#============LICENSE_START========================================================
# ================================================================================
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
formats. It will also include the AAF CA cert. If the microservice is
a TLS client only (indicated by setting .Values.tlsServer to false), the
certificate information includes only the AAF CA cert.
+
+Deployed POD may also include a Policy-sync sidecar container.
+The sidecar is included if .Values.policies is set. The
+Policy-sync sidecar polls PolicyEngine (PDP) periodically based
+on .Values.policies.duration and configuration retrieved is shared with
+DCAE Microservice container by common volume. Policy can be retrieved based on
+list of policyID or filter
*/}}
{{- define "dcaegen2-services-common.microserviceDeployment" -}}
{{- $logDir := default "" .Values.logDirectory -}}
{{- $certDir := default "" .Values.certDirectory . -}}
{{- $tlsServer := default "" .Values.tlsServer -}}
+{{- $policy := default "" .Values.policies -}}
+
apiVersion: apps/v1
kind: Deployment
metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
- mountPath: /opt/app/osaaf
name: tls-info
{{- end }}
+ {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }}
containers:
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
env:
{{- if $certDir }}
- name: DCAE_CA_CERTPATH
- value: {{ $certDir}}/cacert.pem
+ value: {{ $certDir }}/cacert.pem
{{- end }}
- name: CONSUL_HOST
value: consul-server.onap
{{- if $certDir }}
- mountPath: {{ $certDir }}
name: tls-info
+ {{- if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+ {{- include "common.certManager.volumeMountsReadOnly" . | nindent 8 -}}
+ {{- end -}}
+ {{- end }}
+ {{- if $policy }}
+ - name: policy-shared
+ mountPath: /etc/policies
{{- end }}
{{- if $logDir }}
- image: {{ include "repositoryGenerator.image.logging" . }}
name: filebeat-conf
subPath: filebeat.yml
{{- end }}
+ {{- if $policy }}
+ - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dcaePolicySyncImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: policy-sync
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: POLICY_SYNC_PDP_USER
+ valueFrom:
+ secretKeyRef:
+ name: onap-policy-xacml-pdp-api-creds
+ key: login
+ - name: POLICY_SYNC_PDP_PASS
+ valueFrom:
+ secretKeyRef:
+ name: onap-policy-xacml-pdp-api-creds
+ key: password
+ - name: POLICY_SYNC_PDP_URL
+ value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969
+ - name: POLICY_SYNC_OUTFILE
+ value : "/etc/policies/policies.json"
+ - name: POLICY_SYNC_V1_DECISION_ENDPOINT
+ value : "policy/pdpx/v1/decision"
+ {{- if $policy.filter }}
+ - name: POLICY_SYNC_FILTER
+ value: {{ $policy.filter }}
+ {{- end -}}
+ {{- if $policy.policyID }}
+ - name: POLICY_SYNC_ID
+ value: {{ $policy.policyID }}
+ {{- end -}}
+ {{- if $policy.duration }}
+ - name: POLICY_SYNC_DURATION
+ value: {{ $policy.duration }}
+ {{- end }}
+ resources: {{ include "common.resources" . | nindent 2 }}
+ volumeMounts:
+ - mountPath: /etc/policies
+ name: policy-shared
+ {{- if $certDir }}
+ - mountPath: /opt/ca-certificates/
+ name: tls-info
+ {{- end }}
+ {{- end }}
hostname: {{ include "common.name" . }}
volumes:
- configMap:
{{- if $certDir }}
- emptyDir: {}
name: tls-info
+ {{ if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+ {{ include "common.certManager.volumesReadOnly" . | nindent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- if $policy }}
+ - name: policy-shared
+ emptyDir: {}
{{- end }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
{{ end -}}
+
+{{/*
+ For internal use
+
+ Template to attach CertPostProcessor which merges CMPv2 truststore with AAF truststore
+ and swaps keystore files.
+*/}}
+{{- define "dcaegen2-services-common._certPostProcessor" -}}
+ {{- $certDir := default "" .Values.certDirectory . -}}
+ {{- if and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+ {{- $cmpv2Certificate := (index .Values.certificates 0) -}}
+ {{- $cmpv2CertificateDir := $cmpv2Certificate.mountPath -}}
+ {{- $certType := "pem" -}}
+ {{- if $cmpv2Certificate.keystore -}}
+ {{- $certType = (index $cmpv2Certificate.keystore.outputType 0) -}}
+ {{- end -}}
+ {{- $truststoresPaths := printf "%s/%s:%s/%s" $certDir "cacert.pem" $cmpv2CertificateDir "ca.crt" -}}
+ {{- $truststoresPasswordPaths := "" -}}
+ {{- $keystoreSourcePaths := printf "%s/%s:%s/%s" $cmpv2CertificateDir "tls.crt" $cmpv2CertificateDir "tls.key" -}}
+ {{- $keystoreDestinationPaths := printf "%s/%s:%s/%s" $certDir "cert.pem" $certDir "key.pem" -}}
+ {{- if not (eq $certType "pem") -}}
+ {{- $truststoresPaths = printf "%s/%s:%s/%s.%s" $certDir "trust.jks" $cmpv2CertificateDir "truststore" $certType -}}
+ {{- $truststoresPasswordPaths = printf "%s/%s:%s/%s" $certDir "trust.pass" $cmpv2CertificateDir "truststore.pass" -}}
+ {{- $keystoreSourcePaths = printf "%s/%s.%s:%s/%s" $cmpv2CertificateDir "keystore" $certType $cmpv2CertificateDir "keystore.pass" -}}
+ {{- $keystoreDestinationPaths = printf "%s/%s.%s:%s/%s.pass" $certDir "cert" $certType $certDir $certType -}}
+ {{- end }}
+ - name: cert-post-processor
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.certPostProcessorImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources:
+ {{- include "common.resources" . | nindent 4 }}
+ volumeMounts:
+ - mountPath: {{ $certDir }}
+ name: tls-info
+ {{- include "common.certManager.volumeMountsReadOnly" . | nindent 4 }}
+ env:
+ - name: TRUSTSTORES_PATHS
+ value: {{ $truststoresPaths | quote}}
+ - name: TRUSTSTORES_PASSWORDS_PATHS
+ value: {{ $truststoresPasswordPaths | quote }}
+ - name: KEYSTORE_SOURCE_PATHS
+ value: {{ $keystoreSourcePaths | quote }}
+ - name: KEYSTORE_DESTINATION_PATHS
+ value: {{ $keystoreDestinationPaths | quote }}
+ {{- end }}
+{{- end -}}
Code Review / oom.git / blobdiff