: true
  ## set if web socket port should not be default
  # sdnrWebsocketPort: *sdnrWebsocketPort
# default number of instances
replicaCount: 1

nodeSelector: {}

affinity: {}

# probe configuration parameters
liveness:
  initialDelaySeconds: 10
  periodSeconds: 10
  # necessary to disable liveness probe when setting breakpoints
  # in debugger so K8s doesn't restart unresponsive container
  enabled: true

readiness:
  initialDelaySeconds: 10
  periodSeconds: 10

service:
  type: NodePort
  name: sdnc
  portName: http
  internalPort: 8181
  internalPort2: 8101
  internalPort3: 8080

  #port
  externalPort: 8282

  externalPort2: 8202

  externalPort3: 8280

  nodePort4: 67

  clusterPort: 2550
  clusterPort2: 2650
  clusterPort3: 2681

  geoNodePort1: 61
  geoNodePort2: 62
  geoNodePort3: 63
  geoNodePort4: 64
  geoNodePort5: 65
  geoNodePort6: 66

  callHomePort: &chport 4334
  callHomeNodePort: 66
  ## set if web socket port should not be default
  ## change in sdnc-web section as well
  # sdnrWebsocketPort: &sdnrWebsocketPort 8182


## Persist data to a persitent volume
persistence:
  enabled: true

  ## A manually managed Persistent Volume and Claim
  ## Requires persistence.enabled: true
  ## If defined, PVC must be created manually before volume will be bound
  # existingClaim:
  volumeReclaimPolicy: Retain

  ## database data Persistent Volume Storage Class
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  accessMode: ReadWriteOnce
  size: 1Gi
  mountPath: /dockerdata-nfs
  mountSubPath: sdnc/mdsal
  mdsalPath: /opt/opendaylight/mdsal
  daeximPath: /opt/opendaylight/mdsal/daexim
  journalPath: /opt/opendaylight/segmented-journal
  snapshotsPath: /opt/opendaylight/snapshots

ingress:
  enabled: false
  service:
  - baseaddr: "sdnc-api"
    name: "sdnc"
    port: 8282
  - baseaddr: "sdnc-callhome"
    name: "sdnc-callhome"
    port: *chport
    protocol: tcp
    exposedPort: *chport
    exposedProtocol: TCP
  config:
    ssl: "redirect"

serviceMesh:
  authorizationPolicy:
    authorizedPrincipals:
      - serviceAccount: a1policymanagement-read
      - serviceAccount: cds-blueprints-processor-read
      - serviceAccount: consul-read
      - serviceAccount: ncmp-dmi-plugin-read
      - serviceAccount: policy-drools-pdp-read
      - serviceAccount: robot-read
      - serviceAccount: sdnc-ansible-server-read
      - serviceAccount: sdnc-dmaap-listener-read
      - serviceAccount: sdnc-prom-read
      - serviceAccount: sdnc-ueb-listener-read
      - serviceAccount: sdnc-web-read
      - serviceAccount: so-sdnc-adapter-read
      - serviceAccount: istio-ingress
        namespace: istio-ingress
    authorizedPrincipalsSdnHosts:
      - serviceAccount: sdnc-read

#Resource Limit flavor -By Default using small
flavor: small
#segregation for different envionment (Small and Large)

resources:
  small:
    limits:
      cpu: 999
      memory: 4.7Gi
    requests:
      cpu: 1
      memory: 4.7Gi
  large:
    limits:
      cpu: 999
      memory: 9.4Gi
    requests:
      cpu: 2
      memory: 9.4Gi
  unlimited: {}

#Pods Service Account
serviceAccount:
  nameOverride: sdnc
  roles:
    - read

#Log configuration
log:
  path: /var/log/onap